meta-openembedded/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch

From b070a40ebbd89d88f4d8144a6ece017d33604d00 Mon Sep 17 00:00:00 2001
From: David Lord <davidism@gmail.com>
Date: Wed, 10 May 2023 11:33:18 +0000
Subject: [PATCH] Merge pull request from GHSA-px8h-6qxv-m22q

don't strip leading `=` when parsing cookie

"src/werkzeug/sansio/http.py" file is not available in the current recipe
version 2.1.1 and this has been introduced from 2.2.0 version. Before 2.2.0
version, this http.py file was only available in the "src/werkzeug/http.py"
and we could see the same functions available there which are getting modified
in the CVE fix commit. Hence, modifying the same at "src/werkzeug/http.py" file.

CVE: CVE-2023-23934

Upstream-Status: Backport [https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028]

Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
---
 CHANGES.rst               |  4 ++++
 src/werkzeug/_internal.py | 13 +++++++++----
 src/werkzeug/http.py      |  4 ----
 tests/test_http.py        |  4 +++-
 4 files changed, 16 insertions(+), 9 deletions(-)

diff --git a/CHANGES.rst b/CHANGES.rst
index a351d7c..23505d3 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -1,5 +1,9 @@
 .. currentmodule:: werkzeug

+-   A cookie header that starts with ``=`` is treated as an empty key and discarded,
+    rather than stripping the leading ``==``.
+
+
 Version 2.1.1
 -------------

diff --git a/src/werkzeug/_internal.py b/src/werkzeug/_internal.py
index a8b3523..d6290ba 100644
--- a/src/werkzeug/_internal.py
+++ b/src/werkzeug/_internal.py
@@ -34,7 +34,7 @@ _quote_re = re.compile(rb"[\\].")
 _legal_cookie_chars_re = rb"[\w\d!#%&\'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]"
 _cookie_re = re.compile(
     rb"""
-    (?P<key>[^=;]+)
+    (?P<key>[^=;]*)
     (?:\s*=\s*
         (?P<val>
             "(?:[^\\"]|\\.)*" |
@@ -382,16 +382,21 @@ def _cookie_parse_impl(b: bytes) -> t.Iterator[t.Tuple[bytes, bytes]]:
     """Lowlevel cookie parsing facility that operates on bytes."""
     i = 0
     n = len(b)
+    b += b";"

     while i < n:
-        match = _cookie_re.search(b + b";", i)
+        match = _cookie_re.match(b, i)
+
         if not match:
             break

-        key = match.group("key").strip()
-        value = match.group("val") or b""
         i = match.end(0)
+        key = match.group("key").strip()
+
+        if not key:
+            continue

+        value = match.group("val") or b""
         yield key, _cookie_unquote(value)


diff --git a/src/werkzeug/http.py b/src/werkzeug/http.py
index 9369900..ae133e3 100644
--- a/src/werkzeug/http.py
+++ b/src/werkzeug/http.py
@@ -1205,10 +1205,6 @@ def parse_cookie(
     def _parse_pairs() -> t.Iterator[t.Tuple[str, str]]:
         for key, val in _cookie_parse_impl(header):  # type: ignore
             key_str = _to_str(key, charset, errors, allow_none_charset=True)
-
-            if not key_str:
-                continue
-
             val_str = _to_str(val, charset, errors, allow_none_charset=True)
             yield key_str, val_str

diff --git a/tests/test_http.py b/tests/test_http.py
index 5936bfa..59cc179 100644
--- a/tests/test_http.py
+++ b/tests/test_http.py
@@ -427,7 +427,8 @@ class TestHTTPUtility:
     def test_parse_cookie(self):
         cookies = http.parse_cookie(
             "dismiss-top=6; CP=null*; PHPSESSID=0a539d42abc001cdc762809248d4beed;"
-            'a=42; b="\\";"; ; fo234{=bar;blub=Blah; "__Secure-c"=d'
+            'a=42; b="\\";"; ; fo234{=bar;blub=Blah; "__Secure-c"=d;'
+            "==__Host-eq=bad;__Host-eq=good;"
         )
         assert cookies.to_dict() == {
             "CP": "null*",
@@ -438,6 +439,7 @@ class TestHTTPUtility:
             "fo234{": "bar",
             "blub": "Blah",
             '"__Secure-c"': "d",
+            "__Host-eq": "good",
         }

     def test_dump_cookie(self):
--
2.40.0