Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with processing of other malformed input.
Details
These problems are rooted in pattern matching protocol elements, previously improved by PR #3235 and GHSA-gfw2-4jvh-wgfg:
The expression HTTP/(\d).(\d) lacked another backslash to clarify that the separator should be a literal dot, not just any Unicode code point (result: HTTP/(\d)\.(\d)).
The HTTP version was permitting Unicode digits, where only ASCII digits are standards-compliant.
Distinct regular expressions for validating HTTP Method and Header field names were used - though both should (at least) apply the common restrictions of rfc9110 token.
PoC
GET / HTTP/1ΓΆ1GET / HTTP/1.πGET/: HTTP/1.1Content-Encoding?: chunked
Impact
Primarily concerns running an aiohttp server without llhttp:
behind a proxy: Being more lenient than internet standards require could, depending on deployment environment, assist in request smuggling.
directly accessible or exposed behind proxies relaying malformed input: the unhandled exception could cause excessive resource consumption on the application server and/or its logging facilities.
Improperly configuring static resource resolution in aiohttp when used as a web server can result in the unauthorized reading of arbitrary files on the system.
Details
When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if a given file path is within the root directory.This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present.
i.e. An application is only vulnerable with setup code like:
app.router.add_routes([
web.static("/static", "static/", follow_symlinks=True), # Remove follow_symlinks to avoid the vulnerability
])
Impact
This is a directory traversal vulnerability with CWE ID 22. When using aiohttp as a web server and enabling static resource resolution with follow_symlinks set to True, it can lead to this vulnerability. This vulnerability has been present since the introduction of the follow_symlinks parameter.
Workaround
Even if upgrading to a patched version of aiohttp, we recommend following these steps regardless.
If using follow_symlinks=True outside of a restricted local development environment, disable the option immediately. This option is NOT needed to follow symlinks which point to a location within the static root directory, it is only intended to allow a symlink to break out of the static directory. Even with this CVE fixed, there is still a substantial risk of misconfiguration when using this option on a server that accepts requests from remote users.
Additionally, aiohttp has always recommended using a reverse proxy server (such as nginx) to handle static resources and not to use these static resources in aiohttp for production environments. Doing so also protects against this vulnerability, and is why we expect the number of affected users to be very low.
An attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further requests.
Impact
An attacker can stop the application from serving requests after sending a single request.
For anyone needing to patch older versions of aiohttp, the minimum diff needed to resolve the issue is (located in _read_chunk_from_length()):
diff --git a/aiohttp/multipart.py b/aiohttp/multipart.py
index 227be605c..71fc2654a 100644
--- a/aiohttp/multipart.py
+++ b/aiohttp/multipart.py
@​@​ -338,6 +338,8 @​@​ class BodyPartReader:
assert self._length is not None, "Content-Length required for chunked read"
chunk_size = min(size, self._length - self._read_bytes)
chunk = await self._content.read(chunk_size)
+ if self._content.at_eof():
+ self._at_eof = True
return chunk
async def _read_chunk_from_stream(self, size: int) -> bytes:
aio-libs/aiohttp (aiohttp)
### [`v3.9.4`](https://togithub.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#394-2024-04-11)
[Compare Source](https://togithub.com/aio-libs/aiohttp/compare/v3.9.3...v3.9.4)
\==================
## Bug fixes
- The asynchronous internals now set the underlying causes
when assigning exceptions to the future objects
\-- by :user:`webknjaz`.
*Related issues and pull requests on GitHub:*
:issue:`8089`.
- Treated values of `Accept-Encoding` header as case-insensitive when checking
for gzip files -- by :user:`steverep`.
*Related issues and pull requests on GitHub:*
:issue:`8104`.
- Improved the DNS resolution performance on cache hit -- by :user:`bdraco`.
This is achieved by avoiding an :mod:`asyncio` task creation in this case.
*Related issues and pull requests on GitHub:*
:issue:`8163`.
- Changed the type annotations to allow `dict` on :meth:`aiohttp.MultipartWriter.append`,
:meth:`aiohttp.MultipartWriter.append_json` and
:meth:`aiohttp.MultipartWriter.append_form` -- by :user:`cakemanny`
*Related issues and pull requests on GitHub:*
:issue:`7741`.
- Ensure websocket transport is closed when client does not close it
\-- by :user:`bdraco`.
The transport could remain open if the client did not close it. This
change ensures the transport is closed when the client does not close
it.
*Related issues and pull requests on GitHub:*
:issue:`8200`.
- Leave websocket transport open if receive times out or is cancelled
\-- by :user:`bdraco`.
