new file mode 100644
@@ -0,0 +1,132 @@
+From 832a878c9c324ad23dde6cf16520b7768c1a8c5c Mon Sep 17 00:00:00 2001
+From: Tom Most <twm@freecog.net>
+Date: Sat, 5 Mar 2022 23:26:55 -0800
+Subject: [PATCH] Some tests for GHSA-c2jg-hw38-jrqq
+
+Upstream-Status: Backport [https://github.com/twisted/twisted/commit/22b067793cbcd0fb5dee04cfd9115fa85a7ca110]
+CVE: CVE-2022-24801
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/twisted/web/test/test_http.py | 102 ++++++++++++++++++++++++++++++
+ 1 file changed, 102 insertions(+)
+
+diff --git a/src/twisted/web/test/test_http.py b/src/twisted/web/test/test_http.py
+index 86c85d2..0549ed0 100644
+--- a/src/twisted/web/test/test_http.py
++++ b/src/twisted/web/test/test_http.py
+@@ -1843,6 +1843,56 @@ class ParsingTests(unittest.TestCase):
+ [b"t \ta \tb"],
+ )
+
++ def test_headerStripWhitespace(self):
++ """
++ Leading and trailing space and tab characters are stripped from
++ headers. Other forms of whitespace are preserved.
++
++ See RFC 7230 section 3.2.3 and 3.2.4.
++ """
++ processed = []
++
++ class MyRequest(http.Request):
++ def process(self):
++ processed.append(self)
++ self.finish()
++
++ requestLines = [
++ b"GET / HTTP/1.0",
++ b"spaces: spaces were stripped ",
++ b"tabs: \t\ttabs were stripped\t\t",
++ b"spaces-and-tabs: \t \t spaces and tabs were stripped\t \t",
++ b"line-tab: \v vertical tab was preserved\v\t",
++ b"form-feed: \f form feed was preserved \f ",
++ b"",
++ b"",
++ ]
++
++ self.runRequest(b"\n".join(requestLines), MyRequest, 0)
++ [request] = processed
++ # All leading and trailing whitespace is stripped from the
++ # header-value.
++ self.assertEqual(
++ request.requestHeaders.getRawHeaders(b"spaces"),
++ [b"spaces were stripped"],
++ )
++ self.assertEqual(
++ request.requestHeaders.getRawHeaders(b"tabs"),
++ [b"tabs were stripped"],
++ )
++ self.assertEqual(
++ request.requestHeaders.getRawHeaders(b"spaces-and-tabs"),
++ [b"spaces and tabs were stripped"],
++ )
++ self.assertEqual(
++ request.requestHeaders.getRawHeaders(b"line-tab"),
++ [b"\v vertical tab was preserved\v"],
++ )
++ self.assertEqual(
++ request.requestHeaders.getRawHeaders(b"form-feed"),
++ [b"\f form feed was preserved \f"],
++ )
++
+ def test_tooManyHeaders(self):
+ """
+ C{HTTPChannel} enforces a limit of C{HTTPChannel.maxHeaders} on the
+@@ -2407,6 +2457,58 @@ Hello,
+ ]
+ )
+
++ def test_contentLengthMalformed(self):
++ """
++ A request with a non-integer C{Content-Length} header fails with a 400
++ response without calling L{Request.process}.
++ """
++ self.assertRequestRejected(
++ [
++ b"GET /a HTTP/1.1",
++ b"Content-Length: MORE THAN NINE THOUSAND!",
++ b"Host: host.invalid",
++ b"",
++ b"",
++ b"x" * 9001,
++ ]
++ )
++
++ def test_contentLengthTooPositive(self):
++ """
++ A request with a C{Content-Length} header that begins with a L{+} fails
++ with a 400 response without calling L{Request.process}.
++
++ This is a potential request smuggling vector: see GHSA-c2jg-hw38-jrqq.
++ """
++ self.assertRequestRejected(
++ [
++ b"GET /a HTTP/1.1",
++ b"Content-Length: +100",
++ b"Host: host.invalid",
++ b"",
++ b"",
++ b"x" * 100,
++ ]
++ )
++
++ def test_contentLengthNegative(self):
++ """
++ A request with a C{Content-Length} header that is negative fails with
++ a 400 response without calling L{Request.process}.
