Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

build(deps): update dependency aiohttp to v3.10.2 [security] #246

Merged
merged 1 commit into from
Aug 9, 2024

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Aug 9, 2024

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
aiohttp 3.10.0 -> 3.10.2 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-42367

Summary

Static routes which contain files with compressed variants (.gz or .br extension) were vulnerable to path traversal outside the root directory if those variants are symbolic links.

Details

The server protects static routes from path traversal outside the root directory when follow_symlinks=False (default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in the FileResponse class, and symbolic links are then automatically followed when performing Path.stat() and Path.open() to send the file.

Impact

Servers with static routes that contain compressed variants as symbolic links, pointing outside the root directory, or that permit users to upload or create such links, are impacted.


Patch: https://github.com/aio-libs/aiohttp/pull/8653/files


Release Notes

aio-libs/aiohttp (aiohttp)

v3.10.2: 3.10.2

Compare Source

Bug fixes

  • Fixed server checks for circular symbolic links to be compatible with Python 3.13 -- by :user:steverep.

    Related issues and pull requests on GitHub:
    #​8565.

  • Fixed request body not being read when ignoring an Upgrade request -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    #​8597.

  • Fixed an edge case where shutdown would wait for timeout when the handler was already completed -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    #​8611.

  • Fixed connecting to npipe://, tcp://, and unix:// urls -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    #​8632.

  • Fixed WebSocket ping tasks being prematurely garbage collected -- by :user:bdraco.

    There was a small risk that WebSocket ping tasks would be prematurely garbage collected because the event loop only holds a weak reference to the task. The garbage collection risk has been fixed by holding a strong reference to the task. Additionally, the task is now scheduled eagerly with Python 3.12+ to increase the chance it can be completed immediately and avoid having to hold any references to the task.

    Related issues and pull requests on GitHub:
    #​8641.

  • Fixed incorrectly following symlinks for compressed file variants -- by :user:steverep.

    Related issues and pull requests on GitHub:
    #​8652.

Removals and backward incompatible breaking changes

  • Removed Request.wait_for_disconnection(), which was mistakenly added briefly in 3.10.0 -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    #​8636.

Contributor-facing changes

  • Fixed monkey patches for Path.stat() and Path.is_dir() for Python 3.13 compatibility -- by :user:steverep.

    Related issues and pull requests on GitHub:
    #​8551.

Miscellaneous internal changes

  • Improved WebSocket performance when messages are sent or received frequently -- by :user:bdraco.

    The WebSocket heartbeat scheduling algorithm was improved to reduce the asyncio scheduling overhead by decreasing the number of asyncio.TimerHandle creations and cancellations.

    Related issues and pull requests on GitHub:
    #​8608.

  • Minor improvements to various type annotations -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    #​8634.


v3.10.1

Compare Source


Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Aug 9, 2024
@renovate renovate bot assigned trim21 Aug 9, 2024
@trim21 trim21 merged commit 14a7b10 into master Aug 9, 2024
3 of 4 checks passed
@trim21 trim21 deleted the renovate/pypi-aiohttp-vulnerability branch August 9, 2024 17:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file size/XS
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant