diff --git a/CVE-2024-52804.patch b/CVE-2024-52804.patch deleted file mode 100644 index 349a7ec1889d5782c06d9896c27376fd9c88eb00..0000000000000000000000000000000000000000 --- a/CVE-2024-52804.patch +++ /dev/null @@ -1,138 +0,0 @@ -From d5ba4a1695fbf7c6a3e54313262639b198291533 Mon Sep 17 00:00:00 2001 -From: Ben Darnell -Date: Thu, 21 Nov 2024 14:48:05 -0500 -Subject: [PATCH] httputil: Fix quadratic performance of cookie parsing - -Maliciously-crafted cookies can cause Tornado to -spend an unreasonable amount of CPU time and block -the event loop. - -This change replaces the quadratic algorithm with -a more efficient one. The implementation is copied -from the Python 3.13 standard library (the -previous one was from Python 3.5). - -Fixes CVE-2024-52804 -See CVE-2024-7592 for a similar vulnerability in cpython. - -Thanks to github.com/kexinoh for the report. ---- - tornado/httputil.py | 38 ++++++++--------------------- - tornado/test/httputil_test.py | 46 +++++++++++++++++++++++++++++++++++ - 2 files changed, 56 insertions(+), 28 deletions(-) - -diff --git a/tornado/httputil.py b/tornado/httputil.py -index 9ce992d82b..ebdc8059c1 100644 ---- a/tornado/httputil.py -+++ b/tornado/httputil.py -@@ -1057,15 +1057,20 @@ def qs_to_qsl(qs: Dict[str, List[AnyStr]]) -> Iterable[Tuple[str, AnyStr]]: - yield (k, v) - - --_OctalPatt = re.compile(r"\\[0-3][0-7][0-7]") --_QuotePatt = re.compile(r"[\\].") --_nulljoin = "".join -+_unquote_sub = re.compile(r"\\(?:([0-3][0-7][0-7])|(.))").sub -+ -+ -+def _unquote_replace(m: re.Match) -> str: -+ if m[1]: -+ return chr(int(m[1], 8)) -+ else: -+ return m[2] - - - def _unquote_cookie(s: str) -> str: - """Handle double quotes and escaping in cookie values. - -- This method is copied verbatim from the Python 3.5 standard -+ This method is copied verbatim from the Python 3.13 standard - library (http.cookies._unquote) so we don't have to depend on - non-public interfaces. - """ -@@ -1086,30 +1091,7 @@ def _unquote_cookie(s: str) -> str: - # \012 --> \n - # \" --> " - # -- i = 0 -- n = len(s) -- res = [] -- while 0 <= i < n: -- o_match = _OctalPatt.search(s, i) -- q_match = _QuotePatt.search(s, i) -- if not o_match and not q_match: # Neither matched -- res.append(s[i:]) -- break -- # else: -- j = k = -1 -- if o_match: -- j = o_match.start(0) -- if q_match: -- k = q_match.start(0) -- if q_match and (not o_match or k < j): # QuotePatt matched -- res.append(s[i:k]) -- res.append(s[k + 1]) -- i = k + 2 -- else: # OctalPatt matched -- res.append(s[i:j]) -- res.append(chr(int(s[j + 1 : j + 4], 8))) -- i = j + 4 -- return _nulljoin(res) -+ return _unquote_sub(_unquote_replace, s) - - - def parse_cookie(cookie: str) -> Dict[str, str]: -diff --git a/tornado/test/httputil_test.py b/tornado/test/httputil_test.py -index 6d618839e0..975900aa9c 100644 ---- a/tornado/test/httputil_test.py -+++ b/tornado/test/httputil_test.py -@@ -560,3 +560,49 @@ def test_invalid_cookies(self): - self.assertEqual( - parse_cookie(" = b ; ; = ; c = ; "), {"": "b", "c": ""} - ) -+ -+ def test_unquote(self): -+ # Copied from -+ # https://github.com/python/cpython/blob/dc7a2b6522ec7af41282bc34f405bee9b306d611/Lib/test/test_http_cookies.py#L62 -+ cases = [ -+ (r'a="b=\""', 