++
++ This is a potential request smuggling vector: see GHSA-c2jg-hw38-jrqq.
++ """
++ self.assertRequestRejected(
++ [
++ b"GET /a HTTP/1.1",
++ b"Content-Length: -100",
++ b"Host: host.invalid",
++ b"",
++ b"",
++ b"x" * 200,
++ ]
++ )
++
+ def test_duplicateContentLengthsWithPipelinedRequests(self):
+ """
+ Two pipelined requests, the first of which includes multiple
new file mode 100644
@@ -0,0 +1,63 @@
+From 232c32ca0ecc3f9d263e2184253a839ce99b4f31 Mon Sep 17 00:00:00 2001
+From: Tom Most <twm@freecog.net>
+Date: Mon, 7 Mar 2022 00:02:55 -0800
+Subject: [PATCH] Replace obs-fold with a single space
+
+Upstream-Status: Backport [https://github.com/twisted/twisted/commit/79ee8c564ca0d4c2910c8859e0a6014d2dc40005]
+CVE: CVE-2022-24801
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/twisted/web/http.py | 2 +-
+ src/twisted/web/test/test_http.py | 13 +++++++++----
+ 2 files changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/src/twisted/web/http.py b/src/twisted/web/http.py
+index b99480f..5491953 100644
+--- a/src/twisted/web/http.py
++++ b/src/twisted/web/http.py
+@@ -2246,7 +2246,7 @@ class HTTPChannel(basic.LineReceiver, policies.TimeoutMixin):
+ self.setRawMode()
+ elif line[0] in b" \t":
+ # Continuation of a multi line header.
+- self.__header = self.__header + b"\n" + line
++ self.__header += b" " + line.lstrip(b" \t")
+ # Regular header line.
+ # Processing of header line is delayed to allow accumulating multi
+ # line headers.
+diff --git a/src/twisted/web/test/test_http.py b/src/twisted/web/test/test_http.py
+index 0549ed0..8a7adc0 100644
+--- a/src/twisted/web/test/test_http.py
++++ b/src/twisted/web/test/test_http.py
+@@ -1795,7 +1795,12 @@ class ParsingTests(unittest.TestCase):
+ Line folded headers are handled by L{HTTPChannel} by replacing each
+ fold with a single space by the time they are made available to the
+ L{Request}. Any leading whitespace in the folded lines of the header
+- value is preserved.
++ value is replaced with a single space, per:
++
++ A server that receives an obs-fold in a request message ... MUST
++ ... replace each received obs-fold with one or more SP octets prior
++ to interpreting the field value or forwarding the message
++ downstream.
+
+ See RFC 7230 section 3.2.4.
+ """
+@@ -1832,15 +1837,15 @@ class ParsingTests(unittest.TestCase):
+ )
+ self.assertEqual(
+ request.requestHeaders.getRawHeaders(b"space"),
+- [b"space space"],
++ [b"space space"],
+ )
+ self.assertEqual(
+ request.requestHeaders.getRawHeaders(b"spaces"),
+- [b"spaces spaces spaces"],
++ [b"spaces spaces spaces"],
+ )
+ self.assertEqual(
+ request.requestHeaders.getRawHeaders(b"tab"),
+- [b"t \ta \tb"],
++ [b"t a b"],
+ )
+
+ def test_headerStripWhitespace(self):
new file mode 100644
@@ -0,0 +1,25 @@
+From 5897923d523b357f93eb844e386bcc52c5490cdc Mon Sep 17 00:00:00 2001
+From: Tom Most <twm@freecog.net>
+Date: Mon, 7 Mar 2022 00:03:50 -0800
+Subject: [PATCH] Strip only spaces and tabs from header values
+
+Upstream-Status: Backport [https://github.com/twisted/twisted/commit/c3a4e1d015740c1d87a3ec7d57570257e75b0062]
+CVE: CVE-2022-24801
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/twisted/web/http.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/twisted/web/http.py b/src/twisted/web/http.py
