python3-aiohttp: fix CVE-2023-49081/CVE-2024-30251/CVE-2024-52304/CVE-2023-49082/CVE-2024-27306

CVE-2023-49081:
aiohttp is an asynchronous HTTP client/server framework for asyncio and
Python. Improper validation made it possible for an attacker to modify
the HTTP request (e.g. to insert a new header) or create a new HTTP
request if the attacker controls the HTTP version. The vulnerability
only occurs if the attacker can control the HTTP version of the request.
This issue has been patched in version 3.9.0.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-49081

Upstream patches:
https://github.com/aio-libs/aiohttp/commit/1e86b777e61cf4eefc7d92fa57fa19dcc676013b

CVE-2024-30251:
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python.
In affected versions an attacker can send a specially crafted POST
(multipart/form-data) request. When the aiohttp server processes it, the server
will enter an infinite loop and be unable to process any further requests. An
attacker can stop the application from serving requests after sending a single
request. This issue has been addressed in version 3.9.4. Users are advised to
upgrade. Users unable to upgrade may manually apply a patch to their systems.
Please see the linked GHSA for instructions.

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-30251

Upstream patches:
https://github.com/aio-libs/aiohttp/commit/cebe526b9c34dc3a3da9140409db63014bc4cf19
https://github.com/aio-libs/aiohttp/commit/7eecdff163ccf029fbb1ddc9de4169d4aaeb6597
https://github.com/aio-libs/aiohttp/commit/f21c6f2ca512a026ce7f0f6c6311f62d6a638866

CVE-2024-52304:
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python.
Prior to version 3.10.11, the Python parser parses newlines in chunk extensions
incorrectly which can lead to request smuggling vulnerabilities under certain
conditions. If a pure Python version of aiohttp is installed (i.e. without the
usual C extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled, then an attacker may
be able to execute a request smuggling attack to bypass certain firewalls or
proxy protections. Version 3.10.11 fixes the issue.

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-52304

Upstream patches:
https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71

CVE-2023-49082:
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python.
Improper validation makes it possible for an attacker to modify the HTTP
request (e.g. insert a new header) or even create a new HTTP request if the
attacker controls the HTTP method. The vulnerability occurs only if the
attacker can control the HTTP method (GET, POST etc.) of the request. If the
attacker can control the HTTP version of the request it will be able to modify
the request (request smuggling). This issue has been patched in version 3.9.0.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-49082

Upstream patches:
https://github.com/aio-libs/aiohttp/pull/7806/commits/a43bc1779892e7014b7723c59d08fb37a000955e

CVE-2024-27306:
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python.
A XSS vulnerability exists on index pages for static file handling. This
vulnerability is fixed in 3.9.4. We have always recommended using a reverse
proxy server (e.g. nginx) for serving static files. Users following the
recommendation are unaffected. Other users can disable `show_index` if unable
to upgrade.

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-27306

Upstream patches:
https://github.com/aio-libs/aiohttp/commit/28335525d1eac015a7e7584137678cbb6ff19397

Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

1 files changed, 81 insertions, 0 deletions

diff --git a/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2024-27306.patch b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2024-27306.patch
new file mode 100644
index 0000000000..f87ef92679
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2024-27306.patch
@@ -0,0 +1,81 @@
+From d05042f1a35ec0adb797c056024d457ac1fd7088 Mon Sep 17 00:00:00 2001
+From: Sam Bull <git@sambull.org>
+Date: Thu, 11 Apr 2024 15:54:45 +0100
+Subject: [PATCH] Escape filenames and paths in HTML when generating index
+ pages (#8317) (#8319)
+
+Upstream-Status: Backport
+[https://github.com/aio-libs/aiohttp/commit/28335525d1eac015a7e7584137678cbb6ff19397]
+
+CVE: CVE-2024-27306
+
+Co-authored-by: J. Nick Koston <nick@koston.org>
+(cherry picked from commit ffbc43233209df302863712b511a11bdb6001b0f)
+Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
+---
+ CHANGES/8317.bugfix.rst      |  1 +
+ aiohttp/web_urldispatcher.py | 11 ++++++-----
+ 2 files changed, 7 insertions(+), 5 deletions(-)
+ create mode 100644 CHANGES/8317.bugfix.rst
+
+diff --git a/CHANGES/8317.bugfix.rst b/CHANGES/8317.bugfix.rst
+new file mode 100644
+index 0000000..b24ef2a
+--- /dev/null
++++ b/CHANGES/8317.bugfix.rst
+@@ -0,0 +1 @@
++Escaped filenames in static view -- by :user:`bdraco`.
+diff --git a/aiohttp/web_urldispatcher.py b/aiohttp/web_urldispatcher.py
+index e8a8023..791ab94 100644
+--- a/aiohttp/web_urldispatcher.py
++++ b/aiohttp/web_urldispatcher.py
+@@ -1,7 +1,9 @@
+ import abc
+ import asyncio
+ import base64
++import functools
+ import hashlib
++import html
+ import inspect
+ import keyword
+ import os
+@@ -87,6 +89,7 @@ PATH_SEP: Final[str] = re.escape("/")
+ _ExpectHandler = Callable[[Request], Awaitable[None]]
+ _Resolve = Tuple[Optional["UrlMappingMatchInfo"], Set[str]]
+ 
++html_escape = functools.partial(html.escape, quote=True)
+ 
+ class _InfoDict(TypedDict, total=False):
+     path: str
+@@ -706,7 +709,7 @@ class StaticResource(PrefixResource):
+         assert filepath.is_dir()
+ 
+         relative_path_to_dir = filepath.relative_to(self._directory).as_posix()
+-        index_of = f"Index of /{relative_path_to_dir}"
++        index_of = f"Index of /{html_escape(relative_path_to_dir)}"
+         h1 = f"<h1>{index_of}</h1>"
+ 
+         index_list = []
+@@ -714,7 +717,7 @@ class StaticResource(PrefixResource):
+         for _file in sorted(dir_index):
+             # show file url as relative to static path
+             rel_path = _file.relative_to(self._directory).as_posix()
+-            file_url = self._prefix + "/" + rel_path
++            quoted_file_url = _quote_path(f"{self._prefix}/{rel_path}")
+ 
+             # if file is a directory, add '/' to the end of the name
+             if _file.is_dir():
+@@ -723,9 +726,7 @@ class StaticResource(PrefixResource):
+                 file_name = _file.name
+ 
+             index_list.append(
+-                '<li><a href="{url}">{name}</a></li>'.format(
+-                    url=file_url, name=file_name
+-                )
++                f'<li><a href="{quoted_file_url}">{html_escape(file_name)}</a></li>'
+             )
+         ul = "<ul>\n{}\n</ul>".format("\n".join(index_list))
+         body = f"<body>\n{h1}\n{ul}\n</body>"
+-- 
+2.25.1
+