add patch for python-werkzeug CVE-2023-25577 (#4927)

* modify cloud.cfg * add patch for werkzeug CVE
2023-02-27 10:25:31 -08:00 · 2023-02-27 10:25:31 -08:00 · 17e7d919b9
--- a/SPECS/python-werkzeug/CVE-2023-25577.patch
+++ b/SPECS/python-werkzeug/CVE-2023-25577.patch
@ -0,0 +1,128 @@
+diff -ruN a/tests/test_formparser.py b/tests/test_formparser.py
+--- a/tests/test_formparser.py	2022-02-07 13:02:05.000000000 -0800
+++ b/tests/test_formparser.py	2023-02-24 15:07:44.833250855 -0800
+@@ -127,6 +127,15 @@
+         req.max_form_memory_size = 400
+         assert req.form["foo"] == "Hello World"
+ 
+        req = Request.from_values(
+            input_stream=io.BytesIO(data),
+            content_length=len(data),
+            content_type="multipart/form-data; boundary=foo",
+            method="POST",
+        )
+        req.max_form_parts = 1
+        pytest.raises(RequestEntityTooLarge, lambda: req.form["foo"])
+
+     def test_missing_multipart_boundary(self):
+         data = (
+             b"--foo\r\nContent-Disposition: form-field; name=foo\r\n\r\n"
+diff -ruN a/src/werkzeug/wrappers/request.py b/src/werkzeug/wrappers/request.py
+--- a/src/werkzeug/wrappers/request.py	2022-02-07 13:02:05.000000000 -0800
+++ b/src/werkzeug/wrappers/request.py	2023-02-24 15:07:02.992685621 -0800
+@@ -81,6 +81,13 @@
+     #: .. versionadded:: 0.5
+     max_form_memory_size: t.Optional[int] = None
+ 
+    #: The maximum number of multipart parts to parse, passed to
+    #: :attr:`form_data_parser_class`. Parsing form data with more than this
+    #: many parts will raise :exc:`~.RequestEntityTooLarge`.
+    #:
+    #: .. versionadded:: 2.2.3
+    max_form_parts = 1000
+
+     #: The form data parser that shoud be used.  Can be replaced to customize
+     #: the form date parsing.
+     form_data_parser_class: t.Type[FormDataParser] = FormDataParser
+@@ -265,6 +272,7 @@
+             self.max_form_memory_size,
+             self.max_content_length,
+             self.parameter_storage_class,
+            max_form_parts=self.max_form_parts,
+         )
+ 
+     def _load_form_data(self) -> None:
+diff -ruN a/src/werkzeug/sansio/multipart.py b/src/werkzeug/sansio/multipart.py
+--- a/src/werkzeug/sansio/multipart.py	2022-02-07 13:02:05.000000000 -0800
+++ b/src/werkzeug/sansio/multipart.py	2023-02-24 15:06:03.811888559 -0800
+@@ -83,10 +83,13 @@
+         self,
+         boundary: bytes,
+         max_form_memory_size: Optional[int] = None,
+        *,
+        max_parts: Optional[int] = None,
+     ) -> None:
+         self.buffer = bytearray()
+         self.complete = False
+         self.max_form_memory_size = max_form_memory_size
+        self.max_parts = max_parts
+         self.state = State.PREAMBLE
+         self.boundary = boundary
+ 
+@@ -113,6 +116,7 @@
+             % (LINE_BREAK, re.escape(boundary), LINE_BREAK, LINE_BREAK),
+             re.MULTILINE,
+         )
+        self._parts_decoded = 0
+ 
+     def last_newline(self) -> int:
+         try:
+@@ -177,7 +181,10 @@
+                         name=name,
+                     )
+                 self.state = State.DATA
+                self._parts_decoded += 1
+ 
+                if self.max_parts is not None and self._parts_decoded > self.max_parts:
+                    raise RequestEntityTooLarge()
+         elif self.state == State.DATA:
+             if self.buffer.find(b"--" + self.boundary) == -1:
+                 # No complete boundary in the buffer, but there may be
+diff -ruN a/docs/request_data.rst b/docs/request_data.rst
+--- a/docs/request_data.rst	2022-02-07 13:02:05.000000000 -0800
+++ b/docs/request_data.rst	2023-02-24 15:02:12.800811229 -0800
+@@ -73,23 +73,26 @@
+ Limiting Request Data
+ ---------------------
+ 
+-To avoid being the victim of a DDOS attack you can set the maximum
+-accepted content length and request field sizes.  The :class:`Request`
+-class has two attributes for that: :attr:`~Request.max_content_length`
+-and :attr:`~Request.max_form_memory_size`.
+-
+-The first one can be used to limit the total content length.  For example
+-by setting it to ``1024 * 1024 * 16`` the request won't accept more than
+-16MB of transmitted data.
+-
+-Because certain data can't be moved to the hard disk (regular post data)
+-whereas temporary files can, there is a second limit you can set.  The
+-:attr:`~Request.max_form_memory_size` limits the size of `POST`
+-transmitted form data.  By setting it to ``1024 * 1024 * 2`` you can make
+-sure that all in memory-stored fields are not more than 2MB in size.
+-
+-This however does *not* affect in-memory stored files if the
+-`stream_factory` used returns a in-memory file.
+The :class:`Request` class provides a few attributes to control how much data is
+processed from the request body. This can help mitigate DoS attacks that craft the
+request in such a way that the server uses too many resources to handle it. Each of
+these limits will raise a :exc:`~werkzeug.exceptions.RequestEntityTooLarge` if they are
+exceeded.
+
+-   :attr:`~Request.max_content_length` Stop reading request data after this number
+    of bytes. It's better to configure this in the WSGI server or HTTP server, rather
+    than the WSGI application.
+-   :attr:`~Request.max_form_memory_size` Stop reading request data if any form part is
+    larger than this number of bytes. While file parts can be moved to disk, regular
+    form field data is stored in memory only.
+-   :attr:`~Request.max_form_parts` Stop reading request data if more than this number
+    of parts are sent in multipart form data. This is useful to stop a very large number
+    of very small parts, especially file parts. The default is 1000.
+
+Using Werkzeug to set these limits is only one layer of protection. WSGI servers
+and HTTPS servers should set their own limits on size and timeouts. The operating system
+or container manager should set limits on memory and processing time for server
+processes.
+ 
+ 
+ How to extend Parsing?
+ 
--- a/SPECS/python-werkzeug/python-werkzeug.spec
+++ b/SPECS/python-werkzeug/python-werkzeug.spec
@ -1,13 +1,14 @@
 Summary:        The Swiss Army knife of Python web development
 Name:           python-werkzeug
 Version:        2.0.3
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        BSD
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          Development/Languages/Python
 URL:            https://github.com/pallets/werkzeug
 Source0:        https://github.com/pallets/werkzeug/archive/%{version}.tar.gz#/werkzeug-%{version}.tar.gz
+Patch0:         CVE-2023-25577.patch
 BuildArch:      noarch

 %description
@ -49,6 +50,9 @@ LANG=en_US.UTF-8 PYTHONPATH=./  python3 setup.py test
 %{python3_sitelib}/*

 %changelog
+* Fri Feb 24 2023 Minghe Ren <mingheren@microsoft.com> - 2.0.3-2
+- Add patch for CVE-2023-25577
+
 * Fri Mar 25 2022 Andrew Phelps <anphel@microsoft.com> - 2.0.3-1
 - Updated to version 2.0.3
 - Switch to github source and URL