From 6943dcf556610ece2ff3cddb39e59a05ef110661 Mon Sep 17 00:00:00 2001
From: Delta Regeer <bertjw@regeer.org>
Date: Sat, 26 Oct 2024 22:10:36 -0600
Subject: [PATCH 1/4] Make DummySock() look more like an actual socket

Fix CVE-2024-49768.
---
 docs/arguments.rst      | 14 ++++++
 src/waitress/channel.py | 11 ++++-
 tests/test_channel.py   | 98 +++++++++++++++++++++++++++++++++++++----
 3 files changed, 114 insertions(+), 9 deletions(-)

diff --git a/docs/arguments.rst b/docs/arguments.rst
index f9b9310..20fdfd0 100644
--- a/docs/arguments.rst
+++ b/docs/arguments.rst
@@ -301,3 +301,17 @@ url_prefix
     be stripped of the prefix.
 
     Default: ``''``
+
+channel_request_lookahead
+    Sets the amount of requests we can continue to read from the socket, while
+    we are processing current requests. The default value won't allow any
+    lookahead, increase it above ``0`` to enable.
+
+    When enabled this inserts a callable ``waitress.client_disconnected`` into
+    the environment that allows the task to check if the client disconnected
+    while waiting for the response at strategic points in the execution and to
+    cancel the operation.
+
+    Default: ``0``
+
+    .. versionadded:: 2.0.0
\ No newline at end of file
diff --git a/src/waitress/channel.py b/src/waitress/channel.py
index 296a16a..20d0bb1 100644
--- a/src/waitress/channel.py
+++ b/src/waitress/channel.py
@@ -139,7 +139,7 @@ class HTTPChannel(wasyncore.dispatcher):
         # 1. We're not already about to close the connection.
         # 2. We're not waiting to flush remaining data before closing the
         #    connection
-        # 3. There are not too many tasks already queued
+        # 3. There are not too many tasks already queued (if lookahead is enabled)
         # 4. There's no data in the output buffer that needs to be sent
         #    before we potentially create a new task.
 
@@ -194,6 +194,15 @@ class HTTPChannel(wasyncore.dispatcher):
             return False
 
         with self.requests_lock:
+            # Don't bother processing anymore data if this connection is about
+            # to close. This may happen if readable() returned True, on the
+            # main thread before the service thread set the close_when_flushed
+            # flag, and we read data but our service thread is attempting to
+            # shut down the connection due to an error. We want to make sure we
+            # do this while holding the request_lock so that we can't race
+            if self.will_close or self.close_when_flushed:
+                return False
+
             while data:
                 if self.request is None:
                     self.request = self.parser_class(self.adj)
diff --git a/tests/test_channel.py b/tests/test_channel.py
index d86dbbe..bfe083a 100644
--- a/tests/test_channel.py
+++ b/tests/test_channel.py
@@ -18,7 +18,7 @@ class TestHTTPChannel(unittest.TestCase):
         map = {}
         inst = self._makeOne(sock, "127.0.0.1", adj, map=map)
         inst.outbuf_lock = DummyLock()
-        return inst, sock, map
+        return inst, sock.local(), map
 
     def test_ctor(self):
         inst, _, map = self._makeOneWithMap()
@@ -303,7 +303,7 @@ class TestHTTPChannel(unittest.TestCase):
         inst.total_outbufs_len = len(inst.outbufs[0])
         inst.adj.send_bytes = 1
         inst.adj.outbuf_high_watermark = 2
-        sock.send = lambda x: False
+        sock.remote.send = lambda x: False
         inst.will_close = False
         inst.last_activity = 0
         result = inst.handle_write()
@@ -327,7 +327,7 @@ class TestHTTPChannel(unittest.TestCase):
 
     def test__flush_some_full_outbuf_socket_returns_zero(self):
         inst, sock, map = self._makeOneWithMap()
-        sock.send = lambda x: False
+        sock.remote.send = lambda x: False
         inst.outbufs[0].append(b"abc")
         inst.total_outbufs_len = sum(len(x) for x in inst.outbufs)
         result = inst._flush_some()
@@ -732,11 +732,12 @@ class TestHTTPChannelLookahead(TestHTTPChannel):
         )
         return [body]
 
