1 files changed, 96 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2023-49081.patch b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2023-49081.patch
new file mode 100644
index 0000000000..503b001445
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2023-49081.patch
@@ -0,0 +1,96 @@
+From 67bf97cd1dfa513c8b6374905ee225b4d46cdf20 Mon Sep 17 00:00:00 2001
+From: Sam Bull <git@sambull.org>
+Date: Mon, 13 Nov 2023 22:13:06 +0000
+Subject: [PATCH] Disallow arbitrary sequence types in version (#7835)
+Upstream-Status: Backport
+[https://github.com/aio-libs/aiohttp/commit/1e86b777e61cf4eefc7d92fa57fa19dcc676013b]
+CVE: CVE-2023-49081
+Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
+Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
+---
+ CHANGES/7835.bugfix          |  1 +
+ aiohttp/client_reqrep.py     |  4 ++--
+ tests/test_client_request.py | 18 +++++++++++++++---
+ 3 files changed, 18 insertions(+), 5 deletions(-)
+ create mode 100644 CHANGES/7835.bugfix
+diff --git a/CHANGES/7835.bugfix b/CHANGES/7835.bugfix
+new file mode 100644
+index 0000000..4ce3af4
+--- /dev/null
+++ b/CHANGES/7835.bugfix
+@@ -0,0 +1 @@
+Fixed arbitrary sequence types being allowed to inject headers via version parameter -- by :user:`Dreamsorcerer`
+diff --git a/aiohttp/client_reqrep.py b/aiohttp/client_reqrep.py
+index 987d68f..d3cd77e 100644
+--- a/aiohttp/client_reqrep.py
+++ b/aiohttp/client_reqrep.py
+@@ -661,8 +661,8 @@ class ClientRequest:
+             self.headers[hdrs.CONNECTION] = connection
+ 
+         # status + headers
+-        status_line = "{0} {1} HTTP/{2[0]}.{2[1]}".format(
+-            self.method, path, self.version
+        status_line = "{0} {1} HTTP/{v.major}.{v.minor}".format(
+            self.method, path, v=self.version
+         )
+         await writer.write_headers(status_line, self.headers)
+ 
+diff --git a/tests/test_client_request.py b/tests/test_client_request.py
+index 9eeb933..009f1a0 100644
+--- a/tests/test_client_request.py
+++ b/tests/test_client_request.py
+@@ -20,6 +20,7 @@ from aiohttp.client_reqrep import (
+     _merge_ssl_params,
+ )
+ from aiohttp.helpers import PY_311
+from aiohttp.http import HttpVersion
+ from aiohttp.test_utils import make_mocked_coro
+ 
+ 
+@@ -576,18 +577,18 @@ async def test_connection_header(loop, conn) -> None:
+     req.headers.clear()
+ 
+     req.keep_alive.return_value = True
+-    req.version = (1, 1)
+    req.version = HttpVersion(1, 1)
+     req.headers.clear()
+     await req.send(conn)
+     assert req.headers.get("CONNECTION") is None
+ 
+-    req.version = (1, 0)
+    req.version = HttpVersion(1, 0)
+     req.headers.clear()
+     await req.send(conn)
+     assert req.headers.get("CONNECTION") == "keep-alive"
+ 
+     req.keep_alive.return_value = False
+-    req.version = (1, 1)
+    req.version = HttpVersion(1, 1)
+     req.headers.clear()
+     await req.send(conn)
+     assert req.headers.get("CONNECTION") == "close"
+@@ -1113,6 +1114,17 @@ async def test_close(loop, buf, conn) -> None:
+     await req.close()
+     resp.close()
+ 
+async def test_bad_version(loop: Any, conn: Any) -> None:
+    req = ClientRequest(
+        "GET",
+        URL("http://python.org"),
+        loop=loop,
+        headers={"Connection": "Close"},
+        version=("1", "1\r\nInjected-Header: not allowed"),
+    )
+
+    with pytest.raises(AttributeError):
+        await req.send(conn)
+ 
+ async def test_custom_response_class(loop, conn) -> None:
+     class CustomResponse(ClientResponse):
+-- 
+2.25.1