'b="'), -+ (r'a="b=\\"', "b=\\"), -+ (r'a="b=\="', "b=="), -+ (r'a="b=\n"', "b=n"), -+ (r'a="b=\042"', 'b="'), -+ (r'a="b=\134"', "b=\\"), -+ (r'a="b=\377"', "b=\xff"), -+ (r'a="b=\400"', "b=400"), -+ (r'a="b=\42"', "b=42"), -+ (r'a="b=\\042"', "b=\\042"), -+ (r'a="b=\\134"', "b=\\134"), -+ (r'a="b=\\\""', 'b=\\"'), -+ (r'a="b=\\\042"', 'b=\\"'), -+ (r'a="b=\134\""', 'b=\\"'), -+ (r'a="b=\134\042"', 'b=\\"'), -+ ] -+ for encoded, decoded in cases: -+ with self.subTest(encoded): -+ c = parse_cookie(encoded) -+ self.assertEqual(c["a"], decoded) -+ -+ def test_unquote_large(self): -+ # Adapted from -+ # https://github.com/python/cpython/blob/dc7a2b6522ec7af41282bc34f405bee9b306d611/Lib/test/test_http_cookies.py#L87 -+ # Modified from that test because we handle semicolons differently from the stdlib. -+ # -+ # This is a performance regression test: prior to improvements in Tornado 6.4.2, this test -+ # would take over a minute with n= 100k. Now it runs in tens of milliseconds. -+ n = 100000 -+ for encoded in r"\\", r"\134": -+ with self.subTest(encoded): -+ start = time.time() -+ data = 'a="b=' + encoded * n + '"' -+ value = parse_cookie(data)["a"] -+ end = time.time() -+ self.assertEqual(value[:3], "b=\\") -+ self.assertEqual(value[-3:], "\\\\\\") -+ self.assertEqual(len(value), n + 2) -+ -+ # Very loose performance check to avoid false positives -+ self.assertLess(end - start, 1, "Test took too long") diff --git a/python-tornado.spec b/python-tornado.spec index 810223eab0a8687307c06f63758283bfa10ed4f8..c7041b98eefa1666f3465106be636cc044aafecc 100644 --- a/python-tornado.spec +++ b/python-tornado.spec @@ -1,14 +1,12 @@ %global _empty_manifest_terminate_build 0 Name: python-tornado -Version: 6.3.3 -Release: 2 +Version: 6.5 +Release: 1 Summary: Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed. -License: ASL 2.0 +License: Apache-2.0 URL: http://www.tornadoweb.org/ Source0: https://files.pythonhosted.org/packages/source/t/tornado/tornado-%{version}.tar.gz -Patch3000: CVE-2024-52804.patch - %description Tornado is an open source version of the scalable, non-blocking web server and tools. @@ -74,9 +72,19 @@ mv %{buildroot}/doclist.lst . %{_docdir}/* %changelog -* Tue Nov 26 2024 liyajie - 6.3.3-2 +* Tue May 20 2025 lijunhen - 6.5-1 +- Update to 6.5 for fix CVE-2025-47287 + +* Tue Nov 26 2024 liyajie - 6.4.1-2 - Fix CVE-2024-52804 +* Wed Jun 19 2024 yaoxin - 6.4.1-1 +- Update to 6.4.1 + * Parsing of the ``Transfer-Encoding`` header is now stricter. + * Handling of whitespace in headers now matches the RFC more closely. + * ``tornado.curl_httpclient`` now prohibits carriage return and linefeed headers in HTTP headers + (matching the behavior of ``simple_httpclient``). + * Fri Oct 13 2023 wen-minjuan - 6.3.3-1 - Upgrade version to 6.3.3-1 diff --git a/tornado-6.3.3.tar.gz b/tornado-6.3.3.tar.gz deleted file mode 100644 index 45d1363aa42b54c15f05a64363b15d578a7f66ca..0000000000000000000000000000000000000000 Binary files a/tornado-6.3.3.tar.gz and /dev/null differ diff --git a/tornado-6.5.tar.gz b/tornado-6.5.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..8b0636bf2c52b441ae8092a4ca0bf28ced85dd9e Binary files /dev/null and b/tornado-6.5.tar.gz differ