This restores the behavior prior to the change in [#7978](https://togithub.com/aio-libs/aiohttp/issues/7978).
*Related issues and pull requests on GitHub:*
:issue:`8251`.
- Fixed content not being read when an upgrade request was not supported with the pure Python implementation.
\-- by :user:`bdraco`.
*Related issues and pull requests on GitHub:*
:issue:`8252`.
- Fixed a race condition with incoming connections during server shutdown -- by :user:`Dreamsorcerer`.
*Related issues and pull requests on GitHub:*
:issue:`8271`.
- Fixed `multipart/form-data` compliance with :rfc:`7578` -- by :user:`Dreamsorcerer`.
*Related issues and pull requests on GitHub:*
:issue:`8280`.
- Fixed blocking I/O in the event loop while processing files in a POST request
\-- by :user:`bdraco`.
*Related issues and pull requests on GitHub:*
:issue:`8283`.
- Escaped filenames in static view -- by :user:`bdraco`.
*Related issues and pull requests on GitHub:*
:issue:`8317`.
- Fixed the pure python parser to mark a connection as closing when a
response has no length -- by :user:`Dreamsorcerer`.
*Related issues and pull requests on GitHub:*
:issue:`8320`.
## Features
- Upgraded *llhttp* to 9.2.1, and started rejecting obsolete line folding
in Python parser to match -- by :user:`Dreamsorcerer`.
*Related issues and pull requests on GitHub:*
:issue:`8146`, :issue:`8292`.
## Deprecations (removal in next major release)
- Deprecated `content_transfer_encoding` parameter in :py:meth:`FormData.add_field() ` -- by :user:`Dreamsorcerer`.
*Related issues and pull requests on GitHub:*
:issue:`8280`.
## Improved documentation
- Added a note about canceling tasks to avoid delaying server shutdown -- by :user:`Dreamsorcerer`.
*Related issues and pull requests on GitHub:*
:issue:`8267`.
## Contributor-facing changes
- The pull request template is now asking the contributors to
answer a question about the long-term maintenance challenges
they envision as a result of merging their patches
\-- by :user:`webknjaz`.
*Related issues and pull requests on GitHub:*
:issue:`8099`.
- Updated CI and documentation to use NPM clean install and upgrade
node to version 18 -- by :user:`steverep`.
*Related issues and pull requests on GitHub:*
:issue:`8116`.
- A pytest fixture `hello_txt` was introduced to aid
static file serving tests in
:file:`test_web_sendfile_functional.py`. It dynamically
provisions `hello.txt` file variants shared across the
tests in the module.
\-- by :user:`steverep`
*Related issues and pull requests on GitHub:*
:issue:`8136`.
## Packaging updates and notes for downstreams
- Added an `internal` pytest marker for tests which should be skipped
by packagers (use `-m 'not internal'` to disable them) -- by :user:`Dreamsorcerer`.
*Related issues and pull requests on GitHub:*
:issue:`8299`.
***
### [`v3.9.3`](https://togithub.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#393-2024-01-29)
[Compare Source](https://togithub.com/aio-libs/aiohttp/compare/v3.9.2...v3.9.3)
\==================
## Bug fixes
- Fixed backwards compatibility breakage (in 3.9.2) of `ssl` parameter when set outside
of `ClientSession` (e.g. directly in `TCPConnector`) -- by :user:`Dreamsorcerer`.
*Related issues and pull requests on GitHub:*
:issue:`8097`, :issue:`8098`.
## Miscellaneous internal changes
- Improved test suite handling of paths and temp files to consistently use pathlib and pytest fixtures.
*Related issues and pull requests on GitHub:*
:issue:`3957`.
***
### [`v3.9.2`](https://togithub.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#392-2024-01-28)
[Compare Source](https://togithub.com/aio-libs/aiohttp/compare/v3.9.1...v3.9.2)
\==================
## Bug fixes
- Fixed server-side websocket connection leak.
*Related issues and pull requests on GitHub:*
:issue:`7978`.
- Fixed `web.FileResponse` doing blocking I/O in the event loop.
*Related issues and pull requests on GitHub:*
:issue:`8012`.
- Fixed double compress when compression enabled and compressed file exists in server file responses.
*Related issues and pull requests on GitHub:*
:issue:`8014`.
- Added runtime type check for `ClientSession` `timeout` parameter.
*Related issues and pull requests on GitHub:*
:issue:`8021`.
- Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon -- by :user:`pajod`.
Invalid request lines with anything but a dot between the HTTP major and minor version are now rejected.
Invalid header field names containing question mark or slash are now rejected.
Such requests are incompatible with :rfc:`9110#section-5.6.2` and are not known to be of any legitimate use.
