From 48f2bf2fdbc4217d44d4cc17e656d0d3d7c398e8 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Thu, 31 Jul 2025 08:55:21 +0800
Subject: [PATCH] Fix CVE-2023-46136
(cherry picked from commit 49ec6b964c8bbbfd12b1197d0222590b1aa06075)
---
 CVE-2023-46136.patch | 35 +++++++++++++++++++++++++++++++++++
 python-werkzeug.spec | 6 +++++-
 2 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2023-46136.patch
diff --git a/CVE-2023-46136.patch b/CVE-2023-46136.patch
new file mode 100644
index 0000000..e119e9b
--- /dev/null
+++ b/CVE-2023-46136.patch
@@ -0,0 +1,35 @@
+From: =?utf-8?q?Pawe=C5=82_Srokosz?=
+Date: Thu, 12 Oct 2023 18:50:04 +0200
+Subject: Fix: slow multipart parsing for huge files with few CR/LF characters
+
+(cherry picked from commit b1916c0c083e0be1c9d887ee2f3d696922bfc5c1)
+---
+ src/werkzeug/sansio/multipart.py | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/werkzeug/sansio/multipart.py b/src/werkzeug/sansio/multipart.py
+index 2684e5d..2c0947d 100644
+--- a/src/werkzeug/sansio/multipart.py
++++ b/src/werkzeug/sansio/multipart.py
+@@ -206,12 +206,20 @@ class MultipartDecoder:
+ self._search_position = max(0, len(self.buffer) - SEARCH_EXTRA_LENGTH)
+
+ elif self.state == State.DATA:
+- if self.buffer.find(b"--" + self.boundary) == -1:
++ boundary = b"--" + self.boundary
++
++ if self.buffer.find(boundary) == -1:
+ # No complete boundary in the buffer, but there may be
+ # a partial boundary at the end. As the boundary
+ # starts with either a nl or cr find the earliest and
+ # return up to that as data.
+ data_length = del_index = self.last_newline()
++ # If amount of data after last newline is far from
++ # possible length of partial boundary, we should
++ # assume that there is no partial boundary in the buffer
++ # and return all pending data.
++ if (len(self.buffer) - data_length) > len(b"\n" + boundary):
++ data_length = del_index = len(self.buffer)
+ more_data = True
+ else:
+ match = self.boundary_re.search(self.buffer)
diff --git a/python-werkzeug.spec b/python-werkzeug.spec
index 1a0f0ba..e9a1b5d 100644
--- a/python-werkzeug.spec
+++ b/python-werkzeug.spec
@@ -1,7 +1,7 @@
 %global _empty_manifest_terminate_build 0
 Name: python-werkzeug
 Version: 2.2.3
-Release: 3
+Release: 4
 Summary: The comprehensive WSGI web application library.
 License: BSD-3-Clause
 URL: https://palletsprojects.com/p/werkzeug/
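Review bot: In the CVE-2023-46136.patch hunk, the added branch `if (len(self.buffer) - data_length) > len(b"\n" + boundary):` flushes the entire buffer, so whether the last few bytes can still be the start of a boundary rests entirely on the index that `self.last_newline()` returned, and that method is defined outside the hunk. If it can return an earlier CR or LF than the one closest to the end of the buffer (for example when a chunk ends on the `\r` of a `\r\n` that precedes the boundary), those trailing bytes would be emitted as part data instead of being held for the next chunk. Holding back a bounded tail keeps the buffer small without that assumption: `data_length = del_index = len(self.buffer) - len(b"\r\n" + boundary)`. This diverges from the upstream commit named in the patch header, so it is worth checking upstream for a later follow-up to this branch before carrying a local change; the rest of the DATA branch is also outside the hunk.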
@@ -12,6 +12,7 @@ Source1: https://github.com/Yelp/ephemeral-port-reserve/blob/master/ephem Patch01: CVE-2024-34069-restrict-debugger-trusted-hosts.patch Patch02: CVE-2024-34069-only-require-trusted-host-for-evalex.patch Patch03: CVE-2024-49767--apply-max_form_memory_size-another-level-up.patch +Patch04: CVE-2023-46136.patch BuildArch: noarch BuildRequires: python3-werkzeug python3-markupsafe @@ -175,6 +176,9 @@ PYTHONPATH=%{buildroot}%{python3_sitelib} pytest -k 'not (test_serving)' %{_docdir}/* %changelog +* Thu Jul 31 2025 yaoxin <1024769339@qq.com> - 2.2.3-4 +- Fix CVE-2023-46136 + * Sat Oct 26 2024 liningjie - 2.2.3-3 - Fix CVE-2024-49767 -- Gitee