python3-aiohttp: fix CVE-2024-42367

aiohttp is an asynchronous HTTP client/server framework for asyncio and
Python. Prior to version 3.10.2, static routes which contain files with
compressed variants (`.gz` or `.br` extension) are vulnerable to path
traversal outside the root directory if those variants are symbolic
links. The server protects static routes from path traversal outside the
root directory when `follow_symlinks=False` (default). It does this by
resolving the requested URL to an absolute path and then checking that
path relative to the root. However, these checks are not performed when
looking for compressed variants in the `FileResponse` class, and
symbolic links are then automatically followed when performing the
`Path.stat()` and `Path.open()` to send the file. Version 3.10.2
contains a patch for the issue.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-42367
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jwhx-xcg6-8xhj

Upstream patch:
https://github.com/aio-libs/aiohttp/commit/ce2e9758814527589b10759a20783fb03b98339f

Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

1 files changed, 65 insertions, 0 deletions

diff --git a/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2024-42367.patch b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2024-42367.patch
new file mode 100644
index 0000000000..dadec31f3a
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2024-42367.patch
@@ -0,0 +1,65 @@
+From e19cb50fb529bbe75cc4f1b68eeb0a3f631ad0d0 Mon Sep 17 00:00:00 2001
+From: "J. Nick Koston" <nick@koston.org>
+Date: Thu, 8 Aug 2024 11:19:28 -0500
+Subject: [PATCH] Do not follow symlinks for compressed file variants (#8652)
+
+CVE: CVE-2024-42367
+
+Upstream-Status: Backport
+[https://github.com/aio-libs/aiohttp/commit/ce2e9758814527589b10759a20783fb03b98339f]
+
+Co-authored-by: Steve Repsher <steverep@users.noreply.github.com>
+Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
+---
+ CHANGES/8652.bugfix.rst     |  1 +
+ aiohttp/web_fileresponse.py | 26 ++++++++++++++++++++++++++
+ 2 files changed, 27 insertions(+)
+ create mode 100644 CHANGES/8652.bugfix.rst
+
+diff --git a/CHANGES/8652.bugfix.rst b/CHANGES/8652.bugfix.rst
+new file mode 100644
+index 000000000..3a1003e50
+--- /dev/null
++++ b/CHANGES/8652.bugfix.rst
+@@ -0,0 +1 @@
++Fixed incorrectly following symlinks for compressed file variants -- by :user:`steverep`.
+diff --git a/aiohttp/web_fileresponse.py b/aiohttp/web_fileresponse.py
+index f41ed3fd0..35dbd41e1 100644
+--- a/aiohttp/web_fileresponse.py
++++ b/aiohttp/web_fileresponse.py
+@@ -127,6 +127,32 @@ class FileResponse(StreamResponse):
+         self.content_length = 0
+         return await super().prepare(request)
+ 
++    def _get_file_path_stat_encoding(
++        self, accept_encoding: str
++    ) -> Tuple[pathlib.Path, os.stat_result, Optional[str]]:
++        """Return the file path, stat result, and encoding.
++
++        If an uncompressed file is returned, the encoding is set to
++        :py:data:`None`.
++
++        This method should be called from a thread executor
++        since it calls os.stat which may block.
++        """
++        file_path = self._path
++        for file_extension, file_encoding in ENCODING_EXTENSIONS.items():
++            if file_encoding not in accept_encoding:
++                continue
++
++            compressed_path = file_path.with_suffix(file_path.suffix + file_extension)
++            with suppress(OSError):
++                # Do not follow symlinks and ignore any non-regular files.
++                st = compressed_path.lstat()
++                if S_ISREG(st.st_mode):
++                    return compressed_path, st, file_encoding
++
++        # Fallback to the uncompressed file
++        return file_path, file_path.stat(), None
++
+     async def prepare(self, request: "BaseRequest") -> Optional[AbstractStreamWriter]:
+         filepath = self._path
+ 
+-- 
+2.34.1
+