python3-twisted: Fix CVE-2024-41671

Twisted is an event-based framework for internet applications, supporting Python 3.6+. The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure. This vulnerability is fixed in 24.7.0rc1. References: https://nvd.nist.gov/vuln/detail/CVE-2024-41671 Upstream-patches: https://github.com/twisted/twisted/commit/046a164f89a0f08d3239ecebd750360f8914df33 https://github.com/twisted/twisted/commit/4a930de12fb67e88fefcb8822104152f42b27abc Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Soumya Sambu <soumya.sambu@windriver.com> 2024-08-25 18:41:03 +0000
committer: Armin Kuster <akuster808@gmail.com> 2024-08-25 15:15:10 -0400
commit: 1235dd4ed4a57e67683c045ad76b6a0f9e896b45 (patch)
tree: 65920197df4ef699c5a8fb83b369a8e2a443714f
parent: 399b7b9051bb985dc37850c153a1029e1d3491bd (diff)
download: meta-openembedded-1235dd4ed4a57e67683c045ad76b6a0f9e896b45.tar.gz
3 files changed, 345 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41671-0001.patch b/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41671-0001.patch
new file mode 100644
index 0000000000..1f6bf6bbfc
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41671-0001.patch
@@ -0,0 +1,89 @@
+From 046a164f89a0f08d3239ecebd750360f8914df33 Mon Sep 17 00:00:00 2001
+From: Adi Roiban <adiroiban@gmail.com>
+Date: Mon Jul 29 14:28:03 2024 +0100
+Subject: [PATCH] Merge commit from fork
+Added HTML output encoding the "URL" parameter of the "redirectTo" function
+CVE: CVE-2024-41671
+Upstream-Status: Backport [https://github.com/twisted/twisted/commit/046a164f89a0f08d3239ecebd750360f8914df33]
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ src/twisted/web/_template_util.py |  2 +-
+ src/twisted/web/test/test_util.py | 39 ++++++++++++++++++++++++++++++-
+ 2 files changed, 39 insertions(+), 2 deletions(-)
+diff --git a/src/twisted/web/_template_util.py b/src/twisted/web/_template_util.py
+index 230c33f..7266079 100644
+--- a/src/twisted/web/_template_util.py
+++ b/src/twisted/web/_template_util.py
+@@ -92,7 +92,7 @@ def redirectTo(URL: bytes, request: IRequest) -> bytes:
+     </body>
+ </html>
+ """ % {
+-        b"url": URL
+        b"url": escape(URL.decode("utf-8")).encode("utf-8")
+     }
+     return content
+diff --git a/src/twisted/web/test/test_util.py b/src/twisted/web/test/test_util.py
+index 1e76300..9847dcb 100644
+--- a/src/twisted/web/test/test_util.py
+++ b/src/twisted/web/test/test_util.py
+@@ -5,7 +5,6 @@
+ Tests for L{twisted.web.util}.
+ """
+-
+ import gc
+ from twisted.internet import defer
+@@ -64,6 +63,44 @@ class RedirectToTests(TestCase):
+         targetURL = "http://target.example.com/4321"
+         self.assertRaises(TypeError, redirectTo, targetURL, request)
+    def test_legitimateRedirect(self):
+        """
+        Legitimate URLs are fully interpolated in the `redirectTo` response body without transformation
+        """
+        request = DummyRequest([b""])
+        html = redirectTo(b"https://twisted.org/", request)
+        expected = b"""
+<html>
+    <head>
+        <meta http-equiv=\"refresh\" content=\"0;URL=https://twisted.org/\">
+    </head>
+    <body bgcolor=\"#FFFFFF\" text=\"#000000\">
+    <a href=\"https://twisted.org/\">click here</a>
+    </body>
+</html>
+"""
+        self.assertEqual(html, expected)
+
+    def test_maliciousRedirect(self):
+        """
+        Malicious URLs are HTML-escaped before interpolating them in the `redirectTo` response body
+        """
+        request = DummyRequest([b""])
+        html = redirectTo(
+            b'https://twisted.org/"><script>alert(document.location)</script>', request
+        )
+        expected = b"""
+<html>
+    <head>
+        <meta http-equiv=\"refresh\" content=\"0;URL=https://twisted.org/&quot;&gt;&lt;script&gt;alert(document.location)&lt;/script&gt;\">
+    </head>
+    <body bgcolor=\"#FFFFFF\" text=\"#000000\">
+    <a href=\"https://twisted.org/&quot;&gt;&lt;script&gt;alert(document.location)&lt;/script&gt;\">click here</a>
