mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-01-13 15:52:05 +00:00
c5c647ba6a
CVE-2023-49081: aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. This issue has been patched in version 3.9.0. References: https://nvd.nist.gov/vuln/detail/CVE-2023-49081 Upstream patches:1e86b777e6CVE-2024-30251: aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In affected versions an attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further requests. An attacker can stop the application from serving requests after sending a single request. This issue has been addressed in version 3.9.4. Users are advised to upgrade. Users unable to upgrade may manually apply a patch to their systems. Please see the linked GHSA for instructions. References: https://nvd.nist.gov/vuln/detail/CVE-2024-30251 Upstream patches:cebe526b9c7eecdff163f21c6f2ca5CVE-2024-52304: aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.10.11 fixes the issue. References: https://nvd.nist.gov/vuln/detail/CVE-2024-52304 Upstream patches:259edc3690CVE-2023-49082: aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0. References: https://nvd.nist.gov/vuln/detail/CVE-2023-49082 Upstream patches:a43bc17798CVE-2024-27306: aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. A XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected. Other users can disable `show_index` if unable to upgrade. References: https://nvd.nist.gov/vuln/detail/CVE-2024-27306 Upstream patches:28335525d1Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
82 lines
2.8 KiB
Diff
82 lines
2.8 KiB
Diff
From d05042f1a35ec0adb797c056024d457ac1fd7088 Mon Sep 17 00:00:00 2001
|
|
From: Sam Bull <git@sambull.org>
|
|
Date: Thu, 11 Apr 2024 15:54:45 +0100
|
|
Subject: [PATCH] Escape filenames and paths in HTML when generating index
|
|
pages (#8317) (#8319)
|
|
|
|
Upstream-Status: Backport
|
|
[https://github.com/aio-libs/aiohttp/commit/28335525d1eac015a7e7584137678cbb6ff19397]
|
|
|
|
CVE: CVE-2024-27306
|
|
|
|
Co-authored-by: J. Nick Koston <nick@koston.org>
|
|
(cherry picked from commit ffbc43233209df302863712b511a11bdb6001b0f)
|
|
Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
|
|
---
|
|
CHANGES/8317.bugfix.rst | 1 +
|
|
aiohttp/web_urldispatcher.py | 11 ++++++-----
|
|
2 files changed, 7 insertions(+), 5 deletions(-)
|
|
create mode 100644 CHANGES/8317.bugfix.rst
|
|
|
|
diff --git a/CHANGES/8317.bugfix.rst b/CHANGES/8317.bugfix.rst
|
|
new file mode 100644
|
|
index 0000000..b24ef2a
|
|
--- /dev/null
|
|
+++ b/CHANGES/8317.bugfix.rst
|
|
@@ -0,0 +1 @@
|
|
+Escaped filenames in static view -- by :user:`bdraco`.
|
|
diff --git a/aiohttp/web_urldispatcher.py b/aiohttp/web_urldispatcher.py
|
|
index e8a8023..791ab94 100644
|
|
--- a/aiohttp/web_urldispatcher.py
|
|
+++ b/aiohttp/web_urldispatcher.py
|
|
@@ -1,7 +1,9 @@
|
|
import abc
|
|
import asyncio
|
|
import base64
|
|
+import functools
|
|
import hashlib
|
|
+import html
|
|
import inspect
|
|
import keyword
|
|
import os
|
|
@@ -87,6 +89,7 @@ PATH_SEP: Final[str] = re.escape("/")
|
|
_ExpectHandler = Callable[[Request], Awaitable[None]]
|
|
_Resolve = Tuple[Optional["UrlMappingMatchInfo"], Set[str]]
|
|
|
|
+html_escape = functools.partial(html.escape, quote=True)
|
|
|
|
class _InfoDict(TypedDict, total=False):
|
|
path: str
|
|
@@ -706,7 +709,7 @@ class StaticResource(PrefixResource):
|
|
assert filepath.is_dir()
|
|
|
|
relative_path_to_dir = filepath.relative_to(self._directory).as_posix()
|
|
- index_of = f"Index of /{relative_path_to_dir}"
|
|
+ index_of = f"Index of /{html_escape(relative_path_to_dir)}"
|
|
h1 = f"<h1>{index_of}</h1>"
|
|
|
|
index_list = []
|
|
@@ -714,7 +717,7 @@ class StaticResource(PrefixResource):
|
|
for _file in sorted(dir_index):
|
|
# show file url as relative to static path
|
|
rel_path = _file.relative_to(self._directory).as_posix()
|
|
- file_url = self._prefix + "/" + rel_path
|
|
+ quoted_file_url = _quote_path(f"{self._prefix}/{rel_path}")
|
|
|
|
# if file is a directory, add '/' to the end of the name
|
|
if _file.is_dir():
|
|
@@ -723,9 +726,7 @@ class StaticResource(PrefixResource):
|
|
file_name = _file.name
|
|
|
|
index_list.append(
|
|
- '<li><a href="{url}">{name}</a></li>'.format(
|
|
- url=file_url, name=file_name
|
|
- )
|
|
+ f'<li><a href="{quoted_file_url}">{html_escape(file_name)}</a></li>'
|
|
)
|
|
ul = "<ul>\n{}\n</ul>".format("\n".join(index_list))
|
|
body = f"<body>\n{h1}\n{ul}\n</body>"
|
|
--
|
|
2.25.1
|
|
|