[AUTO-CHERRYPICK] Added patch for CVE-2023-46136 to python-werkzeug - branch main (#6802)

Co-authored-by: Nick Samson <nick.samson@microsoft.com>

SPECS/python-werkzeug/0001-enable-tests-in-rpm-env.patch

@@ -0,0 +1,32 @@
+From 7bd6337181f1964d3a0203be2faf49f335984402 Mon Sep 17 00:00:00 2001
+From: Nick Samson <nisamson@microsoft.com>
+Date: Mon, 13 Nov 2023 17:02:11 -0800
+Subject: [PATCH] Added pythonpath fix for RPM build testing
+
+---
+ tests/conftest.py | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/tests/conftest.py b/tests/conftest.py
+index b73202cd..0fb9657d 100644
+--- a/tests/conftest.py
++++ b/tests/conftest.py
+@@ -105,7 +105,14 @@ def dev_server(xprocess, request, tmp_path):
+             # Extend the existing env, otherwise Windows and CI fails.
+             # Modules will be imported from tmp_path for the reloader.
+             # Unbuffered output so the logs update immediately.
+-            env = {**os.environ, "PYTHONPATH": str(tmp_path), "PYTHONUNBUFFERED": "1"}
++            pypath = os.environ.get("PYTHONPATH", "")
++            if len(pypath) > 0:
++                pypath += os.pathsep
++            env = {
++                **os.environ,
++                "PYTHONPATH": f"{pypath}{str(tmp_path)}",
++                "PYTHONUNBUFFERED": "1",
++            }
+ 
+             @cached_property
+             def pattern(self):
+-- 
+2.34.1
+

SPECS/python-werkzeug/0002-disable-stat-test.patch

@@ -0,0 +1,25 @@
+From ae808cb894699826acaa28c24c716caacc21a101 Mon Sep 17 00:00:00 2001
+From: Nick Samson <nisamson@microsoft.com>
+Date: Thu, 16 Nov 2023 13:14:37 -0800
+Subject: [PATCH] Removed stat test due to environmental concerns
+
+---
+ tests/test_serving.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/test_serving.py b/tests/test_serving.py
+index 4abc755d..eb7d161f 100644
+--- a/tests/test_serving.py
++++ b/tests/test_serving.py
+@@ -148,7 +148,7 @@ def test_windows_get_args_for_reloading(monkeypatch, tmp_path):
+ 
+ 
+ @pytest.mark.filterwarnings("ignore::pytest.PytestUnraisableExceptionWarning")
+-@pytest.mark.parametrize("find", [_find_stat_paths, _find_watchdog_paths])
++@pytest.mark.parametrize("find", [_find_watchdog_paths])
+ def test_exclude_patterns(find):
+     # Select a path to exclude from the unfiltered list, assert that it is present and
+     # then gets excluded.
+-- 
+2.34.1
+

SPECS/python-werkzeug/CVE-2023-46136.patch

@@ -0,0 +1,36 @@
+From b1916c0c083e0be1c9d887ee2f3d696922bfc5c1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pawe=C5=82=20Srokosz?= <pawel.srokosz@cert.pl>
+Date: Thu, 12 Oct 2023 18:50:04 +0200
+Subject: [PATCH 1/2] Fix: slow multipart parsing for huge files with few CR/LF
+ characters
+
+---
+ src/werkzeug/sansio/multipart.py | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/werkzeug/sansio/multipart.py b/src/werkzeug/sansio/multipart.py
+index 380993af7..fc8735378 100644
+--- a/src/werkzeug/sansio/multipart.py
++++ b/src/werkzeug/sansio/multipart.py
+@@ -251,12 +251,20 @@ def _parse_data(self, data: bytes, *, start: bool) -> tuple[bytes, int, bool]:
+         else:
+             data_start = 0
+ 
+-        if self.buffer.find(b"--" + self.boundary) == -1:
++        boundary = b"--" + self.boundary
++
++        if self.buffer.find(boundary) == -1:
+             # No complete boundary in the buffer, but there may be
+             # a partial boundary at the end. As the boundary
+             # starts with either a nl or cr find the earliest and
+             # return up to that as data.
+             data_end = del_index = self.last_newline(data[data_start:]) + data_start
++            # If amount of data after last newline is far from
++            # possible length of partial boundary, we should
++            # assume that there is no partial boundary in the buffer
++            # and return all pending data.
++            if (len(data) - data_end) > len(b"\n" + boundary):
++                data_end = del_index = len(data)
+             more_data = True
+         else:
+             match = self.boundary_re.search(data)

