| Message ID | 20250916125600.1274823-1-soumya.sambu@windriver.com |
|---|---|
| State | New |
| Headers | show |
| Series | [meta-python,kirkstone,1/1] python3-twisted: Fix CVE-2024-41810 | expand |
On Tue, 2025-09-16 at 18:26 +0530, Soumya via lists.openembedded.org wrote: > From: Soumya Sambu <soumya.sambu@windriver.com> > > Twisted is an event-based framework for internet applications, > supporting Python 3.6+. > The `twisted.web.util.redirectTo` function contains an HTML injection > vulnerability. > If application code allows an attacker to control the redirect URL > this vulnerability > may result in Reflected Cross-Site Scripting (XSS) in the redirect > response HTML body. > This vulnerability is fixed in 24.7.0rc1. This CVE is applicable to scarthgap too. Can you send a patch for that branch as well please? Thanks, Anuj > > Reference: > https://nvd.nist.gov/vuln/detail/CVE-2024-41810 > > Upstream patch: > https://github.com/twisted/twisted/commit/046a164f89a0f08d3239ecebd750360f8914df33 > > Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> > --- > .../python3-twisted/CVE-2024-41810.patch | 109 > ++++++++++++++++++ > .../python/python3-twisted_22.2.0.bb | 3 +- > 2 files changed, 111 insertions(+), 1 deletion(-) > create mode 100644 meta-python/recipes-devtools/python/python3- > twisted/CVE-2024-41810.patch > > diff --git a/meta-python/recipes-devtools/python/python3-twisted/CVE- > 2024-41810.patch b/meta-python/recipes-devtools/python/python3- > twisted/CVE-2024-41810.patch > new file mode 100644 > index 0000000000..c0842304dc > --- /dev/null > +++ b/meta-python/recipes-devtools/python/python3-twisted/CVE-2024- > 41810.patch > @@ -0,0 +1,109 @@ > +From 046a164f89a0f08d3239ecebd750360f8914df33 Mon Sep 17 00:00:00 > 2001 > +From: Adi Roiban <adiroiban@gmail.com> > +Date: Mon Jul 29 14:28:03 2024 +0100 > +Subject: [PATCH] Merge commit from fork > + > +Added HTML output encoding the "URL" parameter of the "redirectTo" > function > + > +CVE: CVE-2024-41810 > + > +Upstream-Status: Backport > [https://github.com/twisted/twisted/commit/046a164f89a0f08d3239ecebd7 > 50360f8914df33] > + > +Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> > +--- > + src/twisted/web/_template_util.py | 2 +- > + src/twisted/web/newsfragments/12263.bugfix | 1 + > + src/twisted/web/newsfragments/9839.bugfix | 1 + > + src/twisted/web/test/test_util.py | 39 > +++++++++++++++++++++- > + 4 files changed, 41 insertions(+), 2 deletions(-) > + create mode 100644 src/twisted/web/newsfragments/12263.bugfix > + create mode 100644 src/twisted/web/newsfragments/9839.bugfix > + > +diff --git a/src/twisted/web/_template_util.py > b/src/twisted/web/_template_util.py > +index bd081bd..3fb56e5 100644 > +--- a/src/twisted/web/_template_util.py > ++++ b/src/twisted/web/_template_util.py > +@@ -92,7 +92,7 @@ def redirectTo(URL: bytes, request: IRequest) -> > bytes: > + </body> > + </html> > + """ % { > +- b"url": URL > ++ b"url": escape(URL.decode("utf-8")).encode("utf-8") > + } > + return content > + > +diff --git a/src/twisted/web/newsfragments/12263.bugfix > b/src/twisted/web/newsfragments/12263.bugfix > +new file mode 100644 > +index 0000000..b3982ca > +--- /dev/null > ++++ b/src/twisted/web/newsfragments/12263.bugfix > +@@ -0,0 +1 @@ > ++twisted.web.util.redirectTo now HTML-escapes the provided URL in > the fallback response body it returns (GHSA-cf56-g6w6-pqq2). The > issue is being tracked with CVE-2024-41810. > +\ No newline at end of file > +diff --git a/src/twisted/web/newsfragments/9839.bugfix > b/src/twisted/web/newsfragments/9839.bugfix > +new file mode 100644 > +index 0000000..1e2e7f7 > +--- /dev/null > ++++ b/src/twisted/web/newsfragments/9839.bugfix > +@@ -0,0 +1 @@ > ++twisted.web.util.redirectTo now HTML-escapes the provided URL in > the fallback response body it returns (GHSA-cf56-g6w6-pqq2, CVE-2024- > 41810). > +diff --git a/src/twisted/web/test/test_util.py > b/src/twisted/web/test/test_util.py > +index 996b0d0..87282ce 100644 > +--- a/src/twisted/web/test/test_util.py > ++++ b/src/twisted/web/test/test_util.py > +@@ -5,7 +5,6 @@ > + Tests for L{twisted.web.util}. > + """ > + > +- > + import gc > + > + from twisted.internet import defer > +@@ -64,6 +63,44 @@ class RedirectToTests(TestCase): > + targetURL = "http://target.example.com/4321" > + self.assertRaises(TypeError, redirectTo, targetURL, > request) > + > ++ def test_legitimateRedirect(self): > ++ """ > ++ Legitimate URLs are fully interpolated in the `redirectTo` > response body without transformation > ++ """ > ++ request = DummyRequest([b""]) > ++ html = redirectTo(b"https://twisted.org/", request) > ++ expected = b""" > ++<html> > ++ <head> > ++ <meta http-equiv=\"refresh\" > content=\"0;URL=https://twisted.org/\"> > ++ </head> > ++ <body bgcolor=\"#FFFFFF\" text=\"#000000\"> > ++ <a href=\"https://twisted.org/\">click here</a> > ++ </body> > ++</html> > ++""" > ++ self.assertEqual(html, expected) > ++ > ++ def test_maliciousRedirect(self): > ++ """ > ++ Malicious URLs are HTML-escaped before interpolating them > in the `redirectTo` response body > ++ """ > ++ request = DummyRequest([b""]) > ++ html = redirectTo( > ++ > b'https://twisted.org/"><script>alert(document.location)</script>', > request > ++ ) > ++ expected = b""" > ++<html> > ++ <head> > ++ <meta http-equiv=\"refresh\" > content=\"0;URL=https://twisted.org/"><script>alert(doc > ument.location)</script>\"> > ++ </head> > ++ <body bgcolor=\"#FFFFFF\" text=\"#000000\"> > ++ <a > href=\"https://twisted.org/"><script>alert(document.loc > ation)</script>\">click here</a> > ++ </body> > ++</html> > ++""" > ++ self.assertEqual(html, expected) > ++ > + > + class ParentRedirectTests(SynchronousTestCase): > + """ > +-- > +2.40.0 > + > diff --git a/meta-python/recipes-devtools/python/python3- > twisted_22.2.0.bb b/meta-python/recipes-devtools/python/python3- > twisted_22.2.0.bb > index da83f0123a..ef602890ea 100644 > --- a/meta-python/recipes-devtools/python/python3-twisted_22.2.0.bb > +++ b/meta-python/recipes-devtools/python/python3-twisted_22.2.0.bb > @@ -12,7 +12,8 @@ SRC_URI[sha256sum] = > "57f32b1f6838facb8c004c89467840367ad38e9e535f8252091345dba5 > PYPI_PACKAGE = "Twisted" > > SRC_URI += "file://CVE-2024-41671-0001.patch \ > - file://CVE-2024-41671-0002.patch" > + file://CVE-2024-41671-0002.patch \ > + file://CVE-2024-41810.patch" > > inherit pypi python_setuptools_build_meta > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#119466): > https://lists.openembedded.org/g/openembedded-devel/message/119466 > Mute This Topic: https://lists.openembedded.org/mt/115272024/3616702 > Group Owner: openembedded-devel+owner@lists.openembedded.org > Unsubscribe: > https://lists.openembedded.org/g/openembedded-devel/unsub [ > anuj.mittal@intel.com] > -=-=-=-=-=-=-=-=-=-=-=-
@Mittal, Anuj<mailto:anuj.mittal@intel.com> Thanks for pointing this out. While CVE-2024-41810 was previously addressed in CVE-2024-41671-0001.patch<https://git.openembedded.org/meta-openembedded/tree/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41671-0001.patch?h=scarthgap> for the scarthgap branch, I've now submitted<https://lists.openembedded.org/g/openembedded-devel/topic/meta_python_scarthgap_patch/115390026> a dedicated patch to improve traceability. Regards, Soumya
diff --git a/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41810.patch b/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41810.patch new file mode 100644 index 0000000000..c0842304dc --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41810.patch @@ -0,0 +1,109 @@ +From 046a164f89a0f08d3239ecebd750360f8914df33 Mon Sep 17 00:00:00 2001 +From: Adi Roiban <adiroiban@gmail.com> +Date: Mon Jul 29 14:28:03 2024 +0100 +Subject: [PATCH] Merge commit from fork + +Added HTML output encoding the "URL" parameter of the "redirectTo" function + +CVE: CVE-2024-41810 + +Upstream-Status: Backport [https://github.com/twisted/twisted/commit/046a164f89a0f08d3239ecebd750360f8914df33] + +Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> +--- + src/twisted/web/_template_util.py | 2 +- + src/twisted/web/newsfragments/12263.bugfix | 1 + + src/twisted/web/newsfragments/9839.bugfix | 1 + + src/twisted/web/test/test_util.py | 39 +++++++++++++++++++++- + 4 files changed, 41 insertions(+), 2 deletions(-) + create mode 100644 src/twisted/web/newsfragments/12263.bugfix + create mode 100644 src/twisted/web/newsfragments/9839.bugfix + +diff --git a/src/twisted/web/_template_util.py b/src/twisted/web/_template_util.py +index bd081bd..3fb56e5 100644 +--- a/src/twisted/web/_template_util.py ++++ b/src/twisted/web/_template_util.py +@@ -92,7 +92,7 @@ def redirectTo(URL: bytes, request: IRequest) -> bytes: + </body> + </html> + """ % { +- b"url": URL ++ b"url": escape(URL.decode("utf-8")).encode("utf-8") + } + return content + +diff --git a/src/twisted/web/newsfragments/12263.bugfix b/src/twisted/web/newsfragments/12263.bugfix +new file mode 100644 +index 0000000..b3982ca +--- /dev/null ++++ b/src/twisted/web/newsfragments/12263.bugfix +@@ -0,0 +1 @@ ++twisted.web.util.redirectTo now HTML-escapes the provided URL in the fallback response body it returns (GHSA-cf56-g6w6-pqq2). The issue is being tracked with CVE-2024-41810. +\ No newline at end of file +diff --git a/src/twisted/web/newsfragments/9839.bugfix b/src/twisted/web/newsfragments/9839.bugfix +new file mode 100644 +index 0000000..1e2e7f7 +--- /dev/null ++++ b/src/twisted/web/newsfragments/9839.bugfix +@@ -0,0 +1 @@ ++twisted.web.util.redirectTo now HTML-escapes the provided URL in the fallback response body it returns (GHSA-cf56-g6w6-pqq2, CVE-2024-41810). +diff --git a/src/twisted/web/test/test_util.py b/src/twisted/web/test/test_util.py +index 996b0d0..87282ce 100644 +--- a/src/twisted/web/test/test_util.py ++++ b/src/twisted/web/test/test_util.py +@@ -5,7 +5,6 @@ + Tests for L{twisted.web.util}. + """ + +- + import gc + + from twisted.internet import defer +@@ -64,6 +63,44 @@ class RedirectToTests(TestCase): + targetURL = "http://target.example.com/4321" + self.assertRaises(TypeError, redirectTo, targetURL, request) + ++ def test_legitimateRedirect(self): ++ """ ++ Legitimate URLs are fully interpolated in the `redirectTo` response body without transformation ++ """ ++ request = DummyRequest([b""]) ++ html = redirectTo(b"https://twisted.org/", request) ++ expected = b""" ++<html> ++ <head> ++ <meta http-equiv=\"refresh\" content=\"0;URL=https://twisted.org/\"> ++ </head> ++ <body bgcolor=\"#FFFFFF\" text=\"#000000\"> ++ <a href=\"https://twisted.org/\">click here</a> ++ </body> ++</html> ++""" ++ self.assertEqual(html, expected) ++ ++ def test_maliciousRedirect(self): ++ """ ++ Malicious URLs are HTML-escaped before interpolating them in the `redirectTo` response body ++ """ ++ request = DummyRequest([b""]) ++ html = redirectTo( ++ b'https://twisted.org/"><script>alert(document.location)</script>', request ++ ) ++ expected = b""" ++<html> ++ <head> ++ <meta http-equiv=\"refresh\" content=\"0;URL=https://twisted.org/"><script>alert(document.location)</script>\"> ++ </head> ++ <body bgcolor=\"#FFFFFF\" text=\"#000000\"> ++ <a href=\"https://twisted.org/"><script>alert(document.location)</script>\">click here</a> ++ </body> ++</html> ++""" ++ self.assertEqual(html, expected) ++ + + class ParentRedirectTests(SynchronousTestCase): + """ +-- +2.40.0 + diff --git a/meta-python/recipes-devtools/python/python3-twisted_22.2.0.bb b/meta-python/recipes-devtools/python/python3-twisted_22.2.0.bb index da83f0123a..ef602890ea 100644 --- a/meta-python/recipes-devtools/python/python3-twisted_22.2.0.bb +++ b/meta-python/recipes-devtools/python/python3-twisted_22.2.0.bb @@ -12,7 +12,8 @@ SRC_URI[sha256sum] = "57f32b1f6838facb8c004c89467840367ad38e9e535f8252091345dba5 PYPI_PACKAGE = "Twisted" SRC_URI += "file://CVE-2024-41671-0001.patch \ - file://CVE-2024-41671-0002.patch" + file://CVE-2024-41671-0002.patch \ + file://CVE-2024-41810.patch" inherit pypi python_setuptools_build_meta