python3-twisted: Fix CVE-2024-41810

Twisted is an event-based framework for internet applications, supporting Python 3.6+.
The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability.
If application code allows an attacker to control the redirect URL this vulnerability
may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body.
This vulnerability is fixed in 24.7.0rc1.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-41810

Upstream patch:
https://github.com/twisted/twisted/commit/046a164f89a0f08d3239ecebd750360f8914df33

Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>

2 files changed, 111 insertions, 1 deletions

diff --git a/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41810.patch b/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41810.patch
new file mode 100644
index 0000000000..c0842304dc
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41810.patch
@@ -0,0 +1,109 @@
+From 046a164f89a0f08d3239ecebd750360f8914df33 Mon Sep 17 00:00:00 2001
+From: Adi Roiban <adiroiban@gmail.com>
+Date: Mon Jul 29 14:28:03 2024 +0100
+Subject: [PATCH] Merge commit from fork
+
+Added HTML output encoding the "URL" parameter of the "redirectTo" function
+
+CVE: CVE-2024-41810
+
+Upstream-Status: Backport [https://github.com/twisted/twisted/commit/046a164f89a0f08d3239ecebd750360f8914df33]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ src/twisted/web/_template_util.py          |  2 +-
+ src/twisted/web/newsfragments/12263.bugfix |  1 +
+ src/twisted/web/newsfragments/9839.bugfix  |  1 +
+ src/twisted/web/test/test_util.py          | 39 +++++++++++++++++++++-
+ 4 files changed, 41 insertions(+), 2 deletions(-)
+ create mode 100644 src/twisted/web/newsfragments/12263.bugfix
+ create mode 100644 src/twisted/web/newsfragments/9839.bugfix
+
+diff --git a/src/twisted/web/_template_util.py b/src/twisted/web/_template_util.py
+index bd081bd..3fb56e5 100644
+--- a/src/twisted/web/_template_util.py
++++ b/src/twisted/web/_template_util.py
+@@ -92,7 +92,7 @@ def redirectTo(URL: bytes, request: IRequest) -> bytes:
+     </body>
+ </html>
+ """ % {
+-        b"url": URL
++        b"url": escape(URL.decode("utf-8")).encode("utf-8")
+     }
+     return content
+ 
+diff --git a/src/twisted/web/newsfragments/12263.bugfix b/src/twisted/web/newsfragments/12263.bugfix
+new file mode 100644
+index 0000000..b3982ca
+--- /dev/null
++++ b/src/twisted/web/newsfragments/12263.bugfix
+@@ -0,0 +1 @@
++twisted.web.util.redirectTo now HTML-escapes the provided URL in the fallback response body it returns (GHSA-cf56-g6w6-pqq2). The issue is being tracked with CVE-2024-41810.
+\ No newline at end of file
+diff --git a/src/twisted/web/newsfragments/9839.bugfix b/src/twisted/web/newsfragments/9839.bugfix
+new file mode 100644
+index 0000000..1e2e7f7
+--- /dev/null
++++ b/src/twisted/web/newsfragments/9839.bugfix
+@@ -0,0 +1 @@
++twisted.web.util.redirectTo now HTML-escapes the provided URL in the fallback response body it returns (GHSA-cf56-g6w6-pqq2, CVE-2024-41810).
+diff --git a/src/twisted/web/test/test_util.py b/src/twisted/web/test/test_util.py
+index 996b0d0..87282ce 100644
+--- a/src/twisted/web/test/test_util.py
++++ b/src/twisted/web/test/test_util.py
+@@ -5,7 +5,6 @@
+ Tests for L{twisted.web.util}.
+ """
+ 
+-
+ import gc
+ 
+ from twisted.internet import defer
+@@ -64,6 +63,44 @@ class RedirectToTests(TestCase):
+         targetURL = "http://target.example.com/4321"
+         self.assertRaises(TypeError, redirectTo, targetURL, request)
+ 
++    def test_legitimateRedirect(self):
++        """
++        Legitimate URLs are fully interpolated in the `redirectTo` response body without transformation
++        """
++        request = DummyRequest([b""])
++        html = redirectTo(b"https://twisted.org/", request)
++        expected = b"""
++<html>
++    <head>
++        <meta http-equiv=\"refresh\" content=\"0;URL=https://twisted.org/\">
++    </head>
++    <body bgcolor=\"#FFFFFF\" text=\"#000000\">
++    <a href=\"https://twisted.org/\">click here</a>
++    </body>
++</html>
++"""
++        self.assertEqual(html, expected)
++
++    def test_maliciousRedirect(self):
++        """
++        Malicious URLs are HTML-escaped before interpolating them in the `redirectTo` response body
++        """
++        request = DummyRequest([b""])
++        html = redirectTo(
++            b'https://twisted.org/"><script>alert(document.location)</script>', request
++        )
++        expected = b"""
++<html>
++    <head>
++        <meta http-equiv=\"refresh\" content=\"0;URL=https://twisted.org/&quot;&gt;&lt;script&gt;alert(document.location)&lt;/script&gt;\">
++    </head>
++    <body bgcolor=\"#FFFFFF\" text=\"#000000\">
++    <a href=\"https://twisted.org/&quot;&gt;&lt;script&gt;alert(document.location)&lt;/script&gt;\">click here</a>
++    </body>
++</html>
++"""
++        self.assertEqual(html, expected)
++
+ 
+ class ParentRedirectTests(SynchronousTestCase):
+     """
+-- 
+2.40.0
+
diff --git a/meta-python/recipes-devtools/python/python3-twisted_22.2.0.bb b/meta-python/recipes-devtools/python/python3-twisted_22.2.0.bb
index da83f0123a..ef602890ea 100644
--- a/meta-python/recipes-devtools/python/python3-twisted_22.2.0.bb
+++ b/meta-python/recipes-devtools/python/python3-twisted_22.2.0.bb
@@ -12,7 +12,8 @@ SRC_URI[sha256sum] = "57f32b1f6838facb8c004c89467840367ad38e9e535f8252091345dba5
 PYPI_PACKAGE = "Twisted"
 
 SRC_URI += "file://CVE-2024-41671-0001.patch \
-            file://CVE-2024-41671-0002.patch"
+            file://CVE-2024-41671-0002.patch \
+            file://CVE-2024-41810.patch"
 
 inherit pypi python_setuptools_build_meta