+index 5491953..262da0b 100644
+--- a/src/twisted/web/http.py
++++ b/src/twisted/web/http.py
+@@ -2327,7 +2327,7 @@ class HTTPChannel(basic.LineReceiver, policies.TimeoutMixin):
+ return False
+
+ header = header.lower()
+- data = data.strip()
++ data = data.strip(b" \t")
+
+ if not self._maybeChooseTransferDecoder(header, data):
+ return False
new file mode 100644
@@ -0,0 +1,25 @@
+From c6838374d0e323b78877ae546e1471c400e4652d Mon Sep 17 00:00:00 2001
+From: Tom Most <twm@freecog.net>
+Date: Mon, 7 Mar 2022 00:32:14 -0800
+Subject: [PATCH] Reject non-digit Content-Length
+
+Upstream-Status: Backport [https://github.com/twisted/twisted/commit/8ebfa8f6577431226e109ff98ba48f5152a2c416]
+CVE: CVE-2022-24801
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/twisted/web/http.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/twisted/web/http.py b/src/twisted/web/http.py
+index 262da0b..5316d81 100644
+--- a/src/twisted/web/http.py
++++ b/src/twisted/web/http.py
+@@ -2274,6 +2274,8 @@ class HTTPChannel(basic.LineReceiver, policies.TimeoutMixin):
+
+ # Can this header determine the length?
+ if header == b"content-length":
++ if not data.isdigit():
++ return fail()
+ try:
+ length = int(data)
+ except ValueError:
new file mode 100644
@@ -0,0 +1,71 @@
+From 8859df3b77eabf99a9b40c5e595bccaae4539ae0 Mon Sep 17 00:00:00 2001
+From: Tom Most <twm@freecog.net>
+Date: Sun, 13 Mar 2022 23:19:39 -0700
+Subject: [PATCH] Test for malformed chunk size and extensions
+
+Upstream-Status: Backport [https://github.com/twisted/twisted/commit/f22d0d9c889822adb7eaf84b42a20ff5f7c4d421]
+CVE: CVE-2022-24801
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/twisted/web/test/test_http.py | 34 +++++++++++++++++++++++++++++++
+ 1 file changed, 34 insertions(+)
+
+diff --git a/src/twisted/web/test/test_http.py b/src/twisted/web/test/test_http.py
+index 8a7adc0..e686aeb 100644
+--- a/src/twisted/web/test/test_http.py
++++ b/src/twisted/web/test/test_http.py
+@@ -1371,6 +1371,22 @@ class ChunkedTransferEncodingTests(unittest.TestCase):
+ p.dataReceived(b"3; x-foo=bar\r\nabc\r\n")
+ self.assertEqual(L, [b"abc"])
+
++ def test_extensionsMalformed(self):
++ """
++ L{_ChunkedTransferDecoder.dataReceived} raises
++ L{_MalformedChunkedDataError} when the chunk extension fields contain
++ invalid characters.
++
++ This is a potential request smuggling vector: see GHSA-c2jg-hw38-jrqq.
++ """
++ for b in [*range(0, 0x09), *range(0x10, 0x21), *range(0x74, 0x80)]:
++ data = b"3; " + bytes((b,)) + b"\r\nabc\r\n"
++ p = http._ChunkedTransferDecoder(
++ lambda b: None, # pragma: nocov
++ lambda b: None, # pragma: nocov
++ )
++ self.assertRaises(http._MalformedChunkedDataError, p.dataReceived, data)
++
+ def test_oversizedChunkSizeLine(self):
+ """
+ L{_ChunkedTransferDecoder.dataReceived} raises
+@@ -1426,6 +1442,22 @@ class ChunkedTransferEncodingTests(unittest.TestCase):
+ http._MalformedChunkedDataError, p.dataReceived, b"-3\r\nabc\r\n"
+ )
+
++ def test_malformedChunkSizeHex(self):
++ """
++ L{_ChunkedTransferDecoder.dataReceived} raises
++ L{_MalformedChunkedDataError} when the chunk size is prefixed with
++ "0x", as if it were a Python integer literal.
