From 8bb4ce1486c6c62af171b7c948a64b1b3444e6fe Mon Sep 17 00:00:00 2001
From: wangkaiqiang
Date: Thu, 4 Jan 2024 18:51:09 +0800
Subject: [PATCH] don't strip leading = when parsing cookie
---
 ...-t-strip-leading-when-parsing-cookie.patch | 77 +++++++++++++++++++
 python-werkzeug.spec | 10 ++-
 2 files changed, 85 insertions(+), 2 deletions(-)
 create mode 100644 0001-don-t-strip-leading-when-parsing-cookie.patch
diff --git a/0001-don-t-strip-leading-when-parsing-cookie.patch b/0001-don-t-strip-leading-when-parsing-cookie.patch
new file mode 100644
index 0000000..719272a
--- /dev/null
+++ b/0001-don-t-strip-leading-when-parsing-cookie.patch
@@ -0,0 +1,77 @@
+From 05a2c93273a25682142f11ef95e7a1b6b33b6540 Mon Sep 17 00:00:00 2001
+From: wangkaiqiang
+Date: Thu, 4 Jan 2024 19:14:44 +0800
+Subject: [PATCH] don't strip leading = when parsing cookie
+
+---
+ tests/test_http.py | 4 ++--
+ werkzeug/_internal.py | 13 +++++++++----
+ 2 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/tests/test_http.py b/tests/test_http.py
+index b77e3c3..aeefd40 100644
+--- a/tests/test_http.py
++++ b/tests/test_http.py
+@@ -354,7 +354,7 @@ class TestHTTPUtility(object):
+ def test_cookies(self):
+ strict_eq(
+ dict(http.parse_cookie('dismiss-top=6; CP=null*; PHPSESSID=0a539d42abc001cd'
+- 'c762809248d4beed; a=42; b="\\\";"')),
++ 'c762809248d4beed; a=42; b="\\\";"'"==__Host-eq=bad;__Host-eq=good;")),
+ {
+ 'CP': u'null*',
+ 'PHPSESSID': u'0a539d42abc001cdc762809248d4beed',
+@@ -370,7 +370,7 @@ class TestHTTPUtility(object):
+ 'Path=/', 'foo="bar baz blub"'])
+
+ strict_eq(dict(http.parse_cookie('fo234{=bar; blub=Blah')),
+- {'fo234{': u'bar', 'blub': u'Blah'})
++ {'fo234{': u'bar', 'blub': u'Blah',"__Host-eq": "good",})
+
+ def test_cookie_quoting(self):
+ val = http.dump_cookie("foo", "?foo")
+diff --git a/werkzeug/_internal.py b/werkzeug/_internal.py
+index 3d1ee09..0964841 100644
+--- a/werkzeug/_internal.py
++++ b/werkzeug/_internal.py
+@@ -44,7 +44,7 @@ _octal_re = re.compile(b'\\\\[0-3][0-7][0-7]')
+ _quote_re = re.compile(b'[\\\\].')
+ _legal_cookie_chars_re = b'[\w\d!#%&\'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]'
+ _cookie_re = re.compile(b"""
+- (?P[^=]+)
++ (?P[^=]*)
+ \s*=\s*
+ (?P
+ "(?:[^\\\\"]|\\\\.)*" |
+@@ -246,6 +246,7 @@ def _cookie_unquote(b):
+
+ i = 0
+ n = len(b)
++ b +=b";"
+ rv = bytearray()
+ _push = rv.extend
+
+@@ -278,13 +279,17 @@ def _cookie_parse_impl(b):
+ n = len(b)
+
+ while i < n:
+- match = _cookie_re.search(b + b';', i)
++ match = _cookie_re.match(b, i)
+ if not match:
+ break
+
+- key = match.group('key').strip()
+- value = match.group('val')
+ i = match.end(0)
++ key = match.group("key").strip()
++
++ if not key:
++ continue
++
++ value = match.group("val") or b""
+
+ # Ignore parameters. We have no interest in them.
+ if key.lower() not in _cookie_params:
+--
+2.31.1
+
diff --git a/python-werkzeug.spec b/python-werkzeug.spec
index f69c994..8fe14e6 100644
--- a/python-werkzeug.spec
+++ b/python-werkzeug.spec
@@ -9,7 +9,7 @@
 Name: python-werkzeug
 Version: 0.12.2
-Release: 4%{?dist}
+Release: 5%{?dist}
 Summary: The Swiss Army knife of Python web development
 Group: Development/Libraries
@@ -19,6 +19,8 @@ Source0: https://files.pythonhosted.org/packages/source/W/Werkzeug/%{srcn
 # Pypi version of werkzeug is missing _themes folder needed to build werkzeug sphinx docs
 # See https://github.com/mitsuhiko/werkzeug/issues/761
 Source1: werkzeug-sphinx-theme.tar.gz
+#https://github.com/pallets/werkzeug/commit/8c2b4b82d0cade0d37e6a88e2cd2413878e8ebd4
+Patch0: 0001-don-t-strip-leading-when-parsing-cookie.patch
 BuildArch: noarch
@@ -79,7 +81,8 @@ Documentation and examples for python-werkzeug.
 %prep
-%setup -q -n %{srcname}-%{version}
+%autosetup -n %{srcname}-%{version} -p1
+
 %{__sed} -i 's/\r//' LICENSE
 %{__sed} -i '1d' tests/multipart/test_collect.py
 tar -xf %{SOURCE1}
@@ -138,6 +141,9 @@ popd
 %changelog
+* Thu Jan 04 2024 Kaiqiang Wang - 0.12.2-5
+- don't strip leading = when parsing cookie(CVE-2023-23934)
+
 * Fri Jun 22 2018 Charalampos Stratakis - 0.12.2-4
 - Use python3-sphinx for the docs
--
Gitee
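Review bot: In the embedded `werkzeug/_internal.py` patch, the added `b +=b";"` is in the hunk headed `@@ -246,6 +246,7 @@ def _cookie_unquote(b):`, between `n = len(b)` and `rv = bytearray()`, so it lands in `_cookie_unquote` rather than in `_cookie_parse_impl`, where the old `search(b + b';', i)` became `_cookie_re.match(b, i)` with no terminator appended. If `_cookie_re` still ends in a required `;` (its tail is outside the hunk), the last cookie of a header without a trailing semicolon would be silently dropped, and quoted values passing through `_cookie_unquote` may pick up a stray `;`; the line most likely belongs after `n = len(b)` in `_cookie_parse_impl`, as `b += b";"`. The test edit looks misplaced in the same way: `"__Host-eq": "good"` is added to the expected dict of the `'fo234{=bar; blub=Blah'` case, whose input does not contain that cookie, so the CVE-2023-23934 regression assertion should move to the first `strict_eq` and the suite should be run against the patched tree. Both function bodies continue outside their hunks, so this should be confirmed against the full file.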