Update dependency aiohttp to v3.9.4 [SECURITY] #18
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
==3.9.2->==3.9.4GitHub Vulnerability Alerts
CVE-2024-27306
Summary
A XSS vulnerability exists on index pages for static file handling.
Details
When using
web.static(..., show_index=True), the resulting index pages do not escape file names.If users can upload files with arbitrary filenames to the static directory, the server is vulnerable to XSS attacks.
Workaround
We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected.
Other users can disable
show_indexif unable to upgrade.Patch: https://github.com/aio-libs/aiohttp/pull/8319/files
CVE-2024-30251
Summary
An attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further requests.
Impact
An attacker can stop the application from serving requests after sending a single request.
For anyone needing to patch older versions of aiohttp, the minimum diff needed to resolve the issue is (located in
_read_chunk_from_length()):This does however introduce some very minor issues with handling form data. So, if possible, it would be recommended to also backport the changes in:
aio-libs/aiohttp@cebe526
aio-libs/aiohttp@7eecdff
aio-libs/aiohttp@f21c6f2
Release Notes
aio-libs/aiohttp (aiohttp)
v3.9.4Compare Source
==================
Bug fixes
The asynchronous internals now set the underlying causes
when assigning exceptions to the future objects
-- by :user:
webknjaz.Related issues and pull requests on GitHub:
:issue:
8089.Treated values of
Accept-Encodingheader as case-insensitive when checkingfor gzip files -- by :user:
steverep.Related issues and pull requests on GitHub:
:issue:
8104.Improved the DNS resolution performance on cache hit -- by :user:
bdraco.This is achieved by avoiding an :mod:
asynciotask creation in this case.Related issues and pull requests on GitHub:
:issue:
8163.Changed the type annotations to allow
dicton :meth:aiohttp.MultipartWriter.append,:meth:
aiohttp.MultipartWriter.append_jsonand:meth:
aiohttp.MultipartWriter.append_form-- by :user:cakemannyRelated issues and pull requests on GitHub:
:issue:
7741.Ensure websocket transport is closed when client does not close it
-- by :user:
bdraco.The transport could remain open if the client did not close it. This
change ensures the transport is closed when the client does not close
it.
Related issues and pull requests on GitHub:
:issue:
8200.Leave websocket transport open if receive times out or is cancelled
-- by :user:
bdraco.This restores the behavior prior to the change in #β7978.
Related issues and pull requests on GitHub:
:issue:
8251.Fixed content not being read when an upgrade request was not supported with the pure Python implementation.
-- by :user:
bdraco.Related issues and pull requests on GitHub:
:issue:
8252.Fixed a race condition with incoming connections during server shutdown -- by :user:
Dreamsorcerer.Related issues and pull requests on GitHub:
:issue:
8271.Fixed
multipart/form-datacompliance with :rfc:7578-- by :user:Dreamsorcerer.Related issues and pull requests on GitHub:
:issue:
8280.Fixed blocking I/O in the event loop while processing files in a POST request
-- by :user:
bdraco.Related issues and pull requests on GitHub:
:issue:
8283.Escaped filenames in static view -- by :user:
bdraco.Related issues and pull requests on GitHub:
:issue:
8317.Fixed the pure python parser to mark a connection as closing when a
response has no length -- by :user:
Dreamsorcerer.Related issues and pull requests on GitHub:
:issue:
8320.Features
Upgraded llhttp to 9.2.1, and started rejecting obsolete line folding
in Python parser to match -- by :user:
Dreamsorcerer.Related issues and pull requests on GitHub:
:issue:
8146, :issue:8292.Deprecations (removal in next major release)
Deprecated
content_transfer_encodingparameter in :py:meth:FormData.add_field() <aiohttp.FormData.add_field>-- by :user:Dreamsorcerer.Related issues and pull requests on GitHub:
:issue:
8280.Improved documentation
Added a note about canceling tasks to avoid delaying server shutdown -- by :user:
Dreamsorcerer.Related issues and pull requests on GitHub:
:issue:
8267.Contributor-facing changes
The pull request template is now asking the contributors to
answer a question about the long-term maintenance challenges
they envision as a result of merging their patches
-- by :user:
webknjaz.Related issues and pull requests on GitHub:
:issue:
8099.Updated CI and documentation to use NPM clean install and upgrade
node to version 18 -- by :user:
steverep.Related issues and pull requests on GitHub:
:issue:
8116.A pytest fixture
hello_txtwas introduced to aidstatic file serving tests in
:file:
test_web_sendfile_functional.py. It dynamicallyprovisions
hello.txtfile variants shared across thetests in the module.
-- by :user:
steverepRelated issues and pull requests on GitHub:
:issue:
8136.Packaging updates and notes for downstreams
Added an
internalpytest marker for tests which should be skippedby packagers (use
-m 'not internal'to disable them) -- by :user:Dreamsorcerer.Related issues and pull requests on GitHub:
:issue:
8299.v3.9.3Compare Source
==================
Bug fixes
Fixed backwards compatibility breakage (in 3.9.2) of
sslparameter when set outsideof
ClientSession(e.g. directly inTCPConnector) -- by :user:Dreamsorcerer.Related issues and pull requests on GitHub:
:issue:
8097, :issue:8098.Miscellaneous internal changes
Improved test suite handling of paths and temp files to consistently use pathlib and pytest fixtures.
Related issues and pull requests on GitHub:
:issue:
3957.Configuration
π Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
π¦ Automerge: Disabled by config. Please merge this manually once you are satisfied.
β» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
π Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.