2 files changed, 118 insertions, 1 deletions
diff --git a/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch
new file mode 100644
index 0000000000..0be97d2888
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch
@@ -0,0 +1,116 @@
+From b070a40ebbd89d88f4d8144a6ece017d33604d00 Mon Sep 17 00:00:00 2001
+From: David Lord <davidism@gmail.com>
+Date: Wed, 10 May 2023 11:33:18 +0000
+Subject: [PATCH] Merge pull request from GHSA-px8h-6qxv-m22q
+don't strip leading `=` when parsing cookie
+"src/werkzeug/sansio/http.py" file is not available in the current recipe
+version 2.1.1 and this has been introduced from 2.2.0 version. Before 2.2.0
+version, this http.py file was only available in the "src/werkzeug/http.py"
+and we could see the same functions available there which are getting modified
+in the CVE fix commit. Hence, modifying the same at "src/werkzeug/http.py" file.
+CVE: CVE-2023-23934
+Upstream-Status: Backport [https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028]
+Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
+---
+ CHANGES.rst               |  4 ++++
+ src/werkzeug/_internal.py | 13 +++++++++----
+ src/werkzeug/http.py      |  4 ----
+ tests/test_http.py        |  4 +++-
+ 4 files changed, 16 insertions(+), 9 deletions(-)
+diff --git a/CHANGES.rst b/CHANGES.rst
+index a351d7c..23505d3 100644
+--- a/CHANGES.rst
+++ b/CHANGES.rst
+@@ -1,5 +1,9 @@
+ .. currentmodule:: werkzeug
+-   A cookie header that starts with ``=`` is treated as an empty key and discarded,
+    rather than stripping the leading ``==``.
+
+
+ Version 2.1.1
+ -------------
+diff --git a/src/werkzeug/_internal.py b/src/werkzeug/_internal.py
+index a8b3523..d6290ba 100644
+--- a/src/werkzeug/_internal.py
+++ b/src/werkzeug/_internal.py
+@@ -34,7 +34,7 @@ _quote_re = re.compile(rb"[\\].")
+ _legal_cookie_chars_re = rb"[\w\d!#%&\'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]"
+ _cookie_re = re.compile(
+     rb"""
+-    (?P<key>[^=;]+)
+    (?P<key>[^=;]*)
+     (?:\s*=\s*
+         (?P<val>
+             "(?:[^\\"]|\\.)*" |
+@@ -382,16 +382,21 @@ def _cookie_parse_impl(b: bytes) -> t.Iterator[t.Tuple[bytes, bytes]]:
+     """Lowlevel cookie parsing facility that operates on bytes."""
+     i = 0
+     n = len(b)
+    b += b";"
+     while i < n:
+-        match = _cookie_re.search(b + b";", i)
+        match = _cookie_re.match(b, i)
+
+         if not match:
+             break
+-        key = match.group("key").strip()
+-        value = match.group("val") or b""
+         i = match.end(0)
+        key = match.group("key").strip()
+
+        if not key:
+            continue
+        value = match.group("val") or b""
+         yield key, _cookie_unquote(value)
+diff --git a/src/werkzeug/http.py b/src/werkzeug/http.py
+index 9369900..ae133e3 100644
+--- a/src/werkzeug/http.py
+++ b/src/werkzeug/http.py
+@@ -1205,10 +1205,6 @@ def parse_cookie(
+     def _parse_pairs() -> t.Iterator[t.Tuple[str, str]]:
+         for key, val in _cookie_parse_impl(header):  # type: ignore
+             key_str = _to_str(key, charset, errors, allow_none_charset=True)
+-
+-            if not key_str:
+-                continue
+-
+             val_str = _to_str(val, charset, errors, allow_none_charset=True)
+             yield key_str, val_str
+diff --git a/tests/test_http.py b/tests/test_http.py