*Related issues and pull requests on GitHub:*
:issue:`8074`.
- Improved validation of paths for static resources requests to the server -- by :user:`bdraco`.
*Related issues and pull requests on GitHub:*
:issue:`8079`.
## Features
- Added support for passing :py:data:`True` to `ssl` parameter in `ClientSession` while
deprecating :py:data:`None` -- by :user:`xiangyan99`.
*Related issues and pull requests on GitHub:*
:issue:`7698`.
## Breaking changes
- Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon -- by :user:`pajod`.
Invalid request lines with anything but a dot between the HTTP major and minor version are now rejected.
Invalid header field names containing question mark or slash are now rejected.
Such requests are incompatible with :rfc:`9110#section-5.6.2` and are not known to be of any legitimate use.
*Related issues and pull requests on GitHub:*
:issue:`8074`.
## Improved documentation
- Fixed examples of `fallback_charset_resolver` function in the :doc:`client_advanced` document. -- by :user:`henry0312`.
*Related issues and pull requests on GitHub:*
:issue:`7995`.
- The Sphinx setup was updated to avoid showing the empty
changelog draft section in the tagged release documentation
builds on Read The Docs -- by :user:`webknjaz`.
*Related issues and pull requests on GitHub:*
:issue:`8067`.
## Packaging updates and notes for downstreams
- The changelog categorization was made clearer. The
contributors can now mark their fragment files more
accurately -- by :user:`webknjaz`.
The new category tags are:
* ``bugfix``
* ``feature``
* ``deprecation``
* ``breaking`` (previously, ``removal``)
* ``doc``
* ``packaging``
* ``contrib``
* ``misc``
*Related issues and pull requests on GitHub:*
:issue:`8066`.
## Contributor-facing changes
- Updated :ref:`contributing/Tests coverage ` section to show how we use `codecov` -- by :user:`Dreamsorcerer`.
*Related issues and pull requests on GitHub:*
:issue:`7916`.
- The changelog categorization was made clearer. The
contributors can now mark their fragment files more
accurately -- by :user:`webknjaz`.
The new category tags are:
* ``bugfix``
* ``feature``
* ``deprecation``
* ``breaking`` (previously, ``removal``)
* ``doc``
* ``packaging``
* ``contrib``
* ``misc``
*Related issues and pull requests on GitHub:*
:issue:`8066`.
## Miscellaneous internal changes
- Replaced all `tmpdir` fixtures with `tmp_path` in test suite.
*Related issues and pull requests on GitHub:*
:issue:`3551`.
***
### [`v3.9.1`](https://togithub.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#391-2023-11-26)
[Compare Source](https://togithub.com/aio-libs/aiohttp/compare/v3.9.0...v3.9.1)
\==================
## Bugfixes
- Fixed importing aiohttp under PyPy on Windows.
`#7848 `\_
- Fixed async concurrency safety in websocket compressor.
`#7865 `\_
- Fixed `ClientResponse.close()` releasing the connection instead of closing.
`#7869 `\_
- Fixed a regression where connection may get closed during upgrade. -- by :user:`Dreamsorcerer`
`#7879 `\_
- Fixed messages being reported as upgraded without an Upgrade header in Python parser. -- by :user:`Dreamsorcerer`
`#7895 `\_
***
Configuration
π Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
π¦ Automerge: Disabled by config. Please merge this manually once you are satisfied.
β» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
π Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR contains the following updates:
==3.9.0->==3.9.4GitHub Vulnerability Alerts
CVE-2024-23829
Summary
Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with processing of other malformed input.
Details
These problems are rooted in pattern matching protocol elements, previously improved by PR #3235 and GHSA-gfw2-4jvh-wgfg:
The expression
HTTP/(\d).(\d)lacked another backslash to clarify that the separator should be a literal dot, not just any Unicode code point (result:HTTP/(\d)\.(\d)).The HTTP version was permitting Unicode digits, where only ASCII digits are standards-compliant.
Distinct regular expressions for validating HTTP Method and Header field names were used - though both should (at least) apply the common restrictions of rfc9110
token.PoC
GET / HTTP/1ΓΆ1GET / HTTP/1.πGET/: HTTP/1.1Content-Encoding?: chunkedImpact
Primarily concerns running an aiohttp server without llhttp:
Patch: https://github.com/aio-libs/aiohttp/pull/8074/files
CVE-2024-23334
Summary
Improperly configuring static resource resolution in aiohttp when used as a web server can result in the unauthorized reading of arbitrary files on the system.
