Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python-Quart for openSUSE:Factory checked in at 2024-11-07 16:24:16 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-Quart (Old) and /work/SRC/openSUSE:Factory/.python-Quart.new.2020 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-Quart"
Thu Nov 7 16:24:16 2024 rev:2 rq:1221774 version:0.19.8
Changes:
--------
--- /work/SRC/openSUSE:Factory/python-Quart/python-Quart.changes 2024-09-19 21:18:07.384411931 +0200
+++ /work/SRC/openSUSE:Factory/.python-Quart.new.2020/python-Quart.changes 2024-11-07 16:24:26.370287945 +0100
@@ -1,0 +2,9 @@
+Wed Nov 6 12:52:26 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaub...@suse.com>
+
+- Update to 0.19.8
+ * Bugfix Fix missing check that caused the previous fix to raise an error.
+- from version 0.19.7
+ * Security Fix how ``max_form_memory_size`` is applied when parsing large
+ non-file fields. https://github.com/advisories/GHSA-q34m-jh98-gwm2
+
+-------------------------------------------------------------------
Old:
----
quart-0.19.6.tar.gz
New:
----
quart-0.19.8.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-Quart.spec ++++++
--- /var/tmp/diff_new_pack.w9LsCW/_old 2024-11-07 16:24:26.882309219 +0100
+++ /var/tmp/diff_new_pack.w9LsCW/_new 2024-11-07 16:24:26.886309386 +0100
@@ -19,7 +19,7 @@
 # Can't build for Python 3.10 due to missing hypercorn
 %define skip_python310 1
 Name: python-Quart
-Version: 0.19.6
+Version: 0.19.8
 Release: 0
 Summary: A Python ASGI web microframework with the same API as Flask
 License: MIT
++++++ quart-0.19.6.tar.gz -> quart-0.19.8.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/quart-0.19.6/CHANGES.rst new/quart-0.19.8/CHANGES.rst
--- old/quart-0.19.6/CHANGES.rst 2024-05-19 21:57:58.000000000 +0200
+++ new/quart-0.19.8/CHANGES.rst 2024-10-26 00:33:21.000000000 +0200
@@ -1,3 +1,14 @@
+0.19.8 2024-10-25
+-----------------
+
+* Bugfix Fix missing check that caused the previous fix to raise an error. #366
+
+0.19.7 2024-10-25
+-----------------
+
+* Security Fix how ``max_form_memory_size`` is applied when parsing large
+ non-file fields. https://github.com/advisories/GHSA-q34m-jh98-gwm2
+
 0.19.6 2024-05-19
 -----------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/quart-0.19.6/pyproject.toml new/quart-0.19.8/pyproject.toml
--- old/quart-0.19.6/pyproject.toml 2024-05-19 21:57:58.000000000 +0200
+++ new/quart-0.19.8/pyproject.toml 2024-10-26 00:33:21.000000000 +0200
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "Quart"
-version = "0.19.6"
+version = "0.19.8"
 description = "A Python ASGI web microframework with the same API as Flask"
 authors = ["pgjones <philip.graham.jo...@googlemail.com>"]
 classifiers = [
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/quart-0.19.6/src/quart/formparser.py new/quart-0.19.8/src/quart/formparser.py
--- old/quart-0.19.6/src/quart/formparser.py 2024-05-19 21:57:58.000000000 +0200
+++ new/quart-0.19.8/src/quart/formparser.py 2024-10-26 00:33:21.000000000 +0200
@@ -15,6 +15,7 @@
 from urllib.parse import parse_qsl
 from werkzeug.datastructures import Headers, MultiDict
+from werkzeug.exceptions import RequestEntityTooLarge
 from werkzeug.formparser import default_stream_factory
 from werkzeug.http import parse_options_header
 from werkzeug.sansio.multipart import Data, Epilogue, Field, File, MultipartDecoder, NeedData
@@ -173,19 +174,28 @@
 files = []
 current_part: Field | File
+ field_size: int | None = None
 async for data in body:
 parser.receive_data(data)
 event = parser.next_event()
 while not isinstance(event, (Epilogue, NeedData)):
 if isinstance(event, Field):
 current_part = event
+ field_size = 0
 container = []
 _write = container.append
 elif isinstance(event, File):
 current_part = event
+ field_size = None
 container = self.start_file_streaming(event, content_length)
 _write = container.write
 elif isinstance(event, Data):
+ if self.max_form_memory_size is not None and field_size is not None:
+ field_size += len(event.data)
+
+ if field_size > self.max_form_memory_size:
+ raise RequestEntityTooLarge()
+
 _write(event.data)
 if not event.more_data:
 if isinstance(current_part, Field):
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/quart-0.19.6/tests/test_formparser.py new/quart-0.19.8/tests/test_formparser.py
--- old/quart-0.19.6/tests/test_formparser.py 1970-01-01 01:00:00.000000000 +0100
+++ new/quart-0.19.8/tests/test_formparser.py 2024-10-26 00:33:21.000000000 +0200
@@ -0,0 +1,21 @@
+from __future__ import annotations
+
+import pytest
+from werkzeug.exceptions import RequestEntityTooLarge
+
+from quart.formparser import MultiPartParser
+from quart.wrappers.request import Body
+
+
+async def test_multipart_max_form_memory_size() -> None:
+ """max_form_memory_size is tracked across multiple data events."""
+ data = b"--bound\r\nContent-Disposition: form-field; name=a\r\n\r\n"
+ data += b"a" * 15 + b"\r\n--bound--"
+ body = Body(None, None)
+ body.set_result(data)
+ # The buffer size is less than the max size, so multiple data events will be
+ # returned. The field size is greater than the max.
+ parser = MultiPartParser(max_form_memory_size=10, buffer_size=5)
+
+ with pytest.raises(RequestEntityTooLarge):
+ await parser.parse(body, b"bound", 0)
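Review bot: The new guard in the `Data` branch resets `field_size` to 0 on every `Field` event, so `max_form_memory_size` bounds each non-file field on its own rather than the memory held by the whole form, and nothing in the hunk says so; a reader is likely to read the name as a total. I would put above the new `if`: `# Accumulate across Data events so a field split over several events is still bounded; File parts are streamed to the container and not counted (field_size is None).` The `field_size is not None` half of the condition is what keeps a `File` part from tripping the check when the limit is set, which matches the 0.19.8 changelog entry, though that inference is from the changelog rather than the hunk. Whether the number of parts is capped separately (a `max_form_parts`-style limit handed to the decoder) is outside the hunk and worth confirming, since the per-request footprint is parts times `max_form_memory_size`. The enclosing `parse` method starts and ends outside the hunk.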
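Review bot: The new test pins only the over-limit `Field` case; there is no test for a part with a `filename=` disposition while `max_form_memory_size` is set, which is the path where `field_size` stays `None` and, going by the 0.19.8 changelog entry, where the previous fix raised instead of parsing. A companion test that sends a small file part under `max_form_memory_size=10` and asserts `await parser.parse(body, b"bound", 0)` completes without raising would lock that regression in. A boundary case is also cheap to add: a field of exactly 10 bytes must parse, since the check in `formparser.py` is strict `>`.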