!44 [sync] PR-43: Fix CVE-2024-52804

From: @openeuler-sync-bot 
Reviewed-by: @lyn1001 
Signed-off-by: @lyn1001

CVE-2023-28370.patch

@@ -0,0 +1,35 @@
+From 32ad07c54e607839273b4e1819c347f5c8976b2f Mon Sep 17 00:00:00 2001
+From: Ben Darnell <ben@bendarnell.com>
+Date: Sat, 13 May 2023 20:58:52 -0400
+Subject: [PATCH] web: Fix an open redirect in StaticFileHandler
+
+Under some configurations the default_filename redirect could be exploited
+to redirect to an attacker-controlled site. This change refuses to redirect
+to URLs that could be misinterpreted.
+
+A test case for the specific vulnerable configuration will follow after the
+patch has been available.
+---
+ tornado/web.py | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/tornado/web.py b/tornado/web.py
+index 3b676e3c2..565140493 100644
+--- a/tornado/web.py
++++ b/tornado/web.py
+@@ -2879,6 +2879,15 @@ def validate_absolute_path(self, root: str, absolute_path: str) -> Optional[str]
+             # but there is some prefix to the path that was already
+             # trimmed by the routing
+             if not self.request.path.endswith("/"):
++                if self.request.path.startswith("//"):
++                    # A redirect with two initial slashes is a "protocol-relative" URL.
++                    # This means the next path segment is treated as a hostname instead
++                    # of a part of the path, making this effectively an open redirect.
++                    # Reject paths starting with two slashes to prevent this.
++                    # This is only reachable under certain configurations.
++                    raise HTTPError(
++                        403, "cannot redirect path with two initial slashes"
++                    )
+                 self.redirect(self.request.path + "/", permanent=True)
+                 return None
+             absolute_path = os.path.join(absolute_path, self.default_filename)

CVE-2024-52804.patch

@@ -0,0 +1,138 @@
+From d5ba4a1695fbf7c6a3e54313262639b198291533 Mon Sep 17 00:00:00 2001
+From: Ben Darnell <ben@bendarnell.com>
+Date: Thu, 21 Nov 2024 14:48:05 -0500
+Subject: [PATCH] httputil: Fix quadratic performance of cookie parsing
+
+Maliciously-crafted cookies can cause Tornado to
+spend an unreasonable amount of CPU time and block
+the event loop.
+
+This change replaces the quadratic algorithm with
+a more efficient one. The implementation is copied
+from the Python 3.13 standard library (the
+previous one was from Python 3.5).
+
+Fixes CVE-2024-52804
+See CVE-2024-7592 for a similar vulnerability in cpython.
+
+Thanks to github.com/kexinoh for the report.
+---
+ tornado/httputil.py           | 38 ++++++++---------------------
+ tornado/test/httputil_test.py | 46 +++++++++++++++++++++++++++++++++++
+ 2 files changed, 56 insertions(+), 28 deletions(-)
+
+diff --git a/tornado/httputil.py b/tornado/httputil.py
+index 9ce992d82b..ebdc8059c1 100644
+--- a/tornado/httputil.py
++++ b/tornado/httputil.py
+@@ -1057,15 +1057,20 @@ def qs_to_qsl(qs: Dict[str, List[AnyStr]]) -> Iterable[Tuple[str, AnyStr]]:
+             yield (k, v)
+ 
+ 
+-_OctalPatt = re.compile(r"\\[0-3][0-7][0-7]")
+-_QuotePatt = re.compile(r"[\\].")
+-_nulljoin = "".join
++_unquote_sub = re.compile(r"\\(?:([0-3][0-7][0-7])|(.))").sub
++
++
++def _unquote_replace(m: re.Match) -> str:
++    if m[1]:
++        return chr(int(m[1], 8))
++    else:
++        return m[2]
+ 
+ 
+ def _unquote_cookie(s: str) -> str:
+     """Handle double quotes and escaping in cookie values.
+ 
+-    This method is copied verbatim from the Python 3.5 standard
++    This method is copied verbatim from the Python 3.13 standard
+     library (http.cookies._unquote) so we don't have to depend on
+     non-public interfaces.
+     """
+@@ -1086,30 +1091,7 @@ def _unquote_cookie(s: str) -> str:
+     #    \012 --> \n
+     #    \"   --> "
+     #
+-    i = 0
+-    n = len(s)
+-    res = []
+-    while 0 <= i < n:
+-        o_match = _OctalPatt.search(s, i)
+-        q_match = _QuotePatt.search(s, i)
+-        if not o_match and not q_match:  # Neither matched
+-            res.append(s[i:])
+-            break
+-        # else:
+-        j = k = -1
+-        if o_match:
+-            j = o_match.start(0)
+-        if q_match:
+-            k = q_match.start(0)
+-        if q_match and (not o_match or k < j):  # QuotePatt matched
+-            res.append(s[i:k])
+-            res.append(s[k + 1])
+-            i = k + 2
+-        else:  # OctalPatt matched
+-            res.append(s[i:j])
+-            res.append(chr(int(s[j + 1 : j + 4], 8)))
+-            i = j + 4
+-    return _nulljoin(res)
++    return _unquote_sub(_unquote_replace, s)
+ 
+ 
+ def parse_cookie(cookie: str) -> Dict[str, str]:
+diff --git a/tornado/test/httputil_test.py b/tornado/test/httputil_test.py
+index 6d618839e0..975900aa9c 100644
+--- a/tornado/test/httputil_test.py
++++ b/tornado/test/httputil_test.py
+@@ -560,3 +560,49 @@ def test_invalid_cookies(self):
+         self.assertEqual(
+             parse_cookie("  =  b  ;  ;  =  ;   c  =  ;  "), {"": "b", "c": ""}
+         )
++
++    def test_unquote(self):
++        # Copied from
++        # https://github.com/python/cpython/blob/dc7a2b6522ec7af41282bc34f405bee9b306d611/Lib/test/test_http_cookies.py#L62
++        cases = [
++            (r'a="b=\""', 'b="'),
++            (r'a="b=\\"', "b=\\"),
++            (r'a="b=\="', "b=="),
++            (r'a="b=\n"', "b=n"),
++            (r'a="b=\042"', 'b="'),
++            (r'a="b=\134"', "b=\\"),
++            (r'a="b=\377"', "b=\xff"),
++            (r'a="b=\400"', "b=400"),
++            (r'a="b=\42"', "b=42"),
++            (r'a="b=\\042"', "b=\\042"),
++            (r'a="b=\\134"', "b=\\134"),
++            (r'a="b=\\\""', 'b=\\"'),
++            (r'a="b=\\\042"', 'b=\\"'),
++            (r'a="b=\134\""', 'b=\\"'),
++            (r'a="b=\134\042"', 'b=\\"'),
++        ]
++        for encoded, decoded in cases:
++            with self.subTest(encoded):
++                c = parse_cookie(encoded)
++                self.assertEqual(c["a"], decoded)
++
++    def test_unquote_large(self):
++        # Adapted from
++        # https://github.com/python/cpython/blob/dc7a2b6522ec7af41282bc34f405bee9b306d611/Lib/test/test_http_cookies.py#L87
++        # Modified from that test because we handle semicolons differently from the stdlib.
++        #
++        # This is a performance regression test: prior to improvements in Tornado 6.4.2, this test
++        # would take over a minute with n= 100k. Now it runs in tens of milliseconds.
++        n = 100000
++        for encoded in r"\\", r"\134":
++            with self.subTest(encoded):
++                start = time.time()
++                data = 'a="b=' + encoded * n + '"'
++                value = parse_cookie(data)["a"]
++                end = time.time()
++                self.assertEqual(value[:3], "b=\\")
++                self.assertEqual(value[-3:], "\\\\\\")
++                self.assertEqual(len(value), n + 2)
++
++                # Very loose performance check to avoid false positives
++                self.assertLess(end - start, 1, "Test took too long")

