1 files changed, 149 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2024-34069-0001.patch b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2024-34069-0001.patch
new file mode 100644
index 0000000000..74b39df3a3
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2024-34069-0001.patch
@@ -0,0 +1,149 @@
+From 71b69dfb7df3d912e66bab87fbb1f21f83504967 Mon Sep 17 00:00:00 2001
+From: David Lord <davidism@gmail.com>
+Date: Thu, 2 May 2024 11:55:52 -0700
+Subject: [PATCH] restrict debugger trusted hosts
+Add a list of `trusted_hosts` to the `DebuggedApplication` middleware. It defaults to only allowing `localhost`, `.localhost` subdomains, and `127.0.0.1`. `run_simple(use_debugger=True)` adds its `hostname` argument to the trusted list as well. The middleware can be used directly to further modify the trusted list in less common development scenarios.
+The debugger UI uses the full `document.location` instead of only `document.location.pathname`.
+Either of these fixes on their own mitigates the reported vulnerability.
+CVE: CVE-2024-34069
+Upstream-Status: Backport [https://github.com/pallets/werkzeug/commit/71b69dfb7df3d912e66bab87fbb1f21f83504967]
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ docs/debug.rst                        | 35 +++++++++++++++++++++++----
+ src/werkzeug/debug/__init__.py        | 10 ++++++++
+ src/werkzeug/debug/shared/debugger.js |  4 +--
+ src/werkzeug/serving.py               |  3 +++
+ 4 files changed, 45 insertions(+), 7 deletions(-)
+diff --git a/docs/debug.rst b/docs/debug.rst
+index 25a9f0b..d842135 100644
+--- a/docs/debug.rst
+++ b/docs/debug.rst
+@@ -16,7 +16,8 @@ interactive debug console to execute code in any frame.
+     The debugger allows the execution of arbitrary code which makes it a
+     major security risk. **The debugger must never be used on production
+     machines. We cannot stress this enough. Do not enable the debugger
+-    in production.**
+    in production.** Production means anything that is not development,
+    and anything that is publicly accessible.
+ .. note::
+@@ -72,10 +73,9 @@ argument to get a detailed list of all the attributes it has.
+ Debugger PIN
+ ------------
+-Starting with Werkzeug 0.11 the debug console is protected by a PIN.
+-This is a security helper to make it less likely for the debugger to be
+-exploited if you forget to disable it when deploying to production. The
+-PIN based authentication is enabled by default.
+The debug console is protected by a PIN. This is a security helper to make it
+less likely for the debugger to be exploited if you forget to disable it when
+deploying to production. The PIN based authentication is enabled by default.
+ The first time a console is opened, a dialog will prompt for a PIN that
+ is printed to the command line. The PIN is generated in a stable way
+@@ -92,6 +92,31 @@ intended to make it harder for an attacker to exploit the debugger.
+ Never enable the debugger in production.**
+Allowed Hosts
+-------------
+
+The debug console will only be served if the request comes from a trusted host.
+If a request comes from a browser page that is not served on a trusted URL, a
+400 error will be returned.
+
+By default, ``localhost``, any ``.localhost`` subdomain, and ``127.0.0.1`` are
+trusted. ``run_simple`` will trust its ``hostname`` argument as well. To change
+this further, use the debug middleware directly rather than through
+``use_debugger=True``.
+
+.. code-block:: python
+
+    if os.environ.get("USE_DEBUGGER") in {"1", "true"}:
+        app = DebuggedApplication(app, evalex=True)
+        app.trusted_hosts = [...]
+
+    run_simple("localhost", 8080, app)
+
+**This feature is not meant to entirely secure the debugger. It is
+intended to make it harder for an attacker to exploit the debugger.
+Never enable the debugger in production.**
+
+
+ Pasting Errors
+ --------------
+diff --git a/src/werkzeug/debug/__init__.py b/src/werkzeug/debug/__init__.py
+index 49001e0..87e68c4 100644
+--- a/src/werkzeug/debug/__init__.py
+++ b/src/werkzeug/debug/__init__.py
+@@ -290,6 +290,14 @@ class DebuggedApplication:
+             self._pin, self._pin_cookie = pin_cookie  # type: ignore
+         return self._pin
+        self.trusted_hosts: list[str] = [".localhost", "127.0.0.1"]
+        """List of domains to allow requests to the debugger from. A leading dot
+        allows all subdomains. This only allows ``".localhost"`` domains by
+        default.
+
+        .. versionadded:: 3.0.3
+        """
+
+     @pin.setter
+     def pin(self, value: str) -> None:
+         self._pin = value
+@@ -475,6 +483,8 @@ class DebuggedApplication:
+         # form data!  Otherwise the application won't have access to that data
+         # any more!
