2 files changed, 225 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2024-23334.patch b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2024-23334.patch
new file mode 100644
index 0000000000..29909529aa
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2024-23334.patch
@@ -0,0 +1,222 @@
+From 1c335944d6a8b1298baf179b7c0b3069f10c514b
+From: Sam Bull <git@sambull.org>
+Date:   Sun Jan 28 18:13:06 2024 +0000
+Subject: [PATCH] python3-aiohttp: Validate static paths (#8079)
+Co-authored-by: J. Nick Koston <nick@koston.org>
+CVE: CVE-2024-23334
+Upstream-Status: Backport [https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b]
+Signed-off-by: Rahul Janani Pandi <RahulJanani.Pandi@windriver.com>
+---
+ CHANGES/8079.bugfix.rst         |  1 +
+ aiohttp/web_urldispatcher.py    | 18 +++++--
+ docs/web_advanced.rst           | 16 ++++--
+ docs/web_reference.rst          | 12 +++--
+ tests/test_web_urldispatcher.py | 91 +++++++++++++++++++++++++++++++++
+ 5 files changed, 128 insertions(+), 10 deletions(-)
+ create mode 100644 CHANGES/8079.bugfix.rst
+diff --git a/CHANGES/8079.bugfix.rst b/CHANGES/8079.bugfix.rst
+new file mode 100644
+index 0000000..57bc8bf
+--- /dev/null
+++ b/CHANGES/8079.bugfix.rst
+@@ -0,0 +1 @@
+Improved validation of paths for static resources -- by :user:`bdraco`.
+diff --git a/aiohttp/web_urldispatcher.py b/aiohttp/web_urldispatcher.py
+index 5942e35..e8a8023 100644
+--- a/aiohttp/web_urldispatcher.py
+++ b/aiohttp/web_urldispatcher.py
+@@ -593,9 +593,14 @@ class StaticResource(PrefixResource):
+             url = url / filename
+         if append_version:
+            unresolved_path = self._directory.joinpath(filename)
+             try:
+-                filepath = self._directory.joinpath(filename).resolve()
+-                if not self._follow_symlinks:
+                if self._follow_symlinks:
+                    normalized_path = Path(os.path.normpath(unresolved_path))
+                    normalized_path.relative_to(self._directory)
+                    filepath = normalized_path.resolve()
+                else:
+                    filepath = unresolved_path.resolve()
+                     filepath.relative_to(self._directory)
+             except (ValueError, FileNotFoundError):
+                 # ValueError for case when path point to symlink
+@@ -660,8 +665,13 @@ class StaticResource(PrefixResource):
+                 # /static/\\machine_name\c$ or /static/D:\path
+                 # where the static dir is totally different
+                 raise HTTPForbidden()
+-            filepath = self._directory.joinpath(filename).resolve()
+-            if not self._follow_symlinks:
+            unresolved_path = self._directory.joinpath(filename)
+            if self._follow_symlinks:
+                normalized_path = Path(os.path.normpath(unresolved_path))
+                normalized_path.relative_to(self._directory)
+                filepath = normalized_path.resolve()
+            else:
+                filepath = unresolved_path.resolve()
+                 filepath.relative_to(self._directory)
+         except (ValueError, FileNotFoundError) as error:
+             # relatively safe
+diff --git a/docs/web_advanced.rst b/docs/web_advanced.rst
+index 3a98b78..5129397 100644
+--- a/docs/web_advanced.rst
+++ b/docs/web_advanced.rst
+@@ -136,12 +136,22 @@ instead could be enabled with ``show_index`` parameter set to ``True``::
+    web.static('/prefix', path_to_static_folder, show_index=True)
+-When a symlink from the static directory is accessed, the server responses to
+-client with ``HTTP/404 Not Found`` by default. To allow the server to follow
+-symlinks, parameter ``follow_symlinks`` should be set to ``True``::
+When a symlink that leads outside the static directory is accessed, the server
+responds to the client with ``HTTP/404 Not Found`` by default. To allow the server to
+follow symlinks that lead outside the static root, the parameter ``follow_symlinks``
+should be set to ``True``::
+    web.static('/prefix', path_to_static_folder, follow_symlinks=True)
+.. caution::
+
+   Enabling ``follow_symlinks`` can be a security risk, and may lead to
+   a directory transversal attack. You do NOT need this option to follow symlinks
+   which point to somewhere else within the static directory, this option is only
+   used to break out of the security sandbox. Enabling this option is highly
+   discouraged, and only expected to be used for edge cases in a local
+   development setting where remote users do not have access to the server.
