python-werkzeug: fix for CVE-2023-23934 (#5079)

* Add patch for CVE-2023-23934

* Upgrade python-werkzeug to 2.2.3 instead of patching to resolve CVE-2023-23934 and CVE-2023-25577

* Update changelog

* Update cgmanifest.json

* Fix SPEC-linting for python-werkzeug

* Change order for SPEC-linting

* Update SPECS/python-werkzeug/python-werkzeug.spec

Co-authored-by: Muhammad Falak R Wani <falakreyaz@gmail.com>

* Remove unnecessary patches

---------

Co-authored-by: Muhammad Falak R Wani <falakreyaz@gmail.com>

SPECS/python-werkzeug/CVE-2023-25577.patch

@@ -1,128 +0,0 @@
-diff -ruN a/tests/test_formparser.py b/tests/test_formparser.py
---- a/tests/test_formparser.py	2022-02-07 13:02:05.000000000 -0800
-+++ b/tests/test_formparser.py	2023-02-24 15:07:44.833250855 -0800
-@@ -127,6 +127,15 @@
-         req.max_form_memory_size = 400
-         assert req.form["foo"] == "Hello World"
- 
-+        req = Request.from_values(
-+            input_stream=io.BytesIO(data),
-+            content_length=len(data),
-+            content_type="multipart/form-data; boundary=foo",
-+            method="POST",
-+        )
-+        req.max_form_parts = 1
-+        pytest.raises(RequestEntityTooLarge, lambda: req.form["foo"])
-+
-     def test_missing_multipart_boundary(self):
-         data = (
-             b"--foo\r\nContent-Disposition: form-field; name=foo\r\n\r\n"
-diff -ruN a/src/werkzeug/wrappers/request.py b/src/werkzeug/wrappers/request.py
---- a/src/werkzeug/wrappers/request.py	2022-02-07 13:02:05.000000000 -0800
-+++ b/src/werkzeug/wrappers/request.py	2023-02-24 15:07:02.992685621 -0800
-@@ -81,6 +81,13 @@
-     #: .. versionadded:: 0.5
-     max_form_memory_size: t.Optional[int] = None
- 
-+    #: The maximum number of multipart parts to parse, passed to
-+    #: :attr:`form_data_parser_class`. Parsing form data with more than this
-+    #: many parts will raise :exc:`~.RequestEntityTooLarge`.
-+    #:
-+    #: .. versionadded:: 2.2.3
-+    max_form_parts = 1000
-+
-     #: The form data parser that shoud be used.  Can be replaced to customize
-     #: the form date parsing.
-     form_data_parser_class: t.Type[FormDataParser] = FormDataParser
-@@ -265,6 +272,7 @@
-             self.max_form_memory_size,
-             self.max_content_length,
-             self.parameter_storage_class,
-+            max_form_parts=self.max_form_parts,
-         )
- 
-     def _load_form_data(self) -> None:
-diff -ruN a/src/werkzeug/sansio/multipart.py b/src/werkzeug/sansio/multipart.py
---- a/src/werkzeug/sansio/multipart.py	2022-02-07 13:02:05.000000000 -0800
-+++ b/src/werkzeug/sansio/multipart.py	2023-02-24 15:06:03.811888559 -0800
-@@ -83,10 +83,13 @@
-         self,
-         boundary: bytes,
-         max_form_memory_size: Optional[int] = None,
-+        *,
-+        max_parts: Optional[int] = None,
-     ) -> None:
-         self.buffer = bytearray()
-         self.complete = False
-         self.max_form_memory_size = max_form_memory_size
-+        self.max_parts = max_parts
-         self.state = State.PREAMBLE
-         self.boundary = boundary
- 
-@@ -113,6 +116,7 @@
-             % (LINE_BREAK, re.escape(boundary), LINE_BREAK, LINE_BREAK),
-             re.MULTILINE,
-         )
-+        self._parts_decoded = 0
- 
-     def last_newline(self) -> int:
-         try:
-@@ -177,7 +181,10 @@
-                         name=name,
-                     )
-                 self.state = State.DATA
-+                self._parts_decoded += 1
- 
-+                if self.max_parts is not None and self._parts_decoded > self.max_parts:
-+                    raise RequestEntityTooLarge()
-         elif self.state == State.DATA:
-             if self.buffer.find(b"--" + self.boundary) == -1:
-                 # No complete boundary in the buffer, but there may be
-diff -ruN a/docs/request_data.rst b/docs/request_data.rst
---- a/docs/request_data.rst	2022-02-07 13:02:05.000000000 -0800
-+++ b/docs/request_data.rst	2023-02-24 15:02:12.800811229 -0800
-@@ -73,23 +73,26 @@
- Limiting Request Data
- ---------------------
- 
--To avoid being the victim of a DDOS attack you can set the maximum
--accepted content length and request field sizes.  The :class:`Request`
--class has two attributes for that: :attr:`~Request.max_content_length`
--and :attr:`~Request.max_form_memory_size`.
--
--The first one can be used to limit the total content length.  For example
--by setting it to ``1024 * 1024 * 16`` the request won't accept more than
--16MB of transmitted data.
--
--Because certain data can't be moved to the hard disk (regular post data)
--whereas temporary files can, there is a second limit you can set.  The
--:attr:`~Request.max_form_memory_size` limits the size of `POST`
--transmitted form data.  By setting it to ``1024 * 1024 * 2`` you can make
--sure that all in memory-stored fields are not more than 2MB in size.
--
--This however does *not* affect in-memory stored files if the
--`stream_factory` used returns a in-memory file.
-+The :class:`Request` class provides a few attributes to control how much data is
-+processed from the request body. This can help mitigate DoS attacks that craft the
-+request in such a way that the server uses too many resources to handle it. Each of
-+these limits will raise a :exc:`~werkzeug.exceptions.RequestEntityTooLarge` if they are
-+exceeded.
-+
-+-   :attr:`~Request.max_content_length` Stop reading request data after this number
-+    of bytes. It's better to configure this in the WSGI server or HTTP server, rather
-+    than the WSGI application.
-+-   :attr:`~Request.max_form_memory_size` Stop reading request data if any form part is
-+    larger than this number of bytes. While file parts can be moved to disk, regular
-+    form field data is stored in memory only.
-+-   :attr:`~Request.max_form_parts` Stop reading request data if more than this number
-+    of parts are sent in multipart form data. This is useful to stop a very large number
-+    of very small parts, especially file parts. The default is 1000.
-+
-+Using Werkzeug to set these limits is only one layer of protection. WSGI servers
-+and HTTPS servers should set their own limits on size and timeouts. The operating system
-+or container manager should set limits on memory and processing time for server
-+processes.
- 
- 
- How to extend Parsing?
- 