+index 5936bfa..59cc179 100644
+--- a/tests/test_http.py
+++ b/tests/test_http.py
+@@ -427,7 +427,8 @@ class TestHTTPUtility:
+     def test_parse_cookie(self):
+         cookies = http.parse_cookie(
+             "dismiss-top=6; CP=null*; PHPSESSID=0a539d42abc001cdc762809248d4beed;"
+-            'a=42; b="\\";"; ; fo234{=bar;blub=Blah; "__Secure-c"=d'
+            'a=42; b="\\";"; ; fo234{=bar;blub=Blah; "__Secure-c"=d;'
+            "==__Host-eq=bad;__Host-eq=good;"
+         )
+         assert cookies.to_dict() == {
+             "CP": "null*",
+@@ -438,6 +439,7 @@ class TestHTTPUtility:
+             "fo234{": "bar",
+             "blub": "Blah",
+             '"__Secure-c"': "d",
+            "__Host-eq": "good",
+         }
+     def test_dump_cookie(self):
+--
+2.40.0
diff --git a/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb b/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb
index 324a4b7996..fc0789a73e 100644
--- a/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb
+++ b/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb
@@ -12,7 +12,8 @@ LIC_FILES_CHKSUM = "file://LICENSE.rst;md5=5dc88300786f1c214c1e9827a5229462"
 PYPI_PACKAGE = "Werkzeug"
-SRC_URI += "file://CVE-2023-25577.patch"
+SRC_URI += "file://CVE-2023-25577.patch \
+            file://CVE-2023-23934.patch"
 SRC_URI[sha256sum] = "f8e89a20aeabbe8a893c24a461d3ee5dad2123b05cc6abd73ceed01d39c3ae74"

diff --git a/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch new file mode 100644 index 0000000000..0be97d2888 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch
@@ -0,0 +1,116 @@
		1	From b070a40ebbd89d88f4d8144a6ece017d33604d00 Mon Sep 17 00:00:00 2001
		2	From: David Lord <davidism@gmail.com>
		3	Date: Wed, 10 May 2023 11:33:18 +0000
		4	Subject: [PATCH] Merge pull request from GHSA-px8h-6qxv-m22q
		5
		6	don't strip leading `=` when parsing cookie
		7
		8	"src/werkzeug/sansio/http.py" file is not available in the current recipe
		9	version 2.1.1 and this has been introduced from 2.2.0 version. Before 2.2.0
		10	version, this http.py file was only available in the "src/werkzeug/http.py"
		11	and we could see the same functions available there which are getting modified
		12	in the CVE fix commit. Hence, modifying the same at "src/werkzeug/http.py" file.
		13
		14	CVE: CVE-2023-23934
		15
		16	Upstream-Status: Backport [https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028]
		17
		18	Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
		19	---
		20	CHANGES.rst \| 4 ++++
		21	src/werkzeug/_internal.py \| 13 +++++++++----
		22	src/werkzeug/http.py \| 4 ----
		23	tests/test_http.py \| 4 +++-
		24	4 files changed, 16 insertions(+), 9 deletions(-)
		25
		26	diff --git a/CHANGES.rst b/CHANGES.rst
		27	index a351d7c..23505d3 100644
		28	--- a/CHANGES.rst
		29	+++ b/CHANGES.rst
		30	@@ -1,5 +1,9 @@
		31	.. currentmodule:: werkzeug
		32
		33	+- A cookie header that starts with ``=`` is treated as an empty key and discarded,
		34	+ rather than stripping the leading ``==``.
		35	+
		36	+
		37	Version 2.1.1
		38	-------------
		39
		40	diff --git a/src/werkzeug/_internal.py b/src/werkzeug/_internal.py
		41	index a8b3523..d6290ba 100644
		42	--- a/src/werkzeug/_internal.py
		43	+++ b/src/werkzeug/_internal.py
		44	@@ -34,7 +34,7 @@ _quote_re = re.compile(rb"[\\].")