-    def _make_app_with_lookahead(self):
+    def _make_app_with_lookahead(self, recv_bytes=8192):
         """
         Setup a channel with lookahead and store it and the socket in self
         """
         adj = DummyAdjustments()
+        adj.recv_bytes = recv_bytes
         adj.channel_request_lookahead = 5
         channel, sock, map = self._makeOneWithMap(adj=adj)
         channel.server.application = self.app_check_disconnect
@@ -828,13 +829,65 @@ class TestHTTPChannelLookahead(TestHTTPChannel):
         self.assertEqual(data.split("\r\n")[-1], "finished")
         self.assertEqual(self.request_body, b"x")
 
+    def test_lookahead_bad_request_drop_extra_data(self):
+        """
+        Send two requests, the first one being bad, split on the recv_bytes
+        limit, then emulate a race that could happen whereby we read data from
+        the socket while the service thread is cleaning up due to an error
+        processing the request.
+        """
+
+        invalid_request = [
+            "GET / HTTP/1.1",
+            "Host: localhost:8080",
+            "Content-length: -1",
+            "",
+        ]
+
+        invalid_request_len = len("".join([x + "\r\n" for x in invalid_request]))
+
+        second_request = [
+            "POST / HTTP/1.1",
+            "Host: localhost:8080",
+            "Content-Length: 1",
+            "",
+            "x",
+        ]
+
+        full_request = invalid_request + second_request
+
+        self._make_app_with_lookahead(recv_bytes=invalid_request_len)
+        self._send(*full_request)
+        self.channel.handle_read()
+        self.assertEqual(len(self.channel.requests), 1)
+        self.channel.server.tasks[0].service()
+        self.assertTrue(self.channel.close_when_flushed)
+        # Read all of the next request
+        self.channel.handle_read()
+        self.channel.handle_read()
+        # Validate that there is no more data to be read
+        self.assertEqual(self.sock.remote.local_sent, b"")
+        # Validate that we dropped the data from the second read, and did not
+        # create a new request
+        self.assertEqual(len(self.channel.requests), 0)
+        data = self.sock.recv(256).decode("ascii")
+        self.assertFalse(self.channel.readable())
+        self.assertTrue(self.channel.writable())
+
+        # Handle the write, which will close the socket
+        self.channel.handle_write()
+        self.assertTrue(self.sock.closed)
+
+        data = self.sock.recv(256)
+        self.assertEqual(len(data), 0)
 
 class DummySock:
     blocking = False
     closed = False
 
     def __init__(self):
-        self.sent = b""
+        self.local_sent = b""
+        self.remote_sent = b""
 
     def setblocking(self, *arg):
         self.blocking = True
@@ -852,14 +905,43 @@ class DummySock:
         self.closed = True
 
     def send(self, data):
-        self.sent += data
+        self.remote_sent += data
         return len(data)
 
     def recv(self, buffer_size):
-        result = self.sent[:buffer_size]
-        self.sent = self.sent[buffer_size:]
+        result = self.local_sent[:buffer_size]
+        self.local_sent = self.local_sent[buffer_size:]
         return result
 
+    def local(self):
+        outer = self
+
+        class LocalDummySock:
+            def send(self, data):
+                outer.local_sent += data
+                return len(data)
+
+            def recv(self, buffer_size):
+                result = outer.remote_sent[:buffer_size]
+                outer.remote_sent = outer.remote_sent[buffer_size:]
+                return result
+
+            def close(self):
+                outer.closed = True
+
+            @property
+            def sent(self):
+                return outer.remote_sent
+
+            @property
+            def closed(self):
+                return outer.closed
+
+            @property
+            def remote(self):
+                return outer
+
+        return LocalDummySock()
 
 class DummyLock:
     notified = False
-- 
2.27.0