+    </body>
+</html>
+"""
+        self.assertEqual(html, expected)
+
+ class ParentRedirectTests(SynchronousTestCase):
+     """
+--
+2.40.0
diff --git a/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41671-0002.patch b/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41671-0002.patch
new file mode 100644
index 0000000000..147c21d73d
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41671-0002.patch
@@ -0,0 +1,251 @@
+From 4a930de12fb67e88fefcb8822104152f42b27abc Mon Sep 17 00:00:00 2001
+From: Adi Roiban <adiroiban@gmail.com>
+Date: Mon Jul 29 14:27:23 2024 +0100
+Subject: [PATCH] Merge commit from fork
+Address GHSA-c8m8-j448-xjx7
+CVE: CVE-2024-41671
+Upstream-Status: Backport [https://github.com/twisted/twisted/commit/4a930de12fb67e88fefcb8822104152f42b27abc]
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ src/twisted/web/http.py           |  21 +++--
+ src/twisted/web/test/test_http.py | 122 ++++++++++++++++++++++++++----
+ 2 files changed, 122 insertions(+), 21 deletions(-)
+diff --git a/src/twisted/web/http.py b/src/twisted/web/http.py
+index 1c59838..3b784f5 100644
+--- a/src/twisted/web/http.py
+++ b/src/twisted/web/http.py
+@@ -2000,16 +2000,21 @@ class _ChunkedTransferDecoder:
+         @returns: C{False}, as there is either insufficient data to continue,
+             or no data remains.
+         """
+-        if (
+-            self._receivedTrailerHeadersSize + len(self._buffer)
+-            > self._maxTrailerHeadersSize
+-        ):
+-            raise _MalformedChunkedDataError("Trailer headers data is too long.")
+-
+         eolIndex = self._buffer.find(b"\r\n", self._start)
+         if eolIndex == -1:
+             # Still no end of network line marker found.
+            #
+            # Check if we've run up against the trailer size limit: if the next
+            # read contains the terminating CRLF then we'll have this many bytes
+            # of trailers (including the CRLFs).
+            minTrailerSize = (
+                self._receivedTrailerHeadersSize
+                + len(self._buffer)
+                + (1 if self._buffer.endswith(b"\r") else 2)
+            )
+            if minTrailerSize > self._maxTrailerHeadersSize:
+                raise _MalformedChunkedDataError("Trailer headers data is too long.")
+             # Continue processing more data.
+             return False
+@@ -2019,6 +2024,8 @@ class _ChunkedTransferDecoder:
+             del self._buffer[0 : eolIndex + 2]
+             self._start = 0
+             self._receivedTrailerHeadersSize += eolIndex + 2
+            if self._receivedTrailerHeadersSize > self._maxTrailerHeadersSize:
+                raise _MalformedChunkedDataError("Trailer headers data is too long.")
+             return True
+         # eolIndex in this part of code is equal to 0
+@@ -2342,8 +2349,8 @@ class HTTPChannel(basic.LineReceiver, policies.TimeoutMixin):
+             self.__header = line
+     def _finishRequestBody(self, data):
+-        self.allContentReceived()
+         self._dataBuffer.append(data)
+        self.allContentReceived()
+     def _maybeChooseTransferDecoder(self, header, data):
+         """
+diff --git a/src/twisted/web/test/test_http.py b/src/twisted/web/test/test_http.py
+index 33d0a49..1130d31 100644
+--- a/src/twisted/web/test/test_http.py
+++ b/src/twisted/web/test/test_http.py
+@@ -135,7 +135,7 @@ class DummyHTTPHandler(http.Request):
+         data = self.content.read()
+         length = self.getHeader(b"content-length")
+         if length is None:
+-            length = networkString(str(length))
+            length = str(length).encode()
+         request = b"'''\n" + length + b"\n" + data + b"'''\n"
+         self.setResponseCode(200)
+         self.setHeader(b"Request", self.uri)
+@@ -563,17 +563,23 @@ class HTTP0_9Tests(HTTP1_0Tests):
+ class PipeliningBodyTests(unittest.TestCase, ResponseTestMixin):
+     """
+-    Tests that multiple pipelined requests with bodies are correctly buffered.
