From 12d4f40a4a5881d2e26741fbed672fd841f557f5 Mon Sep 17 00:00:00 2001
From: Gyorgy Sarvari <skandigraun@gmail.com>
Date: Wed, 14 Jan 2026 08:34:35 +0100
Subject: python3-twisted: patch CVE-2022-24801

Details: https://nvd.nist.gov/vuln/detail/CVE-2022-24801

Pick the commits from the pull request that is referenced by the NVD report.

(The full set is consisting of 13 patches, but the ones that only updated
news/readme/typo fixes in comments were not backported)

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../python/python3-twisted/CVE-2022-24801-8.patch  | 108 +++++++++++++++++++++
 1 file changed, 108 insertions(+)
 create mode 100644 meta-python/recipes-devtools/python/python3-twisted/CVE-2022-24801-8.patch

(limited to 'meta-python/recipes-devtools/python/python3-twisted/CVE-2022-24801-8.patch')

diff --git a/meta-python/recipes-devtools/python/python3-twisted/CVE-2022-24801-8.patch b/meta-python/recipes-devtools/python/python3-twisted/CVE-2022-24801-8.patch
new file mode 100644
index 0000000000..e426d4d8f2
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-twisted/CVE-2022-24801-8.patch
@@ -0,0 +1,108 @@
+From 29b4c6ab9a917200a37d6fca1243a7f57caba922 Mon Sep 17 00:00:00 2001
+From: Tom Most <twm@freecog.net>
+Date: Sun, 27 Mar 2022 22:17:30 -0700
+Subject: [PATCH] Correct chunk extension byte validation
+
+Go back to the RFC to figure out the correct allowed ranges.
+
+Upstream-Status: Backport [https://github.com/twisted/twisted/commit/fa9caa54d63399b4ccdfbf0429ba1b504ccc7c89]
+CVE: CVE-2022-24801
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/twisted/web/http.py           | 49 ++++++++++++++++++++++++++++++-
+ src/twisted/web/test/test_http.py |  8 ++++-
+ 2 files changed, 55 insertions(+), 2 deletions(-)
+
+diff --git a/src/twisted/web/http.py b/src/twisted/web/http.py
+index ea77f57..81df437 100644
+--- a/src/twisted/web/http.py
++++ b/src/twisted/web/http.py
+@@ -418,7 +418,7 @@ def _ishexdigits(b: bytes) -> bool:
+     and 0-9.
+     """
+     for c in b:
+-        if c not in b'0123456789abcdefABCDEF':
++        if c not in b"0123456789abcdefABCDEF":
+             return False
+     return bool(b)
+ 
+@@ -1816,6 +1816,47 @@ class _IdentityTransferDecoder:
+ maxChunkSizeLineLength = 1024
+ 
+ 
++_chunkExtChars = (
++    b"\t !\"#$%&'()*+,-./0123456789:;<=>?@"
++    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`"
++    b"abcdefghijklmnopqrstuvwxyz{|}~"
++    b"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f"
++    b"\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
++    b"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf"
++    b"\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
++    b"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf"
++    b"\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
++    b"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef"
++    b"\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
++)
++"""
++Characters that are valid in a chunk extension.
++
++See RFC 7230 section 4.1.1:
++
++     chunk-ext      = *( ";" chunk-ext-name [ "=" chunk-ext-val ] )
++
++     chunk-ext-name = token
++     chunk-ext-val  = token / quoted-string
++
++Section 3.2.6:
++
++     token          = 1*tchar
++
++     tchar          = "!" / "#" / "$" / "%" / "&" / "'" / "*"
++                    / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
++                    / DIGIT / ALPHA
++                    ; any VCHAR, except delimiters
++
++     quoted-string  = DQUOTE *( qdtext / quoted-pair ) DQUOTE
++     qdtext         = HTAB / SP /%x21 / %x23-5B / %x5D-7E / obs-text
++     obs-text       = %x80-FF
++
++We don't check if chunk extensions are well-formed beyond validating that they
++don't contain characters outside this range.
++"""
++
++
+ class _ChunkedTransferDecoder:
+     """
+     Protocol for decoding I{chunked} Transfer-Encoding, as defined by RFC 7230,
+@@ -1915,6 +1956,12 @@ class _ChunkedTransferDecoder:
+         except ValueError:
+             raise _MalformedChunkedDataError("Chunk-size must be an integer.")
+ 
++        ext = self._buffer[endOfLengthIndex + 1 : eolIndex]
++        if ext and ext.translate(None, _chunkExtChars) != b"":
++            raise _MalformedChunkedDataError(
++                f"Invalid characters in chunk extensions: {ext!r}."
++            )
++
+         if length == 0:
+             self.state = "TRAILER"
+         else:
+diff --git a/src/twisted/web/test/test_http.py b/src/twisted/web/test/test_http.py
+index 201991f..eccb9b0 100644
+--- a/src/twisted/web/test/test_http.py
++++ b/src/twisted/web/test/test_http.py
+@@ -1379,7 +1379,13 @@ class ChunkedTransferEncodingTests(unittest.TestCase):
+ 
+         This is a potential request smuggling vector: see GHSA-c2jg-hw38-jrqq.
+         """
+-        for b in [*range(0, 0x09), *range(0x10, 0x21), *range(0x74, 0x80)]:
++        invalidControl = (
++            b"\x00\x01\x02\x03\x04\x05\x06\x07\x08\n\x0b\x0c\r\x0e\x0f"
++            b"\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
++        )
++        invalidDelimiter = b"\\"
++        invalidDel = b"\x7f"
++        for b in invalidControl + invalidDelimiter + invalidDel:
+             data = b"3; " + bytes((b,)) + b"\r\nabc\r\n"
+             p = http._ChunkedTransferDecoder(
+                 lambda b: None,  # pragma: nocov
-- 
cgit v1.2.3-54-g00ecf