++
++ This is a potential request smuggling vector: see GHSA-c2jg-hw38-jrqq.
++ """
++ p = http._ChunkedTransferDecoder(
++ lambda b: None, # pragma: nocov
++ lambda b: None, # pragma: nocov
++ )
++ self.assertRaises(
++ http._MalformedChunkedDataError, p.dataReceived, b"0x3\r\nabc\r\n"
++ )
++
+ def test_malformedChunkEnd(self):
+ r"""
+ L{_ChunkedTransferDecoder.dataReceived} raises
+@@ -1538,6 +1570,8 @@ class ChunkingTests(unittest.TestCase, ResponseTestMixin):
+ chunked = b"".join(http.toChunk(s))
+ self.assertEqual((s, b""), http.fromChunk(chunked))
+ self.assertRaises(ValueError, http.fromChunk, b"-5\r\nmalformed!\r\n")
++ self.assertRaises(ValueError, http.fromChunk, b"0xa\r\nmalformed!\r\n")
++ self.assertRaises(ValueError, http.fromChunk, b"0XA\r\nmalformed!\r\n")
+
+ def testConcatenatedChunks(self):
+ chunked = b"".join([b"".join(http.toChunk(t)) for t in self.strings])
new file mode 100644
@@ -0,0 +1,129 @@
+From e33f7fc231845487f969a9c0fbf7956226ac8dfa Mon Sep 17 00:00:00 2001
+From: Tom Most <twm@freecog.net>
+Date: Sun, 13 Mar 2022 23:51:52 -0700
+Subject: [PATCH] Reject malformed chunk sizes
+
+Upstream-Status: Backport [https://github.com/twisted/twisted/commit/0275152f147506c82868ff1dabd9bf655ab67946]
+CVE: CVE-2022-24801
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/twisted/web/http.py | 35 +++++++++++++++++++++++----
+ src/twisted/web/test/test_http.py | 40 +++++++++++++++++++++++++++++++
+ 2 files changed, 71 insertions(+), 4 deletions(-)
+
+diff --git a/src/twisted/web/http.py b/src/twisted/web/http.py
+index 5316d81..940ff9f 100644
+--- a/src/twisted/web/http.py
++++ b/src/twisted/web/http.py
+@@ -108,7 +108,7 @@ import tempfile
+ import time
+ import warnings
+ from io import BytesIO
+-from typing import AnyStr, Callable, Optional
++from typing import AnyStr, Callable, Optional, Tuple
+ from urllib.parse import (
+ ParseResultBytes,
+ unquote_to_bytes as unquote,
+@@ -410,7 +410,33 @@ def toChunk(data):
+ return (networkString(f"{len(data):x}"), b"\r\n", data, b"\r\n")
+
+
+-def fromChunk(data):
++def _ishexdigits(b: bytes) -> bool:
++ """
++ Is the string case-insensitively hexidecimal?
++
++ It must be composed of one or more characters in the ranges a-f, A-F
++ and 0-9.
++ """
++ for c in b:
++ if c not in b'0123456789abcdefABCDEF':
++ return False
++ return bool(b)
++
++
++def _hexint(b: bytes) -> int:
++ """
++ Decode a hexadecimal integer.
++
++ Unlike L{int(b, 16)}, this raises L{ValueError} when the integer has
++ a prefix like C{b'0x'}, C{b'+'}, or C{b'-'}, which is desirable when
++ parsing network protocols.
++ """
++ if not _ishexdigits(b):
++ raise ValueError(b)
++ return int(b, 16)
++
++
++def fromChunk(data: bytes) -> Tuple[bytes, bytes]:
+ """
+ Convert chunk to string.
+
+@@ -422,7 +448,7 @@ def fromChunk(data):
+ byte string.
