saltbundle/saltbundlepy-tornado
SHA256
7
0
Fork 0
Code Pull Requests 1 Activity

Compare commits

base: saltbundle:bundle_next
Branches Tags
saltbundle:bundle saltbundle:bundle_testing saltbundle:security-sync-next saltbundle:bundle_next
..
compare: saltbundle:security-sync-next
Branches Tags
saltbundle:bundle_testing saltbundle:security-sync-next saltbundle:bundle_next saltbundle:bundle

3 Commits
bundle_nex ... security-s

Author SHA256 Message Date
Pablo Suárez Hernández
267c3c9df5 Add missing changelog entry 2026-01-14 10:50:42 +00:00
Pablo Suárez Hernández
f501be246c Refresh patch files so they apply cleanly 2026-01-14 10:45:00 +00:00
Marek Czernek
0fc69973d3 Add CVE patches 2026-01-13 13:36:28 +01:00
8 changed files with 384 additions and 26 deletions
Expand all files Collapse all files

22
CVE-2024-52804-avoid-quadratic-cookie-parsing.patch
View File

@@ -21,11 +21,11 @@ Thanks to github.com/kexinoh for the report.
tornado/test/httputil_test.py | 46 +++++++++++++++++++++++++++++++++++
2 files changed, 56 insertions(+), 28 deletions(-)
diff --git a/tornado/httputil.py b/tornado/httputil.py
index 9ce992d82b..ebdc8059c1 100644
--- a/tornado/httputil.py
+++ b/tornado/httputil.py
@@ -1057,15 +1057,20 @@ def qs_to_qsl(qs: Dict[str, List[AnyStr]]) -> Iterable[Tuple[str, AnyStr]]:
Index: tornado-6.3.2/tornado/httputil.py
===================================================================
--- tornado-6.3.2.orig/tornado/httputil.py
+++ tornado-6.3.2/tornado/httputil.py
@@ -1055,15 +1055,20 @@ def qs_to_qsl(qs: Dict[str, List[AnyStr]
yield (k, v)
@@ -50,7 +50,7 @@ index 9ce992d82b..ebdc8059c1 100644
library (http.cookies._unquote) so we don't have to depend on
non-public interfaces.
"""
@@ -1086,30 +1091,7 @@ def _unquote_cookie(s: str) -> str:
@@ -1084,30 +1089,7 @@ def _unquote_cookie(s: str) -> str:
# \012 --> \n
# \" --> "
#
@@ -82,11 +82,11 @@ index 9ce992d82b..ebdc8059c1 100644
def parse_cookie(cookie: str) -> Dict[str, str]:
diff --git a/tornado/test/httputil_test.py b/tornado/test/httputil_test.py
index 6d618839e0..975900aa9c 100644
--- a/tornado/test/httputil_test.py
+++ b/tornado/test/httputil_test.py
@@ -560,3 +560,49 @@ def test_invalid_cookies(self):
Index: tornado-6.3.2/tornado/test/httputil_test.py
===================================================================
--- tornado-6.3.2.orig/tornado/test/httputil_test.py
+++ tornado-6.3.2/tornado/test/httputil_test.py
@@ -519,3 +519,49 @@ class ParseCookieTest(unittest.TestCase)
self.assertEqual(
parse_cookie(" = b ; ; = ; c = ; "), {"": "b", "c": ""}
)

