python3-werkzeug: fix for CVE-2023-23934

Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like `=__Host-test=bad` for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie `=__Host-test=bad` as __Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. The issue is fixed in Werkzeug 2.2.3. Signed-off-by: Narpat Mali <narpat.mali@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Narpat Mali <narpat.mali@windriver.com> 2023-05-10 13:48:49 +0000
committer: Armin Kuster <akuster808@gmail.com> 2023-06-11 11:43:33 -0400
commit: bdad2a789e30703a825b876279665720d06d55dc (patch)
tree: 62650a9342a8dc72737dfbb060d094d52987d068 /meta-python/recipes-devtools/python/python3-werkzeug
parent: fca236e75a88063489b899e42f7c11b2051a62aa (diff)
download: meta-openembedded-bdad2a789e30703a825b876279665720d06d55dc.tar.gz
1 files changed, 116 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch
new file mode 100644
index 0000000000..0be97d2888
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch
@@ -0,0 +1,116 @@
+From b070a40ebbd89d88f4d8144a6ece017d33604d00 Mon Sep 17 00:00:00 2001
+From: David Lord <davidism@gmail.com>
+Date: Wed, 10 May 2023 11:33:18 +0000
+Subject: [PATCH] Merge pull request from GHSA-px8h-6qxv-m22q
+don't strip leading `=` when parsing cookie
+"src/werkzeug/sansio/http.py" file is not available in the current recipe
+version 2.1.1 and this has been introduced from 2.2.0 version. Before 2.2.0
+version, this http.py file was only available in the "src/werkzeug/http.py"
+and we could see the same functions available there which are getting modified
+in the CVE fix commit. Hence, modifying the same at "src/werkzeug/http.py" file.
+CVE: CVE-2023-23934
+Upstream-Status: Backport [https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028]
+Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
+---
+ CHANGES.rst               |  4 ++++
+ src/werkzeug/_internal.py | 13 +++++++++----
+ src/werkzeug/http.py      |  4 ----
+ tests/test_http.py        |  4 +++-
+ 4 files changed, 16 insertions(+), 9 deletions(-)
+diff --git a/CHANGES.rst b/CHANGES.rst
+index a351d7c..23505d3 100644
+--- a/CHANGES.rst
+++ b/CHANGES.rst
+@@ -1,5 +1,9 @@
+ .. currentmodule:: werkzeug
+-   A cookie header that starts with ``=`` is treated as an empty key and discarded,
+    rather than stripping the leading ``==``.
+
+
+ Version 2.1.1
+ -------------
+diff --git a/src/werkzeug/_internal.py b/src/werkzeug/_internal.py
+index a8b3523..d6290ba 100644
+--- a/src/werkzeug/_internal.py
+++ b/src/werkzeug/_internal.py
+@@ -34,7 +34,7 @@ _quote_re = re.compile(rb"[\\].")
+ _legal_cookie_chars_re = rb"[\w\d!#%&\'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]"
+ _cookie_re = re.compile(
+     rb"""
+-    (?P<key>[^=;]+)
+    (?P<key>[^=;]*)
+     (?:\s*=\s*
+         (?P<val>
+             "(?:[^\\"]|\\.)*" |
+@@ -382,16 +382,21 @@ def _cookie_parse_impl(b: bytes) -> t.Iterator[t.Tuple[bytes, bytes]]:
+     """Lowlevel cookie parsing facility that operates on bytes."""
