From 3615869ee05d39668adcfffeedd7e193e8dbb094 Mon Sep 17 00:00:00 2001
From: Adam Samalik
Date: Mon, 8 May 2023 10:57:12 +0200
Subject: [PATCH] import sources
---
.gitignore | 1 +
0001-bottle-0.12.13-CVE-2020-28473.patch | 33 ++++
0002-bottle-0.12.13-CVE-2022-31799.patch | 45 ++++++
python-bottle.spec | 184 +++++++++++++++++++++++
sources | 1 +
5 files changed, 264 insertions(+)
create mode 100644 .gitignore
create mode 100644 0001-bottle-0.12.13-CVE-2020-28473.patch
create mode 100644 0002-bottle-0.12.13-CVE-2022-31799.patch
create mode 100644 python-bottle.spec
create mode 100644 sources
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..8170d38
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+/bottle-0.12.13.tar.gz
diff --git a/0001-bottle-0.12.13-CVE-2020-28473.patch b/0001-bottle-0.12.13-CVE-2020-28473.patch
new file mode 100644
index 0000000..04068a9
--- /dev/null
+++ b/0001-bottle-0.12.13-CVE-2020-28473.patch
@@ -0,0 +1,33 @@
+From 6406338d47034d3d2e6678bdbdafafa6a6e35b2c Mon Sep 17 00:00:00 2001
+From: Marcel Hellkamp
+Date: Wed, 11 Nov 2020 19:24:29 +0100
+Subject: [PATCH] Do not split query strings on `;` anymore.
+
+Using `;` as a separator instead of `&` was allowed a long time ago,
+but is now obsolete and actually invalid according to the 2014 W3C
+recommendations. Even if this change is technically backwards-incompatible,
+no real-world application should depend on broken behavior. If you REALLY
+need this functionality, monkey-patch the _parse_qsl() function.
+
+Upstream-commit: 57a2f22e0c1d2b328c4f54bf75741d74f47f1a6b
+Signed-off-by: Kamil Dudka
+---
+ bottle.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bottle.py b/bottle.py
+index 250a925..94fe8a6 100644
+--- a/bottle.py
++++ b/bottle.py
+@@ -2576,7 +2576,7 @@ def parse_range_header(header, maxlen=0):
+
+ def _parse_qsl(qs):
+ r = []
+- for pair in qs.replace(';','&').split('&'):
++ for pair in qs.split('&'):
+ if not pair: continue
+ nv = pair.split('=', 1)
+ if len(nv) != 2: nv.append('')
+--
+2.26.3
+
diff --git a/0002-bottle-0.12.13-CVE-2022-31799.patch b/0002-bottle-0.12.13-CVE-2022-31799.patch
new file mode 100644
index 0000000..8f44153
--- /dev/null
+++ b/0002-bottle-0.12.13-CVE-2022-31799.patch
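Review bot: The backport carries no regression test for the new `_parse_qsl` behaviour, so nothing in the package build pins the CVE-2020-28473 fix: after this hunk `a=1;b=2` should parse as the single pair `('a', '1;b=2')` rather than two parameters, and a one-line assertion to that effect in the existing suite, e.g. `self.assertEqual(bottle._parse_qsl('a=1;b=2'), [('a', '1;b=2')])`, would catch a silent re-introduction on the next rebase. The hunk touches only this helper; whether every query-string and form-body parser in bottle.py routes through `_parse_qsl` (rather than, say, the stdlib `parse_qsl`, which in older Python releases also splits on `;` by default) cannot be confirmed from the patch and is worth a grep before shipping. The body of `_parse_qsl` continues past the end of the inner hunk, so the final tuple shape is inferred from the split, not visible here.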
@@ -0,0 +1,45 @@
+From db0c0e711b0eb95df592d22890a043e2c0dd741e Mon Sep 17 00:00:00 2001
+From: Marcel Hellkamp
+Date: Thu, 26 May 2022 14:49:32 +0200
+Subject: [PATCH] Gracefully handle errors during early request binding.
+
+Upstream-commit: e140e1b54da721a660f2eb9d58a106b7b3ff2f00
+Signed-off-by: Kamil Dudka
+---
+ bottle.py | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/bottle.py b/bottle.py
+index 94fe8a6..74cb169 100644
+--- a/bottle.py
++++ b/bottle.py
+@@ -841,17 +841,19 @@ class Bottle(object):
+ return tob(template(ERROR_PAGE_TEMPLATE, e=res))
+
+ def _handle(self, environ):
+- path = environ['bottle.raw_path'] = environ['PATH_INFO']
+- if py3k:
+- try:
+- environ['PATH_INFO'] = path.encode('latin1').decode('utf8')
+- except UnicodeError:
+- return HTTPError(400, 'Invalid path string. Expected UTF-8')
+-
+ try:
++
+ environ['bottle.app'] = self
+ request.bind(environ)
+ response.bind()
++
++ path = environ['bottle.raw_path'] = environ['PATH_INFO']
++ if py3k:
++ try:
++ environ['PATH_INFO'] = path.encode('latin1').decode('utf8')
++ except UnicodeError:
++ return HTTPError(400, 'Invalid path string. Expected UTF-8')
++
+ try:
+ self.trigger_hook('before_request')
+ route, args = self.router.match(environ)
+--
+2.37.1
+
diff --git a/python-bottle.spec b/python-bottle.spec
new file mode 100644
index 0000000..62148d5
--- /dev/null
+++ b/python-bottle.spec
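Review bot: Nothing in the backport pins the property this reorder establishes — that `request.bind(environ)` and `response.bind()` now run before `_handle` can return the early 400 `HTTPError` for an undecodable `PATH_INFO` — so a later rebase could silently restore the old ordering; a test that sends a `PATH_INFO` of `'/\xff'` (the latin1 stand-in for an invalid UTF-8 byte) and asserts a 400 whose rendering sees the current request's environ would catch that. One visible side effect of the move is that `environ['bottle.raw_path']` is only assigned after `request.bind(environ)`; that looks harmless since nothing in the hunk reads it during binding, but it should be confirmed against `BaseRequest.bind` before relying on it. The except arms of the outer `try` sit outside the inner hunk, so which handler the relocated code now falls into cannot be verified from this patch alone; `_handle` continues past the hunk.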
@@ -0,0 +1,184 @@
+%global srcname bottle
+
+%if 0%{?rhel} > 7
+# Disable python2 build by default
+%bcond_with python2
+%else
+%bcond_without python2
+%endif
+
+Name: python-%{srcname}
+Version: 0.12.13
+Release: 7%{?dist}
+Summary: Fast and simple WSGI-framework for small web-applications
+
+Group: Development/Languages
+License: MIT
+URL: http://bottlepy.org
+Source0: https://github.com/bottlepy/%{srcname}/archive/%{version}.tar.gz#/%{srcname}-%{version}.tar.gz
+
+# Do not split query strings on `;` anymore (CVE-2020-28473)
+Patch1: 0001-bottle-0.12.13-CVE-2020-28473.patch
+
+# Gracefully handle errors during early request binding (CVE-2022-31799)
+Patch2: 0002-bottle-0.12.13-CVE-2022-31799.patch
+
+BuildArch: noarch
+%if %{with python2}
+BuildRequires: python2-devel
+BuildRequires: python2-setuptools
+%endif # with python2
+
+BuildRequires: python%{python3_pkgversion}-devel
+BuildRequires: python%{python3_pkgversion}-setuptools
+
+%description
+Bottle is a fast and simple micro-framework for small web-applications.
+It offers request dispatching (Routes) with URL parameter support, Templates,
+a built-in HTTP Server and adapters for many third party WSGI/HTTP-server and
+template engines. All in a single file and with no dependencies other than the
+Python Standard Library.
+
+%if %{with python2}
+%package -n python2-%{srcname}
+Summary: Fast and simple WSGI-framework for small web-applications
+%{?python_provide:%python_provide python2-%{srcname}}
+
+%description -n python2-%{srcname}
+Bottle is a fast and simple micro-framework for small web-applications.
+It offers request dispatching (Routes) with URL parameter support, Templates,
+a built-in HTTP Server and adapters for many third party WSGI/HTTP-server and
+template engines. All in a single file and with no dependencies other than the
+Python Standard Library.
+%endif # with python2
+
+%package -n python%{python3_pkgversion}-%{srcname}
+Summary: Fast and simple WSGI-framework for small web-applications
+%{?python_provide:%python_provide python%{python3_pkgversion}-%{srcname}}
+
+%description -n python%{python3_pkgversion}-%{srcname}
+Bottle is a fast and simple micro-framework for small web-applications.
+It offers request dispatching (Routes) with URL parameter support, Templates,
+a built-in HTTP Server and adapters for many third party WSGI/HTTP-server and
+template engines. All in a single file and with no dependencies other than the
+Python Standard Library.
+
+%prep
+%setup -q -n %{srcname}-%{version}
+sed -i '/^#!/d' bottle.py
+%patch1 -p1
+%patch2 -p1
+
+%build
+%if %{with python2}
+%py2_build
+%endif # with python2
+%py3_build
+
+%install
+%if %{with python2}
+%py2_install
+%endif # with python2
+%py3_install
+rm %{buildroot}%{_bindir}/bottle.py
+
+%check
+%if %{with python2}
+%__python2 test/testall.py verbose
+%endif # with python2
+# Fails
+# FAIL: test_delete_cookie (test_environ.TestResponse)
+%__python3 test/testall.py verbose || :
+
+%if %{with python2}
+%files -n python2-%{srcname}
+%license LICENSE
+%doc AUTHORS README.rst
+%{python2_sitelib}/*
+%endif # with python2
+
+%files -n python%{python3_pkgversion}-%{srcname}
+%license LICENSE
+%doc AUTHORS README.rst
+%{python3_sitelib}/__pycache__/*
+%{python3_sitelib}/*.egg-info
+%{python3_sitelib}/*.py
+
+%changelog
+* Tue Aug 23 2022 Kamil Dudka - 0.12.13-7
+- Gracefully handle errors during early request binding (CVE-2022-31799)
+
+* Fri Mar 26 2021 Kamil Dudka - 0.12.13-6
+- Do not split query strings on `;` anymore (CVE-2020-28473)
+
+* Fri Jun 08 2018 Charalampos Stratakis - 0.12.13-3
+- Conditionalize the python2 subpackage
+
+* Fri Feb 09 2018 Fedora Release Engineering - 0.12.13-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Tue Jan 09 2018 Stratakis Charalampos - 0.12.13-1
+- Update to 0.12.13
+
+* Thu Jul 27 2017 Fedora Release Engineering - 0.12.9-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Sat Feb 11 2017 Fedora Release Engineering - 0.12.9-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Mon Dec 12 2016 Stratakis Charalampos - 0.12.9-4
+- Rebuild for Python 3.6
+
+* Wed Nov 16 2016 Orion Poplawski - 0.12.9-3
+- Do not own __pycache__ dir
+
+* Tue Jul 19 2016 Fedora Release Engineering - 0.12.9-2
+- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
+
+* Tue Jul 12 2016 Orion Poplawski - 0.12.9-1
+- Update to 0.12.9
+- Run tests but ignore python3 failure for now
+
+* Tue Jul 12 2016 Orion Poplawski - 0.12.6-5
+- Use modern python packaging guidelines
+
+* Thu Feb 04 2016 Fedora Release Engineering - 0.12.6-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Tue Nov 10 2015 Fedora Release Engineering - 0.12.6-3
+- Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5
+
+* Thu Jun 18 2015 Fedora Release Engineering - 0.12.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Sat Jul 12 2014 Rahul Sundaram - 0.12.6-1
+- resolves rhbz#1093257 - JSON content type not restrictive enough
+
+* Sat Jun 07 2014 Fedora Release Engineering - 0.11.6-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Mon May 19 2014 Bohuslav Kabrda - 0.11.6-3
+- Rebuilt for https://fedoraproject.org/wiki/Changes/Python_3.4
+
+* Sun Aug 04 2013 Fedora Release Engineering - 0.11.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Tue Apr 23 2013 Rahul Sundaram - 0.11.6-1
+- upstream release 0.11.6
+- add python3 subpackage. resolves rhbz#949240
+- spec file patch from Haïkel Guémar
+
+* Thu Feb 14 2013 Fedora Release Engineering - 0.10.7-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Sat Jul 21 2012 Fedora Release Engineering - 0.10.7-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Wed Feb 01 2012 Ian Weller - 0.10.7-1
+- Update to 0.10.7 (required by python-mwlib)
+
+* Sat Jan 14 2012 Fedora Release Engineering - 0.9.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Mon Jul 18 2011 Rahul Sundaram - 0.9.5-1
+- Initial spec
diff --git a/sources b/sources
new file mode 100644
index 0000000..4998629
--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (bottle-0.12.13.tar.gz) = 8487e1e339d84964f1448503ee894d2f4f313218417175341911f0b8a48c383d7d4334fb27bd477ea6267e8c1a2e41e2d91c86e56f0f95aa57248a7ea36a2b8e
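Review bot: The `%check` section applies both CVE backports in `%prep` but then runs the Python 3 suite as `%__python3 test/testall.py verbose || :`, so every failure — including a regression in the patched `_parse_qsl` or `_handle` paths — is discarded and the build still succeeds, even though the comment above it names only `test_delete_cookie` as the expected failure. Better to tolerate just that one test and let everything else gate the build, for example by neutralising it in `%prep` with `sed -i 's/def test_delete_cookie/def _skip_test_delete_cookie/' test/test_environ.py` and dropping the `|| :` (the test-file layout is not visible here, so adjust the path to match). A smaller supply-chain point: `Source0` pulls a GitHub auto-generated tag archive rather than an upstream-published release artifact; the SHA512 in `sources` pins the bytes, but that pin was presumably taken from the same download, so it is worth noting in a comment next to `Source0` where the hash was cross-checked (PyPI sdist or a signed upstream release).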