blob: 45dda012b6dd9f8150ef999869e735828eaf9a6b (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
|
From 2353500dc28eab63b47930851c75e9268a69ef1e Mon Sep 17 00:00:00 2001
From: sebsrt <s@sebsrt.xyz>
Date: Mon, 11 Aug 2025 11:46:28 +0200
Subject: [PATCH] [SECURITY] Fix request smuggling vulnerability by discarding
trailers (#1062)
The WSGI parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. This patch fix that by discarding trailers.
CVE: CVE-2025-58068
Upstream-Status: Backport [https://github.com/eventlet/eventlet/commit/0bfebd1117d392559e25b4bfbfcc941754de88fb]
(cherry picked from commit 0bfebd1117d392559e25b4bfbfcc941754de88fb)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
eventlet/wsgi.py | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/eventlet/wsgi.py b/eventlet/wsgi.py
index 3b530b18..28ad2666 100644
--- a/eventlet/wsgi.py
+++ b/eventlet/wsgi.py
@@ -153,6 +153,12 @@ class Input:
read = b''
self.position += len(read)
return read
+
+ def _discard_trailers(self, rfile):
+ while True:
+ line = rfile.readline()
+ if not line or line in (b'\r\n', b'\n', b''):
+ break
def _chunked_read(self, rfile, length=None, use_readline=False):
if self.should_send_hundred_continue:
@@ -203,7 +209,7 @@ class Input:
raise ChunkReadError(err)
self.position = 0
if self.chunk_length == 0:
- rfile.readline()
+ self._discard_trailers(rfile)
except greenio.SSL.ZeroReturnError:
pass
return b''.join(response)
|