+    Pipelined requests get buffered and executed in the order received,
+    not processed in parallel.
+     """
+     requests = (
+         b"POST / HTTP/1.1\r\n"
+         b"Content-Length: 10\r\n"
+         b"\r\n"
+-        b"0123456789POST / HTTP/1.1\r\n"
+-        b"Content-Length: 10\r\n"
+-        b"\r\n"
+         b"0123456789"
+        # Chunk encoded request.
+        b"POST / HTTP/1.1\r\n"
+        b"Transfer-Encoding: chunked\r\n"
+        b"\r\n"
+        b"a\r\n"
+        b"0123456789\r\n"
+        b"0\r\n"
+        b"\r\n"
+     )
+     expectedResponses = [
+@@ -590,14 +596,16 @@ class PipeliningBodyTests(unittest.TestCase, ResponseTestMixin):
+             b"Request: /",
+             b"Command: POST",
+             b"Version: HTTP/1.1",
+-            b"Content-Length: 21",
+-            b"'''\n10\n0123456789'''\n",
+            b"Content-Length: 23",
+            b"'''\nNone\n0123456789'''\n",
+         ),
+     ]
+-    def test_noPipelining(self):
+    def test_stepwiseTinyTube(self):
+         """
+-        Test that pipelined requests get buffered, not processed in parallel.
+        Imitate a slow connection that delivers one byte at a time.
+        The request handler (L{DelayedHTTPHandler}) is puppeted to
+        step through the handling of each request.
+         """
+         b = StringTransport()
+         a = http.HTTPChannel()
+@@ -606,10 +614,9 @@ class PipeliningBodyTests(unittest.TestCase, ResponseTestMixin):
+         # one byte at a time, to stress it.
+         for byte in iterbytes(self.requests):
+             a.dataReceived(byte)
+-        value = b.value()
+         # So far only one request should have been dispatched.
+-        self.assertEqual(value, b"")
+        self.assertEqual(b.value(), b"")
+         self.assertEqual(1, len(a.requests))
+         # Now, process each request one at a time.
+@@ -618,8 +625,91 @@ class PipeliningBodyTests(unittest.TestCase, ResponseTestMixin):
+             request = a.requests[0].original
+             request.delayedProcess()
+-        value = b.value()
+-        self.assertResponseEquals(value, self.expectedResponses)
+        self.assertResponseEquals(b.value(), self.expectedResponses)
+
+    def test_stepwiseDumpTruck(self):
+        """
+        Imitate a fast connection where several pipelined
+        requests arrive in a single read. The request handler
+        (L{DelayedHTTPHandler}) is puppeted to step through the
+        handling of each request.
+        """
+        b = StringTransport()
+        a = http.HTTPChannel()
+        a.requestFactory = DelayedHTTPHandlerProxy
+        a.makeConnection(b)
+
+        a.dataReceived(self.requests)
+
+        # So far only one request should have been dispatched.
+        self.assertEqual(b.value(), b"")
+        self.assertEqual(1, len(a.requests))
+
+        # Now, process each request one at a time.
+        while a.requests:
+            self.assertEqual(1, len(a.requests))
+            request = a.requests[0].original
+            request.delayedProcess()
+
+        self.assertResponseEquals(b.value(), self.expectedResponses)
+
+    def test_immediateTinyTube(self):
+        """
+        Imitate a slow connection that delivers one byte at a time.
+        (L{DummyHTTPHandler}) immediately responds, but no more
+        than one
+        """
+        b = StringTransport()
+        a = http.HTTPChannel()
+        a.requestFactory = DummyHTTPHandlerProxy  # "sync"
+        a.makeConnection(b)
+
+        # one byte at a time, to stress it.
+        for byte in iterbytes(self.requests):
+            a.dataReceived(byte)
+            # There is never more than one request dispatched at a time:
+            self.assertLessEqual(len(a.requests), 1)
+
+        self.assertResponseEquals(b.value(), self.expectedResponses)
+
+    def test_immediateDumpTruck(self):
+        """
+        Imitate a fast connection where several pipelined
+        requests arrive in a single read. The request handler
+        (L{DummyHTTPHandler}) immediately responds.