113
CVE-2025-67724.patch Normal file
View File

@@ -0,0 +1,113 @@
From 9c163aebeaad9e6e7d28bac1f33580eb00b0e421 Mon Sep 17 00:00:00 2001
From: Ben Darnell <ben@bendarnell.com>
Date: Wed, 10 Dec 2025 15:15:25 -0500
Subject: [PATCH] web: Harden against invalid HTTP reason phrases
We allow applications to set custom reason phrases for the HTTP status
line (to support custom status codes), but if this were exposed to
untrusted data it could be exploited in various ways. This commit
guards against invalid reason phrases in both HTTP headers and in
error pages.
---
tornado/test/web_test.py | 15 ++++++++++++++-
tornado/web.py | 25 +++++++++++++++++++------
2 files changed, 33 insertions(+), 7 deletions(-)
Index: tornado-6.3.2/tornado/test/web_test.py
===================================================================
--- tornado-6.3.2.orig/tornado/test/web_test.py
+++ tornado-6.3.2/tornado/test/web_test.py
@@ -1666,7 +1666,7 @@ class StatusReasonTest(SimpleHandlerTest
class Handler(RequestHandler):
def get(self):
reason = self.request.arguments.get("reason", [])
- self.set_status(
+ raise HTTPError(
int(self.get_argument("code")),
reason=to_unicode(reason[0]) if reason else None,
)
@@ -1689,6 +1689,19 @@ class StatusReasonTest(SimpleHandlerTest
self.assertEqual(response.code, 682)
self.assertEqual(response.reason, "Unknown")
+ def test_header_injection(self):
+ response = self.fetch("/?code=200&reason=OK%0D%0AX-Injection:injected")
+ self.assertEqual(response.code, 200)
+ self.assertEqual(response.reason, "Unknown")
+ self.assertNotIn("X-Injection", response.headers)
+
+ def test_reason_xss(self):
+ response = self.fetch("/?code=400&reason=<script>alert(1)</script>")
+ self.assertEqual(response.code, 400)
+ self.assertEqual(response.reason, "Unknown")
+ self.assertNotIn(b"script", response.body)
+ self.assertIn(b"Unknown", response.body)
+
class DateHeaderTest(SimpleHandlerTestCase):
class Handler(RequestHandler):
Index: tornado-6.3.2/tornado/web.py
===================================================================
--- tornado-6.3.2.orig/tornado/web.py
+++ tornado-6.3.2/tornado/web.py
@@ -350,8 +350,10 @@ class RequestHandler(object):
:arg int status_code: Response status code.
:arg str reason: Human-readable reason phrase describing the status
- code. If ``None``, it will be filled in from
- `http.client.responses` or "Unknown".
+ code (for example, the "Not Found" in ``HTTP/1.1 404 Not Found``).
+ Normally determined automatically from `http.client.responses`; this
+ argument should only be used if you need to use a non-standard
+ status code.
.. versionchanged:: 5.0
@@ -360,6 +362,14 @@ class RequestHandler(object):
"""
self._status_code = status_code
if reason is not None:
+ if "<" in reason or not httputil._ABNF.reason_phrase.fullmatch(reason):
+ # Logically this would be better as an exception, but this method
+ # is called on error-handling paths that would need some refactoring
+ # to tolerate internal errors cleanly.
+ #
+ # The check for "<" is a defense-in-depth against XSS attacks (we also
+ # escape the reason when rendering error pages).
+ reason = "Unknown"
self._reason = escape.native_str(reason)
else:
self._reason = httputil.responses.get(status_code, "Unknown")
@@ -1291,7 +1301,8 @@ class RequestHandler(object):
reason = exception.reason
self.set_status(status_code, reason=reason)
try:
- self.write_error(status_code, **kwargs)
+ if status_code != 304:
+ self.write_error(status_code, **kwargs)
except Exception:
app_log.error("Uncaught exception in write_error", exc_info=True)
if not self._finished:
@@ -1319,7 +1330,7 @@ class RequestHandler(object):
self.finish(
"<html><title>%(code)d: %(message)s</title>"
"<body>%(code)d: %(message)s</body></html>"
- % {"code": status_code, "message": self._reason}
+ % {"code": status_code, "message": escape.xhtml_escape(self._reason)}
)
@property
@@ -2465,9 +2476,11 @@ class HTTPError(Exception):
mode). May contain ``%s``-style placeholders, which will be filled
in with remaining positional parameters.
:arg str reason: Keyword-only argument. The HTTP "reason" phrase
- to pass in the status line along with ``status_code``. Normally
+ to pass in the status line along with ``status_code`` (for example,
+ the "Not Found" in ``HTTP/1.1 404 Not Found``). Normally
determined automatically from ``status_code``, but can be used
- to use a non-standard numeric code.
+ to use a non-standard numeric code. This is not a general-purpose
+ error message.
"""
def __init__(