SPECS/python-werkzeug/python-werkzeug.signatures.json

@@ -1,5 +1,5 @@
 {
  "Signatures": {
-  "werkzeug-2.2.3.tar.gz": "8b5729f88b3e18b8fbb5a722e374bf00a1d9b77da447e846e2c64b8108c0522a"
+  "werkzeug-2.3.7.tar.gz": "d9a68679b430e099b668a61130f1eb6e6768ac663a8667745ad637955ca1dd9d"
  }
 }

SPECS/python-werkzeug/python-werkzeug.spec

@@ -1,6 +1,6 @@
 Summary:        The Swiss Army knife of Python web development
 Name:           python-werkzeug
-Version:        2.2.3
+Version:        2.3.7
 Release:        1%{?dist}
 License:        BSD
 Vendor:         Microsoft Corporation
@@ -8,6 +8,16 @@ Distribution:   Mariner
 Group:          Development/Languages/Python
 URL:            https://github.com/pallets/werkzeug
 Source0:        https://github.com/pallets/werkzeug/archive/%{version}.tar.gz#/werkzeug-%{version}.tar.gz
+Patch0:         0001-enable-tests-in-rpm-env.patch
+# Werkzeug really doesn't like running tests in the RPM build environment.
+# The %%tox macro explicitly sets PYTHONPATH rather than using a virtualenv and,
+# crucially, also puts Werkzeug in a directory considered to be a system directory.
+# Normally, Werkzeug is tested using an editable installation, where the source
+# directory is added to PYTHONPATH but not installed in a system directory.
+# This means all files this function would normally find are considered system files
+# and are excluded.
+Patch1:         0002-disable-stat-test.patch
+Patch2:         CVE-2023-46136.patch
 BuildArch:      noarch
 
 %description
@@ -17,14 +27,19 @@ The Swiss Army knife of Python web development
 Summary:        The Swiss Army knife of Python web development
 BuildRequires:  python3-devel
 BuildRequires:  python3-libs
+BuildRequires:  pyproject-rpm-macros
 BuildRequires:  python3-setuptools
 BuildRequires:  python3-xml
+BuildRequires:  python3-flit-core
+BuildRequires:  python3-pip
+BuildRequires:  python3-wheel
 Requires:       python3
+Requires:       python3-markupsafe
 %if %{with_check}
 BuildRequires:  curl-devel
 BuildRequires:  openssl-devel
-BuildRequires:  python3-pip
 BuildRequires:  python3-requests
+BuildRequires:  python3-markupsafe
 %endif
 
 %description -n python3-werkzeug
@@ -33,22 +48,34 @@ Werkzeug started as simple collection of various utilities for WSGI applications
 %prep
 %autosetup -n werkzeug-%{version} -p1
 
+%generate_buildrequires
+%pyproject_buildrequires %{?with_tests:-t}
+
 %build
-%py3_build
+%pyproject_wheel
 
 %install
-%py3_install
+%pyproject_install
+%pyproject_save_files werkzeug
 
 %check
-pip3 install pytest hypothesis
-LANG=en_US.UTF-8 PYTHONPATH=./  python3 setup.py test
+pip3 install tox==4.6.3 tox-current-env
+pip3 install -r requirements/tests.txt
+%tox
 
-%files -n python3-werkzeug
+%files -n python3-werkzeug -f %{pyproject_files}
 %defattr(-,root,root)
+%doc README.rst
+%doc CHANGES.rst
 %license LICENSE.rst
-%{python3_sitelib}/*
 
 %changelog
+* Mon Nov 06 2023 Nick Samson <nisamson@microsoft.com> - 2.3.7-1
+- Upgraded to version 2.3.7
+- Migrated to pyproject build
+- Added required MarkupSafe dependency
+- Added patch for CVE-2023-46136
+
 * Tue Mar 14 2023 Rakshaa Viswanathan <rviswanathan@microsoft.com> - 2.2.3-1
 - Updated to version 2.2.3 for CVE-2023-23934 adn CVE-2023-25577
 - Remove patch for CVE-2023-25577

cgmanifest.json

@@ -24954,8 +24954,8 @@
         "type": "other",
         "other": {
           "name": "python-werkzeug",
-          "version": "2.2.3",
-          "downloadUrl": "https://github.com/pallets/werkzeug/archive/2.2.3.tar.gz"
+          "version": "2.3.7",
+          "downloadUrl": "https://github.com/pallets/werkzeug/archive/2.3.7.tar.gz"
         }
       }
     },