SPECS/python-werkzeug/python-werkzeug.signatures.json

@@ -1,5 +1,5 @@
 {
  "Signatures": {
-  "werkzeug-2.0.3.tar.gz": "d064bfb538a8cb5f561ec599e478689757f10e720e442eff6cc4de6853f097e0"
+  "werkzeug-2.2.3.tar.gz": "8b5729f88b3e18b8fbb5a722e374bf00a1d9b77da447e846e2c64b8108c0522a"
  }
 }

SPECS/python-werkzeug/python-werkzeug.spec

@@ -1,14 +1,13 @@
 Summary:        The Swiss Army knife of Python web development
 Name:           python-werkzeug
-Version:        2.0.3
-Release:        2%{?dist}
+Version:        2.2.3
+Release:        1%{?dist}
 License:        BSD
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          Development/Languages/Python
 URL:            https://github.com/pallets/werkzeug
 Source0:        https://github.com/pallets/werkzeug/archive/%{version}.tar.gz#/werkzeug-%{version}.tar.gz
-Patch0:         CVE-2023-25577.patch
 BuildArch:      noarch
 
 %description
@@ -20,13 +19,13 @@ BuildRequires:  python3-devel
 BuildRequires:  python3-libs
 BuildRequires:  python3-setuptools
 BuildRequires:  python3-xml
+Requires:       python3
 %if %{with_check}
 BuildRequires:  curl-devel
 BuildRequires:  openssl-devel
 BuildRequires:  python3-pip
 BuildRequires:  python3-requests
 %endif
-Requires:       python3
 
 %description -n python3-werkzeug
 Werkzeug started as simple collection of various utilities for WSGI applications and has become one of the most advanced WSGI utility modules. It includes a powerful debugger, full featured request and response objects, HTTP utilities to handle entity tags, cache control headers, HTTP dates, cookie handling, file uploads, a powerful URL routing system and a bunch of community contributed addon modules.
@@ -50,6 +49,10 @@ LANG=en_US.UTF-8 PYTHONPATH=./  python3 setup.py test
 %{python3_sitelib}/*
 
 %changelog
+* Tue Mar 14 2023 Rakshaa Viswanathan <rviswanathan@microsoft.com> - 2.2.3-1
+- Updated to version 2.2.3 for CVE-2023-23934 adn CVE-2023-25577
+- Remove patch for CVE-2023-25577
+
 * Fri Feb 24 2023 Minghe Ren <mingheren@microsoft.com> - 2.0.3-2
 - Add patch for CVE-2023-25577
 

cgmanifest.json

@@ -24504,8 +24504,8 @@
         "type": "other",
         "other": {
           "name": "python-werkzeug",
-          "version": "2.0.3",
-          "downloadUrl": "https://github.com/pallets/werkzeug/archive/2.0.3.tar.gz"
+          "version": "2.2.3",
+          "downloadUrl": "https://github.com/pallets/werkzeug/archive/2.2.3.tar.gz"
         }
       }
     },
@@ -30317,4 +30317,4 @@
     }
   ],
   "Version": 1
-}
+}