From 27b9925ad3ac716a6db3a3d1214b3fe2a260c5c8 Mon Sep 17 00:00:00 2001
From: "J. Nick Koston" <nick@koston.org>
Date: Wed, 13 Nov 2024 08:50:36 -0600
Subject: [PATCH] Fix incorrect parsing of chunk extensions with the pure
 Python parser (#9853)

Upstream-Status: Backport
[https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71]

CVE: CVE-2024-52304

Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
---
 CHANGES/9851.bugfix.rst | 1 +
 aiohttp/http_parser.py  | 7 +++++++
 2 files changed, 8 insertions(+)
 create mode 100644 CHANGES/9851.bugfix.rst

diff --git a/CHANGES/9851.bugfix.rst b/CHANGES/9851.bugfix.rst
new file mode 100644
index 0000000..02541a9
--- /dev/null
+++ b/CHANGES/9851.bugfix.rst
@@ -0,0 +1 @@
+Fixed incorrect parsing of chunk extensions with the pure Python parser -- by :user:`bdraco`.
diff --git a/aiohttp/http_parser.py b/aiohttp/http_parser.py
index 91e01f4..1ee1269 100644
--- a/aiohttp/http_parser.py
+++ b/aiohttp/http_parser.py
@@ -820,6 +820,13 @@ class HttpPayloadParser:
                         i = chunk.find(CHUNK_EXT, 0, pos)
                         if i >= 0:
                             size_b = chunk[:i]  # strip chunk-extensions
+                            # Verify no LF in the chunk-extension
+                            if b"\n" in (ext := chunk[i:pos]):
+                                exc = BadHttpMessage(
+                                    f"Unexpected LF in chunk-extension: {ext!r}"
+                                )
+                                set_exception(self.payload, exc)
+                                raise exc
                         else:
                             size_b = chunk[:pos]
 
-- 
2.25.1