1 files changed, 105 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2023-49082.patch b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2023-49082.patch
new file mode 100644
index 0000000000..cfcb980317
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2023-49082.patch
@@ -0,0 +1,105 @@
+From a2200dc43d9fe0ee19b9185b30749c204a4dfd45 Mon Sep 17 00:00:00 2001
+From: Sam Bull <git@sambull.org>
+Date: Wed, 8 Nov 2023 19:25:05 +0000
+Subject: [PATCH] Add HTTP method validation (#6533) (#7806)
+(cherry picked from commit 75fca0b00b4297d0a30c51ae97a65428336eb2c1)
+Upstream-Status: Backport
+[https://github.com/aio-libs/aiohttp/pull/7806/commits/a43bc1779892e7014b7723c59d08fb37a000955e]
+CVE: CVE-2023-49082
+Co-authored-by: Andrew Svetlov <andrew.svetlov@gmail.com>
+Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
+---
+ CHANGES/6533.feature         | 1 +
+ aiohttp/client_reqrep.py     | 9 ++++++++-
+ tests/test_client_request.py | 5 +++++
+ tests/test_web_request.py    | 9 +++++++--
+ 4 files changed, 21 insertions(+), 3 deletions(-)
+ create mode 100644 CHANGES/6533.feature
+diff --git a/CHANGES/6533.feature b/CHANGES/6533.feature
+new file mode 100644
+index 0000000..36bcbeb
+--- /dev/null
+++ b/CHANGES/6533.feature
+@@ -0,0 +1 @@
+Add HTTP method validation.
+diff --git a/aiohttp/client_reqrep.py b/aiohttp/client_reqrep.py
+index d3cd77e..a8135b2 100644
+--- a/aiohttp/client_reqrep.py
+++ b/aiohttp/client_reqrep.py
+@@ -78,6 +78,7 @@ if TYPE_CHECKING:  # pragma: no cover
+     from .tracing import Trace
+ 
+ 
+_CONTAINS_CONTROL_CHAR_RE = re.compile(r"[^-!#$%&'*+.^_`|~0-9a-zA-Z]")
+ json_re = re.compile(r"^application/(?:[\w.+-]+?\+)?json")
+ 
+ 
+@@ -266,10 +267,16 @@ class ClientRequest:
+         proxy_headers: Optional[LooseHeaders] = None,
+         traces: Optional[List["Trace"]] = None,
+     ):
+-
+         if loop is None:
+             loop = asyncio.get_event_loop()
+ 
+        match = _CONTAINS_CONTROL_CHAR_RE.search(method)
+        if match:
+            raise ValueError(
+                f"Method cannot contain non-token characters {method!r} "
+                "(found at least {match.group()!r})"
+            )
+
+         assert isinstance(url, URL), url
+         assert isinstance(proxy, (URL, type(None))), proxy
+         # FIXME: session is None in tests only, need to fix tests
+diff --git a/tests/test_client_request.py b/tests/test_client_request.py
+index 009f1a0..d0f208b 100644
+--- a/tests/test_client_request.py
+++ b/tests/test_client_request.py
+@@ -89,6 +89,11 @@ def test_method3(make_request) -> None:
+     assert req.method == "HEAD"
+ 
+ 
+def test_method_invalid(make_request) -> None:
+    with pytest.raises(ValueError, match="Method cannot contain non-token characters"):
+        make_request("METHOD WITH\nWHITESPACES", "http://python.org/")
+
+
+ def test_version_1_0(make_request) -> None:
+     req = make_request("get", "http://python.org/", version="1.0")
+     assert req.version == (1, 0)
+diff --git a/tests/test_web_request.py b/tests/test_web_request.py
+index c6aeaf8..2bb0cd5 100644
+--- a/tests/test_web_request.py
+++ b/tests/test_web_request.py
+@@ -43,7 +43,10 @@ def test_base_ctor() -> None:
+ 
+     assert "GET" == req.method
+     assert HttpVersion(1, 1) == req.version
+-    assert req.host == socket.getfqdn()
+    # MacOS may return CamelCased host name, need .lower()
+    # FQDN can be wider than host, e.g.
+    # 'fv-az397-495' in 'fv-az397-495.internal.cloudapp.net'
+    assert req.host.lower() in socket.getfqdn().lower()
+     assert "/path/to?a=1&b=2" == req.path_qs
+     assert "/path/to" == req.path
+     assert "a=1&b=2" == req.query_string
+@@ -66,7 +69,9 @@ def test_ctor() -> None:
+     assert "GET" == req.method
+     assert HttpVersion(1, 1) == req.version
+     # MacOS may return CamelCased host name, need .lower()
+-    assert req.host.lower() == socket.getfqdn().lower()
+    # FQDN can be wider than host, e.g.