diff --git a/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2023-49081.patch b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2023-49081.patch new file mode 100644 index 0000000000..503b001445 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2023-49081.patch
@@ -0,0 +1,96 @@
	1	From 67bf97cd1dfa513c8b6374905ee225b4d46cdf20 Mon Sep 17 00:00:00 2001
	2	From: Sam Bull <git@sambull.org>
	3	Date: Mon, 13 Nov 2023 22:13:06 +0000
	4	Subject: [PATCH] Disallow arbitrary sequence types in version (#7835)
	5
	6	Upstream-Status: Backport
	7	[https://github.com/aio-libs/aiohttp/commit/1e86b777e61cf4eefc7d92fa57fa19dcc676013b]
	8
	9	CVE: CVE-2023-49081
	10
	11	Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
	12	Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
	13	---
	14	CHANGES/7835.bugfix \| 1 +
	15	aiohttp/client_reqrep.py \| 4 ++--
	16	tests/test_client_request.py \| 18 +++++++++++++++---
	17	3 files changed, 18 insertions(+), 5 deletions(-)
	18	create mode 100644 CHANGES/7835.bugfix
	19
	20	diff --git a/CHANGES/7835.bugfix b/CHANGES/7835.bugfix
	21	new file mode 100644
	22	index 0000000..4ce3af4
	23	--- /dev/null
	24	+++ b/CHANGES/7835.bugfix
	25	@@ -0,0 +1 @@
	26	+Fixed arbitrary sequence types being allowed to inject headers via version parameter -- by :user:`Dreamsorcerer`
	27	diff --git a/aiohttp/client_reqrep.py b/aiohttp/client_reqrep.py
	28	index 987d68f..d3cd77e 100644
	29	--- a/aiohttp/client_reqrep.py
	30	+++ b/aiohttp/client_reqrep.py
	31	@@ -661,8 +661,8 @@ class ClientRequest:
	32	self.headers[hdrs.CONNECTION] = connection
	33
	34	# status + headers
	35	- status_line = "{0} {1} HTTP/{2[0]}.{2[1]}".format(
	36	- self.method, path, self.version
	37	+ status_line = "{0} {1} HTTP/{v.major}.{v.minor}".format(
	38	+ self.method, path, v=self.version
	39	)
	40	await writer.write_headers(status_line, self.headers)
	41
	42	diff --git a/tests/test_client_request.py b/tests/test_client_request.py
	43	index 9eeb933..009f1a0 100644
	44	--- a/tests/test_client_request.py
	45	+++ b/tests/test_client_request.py
	46	@@ -20,6 +20,7 @@ from aiohttp.client_reqrep import (
	47	_merge_ssl_params,
	48	)
	49	from aiohttp.helpers import PY_311
	50	+from aiohttp.http import HttpVersion
	51	from aiohttp.test_utils import make_mocked_coro
	52
	53
	54	@@ -576,18 +577,18 @@ async def test_connection_header(loop, conn) -> None:
	55	req.headers.clear()
	56
	57	req.keep_alive.return_value = True
	58	- req.version = (1, 1)
	59	+ req.version = HttpVersion(1, 1)
	60	req.headers.clear()
	61	await req.send(conn)
	62	assert req.headers.get("CONNECTION") is None
	63
	64	- req.version = (1, 0)
	65	+ req.version = HttpVersion(1, 0)
	66	req.headers.clear()
	67	await req.send(conn)
	68	assert req.headers.get("CONNECTION") == "keep-alive"
	69
	70	req.keep_alive.return_value = False
	71	- req.version = (1, 1)
	72	+ req.version = HttpVersion(1, 1)
	73	req.headers.clear()
	74	await req.send(conn)
	75	assert req.headers.get("CONNECTION") == "close"
	76	@@ -1113,6 +1114,17 @@ async def test_close(loop, buf, conn) -> None:
	77	await req.close()
	78	resp.close()
	79
	80	+async def test_bad_version(loop: Any, conn: Any) -> None:
	81	+ req = ClientRequest(
	82	+ "GET",
	83	+ URL("http://python.org"),
	84	+ loop=loop,
	85	+ headers={"Connection": "Close"},
	86	+ version=("1", "1\r\nInjected-Header: not allowed"),
	87	+ )
	88	+
	89	+ with pytest.raises(AttributeError):
	90	+ await req.send(conn)
	91
	92	async def test_custom_response_class(loop, conn) -> None:
	93	class CustomResponse(ClientResponse):
	94	--
	95	2.25.1
	96