!26 [sync] PR-23: Fix CVE-2024-49768

From: @openeuler-sync-bot Reviewed-by: @cherry530 Signed-off-by: @cherry530
2024-10-30 07:02:59 +00:00 · 2024-10-30 07:02:59 +00:00 · 0716df1e62
commit 0716df1e62
parent 55b620f973 57ca6654bc
2 changed files with 230 additions and 1 deletions
--- a/CVE-2024-49768.patch
+++ b/CVE-2024-49768.patch
@ -0,0 +1,225 @@
 From 6943dcf556610ece2ff3cddb39e59a05ef110661 Mon Sep 17 00:00:00 2001
 From: Delta Regeer <bertjw@regeer.org>
 Date: Sat, 26 Oct 2024 22:10:36 -0600
 Subject: [PATCH 1/4] Make DummySock() look more like an actual socket
 Fix CVE-2024-49768.
 ---
 docs/arguments.rst      | 14 ++++++
 src/waitress/channel.py | 11 ++++-
 tests/test_channel.py   | 98 +++++++++++++++++++++++++++++++++++++----
 3 files changed, 114 insertions(+), 9 deletions(-)
 diff --git a/docs/arguments.rst b/docs/arguments.rst
 index f9b9310..20fdfd0 100644
 --- a/docs/arguments.rst
 +++ b/docs/arguments.rst
@@ -301,3 +301,17 @@ url_prefix
     be stripped of the prefix.
     Default: ``''``
 +
 +channel_request_lookahead
 +    Sets the amount of requests we can continue to read from the socket, while
 +    we are processing current requests. The default value won't allow any
 +    lookahead, increase it above ``0`` to enable.
 +
 +    When enabled this inserts a callable ``waitress.client_disconnected`` into
 +    the environment that allows the task to check if the client disconnected
 +    while waiting for the response at strategic points in the execution and to
 +    cancel the operation.
 +
 +    Default: ``0``
 +
 +    .. versionadded:: 2.0.0
 \ No newline at end of file
 diff --git a/src/waitress/channel.py b/src/waitress/channel.py
 index 296a16a..20d0bb1 100644
 --- a/src/waitress/channel.py
 +++ b/src/waitress/channel.py
@@ -139,7 +139,7 @@ class HTTPChannel(wasyncore.dispatcher):
         # 1. We're not already about to close the connection.
         # 2. We're not waiting to flush remaining data before closing the
         #    connection
 -        # 3. There are not too many tasks already queued
 +        # 3. There are not too many tasks already queued (if lookahead is enabled)
         # 4. There's no data in the output buffer that needs to be sent
         #    before we potentially create a new task.
@@ -194,6 +194,15 @@ class HTTPChannel(wasyncore.dispatcher):
             return False
         with self.requests_lock:
 +            # Don't bother processing anymore data if this connection is about
 +            # to close. This may happen if readable() returned True, on the
 +            # main thread before the service thread set the close_when_flushed
 +            # flag, and we read data but our service thread is attempting to
 +            # shut down the connection due to an error. We want to make sure we
 +            # do this while holding the request_lock so that we can't race
 +            if self.will_close or self.close_when_flushed:
 +                return False
 +
             while data:
                 if self.request is None:
                     self.request = self.parser_class(self.adj)
 diff --git a/tests/test_channel.py b/tests/test_channel.py
 index d86dbbe..bfe083a 100644
 --- a/tests/test_channel.py
 +++ b/tests/test_channel.py
@@ -18,7 +18,7 @@ class TestHTTPChannel(unittest.TestCase):
         map = {}
         inst = self._makeOne(sock, "127.0.0.1", adj, map=map)
         inst.outbuf_lock = DummyLock()
 -        return inst, sock, map
 +        return inst, sock.local(), map
     def test_ctor(self):
         inst, _, map = self._makeOneWithMap()
@@ -303,7 +303,7 @@ class TestHTTPChannel(unittest.TestCase):
         inst.total_outbufs_len = len(inst.outbufs[0])
         inst.adj.send_bytes = 1
         inst.adj.outbuf_high_watermark = 2
 -        sock.send = lambda x: False
 +        sock.remote.send = lambda x: False
         inst.will_close = False
         inst.last_activity = 0
         result = inst.handle_write()
@@ -327,7 +327,7 @@ class TestHTTPChannel(unittest.TestCase):
     def test__flush_some_full_outbuf_socket_returns_zero(self):
         inst, sock, map = self._makeOneWithMap()
 -        sock.send = lambda x: False
 +        sock.remote.send = lambda x: False
         inst.outbufs[0].append(b"abc")
         inst.total_outbufs_len = sum(len(x) for x in inst.outbufs)
         result = inst._flush_some()
@@ -732,11 +732,12 @@ class TestHTTPChannelLookahead(TestHTTPChannel):
         )
         return [body]
 -    def _make_app_with_lookahead(self):
 +    def _make_app_with_lookahead(self, recv_bytes=8192):
         """
         Setup a channel with lookahead and store it and the socket in self
         """
         adj = DummyAdjustments()
 +        adj.recv_bytes = recv_bytes
         adj.channel_request_lookahead = 5
         channel, sock, map = self._makeOneWithMap(adj=adj)
         channel.server.application = self.app_check_disconnect
@@ -828,13 +829,65 @@ class TestHTTPChannelLookahead(TestHTTPChannel):
         self.assertEqual(data.split("\r\n")[-1], "finished")
         self.assertEqual(self.request_body, b"x")
 +    def test_lookahead_bad_request_drop_extra_data(self):
 +        """
 +        Send two requests, the first one being bad, split on the recv_bytes
 +        limit, then emulate a race that could happen whereby we read data from
 +        the socket while the service thread is cleaning up due to an error
 +        processing the request.
