2 files changed, 111 insertions, 1 deletions
diff --git a/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41810.patch b/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41810.patch
new file mode 100644
index 0000000000..c0842304dc
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41810.patch
@@ -0,0 +1,109 @@
+From 046a164f89a0f08d3239ecebd750360f8914df33 Mon Sep 17 00:00:00 2001
+From: Adi Roiban <adiroiban@gmail.com>
+Date: Mon Jul 29 14:28:03 2024 +0100
+Subject: [PATCH] Merge commit from fork
+Added HTML output encoding the "URL" parameter of the "redirectTo" function
+CVE: CVE-2024-41810
+Upstream-Status: Backport [https://github.com/twisted/twisted/commit/046a164f89a0f08d3239ecebd750360f8914df33]
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ src/twisted/web/_template_util.py          |  2 +-
+ src/twisted/web/newsfragments/12263.bugfix |  1 +
+ src/twisted/web/newsfragments/9839.bugfix  |  1 +
+ src/twisted/web/test/test_util.py          | 39 +++++++++++++++++++++-
+ 4 files changed, 41 insertions(+), 2 deletions(-)
+ create mode 100644 src/twisted/web/newsfragments/12263.bugfix
+ create mode 100644 src/twisted/web/newsfragments/9839.bugfix
+diff --git a/src/twisted/web/_template_util.py b/src/twisted/web/_template_util.py
+index bd081bd..3fb56e5 100644
+--- a/src/twisted/web/_template_util.py
+++ b/src/twisted/web/_template_util.py
+@@ -92,7 +92,7 @@ def redirectTo(URL: bytes, request: IRequest) -> bytes:
+     </body>
+ </html>
+ """ % {
+-        b"url": URL
+        b"url": escape(URL.decode("utf-8")).encode("utf-8")
+     }
+     return content
+ 
+diff --git a/src/twisted/web/newsfragments/12263.bugfix b/src/twisted/web/newsfragments/12263.bugfix
+new file mode 100644
+index 0000000..b3982ca
+--- /dev/null
+++ b/src/twisted/web/newsfragments/12263.bugfix
+@@ -0,0 +1 @@
+twisted.web.util.redirectTo now HTML-escapes the provided URL in the fallback response body it returns (GHSA-cf56-g6w6-pqq2). The issue is being tracked with CVE-2024-41810.
+\ No newline at end of file
+diff --git a/src/twisted/web/newsfragments/9839.bugfix b/src/twisted/web/newsfragments/9839.bugfix
+new file mode 100644
+index 0000000..1e2e7f7
+--- /dev/null
+++ b/src/twisted/web/newsfragments/9839.bugfix
+@@ -0,0 +1 @@
+twisted.web.util.redirectTo now HTML-escapes the provided URL in the fallback response body it returns (GHSA-cf56-g6w6-pqq2, CVE-2024-41810).
+diff --git a/src/twisted/web/test/test_util.py b/src/twisted/web/test/test_util.py
+index 996b0d0..87282ce 100644
+--- a/src/twisted/web/test/test_util.py
+++ b/src/twisted/web/test/test_util.py
+@@ -5,7 +5,6 @@
+ Tests for L{twisted.web.util}.