+        This doesn't check the at-most-one pending request
+        invariant but exercises otherwise uncovered code paths.
+        See GHSA-c8m8-j448-xjx7.
+        """
+        b = StringTransport()
+        a = http.HTTPChannel()
+        a.requestFactory = DummyHTTPHandlerProxy
+        a.makeConnection(b)
+
+        # All bytes at once to ensure there's stuff to buffer.
+        a.dataReceived(self.requests)
+
+        self.assertResponseEquals(b.value(), self.expectedResponses)
+
+    def test_immediateABiggerTruck(self):
+        """
+        Imitate a fast connection where a so many pipelined
+        requests arrive in a single read that backpressure is indicated.
+        The request handler (L{DummyHTTPHandler}) immediately responds.
+        This doesn't check the at-most-one pending request
+        invariant but exercises otherwise uncovered code paths.
+        See GHSA-c8m8-j448-xjx7.
+        @see: L{http.HTTPChannel._optimisticEagerReadSize}
+        """
+        b = StringTransport()
+        a = http.HTTPChannel()
+        a.requestFactory = DummyHTTPHandlerProxy
+        a.makeConnection(b)
+
+        overLimitCount = a._optimisticEagerReadSize // len(self.requests) * 10
+        a.dataReceived(self.requests * overLimitCount)
+
+        self.assertResponseEquals(b.value(), self.expectedResponses * overLimitCount)
+     def test_pipeliningReadLimit(self):
+         """
+@@ -1522,7 +1612,11 @@ class ChunkedTransferEncodingTests(unittest.TestCase):
+             lambda b: None,  # pragma: nocov
+         )
+         p._maxTrailerHeadersSize = 10
+-        p.dataReceived(b"3\r\nabc\r\n0\r\n0123456789")
+        # 9 bytes are received so far, in 2 packets.
+        # For now, all is ok.
+        p.dataReceived(b"3\r\nabc\r\n0\r\n01234567")
+        p.dataReceived(b"\r")
+        # Once the 10th byte is received, the processing fails.
+         self.assertRaises(
+             http._MalformedChunkedDataError,
+             p.dataReceived,
+--
+2.40.0
diff --git a/meta-python/recipes-devtools/python/python3-twisted_24.3.0.bb b/meta-python/recipes-devtools/python/python3-twisted_24.3.0.bb
index 336c173893..272aecb8b0 100644
--- a/meta-python/recipes-devtools/python/python3-twisted_24.3.0.bb
+++ b/meta-python/recipes-devtools/python/python3-twisted_24.3.0.bb
@@ -6,6 +6,11 @@ HOMEPAGE = "https://twisted.org"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=c1c5d2c2493b848f83864bdedd67bbf5"
+SRC_URI += " \
+    file://CVE-2024-41671-0001.patch \
+    file://CVE-2024-41671-0002.patch \
+"
 SRC_URI[sha256sum] = "6b38b6ece7296b5e122c9eb17da2eeab3d98a198f50ca9efd00fb03e5b4fd4ae"
 inherit pypi python_hatchling
author	Soumya Sambu <soumya.sambu@windriver.com>	2024-08-25 18:41:03 +0000
committer	Armin Kuster <akuster808@gmail.com>	2024-08-25 15:15:10 -0400
commit	1235dd4ed4a57e67683c045ad76b6a0f9e896b45 (patch)
tree	65920197df4ef699c5a8fb83b369a8e2a443714f
parent	399b7b9051bb985dc37850c153a1029e1d3491bd (diff)
download	meta-openembedded-1235dd4ed4a57e67683c045ad76b6a0f9e896b45.tar.gz

diff --git a/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41671-0001.patch b/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41671-0001.patch new file mode 100644 index 0000000000..1f6bf6bbfc --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41671-0001.patch
@@ -0,0 +1,89 @@
		1	From 046a164f89a0f08d3239ecebd750360f8914df33 Mon Sep 17 00:00:00 2001
		2	From: Adi Roiban <adiroiban@gmail.com>
		3	Date: Mon Jul 29 14:28:03 2024 +0100
		4	Subject: [PATCH] Merge commit from fork
		5
		6	Added HTML output encoding the "URL" parameter of the "redirectTo" function
		7
		8	CVE: CVE-2024-41671
		9
		10	Upstream-Status: Backport [https://github.com/twisted/twisted/commit/046a164f89a0f08d3239ecebd750360f8914df33]
		11
		12	Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
		13	---