+     i = 0
+     n = len(b)
+    b += b";"
+     while i < n:
+-        match = _cookie_re.search(b + b";", i)
+        match = _cookie_re.match(b, i)
+
+         if not match:
+             break
+-        key = match.group("key").strip()
+-        value = match.group("val") or b""
+         i = match.end(0)
+        key = match.group("key").strip()
+
+        if not key:
+            continue
+        value = match.group("val") or b""
+         yield key, _cookie_unquote(value)
+diff --git a/src/werkzeug/http.py b/src/werkzeug/http.py
+index 9369900..ae133e3 100644
+--- a/src/werkzeug/http.py
+++ b/src/werkzeug/http.py
+@@ -1205,10 +1205,6 @@ def parse_cookie(
+     def _parse_pairs() -> t.Iterator[t.Tuple[str, str]]:
+         for key, val in _cookie_parse_impl(header):  # type: ignore
+             key_str = _to_str(key, charset, errors, allow_none_charset=True)
+-
+-            if not key_str:
+-                continue
+-
+             val_str = _to_str(val, charset, errors, allow_none_charset=True)
+             yield key_str, val_str
+diff --git a/tests/test_http.py b/tests/test_http.py
+index 5936bfa..59cc179 100644
+--- a/tests/test_http.py
+++ b/tests/test_http.py
+@@ -427,7 +427,8 @@ class TestHTTPUtility:
+     def test_parse_cookie(self):
+         cookies = http.parse_cookie(
+             "dismiss-top=6; CP=null*; PHPSESSID=0a539d42abc001cdc762809248d4beed;"
+-            'a=42; b="\\";"; ; fo234{=bar;blub=Blah; "__Secure-c"=d'
+            'a=42; b="\\";"; ; fo234{=bar;blub=Blah; "__Secure-c"=d;'
+            "==__Host-eq=bad;__Host-eq=good;"
+         )
+         assert cookies.to_dict() == {
+             "CP": "null*",
+@@ -438,6 +439,7 @@ class TestHTTPUtility:
+             "fo234{": "bar",
+             "blub": "Blah",
+             '"__Secure-c"': "d",
+            "__Host-eq": "good",
+         }
+     def test_dump_cookie(self):
+--
+2.40.0
author	Narpat Mali <narpat.mali@windriver.com>	2023-05-10 13:48:49 +0000
committer	Armin Kuster <akuster808@gmail.com>	2023-06-11 11:43:33 -0400
commit	bdad2a789e30703a825b876279665720d06d55dc (patch)
tree	62650a9342a8dc72737dfbb060d094d52987d068 /meta-python/recipes-devtools/python/python3-werkzeug
parent	fca236e75a88063489b899e42f7c11b2051a62aa (diff)
download	meta-openembedded-bdad2a789e30703a825b876279665720d06d55dc.tar.gz

diff --git a/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch new file mode 100644 index 0000000000..0be97d2888 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch
@@ -0,0 +1,116 @@
	1	From b070a40ebbd89d88f4d8144a6ece017d33604d00 Mon Sep 17 00:00:00 2001
	2	From: David Lord <davidism@gmail.com>
	3	Date: Wed, 10 May 2023 11:33:18 +0000
	4	Subject: [PATCH] Merge pull request from GHSA-px8h-6qxv-m22q
	5
	6	don't strip leading `=` when parsing cookie
	7
	8	"src/werkzeug/sansio/http.py" file is not available in the current recipe
	9	version 2.1.1 and this has been introduced from 2.2.0 version. Before 2.2.0
	10	version, this http.py file was only available in the "src/werkzeug/http.py"
	11	and we could see the same functions available there which are getting modified
	12	in the CVE fix commit. Hence, modifying the same at "src/werkzeug/http.py" file.
	13
	14	CVE: CVE-2023-23934
	15
	16	Upstream-Status: Backport [https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028]
	17
	18	Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
	19	---
	20	CHANGES.rst \| 4 ++++
	21	src/werkzeug/_internal.py \| 13 +++++++++----
	22	src/werkzeug/http.py \| 4 ----
	23	tests/test_http.py \| 4 +++-
	24	4 files changed, 16 insertions(+), 9 deletions(-)
	25
	26	diff --git a/CHANGES.rst b/CHANGES.rst
	27	index a351d7c..23505d3 100644
	28	--- a/CHANGES.rst
	29	+++ b/CHANGES.rst
	30	@@ -1,5 +1,9 @@
	31	.. currentmodule:: werkzeug
	32
	33	+- A cookie header that starts with ``=`` is treated as an empty key and discarded,
	34	+ rather than stripping the leading ``==``.
