mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-01-13 15:52:05 +00:00
1235dd4ed4
Twisted is an event-based framework for internet applications, supporting Python 3.6+. The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure. This vulnerability is fixed in 24.7.0rc1. References: https://nvd.nist.gov/vuln/detail/CVE-2024-41671 Upstream-patches:046a164f894a930de12fSigned-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
90 lines
2.9 KiB
Diff
90 lines
2.9 KiB
Diff
From 046a164f89a0f08d3239ecebd750360f8914df33 Mon Sep 17 00:00:00 2001
|
|
From: Adi Roiban <adiroiban@gmail.com>
|
|
Date: Mon Jul 29 14:28:03 2024 +0100
|
|
Subject: [PATCH] Merge commit from fork
|
|
|
|
Added HTML output encoding the "URL" parameter of the "redirectTo" function
|
|
|
|
CVE: CVE-2024-41671
|
|
|
|
Upstream-Status: Backport [https://github.com/twisted/twisted/commit/046a164f89a0f08d3239ecebd750360f8914df33]
|
|
|
|
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
|
|
---
|
|
src/twisted/web/_template_util.py | 2 +-
|
|
src/twisted/web/test/test_util.py | 39 ++++++++++++++++++++++++++++++-
|
|
2 files changed, 39 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/src/twisted/web/_template_util.py b/src/twisted/web/_template_util.py
|
|
index 230c33f..7266079 100644
|
|
--- a/src/twisted/web/_template_util.py
|
|
+++ b/src/twisted/web/_template_util.py
|
|
@@ -92,7 +92,7 @@ def redirectTo(URL: bytes, request: IRequest) -> bytes:
|
|
</body>
|
|
</html>
|
|
""" % {
|
|
- b"url": URL
|
|
+ b"url": escape(URL.decode("utf-8")).encode("utf-8")
|
|
}
|
|
return content
|
|
|
|
diff --git a/src/twisted/web/test/test_util.py b/src/twisted/web/test/test_util.py
|
|
index 1e76300..9847dcb 100644
|
|
--- a/src/twisted/web/test/test_util.py
|
|
+++ b/src/twisted/web/test/test_util.py
|
|
@@ -5,7 +5,6 @@
|
|
Tests for L{twisted.web.util}.
|
|
"""
|
|
|
|
-
|
|
import gc
|
|
|
|
from twisted.internet import defer
|
|
@@ -64,6 +63,44 @@ class RedirectToTests(TestCase):
|
|
targetURL = "http://target.example.com/4321"
|
|
self.assertRaises(TypeError, redirectTo, targetURL, request)
|
|
|
|
+ def test_legitimateRedirect(self):
|
|
+ """
|
|
+ Legitimate URLs are fully interpolated in the `redirectTo` response body without transformation
|
|
+ """
|
|
+ request = DummyRequest([b""])
|
|
+ html = redirectTo(b"https://twisted.org/", request)
|
|
+ expected = b"""
|
|
+<html>
|
|
+ <head>
|
|
+ <meta http-equiv=\"refresh\" content=\"0;URL=https://twisted.org/\">
|
|
+ </head>
|
|
+ <body bgcolor=\"#FFFFFF\" text=\"#000000\">
|
|
+ <a href=\"https://twisted.org/\">click here</a>
|
|
+ </body>
|
|
+</html>
|
|
+"""
|
|
+ self.assertEqual(html, expected)
|
|
+
|
|
+ def test_maliciousRedirect(self):
|
|
+ """
|
|
+ Malicious URLs are HTML-escaped before interpolating them in the `redirectTo` response body
|
|
+ """
|
|
+ request = DummyRequest([b""])
|
|
+ html = redirectTo(
|
|
+ b'https://twisted.org/"><script>alert(document.location)</script>', request
|
|
+ )
|
|
+ expected = b"""
|
|
+<html>
|
|
+ <head>
|
|
+ <meta http-equiv=\"refresh\" content=\"0;URL=https://twisted.org/"><script>alert(document.location)</script>\">
|
|
+ </head>
|
|
+ <body bgcolor=\"#FFFFFF\" text=\"#000000\">
|
|
+ <a href=\"https://twisted.org/"><script>alert(document.location)</script>\">click here</a>
|
|
+ </body>
|
|
+</html>
|
|
+"""
|
|
+ self.assertEqual(html, expected)
|
|
+
|
|
|
|
class ParentRedirectTests(SynchronousTestCase):
|
|
"""
|
|
--
|
|
2.40.0
|