		14	src/twisted/web/_template_util.py \| 2 +-
		15	src/twisted/web/test/test_util.py \| 39 ++++++++++++++++++++++++++++++-
		16	2 files changed, 39 insertions(+), 2 deletions(-)
		17
		18	diff --git a/src/twisted/web/_template_util.py b/src/twisted/web/_template_util.py
		19	index 230c33f..7266079 100644
		20	--- a/src/twisted/web/_template_util.py
		21	+++ b/src/twisted/web/_template_util.py
		22	@@ -92,7 +92,7 @@ def redirectTo(URL: bytes, request: IRequest) -> bytes:
		23	</body>
		24	</html>
		25	""" % {
		26	- b"url": URL
		27	+ b"url": escape(URL.decode("utf-8")).encode("utf-8")
		28	}
		29	return content
		30
		31	diff --git a/src/twisted/web/test/test_util.py b/src/twisted/web/test/test_util.py
		32	index 1e76300..9847dcb 100644
		33	--- a/src/twisted/web/test/test_util.py
		34	+++ b/src/twisted/web/test/test_util.py
		35	@@ -5,7 +5,6 @@
		36	Tests for L{twisted.web.util}.
		37	"""
		38
		39	-
		40	import gc
		41
		42	from twisted.internet import defer
		43	@@ -64,6 +63,44 @@ class RedirectToTests(TestCase):
		44	targetURL = "http://target.example.com/4321"
		45	self.assertRaises(TypeError, redirectTo, targetURL, request)
		46
		47	+ def test_legitimateRedirect(self):
		48	+ """
		49	+ Legitimate URLs are fully interpolated in the `redirectTo` response body without transformation
		50	+ """
		51	+ request = DummyRequest([b""])
		52	+ html = redirectTo(b"https://twisted.org/", request)
		53	+ expected = b"""
		54	+<html>
		55	+ <head>
		56	+ <meta http-equiv=\"refresh\" content=\"0;URL=https://twisted.org/\">
		57	+ </head>
		58	+ <body bgcolor=\"#FFFFFF\" text=\"#000000\">
		59	+ <a href=\"https://twisted.org/\">click here</a>
		60	+ </body>
		61	+</html>
		62	+"""
		63	+ self.assertEqual(html, expected)
		64	+
		65	+ def test_maliciousRedirect(self):
		66	+ """
		67	+ Malicious URLs are HTML-escaped before interpolating them in the `redirectTo` response body
		68	+ """
		69	+ request = DummyRequest([b""])
		70	+ html = redirectTo(
		71	+ b'https://twisted.org/"><script>alert(document.location)</script>', request
		72	+ )
		73	+ expected = b"""
		74	+<html>
		75	+ <head>
		76	+ <meta http-equiv=\"refresh\" content=\"0;URL=https://twisted.org/"><script>alert(document.location)</script>\">
		77	+ </head>
		78	+ <body bgcolor=\"#FFFFFF\" text=\"#000000\">
		79	+ <a href=\"https://twisted.org/"><script>alert(document.location)</script>\">click here</a>
		80	+ </body>
		81	+</html>
		82	+"""
		83	+ self.assertEqual(html, expected)
		84	+
		85
		86	class ParentRedirectTests(SynchronousTestCase):
		87	"""
		88	--
		89	2.40.0


diff --git a/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41671-0002.patch b/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41671-0002.patch new file mode 100644 index 0000000000..147c21d73d --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41671-0002.patch
@@ -0,0 +1,251 @@
		1	From 4a930de12fb67e88fefcb8822104152f42b27abc Mon Sep 17 00:00:00 2001
		2	From: Adi Roiban <adiroiban@gmail.com>
		3	Date: Mon Jul 29 14:27:23 2024 +0100
		4	Subject: [PATCH] Merge commit from fork
		5
		6	Address GHSA-c8m8-j448-xjx7
		7
		8	CVE: CVE-2024-41671
		9
		10	Upstream-Status: Backport [https://github.com/twisted/twisted/commit/4a930de12fb67e88fefcb8822104152f42b27abc]
		11
		12	Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
		13	---
		14	src/twisted/web/http.py \| 21 +++--
		15	src/twisted/web/test/test_http.py \| 122 ++++++++++++++++++++++++++----
		16	2 files changed, 122 insertions(+), 21 deletions(-)
		17
		18	diff --git a/src/twisted/web/http.py b/src/twisted/web/http.py
		19	index 1c59838..3b784f5 100644
		20	--- a/src/twisted/web/http.py
		21	+++ b/src/twisted/web/http.py
		22	@@ -2000,16 +2000,21 @@ class _ChunkedTransferDecoder:
		23	@returns: C{False}, as there is either insufficient data to continue,
		24	or no data remains.