+ """
+ prefix, rest = data.split(b"\r\n", 1)
+- length = int(prefix, 16)
++ length = _hexint(prefix)
+ if length < 0:
+ raise ValueError("Chunk length must be >= 0, not %d" % (length,))
+ if rest[length : length + 2] != b"\r\n":
+@@ -1883,8 +1909,9 @@ class _ChunkedTransferDecoder:
+ endOfLengthIndex = self._buffer.find(b";", 0, eolIndex)
+ if endOfLengthIndex == -1:
+ endOfLengthIndex = eolIndex
++ rawLength = self._buffer[0:endOfLengthIndex]
+ try:
+- length = int(self._buffer[0:endOfLengthIndex], 16)
++ length = _hexint(rawLength)
+ except ValueError:
+ raise _MalformedChunkedDataError("Chunk-size must be an integer.")
+
+diff --git a/src/twisted/web/test/test_http.py b/src/twisted/web/test/test_http.py
+index e686aeb..201991f 100644
+--- a/src/twisted/web/test/test_http.py
++++ b/src/twisted/web/test/test_http.py
+@@ -4472,3 +4472,43 @@ class HTTPClientSanitizationTests(unittest.SynchronousTestCase):
+ transport.value().splitlines(),
+ [b": ".join([sanitizedBytes, sanitizedBytes])],
+ )
++
++
++class HexHelperTests(unittest.SynchronousTestCase):
++ """
++ Test the L{http._hexint} and L{http._ishexdigits} helper functions.
++ """
++
++ badStrings = (b"", b"0x1234", b"feds", b"-123" b"+123")
++
++ def test_isHex(self):
++ """
++ L{_ishexdigits()} returns L{True} for nonempy bytestrings containing
++ hexadecimal digits.
++ """
++ for s in (b"10", b"abcdef", b"AB1234", b"fed", b"123467890"):
++ self.assertIs(True, http._ishexdigits(s))
++
++ def test_decodes(self):
++ """
++ L{_hexint()} returns the integer equivalent of the input.
++ """
++ self.assertEqual(10, http._hexint(b"a"))
++ self.assertEqual(0x10, http._hexint(b"10"))
++ self.assertEqual(0xABCD123, http._hexint(b"abCD123"))
++
++ def test_isNotHex(self):
++ """
++ L{_ishexdigits()} returns L{False} for bytestrings that don't contain
++ hexadecimal digits, including the empty string.
++ """
++ for s in self.badStrings:
++ self.assertIs(False, http._ishexdigits(s))
++
++ def test_decodeNotHex(self):
++ """
++ L{_hexint()} raises L{ValueError} for bytestrings that can't
++ be decoded.
++ """
++ for s in self.badStrings:
++ self.assertRaises(ValueError, http._hexint, s)
new file mode 100644
@@ -0,0 +1,27 @@
+From a2fd35cf03bd3a847fd47a6f1a812e359c2dafda Mon Sep 17 00:00:00 2001
+From: Tom Most <twm@freecog.net>
+Date: Sun, 13 Mar 2022 23:57:23 -0700
+Subject: [PATCH] Remove unreachable branch
+
+Upstream-Status: Backport [https://github.com/twisted/twisted/commit/696bfeaf5a1fa7ff952f860c89e2bdcfacef7d7a]
+CVE: CVE-2022-24801
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/twisted/web/http.py | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/src/twisted/web/http.py b/src/twisted/web/http.py
+index 940ff9f..ea77f57 100644
+--- a/src/twisted/web/http.py
++++ b/src/twisted/web/http.py
+@@ -1915,9 +1915,7 @@ class _ChunkedTransferDecoder:
+ except ValueError:
+ raise _MalformedChunkedDataError("Chunk-size must be an integer.")
+
+- if length < 0:
+- raise _MalformedChunkedDataError("Chunk-size must not be negative.")
+- elif length == 0:
++ if length == 0:
+ self.state = "TRAILER"
+ else:
+ self.state = "BODY"
new file mode 100644
@@ -0,0 +1,108 @@
+From 29b4c6ab9a917200a37d6fca1243a7f57caba922 Mon Sep 17 00:00:00 2001
+From: Tom Most <twm@freecog.net>
+Date: Sun, 27 Mar 2022 22:17:30 -0700
+Subject: [PATCH] Correct chunk extension byte validation
+
+Go back to the RFC to figure out the correct allowed ranges.
