From 5183eed0bc8c2f8a3b124fcdef1b38e635164f7f Mon Sep 17 00:00:00 2001
From: "J. Nick Koston" <nick@koston.org>
Date: Mon, 29 Jan 2024 03:25:27 -1000
Subject: [PATCH] Avoid re-encoding the hassio command URL each request
(#109031)
* Avoid reconstructing the hassio command URL each request
The host had to be re-encoded every time which creates an ip_address object
By doing a join we avoid this. It was actually happening twice since
we passed constructed the URL for testing and than passed it as a string
so aiohttp did it as well
* make url the same
---
homeassistant/components/hassio/handler.py | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/homeassistant/components/hassio/handler.py b/homeassistant/components/hassio/handler.py
index 653238709cd..a0061647caa 100644
--- a/homeassistant/components/hassio/handler.py
+++ b/homeassistant/components/hassio/handler.py
@@ -330,6 +330,7 @@ class HassIO:
self.loop = loop
self.websession = websession
self._ip = ip
+ self._base_url = URL(f"http://{ip}")
@_api_bool
def is_connected(self) -> Coroutine:
@@ -559,14 +560,20 @@ class HassIO:
This method is a coroutine.
"""
url = f"http://{self._ip}{command}"
- if url != str(URL(url)):
+ joined_url = self._base_url.join(URL(command))
+ # This check is to make sure the normalized URL string
+ # is the same as the URL string that was passed in. If
+ # they are different, then the passed in command URL
+ # contained characters that were removed by the normalization
+ # such as ../../../../etc/passwd
+ if url != str(joined_url):
_LOGGER.error("Invalid request %s", command)
raise HassioAPIError()
try:
request = await self.websession.request(
method,
- f"http://{self._ip}{command}",
+ joined_url,
json=payload,
headers={
aiohttp.hdrs.AUTHORIZATION: (
--
GitLab