ALP-pool/python-tornado6
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Sync from SUSE:ALP:Source:Standard:1.0 python-tornado6 revision b571b03142a94db52bf9697e03e4aa22

Browse Source
This commit is contained in:
Adrian Schröter
2025-06-23 15:40:33 +02:00
parent 120cae1d7a
commit 3216d0fe6d
3 changed files with 237 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

228
CVE-2025-47287.patch Normal file
View File

@@ -0,0 +1,228 @@
From cc61050e8f26697463142d99864b562e8470b41d Mon Sep 17 00:00:00 2001
From: Ben Darnell <ben@bendarnell.com>
Date: Thu, 8 May 2025 13:29:43 -0400
Subject: [PATCH] httputil: Raise errors instead of logging in
multipart/form-data parsing
We used to continue after logging an error, which allowed repeated
errors to spam the logs. The error raised here will still be logged,
but only once per request, consistent with other error handling in
Tornado.
---
tornado/httputil.py | 30 +++++++++++-------------------
tornado/test/httpserver_test.py | 4 ++--
tornado/test/httputil_test.py | 13 ++++++++-----
tornado/web.py | 17 +++++++++++++----
4 files changed, 34 insertions(+), 30 deletions(-)
Index: tornado-6.4/tornado/httputil.py
===================================================================
--- tornado-6.4.orig/tornado/httputil.py
+++ tornado-6.4/tornado/httputil.py
@@ -34,7 +34,6 @@ import unicodedata
from urllib.parse import urlencode, urlparse, urlunparse, parse_qsl
from tornado.escape import native_str, parse_qs_bytes, utf8
-from tornado.log import gen_log
from tornado.util import ObjectDict, unicode_type
@@ -759,25 +758,22 @@ def parse_body_arguments(
"""
if content_type.startswith("application/x-www-form-urlencoded"):
if headers and "Content-Encoding" in headers:
- gen_log.warning(
- "Unsupported Content-Encoding: %s", headers["Content-Encoding"]
+ raise HTTPInputError(
+ "Unsupported Content-Encoding: %s" % headers["Content-Encoding"]
)
- return
try:
# real charset decoding will happen in RequestHandler.decode_argument()
uri_arguments = parse_qs_bytes(body, keep_blank_values=True)
except Exception as e:
- gen_log.warning("Invalid x-www-form-urlencoded body: %s", e)
- uri_arguments = {}
+ raise HTTPInputError("Invalid x-www-form-urlencoded body: %s" % e) from e
for name, values in uri_arguments.items():
if values:
arguments.setdefault(name, []).extend(values)
elif content_type.startswith("multipart/form-data"):
if headers and "Content-Encoding" in headers:
- gen_log.warning(
- "Unsupported Content-Encoding: %s", headers["Content-Encoding"]
+ raise HTTPInputError(
+ "Unsupported Content-Encoding: %s" % headers["Content-Encoding"]
)
- return
try:
fields = content_type.split(";")
for field in fields:
@@ -786,9 +782,9 @@ def parse_body_arguments(
parse_multipart_form_data(utf8(v), body, arguments, files)
break
else:
- raise ValueError("multipart boundary not found")
+ raise HTTPInputError("multipart boundary not found")
except Exception as e:
- gen_log.warning("Invalid multipart/form-data: %s", e)
+ raise HTTPInputError("Invalid multipart/form-data: %s" % e) from e
def parse_multipart_form_data(
@@ -817,26 +813,22 @@ def parse_multipart_form_data(
boundary = boundary[1:-1]
final_boundary_index = data.rfind(b"--" + boundary + b"--")
if final_boundary_index == -1:
- gen_log.warning("Invalid multipart/form-data: no final boundary")
- return
+ raise HTTPInputError("Invalid multipart/form-data: no final boundary found")
parts = data[:final_boundary_index].split(b"--" + boundary + b"\r\n")
for part in parts:
if not part:
continue
eoh = part.find(b"\r\n\r\n")
if eoh == -1:
- gen_log.warning("multipart/form-data missing headers")
- continue
+ raise HTTPInputError("multipart/form-data missing headers")
headers = HTTPHeaders.parse(part[:eoh].decode("utf-8"))
disp_header = headers.get("Content-Disposition", "")
disposition, disp_params = _parse_header(disp_header)
if disposition != "form-data" or not part.endswith(b"\r\n"):
- gen_log.warning("Invalid multipart/form-data")
- continue
+ raise HTTPInputError("Invalid multipart/form-data")
value = part[eoh + 4 : -2]
if not disp_params.get("name"):
- gen_log.warning("multipart/form-data value missing name")
- continue
+ raise HTTPInputError("multipart/form-data missing name")
name = disp_params["name"]
if disp_params.get("filename"):
ctype = headers.get("Content-Type", "application/unknown")
Index: tornado-6.4/tornado/test/httpserver_test.py
===================================================================
--- tornado-6.4.orig/tornado/test/httpserver_test.py
+++ tornado-6.4/tornado/test/httpserver_test.py
@@ -1061,9 +1061,9 @@ class GzipUnsupportedTest(GzipBaseTest,
# Gzip support is opt-in; without it the server fails to parse
# the body (but parsing form bodies is currently just a log message,
# not a fatal error).
- with ExpectLog(gen_log, "Unsupported Content-Encoding"):
