File CVE-2021-21330.patch of Package python-aiohttp.31991
diff -Nru aiohttp-3.5.4.orig/aiohttp/http_parser.py aiohttp-3.5.4/aiohttp/http_parser.py
--- aiohttp-3.5.4.orig/aiohttp/http_parser.py 2019-01-12 11:13:41.000000000 +0100
+++ aiohttp-3.5.4/aiohttp/http_parser.py 2022-05-04 12:41:04.477998722 +0200
@@ -432,6 +432,9 @@
str(self.max_line_size),
str(len(path)))
+ path_part, _hash_separator, url_fragment = path.partition("#")
+ path_part, _question_mark_separator, qs_part = path_part.partition("?")
+
# method
if not METHRE.match(method):
raise BadStatusLine(method)
@@ -457,9 +460,26 @@
close = False
return RawRequestMessage(
- method, path, version_o, headers, raw_headers,
- close, compression, upgrade, chunked, URL(path))
-
+ method,
+ path,
+ version_o,
+ headers,
+ raw_headers,
+ close,
+ compression,
+ upgrade,
+ chunked,
+ # NOTE: `yarl.URL.build()` is used to mimic what the Cython-based
+ # NOTE: parser does, otherwise it results into the same
+ # NOTE: HTTP Request-Line input producing different
+ # NOTE: `yarl.URL()` objects
+ URL.build(
+ path=path_part,
+ query_string=qs_part,
+ fragment=url_fragment,
+ encoded=True,
+ ),
+ )
class HttpResponseParser(HttpParser):
"""Read response status line and headers.
diff -Nru aiohttp-3.5.4.orig/tests/test_http_parser.py aiohttp-3.5.4/tests/test_http_parser.py
--- aiohttp-3.5.4.orig/tests/test_http_parser.py 2019-01-12 11:13:41.000000000 +0100
+++ aiohttp-3.5.4/tests/test_http_parser.py 2022-05-04 12:36:25.681823873 +0200
@@ -535,6 +535,7 @@
assert msg.method == 'GET'
assert msg.path == '//path'
+ assert msg.url.path == "//path"
assert msg.version == (1, 1)
assert not msg.should_close
assert msg.compression is None