+
+ When you want to enable cache busting,
+ parameter ``append_version`` can be set to ``True``
+diff --git a/docs/web_reference.rst b/docs/web_reference.rst
+index a156f47..b100676 100644
+--- a/docs/web_reference.rst
+++ b/docs/web_reference.rst
+@@ -1836,9 +1836,15 @@ Router is any object that implements :class:`~aiohttp.abc.AbstractRouter` interf
+                               by default it's not allowed and HTTP/403 will
+                               be returned on directory access.
+-      :param bool follow_symlinks: flag for allowing to follow symlinks from
+-                              a directory, by default it's not allowed and
+-                              HTTP/404 will be returned on access.
+      :param bool follow_symlinks: flag for allowing to follow symlinks that lead
+                              outside the static root directory, by default it's not allowed and
+                              HTTP/404 will be returned on access.  Enabling ``follow_symlinks``
+                              can be a security risk, and may lead to a directory transversal attack.
+                              You do NOT need this option to follow symlinks which point to somewhere
+                              else within the static directory, this option is only used to break out
+                              of the security sandbox. Enabling this option is highly discouraged,
+                              and only expected to be used for edge cases in a local development
+                              setting where remote users do not have access to the server.
+       :param bool append_version: flag for adding file version (hash)
+                               to the url query string, this value will
+diff --git a/tests/test_web_urldispatcher.py b/tests/test_web_urldispatcher.py
+index f24f451..f40f6a5 100644
+--- a/tests/test_web_urldispatcher.py
+++ b/tests/test_web_urldispatcher.py
+@@ -123,6 +123,97 @@ async def test_follow_symlink(tmp_dir_path, aiohttp_client) -> None:
+     assert (await r.text()) == data
+async def test_follow_symlink_directory_traversal(
+    tmp_path: pathlib.Path, aiohttp_client: AiohttpClient
+) -> None:
+    # Tests that follow_symlinks does not allow directory transversal
+    data = "private"
+
+    private_file = tmp_path / "private_file"
+    private_file.write_text(data)
+
+    safe_path = tmp_path / "safe_dir"
+    safe_path.mkdir()
+
+    app = web.Application()
+
+    # Register global static route:
+    app.router.add_static("/", str(safe_path), follow_symlinks=True)
+    client = await aiohttp_client(app)
+
+    await client.start_server()
+    # We need to use a raw socket to test this, as the client will normalize
+    # the path before sending it to the server.