 +        """
 +
 +        invalid_request = [
 +            "GET / HTTP/1.1",
 +            "Host: localhost:8080",
 +            "Content-length: -1",
 +            "",
 +        ]
 +
 +        invalid_request_len = len("".join([x + "\r\n" for x in invalid_request]))
 +
 +        second_request = [
 +            "POST / HTTP/1.1",
 +            "Host: localhost:8080",
 +            "Content-Length: 1",
 +            "",
 +            "x",
 +        ]
 +
 +        full_request = invalid_request + second_request
 +
 +        self._make_app_with_lookahead(recv_bytes=invalid_request_len)
 +        self._send(*full_request)
 +        self.channel.handle_read()
 +        self.assertEqual(len(self.channel.requests), 1)
 +        self.channel.server.tasks[0].service()
 +        self.assertTrue(self.channel.close_when_flushed)
 +        # Read all of the next request
 +        self.channel.handle_read()
 +        self.channel.handle_read()
 +        # Validate that there is no more data to be read
 +        self.assertEqual(self.sock.remote.local_sent, b"")
 +        # Validate that we dropped the data from the second read, and did not
 +        # create a new request
 +        self.assertEqual(len(self.channel.requests), 0)
 +        data = self.sock.recv(256).decode("ascii")
 +        self.assertFalse(self.channel.readable())
 +        self.assertTrue(self.channel.writable())
 +
 +        # Handle the write, which will close the socket
 +        self.channel.handle_write()
 +        self.assertTrue(self.sock.closed)
 +
 +        data = self.sock.recv(256)
 +        self.assertEqual(len(data), 0)
 class DummySock:
     blocking = False
     closed = False
     def __init__(self):
 -        self.sent = b""
 +        self.local_sent = b""
 +        self.remote_sent = b""
     def setblocking(self, *arg):
         self.blocking = True
@@ -852,14 +905,43 @@ class DummySock:
         self.closed = True
     def send(self, data):
 -        self.sent += data
 +        self.remote_sent += data
         return len(data)
     def recv(self, buffer_size):
 -        result = self.sent[:buffer_size]
 -        self.sent = self.sent[buffer_size:]
 +        result = self.local_sent[:buffer_size]
 +        self.local_sent = self.local_sent[buffer_size:]
         return result
 +    def local(self):
 +        outer = self
 +
 +        class LocalDummySock:
 +            def send(self, data):
 +                outer.local_sent += data
 +                return len(data)
 +
 +            def recv(self, buffer_size):
 +                result = outer.remote_sent[:buffer_size]
 +                outer.remote_sent = outer.remote_sent[buffer_size:]
 +                return result
 +
 +            def close(self):
 +                outer.closed = True
 +
 +            @property
 +            def sent(self):
 +                return outer.remote_sent
 +
 +            @property
 +            def closed(self):
 +                return outer.closed
 +
 +            @property
 +            def remote(self):
 +                return outer
 +
 +        return LocalDummySock()
 class DummyLock:
     notified = False
 -- 
 2.27.0
--- a/python-waitress.spec
+++ b/python-waitress.spec
@ -2,12 +2,13 @@
 Name:           python-waitress
 Version:        2.0.0
-Release:        3
+Release:        4
 Summary:        A WSGI server for Python 2 and 3
 License:        ZPLv2.1
 URL:            https://github.com/Pylons/waitress
 Source0:        https://github.com/Pylons/waitress/archive/v%{version}/waitress-%{version}.tar.gz
 Patch0:		cve-2022-24761.diff
 Patch1:		CVE-2024-49768.patch
 BuildArch:      noarch
 %description
@ -45,6 +46,9 @@ on PyPy 1.6.0+ on UNIX. It supports HTTP/1.0 and HTTP/1.1.
 %{python3_sitelib}/*
 %changelog
 * Tue Oct 29 2024 liningjie <liningjie@xfusion.com> - 2.0.0-4
 - Fix CVE-2024-49768
 * Mon Apr 18 2022 Shinwell_Hu <micromotive@qq.com> - 2.0.0-3
 - Backport from 2.1.1 to fix CVE-2022-24761