fix-erroneous-deprecation-warnings.patch

@@ -1,13 +0,0 @@
-diff --git a/tornado/test/runtests.py b/tornado/test/runtests.py
-index d5bd769..e4f938d 100644
---- a/tornado/test/runtests.py
-+++ b/tornado/test/runtests.py
-@@ -137,6 +137,8 @@ def main():
-     # 2.7 and 3.2
-     warnings.filterwarnings("ignore", category=DeprecationWarning,
-                             message="Please use assert.* instead")
-+    warnings.filterwarnings("ignore", category=PendingDeprecationWarning,
-+                            message="Please use assert.* instead")
-     # Twisted 15.0.0 triggers some warnings on py3 with -bb.
-     warnings.filterwarnings("ignore", category=BytesWarning,
-                             module=r"twisted\..*")

python-tornado.spec

@@ -1,65 +1,93 @@
-Name:             python-tornado
-Version:          5.0.2
-Release:          5
-Summary:          a Python web framework and asynchronous networking library
-License:          ASL 2.0
-URL:              http://www.tornadoweb.org
-Source0:          https://files.pythonhosted.org/packages/source/t/tornado/tornado-%{version}.tar.gz
-Patch0:           fix-erroneous-deprecation-warnings.patch
-
-BuildRequires:    gcc python2-devel python2-singledispatch python3-devel
+%global _empty_manifest_terminate_build 0
+Name:		python-tornado
+Version:	6.1
+Release:	3
+Summary:	Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.
+License:	ASL 2.0
+URL:		http://www.tornadoweb.org/
+Source0:	https://files.pythonhosted.org/packages/cf/44/cc9590db23758ee7906d40cacff06c02a21c2a6166602e095a56cbf2f6f6/tornado-6.1.tar.gz
+Patch0:         CVE-2023-28370.patch
+Patch1:         CVE-2024-52804.patch
 
