File CVE-2023-49081.patch of Package python-aiohttp.31991
From 70756a76fab97769659ab344b588b27a5e37895b Mon Sep 17 00:00:00 2001
From: Sam Bull <git@sambull.org>
Date: Mon, 13 Nov 2023 22:36:04 +0000
Subject: [PATCH] Disallow arbitrary sequence types in version (#7835) (#7836)
(cherry picked from commit 1e86b777e61cf4eefc7d92fa57fa19dcc676013b)
---
CHANGES/7835.bugfix | 1 +
aiohttp/client_reqrep.py | 5 +++--
tests/test_client_request.py | 20 +++++++++++++++++---
3 files changed, 21 insertions(+), 5 deletions(-)
create mode 100644 CHANGES/7835.bugfix
diff --git a/CHANGES/7835.bugfix b/CHANGES/7835.bugfix
new file mode 100644
index 00000000..4ce3af4f
--- /dev/null
+++ b/CHANGES/7835.bugfix
@@ -0,0 +1 @@
+Fixed arbitrary sequence types being allowed to inject headers via version parameter -- by :user:`Dreamsorcerer`
diff --git a/aiohttp/client_reqrep.py b/aiohttp/client_reqrep.py
index 48074534..8ccdc0d8 100644
--- a/aiohttp/client_reqrep.py
+++ b/aiohttp/client_reqrep.py
@@ -625,8 +625,9 @@ class ClientRequest:
self.headers[hdrs.CONNECTION] = connection
# status + headers
- status_line = '{0} {1} HTTP/{2[0]}.{2[1]}'.format(
- self.method, path, self.version)
+ status_line = '{0} {1} HTTP/{v.major}.{v.minor}'.format(
+ self.method, path, v=self.version
+ )
await writer.write_headers(status_line, self.headers)
self._writer = self.loop.create_task(self.write_bytes(writer, conn))
diff --git a/tests/test_client_request.py b/tests/test_client_request.py
index d6105ef9..0418e01f 100644
--- a/tests/test_client_request.py
+++ b/tests/test_client_request.py
@@ -22,6 +22,7 @@ from aiohttp.client_reqrep import (
Fingerprint,
_merge_ssl_params,
)
+from aiohttp.http import HttpVersion
from aiohttp.test_utils import make_mocked_coro
@@ -552,18 +553,18 @@ async def test_connection_header(loop, conn) -> None:
req.headers.clear()
req.keep_alive.return_value = True
- req.version = (1, 1)
+ req.version = HttpVersion(1, 1)
req.headers.clear()
await req.send(conn)
assert req.headers.get('CONNECTION') is None
- req.version = (1, 0)
+ req.version = HttpVersion(1, 0)
req.headers.clear()
await req.send(conn)
assert req.headers.get('CONNECTION') == 'keep-alive'
req.keep_alive.return_value = False
- req.version = (1, 1)
+ req.version = HttpVersion(1, 1)
req.headers.clear()
await req.send(conn)
assert req.headers.get('CONNECTION') == 'close'
@@ -1152,6 +1153,19 @@ async def test_close_deprecated(loop, buf, conn) -> None:
resp.close()
+async def test_bad_version(loop, conn) -> None:
+ req = ClientRequest(
+ "GET",
+ URL("http://python.org"),
+ loop=loop,
+ headers={"Connection": "Close"},
+ version=("1", "1\r\nInjected-Header: not allowed"),
+ )
+
+ with pytest.raises(AttributeError):
+ await req.send(conn)
+
+
async def test_custom_response_class(loop, conn) -> None:
class CustomResponse(ClientResponse):
def read(self, decode=False):
--
2.43.0