+
+Upstream-Status: Backport [https://github.com/twisted/twisted/commit/fa9caa54d63399b4ccdfbf0429ba1b504ccc7c89]
+CVE: CVE-2022-24801
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/twisted/web/http.py | 49 ++++++++++++++++++++++++++++++-
+ src/twisted/web/test/test_http.py | 8 ++++-
+ 2 files changed, 55 insertions(+), 2 deletions(-)
+
+diff --git a/src/twisted/web/http.py b/src/twisted/web/http.py
+index ea77f57..81df437 100644
+--- a/src/twisted/web/http.py
++++ b/src/twisted/web/http.py
+@@ -418,7 +418,7 @@ def _ishexdigits(b: bytes) -> bool:
+ and 0-9.
+ """
+ for c in b:
+- if c not in b'0123456789abcdefABCDEF':
++ if c not in b"0123456789abcdefABCDEF":
+ return False
+ return bool(b)
+
+@@ -1816,6 +1816,47 @@ class _IdentityTransferDecoder:
+ maxChunkSizeLineLength = 1024
+
+
++_chunkExtChars = (
++ b"\t !\"#$%&'()*+,-./0123456789:;<=>?@"
++ b"ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`"
++ b"abcdefghijklmnopqrstuvwxyz{|}~"
++ b"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f"
++ b"\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
++ b"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf"
++ b"\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
++ b"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf"
++ b"\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
++ b"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef"
++ b"\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
++)
++"""
++Characters that are valid in a chunk extension.
++
++See RFC 7230 section 4.1.1:
++
++ chunk-ext = *( ";" chunk-ext-name [ "=" chunk-ext-val ] )
++
++ chunk-ext-name = token
++ chunk-ext-val = token / quoted-string
++
++Section 3.2.6:
++
++ token = 1*tchar
++
++ tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*"
++ / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
++ / DIGIT / ALPHA
++ ; any VCHAR, except delimiters
++
++ quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE
++ qdtext = HTAB / SP /%x21 / %x23-5B / %x5D-7E / obs-text
++ obs-text = %x80-FF
++
++We don't check if chunk extensions are well-formed beyond validating that they
++don't contain characters outside this range.
++"""
++
++
+ class _ChunkedTransferDecoder:
+ """
+ Protocol for decoding I{chunked} Transfer-Encoding, as defined by RFC 7230,
+@@ -1915,6 +1956,12 @@ class _ChunkedTransferDecoder:
+ except ValueError:
+ raise _MalformedChunkedDataError("Chunk-size must be an integer.")
+
++ ext = self._buffer[endOfLengthIndex + 1 : eolIndex]
++ if ext and ext.translate(None, _chunkExtChars) != b"":
++ raise _MalformedChunkedDataError(
++ f"Invalid characters in chunk extensions: {ext!r}."
++ )
++
+ if length == 0:
+ self.state = "TRAILER"
+ else:
+diff --git a/src/twisted/web/test/test_http.py b/src/twisted/web/test/test_http.py
+index 201991f..eccb9b0 100644
+--- a/src/twisted/web/test/test_http.py
++++ b/src/twisted/web/test/test_http.py
+@@ -1379,7 +1379,13 @@ class ChunkedTransferEncodingTests(unittest.TestCase):
+
+ This is a potential request smuggling vector: see GHSA-c2jg-hw38-jrqq.