+ """
+ 
+-
+ import gc
+ 
+ from twisted.internet import defer
+@@ -64,6 +63,44 @@ class RedirectToTests(TestCase):
+         targetURL = "http://target.example.com/4321"
+         self.assertRaises(TypeError, redirectTo, targetURL, request)
+ 
+    def test_legitimateRedirect(self):
+        """
+        Legitimate URLs are fully interpolated in the `redirectTo` response body without transformation
+        """
+        request = DummyRequest([b""])
+        html = redirectTo(b"https://twisted.org/", request)
+        expected = b"""
+<html>
+    <head>
+        <meta http-equiv=\"refresh\" content=\"0;URL=https://twisted.org/\">
+    </head>
+    <body bgcolor=\"#FFFFFF\" text=\"#000000\">
+    <a href=\"https://twisted.org/\">click here</a>
+    </body>
+</html>
+"""
+        self.assertEqual(html, expected)
+
+    def test_maliciousRedirect(self):
+        """
+        Malicious URLs are HTML-escaped before interpolating them in the `redirectTo` response body
+        """
+        request = DummyRequest([b""])
+        html = redirectTo(
+            b'https://twisted.org/"><script>alert(document.location)</script>', request
+        )
+        expected = b"""
+<html>
+    <head>
+        <meta http-equiv=\"refresh\" content=\"0;URL=https://twisted.org/&quot;&gt;&lt;script&gt;alert(document.location)&lt;/script&gt;\">
+    </head>
+    <body bgcolor=\"#FFFFFF\" text=\"#000000\">
+    <a href=\"https://twisted.org/&quot;&gt;&lt;script&gt;alert(document.location)&lt;/script&gt;\">click here</a>
+    </body>
+</html>
+"""
+        self.assertEqual(html, expected)
+
+ 
+ class ParentRedirectTests(SynchronousTestCase):
+     """
+-- 
+2.40.0
diff --git a/meta-python/recipes-devtools/python/python3-twisted_22.2.0.bb b/meta-python/recipes-devtools/python/python3-twisted_22.2.0.bb
index da83f0123a..ef602890ea 100644
--- a/meta-python/recipes-devtools/python/python3-twisted_22.2.0.bb
+++ b/meta-python/recipes-devtools/python/python3-twisted_22.2.0.bb
@@ -12,7 +12,8 @@ SRC_URI[sha256sum] = "57f32b1f6838facb8c004c89467840367ad38e9e535f8252091345dba5
 PYPI_PACKAGE = "Twisted"
 SRC_URI += "file://CVE-2024-41671-0001.patch \
-            file://CVE-2024-41671-0002.patch"
+            file://CVE-2024-41671-0002.patch \
+            file://CVE-2024-41810.patch"
 inherit pypi python_setuptools_build_meta

diff --git a/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41810.patch b/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41810.patch new file mode 100644 index 0000000000..c0842304dc --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41810.patch
@@ -0,0 +1,109 @@
		1	From 046a164f89a0f08d3239ecebd750360f8914df33 Mon Sep 17 00:00:00 2001
		2	From: Adi Roiban <adiroiban@gmail.com>
		3	Date: Mon Jul 29 14:28:03 2024 +0100
		4	Subject: [PATCH] Merge commit from fork
		5
		6	Added HTML output encoding the "URL" parameter of the "redirectTo" function
		7
		8	CVE: CVE-2024-41810
		9
		10	Upstream-Status: Backport [https://github.com/twisted/twisted/commit/046a164f89a0f08d3239ecebd750360f8914df33]
		11
		12	Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
		13	---
		14	src/twisted/web/_template_util.py \| 2 +-
		15	src/twisted/web/newsfragments/12263.bugfix \| 1 +
		16	src/twisted/web/newsfragments/9839.bugfix \| 1 +
		17	src/twisted/web/test/test_util.py \| 39 +++++++++++++++++++++-
		18	4 files changed, 41 insertions(+), 2 deletions(-)
		19	create mode 100644 src/twisted/web/newsfragments/12263.bugfix
		20	create mode 100644 src/twisted/web/newsfragments/9839.bugfix
		21
		22	diff --git a/src/twisted/web/_template_util.py b/src/twisted/web/_template_util.py
		23	index bd081bd..3fb56e5 100644
		24	--- a/src/twisted/web/_template_util.py
		25	+++ b/src/twisted/web/_template_util.py
		26	@@ -92,7 +92,7 @@ def redirectTo(URL: bytes, request: IRequest) -> bytes:
		27	</body>
		28	</html>
		29	""" % {
		30	- b"url": URL
		31	+ b"url": escape(URL.decode("utf-8")).encode("utf-8")
		32	}
		33	return content
		34
		35	diff --git a/src/twisted/web/newsfragments/12263.bugfix b/src/twisted/web/newsfragments/12263.bugfix
		36	new file mode 100644
		37	index 0000000..b3982ca
		38	--- /dev/null
		39	+++ b/src/twisted/web/newsfragments/12263.bugfix
		40	@@ -0,0 +1 @@
		41	+twisted.web.util.redirectTo now HTML-escapes the provided URL in the fallback response body it returns (GHSA-cf56-g6w6-pqq2). The issue is being tracked with CVE-2024-41810.
