1 files changed, 18 insertions, 17 deletions
diff --git a/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch
index 0be97d2888..3a0f4324a1 100644
--- a/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch
+++ b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch
@@ -1,4 +1,4 @@
-From b070a40ebbd89d88f4d8144a6ece017d33604d00 Mon Sep 17 00:00:00 2001
+From db1457abec7fe27148673f5f8bfdf5c52eb7f29f Mon Sep 17 00:00:00 2001
 From: David Lord <davidism@gmail.com>
 Date: Wed, 10 May 2023 11:33:18 +0000
 Subject: [PATCH] Merge pull request from GHSA-px8h-6qxv-m22q
@@ -17,26 +17,26 @@ Upstream-Status: Backport [https://github.com/pallets/werkzeug/commit/cf275f42ac
 Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
 ---
- CHANGES.rst               |  4 ++++
+ CHANGES.rst               |  3 +++
 src/werkzeug/_internal.py | 13 +++++++++----
 src/werkzeug/http.py      |  4 ----
 tests/test_http.py        |  4 +++-
- 4 files changed, 16 insertions(+), 9 deletions(-)
+ 4 files changed, 15 insertions(+), 9 deletions(-)
 diff --git a/CHANGES.rst b/CHANGES.rst
-index a351d7c..23505d3 100644
+index 6e809ba..13ef75b 100644
 --- a/CHANGES.rst
 +++ b/CHANGES.rst
-@@ -1,5 +1,9 @@
+@@ -4,6 +4,9 @@
- .. currentmodule:: werkzeug
+     ``RequestEntityTooLarge`` exception is raised on parsing. This mitigates a DoS
+     attack where a larger number of form/file parts would result in disproportionate
+     resource use.
 +-   A cookie header that starts with ``=`` is treated as an empty key and discarded,
 +    rather than stripping the leading ``==``.
 +
-+
+ 
 Version 2.1.1
 -------------
 diff --git a/src/werkzeug/_internal.py b/src/werkzeug/_internal.py
 index a8b3523..d6290ba 100644
 --- a/src/werkzeug/_internal.py
@@ -55,14 +55,14 @@ index a8b3523..d6290ba 100644
     i = 0
     n = len(b)
 +    b += b";"
+ 
     while i < n:
 -        match = _cookie_re.search(b + b";", i)
 +        match = _cookie_re.match(b, i)
 +
         if not match:
             break
+ 
 -        key = match.group("key").strip()
 -        value = match.group("val") or b""
         i = match.end(0)
@@ -70,11 +70,11 @@ index a8b3523..d6290ba 100644
 +
 +        if not key:
 +            continue
+ 
 +        value = match.group("val") or b""
         yield key, _cookie_unquote(value)
+ 
+ 
 diff --git a/src/werkzeug/http.py b/src/werkzeug/http.py
 index 9369900..ae133e3 100644
 --- a/src/werkzeug/http.py
@@ -89,7 +89,7 @@ index 9369900..ae133e3 100644
 -
             val_str = _to_str(val, charset, errors, allow_none_charset=True)
             yield key_str, val_str
+ 
 diff --git a/tests/test_http.py b/tests/test_http.py
 index 5936bfa..59cc179 100644
 --- a/tests/test_http.py
@@ -110,7 +110,8 @@ index 5936bfa..59cc179 100644
             '"__Secure-c"': "d",
 +            "__Host-eq": "good",
         }
+ 
     def test_dump_cookie(self):
--
+-- 
 2.40.0

diff --git a/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch index 0be97d2888..3a0f4324a1 100644 --- a/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch +++ b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch
@@ -1,4 +1,4 @@
1	From b070a40ebbd89d88f4d8144a6ece017d33604d00 Mon Sep 17 00:00:00 2001	1	From db1457abec7fe27148673f5f8bfdf5c52eb7f29f Mon Sep 17 00:00:00 2001
2	From: David Lord <davidism@gmail.com>	2	From: David Lord <davidism@gmail.com>
3	Date: Wed, 10 May 2023 11:33:18 +0000	3	Date: Wed, 10 May 2023 11:33:18 +0000
4	Subject: [PATCH] Merge pull request from GHSA-px8h-6qxv-m22q	4	Subject: [PATCH] Merge pull request from GHSA-px8h-6qxv-m22q
@@ -17,26 +17,26 @@ Upstream-Status: Backport [https://github.com/pallets/werkzeug/commit/cf275f42ac
17		17
18	Signed-off-by: Narpat Mali <narpat.mali@windriver.com>	18	Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
19	---	19	---
20	CHANGES.rst \| 4 ++++	20	CHANGES.rst \| 3 +++
21	src/werkzeug/_internal.py \| 13 +++++++++----	21	src/werkzeug/_internal.py \| 13 +++++++++----
22	src/werkzeug/http.py \| 4 ----	22	src/werkzeug/http.py \| 4 ----
23	tests/test_http.py \| 4 +++-	23	tests/test_http.py \| 4 +++-
24	4 files changed, 16 insertions(+), 9 deletions(-)	24	4 files changed, 15 insertions(+), 9 deletions(-)
25		25
26	diff --git a/CHANGES.rst b/CHANGES.rst	26	diff --git a/CHANGES.rst b/CHANGES.rst
27	index a351d7c..23505d3 100644	27	index 6e809ba..13ef75b 100644
28	--- a/CHANGES.rst	28	--- a/CHANGES.rst
29	+++ b/CHANGES.rst	29	+++ b/CHANGES.rst
30	@@ -1,5 +1,9 @@	30	@@ -4,6 +4,9 @@
31	.. currentmodule:: werkzeug	31	``RequestEntityTooLarge`` exception is raised on parsing. This mitigates a DoS
32		32	attack where a larger number of form/file parts would result in disproportionate
		33	resource use.