+    reader, writer = await asyncio.open_connection(client.host, client.port)
+    writer.write(b"GET /../private_file HTTP/1.1\r\n\r\n")
+    response = await reader.readuntil(b"\r\n\r\n")
+    assert b"404 Not Found" in response
+    writer.close()
+    await writer.wait_closed()
+    await client.close()
+
+
+async def test_follow_symlink_directory_traversal_after_normalization(
+    tmp_path: pathlib.Path, aiohttp_client: AiohttpClient
+) -> None:
+    # Tests that follow_symlinks does not allow directory transversal
+    # after normalization
+    #
+    # Directory structure
+    # |-- secret_dir
+    # |   |-- private_file (should never be accessible)
+    # |   |-- symlink_target_dir
+    # |       |-- symlink_target_file (should be accessible via the my_symlink symlink)
+    # |       |-- sandbox_dir
+    # |           |-- my_symlink -> symlink_target_dir
+    #
+    secret_path = tmp_path / "secret_dir"
+    secret_path.mkdir()
+
+    # This file is below the symlink target and should not be reachable
+    private_file = secret_path / "private_file"
+    private_file.write_text("private")
+
+    symlink_target_path = secret_path / "symlink_target_dir"
+    symlink_target_path.mkdir()
+
+    sandbox_path = symlink_target_path / "sandbox_dir"
+    sandbox_path.mkdir()
+
+    # This file should be reachable via the symlink
+    symlink_target_file = symlink_target_path / "symlink_target_file"
+    symlink_target_file.write_text("readable")
+
+    my_symlink_path = sandbox_path / "my_symlink"
+    pathlib.Path(str(my_symlink_path)).symlink_to(str(symlink_target_path), True)
+
+    app = web.Application()
+
+    # Register global static route:
+    app.router.add_static("/", str(sandbox_path), follow_symlinks=True)
+    client = await aiohttp_client(app)
+
+    await client.start_server()
+    # We need to use a raw socket to test this, as the client will normalize
+    # the path before sending it to the server.
+    reader, writer = await asyncio.open_connection(client.host, client.port)
+    writer.write(b"GET /my_symlink/../private_file HTTP/1.1\r\n\r\n")
+    response = await reader.readuntil(b"\r\n\r\n")
+    assert b"404 Not Found" in response
+    writer.close()
+    await writer.wait_closed()
+
+    reader, writer = await asyncio.open_connection(client.host, client.port)
+    writer.write(b"GET /my_symlink/symlink_target_file HTTP/1.1\r\n\r\n")
+    response = await reader.readuntil(b"\r\n\r\n")
+    assert b"200 OK" in response
+    response = await reader.readuntil(b"readable")
+    assert response == b"readable"
+    writer.close()
+    await writer.wait_closed()
+    await client.close()
+
+
+ @pytest.mark.parametrize(
+     "dir_name,filename,data",
+     [
+--
+2.40.0
diff --git a/meta-python/recipes-devtools/python/python3-aiohttp_3.8.6.bb b/meta-python/recipes-devtools/python/python3-aiohttp_3.8.6.bb
index f8ca9a4739..c805e17d86 100644
--- a/meta-python/recipes-devtools/python/python3-aiohttp_3.8.6.bb
+++ b/meta-python/recipes-devtools/python/python3-aiohttp_3.8.6.bb
@@ -4,6 +4,9 @@ HOMEPAGE = "https://github.com/aio-libs/aiohttp"
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=748073912af33aa59430d3702aa32d41"
+SRC_URI += "file://CVE-2024-23334.patch \
+           "
 SRC_URI[sha256sum] = "b0cf2a4501bff9330a8a5248b4ce951851e415bdcce9dc158e76cfd55e15085c"
 PYPI_PACKAGE = "aiohttp"

diff --git a/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2024-23334.patch b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2024-23334.patch new file mode 100644 index 0000000000..29909529aa --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2024-23334.patch
@@ -0,0 +1,222 @@
		1	From 1c335944d6a8b1298baf179b7c0b3069f10c514b
		2	From: Sam Bull <git@sambull.org>
		3	Date: Sun Jan 28 18:13:06 2024 +0000
		4	Subject: [PATCH] python3-aiohttp: Validate static paths (#8079)
		5
		6	Co-authored-by: J. Nick Koston <nick@koston.org>
		7
		8	CVE: CVE-2024-23334
		9
		10	Upstream-Status: Backport [https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b]
		11
		12	Signed-off-by: Rahul Janani Pandi <RahulJanani.Pandi@windriver.com>
		13	---
		14	CHANGES/8079.bugfix.rst \| 1 +
		15	aiohttp/web_urldispatcher.py \| 18 +++++--
		16	docs/web_advanced.rst \| 16 ++++--
		17	docs/web_reference.rst \| 12 +++--
		18	tests/test_web_urldispatcher.py \| 91 +++++++++++++++++++++++++++++++++
		19	5 files changed, 128 insertions(+), 10 deletions(-)
		20	create mode 100644 CHANGES/8079.bugfix.rst
		21
		22	diff --git a/CHANGES/8079.bugfix.rst b/CHANGES/8079.bugfix.rst
		23	new file mode 100644
		24	index 0000000..57bc8bf
		25	--- /dev/null
		26	+++ b/CHANGES/8079.bugfix.rst
		27	@@ -0,0 +1 @@
		28	+Improved validation of paths for static resources -- by :user:`bdraco`.