124
CVE-2025-67725.patch Normal file
View File

@@ -0,0 +1,124 @@
From 68e81b4a3385161877408a7a49c7ed12b45a614d Mon Sep 17 00:00:00 2001
From: Ben Darnell <ben@bendarnell.com>
Date: Tue, 9 Dec 2025 13:27:27 -0500
Subject: [PATCH] httputil: Fix quadratic performance of repeated header lines
Previouisly, when many header lines with the same name were found
in an HTTP request or response, repeated string concatenation would
result in quadratic performance. This change does the concatenation
lazily (with a cache) so that repeated headers can be processed
efficiently.
Security: The previous behavior allowed a denial of service attack
via a maliciously crafted HTTP message, but only if the
max_header_size was increased from its default of 64kB.
---
tornado/httputil.py | 36 ++++++++++++++++++++++++-----------
tornado/test/httputil_test.py | 15 +++++++++++++++
2 files changed, 40 insertions(+), 11 deletions(-)
Index: tornado-6.3.2/tornado/httputil.py
===================================================================
--- tornado-6.3.2.orig/tornado/httputil.py
+++ tornado-6.3.2/tornado/httputil.py
@@ -118,8 +118,14 @@ class HTTPHeaders(collections.abc.Mutabl
pass
def __init__(self, *args: typing.Any, **kwargs: str) -> None: # noqa: F811
- self._dict = {} # type: typing.Dict[str, str]
- self._as_list = {} # type: typing.Dict[str, typing.List[str]]
+ # Formally, HTTP headers are a mapping from a field name to a "combined field value",
+ # which may be constructed from multiple field lines by joining them with commas.
+ # In practice, however, some headers (notably Set-Cookie) do not follow this convention,
+ # so we maintain a mapping from field name to a list of field lines in self._as_list.
+ # self._combined_cache is a cache of the combined field values derived from self._as_list
+ # on demand (and cleared whenever the list is modified).
+ self._as_list: dict[str, list[str]] = {}
+ self._combined_cache: dict[str, str] = {}
self._last_key = None # type: Optional[str]
if len(args) == 1 and len(kwargs) == 0 and isinstance(args[0], HTTPHeaders):
# Copy constructor
@@ -136,9 +142,7 @@ class HTTPHeaders(collections.abc.Mutabl
norm_name = _normalize_header(name)
self._last_key = norm_name
if norm_name in self:
- self._dict[norm_name] = (
- native_str(self[norm_name]) + "," + native_str(value)
- )
+ self._combined_cache.pop(norm_name, None)
self._as_list[norm_name].append(value)
else:
self[norm_name] = value
@@ -172,7 +176,7 @@ class HTTPHeaders(collections.abc.Mutabl
raise HTTPInputError("first header line cannot start with whitespace")
new_part = " " + line.lstrip()
self._as_list[self._last_key][-1] += new_part
- self._dict[self._last_key] += new_part
+ self._combined_cache.pop(self._last_key, None)
else:
try:
name, value = line.split(":", 1)
@@ -208,22 +212,32 @@ class HTTPHeaders(collections.abc.Mutabl
def __setitem__(self, name: str, value: str) -> None:
norm_name = _normalize_header(name)
- self._dict[norm_name] = value
+ self._combined_cache[norm_name] = value
self._as_list[norm_name] = [value]
+ def __contains__(self, name: object) -> bool:
+ # This is an important optimization to avoid the expensive concatenation
+ # in __getitem__ when it's not needed.
+ if not isinstance(name, str):
+ return False
+ return name in self._as_list
+
def __getitem__(self, name: str) -> str:
- return self._dict[_normalize_header(name)]
+ header = _normalize_header(name)
+ if header not in self._combined_cache:
+ self._combined_cache[header] = ",".join(self._as_list[header])
+ return self._combined_cache[header]
def __delitem__(self, name: str) -> None:
norm_name = _normalize_header(name)
- del self._dict[norm_name]
+ del self._combined_cache[norm_name]
del self._as_list[norm_name]
def __len__(self) -> int:
- return len(self._dict)
+ return len(self._as_list)
def __iter__(self) -> Iterator[typing.Any]:
- return iter(self._dict)
+ return iter(self._as_list)
def copy(self) -> "HTTPHeaders":
# defined in dict but not in MutableMapping.
Index: tornado-6.3.2/tornado/test/httputil_test.py
===================================================================
--- tornado-6.3.2.orig/tornado/test/httputil_test.py
+++ tornado-6.3.2/tornado/test/httputil_test.py
@@ -451,6 +451,21 @@ class ParseRequestStartLineTest(unittest
self.assertEqual(parsed_start_line.path, self.PATH)
self.assertEqual(parsed_start_line.version, self.VERSION)
+ def test_linear_performance(self):
+ def f(n):
+ start = time.time()
+ headers = HTTPHeaders()
+ for i in range(n):
+ headers.add("X-Foo", "bar")
+ return time.time() - start
+
+ # This runs under 50ms on my laptop as of 2025-12-09.
+ d1 = f(10_000)
+ d2 = f(100_000)
+ if d2 / d1 > 20:
+ # d2 should be about 10x d1 but allow a wide margin for variability.
+ self.fail(f"HTTPHeaders.add() does not scale linearly: {d1=} vs {d2=}")
+
class ParseCookieTest(unittest.TestCase):
# These tests copied from Django:

94
CVE-2025-67726.patch Normal file
View File

@@ -0,0 +1,94 @@
From 771472cfdaeebc0d89a9cc46e249f8891a6b29cd Mon Sep 17 00:00:00 2001
From: Ben Darnell <ben@bendarnell.com>
Date: Wed, 10 Dec 2025 10:55:02 -0500
Subject: [PATCH] httputil: Fix quadratic behavior in _parseparam
Prior to this change, _parseparam had O(n^2) behavior when parsing
certain inputs, which could be a DoS vector. This change adapts
logic from the equivalent function in the python standard library
in https://github.com/python/cpython/pull/136072/files
---
tornado/httputil.py | 29 ++++++++++++++++++++++-------
tornado/test/httputil_test.py | 23 +++++++++++++++++++++++
2 files changed, 45 insertions(+), 7 deletions(-)
Index: tornado-6.3.2/tornado/httputil.py
===================================================================
--- tornado-6.3.2.orig/tornado/httputil.py
+++ tornado-6.3.2/tornado/httputil.py
@@ -936,19 +936,34 @@ def parse_response_start_line(line: str)
# It has also been modified to support valueless parameters as seen in
# websocket extension negotiations, and to support non-ascii values in
# RFC 2231/5987 format.
+#
+# _parseparam has been further modified with the logic from
+# https://github.com/python/cpython/pull/136072/files
+# to avoid quadratic behavior when parsing semicolons in quoted strings.
+#
+# TODO: See if we can switch to email.message.Message for this functionality.
+# This is the suggested replacement for the cgi.py module now that cgi has
+# been removed from recent versions of Python. We need to verify that
+# the email module is consistent with our existing behavior (and all relevant
+# RFCs for multipart/form-data) before making this change.
def _parseparam(s: str) -> Generator[str, None, None]:
- while s[:1] == ";":
- s = s[1:]
- end = s.find(";")
- while end > 0 and (s.count('"', 0, end) - s.count('\\"', 0, end)) % 2:
- end = s.find(";", end + 1)
+ start = 0
+ while s.find(";", start) == start:
+ start += 1
+ end = s.find(";", start)
+ ind, diff = start, 0
+ while end > 0:
+ diff += s.count('"', ind, end) - s.count('\\"', ind, end)
+ if diff % 2 == 0:
+ break
+ end, ind = ind, s.find(";", end + 1)
if end < 0:
end = len(s)
- f = s[:end]
+ f = s[start:end]
yield f.strip()
- s = s[end:]
+ start = end
def _parse_header(line: str) -> Tuple[str, Dict[str, str]]:
Index: tornado-6.3.2/tornado/test/httputil_test.py
===================================================================
--- tornado-6.3.2.orig/tornado/test/httputil_test.py
+++ tornado-6.3.2/tornado/test/httputil_test.py
@@ -261,6 +261,29 @@ Foo
self.assertEqual(file["filename"], "ab.txt")
self.assertEqual(file["body"], b"Foo")
+ def test_disposition_param_linear_performance(self):
+ # This is a regression test for performance of parsing parameters
+ # to the content-disposition header, specifically for semicolons within
+ # quoted strings.
+ def f(n):
+ start = time.time()
+ message = (
+ b"--1234\r\nContent-Disposition: form-data; "
+ + b'x="'
+ + b";" * n
+ + b'"; '
+ + b'name="files"; filename="a.txt"\r\n\r\nFoo\r\n--1234--\r\n'
+ )
+ args: dict[str, list[bytes]] = {}
+ files: dict[str, list[HTTPFile]] = {}
+ parse_multipart_form_data(b"1234", message, args, files)
+ return time.time() - start
+
+ d1 = f(1_000)
+ d2 = f(10_000)
+ if d2 / d1 > 20:
+ self.fail(f"Disposition param parsing is not linear: {d1=} vs {d2=}")
+
class HTTPHeadersTest(unittest.TestCase):
def test_multi_line(self):

8
fix-wheel-cp.patch
View File

@@ -1,6 +1,8 @@
--- a/setup.py
+++ b/setup.py
@@ -63,7 +63,7 @@
Index: tornado-6.3.2/setup.py
===================================================================
--- tornado-6.3.2.orig/setup.py
+++ tornado-6.3.2/setup.py
@@ -63,7 +63,7 @@ if wheel is not None:
python, abi, plat = super().get_tag()
if python.startswith("cp"):

