python-waitress/0006-This-patch-is-a-backpo...

From ef0b3d7cb9f532c062052082f71174ef94d4a3e3 Mon Sep 17 00:00:00 2001
From: Renata Ravanelli <renata.ravanelli@gmail.com>
Date: Fri, 15 Sep 2023 12:41:52 -0300
Subject: [PATCH 6/6] This patch is a backport of commit bd22869

From bd22869 Mon Sep 17 00:00:00 2001
From: Bert JW Regeer <bertjw@regeer.org>
Date: Sat, 12 Mar 2022 19:16:23 -0700
Subject: [PATCH] Remove extraneous calls to .strip() in Chunked Encoding

To be valid chunked encoding we should not be removing any whitespace as
the standard does not allow for optional whitespace.

If whitespace is encountered in the wrong place, it should lead to a 400
Bad Request instead.

Backport:
  * Patch refresh - no functional change.

Signed-off-by: Renata Ravanelli <renata.ravanelli@gmail.com>
---
 src/waitress/receiver.py | 6 +-----
 tests/test_receiver.py   | 4 +++-
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/src/waitress/receiver.py b/src/waitress/receiver.py
index 9e4bffe..806ff87 100644
--- a/src/waitress/receiver.py
+++ b/src/waitress/receiver.py
@@ -135,7 +135,6 @@ class ChunkedReceiver(object):
                     line = s[:pos]
                     s = s[pos + 2 :]
                     self.control_line = b""
-                    line = line.strip()
 
                     if line:
                         # Begin a new chunk.
@@ -153,9 +152,6 @@ class ChunkedReceiver(object):
 
                             line = line[:semi]
 
-                        # Remove any whitespace
-                        line = line.strip()
-
                         if not ONLY_HEXDIG_RE.match(line):
                             self.error = BadRequest("Invalid chunk size")
                             self.all_chunks_received = True
@@ -164,7 +160,7 @@ class ChunkedReceiver(object):
 
                         # Can not fail due to matching against the regular
                         # expression above
-                        sz = int(line.strip(), 16)  # hexadecimal
+                        sz = int(line, 16)  # hexadecimal
 
                         if sz > 0:
                             # Start a new chunk.
diff --git a/tests/test_receiver.py b/tests/test_receiver.py
index 17328d4..014f785 100644
--- a/tests/test_receiver.py
+++ b/tests/test_receiver.py
@@ -262,7 +262,9 @@ class TestChunkedReceiverParametrized:
         assert result == len(data)
         assert inst.error == None
 
-    @pytest.mark.parametrize("invalid_size", [b"0x04", b"+0x04", b"x04", b"+04"])
+    @pytest.mark.parametrize(
+        "invalid_size", [b"0x04", b"+0x04", b"x04", b"+04", b" 04", b" 0x04"]
+    )
     def test_received_invalid_size(self, invalid_size):
         from waitress.utilities import BadRequest
 
-- 
2.39.2 (Apple Git-143)
Backport fix for CVE-2022-24761 Backport changes based in the fix done for RHEL 923591398b8553c7ba295dfede592671b653f946 Signed-off-by: Renata Andrade Matos Ravanelli <rravanel@redhat.com> 1 year ago			`From ef0b3d7cb9f532c062052082f71174ef94d4a3e3 Mon Sep 17 00:00:00 2001`
			`From: Renata Ravanelli <renata.ravanelli@gmail.com>`
			`Date: Fri, 15 Sep 2023 12:41:52 -0300`
			`Subject: [PATCH 6/6] This patch is a backport of commit bd22869`

			`From bd22869 Mon Sep 17 00:00:00 2001`
			`From: Bert JW Regeer <bertjw@regeer.org>`
			`Date: Sat, 12 Mar 2022 19:16:23 -0700`
			`Subject: [PATCH] Remove extraneous calls to .strip() in Chunked Encoding`

			`To be valid chunked encoding we should not be removing any whitespace as`
			`the standard does not allow for optional whitespace.`

			`If whitespace is encountered in the wrong place, it should lead to a 400`
			`Bad Request instead.`

			`Backport:`
			`* Patch refresh - no functional change.`

			`Signed-off-by: Renata Ravanelli <renata.ravanelli@gmail.com>`
			`---`
			`src/waitress/receiver.py \| 6 +-----`
			`tests/test_receiver.py \| 4 +++-`
			`2 files changed, 4 insertions(+), 6 deletions(-)`

			`diff --git a/src/waitress/receiver.py b/src/waitress/receiver.py`
			`index 9e4bffe..806ff87 100644`
			`--- a/src/waitress/receiver.py`
			`+++ b/src/waitress/receiver.py`
			`@@ -135,7 +135,6 @@ class ChunkedReceiver(object):`
			`line = s[:pos]`
			`s = s[pos + 2 :]`
			`self.control_line = b""`
			`- line = line.strip()`

			`if line:`
			`# Begin a new chunk.`
			`@@ -153,9 +152,6 @@ class ChunkedReceiver(object):`

			`line = line[:semi]`

			`- # Remove any whitespace`
			`- line = line.strip()`
			`-`
			`if not ONLY_HEXDIG_RE.match(line):`
			`self.error = BadRequest("Invalid chunk size")`
			`self.all_chunks_received = True`
			`@@ -164,7 +160,7 @@ class ChunkedReceiver(object):`

			`# Can not fail due to matching against the regular`
			`# expression above`
			`- sz = int(line.strip(), 16) # hexadecimal`
			`+ sz = int(line, 16) # hexadecimal`

			`if sz > 0:`
			`# Start a new chunk.`
			`diff --git a/tests/test_receiver.py b/tests/test_receiver.py`
			`index 17328d4..014f785 100644`
			`--- a/tests/test_receiver.py`
			`+++ b/tests/test_receiver.py`
			`@@ -262,7 +262,9 @@ class TestChunkedReceiverParametrized:`
			`assert result == len(data)`
			`assert inst.error == None`

			`- @pytest.mark.parametrize("invalid_size", [b"0x04", b"+0x04", b"x04", b"+04"])`
			`+ @pytest.mark.parametrize(`
			`+ "invalid_size", [b"0x04", b"+0x04", b"x04", b"+04", b" 04", b" 0x04"]`
			`+ )`
			`def test_received_invalid_size(self, invalid_size):`
			`from waitress.utilities import BadRequest`

			`--`
			`2.39.2 (Apple Git-143)`