		29	diff --git a/aiohttp/web_urldispatcher.py b/aiohttp/web_urldispatcher.py
		30	index 5942e35..e8a8023 100644
		31	--- a/aiohttp/web_urldispatcher.py
		32	+++ b/aiohttp/web_urldispatcher.py
		33	@@ -593,9 +593,14 @@ class StaticResource(PrefixResource):
		34	url = url / filename
		35
		36	if append_version:
		37	+ unresolved_path = self._directory.joinpath(filename)
		38	try:
		39	- filepath = self._directory.joinpath(filename).resolve()
		40	- if not self._follow_symlinks:
		41	+ if self._follow_symlinks:
		42	+ normalized_path = Path(os.path.normpath(unresolved_path))
		43	+ normalized_path.relative_to(self._directory)
		44	+ filepath = normalized_path.resolve()
		45	+ else:
		46	+ filepath = unresolved_path.resolve()
		47	filepath.relative_to(self._directory)
		48	except (ValueError, FileNotFoundError):
		49	# ValueError for case when path point to symlink
		50	@@ -660,8 +665,13 @@ class StaticResource(PrefixResource):
		51	# /static/\\machine_name\c$ or /static/D:\path
		52	# where the static dir is totally different
		53	raise HTTPForbidden()
		54	- filepath = self._directory.joinpath(filename).resolve()
		55	- if not self._follow_symlinks:
		56	+ unresolved_path = self._directory.joinpath(filename)
		57	+ if self._follow_symlinks:
		58	+ normalized_path = Path(os.path.normpath(unresolved_path))
		59	+ normalized_path.relative_to(self._directory)
		60	+ filepath = normalized_path.resolve()
		61	+ else:
		62	+ filepath = unresolved_path.resolve()
		63	filepath.relative_to(self._directory)
		64	except (ValueError, FileNotFoundError) as error:
		65	# relatively safe
		66	diff --git a/docs/web_advanced.rst b/docs/web_advanced.rst
		67	index 3a98b78..5129397 100644
		68	--- a/docs/web_advanced.rst
		69	+++ b/docs/web_advanced.rst
		70	@@ -136,12 +136,22 @@ instead could be enabled with ``show_index`` parameter set to ``True``::
		71
		72	web.static('/prefix', path_to_static_folder, show_index=True)
		73
		74	-When a symlink from the static directory is accessed, the server responses to
		75	-client with ``HTTP/404 Not Found`` by default. To allow the server to follow
		76	-symlinks, parameter ``follow_symlinks`` should be set to ``True``::
		77	+When a symlink that leads outside the static directory is accessed, the server
		78	+responds to the client with ``HTTP/404 Not Found`` by default. To allow the server to
		79	+follow symlinks that lead outside the static root, the parameter ``follow_symlinks``
		80	+should be set to ``True``::
		81
		82	web.static('/prefix', path_to_static_folder, follow_symlinks=True)
		83
		84	+.. caution::
		85	+
		86	+ Enabling ``follow_symlinks`` can be a security risk, and may lead to
		87	+ a directory transversal attack. You do NOT need this option to follow symlinks
		88	+ which point to somewhere else within the static directory, this option is only
		89	+ used to break out of the security sandbox. Enabling this option is highly
		90	+ discouraged, and only expected to be used for edge cases in a local
		91	+ development setting where remote users do not have access to the server.
