File CVE-2021-21330.patch of Package python-aiohttp.19333
diff -Nru aiohttp-3.4.4.orig/aiohttp/http_parser.py aiohttp-3.4.4/aiohttp/http_parser.py
--- aiohttp-3.4.4.orig/aiohttp/http_parser.py 2018-09-05 09:40:54.000000000 +0200
+++ aiohttp-3.4.4/aiohttp/http_parser.py 2021-04-22 10:52:04.712257494 +0200
@@ -370,6 +370,9 @@
raise LineTooLong(
'Status line is too long', self.max_line_size, len(path))
+ path_part, _hash_separator, url_fragment = path.partition("#")
+ path_part, _question_mark_separator, qs_part = path_part.partition("?")
+
# method
method = method.upper()
if not METHRE.match(method):
@@ -396,8 +399,26 @@
close = False
return RawRequestMessage(
- method, path, version, headers, raw_headers,
- close, compression, upgrade, chunked, URL(path))
+ method,
+ path,
+ version,
+ headers,
+ raw_headers,
+ close,
+ compression,
+ upgrade,
+ chunked,
+ # NOTE: `yarl.URL.build()` is used to mimic what the Cython-based
+ # NOTE: parser does, otherwise it results into the same
+ # NOTE: HTTP Request-Line input producing different
+ # NOTE: `yarl.URL()` objects
+ URL.build(
+ path=path_part,
+ query_string=qs_part,
+ fragment=url_fragment,
+ encoded=True,
+ ),
+ )
class HttpResponseParser(HttpParser):
diff -Nru aiohttp-3.4.4.orig/tests/test_http_parser.py aiohttp-3.4.4/tests/test_http_parser.py
--- aiohttp-3.4.4.orig/tests/test_http_parser.py 2018-09-05 09:40:55.000000000 +0200
+++ aiohttp-3.4.4/tests/test_http_parser.py 2021-04-22 10:52:46.953355109 +0200
@@ -531,6 +531,7 @@
assert msg.method == 'GET'
assert msg.path == '//path'
+ assert msg.url.path == "//path"
assert msg.version == (1, 1)
assert not msg.should_close
assert msg.compression is None
