Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP7:Update
python-Werkzeug.36256
CVE-2024-49767.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2024-49767.patch of Package python-Werkzeug.36256
Index: Werkzeug-2.3.6/CHANGES.rst =================================================================== --- Werkzeug-2.3.6.orig/CHANGES.rst +++ Werkzeug-2.3.6/CHANGES.rst @@ -8,6 +8,9 @@ Released 2023-06-08 - ``FileStorage.content_length`` does not fail if the form data did not provide a value. :issue:`2726` +- Fix how ``max_form_memory_size`` is applied when parsing large non-file + fields. :ghsa:`q34m-jh98-gwm2` + Version 2.3.5 ------------- Index: Werkzeug-2.3.6/src/werkzeug/formparser.py =================================================================== --- Werkzeug-2.3.6.orig/src/werkzeug/formparser.py +++ Werkzeug-2.3.6/src/werkzeug/formparser.py @@ -480,6 +480,7 @@ class MultiPartParser: self, stream: t.IO[bytes], boundary: bytes, content_length: int | None ) -> tuple[MultiDict, MultiDict]: current_part: Field | File + field_size: int | None = None container: t.IO[bytes] | list[bytes] _write: t.Callable[[bytes], t.Any] @@ -498,13 +499,23 @@ class MultiPartParser: while not isinstance(event, (Epilogue, NeedData)): if isinstance(event, Field): current_part = event + field_size = 0 container = [] _write = container.append elif isinstance(event, File): current_part = event + field_size = None container = self.start_file_streaming(event, content_length) _write = container.write elif isinstance(event, Data): + if self.max_form_memory_size is not None and field_size is not None: + # Ensure that accumulated data events do not exceed limit. + # Also checked within single event in MultipartDecoder. + field_size += len(event.data) + + if field_size > self.max_form_memory_size: + raise RequestEntityTooLarge() + _write(event.data) if not event.more_data: if isinstance(current_part, Field): Index: Werkzeug-2.3.6/src/werkzeug/sansio/multipart.py =================================================================== --- Werkzeug-2.3.6.orig/src/werkzeug/sansio/multipart.py +++ Werkzeug-2.3.6/src/werkzeug/sansio/multipart.py @@ -140,6 +140,8 @@ class MultipartDecoder: self.max_form_memory_size is not None and len(self.buffer) + len(data) > self.max_form_memory_size ): + # Ensure that data within single event does not exceed limit. + # Also checked across accumulated events in MultiPartParser. raise RequestEntityTooLarge() else: self.buffer.extend(data) Index: Werkzeug-2.3.6/tests/test_formparser.py =================================================================== --- Werkzeug-2.3.6.orig/tests/test_formparser.py +++ Werkzeug-2.3.6/tests/test_formparser.py @@ -448,3 +448,15 @@ class TestMultiPartParser: ) as request: assert request.files["rfc2231"].filename == "a b c d e f.txt" assert request.files["rfc2231"].read() == b"file contents" + + +def test_multipart_max_form_memory_size() -> None: + """max_form_memory_size is tracked across multiple data events.""" + data = b"--bound\r\nContent-Disposition: form-field; name=a\r\n\r\n" + data += b"a" * 15 + b"\r\n--bound--" + # The buffer size is less than the max size, so multiple data events will be + # returned. The field size is greater than the max. + parser = formparser.MultiPartParser(max_form_memory_size=10, buffer_size=5) + + with pytest.raises(RequestEntityTooLarge): + parser.parse(io.BytesIO(data), b"bound", None)
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