		92	+
		93	When you want to enable cache busting,
		94	parameter ``append_version`` can be set to ``True``
		95
		96	diff --git a/docs/web_reference.rst b/docs/web_reference.rst
		97	index a156f47..b100676 100644
		98	--- a/docs/web_reference.rst
		99	+++ b/docs/web_reference.rst
		100	@@ -1836,9 +1836,15 @@ Router is any object that implements :class:`~aiohttp.abc.AbstractRouter` interf
		101	by default it's not allowed and HTTP/403 will
		102	be returned on directory access.
		103
		104	- :param bool follow_symlinks: flag for allowing to follow symlinks from
		105	- a directory, by default it's not allowed and
		106	- HTTP/404 will be returned on access.
		107	+ :param bool follow_symlinks: flag for allowing to follow symlinks that lead
		108	+ outside the static root directory, by default it's not allowed and
		109	+ HTTP/404 will be returned on access. Enabling ``follow_symlinks``
		110	+ can be a security risk, and may lead to a directory transversal attack.
		111	+ You do NOT need this option to follow symlinks which point to somewhere
		112	+ else within the static directory, this option is only used to break out
		113	+ of the security sandbox. Enabling this option is highly discouraged,
		114	+ and only expected to be used for edge cases in a local development
		115	+ setting where remote users do not have access to the server.
		116
		117	:param bool append_version: flag for adding file version (hash)
		118	to the url query string, this value will
		119	diff --git a/tests/test_web_urldispatcher.py b/tests/test_web_urldispatcher.py
		120	index f24f451..f40f6a5 100644
		121	--- a/tests/test_web_urldispatcher.py
		122	+++ b/tests/test_web_urldispatcher.py
		123	@@ -123,6 +123,97 @@ async def test_follow_symlink(tmp_dir_path, aiohttp_client) -> None:
		124	assert (await r.text()) == data
		125
		126
		127	+async def test_follow_symlink_directory_traversal(
		128	+ tmp_path: pathlib.Path, aiohttp_client: AiohttpClient
		129	+) -> None:
		130	+ # Tests that follow_symlinks does not allow directory transversal
		131	+ data = "private"
		132	+
		133	+ private_file = tmp_path / "private_file"
		134	+ private_file.write_text(data)
		135	+
		136	+ safe_path = tmp_path / "safe_dir"
		137	+ safe_path.mkdir()
		138	+
		139	+ app = web.Application()
		140	+
		141	+ # Register global static route:
		142	+ app.router.add_static("/", str(safe_path), follow_symlinks=True)
		143	+ client = await aiohttp_client(app)
		144	+
		145	+ await client.start_server()
		146	+ # We need to use a raw socket to test this, as the client will normalize
		147	+ # the path before sending it to the server.