+         request = Request(environ)
+        request.trusted_hosts = self.trusted_hosts
+        assert request.host  # will raise 400 error if not trusted
+         response = self.debug_application
+         if request.args.get("__debugger__") == "yes":
+             cmd = request.args.get("cmd")
+diff --git a/src/werkzeug/debug/shared/debugger.js b/src/werkzeug/debug/shared/debugger.js
+index 2354f03..bee079f 100644
+--- a/src/werkzeug/debug/shared/debugger.js
+++ b/src/werkzeug/debug/shared/debugger.js
+@@ -48,7 +48,7 @@ function initPinBox() {
+       btn.disabled = true;
+       fetch(
+-        `${document.location.pathname}?__debugger__=yes&cmd=pinauth&pin=${pin}&s=${encodedSecret}`
+        `${document.location}?__debugger__=yes&cmd=pinauth&pin=${pin}&s=${encodedSecret}`
+       )
+         .then((res) => res.json())
+         .then(({auth, exhausted}) => {
+@@ -79,7 +79,7 @@ function promptForPin() {
+   if (!EVALEX_TRUSTED) {
+     const encodedSecret = encodeURIComponent(SECRET);
+     fetch(
+-      `${document.location.pathname}?__debugger__=yes&cmd=printpin&s=${encodedSecret}`
+      `${document.location}?__debugger__=yes&cmd=printpin&s=${encodedSecret}`
+     );
+     const pinPrompt = document.getElementsByClassName("pin-prompt")[0];
+     fadeIn(pinPrompt);
+diff --git a/src/werkzeug/serving.py b/src/werkzeug/serving.py
+index a19d4bd..84b0664 100644
+--- a/src/werkzeug/serving.py
+++ b/src/werkzeug/serving.py
+@@ -1038,6 +1038,9 @@ def run_simple(
+         from .debug import DebuggedApplication
+         application = DebuggedApplication(application, evalex=use_evalex)
+        # Allow the specified hostname to use the debugger, in addition to
+        # localhost domains.
+        application.trusted_hosts.append(hostname)
+     if not is_running_from_reloader():
+         s = prepare_socket(hostname, port)
+--
+2.40.0

diff --git a/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2024-34069-0001.patch b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2024-34069-0001.patch new file mode 100644 index 0000000000..74b39df3a3 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2024-34069-0001.patch
@@ -0,0 +1,149 @@
	1	From 71b69dfb7df3d912e66bab87fbb1f21f83504967 Mon Sep 17 00:00:00 2001
	2	From: David Lord <davidism@gmail.com>
	3	Date: Thu, 2 May 2024 11:55:52 -0700
	4	Subject: [PATCH] restrict debugger trusted hosts
	5
	6	Add a list of `trusted_hosts` to the `DebuggedApplication` middleware. It defaults to only allowing `localhost`, `.localhost` subdomains, and `127.0.0.1`. `run_simple(use_debugger=True)` adds its `hostname` argument to the trusted list as well. The middleware can be used directly to further modify the trusted list in less common development scenarios.
	7
	8	The debugger UI uses the full `document.location` instead of only `document.location.pathname`.
	9
	10	Either of these fixes on their own mitigates the reported vulnerability.
	11
	12	CVE: CVE-2024-34069
	13
	14	Upstream-Status: Backport [https://github.com/pallets/werkzeug/commit/71b69dfb7df3d912e66bab87fbb1f21f83504967]
	15
	16	Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
	17	---
	18	docs/debug.rst \| 35 +++++++++++++++++++++++----
	19	src/werkzeug/debug/__init__.py \| 10 ++++++++
	20	src/werkzeug/debug/shared/debugger.js \| 4 +--
	21	src/werkzeug/serving.py \| 3 +++
	22	4 files changed, 45 insertions(+), 7 deletions(-)
	23
	24	diff --git a/docs/debug.rst b/docs/debug.rst
	25	index 25a9f0b..d842135 100644
	26	--- a/docs/debug.rst
	27	+++ b/docs/debug.rst
	28	@@ -16,7 +16,8 @@ interactive debug console to execute code in any frame.
	29	The debugger allows the execution of arbitrary code which makes it a
	30	major security risk. **The debugger must never be used on production
	31	machines. We cannot stress this enough. Do not enable the debugger
	32	- in production.**
	33	+ in production.** Production means anything that is not development,
	34	+ and anything that is publicly accessible.
	35
	36	.. note::
	37
	38	@@ -72,10 +73,9 @@ argument to get a detailed list of all the attributes it has.
	39	Debugger PIN
	40	------------
	41
	42	-Starting with Werkzeug 0.11 the debug console is protected by a PIN.
	43	-This is a security helper to make it less likely for the debugger to be
	44	-exploited if you forget to disable it when deploying to production. The
	45	-PIN based authentication is enabled by default.
	46	+The debug console is protected by a PIN. This is a security helper to make it
	47	+less likely for the debugger to be exploited if you forget to disable it when
	48	+deploying to production. The PIN based authentication is enabled by default.