		25	"""
		26	- if (
		27	- self._receivedTrailerHeadersSize + len(self._buffer)
		28	- > self._maxTrailerHeadersSize
		29	- ):
		30	- raise _MalformedChunkedDataError("Trailer headers data is too long.")
		31	-
		32	eolIndex = self._buffer.find(b"\r\n", self._start)
		33
		34	if eolIndex == -1:
		35	# Still no end of network line marker found.
		36	+ #
		37	+ # Check if we've run up against the trailer size limit: if the next
		38	+ # read contains the terminating CRLF then we'll have this many bytes
		39	+ # of trailers (including the CRLFs).
		40	+ minTrailerSize = (
		41	+ self._receivedTrailerHeadersSize
		42	+ + len(self._buffer)
		43	+ + (1 if self._buffer.endswith(b"\r") else 2)
		44	+ )
		45	+ if minTrailerSize > self._maxTrailerHeadersSize:
		46	+ raise _MalformedChunkedDataError("Trailer headers data is too long.")
		47	# Continue processing more data.
		48	return False
		49
		50	@@ -2019,6 +2024,8 @@ class _ChunkedTransferDecoder:
		51	del self._buffer[0 : eolIndex + 2]
		52	self._start = 0
		53	self._receivedTrailerHeadersSize += eolIndex + 2
		54	+ if self._receivedTrailerHeadersSize > self._maxTrailerHeadersSize:
		55	+ raise _MalformedChunkedDataError("Trailer headers data is too long.")
		56	return True
		57
		58	# eolIndex in this part of code is equal to 0
		59	@@ -2342,8 +2349,8 @@ class HTTPChannel(basic.LineReceiver, policies.TimeoutMixin):
		60	self.__header = line
		61
		62	def _finishRequestBody(self, data):
		63	- self.allContentReceived()
		64	self._dataBuffer.append(data)
		65	+ self.allContentReceived()
		66
		67	def _maybeChooseTransferDecoder(self, header, data):
		68	"""
		69	diff --git a/src/twisted/web/test/test_http.py b/src/twisted/web/test/test_http.py
		70	index 33d0a49..1130d31 100644
		71	--- a/src/twisted/web/test/test_http.py
		72	+++ b/src/twisted/web/test/test_http.py
		73	@@ -135,7 +135,7 @@ class DummyHTTPHandler(http.Request):
		74	data = self.content.read()
		75	length = self.getHeader(b"content-length")
		76	if length is None:
		77	- length = networkString(str(length))
		78	+ length = str(length).encode()
		79	request = b"'''\n" + length + b"\n" + data + b"'''\n"
		80	self.setResponseCode(200)
		81	self.setHeader(b"Request", self.uri)
		82	@@ -563,17 +563,23 @@ class HTTP0_9Tests(HTTP1_0Tests):
		83
		84	class PipeliningBodyTests(unittest.TestCase, ResponseTestMixin):
		85	"""
		86	- Tests that multiple pipelined requests with bodies are correctly buffered.
		87	+ Pipelined requests get buffered and executed in the order received,
		88	+ not processed in parallel.
