Reminder.
On 10-05-2023 19:18, Narpat Mali via lists.openembedded.org wrote:
From: Narpat Mali <[email protected]>
Werkzeug is a comprehensive WSGI web application library. Browsers may allow
"nameless" cookies that look like `=value` instead of `key=value`. A vulnerable
browser may allow a compromised application on an adjacent subdomain to exploit
this to set a cookie like `=__Host-test=bad` for another subdomain. Werkzeug
prior to 2.2.3 will parse the cookie `=__Host-test=bad` as __Host-test=bad`.
If a Werkzeug application is running next to a vulnerable or malicious subdomain
which sets such a cookie using a vulnerable browser, the Werkzeug application
will see the bad cookie value but the valid cookie key. The issue is fixed in
Werkzeug 2.2.3.
Signed-off-by: Narpat Mali <[email protected]>
---
.../python3-werkzeug/CVE-2023-23934.patch | 116 ++++++++++++++++++
.../python/python3-werkzeug_2.1.1.bb | 2 +
2 files changed, 118 insertions(+)
create mode 100644
meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch
diff --git
a/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch
b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch
new file mode 100644
index 0000000000..0be97d2888
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch
@@ -0,0 +1,116 @@
+From b070a40ebbd89d88f4d8144a6ece017d33604d00 Mon Sep 17 00:00:00 2001
+From: David Lord <[email protected]>
+Date: Wed, 10 May 2023 11:33:18 +0000
+Subject: [PATCH] Merge pull request from GHSA-px8h-6qxv-m22q
+
+don't strip leading `=` when parsing cookie
+
+"src/werkzeug/sansio/http.py" file is not available in the current recipe
+version 2.1.1 and this has been introduced from 2.2.0 version. Before 2.2.0
+version, this http.py file was only available in the "src/werkzeug/http.py"
+and we could see the same functions available there which are getting modified
+in the CVE fix commit. Hence, modifying the same at "src/werkzeug/http.py"
file.
+
+CVE: CVE-2023-23934
+
+Upstream-Status: Backport
[https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028]
+
+Signed-off-by: Narpat Mali <[email protected]>
+---
+ CHANGES.rst | 4 ++++
+ src/werkzeug/_internal.py | 13 +++++++++----
+ src/werkzeug/http.py | 4 ----
+ tests/test_http.py | 4 +++-
+ 4 files changed, 16 insertions(+), 9 deletions(-)
+
+diff --git a/CHANGES.rst b/CHANGES.rst
+index a351d7c..23505d3 100644
+--- a/CHANGES.rst
++++ b/CHANGES.rst
+@@ -1,5 +1,9 @@
+ .. currentmodule:: werkzeug
+
++- A cookie header that starts with ``=`` is treated as an empty key and
discarded,
++ rather than stripping the leading ``==``.
++
++
+ Version 2.1.1
+ -------------
+
+diff --git a/src/werkzeug/_internal.py b/src/werkzeug/_internal.py
+index a8b3523..d6290ba 100644
+--- a/src/werkzeug/_internal.py
++++ b/src/werkzeug/_internal.py
+@@ -34,7 +34,7 @@ _quote_re = re.compile(rb"[\\].")
+ _legal_cookie_chars_re = rb"[\w\d!#%&\'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]"
+ _cookie_re = re.compile(
+ rb"""
+- (?P<key>[^=;]+)
++ (?P<key>[^=;]*)
+ (?:\s*=\s*
+ (?P<val>
+ "(?:[^\\"]|\\.)*" |
+@@ -382,16 +382,21 @@ def _cookie_parse_impl(b: bytes) ->
t.Iterator[t.Tuple[bytes, bytes]]:
+ """Lowlevel cookie parsing facility that operates on bytes."""
+ i = 0
+ n = len(b)
++ b += b";"
+
+ while i < n:
+- match = _cookie_re.search(b + b";", i)
++ match = _cookie_re.match(b, i)
++
+ if not match:
+ break
+
+- key = match.group("key").strip()
+- value = match.group("val") or b""
+ i = match.end(0)
++ key = match.group("key").strip()
++
++ if not key:
++ continue
+
++ value = match.group("val") or b""
+ yield key, _cookie_unquote(value)
+
+
+diff --git a/src/werkzeug/http.py b/src/werkzeug/http.py
+index 9369900..ae133e3 100644
+--- a/src/werkzeug/http.py
++++ b/src/werkzeug/http.py
+@@ -1205,10 +1205,6 @@ def parse_cookie(
+ def _parse_pairs() -> t.Iterator[t.Tuple[str, str]]:
+ for key, val in _cookie_parse_impl(header): # type: ignore
+ key_str = _to_str(key, charset, errors, allow_none_charset=True)
+-
+- if not key_str:
+- continue
+-
+ val_str = _to_str(val, charset, errors, allow_none_charset=True)
+ yield key_str, val_str
+
+diff --git a/tests/test_http.py b/tests/test_http.py
+index 5936bfa..59cc179 100644
+--- a/tests/test_http.py
++++ b/tests/test_http.py
+@@ -427,7 +427,8 @@ class TestHTTPUtility:
+ def test_parse_cookie(self):
+ cookies = http.parse_cookie(
+ "dismiss-top=6; CP=null*;
PHPSESSID=0a539d42abc001cdc762809248d4beed;"
+- 'a=42; b="\\";"; ; fo234{=bar;blub=Blah; "__Secure-c"=d'
++ 'a=42; b="\\";"; ; fo234{=bar;blub=Blah; "__Secure-c"=d;'
++ "==__Host-eq=bad;__Host-eq=good;"
+ )
+ assert cookies.to_dict() == {
+ "CP": "null*",
+@@ -438,6 +439,7 @@ class TestHTTPUtility:
+ "fo234{": "bar",
+ "blub": "Blah",
+ '"__Secure-c"': "d",
++ "__Host-eq": "good",
+ }
+
+ def test_dump_cookie(self):
+--
+2.40.0
diff --git a/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb
b/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb
index 476a3a5964..ca8705146e 100644
--- a/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb
+++ b/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb
@@ -12,6 +12,8 @@ LIC_FILES_CHKSUM =
"file://LICENSE.rst;md5=5dc88300786f1c214c1e9827a5229462"
PYPI_PACKAGE = "Werkzeug"
+SRC_URI += "file://CVE-2023-23934.patch"
+
SRC_URI[sha256sum] =
"f8e89a20aeabbe8a893c24a461d3ee5dad2123b05cc6abd73ceed01d39c3ae74"
inherit pypi setuptools3
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#103198):
https://lists.openembedded.org/g/openembedded-devel/message/103198
Mute This Topic: https://lists.openembedded.org/mt/98806142/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