	49
	50	The first time a console is opened, a dialog will prompt for a PIN that
	51	is printed to the command line. The PIN is generated in a stable way
	52	@@ -92,6 +92,31 @@ intended to make it harder for an attacker to exploit the debugger.
	53	Never enable the debugger in production.**
	54
	55
	56	+Allowed Hosts
	57	+-------------
	58	+
	59	+The debug console will only be served if the request comes from a trusted host.
	60	+If a request comes from a browser page that is not served on a trusted URL, a
	61	+400 error will be returned.
	62	+
	63	+By default, ``localhost``, any ``.localhost`` subdomain, and ``127.0.0.1`` are
	64	+trusted. ``run_simple`` will trust its ``hostname`` argument as well. To change
	65	+this further, use the debug middleware directly rather than through
	66	+``use_debugger=True``.
	67	+
	68	+.. code-block:: python
	69	+
	70	+ if os.environ.get("USE_DEBUGGER") in {"1", "true"}:
	71	+ app = DebuggedApplication(app, evalex=True)
	72	+ app.trusted_hosts = [...]
	73	+
	74	+ run_simple("localhost", 8080, app)
	75	+
	76	+**This feature is not meant to entirely secure the debugger. It is
	77	+intended to make it harder for an attacker to exploit the debugger.
	78	+Never enable the debugger in production.**
	79	+
	80	+
	81	Pasting Errors
	82	--------------
	83
	84	diff --git a/src/werkzeug/debug/__init__.py b/src/werkzeug/debug/__init__.py
	85	index 49001e0..87e68c4 100644
	86	--- a/src/werkzeug/debug/__init__.py
	87	+++ b/src/werkzeug/debug/__init__.py
	88	@@ -290,6 +290,14 @@ class DebuggedApplication:
	89	self._pin, self._pin_cookie = pin_cookie # type: ignore
	90	return self._pin
	91
	92	+ self.trusted_hosts: list[str] = [".localhost", "127.0.0.1"]
	93	+ """List of domains to allow requests to the debugger from. A leading dot
	94	+ allows all subdomains. This only allows ``".localhost"`` domains by
	95	+ default.
	96	+
	97	+ .. versionadded:: 3.0.3
	98	+ """
	99	+
	100	@pin.setter
	101	def pin(self, value: str) -> None:
	102	self._pin = value
	103	@@ -475,6 +483,8 @@ class DebuggedApplication:
	104	# form data! Otherwise the application won't have access to that data
	105	# any more!
	106	request = Request(environ)
	107	+ request.trusted_hosts = self.trusted_hosts
	108	+ assert request.host # will raise 400 error if not trusted
	109	response = self.debug_application
	110	if request.args.get("__debugger__") == "yes":
	111	cmd = request.args.get("cmd")
	112	diff --git a/src/werkzeug/debug/shared/debugger.js b/src/werkzeug/debug/shared/debugger.js
	113	index 2354f03..bee079f 100644
	114	--- a/src/werkzeug/debug/shared/debugger.js
	115	+++ b/src/werkzeug/debug/shared/debugger.js
	116	@@ -48,7 +48,7 @@ function initPinBox() {
	117	btn.disabled = true;
	118
	119	fetch(
	120	- `${document.location.pathname}?__debugger__=yes&cmd=pinauth&pin=${pin}&s=${encodedSecret}`
	121	+ `${document.location}?__debugger__=yes&cmd=pinauth&pin=${pin}&s=${encodedSecret}`
	122	)
	123	.then((res) => res.json())
	124	.then(({auth, exhausted}) => {
	125	@@ -79,7 +79,7 @@ function promptForPin() {
	126	if (!EVALEX_TRUSTED) {
	127	const encodedSecret = encodeURIComponent(SECRET);
	128	fetch(
	129	- `${document.location.pathname}?__debugger__=yes&cmd=printpin&s=${encodedSecret}`
	130	+ `${document.location}?__debugger__=yes&cmd=printpin&s=${encodedSecret}`
	131	);
	132	const pinPrompt = document.getElementsByClassName("pin-prompt")[0];
	133	fadeIn(pinPrompt);
	134	diff --git a/src/werkzeug/serving.py b/src/werkzeug/serving.py
	135	index a19d4bd..84b0664 100644
	136	--- a/src/werkzeug/serving.py
	137	+++ b/src/werkzeug/serving.py
	138	@@ -1038,6 +1038,9 @@ def run_simple(
	139	from .debug import DebuggedApplication
	140
	141	application = DebuggedApplication(application, evalex=use_evalex)
	142	+ # Allow the specified hostname to use the debugger, in addition to
	143	+ # localhost domains.
	144	+ application.trusted_hosts.append(hostname)
	145
	146	if not is_running_from_reloader():
	147	s = prepare_socket(hostname, port)
	148	--
	149	2.40.0