1 files changed, 81 insertions, 0 deletions

diff --git a/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2024-27306.patch b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2024-27306.patch
new file mode 100644
index 0000000000..f87ef92679
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2024-27306.patch
@@ -0,0 +1,81 @@
+From d05042f1a35ec0adb797c056024d457ac1fd7088 Mon Sep 17 00:00:00 2001
+From: Sam Bull <git@sambull.org>
+Date: Thu, 11 Apr 2024 15:54:45 +0100
+Subject: [PATCH] Escape filenames and paths in HTML when generating index
+ pages (#8317) (#8319)
+
+Upstream-Status: Backport
+[https://github.com/aio-libs/aiohttp/commit/28335525d1eac015a7e7584137678cbb6ff19397]
+
+CVE: CVE-2024-27306
+
+Co-authored-by: J. Nick Koston <nick@koston.org>
+(cherry picked from commit ffbc43233209df302863712b511a11bdb6001b0f)
+Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
+---
+ CHANGES/8317.bugfix.rst      |  1 +
+ aiohttp/web_urldispatcher.py | 11 ++++++-----
+ 2 files changed, 7 insertions(+), 5 deletions(-)
+ create mode 100644 CHANGES/8317.bugfix.rst
+
+diff --git a/CHANGES/8317.bugfix.rst b/CHANGES/8317.bugfix.rst
+new file mode 100644
+index 0000000..b24ef2a
+--- /dev/null
++++ b/CHANGES/8317.bugfix.rst
+@@ -0,0 +1 @@
++Escaped filenames in static view -- by :user:`bdraco`.
+diff --git a/aiohttp/web_urldispatcher.py b/aiohttp/web_urldispatcher.py
+index e8a8023..791ab94 100644
+--- a/aiohttp/web_urldispatcher.py
++++ b/aiohttp/web_urldispatcher.py
+@@ -1,7 +1,9 @@
+ import abc
+ import asyncio
+ import base64
++import functools
+ import hashlib
++import html
+ import inspect
+ import keyword
+ import os
+@@ -87,6 +89,7 @@ PATH_SEP: Final[str] = re.escape("/")
+ _ExpectHandler = Callable[[Request], Awaitable[None]]
+ _Resolve = Tuple[Optional["UrlMappingMatchInfo"], Set[str]]
+ 
++html_escape = functools.partial(html.escape, quote=True)
+ 
+ class _InfoDict(TypedDict, total=False):
+     path: str
+@@ -706,7 +709,7 @@ class StaticResource(PrefixResource):
+         assert filepath.is_dir()
+ 
+         relative_path_to_dir = filepath.relative_to(self._directory).as_posix()
+-        index_of = f"Index of /{relative_path_to_dir}"
++        index_of = f"Index of /{html_escape(relative_path_to_dir)}"
+         h1 = f"<h1>{index_of}</h1>"
+ 
+         index_list = []
+@@ -714,7 +717,7 @@ class StaticResource(PrefixResource):
+         for _file in sorted(dir_index):
+             # show file url as relative to static path
+             rel_path = _file.relative_to(self._directory).as_posix()
+-            file_url = self._prefix + "/" + rel_path
++            quoted_file_url = _quote_path(f"{self._prefix}/{rel_path}")
+ 
+             # if file is a directory, add '/' to the end of the name
+             if _file.is_dir():
+@@ -723,9 +726,7 @@ class StaticResource(PrefixResource):
+                 file_name = _file.name
+ 
+             index_list.append(
+-                '<li><a href="{url}">{name}</a></li>'.format(
+-                    url=file_url, name=file_name
+-                )
++                f'<li><a href="{quoted_file_url}">{html_escape(file_name)}</a></li>'
+             )
+         ul = "<ul>\n{}\n</ul>".format("\n".join(index_list))
+         body = f"<body>\n{h1}\n{ul}\n</body>"
+-- 
+2.25.1
+