File CVE-2025-58068.patch of Package python-eventlet.40407

From b7bf366c4f347676ceb6723ef12fa60a565e040f Mon Sep 17 00:00:00 2001
From: sebsrt <s@sebsrt.xyz>
Date: Mon, 11 Aug 2025 11:46:28 +0200
Subject: [PATCH] [SECURITY] Fix request smuggling vulnerability by discarding
 trailers (#1062)

The WSGI parser is vulnerable to request smuggling because it does not parse the trailer section of an HTTP request. This patch fixes that by discarding trailers.
---
 eventlet/wsgi.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/eventlet/wsgi.py b/eventlet/wsgi.py
index ef458aa7..1a09c4e4 100644
--- a/eventlet/wsgi.py
+++ b/eventlet/wsgi.py
@@ -143,6 +143,12 @@ class Input(object):
             read = b''
         self.position += len(read)
         return read
+    
+    def _discard_trailers(self, rfile):
+        while True:
+            line = rfile.readline()
+            if not line or line in (b'\r\n', b'\n', b''):
+                break
 
     def _chunked_read(self, rfile, length=None, use_readline=False):
         if self.wfile is not None and not self.is_hundred_continue_response_sent:
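Review bot: `_discard_trailers` calls `rfile.readline()` with no size argument and loops with no upper bound, so a peer that sends a very long trailer line, or never sends the terminating empty line, keeps this handler reading and buffering indefinitely. Pass a per-line limit and cap the total bytes discarded, e.g. `line = rfile.readline(MAX_TRAILER_LINE)`, where `MAX_TRAILER_LINE` is a placeholder for whatever header-line limit the module already enforces, and raise `ChunkReadError` once the cap is exceeded. The condition can be reduced to `if line in (b'\r\n', b'\n', b''):`, since `not line` already covers `b''`. The method also lacks a docstring; a one-line one stating that it consumes the trailer section up to the terminating empty line would do, and the added blank line before the `def` carries trailing whitespace.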
@@ -193,7 +199,7 @@ class Input(object):
                         raise ChunkReadError(err)
                     self.position = 0
                     if self.chunk_length == 0:
-                        rfile.readline()
+                        self._discard_trailers(rfile)
         except greenio.SSL.ZeroReturnError:
             pass
         return b''.join(response)
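Review bot: The call site gives no hint why the single `readline()` was replaced, and the diffstat shows only `eventlet/wsgi.py` changing, so nothing in this commit pins the fix with a regression test. Add a comment above the call such as `# consume the whole trailer section so it is not parsed as the start of the next request`. A test should cover a chunked body with trailer fields followed by a second request on the same connection, asserting that the two are parsed separately. The enclosing `_chunked_read` body starts before this hunk.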
-- 
2.51.0