+ """
+- for b in [*range(0, 0x09), *range(0x10, 0x21), *range(0x74, 0x80)]:
++ invalidControl = (
++ b"\x00\x01\x02\x03\x04\x05\x06\x07\x08\n\x0b\x0c\r\x0e\x0f"
++ b"\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
++ )
++ invalidDelimiter = b"\\"
++ invalidDel = b"\x7f"
++ for b in invalidControl + invalidDelimiter + invalidDel:
+ data = b"3; " + bytes((b,)) + b"\r\nabc\r\n"
+ p = http._ChunkedTransferDecoder(
+ lambda b: None, # pragma: nocov
new file mode 100644
@@ -0,0 +1,25 @@
+From 349771026e1eb80cab7a19ceb8b80aa6d1bb3184 Mon Sep 17 00:00:00 2001
+From: Tom Most <twm@freecog.net>
+Date: Fri, 1 Apr 2022 20:47:59 -0700
+Subject: [PATCH] Address review feedback
+
+Upstream-Status: Backport [https://github.com/twisted/twisted/commit/2bbd6c89110f0d44d2bb109c14d787f65bca9df8]
+CVE: CVE-2022-24801
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/twisted/web/http.py | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/twisted/web/http.py b/src/twisted/web/http.py
+index 81df437..4a2ce1d 100644
+--- a/src/twisted/web/http.py
++++ b/src/twisted/web/http.py
+@@ -420,7 +420,7 @@ def _ishexdigits(b: bytes) -> bool:
+ for c in b:
+ if c not in b"0123456789abcdefABCDEF":
+ return False
+- return bool(b)
++ return b != b""
+
+
+ def _hexint(b: bytes) -> int:
@@ -12,9 +12,19 @@ SRC_URI[sha256sum] = "57f32b1f6838facb8c004c89467840367ad38e9e535f8252091345dba5
PYPI_PACKAGE = "Twisted"
SRC_URI += "file://CVE-2024-41671-0001.patch \
- file://CVE-2024-41671-0002.patch \
- file://CVE-2024-41810.patch \
- file://CVE-2023-46137.patch"
+ file://CVE-2024-41671-0002.patch \
+ file://CVE-2024-41810.patch \
+ file://CVE-2023-46137.patch \
+ file://CVE-2022-24801-1.patch \
+ file://CVE-2022-24801-2.patch \
+ file://CVE-2022-24801-3.patch \
+ file://CVE-2022-24801-4.patch \
+ file://CVE-2022-24801-5.patch \
+ file://CVE-2022-24801-6.patch \
+ file://CVE-2022-24801-7.patch \
+ file://CVE-2022-24801-8.patch \
+ file://CVE-2022-24801-9.patch \
+ "
inherit pypi python_setuptools_build_meta
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-24801 Pick the commits from the pull request that is referenced by the NVD report. (The full set is consisting of 13 patches, but the ones that only updated news/readme/typo fixes in comments were not backported) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> --- .../python3-twisted/CVE-2022-24801-1.patch | 132 ++++++++++++++++++ .../python3-twisted/CVE-2022-24801-2.patch | 63 +++++++++ .../python3-twisted/CVE-2022-24801-3.patch | 25 ++++ .../python3-twisted/CVE-2022-24801-4.patch | 25 ++++ .../python3-twisted/CVE-2022-24801-5.patch | 71 ++++++++++ .../python3-twisted/CVE-2022-24801-6.patch | 129 +++++++++++++++++ .../python3-twisted/CVE-2022-24801-7.patch | 27 ++++ .../python3-twisted/CVE-2022-24801-8.patch | 108 ++++++++++++++ .../python3-twisted/CVE-2022-24801-9.patch | 25 ++++ .../python/python3-twisted_22.2.0.bb | 16 ++- 10 files changed, 618 insertions(+), 3 deletions(-) create mode 100644 meta-python/recipes-devtools/python/python3-twisted/CVE-2022-24801-1.patch create mode 100644 meta-python/recipes-devtools/python/python3-twisted/CVE-2022-24801-2.patch create mode 100644 meta-python/recipes-devtools/python/python3-twisted/CVE-2022-24801-3.patch create mode 100644 meta-python/recipes-devtools/python/python3-twisted/CVE-2022-24801-4.patch create mode 100644 meta-python/recipes-devtools/python/python3-twisted/CVE-2022-24801-5.patch create mode 100644 meta-python/recipes-devtools/python/python3-twisted/CVE-2022-24801-6.patch create mode 100644 meta-python/recipes-devtools/python/python3-twisted/CVE-2022-24801-7.patch create mode 100644 meta-python/recipes-devtools/python/python3-twisted/CVE-2022-24801-8.patch create mode 100644 meta-python/recipes-devtools/python/python3-twisted/CVE-2022-24801-9.patch