mirror of
git://git.openembedded.org/meta-openembedded
synced 2026-04-02 19:09:26 +00:00
b7ab23179d
Changelog:
==========
The development server does not set Transfer-Encoding: chunked for 1xx, 204, 304, and HEAD responses.
Response HTML for exceptions and redirects starts with <!doctype html> and <html lang=en>.
Fix ability to set some cache_control attributes to False.
Disable keep-alive connections in the development server, which are not supported sufficiently by Python’s http.server.
Signed-off-by: Xu Huan <xuhuan.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 0704ebad0d31eec1737e0313b0f221085a9e8166)
Rebased patches in Kirkstone.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
232 lines
9.0 KiB
Diff
232 lines
9.0 KiB
Diff
From 5a56cdcbaec2153cd67596c6c2c8056e1ea5ed56 Mon Sep 17 00:00:00 2001
|
|
From: David Lord <davidism@gmail.com>
|
|
Date: Tue, 2 May 2023 11:31:10 +0000
|
|
Subject: [PATCH] Merge pull request from GHSA-xg9f-g7g7-2323
|
|
|
|
limit the maximum number of multipart form parts
|
|
|
|
CVE: CVE-2023-25577
|
|
|
|
Upstream-Status: Backport [https://github.com/pallets/werkzeug/commit/517cac5a804e8c4dc4ed038bb20dacd038e7a9f1]
|
|
|
|
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
|
|
---
|
|
CHANGES.rst | 5 +++++
|
|
docs/request_data.rst | 37 +++++++++++++++++---------------
|
|
src/werkzeug/formparser.py | 12 ++++++++++-
|
|
src/werkzeug/sansio/multipart.py | 8 +++++++
|
|
src/werkzeug/wrappers/request.py | 8 +++++++
|
|
tests/test_formparser.py | 9 ++++++++
|
|
6 files changed, 61 insertions(+), 18 deletions(-)
|
|
|
|
diff --git a/CHANGES.rst b/CHANGES.rst
|
|
index a351d7c..6e809ba 100644
|
|
--- a/CHANGES.rst
|
|
+++ b/CHANGES.rst
|
|
@@ -1,5 +1,10 @@
|
|
.. currentmodule:: werkzeug
|
|
|
|
+- Specify a maximum number of multipart parts, default 1000, after which a
|
|
+ ``RequestEntityTooLarge`` exception is raised on parsing. This mitigates a DoS
|
|
+ attack where a larger number of form/file parts would result in disproportionate
|
|
+ resource use.
|
|
+
|
|
Version 2.1.2
|
|
-------------
|
|
|
|
diff --git a/docs/request_data.rst b/docs/request_data.rst
|
|
index 83c6278..e55841e 100644
|
|
--- a/docs/request_data.rst
|
|
+++ b/docs/request_data.rst
|
|
@@ -73,23 +73,26 @@ read the stream *or* call :meth:`~Request.get_data`.
|
|
Limiting Request Data
|
|
---------------------
|
|
|
|
-To avoid being the victim of a DDOS attack you can set the maximum
|
|
-accepted content length and request field sizes. The :class:`Request`
|
|
-class has two attributes for that: :attr:`~Request.max_content_length`
|
|
-and :attr:`~Request.max_form_memory_size`.
|
|
-
|
|
-The first one can be used to limit the total content length. For example
|
|
-by setting it to ``1024 * 1024 * 16`` the request won't accept more than
|
|
-16MB of transmitted data.
|
|
-
|
|
-Because certain data can't be moved to the hard disk (regular post data)
|
|
-whereas temporary files can, there is a second limit you can set. The
|
|
-:attr:`~Request.max_form_memory_size` limits the size of `POST`
|
|
-transmitted form data. By setting it to ``1024 * 1024 * 2`` you can make
|
|
-sure that all in memory-stored fields are not more than 2MB in size.
|
|
-
|
|
-This however does *not* affect in-memory stored files if the
|
|
-`stream_factory` used returns a in-memory file.