+    # 'fv-az397-495' in 'fv-az397-495.internal.cloudapp.net'
+    assert req.host.lower() in socket.getfqdn().lower()
+     assert "/path/to?a=1&b=2" == req.path_qs
+     assert "/path/to" == req.path
+     assert "a=1&b=2" == req.query_string
+-- 
+2.25.1

diff --git a/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2023-49082.patch b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2023-49082.patch new file mode 100644 index 0000000000..cfcb980317 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2023-49082.patch
@@ -0,0 +1,105 @@
	1	From a2200dc43d9fe0ee19b9185b30749c204a4dfd45 Mon Sep 17 00:00:00 2001
	2	From: Sam Bull <git@sambull.org>
	3	Date: Wed, 8 Nov 2023 19:25:05 +0000
	4	Subject: [PATCH] Add HTTP method validation (#6533) (#7806)
	5
	6	(cherry picked from commit 75fca0b00b4297d0a30c51ae97a65428336eb2c1)
	7
	8	Upstream-Status: Backport
	9	[https://github.com/aio-libs/aiohttp/pull/7806/commits/a43bc1779892e7014b7723c59d08fb37a000955e]
	10
	11	CVE: CVE-2023-49082
	12
	13	Co-authored-by: Andrew Svetlov <andrew.svetlov@gmail.com>
	14	Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
	15	---
	16	CHANGES/6533.feature \| 1 +
	17	aiohttp/client_reqrep.py \| 9 ++++++++-
	18	tests/test_client_request.py \| 5 +++++
	19	tests/test_web_request.py \| 9 +++++++--
	20	4 files changed, 21 insertions(+), 3 deletions(-)
	21	create mode 100644 CHANGES/6533.feature
	22
	23	diff --git a/CHANGES/6533.feature b/CHANGES/6533.feature
	24	new file mode 100644
	25	index 0000000..36bcbeb
	26	--- /dev/null
	27	+++ b/CHANGES/6533.feature
	28	@@ -0,0 +1 @@
	29	+Add HTTP method validation.
	30	diff --git a/aiohttp/client_reqrep.py b/aiohttp/client_reqrep.py
	31	index d3cd77e..a8135b2 100644
	32	--- a/aiohttp/client_reqrep.py
	33	+++ b/aiohttp/client_reqrep.py
	34	@@ -78,6 +78,7 @@ if TYPE_CHECKING: # pragma: no cover
	35	from .tracing import Trace
	36
	37
	38	+_CONTAINS_CONTROL_CHAR_RE = re.compile(r"[^-!#$%&'*+.^_`\|~0-9a-zA-Z]")
	39	json_re = re.compile(r"^application/(?:[\w.+-]+?\+)?json")
	40
	41
	42	@@ -266,10 +267,16 @@ class ClientRequest:
	43	proxy_headers: Optional[LooseHeaders] = None,
	44	traces: Optional[List["Trace"]] = None,
	45	):
	46	-
	47	if loop is None:
	48	loop = asyncio.get_event_loop()
	49
	50	+ match = _CONTAINS_CONTROL_CHAR_RE.search(method)
	51	+ if match:
	52	+ raise ValueError(
	53	+ f"Method cannot contain non-token characters {method!r} "
	54	+ "(found at least {match.group()!r})"
	55	+ )
	56	+
	57	assert isinstance(url, URL), url
	58	assert isinstance(proxy, (URL, type(None))), proxy
	59	# FIXME: session is None in tests only, need to fix tests
	60	diff --git a/tests/test_client_request.py b/tests/test_client_request.py
	61	index 009f1a0..d0f208b 100644
	62	--- a/tests/test_client_request.py
	63	+++ b/tests/test_client_request.py
	64	@@ -89,6 +89,11 @@ def test_method3(make_request) -> None:
	65	assert req.method == "HEAD"
	66
	67
	68	+def test_method_invalid(make_request) -> None:
	69	+ with pytest.raises(ValueError, match="Method cannot contain non-token characters"):
	70	+ make_request("METHOD WITH\nWHITESPACES", "http://python.org/")
	71	+
	72	+
	73	def test_version_1_0(make_request) -> None:
	74	req = make_request("get", "http://python.org/", version="1.0")
	75	assert req.version == (1, 0)
	76	diff --git a/tests/test_web_request.py b/tests/test_web_request.py
	77	index c6aeaf8..2bb0cd5 100644
	78	--- a/tests/test_web_request.py
	79	+++ b/tests/test_web_request.py
	80	@@ -43,7 +43,10 @@ def test_base_ctor() -> None:
	81
	82	assert "GET" == req.method
	83	assert HttpVersion(1, 1) == req.version
	84	- assert req.host == socket.getfqdn()
	85	+ # MacOS may return CamelCased host name, need .lower()
	86	+ # FQDN can be wider than host, e.g.
	87	+ # 'fv-az397-495' in 'fv-az397-495.internal.cloudapp.net'
	88	+ assert req.host.lower() in socket.getfqdn().lower()
	89	assert "/path/to?a=1&b=2" == req.path_qs
	90	assert "/path/to" == req.path
	91	assert "a=1&b=2" == req.query_string
	92	@@ -66,7 +69,9 @@ def test_ctor() -> None:
	93	assert "GET" == req.method
	94	assert HttpVersion(1, 1) == req.version
	95	# MacOS may return CamelCased host name, need .lower()
	96	- assert req.host.lower() == socket.getfqdn().lower()
	97	+ # FQDN can be wider than host, e.g.
	98	+ # 'fv-az397-495' in 'fv-az397-495.internal.cloudapp.net'
	99	+ assert req.host.lower() in socket.getfqdn().lower()
	100	assert "/path/to?a=1&b=2" == req.path_qs
	101	assert "/path/to" == req.path
	102	assert "a=1&b=2" == req.query_string
	103	--
	104	2.25.1
	105