 %description
-Tornado is a Python web framework and asynchronous networking library, originally
-developed at FriendFeed. By using non-blocking network I/O, Tornado can scale to
-tens of thousands of open connections, making it ideal for long polling, WebSockets,
-and other applications that require a long-lived connection to each user.
-
-%package -n python2-tornado
-Summary:          a Python web framework and asynchronous networking library
-Requires:         python2-pycurl python2-backports_abc python2-singledispatch python2-futures
-
-%description -n python2-tornado
-Tornado is a Python web framework and asynchronous networking library, originally
-developed at FriendFeed. By using non-blocking network I/O, Tornado can scale to
-tens of thousands of open connections, making it ideal for long polling, WebSockets,
-and other applications that require a long-lived connection to each user.
+Tornado is an open source version of the scalable, non-blocking web server and tools.
 
 %package -n python3-tornado
-Summary:          a Python web framework and asynchronous networking library
-Requires:         python3-pycurl
+Summary:	Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.
+Provides:	python-tornado
+BuildRequires:	python3-devel
+BuildRequires:	python3-setuptools
+BuildRequires:	python3-cffi
+BuildRequires:  python3-pycurl
+BuildRequires:	gcc
+BuildRequires:	gdb
 
 %description -n python3-tornado
-Tornado is a Python web framework and asynchronous networking library, originally
-developed at FriendFeed. By using non-blocking network I/O, Tornado can scale to
-tens of thousands of open connections, making it ideal for long polling, WebSockets,
-and other applications that require a long-lived connection to each user.
+Tornado is an open source version of the scalable, non-blocking web server and tools.
+
+%package help
+Summary:	Development documents and examples for tornado
+Provides:	python3-tornado-doc
+
+%description help
+Tornado is an open source version of the scalable, non-blocking web server and tools.
 
 %prep
 %autosetup -n tornado-%{version} -p1
-%{__sed} -i.orig -e '/^#!\//, 1d' *py tornado/*.py tornado/*/*.py
 
 %build
-%py2_build
 %py3_build
 
 %install
-%py2_install
 %py3_install
+install -d -m755 %{buildroot}/%{_pkgdocdir}
+if [ -d doc ]; then cp -arf doc %{buildroot}/%{_pkgdocdir}; fi
+if [ -d docs ]; then cp -arf docs %{buildroot}/%{_pkgdocdir}; fi
+if [ -d example ]; then cp -arf example %{buildroot}/%{_pkgdocdir}; fi
+if [ -d examples ]; then cp -arf examples %{buildroot}/%{_pkgdocdir}; fi
+pushd %{buildroot}
+if [ -d usr/lib ]; then
+	find usr/lib -type f -printf "/%h/%f\n" >> filelist.lst
+fi
+if [ -d usr/lib64 ]; then
+	find usr/lib64 -type f -printf "/%h/%f\n" >> filelist.lst
+fi
+if [ -d usr/bin ]; then
+	find usr/bin -type f -printf "/%h/%f\n" >> filelist.lst
+fi
+if [ -d usr/sbin ]; then
+	find usr/sbin -type f -printf "/%h/%f\n" >> filelist.lst
+fi
+touch doclist.lst
+if [ -d usr/share/man ]; then
+	find usr/share/man -type f -printf "/%h/%f.gz\n" >> doclist.lst
+fi
+popd
+mv %{buildroot}/filelist.lst .
+mv %{buildroot}/doclist.lst .
 
-%files -n python2-tornado
-%defattr(-,root,root)
-%license LICENSE
-%doc README.rst
-%{python2_sitearch}/*
 
-%files -n python3-tornado
-%defattr(-,root,root)
-%license LICENSE
-%doc README.rst
-%{python3_sitearch}/*
+%files -n python3-tornado -f filelist.lst
+%dir %{python3_sitearch}/*
+
+%files help -f doclist.lst
+%{_docdir}/*
 
 %changelog
+* Tue Nov 26 2024 liyajie <liyajie15@h-partners.com> - 6.1-3
+- Fix CVE-2024-52804
+
+* Fri Jun 16 2023 yaoxin <yao_xin001@hoperun.com> - 6.1-2
+- Fix CVE-2023-28370
+
+* Thu Jul 08 2021 yaozc701 <yaozc7@foxmail.com> - 6.1-1
+- Upgrade version to 6.1
+
+* Mon May 31 2021 huanghaitao <huanghaitao8@huawei.com> - 5.0.2-7
+- Completing build dependencies
+
+* Fri Sep 11 2020 zhangjiapeng <zhangjiapeng9@huawei.com> - 5.0.2-6
+- Remove python2-tornado subpackage
+
 * Tue Dec 10 2019 openEuler Buildteam <buildteam@openeuler.org> - 5.0.2-5
 - Package init
-

python-tornado.yaml

@@ -1,4 +0,0 @@
-version_control: github
-src_repo: tornadoweb/tornado
-tag_prefix: ^v
-seperator: .