|
|
+The :class:`Request` class provides a few attributes to control how much data is
|
|
+processed from the request body. This can help mitigate DoS attacks that craft the
|
|
+request in such a way that the server uses too many resources to handle it. Each of
|
|
+these limits will raise a :exc:`~werkzeug.exceptions.RequestEntityTooLarge` if they are
|
|
+exceeded.
|
|
+
|
|
+- :attr:`~Request.max_content_length` Stop reading request data after this number
|
|
+ of bytes. It's better to configure this in the WSGI server or HTTP server, rather
|
|
+ than the WSGI application.
|
|
+- :attr:`~Request.max_form_memory_size` Stop reading request data if any form part is
|
|
+ larger than this number of bytes. While file parts can be moved to disk, regular
|
|
+ form field data is stored in memory only.
|
|
+- :attr:`~Request.max_form_parts` Stop reading request data if more than this number
|
|
+ of parts are sent in multipart form data. This is useful to stop a very large number
|
|
+ of very small parts, especially file parts. The default is 1000.
|
|
+
|
|
+Using Werkzeug to set these limits is only one layer of protection. WSGI servers
|
|
+and HTTPS servers should set their own limits on size and timeouts. The operating system
|
|
+or container manager should set limits on memory and processing time for server
|
|
+processes.
|
|
|
|
|
|
How to extend Parsing?
|
|
diff --git a/src/werkzeug/formparser.py b/src/werkzeug/formparser.py
|
|
index 10d58ca..bebb2fc 100644
|
|
--- a/src/werkzeug/formparser.py
|
|
+++ b/src/werkzeug/formparser.py
|
|
@@ -179,6 +179,8 @@ class FormDataParser:
|
|
:param cls: an optional dict class to use. If this is not specified
|
|
or `None` the default :class:`MultiDict` is used.
|
|
:param silent: If set to False parsing errors will not be caught.
|
|
+ :param max_form_parts: The maximum number of parts to be parsed. If this is
|
|
+ exceeded, a :exc:`~exceptions.RequestEntityTooLarge` exception is raised.
|
|
"""
|
|
|
|
def __init__(
|
|
@@ -190,6 +192,8 @@ class FormDataParser:
|
|
max_content_length: t.Optional[int] = None,
|
|
cls: t.Optional[t.Type[MultiDict]] = None,
|
|
silent: bool = True,
|
|
+ *,
|
|
+ max_form_parts: t.Optional[int] = None,
|
|
) -> None:
|
|
if stream_factory is None:
|
|
stream_factory = default_stream_factory
|
|
@@ -199,6 +203,7 @@ class FormDataParser:
|
|
self.errors = errors
|
|
self.max_form_memory_size = max_form_memory_size
|
|
self.max_content_length = max_content_length
|
|
+ self.max_form_parts = max_form_parts
|
|
|
|
if cls is None:
|
|
cls = MultiDict
|
|
@@ -281,6 +286,7 @@ class FormDataParser:
|
|
self.errors,
|
|
max_form_memory_size=self.max_form_memory_size,
|
|
cls=self.cls,
|
|
+ max_form_parts=self.max_form_parts,
|
|
)
|
|
boundary = options.get("boundary", "").encode("ascii")
|
|
|
|
@@ -346,10 +352,12 @@ class MultiPartParser:
|
|
max_form_memory_size: t.Optional[int] = None,
|
|
cls: t.Optional[t.Type[MultiDict]] = None,
|
|
buffer_size: int = 64 * 1024,
|
|
+ max_form_parts: t.Optional[int] = None,
|
|
) -> None:
|
|
self.charset = charset
|
|
self.errors = errors
|
|
self.max_form_memory_size = max_form_memory_size
|
|
+ self.max_form_parts = max_form_parts
|
|
|
|
if stream_factory is None:
|
|