	35	+
	36	+
	37	Version 2.1.1
	38	-------------
	39
	40	diff --git a/src/werkzeug/_internal.py b/src/werkzeug/_internal.py
	41	index a8b3523..d6290ba 100644
	42	--- a/src/werkzeug/_internal.py
	43	+++ b/src/werkzeug/_internal.py
	44	@@ -34,7 +34,7 @@ _quote_re = re.compile(rb"[\\].")
	45	_legal_cookie_chars_re = rb"[\w\d!#%&\'~_`><@,:/\$\*\+\-\.\^\\|\)\(\?\}\{\=]"
	46	_cookie_re = re.compile(
	47	rb"""
	48	- (?P<key>[^=;]+)
	49	+ (?P<key>[^=;]*)
	50	(?:\s=\s
	51	(?P<val>
	52	"(?:[^\\"]\|\\.)*" \|
	53	@@ -382,16 +382,21 @@ def _cookie_parse_impl(b: bytes) -> t.Iterator[t.Tuple[bytes, bytes]]:
	54	"""Lowlevel cookie parsing facility that operates on bytes."""
	55	i = 0
	56	n = len(b)
	57	+ b += b";"
	58
	59	while i < n:
	60	- match = _cookie_re.search(b + b";", i)
	61	+ match = _cookie_re.match(b, i)
	62	+
	63	if not match:
	64	break
	65
	66	- key = match.group("key").strip()
	67	- value = match.group("val") or b""
	68	i = match.end(0)
	69	+ key = match.group("key").strip()
	70	+
	71	+ if not key:
	72	+ continue
	73
	74	+ value = match.group("val") or b""
	75	yield key, _cookie_unquote(value)
	76
	77
	78	diff --git a/src/werkzeug/http.py b/src/werkzeug/http.py
	79	index 9369900..ae133e3 100644
	80	--- a/src/werkzeug/http.py
	81	+++ b/src/werkzeug/http.py
	82	@@ -1205,10 +1205,6 @@ def parse_cookie(
	83	def _parse_pairs() -> t.Iterator[t.Tuple[str, str]]:
	84	for key, val in _cookie_parse_impl(header): # type: ignore
	85	key_str = _to_str(key, charset, errors, allow_none_charset=True)
	86	-
	87	- if not key_str:
	88	- continue
	89	-
	90	val_str = _to_str(val, charset, errors, allow_none_charset=True)
	91	yield key_str, val_str
	92
	93	diff --git a/tests/test_http.py b/tests/test_http.py
	94	index 5936bfa..59cc179 100644
	95	--- a/tests/test_http.py
	96	+++ b/tests/test_http.py
	97	@@ -427,7 +427,8 @@ class TestHTTPUtility:
	98	def test_parse_cookie(self):
	99	cookies = http.parse_cookie(
	100	"dismiss-top=6; CP=null*; PHPSESSID=0a539d42abc001cdc762809248d4beed;"
	101	- 'a=42; b="\\";"; ; fo234{=bar;blub=Blah; "__Secure-c"=d'
	102	+ 'a=42; b="\\";"; ; fo234{=bar;blub=Blah; "__Secure-c"=d;'
	103	+ "==__Host-eq=bad;__Host-eq=good;"
	104	)
	105	assert cookies.to_dict() == {
	106	"CP": "null*",
	107	@@ -438,6 +439,7 @@ class TestHTTPUtility:
	108	"fo234{": "bar",
	109	"blub": "Blah",
	110	'"__Secure-c"': "d",
	111	+ "__Host-eq": "good",
	112	}
	113
	114	def test_dump_cookie(self):
	115	--
	116	2.40.0