		42	\ No newline at end of file
		43	diff --git a/src/twisted/web/newsfragments/9839.bugfix b/src/twisted/web/newsfragments/9839.bugfix
		44	new file mode 100644
		45	index 0000000..1e2e7f7
		46	--- /dev/null
		47	+++ b/src/twisted/web/newsfragments/9839.bugfix
		48	@@ -0,0 +1 @@
		49	+twisted.web.util.redirectTo now HTML-escapes the provided URL in the fallback response body it returns (GHSA-cf56-g6w6-pqq2, CVE-2024-41810).
		50	diff --git a/src/twisted/web/test/test_util.py b/src/twisted/web/test/test_util.py
		51	index 996b0d0..87282ce 100644
		52	--- a/src/twisted/web/test/test_util.py
		53	+++ b/src/twisted/web/test/test_util.py
		54	@@ -5,7 +5,6 @@
		55	Tests for L{twisted.web.util}.
		56	"""
		57
		58	-
		59	import gc
		60
		61	from twisted.internet import defer
		62	@@ -64,6 +63,44 @@ class RedirectToTests(TestCase):
		63	targetURL = "http://target.example.com/4321"
		64	self.assertRaises(TypeError, redirectTo, targetURL, request)
		65
		66	+ def test_legitimateRedirect(self):
		67	+ """
		68	+ Legitimate URLs are fully interpolated in the `redirectTo` response body without transformation
		69	+ """
		70	+ request = DummyRequest([b""])
		71	+ html = redirectTo(b"https://twisted.org/", request)
		72	+ expected = b"""
		73	+<html>
		74	+ <head>
		75	+ <meta http-equiv=\"refresh\" content=\"0;URL=https://twisted.org/\">
		76	+ </head>
		77	+ <body bgcolor=\"#FFFFFF\" text=\"#000000\">
		78	+ <a href=\"https://twisted.org/\">click here</a>
		79	+ </body>
		80	+</html>
		81	+"""
		82	+ self.assertEqual(html, expected)
		83	+
		84	+ def test_maliciousRedirect(self):
		85	+ """
		86	+ Malicious URLs are HTML-escaped before interpolating them in the `redirectTo` response body
		87	+ """
		88	+ request = DummyRequest([b""])
		89	+ html = redirectTo(
		90	+ b'https://twisted.org/"><script>alert(document.location)</script>', request
		91	+ )
		92	+ expected = b"""
		93	+<html>
		94	+ <head>
		95	+ <meta http-equiv=\"refresh\" content=\"0;URL=https://twisted.org/"><script>alert(document.location)</script>\">
		96	+ </head>
		97	+ <body bgcolor=\"#FFFFFF\" text=\"#000000\">
		98	+ <a href=\"https://twisted.org/"><script>alert(document.location)</script>\">click here</a>
		99	+ </body>
		100	+</html>
		101	+"""
		102	+ self.assertEqual(html, expected)
		103	+
		104
		105	class ParentRedirectTests(SynchronousTestCase):
		106	"""
		107	--
		108	2.40.0
		109


diff --git a/meta-python/recipes-devtools/python/python3-twisted_22.2.0.bb b/meta-python/recipes-devtools/python/python3-twisted_22.2.0.bb index da83f0123a..ef602890ea 100644 --- a/meta-python/recipes-devtools/python/python3-twisted_22.2.0.bb +++ b/meta-python/recipes-devtools/python/python3-twisted_22.2.0.bb
@@ -12,7 +12,8 @@ SRC_URI[sha256sum] = "57f32b1f6838facb8c004c89467840367ad38e9e535f8252091345dba5
12	PYPI_PACKAGE = "Twisted"	12	PYPI_PACKAGE = "Twisted"
13		13
14	SRC_URI += "file://CVE-2024-41671-0001.patch \	14	SRC_URI += "file://CVE-2024-41671-0001.patch \
15	file://CVE-2024-41671-0002.patch"	15	file://CVE-2024-41671-0002.patch \
		16	file://CVE-2024-41810.patch"
16		17
17	inherit pypi python_setuptools_build_meta	18	inherit pypi python_setuptools_build_meta
18		19