stream_factory = default_stream_factory
|
|
@@ -409,7 +417,9 @@ class MultiPartParser:
|
|
[None],
|
|
)
|
|
|
|
- parser = MultipartDecoder(boundary, self.max_form_memory_size)
|
|
+ parser = MultipartDecoder(
|
|
+ boundary, self.max_form_memory_size, max_parts=self.max_form_parts
|
|
+ )
|
|
|
|
fields = []
|
|
files = []
|
|
diff --git a/src/werkzeug/sansio/multipart.py b/src/werkzeug/sansio/multipart.py
|
|
index 2d54422..e7d742b 100644
|
|
--- a/src/werkzeug/sansio/multipart.py
|
|
+++ b/src/werkzeug/sansio/multipart.py
|
|
@@ -83,10 +83,13 @@ class MultipartDecoder:
|
|
self,
|
|
boundary: bytes,
|
|
max_form_memory_size: Optional[int] = None,
|
|
+ *,
|
|
+ max_parts: Optional[int] = None,
|
|
) -> None:
|
|
self.buffer = bytearray()
|
|
self.complete = False
|
|
self.max_form_memory_size = max_form_memory_size
|
|
+ self.max_parts = max_parts
|
|
self.state = State.PREAMBLE
|
|
self.boundary = boundary
|
|
|
|
@@ -113,6 +116,7 @@ class MultipartDecoder:
|
|
% (LINE_BREAK, re.escape(boundary), LINE_BREAK, LINE_BREAK),
|
|
re.MULTILINE,
|
|
)
|
|
+ self._parts_decoded = 0
|
|
|
|
def last_newline(self) -> int:
|
|
try:
|
|
@@ -177,6 +181,10 @@ class MultipartDecoder:
|
|
name=name,
|
|
)
|
|
self.state = State.DATA
|
|
+ self._parts_decoded += 1
|
|
+
|
|
+ if self.max_parts is not None and self._parts_decoded > self.max_parts:
|
|
+ raise RequestEntityTooLarge()
|
|
|
|
elif self.state == State.DATA:
|
|
if self.buffer.find(b"--" + self.boundary) == -1:
|
|
diff --git a/src/werkzeug/wrappers/request.py b/src/werkzeug/wrappers/request.py
|
|
index 57b739c..a6d5429 100644
|
|
--- a/src/werkzeug/wrappers/request.py
|
|
+++ b/src/werkzeug/wrappers/request.py
|
|
@@ -83,6 +83,13 @@ class Request(_SansIORequest):
|
|
#: .. versionadded:: 0.5
|
|
max_form_memory_size: t.Optional[int] = None
|
|
|
|
+ #: The maximum number of multipart parts to parse, passed to
|
|
+ #: :attr:`form_data_parser_class`. Parsing form data with more than this
|
|
+ #: many parts will raise :exc:`~.RequestEntityTooLarge`.
|
|
+ #:
|
|
+ #: .. versionadded:: 2.2.3
|
|
+ max_form_parts = 1000
|
|
+
|
|
#: The form data parser that should be used. Can be replaced to customize
|
|
#: the form date parsing.
|
|
form_data_parser_class: t.Type[FormDataParser] = FormDataParser
|
|
@@ -246,6 +253,7 @@ class Request(_SansIORequest):
|
|
self.max_form_memory_size,
|
|
self.max_content_length,
|
|
self.parameter_storage_class,
|
|
+ max_form_parts=self.max_form_parts,
|
|
)
|
|
|
|
def _load_form_data(self) -> None:
|
|
diff --git a/tests/test_formparser.py b/tests/test_formparser.py
|
|
index 5fc803e..834324f 100644
|
|
--- a/tests/test_formparser.py
|
|
+++ b/tests/test_formparser.py
|
|
@@ -127,6 +127,15 @@ class TestFormParser:
|
|
req.max_form_memory_size = 400
|
|
assert req.form["foo"] == "Hello World"
|
|
|
|
+ req = Request.from_values(
|
|
+ input_stream=io.BytesIO(data),
|
|
+ content_length=len(data),
|
|
+ content_type="multipart/form-data; boundary=foo",
|
|
+ method="POST",
|
|
+ )
|
|
+ req.max_form_parts = 1
|
|
+ pytest.raises(RequestEntityTooLarge, lambda: req.form["foo"])
|
|
+
|
|
def test_missing_multipart_boundary(self):
|
|
data = (
|
|
b"--foo\r\nContent-Disposition: form-field; name=foo\r\n\r\n"
|
|
--
|
|
2.40.0
|