Details
When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if a given file path is within the root directory.This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present.
i.e. An application is only vulnerable with setup code like:
Impact
This is a directory traversal vulnerability with CWE ID 22. When using aiohttp as a web server and enabling static resource resolution with
follow_symlinksset to True, it can lead to this vulnerability. This vulnerability has been present since the introduction of thefollow_symlinksparameter.Workaround
Even if upgrading to a patched version of aiohttp, we recommend following these steps regardless.
If using
follow_symlinks=Trueoutside of a restricted local development environment, disable the option immediately. This option is NOT needed to follow symlinks which point to a location within the static root directory, it is only intended to allow a symlink to break out of the static directory. Even with this CVE fixed, there is still a substantial risk of misconfiguration when using this option on a server that accepts requests from remote users.Additionally, aiohttp has always recommended using a reverse proxy server (such as nginx) to handle static resources and not to use these static resources in aiohttp for production environments. Doing so also protects against this vulnerability, and is why we expect the number of affected users to be very low.
Patch: https://github.com/aio-libs/aiohttp/pull/8079/files
CVE-2024-27306
Summary
A XSS vulnerability exists on index pages for static file handling.
Details
When using
web.static(..., show_index=True), the resulting index pages do not escape file names.If users can upload files with arbitrary filenames to the static directory, the server is vulnerable to XSS attacks.
Workaround
We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected.
Other users can disable
show_indexif unable to upgrade.Patch: https://github.com/aio-libs/aiohttp/pull/8319/files
CVE-2024-30251
Summary
An attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further requests.
Impact
An attacker can stop the application from serving requests after sending a single request.
For anyone needing to patch older versions of aiohttp, the minimum diff needed to resolve the issue is (located in
_read_chunk_from_length()):This does however introduce some very minor issues with handling form data. So, if possible, it would be recommended to also backport the changes in: https://github.com/aio-libs/aiohttp/commit/cebe526b9c34dc3a3da9140409db63014bc4cf19 https://github.com/aio-libs/aiohttp/commit/7eecdff163ccf029fbb1ddc9de4169d4aaeb6597 https://github.com/aio-libs/aiohttp/commit/f21c6f2ca512a026ce7f0f6c6311f62d6a638866
Release Notes
aio-libs/aiohttp (aiohttp)
### [`v3.9.4`](https://togithub.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#394-2024-04-11) [Compare Source](https://togithub.com/aio-libs/aiohttp/compare/v3.9.3...v3.9.4) \================== ## Bug fixes - The asynchronous internals now set the underlying causes when assigning exceptions to the future objects \-- by :user:`webknjaz`. *Related issues and pull requests on GitHub:* :issue:`8089`. - Treated values of `Accept-Encoding` header as case-insensitive when checking for gzip files -- by :user:`steverep`. *Related issues and pull requests on GitHub:* :issue:`8104`. - Improved the DNS resolution performance on cache hit -- by :user:`bdraco`. This is achieved by avoiding an :mod:`asyncio` task creation in this case. *Related issues and pull requests on GitHub:* :issue:`8163`. - Changed the type annotations to allow `dict` on :meth:`aiohttp.MultipartWriter.append`, :meth:`aiohttp.MultipartWriter.append_json` and :meth:`aiohttp.MultipartWriter.append_form` -- by :user:`cakemanny` *Related issues and pull requests on GitHub:* :issue:`7741`. - Ensure websocket transport is closed when client does not close it \-- by :user:`bdraco`. The transport could remain open if the client did not close it. This change ensures the transport is closed when the client does not close it. *Related issues and pull requests on GitHub:* :issue:`8200`. - Leave websocket transport open if receive times out or is cancelled \-- by :user:`bdraco`. This restores the behavior prior to the change in [#7978](https://togithub.com/aio-libs/aiohttp/issues/7978). *Related issues and pull requests on GitHub:* :issue:`8251`. - Fixed content not being read when an upgrade request was not supported with the pure Python implementation. \-- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`8252`. - Fixed a race condition with incoming connections during server shutdown -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8271`. - Fixed `multipart/form-data` compliance with :rfc:`7578` -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8280`. - Fixed blocking I/O in the event loop while processing files in a POST request \-- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`8283`. - Escaped filenames in static view -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`8317`. - Fixed the pure python parser to mark a connection as closing when a response has no length -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8320`. ## Features - Upgraded *llhttp* to 9.2.1, and started rejecting obsolete line folding in Python parser to match -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8146`, :issue:`8292`. ## Deprecations (removal in next major release) - Deprecated `content_transfer_encoding` parameter in :py:meth:`FormData.add_field()Configuration
π Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
π¦ Automerge: Disabled by config. Please merge this manually once you are satisfied.
β» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
π Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.