mirror of
https://git.yoctoproject.org/git/poky
synced 2026-01-01 13:58:04 +00:00
b9843e68be
References: https://nvd.nist.gov/vuln/detail/CVE-2025-66418 https://nvd.nist.gov/vuln/detail/CVE-2025-66471 (From OE-Core rev: d9f52c5f86bcc4716e384fe5c01c03d386d60446) Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
81 lines
2.9 KiB
Diff
81 lines
2.9 KiB
Diff
From 3bf7db860ef730e828b68264e88210190120cacf Mon Sep 17 00:00:00 2001
|
|
From: Illia Volochii <illia.volochii@gmail.com>
|
|
Date: Fri, 5 Dec 2025 16:41:33 +0200
|
|
Subject: [PATCH] Merge commit from fork
|
|
|
|
* Add a hard-coded limit for the decompression chain
|
|
|
|
* Reuse new list
|
|
|
|
CVE: CVE-2025-66418
|
|
|
|
Upstream-Status: Backport
|
|
[https://github.com/urllib3/urllib3/commit/24d7b67eac89f94e11003424bcf0d8f7b72222a8]
|
|
|
|
Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
|
|
---
|
|
changelog/GHSA-gm62-xv2j-4w53.security.rst | 4 ++++
|
|
src/urllib3/response.py | 12 +++++++++++-
|
|
test/test_response.py | 10 ++++++++++
|
|
3 files changed, 25 insertions(+), 1 deletion(-)
|
|
create mode 100644 changelog/GHSA-gm62-xv2j-4w53.security.rst
|
|
|
|
diff --git a/changelog/GHSA-gm62-xv2j-4w53.security.rst b/changelog/GHSA-gm62-xv2j-4w53.security.rst
|
|
new file mode 100644
|
|
index 00000000..6646eaa3
|
|
--- /dev/null
|
|
+++ b/changelog/GHSA-gm62-xv2j-4w53.security.rst
|
|
@@ -0,0 +1,4 @@
|
|
+Fixed a security issue where an attacker could compose an HTTP response with
|
|
+virtually unlimited links in the ``Content-Encoding`` header, potentially
|
|
+leading to a denial of service (DoS) attack by exhausting system resources
|
|
+during decoding. The number of allowed chained encodings is now limited to 5.
|
|
diff --git a/src/urllib3/response.py b/src/urllib3/response.py
|
|
index a0273d65..b8e8565c 100644
|
|
--- a/src/urllib3/response.py
|
|
+++ b/src/urllib3/response.py
|
|
@@ -194,8 +194,18 @@ class MultiDecoder(ContentDecoder):
|
|
they were applied.
|
|
"""
|
|
|
|
+ # Maximum allowed number of chained HTTP encodings in the
|
|
+ # Content-Encoding header.
|
|
+ max_decode_links = 5
|
|
+
|
|
def __init__(self, modes: str) -> None:
|
|
- self._decoders = [_get_decoder(m.strip()) for m in modes.split(",")]
|
|
+ encodings = [m.strip() for m in modes.split(",")]
|
|
+ if len(encodings) > self.max_decode_links:
|
|
+ raise DecodeError(
|
|
+ "Too many content encodings in the chain: "
|
|
+ f"{len(encodings)} > {self.max_decode_links}"
|
|
+ )
|
|
+ self._decoders = [_get_decoder(e) for e in encodings]
|
|
|
|
def flush(self) -> bytes:
|
|
return self._decoders[0].flush()
|
|
diff --git a/test/test_response.py b/test/test_response.py
|
|
index c0062771..0e8abd93 100644
|
|
--- a/test/test_response.py
|
|
+++ b/test/test_response.py
|
|
@@ -581,6 +581,16 @@ class TestResponse:
|
|
assert r.read(9 * 37) == b"foobarbaz" * 37
|
|
assert r.read() == b""
|
|
|
|
+ def test_read_multi_decoding_too_many_links(self) -> None:
|
|
+ fp = BytesIO(b"foo")
|
|
+ with pytest.raises(
|
|
+ DecodeError, match="Too many content encodings in the chain: 6 > 5"
|
|
+ ):
|
|
+ HTTPResponse(
|
|
+ fp,
|
|
+ headers={"content-encoding": "gzip, deflate, br, zstd, gzip, deflate"},
|
|
+ )
|
|
+
|
|
def test_body_blob(self) -> None:
|
|
resp = HTTPResponse(b"foo")
|
|
assert resp.data == b"foo"
|
|
--
|
|
2.34.1
|
|
|