		45	_legal_cookie_chars_re = rb"[\w\d!#%&\'~_`><@,:/\$\*\+\-\.\^\\|\)\(\?\}\{\=]"
		46	_cookie_re = re.compile(
		47	rb"""
		48	- (?P<key>[^=;]+)
		49	+ (?P<key>[^=;]*)
		50	(?:\s=\s
		51	(?P<val>
		52	"(?:[^\\"]\|\\.)*" \|
		53	@@ -382,16 +382,21 @@ def _cookie_parse_impl(b: bytes) -> t.Iterator[t.Tuple[bytes, bytes]]:
		54	"""Lowlevel cookie parsing facility that operates on bytes."""
		55	i = 0
		56	n = len(b)
		57	+ b += b";"
		58
		59	while i < n:
		60	- match = _cookie_re.search(b + b";", i)
		61	+ match = _cookie_re.match(b, i)
		62	+
		63	if not match:
		64	break
		65
		66	- key = match.group("key").strip()
		67	- value = match.group("val") or b""
		68	i = match.end(0)
		69	+ key = match.group("key").strip()
		70	+
		71	+ if not key:
		72	+ continue
		73
		74	+ value = match.group("val") or b""
		75	yield key, _cookie_unquote(value)
		76
		77
		78	diff --git a/src/werkzeug/http.py b/src/werkzeug/http.py
		79	index 9369900..ae133e3 100644
		80	--- a/src/werkzeug/http.py
		81	+++ b/src/werkzeug/http.py
		82	@@ -1205,10 +1205,6 @@ def parse_cookie(
		83	def _parse_pairs() -> t.Iterator[t.Tuple[str, str]]:
		84	for key, val in _cookie_parse_impl(header): # type: ignore
		85	key_str = _to_str(key, charset, errors, allow_none_charset=True)
		86	-
		87	- if not key_str:
		88	- continue
		89	-
		90	val_str = _to_str(val, charset, errors, allow_none_charset=True)
		91	yield key_str, val_str
		92
		93	diff --git a/tests/test_http.py b/tests/test_http.py
		94	index 5936bfa..59cc179 100644
		95	--- a/tests/test_http.py
		96	+++ b/tests/test_http.py
		97	@@ -427,7 +427,8 @@ class TestHTTPUtility:
		98	def test_parse_cookie(self):
		99	cookies = http.parse_cookie(
		100	"dismiss-top=6; CP=null*; PHPSESSID=0a539d42abc001cdc762809248d4beed;"
		101	- 'a=42; b="\\";"; ; fo234{=bar;blub=Blah; "__Secure-c"=d'
		102	+ 'a=42; b="\\";"; ; fo234{=bar;blub=Blah; "__Secure-c"=d;'
		103	+ "==__Host-eq=bad;__Host-eq=good;"
		104	)
		105	assert cookies.to_dict() == {
		106	"CP": "null*",
		107	@@ -438,6 +439,7 @@ class TestHTTPUtility:
		108	"fo234{": "bar",
		109	"blub": "Blah",
		110	'"__Secure-c"': "d",
		111	+ "__Host-eq": "good",
		112	}
		113
		114	def test_dump_cookie(self):
		115	--
		116	2.40.0


diff --git a/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb b/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb index 324a4b7996..fc0789a73e 100644 --- a/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb +++ b/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb
@@ -12,7 +12,8 @@ LIC_FILES_CHKSUM = "file://LICENSE.rst;md5=5dc88300786f1c214c1e9827a5229462"
12		12
13	PYPI_PACKAGE = "Werkzeug"	13	PYPI_PACKAGE = "Werkzeug"
14		14
15	SRC_URI += "file://CVE-2023-25577.patch"	15	SRC_URI += "file://CVE-2023-25577.patch \
		16	file://CVE-2023-23934.patch"
16		17
17	SRC_URI[sha256sum] = "f8e89a20aeabbe8a893c24a461d3ee5dad2123b05cc6abd73ceed01d39c3ae74"	18	SRC_URI[sha256sum] = "f8e89a20aeabbe8a893c24a461d3ee5dad2123b05cc6abd73ceed01d39c3ae74"
18		19