+ with ExpectLog(gen_log, ".*Unsupported Content-Encoding"):
response = self.post_gzip("foo=bar")
- self.assertEqual(json_decode(response.body), {})
+ self.assertEqual(response.code, 400)
class StreamingChunkSizeTest(AsyncHTTPTestCase):
Index: tornado-6.4/tornado/test/httputil_test.py
===================================================================
--- tornado-6.4.orig/tornado/test/httputil_test.py
+++ tornado-6.4/tornado/test/httputil_test.py
@@ -12,7 +12,6 @@ from tornado.httputil import (
)
from tornado.escape import utf8, native_str
from tornado.log import gen_log
-from tornado.testing import ExpectLog
from tornado.test.util import ignore_deprecation
import copy
@@ -195,7 +194,9 @@ Foo
b"\n", b"\r\n"
)
args, files = form_data_args()
- with ExpectLog(gen_log, "multipart/form-data missing headers"):
+ with self.assertRaises(
+ HTTPInputError, msg="multipart/form-data missing headers"
+ ):
parse_multipart_form_data(b"1234", data, args, files)
self.assertEqual(files, {})
@@ -209,7 +210,7 @@ Foo
b"\n", b"\r\n"
)
args, files = form_data_args()
- with ExpectLog(gen_log, "Invalid multipart/form-data"):
+ with self.assertRaises(HTTPInputError, msg="Invalid multipart/form-data"):
parse_multipart_form_data(b"1234", data, args, files)
self.assertEqual(files, {})
@@ -222,7 +223,7 @@ Foo--1234--""".replace(
b"\n", b"\r\n"
)
args, files = form_data_args()
- with ExpectLog(gen_log, "Invalid multipart/form-data"):
+ with self.assertRaises(HTTPInputError, msg="Invalid multipart/form-data"):
parse_multipart_form_data(b"1234", data, args, files)
self.assertEqual(files, {})
@@ -236,7 +237,9 @@ Foo
b"\n", b"\r\n"
)
args, files = form_data_args()
- with ExpectLog(gen_log, "multipart/form-data value missing name"):
+ with self.assertRaises(
+ HTTPInputError, msg="multipart/form-data value missing name"
+ ):
parse_multipart_form_data(b"1234", data, args, files)
self.assertEqual(files, {})
Index: tornado-6.4/tornado/web.py
===================================================================
--- tornado-6.4.orig/tornado/web.py
+++ tornado-6.4/tornado/web.py
@@ -1751,6 +1751,14 @@ class RequestHandler(object):
try:
if self.request.method not in self.SUPPORTED_METHODS:
raise HTTPError(405)
+
+ # If we're not in stream_request_body mode, this is the place where we parse the body.
+ if not _has_stream_request_body(self.__class__):
+ try:
+ self.request._parse_body()
+ except httputil.HTTPInputError as e:
+ raise HTTPError(400, "Invalid body: %s" % e) from e
+
self.path_args = [self.decode_argument(arg) for arg in args]
self.path_kwargs = dict(
(k, self.decode_argument(v, name=k)) for (k, v) in kwargs.items()
@@ -1941,7 +1949,7 @@ def _has_stream_request_body(cls: Type[R
def removeslash(
- method: Callable[..., Optional[Awaitable[None]]]
+ method: Callable[..., Optional[Awaitable[None]]],
) -> Callable[..., Optional[Awaitable[None]]]:
"""Use this decorator to remove trailing slashes from the request path.
@@ -1970,7 +1978,7 @@ def removeslash(
def addslash(
- method: Callable[..., Optional[Awaitable[None]]]
+ method: Callable[..., Optional[Awaitable[None]]],
) -> Callable[..., Optional[Awaitable[None]]]:
"""Use this decorator to add a missing trailing slash to the request path.
@@ -2394,8 +2402,9 @@ class _HandlerDelegate(httputil.HTTPMess
if self.stream_request_body:
future_set_result_unless_cancelled(self.request._body_future, None)
else:
+ # Note that the body gets parsed in RequestHandler._execute so it can be in
+ # the right exception handler scope.
self.request.body = b"".join(self.chunks)
- self.request._parse_body()
self.execute()
def on_connection_close(self) -> None:
@@ -3267,7 +3276,7 @@ class GZipContentEncoding(OutputTransfor
def authenticated(
- method: Callable[..., Optional[Awaitable[None]]]
+ method: Callable[..., Optional[Awaitable[None]]],
) -> Callable[..., Optional[Awaitable[None]]]:
"""Decorate methods with this to require that the user be logged in.

7
python-tornado6.changes
View File

@@ -1,3 +1,10 @@
-------------------------------------------------------------------
Mon May 26 10:20:14 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
- Add patch CVE-2025-47287.patch:
* httputil: Raise errors instead of logging in multipart/form-data parsing
(CVE-2025-47287, bsc#1243268, gh#tornadoweb/tornado#3497)
-------------------------------------------------------------------
Wed Nov 27 04:23:13 UTC 2024 - Steve Kowalik <steven.kowalik@suse.com>

2
python-tornado6.spec
View File

@@ -33,6 +33,8 @@ Patch1: openssl-3.2.patch
# PATCH-FIX-UPSTREAM CVE-2024-52804 bsc#1233668
# gh#tornadoweb/tornado#d5ba4a1695fbf7c6a3e54313262639b198291533
Patch2: CVE-2024-52804-avoid-quadratic-cookie-parsing.patch
# PATCH-FIX-UPSTREAM CVE-2025-47287.patch bsc#1243268
Patch3: CVE-2025-47287.patch
BuildRequires: %{python_module base >= 3.8}
BuildRequires: %{python_module devel}
BuildRequires: %{python_module pip}