24
ignore-resourcewarning-doctests.patch
View File

@@ -1,8 +1,8 @@
Index: tornado-6.0.4/tornado/util.py
Index: tornado-6.3.2/tornado/util.py
===================================================================
--- tornado-6.0.4.orig/tornado/util.py 2020-03-11 11:42:49.610254636 +0100
+++ tornado-6.0.4/tornado/util.py 2020-03-11 11:43:51.470603323 +0100
@@ -468,5 +468,7 @@ else:
--- tornado-6.3.2.orig/tornado/util.py
+++ tornado-6.3.2/tornado/util.py
@@ -458,5 +458,7 @@ else:
def doctests():
# type: () -> unittest.TestSuite
import doctest
@@ -10,11 +10,11 @@ Index: tornado-6.0.4/tornado/util.py
+ warnings.simplefilter("ignore", ResourceWarning)
return doctest.DocTestSuite()
Index: tornado-6.0.4/tornado/httputil.py
Index: tornado-6.3.2/tornado/httputil.py
===================================================================
--- tornado-6.0.4.orig/tornado/httputil.py 2020-03-11 11:42:49.610254636 +0100
+++ tornado-6.0.4/tornado/httputil.py 2020-03-11 11:44:46.178911693 +0100
@@ -1032,6 +1032,8 @@ def encode_username_password(
--- tornado-6.3.2.orig/tornado/httputil.py
+++ tornado-6.3.2/tornado/httputil.py
@@ -1019,6 +1019,8 @@ def encode_username_password(
def doctests():
# type: () -> unittest.TestSuite
import doctest
@@ -23,11 +23,11 @@ Index: tornado-6.0.4/tornado/httputil.py
return doctest.DocTestSuite()
Index: tornado-6.0.4/tornado/iostream.py
Index: tornado-6.3.2/tornado/iostream.py
===================================================================
--- tornado-6.0.4.orig/tornado/iostream.py 2020-03-11 11:42:49.610254636 +0100
+++ tornado-6.0.4/tornado/iostream.py 2020-03-11 11:45:31.015164413 +0100
@@ -1677,5 +1677,7 @@ class PipeIOStream(BaseIOStream):
--- tornado-6.3.2.orig/tornado/iostream.py
+++ tornado-6.3.2/tornado/iostream.py
@@ -1650,5 +1650,7 @@ class PipeIOStream(BaseIOStream):
def doctests() -> Any:
import doctest

18
saltbundlepy-tornado.changes
View File

@@ -1,3 +1,21 @@
-------------------------------------------------------------------
Wed Jan 14 10:48:49 UTC 2026 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
- Refresh patch files to apply cleanly:
- Modified:
* fix-wheel-cp.patch
* ignore-resourcewarning-doctests.patch
* CVE-2024-52804-avoid-quadratic-cookie-parsing.patch
-------------------------------------------------------------------
Tue Jan 13 12:30:16 UTC 2026 - Marek Czernek <marek.czernek@suse.com>
- Add security patches:
* CVE-2025-67724.patch (bsc#1254903)
* CVE-2025-67725.patch (bsc#1254905)
* CVE-2025-67726.patch (bsc#1254904)
-------------------------------------------------------------------
Thu Oct 2 10:24:02 UTC 2025 - Victor Zhestkov <vzhestkov@suse.com>

7
saltbundlepy-tornado.spec
View File

@@ -35,6 +35,13 @@ Patch0: ignore-resourcewarning-doctests.patch
Patch1: CVE-2024-52804-avoid-quadratic-cookie-parsing.patch
# PATCH-FIX-UPSTREAM CVE-2025-47287.patch bsc#1243268
Patch2: CVE-2025-47287.patch
# https://src.suse.de/pool/python-tornado6/pulls/1
# PATCH-FIX-UPSTREAM CVE-2025-67724.patch bsc#1254903
Patch3: CVE-2025-67724.patch
# PATCH-FIX-UPSTREAM CVE-2025-67725.patch bsc#1254905
Patch4: CVE-2025-67725.patch
# PATCH-FIX-UPSTREAM CVE-2025-67726.patch bsc#1254904
Patch5: CVE-2025-67726.patch
# Salt bundle specific patch to avoid fails on building for Python 3.11
Patch100: fix-wheel-cp.patch
BuildRequires: saltbundlepy