33	+- A cookie header that starts with ``=`` is treated as an empty key and discarded,	34	+- A cookie header that starts with ``=`` is treated as an empty key and discarded,
34	+ rather than stripping the leading ``==``.	35	+ rather than stripping the leading ``==``.
35	+	36	+
36	+	37
37	Version 2.1.1	38	Version 2.1.1
38	-------------	39	-------------
39
40	diff --git a/src/werkzeug/_internal.py b/src/werkzeug/_internal.py	40	diff --git a/src/werkzeug/_internal.py b/src/werkzeug/_internal.py
41	index a8b3523..d6290ba 100644	41	index a8b3523..d6290ba 100644
42	--- a/src/werkzeug/_internal.py	42	--- a/src/werkzeug/_internal.py
@@ -55,14 +55,14 @@ index a8b3523..d6290ba 100644
55	i = 0	55	i = 0
56	n = len(b)	56	n = len(b)
57	+ b += b";"	57	+ b += b";"
58		58
59	while i < n:	59	while i < n:
60	- match = _cookie_re.search(b + b";", i)	60	- match = _cookie_re.search(b + b";", i)
61	+ match = _cookie_re.match(b, i)	61	+ match = _cookie_re.match(b, i)
62	+	62	+
63	if not match:	63	if not match:
64	break	64	break
65		65
66	- key = match.group("key").strip()	66	- key = match.group("key").strip()
67	- value = match.group("val") or b""	67	- value = match.group("val") or b""
68	i = match.end(0)	68	i = match.end(0)
@@ -70,11 +70,11 @@ index a8b3523..d6290ba 100644
70	+	70	+
71	+ if not key:	71	+ if not key:
72	+ continue	72	+ continue
73		73
74	+ value = match.group("val") or b""	74	+ value = match.group("val") or b""
75	yield key, _cookie_unquote(value)	75	yield key, _cookie_unquote(value)
76		76
77		77
78	diff --git a/src/werkzeug/http.py b/src/werkzeug/http.py	78	diff --git a/src/werkzeug/http.py b/src/werkzeug/http.py
79	index 9369900..ae133e3 100644	79	index 9369900..ae133e3 100644
80	--- a/src/werkzeug/http.py	80	--- a/src/werkzeug/http.py
@@ -89,7 +89,7 @@ index 9369900..ae133e3 100644
89	-	89	-
90	val_str = _to_str(val, charset, errors, allow_none_charset=True)	90	val_str = _to_str(val, charset, errors, allow_none_charset=True)
91	yield key_str, val_str	91	yield key_str, val_str
92		92
93	diff --git a/tests/test_http.py b/tests/test_http.py	93	diff --git a/tests/test_http.py b/tests/test_http.py
94	index 5936bfa..59cc179 100644	94	index 5936bfa..59cc179 100644
95	--- a/tests/test_http.py	95	--- a/tests/test_http.py
@@ -110,7 +110,8 @@ index 5936bfa..59cc179 100644
110	'"__Secure-c"': "d",	110	'"__Secure-c"': "d",
111	+ "__Host-eq": "good",	111	+ "__Host-eq": "good",
112	}	112	}
113		113
114	def test_dump_cookie(self):	114	def test_dump_cookie(self):
115	--	115	--
116	2.40.0	116	2.40.0
		117