		89	"""
		90
		91	requests = (
		92	b"POST / HTTP/1.1\r\n"
		93	b"Content-Length: 10\r\n"
		94	b"\r\n"
		95	- b"0123456789POST / HTTP/1.1\r\n"
		96	- b"Content-Length: 10\r\n"
		97	- b"\r\n"
		98	b"0123456789"
		99	+ # Chunk encoded request.
		100	+ b"POST / HTTP/1.1\r\n"
		101	+ b"Transfer-Encoding: chunked\r\n"
		102	+ b"\r\n"
		103	+ b"a\r\n"
		104	+ b"0123456789\r\n"
		105	+ b"0\r\n"
		106	+ b"\r\n"
		107	)
		108
		109	expectedResponses = [
		110	@@ -590,14 +596,16 @@ class PipeliningBodyTests(unittest.TestCase, ResponseTestMixin):
		111	b"Request: /",
		112	b"Command: POST",
		113	b"Version: HTTP/1.1",
		114	- b"Content-Length: 21",
		115	- b"'''\n10\n0123456789'''\n",
		116	+ b"Content-Length: 23",
		117	+ b"'''\nNone\n0123456789'''\n",
		118	),
		119	]
		120
		121	- def test_noPipelining(self):
		122	+ def test_stepwiseTinyTube(self):
		123	"""
		124	- Test that pipelined requests get buffered, not processed in parallel.
		125	+ Imitate a slow connection that delivers one byte at a time.
		126	+ The request handler (L{DelayedHTTPHandler}) is puppeted to
		127	+ step through the handling of each request.
		128	"""
		129	b = StringTransport()
		130	a = http.HTTPChannel()
		131	@@ -606,10 +614,9 @@ class PipeliningBodyTests(unittest.TestCase, ResponseTestMixin):
		132	# one byte at a time, to stress it.
		133	for byte in iterbytes(self.requests):
		134	a.dataReceived(byte)
		135	- value = b.value()
		136
		137	# So far only one request should have been dispatched.
		138	- self.assertEqual(value, b"")
		139	+ self.assertEqual(b.value(), b"")
		140	self.assertEqual(1, len(a.requests))
		141
		142	# Now, process each request one at a time.
		143	@@ -618,8 +625,91 @@ class PipeliningBodyTests(unittest.TestCase, ResponseTestMixin):
		144	request = a.requests[0].original
		145	request.delayedProcess()
		146
		147	- value = b.value()
		148	- self.assertResponseEquals(value, self.expectedResponses)
		149	+ self.assertResponseEquals(b.value(), self.expectedResponses)
		150	+
		151	+ def test_stepwiseDumpTruck(self):
		152	+ """
		153	+ Imitate a fast connection where several pipelined
		154	+ requests arrive in a single read. The request handler
		155	+ (L{DelayedHTTPHandler}) is puppeted to step through the
		156	+ handling of each request.
		157	+ """
		158	+ b = StringTransport()
		159	+ a = http.HTTPChannel()
		160	+ a.requestFactory = DelayedHTTPHandlerProxy
		161	+ a.makeConnection(b)
		162	+
		163	+ a.dataReceived(self.requests)
		164	+
		165	+ # So far only one request should have been dispatched.
		166	+ self.assertEqual(b.value(), b"")
		167	+ self.assertEqual(1, len(a.requests))
		168	+
		169	+ # Now, process each request one at a time.
		170	+ while a.requests:
		171	+ self.assertEqual(1, len(a.requests))
		172	+ request = a.requests[0].original
		173	+ request.delayedProcess()
		174	+
		175	+ self.assertResponseEquals(b.value(), self.expectedResponses)
		176	+
		177	+ def test_immediateTinyTube(self):
		178	+ """
		179	+ Imitate a slow connection that delivers one byte at a time.
		180	+ (L{DummyHTTPHandler}) immediately responds, but no more
		181	+ than one
		182	+ """
		183	+ b = StringTransport()
		184	+ a = http.HTTPChannel()
		185	+ a.requestFactory = DummyHTTPHandlerProxy # "sync"
		186	+ a.makeConnection(b)
		187	+
		188	+ # one byte at a time, to stress it.
