!22 Fix CVE-2023-49081

From: @wk333 Reviewed-by: @lyn1001 Signed-off-by: @lyn1001
2023-12-01 02:52:19 +00:00 · 2023-12-01 02:52:19 +00:00 · ad603023a6
commit ad603023a6
parent c85a9efd18 eb083e1975
2 changed files with 96 additions and 1 deletions
--- a/CVE-2023-49081.patch
+++ b/CVE-2023-49081.patch
@ -0,0 +1,91 @@
+From 53476dfd4ef4fb1bb74a267714bbc39eda71b403 Mon Sep 17 00:00:00 2001
+From: Sam Bull <git@sambull.org>
+Date: Mon, 13 Nov 2023 22:36:04 +0000
+Subject: [PATCH] Disallow arbitrary sequence types in version (#7835) (#7836)
+
+Origin: https://github.com/aio-libs/aiohttp/commit/53476dfd4ef4fb1bb74a267714bbc39eda71b403
+
+(cherry picked from commit 1e86b777e61cf4eefc7d92fa57fa19dcc676013b)
+---
+ CHANGES/7835.bugfix          |  1 +
+ aiohttp/client_reqrep.py     |  4 ++--
+ tests/test_client_request.py | 20 +++++++++++++++++---
+ 3 files changed, 20 insertions(+), 5 deletions(-)
+ create mode 100644 CHANGES/7835.bugfix
+
+diff --git a/CHANGES/7835.bugfix b/CHANGES/7835.bugfix
+new file mode 100644
+index 0000000000..4ce3af4f6f
+--- /dev/null
+++ b/CHANGES/7835.bugfix
+@@ -0,0 +1 @@
+Fixed arbitrary sequence types being allowed to inject headers via version parameter -- by :user:`Dreamsorcerer`
+diff --git a/aiohttp/client_reqrep.py b/aiohttp/client_reqrep.py
+index 851ab220b8..4cea7466d8 100644
+--- a/aiohttp/client_reqrep.py
+++ b/aiohttp/client_reqrep.py
+@@ -706,8 +706,8 @@ async def send(self, conn: "Connection") -> "ClientResponse":
+             self.headers[hdrs.CONNECTION] = connection
+ 
+         # status + headers
+-        status_line = "{0} {1} HTTP/{2[0]}.{2[1]}".format(
+-            self.method, path, self.version
+        status_line = "{0} {1} HTTP/{v.major}.{v.minor}".format(
+            self.method, path, v=self.version
+         )
+         await writer.write_headers(status_line, self.headers)
+ 
+diff --git a/tests/test_client_request.py b/tests/test_client_request.py
+index 0f58d752de..c8ce98d403 100644
+--- a/tests/test_client_request.py
+++ b/tests/test_client_request.py
+@@ -21,6 +21,7 @@
+     Fingerprint,
+     _merge_ssl_params,
+ )
+from aiohttp.http import HttpVersion
+ from aiohttp.test_utils import make_mocked_coro
+ 
+ 
+@@ -623,18 +624,18 @@ async def test_connection_header(loop, conn) -> None:
+     req.headers.clear()
+ 
+     req.keep_alive.return_value = True
+-    req.version = (1, 1)
+    req.version = HttpVersion(1, 1)
+     req.headers.clear()
+     await req.send(conn)
+     assert req.headers.get("CONNECTION") is None
+ 
+-    req.version = (1, 0)
+    req.version = HttpVersion(1, 0)
+     req.headers.clear()
+     await req.send(conn)
+     assert req.headers.get("CONNECTION") == "keep-alive"
+ 
+     req.keep_alive.return_value = False
+-    req.version = (1, 1)
+    req.version = HttpVersion(1, 1)
+     req.headers.clear()
+     await req.send(conn)
+     assert req.headers.get("CONNECTION") == "close"
+@@ -1161,6 +1162,19 @@ async def gen():
+     resp.close()
+ 
+ 
+async def test_bad_version(loop, conn) -> None:
+    req = ClientRequest(
+        "GET",
+        URL("http://python.org"),
+        loop=loop,
+        headers={"Connection": "Close"},
+        version=("1", "1\r\nInjected-Header: not allowed"),
+    )
+
+    with pytest.raises(AttributeError):
+        await req.send(conn)
+
+
+ async def test_custom_response_class(loop, conn) -> None:
+     class CustomResponse(ClientResponse):
+         def read(self, decode=False):
--- a/python-aiohttp.spec
+++ b/python-aiohttp.spec
@ -1,13 +1,14 @@
 %global _empty_manifest_terminate_build 0
 Name:		python-aiohttp
 Version:	3.7.4
-Release:	3
+Release:	4
 Summary:	Async http client/server framework (asyncio)
 License:	Apache 2
 URL:		https://github.com/aio-libs/aiohttp
 Source0:	https://files.pythonhosted.org/packages/99/f5/90ede947a3ce2d6de1614799f5fea4e93c19b6520a59dc5d2f64123b032f/aiohttp-3.7.4.post0.tar.gz
 Patch0:         change-require-chardet-package-version.patch
 Patch1:         CVE-2023-47641.patch
+Patch2:         CVE-2023-49081.patch

 BuildRequires:	python3-attrs
 BuildRequires:	python3-chardet
@ -78,6 +79,9 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*

 %changelog
+* Fri Dec 01 2023 wangkai <13474090681@163.com> - 3.7.4-4
+- Fix CVE-2023-49081
+
 * Thu Nov 16 2023 yaoxin <yao_xin001@hoperun.com> - 3.7.4-3
 - Fix CVE-2023-47641