path: root/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2024-52304.patch
From 27b9925ad3ac716a6db3a3d1214b3fe2a260c5c8 Mon Sep 17 00:00:00 2001
From: "J. Nick Koston" <nick@koston.org>
Date: Wed, 13 Nov 2024 08:50:36 -0600
Subject: [PATCH] Fix incorrect parsing of chunk extensions with the pure
 Python parser (#9853)

Upstream-Status: Backport
[https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71]

CVE: CVE-2024-52304

Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
---
 CHANGES/9851.bugfix.rst | 1 +
 aiohttp/http_parser.py  | 7 +++++++
 2 files changed, 8 insertions(+)
 create mode 100644 CHANGES/9851.bugfix.rst

diff --git a/CHANGES/9851.bugfix.rst b/CHANGES/9851.bugfix.rst
new file mode 100644
index 0000000..02541a9
--- /dev/null
+++ b/CHANGES/9851.bugfix.rst
@@ -0,0 +1 @@
+Fixed incorrect parsing of chunk extensions with the pure Python parser -- by :user:`bdraco`.
diff --git a/aiohttp/http_parser.py b/aiohttp/http_parser.py
index 91e01f4..1ee1269 100644
--- a/aiohttp/http_parser.py
+++ b/aiohttp/http_parser.py
@@ -820,6 +820,13 @@ class HttpPayloadParser:
                         i = chunk.find(CHUNK_EXT, 0, pos)
                         if i >= 0:
                             size_b = chunk[:i]  # strip chunk-extensions
+                            # Verify no LF in the chunk-extension
+                            if b"\n" in (ext := chunk[i:pos]):
+                                exc = BadHttpMessage(
+                                    f"Unexpected LF in chunk-extension: {ext!r}"
+                                )
+                                set_exception(self.payload, exc)
+                                raise exc
                         else:
                             size_b = chunk[:pos]
 
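Review bot: The LF check sits only inside the `if i >= 0:` branch, so a chunk-size line with no `;` still goes through `else: size_b = chunk[:pos]` with no check in this hunk. Whether a stray LF on that path is rejected depends on the size validation that follows outside the hunk, as the enclosing method starts and ends beyond it. In the backported aiohttp version, confirm that `size_b` is matched against hex digits only before conversion, because Python's `int()` accepts surrounding whitespace. The diffstat lists only the changelog entry and `aiohttp/http_parser.py`, so no regression test comes with the backport. A parser test that feeds a chunk line whose extension contains `\n` and asserts `BadHttpMessage` would keep the check from being lost in a later rebase of the recipe. The comment could also state the reason, for example `# Reject LF inside the chunk-extension so the chunk-size line is framed only by the line separator`.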
-- 
2.25.1