File CVE-2021-21330.patch of Package python-aiohttp.40456
---
aiohttp/http_parser.py | 26 +++++++++++++++++++++++---
tests/test_http_parser.py | 1 +
2 files changed, 24 insertions(+), 3 deletions(-)
Index: aiohttp-3.6.0/aiohttp/http_parser.py
===================================================================
--- aiohttp-3.6.0.orig/aiohttp/http_parser.py 2019-09-06 14:54:33.000000000 +0200
+++ aiohttp-3.6.0/aiohttp/http_parser.py 2025-09-03 23:13:08.589050242 +0200
@@ -432,6 +432,9 @@
str(self.max_line_size),
str(len(path)))
+ path_part, _hash_separator, url_fragment = path.partition("#")
+ path_part, _question_mark_separator, qs_part = path_part.partition("?")
+
# method
if not METHRE.match(method):
raise BadStatusLine(method)
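Review bot: The split added after the length check runs for every request-target, not only origin-form ones, and the second hunk then passes the pieces to `URL.build(path=...)` unconditionally. An absolute-form target (`GET http://host/x HTTP/1.1`) or a CONNECT authority would therefore appear to land entirely in `msg.url.path` with no scheme or host, where `URL(path)` previously parsed them; code that reads `msg.url.host` for proxying or access decisions would then see a different value. Consider splitting only when the target starts with `/` and keeping the old parse for the other forms, as sketched below. The enclosing method starts and ends outside both hunks, so callers of `msg.url` are not visible here.

```python
if path.startswith("/"):
    # origin-form: build from parts so a leading "//" stays in the path
    # instead of being parsed as an authority (host)
    path_part, _hash_separator, url_fragment = path.partition("#")
    path_part, _question_mark_separator, qs_part = path_part.partition("?")
    url = URL.build(
        path=path_part,
        query_string=qs_part,
        fragment=url_fragment,
        encoded=True,
    )
else:
    # absolute-form, authority-form (CONNECT) and "*": parse as before
    url = URL(path)

# … unchanged: method/version checks and header parsing …
# … second hunk: pass `url` as the last RawRequestMessage argument …
```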
@@ -457,9 +460,26 @@
close = False
return RawRequestMessage(
- method, path, version_o, headers, raw_headers,
- close, compression, upgrade, chunked, URL(path))
-
+ method,
+ path,
+ version_o,
+ headers,
+ raw_headers,
+ close,
+ compression,
+ upgrade,
+ chunked,
+ # NOTE: `yarl.URL.build()` is used to mimic what the Cython-based
+ # NOTE: parser does, otherwise it results into the same
+ # NOTE: HTTP Request-Line input producing different
+ # NOTE: `yarl.URL()` objects
+ URL.build(
+ path=path_part,
+ query_string=qs_part,
+ fragment=url_fragment,
+ encoded=True,
+ ),
+ )
class HttpResponseParser(HttpParser):
"""Read response status line and headers.
Index: aiohttp-3.6.0/tests/test_http_parser.py
===================================================================
--- aiohttp-3.6.0.orig/tests/test_http_parser.py 2019-09-06 14:54:33.000000000 +0200
+++ aiohttp-3.6.0/tests/test_http_parser.py 2025-09-03 23:13:08.589050242 +0200
@@ -535,6 +535,7 @@
assert msg.method == 'GET'
assert msg.path == '//path'
+ assert msg.url.path == "//path"
assert msg.version == (1, 1)
assert not msg.should_close
assert msg.compression is None
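Review bot: The added assertion pins only `msg.url.path`, but the property that matters for the redirect issue is that no authority is derived from `//path`. Add `assert msg.url.host is None` next to it, and ideally a second case with `?` and `#` in the target to check that `msg.url.query_string` and `msg.url.fragment` round-trip. The diffstat lists only the parser and this test, so whether a path-normalising redirect (e.g. `normalize_path_middleware`) can still emit a `//`-prefixed `Location` is not covered by this patch; confirm another patch in the package handles it. The test function begins outside the hunk.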