File CVE-2025-69227-raise-exceptions-not-asserts.patch of Package python-aiohttp.42478
From bc1319ec3cbff9438a758951a30907b072561259 Mon Sep 17 00:00:00 2001
From: Sam Bull <git@sambull.org>
Date: Sat, 3 Jan 2026 04:53:29 +0000
Subject: [PATCH] Replace asserts with exceptions (#11897) (#11914)
(cherry picked from commit d5bf65f15c0c718b6b95e9bc9d0914a92c51e60f)
Co-authored-by: J. Nick Koston <nick@home-assistant.io>
---
aiohttp/multipart.py | 10 ++++------
aiohttp/web_request.py | 8 +++-----
tests/test_multipart.py | 12 +++++++++++-
tests/test_web_request.py | 24 +++++++++++++++++++++++-
4 files changed, 41 insertions(+), 13 deletions(-)
Index: aiohttp-3.6.0/aiohttp/multipart.py
===================================================================
--- aiohttp-3.6.0.orig/aiohttp/multipart.py
+++ aiohttp-3.6.0/aiohttp/multipart.py
@@ -322,10 +322,8 @@ class BodyPartReader:
self._read_bytes += len(chunk)
if self._read_bytes == self._length:
self._at_eof = True
- if self._at_eof:
- clrf = await self._content.readline()
- assert b'\r\n' == clrf, \
- 'reader did not read all the data or it is malformed'
+ if self._at_eof and await self._content.readline() != b"\r\n":
+ raise ValueError("Reader did not read all the data or it is malformed")
return chunk
async def _read_chunk_from_length(self, size: int) -> bytes:
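Review bot: The new `raise ValueError(...)` after the `readline()` comparison has no comment saying why it must be an exception rather than an assertion, so a later cleanup could quietly turn it back. Asserts are stripped under `python -O`, and this check is what rejects a part whose declared length is not followed by `\r\n`. I would add `# Must be a real exception: asserts vanish under -O and this validates untrusted input.` above the `if`. The enclosing method starts above the hunk, so its docstring is not visible; if it has one, it should gain a `ValueError` entry so callers know what to catch.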
@@ -350,7 +348,8 @@ class BodyPartReader:
chunk = await self._content.read(size)
self._content_eof += int(self._content.at_eof())
- assert self._content_eof < 3, "Reading after EOF"
+ if self._content_eof > 2:
+ raise ValueError("Reading after EOF")
assert self._prev_chunk is not None
window = self._prev_chunk + chunk
sub = b'\r\n' + self._boundary
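Review bot: The `assert self._prev_chunk is not None` directly below the new `Reading after EOF` check is still an assertion, although the line above it was converted. Whether request data can reach this point with `_prev_chunk` unset is not visible from the hunk. If it is purely an internal invariant, a comment such as `# internal invariant for the type checker, not input validation` would record why it was left alone. If request data can reach it, it needs an explicit `if self._prev_chunk is None: raise ValueError(...)` instead. The `> 2` threshold would also read better with a short comment on why the third EOF observation is the cut-off; the method starts and ends outside the hunk.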
Index: aiohttp-3.6.0/tests/test_multipart.py
===================================================================
--- aiohttp-3.6.0.orig/tests/test_multipart.py
+++ aiohttp-3.6.0/tests/test_multipart.py
@@ -5,6 +5,7 @@ import zlib
from unittest import mock
import pytest
+from multidict import CIMultiDict, CIMultiDictProxy
import aiohttp
from aiohttp import payload
@@ -194,11 +195,20 @@ class TestPartReader:
stream = Stream(b'Hello, World!\r\n-')
obj = aiohttp.BodyPartReader(BOUNDARY, {}, stream)
result = b''
- with pytest.raises(AssertionError):
+ with pytest.raises(ValueError):
for _ in range(4):
result += await obj.read_chunk(7)
assert b'Hello, World!\r\n-' == result
+ async def test_read_with_content_length_malformed_crlf(self) -> None:
+ content = b"Hello"
+ h = CIMultiDictProxy(CIMultiDict({"CONTENT-LENGTH": str(len(content))}))
+ # Malformed: "XX" instead of "\r\n" after content
+ stream = Stream(content + b"XX--:--")
+ obj = aiohttp.BodyPartReader(BOUNDARY, h, stream)
+ with pytest.raises(ValueError, match="malformed"):
+ await obj.read()
+
async def test_read_boundary_with_incomplete_chunk(self) -> None:
loop = asyncio.get_event_loop()
stream = Stream(b'')
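Review bot: The updated `with pytest.raises(ValueError):` in the first test of this hunk has no `match=`, so any `ValueError` raised inside the loop satisfies it, not only the check under test. `ValueError` is far more common than `AssertionError`, so the test lost specificity when the type changed. The new test below already pins its message with `match="malformed"`. Assuming the EOF check is what this test exercises, the equivalent would be `with pytest.raises(ValueError, match="Reading after EOF"):`. The test's `def` line is above the hunk, so its name and intent should be confirmed there.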