		189	+ for byte in iterbytes(self.requests):
		190	+ a.dataReceived(byte)
		191	+ # There is never more than one request dispatched at a time:
		192	+ self.assertLessEqual(len(a.requests), 1)
		193	+
		194	+ self.assertResponseEquals(b.value(), self.expectedResponses)
		195	+
		196	+ def test_immediateDumpTruck(self):
		197	+ """
		198	+ Imitate a fast connection where several pipelined
		199	+ requests arrive in a single read. The request handler
		200	+ (L{DummyHTTPHandler}) immediately responds.
		201	+ This doesn't check the at-most-one pending request
		202	+ invariant but exercises otherwise uncovered code paths.
		203	+ See GHSA-c8m8-j448-xjx7.
		204	+ """
		205	+ b = StringTransport()
		206	+ a = http.HTTPChannel()
		207	+ a.requestFactory = DummyHTTPHandlerProxy
		208	+ a.makeConnection(b)
		209	+
		210	+ # All bytes at once to ensure there's stuff to buffer.
		211	+ a.dataReceived(self.requests)
		212	+
		213	+ self.assertResponseEquals(b.value(), self.expectedResponses)
		214	+
		215	+ def test_immediateABiggerTruck(self):
		216	+ """
		217	+ Imitate a fast connection where a so many pipelined
		218	+ requests arrive in a single read that backpressure is indicated.
		219	+ The request handler (L{DummyHTTPHandler}) immediately responds.
		220	+ This doesn't check the at-most-one pending request
		221	+ invariant but exercises otherwise uncovered code paths.
		222	+ See GHSA-c8m8-j448-xjx7.
		223	+ @see: L{http.HTTPChannel._optimisticEagerReadSize}
		224	+ """
		225	+ b = StringTransport()
		226	+ a = http.HTTPChannel()
		227	+ a.requestFactory = DummyHTTPHandlerProxy
		228	+ a.makeConnection(b)
		229	+
		230	+ overLimitCount = a._optimisticEagerReadSize // len(self.requests) * 10
		231	+ a.dataReceived(self.requests * overLimitCount)
		232	+
		233	+ self.assertResponseEquals(b.value(), self.expectedResponses * overLimitCount)
		234
		235	def test_pipeliningReadLimit(self):
		236	"""
		237	@@ -1522,7 +1612,11 @@ class ChunkedTransferEncodingTests(unittest.TestCase):
		238	lambda b: None, # pragma: nocov
		239	)
		240	p._maxTrailerHeadersSize = 10
		241	- p.dataReceived(b"3\r\nabc\r\n0\r\n0123456789")
		242	+ # 9 bytes are received so far, in 2 packets.
		243	+ # For now, all is ok.
		244	+ p.dataReceived(b"3\r\nabc\r\n0\r\n01234567")
		245	+ p.dataReceived(b"\r")
		246	+ # Once the 10th byte is received, the processing fails.
		247	self.assertRaises(
		248	http._MalformedChunkedDataError,
		249	p.dataReceived,
		250	--
		251	2.40.0


diff --git a/meta-python/recipes-devtools/python/python3-twisted_24.3.0.bb b/meta-python/recipes-devtools/python/python3-twisted_24.3.0.bb index 336c173893..272aecb8b0 100644 --- a/meta-python/recipes-devtools/python/python3-twisted_24.3.0.bb +++ b/meta-python/recipes-devtools/python/python3-twisted_24.3.0.bb
@@ -6,6 +6,11 @@ HOMEPAGE = "https://twisted.org"
6	LICENSE = "MIT"	6	LICENSE = "MIT"
7	LIC_FILES_CHKSUM = "file://LICENSE;md5=c1c5d2c2493b848f83864bdedd67bbf5"	7	LIC_FILES_CHKSUM = "file://LICENSE;md5=c1c5d2c2493b848f83864bdedd67bbf5"
8		8
		9	SRC_URI += " \
		10	file://CVE-2024-41671-0001.patch \
		11	file://CVE-2024-41671-0002.patch \
		12	"
		13
9	SRC_URI[sha256sum] = "6b38b6ece7296b5e122c9eb17da2eeab3d98a198f50ca9efd00fb03e5b4fd4ae"	14	SRC_URI[sha256sum] = "6b38b6ece7296b5e122c9eb17da2eeab3d98a198f50ca9efd00fb03e5b4fd4ae"
10		15
11	inherit pypi python_hatchling	16	inherit pypi python_hatchling