		148	+ reader, writer = await asyncio.open_connection(client.host, client.port)
		149	+ writer.write(b"GET /../private_file HTTP/1.1\r\n\r\n")
		150	+ response = await reader.readuntil(b"\r\n\r\n")
		151	+ assert b"404 Not Found" in response
		152	+ writer.close()
		153	+ await writer.wait_closed()
		154	+ await client.close()
		155	+
		156	+
		157	+async def test_follow_symlink_directory_traversal_after_normalization(
		158	+ tmp_path: pathlib.Path, aiohttp_client: AiohttpClient
		159	+) -> None:
		160	+ # Tests that follow_symlinks does not allow directory transversal
		161	+ # after normalization
		162	+ #
		163	+ # Directory structure
		164	+ # \|-- secret_dir
		165	+ # \| \|-- private_file (should never be accessible)
		166	+ # \| \|-- symlink_target_dir
		167	+ # \| \|-- symlink_target_file (should be accessible via the my_symlink symlink)
		168	+ # \| \|-- sandbox_dir
		169	+ # \| \|-- my_symlink -> symlink_target_dir
		170	+ #
		171	+ secret_path = tmp_path / "secret_dir"
		172	+ secret_path.mkdir()
		173	+
		174	+ # This file is below the symlink target and should not be reachable
		175	+ private_file = secret_path / "private_file"
		176	+ private_file.write_text("private")
		177	+
		178	+ symlink_target_path = secret_path / "symlink_target_dir"
		179	+ symlink_target_path.mkdir()
		180	+
		181	+ sandbox_path = symlink_target_path / "sandbox_dir"
		182	+ sandbox_path.mkdir()
		183	+
		184	+ # This file should be reachable via the symlink
		185	+ symlink_target_file = symlink_target_path / "symlink_target_file"
		186	+ symlink_target_file.write_text("readable")
		187	+
		188	+ my_symlink_path = sandbox_path / "my_symlink"
		189	+ pathlib.Path(str(my_symlink_path)).symlink_to(str(symlink_target_path), True)
		190	+
		191	+ app = web.Application()
		192	+
		193	+ # Register global static route:
		194	+ app.router.add_static("/", str(sandbox_path), follow_symlinks=True)
		195	+ client = await aiohttp_client(app)
		196	+
		197	+ await client.start_server()
		198	+ # We need to use a raw socket to test this, as the client will normalize
		199	+ # the path before sending it to the server.
		200	+ reader, writer = await asyncio.open_connection(client.host, client.port)
		201	+ writer.write(b"GET /my_symlink/../private_file HTTP/1.1\r\n\r\n")
		202	+ response = await reader.readuntil(b"\r\n\r\n")
		203	+ assert b"404 Not Found" in response
		204	+ writer.close()
		205	+ await writer.wait_closed()
		206	+
		207	+ reader, writer = await asyncio.open_connection(client.host, client.port)
		208	+ writer.write(b"GET /my_symlink/symlink_target_file HTTP/1.1\r\n\r\n")
		209	+ response = await reader.readuntil(b"\r\n\r\n")
		210	+ assert b"200 OK" in response
		211	+ response = await reader.readuntil(b"readable")
		212	+ assert response == b"readable"
		213	+ writer.close()
		214	+ await writer.wait_closed()
		215	+ await client.close()
		216	+
		217	+
		218	@pytest.mark.parametrize(
		219	"dir_name,filename,data",
		220	[
		221	--
		222	2.40.0


diff --git a/meta-python/recipes-devtools/python/python3-aiohttp_3.8.6.bb b/meta-python/recipes-devtools/python/python3-aiohttp_3.8.6.bb index f8ca9a4739..c805e17d86 100644 --- a/meta-python/recipes-devtools/python/python3-aiohttp_3.8.6.bb +++ b/meta-python/recipes-devtools/python/python3-aiohttp_3.8.6.bb
@@ -4,6 +4,9 @@ HOMEPAGE = "https://github.com/aio-libs/aiohttp"
4	LICENSE = "Apache-2.0"	4	LICENSE = "Apache-2.0"
5	LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=748073912af33aa59430d3702aa32d41"	5	LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=748073912af33aa59430d3702aa32d41"
6		6
		7	SRC_URI += "file://CVE-2024-23334.patch \
		8	"
		9
7	SRC_URI[sha256sum] = "b0cf2a4501bff9330a8a5248b4ce951851e415bdcce9dc158e76cfd55e15085c"	10	SRC_URI[sha256sum] = "b0cf2a4501bff9330a8a5248b4ce951851e415bdcce9dc158e76cfd55e15085c"
8		11
9	PYPI_PACKAGE = "aiohttp"	12	PYPI_PACKAGE = "aiohttp"