From cb4570120b0d033c728a788e04b7c75129529a4e Mon Sep 17 00:00:00 2001 From: Ankur Tyagi Date: Sun, 25 Jan 2026 14:24:02 +1300 Subject: python3-twisted: patch CVE-2024-41810 Though nvd[1] mentions commit[2] as part of the fix for CVE-2024-41671, but it is actually a fix[3] for CVE-2024-41810. Rename patch files accordingly. [1] https://nvd.nist.gov/vuln/detail/CVE-2024-41671 [2] https://github.com/twisted/twisted/commit/046a164f89a0f08d3239ecebd750360f8914df33 [3] https://nvd.nist.gov/vuln/detail/CVE-2024-41810 Signed-off-by: Ankur Tyagi Signed-off-by: Anuj Mittal --- .../python/python3-twisted/CVE-2024-41810.patch | 93 ++++++++++++++++++++++ 1 file changed, 93 insertions(+) create mode 100644 meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41810.patch (limited to 'meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41810.patch') diff --git a/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41810.patch b/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41810.patch new file mode 100644 index 0000000000..e41d9667f0 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41810.patch @@ -0,0 +1,93 @@ +From 046a164f89a0f08d3239ecebd750360f8914df33 Mon Sep 17 00:00:00 2001 +From: Adi Roiban +Date: Mon Jul 29 14:28:03 2024 +0100 +Subject: [PATCH] Merge commit from fork + +Added HTML output encoding the "URL" parameter of the "redirectTo" function + +CVE: CVE-2024-41810 + +Upstream-Status: Backport [https://github.com/twisted/twisted/commit/046a164f89a0f08d3239ecebd750360f8914df33] + +Signed-off-by: Soumya Sambu + +Dropped newsfragements change from the original commit. + +Signed-off-by: Ankur Tyagi +--- + src/twisted/web/_template_util.py | 2 +- + src/twisted/web/test/test_util.py | 39 ++++++++++++++++++++++++++++++- + 2 files changed, 39 insertions(+), 2 deletions(-) + +diff --git a/src/twisted/web/_template_util.py b/src/twisted/web/_template_util.py +index 230c33f..7266079 100644 +--- a/src/twisted/web/_template_util.py ++++ b/src/twisted/web/_template_util.py +@@ -92,7 +92,7 @@ def redirectTo(URL: bytes, request: IRequest) -> bytes: + + + """ % { +- b"url": URL ++ b"url": escape(URL.decode("utf-8")).encode("utf-8") + } + return content + +diff --git a/src/twisted/web/test/test_util.py b/src/twisted/web/test/test_util.py +index 1e76300..9847dcb 100644 +--- a/src/twisted/web/test/test_util.py ++++ b/src/twisted/web/test/test_util.py +@@ -5,7 +5,6 @@ + Tests for L{twisted.web.util}. + """ + +- + import gc + + from twisted.internet import defer +@@ -64,6 +63,44 @@ class RedirectToTests(TestCase): + targetURL = "http://target.example.com/4321" + self.assertRaises(TypeError, redirectTo, targetURL, request) + ++ def test_legitimateRedirect(self): ++ """ ++ Legitimate URLs are fully interpolated in the `redirectTo` response body without transformation ++ """ ++ request = DummyRequest([b""]) ++ html = redirectTo(b"https://twisted.org/", request) ++ expected = b""" ++ ++ ++ ++ ++ ++ click here ++ ++ ++""" ++ self.assertEqual(html, expected) ++ ++ def test_maliciousRedirect(self): ++ """ ++ Malicious URLs are HTML-escaped before interpolating them in the `redirectTo` response body ++ """ ++ request = DummyRequest([b""]) ++ html = redirectTo( ++ b'https://twisted.org/">', request ++ ) ++ expected = b""" ++ ++ ++ ++ ++ ++ click here ++ ++ ++""" ++ self.assertEqual(html, expected) ++ + + class ParentRedirectTests(SynchronousTestCase): + """ +-- +2.40.0 -- cgit v1.2.3-54-g00ecf