Overview

File CVE-2023-49081.patch of Package python-aiohttp.40456

From 70756a76fab97769659ab344b588b27a5e37895b Mon Sep 17 00:00:00 2001
From: Sam Bull <git@sambull.org>
Date: Mon, 13 Nov 2023 22:36:04 +0000
Subject: [PATCH] Disallow arbitrary sequence types in version (#7835) (#7836)

(cherry picked from commit 1e86b777e61cf4eefc7d92fa57fa19dcc676013b)
---
 CHANGES/7835.bugfix          |    1 +
 aiohttp/client_reqrep.py     |    5 +++--
 tests/test_client_request.py |   20 +++++++++++++++++---
 3 files changed, 21 insertions(+), 5 deletions(-)
 create mode 100644 CHANGES/7835.bugfix

Index: aiohttp-3.6.0/CHANGES/7835.bugfix
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ aiohttp-3.6.0/CHANGES/7835.bugfix	2025-09-03 23:13:29.389196533 +0200
@@ -0,0 +1 @@
+Fixed arbitrary sequence types being allowed to inject headers via version parameter -- by :user:`Dreamsorcerer`
Index: aiohttp-3.6.0/aiohttp/client_reqrep.py
===================================================================
--- aiohttp-3.6.0.orig/aiohttp/client_reqrep.py	2019-09-06 14:54:33.000000000 +0200
+++ aiohttp-3.6.0/aiohttp/client_reqrep.py	2025-09-03 23:13:29.389491755 +0200
@@ -625,8 +625,9 @@
             self.headers[hdrs.CONNECTION] = connection
 
         # status + headers
-        status_line = '{0} {1} HTTP/{2[0]}.{2[1]}'.format(
-            self.method, path, self.version)
+        status_line = '{0} {1} HTTP/{v.major}.{v.minor}'.format(
+            self.method, path, v=self.version
+        )
         await writer.write_headers(status_line, self.headers)
 
         self._writer = self.loop.create_task(self.write_bytes(writer, conn))
Index: aiohttp-3.6.0/tests/test_client_request.py
===================================================================
--- aiohttp-3.6.0.orig/tests/test_client_request.py	2019-09-06 14:54:33.000000000 +0200
+++ aiohttp-3.6.0/tests/test_client_request.py	2025-09-03 23:13:29.389838102 +0200
@@ -22,6 +22,7 @@
     Fingerprint,
     _merge_ssl_params,
 )
+from aiohttp.http import HttpVersion
 from aiohttp.test_utils import make_mocked_coro
 
 
@@ -552,18 +553,18 @@
     req.headers.clear()
 
     req.keep_alive.return_value = True
-    req.version = (1, 1)
+    req.version = HttpVersion(1, 1)
     req.headers.clear()
     await req.send(conn)
     assert req.headers.get('CONNECTION') is None
 
-    req.version = (1, 0)
+    req.version = HttpVersion(1, 0)
     req.headers.clear()
     await req.send(conn)
     assert req.headers.get('CONNECTION') == 'keep-alive'
 
     req.keep_alive.return_value = False
-    req.version = (1, 1)
+    req.version = HttpVersion(1, 1)
     req.headers.clear()
     await req.send(conn)
     assert req.headers.get('CONNECTION') == 'close'
@@ -1152,6 +1153,19 @@
     resp.close()
 
 
+async def test_bad_version(loop, conn) -> None:
+    req = ClientRequest(
+        "GET",
+        URL("http://python.org"),
+        loop=loop,
+        headers={"Connection": "Close"},
+        version=("1", "1\r\nInjected-Header: not allowed"),
+    )
+
+    with pytest.raises(AttributeError):
+        await req.send(conn)
+
+
 async def test_custom_response_class(loop, conn) -> None:
     class CustomResponse(ClientResponse):
         def read(self, decode=False):
openSUSE Build Service is sponsored by
Places