11 changed files with 3 additions and 193 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,7 +1 @@
-/bottle-0.9.5.tar.gz
+SOURCES/bottle-0.12.13.tar.gz
 /bottle-0.10.7.tar.gz
 /bottle-0.11.6.tar.gz
 /bottle-0.11.7.tar.gz
 /bottle-0.12.6.tar.gz
 /bottle-0.12.9.tar.gz
 /bottle-0.12.13.tar.gz
--- a/.python-bottle.metadata
+++ b/.python-bottle.metadata
@ -0,0 +1 @@
 c21f52c1ea93336a830f857000ee38c7938a4539 SOURCES/bottle-0.12.13.tar.gz
--- a/0001-bottle-0.12.13-CVE-2020-28473.patch
+++ b/0001-bottle-0.12.13-CVE-2020-28473.patch
@ -1,33 +0,0 @@
 From 6406338d47034d3d2e6678bdbdafafa6a6e35b2c Mon Sep 17 00:00:00 2001
 From: Marcel Hellkamp <marc@gsites.de>
 Date: Wed, 11 Nov 2020 19:24:29 +0100
 Subject: [PATCH] Do not split query strings on `;` anymore.
 Using `;` as a separator instead of `&` was allowed a long time ago,
 but is now obsolete and actually invalid according to the 2014 W3C
 recommendations. Even if this change is technically backwards-incompatible,
 no real-world application should depend on broken behavior. If you REALLY
 need this functionality, monkey-patch the _parse_qsl() function.
 Upstream-commit: 57a2f22e0c1d2b328c4f54bf75741d74f47f1a6b
 Signed-off-by: Kamil Dudka <kdudka@redhat.com>
 ---
 bottle.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/bottle.py b/bottle.py
 index 250a925..94fe8a6 100644
 --- a/bottle.py
 +++ b/bottle.py
@@ -2576,7 +2576,7 @@ def parse_range_header(header, maxlen=0):
 def _parse_qsl(qs):
     r = []
 -    for pair in qs.replace(';','&').split('&'):
 +    for pair in qs.split('&'):
         if not pair: continue
         nv = pair.split('=', 1)
         if len(nv) != 2: nv.append('')
 -- 
 2.26.3
--- a/0002-bottle-0.12.13-CVE-2022-31799.patch
+++ b/0002-bottle-0.12.13-CVE-2022-31799.patch
@ -1,45 +0,0 @@
 From db0c0e711b0eb95df592d22890a043e2c0dd741e Mon Sep 17 00:00:00 2001
 From: Marcel Hellkamp <marc@gsites.de>
 Date: Thu, 26 May 2022 14:49:32 +0200
 Subject: [PATCH] Gracefully handle errors during early request binding.
 Upstream-commit: e140e1b54da721a660f2eb9d58a106b7b3ff2f00
 Signed-off-by: Kamil Dudka <kdudka@redhat.com>
 ---
 bottle.py | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
 diff --git a/bottle.py b/bottle.py
 index 94fe8a6..74cb169 100644
 --- a/bottle.py
 +++ b/bottle.py
@@ -841,17 +841,19 @@ class Bottle(object):
         return tob(template(ERROR_PAGE_TEMPLATE, e=res))
     def _handle(self, environ):
 -        path = environ['bottle.raw_path'] = environ['PATH_INFO']
 -        if py3k:
 -            try:
 -                environ['PATH_INFO'] = path.encode('latin1').decode('utf8')
 -            except UnicodeError:
 -                return HTTPError(400, 'Invalid path string. Expected UTF-8')
 -
         try:
 +
             environ['bottle.app'] = self
             request.bind(environ)
             response.bind()
 +
 +            path = environ['bottle.raw_path'] = environ['PATH_INFO']
 +            if py3k:
 +                try:
 +                    environ['PATH_INFO'] = path.encode('latin1').decode('utf8')
 +                except UnicodeError:
 +                    return HTTPError(400, 'Invalid path string. Expected UTF-8')
 +
             try:
                 self.trigger_hook('before_request')
                 route, args = self.router.match(environ)
 -- 
 2.37.1
--- a/SPECS/python-bottle.spec
+++ b/SPECS/python-bottle.spec
@ -9,7 +9,7 @@
 Name:           python-%{srcname}
 Version:        0.12.13
-Release:        8%{?dist}
+Release:        3%{?dist}
 Summary:        Fast and simple WSGI-framework for small web-applications
 Group:          Development/Languages
@ -17,12 +17,6 @@ License:        MIT
 URL:            http://bottlepy.org
 Source0:        https://github.com/bottlepy/%{srcname}/archive/%{version}.tar.gz#/%{srcname}-%{version}.tar.gz
 # Do not split query strings on `;` anymore (CVE-2020-28473)
 Patch1:         0001-bottle-0.12.13-CVE-2020-28473.patch
 # Gracefully handle errors during early request binding (CVE-2022-31799)
 Patch2:         0002-bottle-0.12.13-CVE-2022-31799.patch
 BuildArch:      noarch
 %if %{with python2}
 BuildRequires:  python2-devel
@ -66,8 +60,6 @@ Python Standard Library.
 %prep
 %setup -q -n %{srcname}-%{version}
 sed -i '/^#!/d' bottle.py
 %patch1 -p1
 %patch2 -p1
 %build
 %if %{with python2}
@ -105,15 +97,6 @@ rm %{buildroot}%{_bindir}/bottle.py
 %{python3_sitelib}/*.py
 %changelog
 * Tue Aug 15 2023 Lukáš Zaoral <lzaoral@redhat.com> - 0.12.13-8
 - rebuild for sync
 * Tue Aug 23 2022 Kamil Dudka <kdudka@redhat.com> - 0.12.13-7
 - Gracefully handle errors during early request binding (CVE-2022-31799)
 * Fri Mar 26 2021 Kamil Dudka <kdudka@redhat.com> - 0.12.13-6
 - Do not split query strings on `;` anymore (CVE-2020-28473)
 * Fri Jun 08 2018 Charalampos Stratakis <cstratak@redhat.com> - 0.12.13-3
 - Conditionalize the python2 subpackage
--- a/gating.yaml
+++ b/gating.yaml
@ -1,6 +0,0 @@
 --- !Policy
 product_versions:
  - rhel-8
 decision_context: osci_compose_gate
 rules:
  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
--- a/1
+++ b/1
@ -1 +0,0 @@
 SHA512 (bottle-0.12.13.tar.gz) = 8487e1e339d84964f1448503ee894d2f4f313218417175341911f0b8a48c383d7d4334fb27bd477ea6267e8c1a2e41e2d91c86e56f0f95aa57248a7ea36a2b8e
--- a/tests/build-pycurl/runtest.sh
+++ b/tests/build-pycurl/runtest.sh
@ -1,13 +0,0 @@
 #!/bin/bash
 # exit immediately if any command returns non-zero exit code
 set -e
 # print commands as they are executed by the shell interpreter
 set -x
 # download source RPM of python-pycurl
 yum download --source python-pycurl
 # rebuild the source RPM (%check uses bottle)
 rpmbuild --rebuild ./python-pycurl-*.src.rpm
--- a/tests/simple-server/hello.py
+++ b/tests/simple-server/hello.py
@ -1,8 +0,0 @@
 #!/usr/bin/python3
 from bottle import route, run, template
@route('/hello/<name>')
 def index(name):
    return template('<b>Hello {{name}}</b>!', name=name)
 run(host='localhost', port=1234)
--- a/tests/simple-server/runtest.sh
+++ b/tests/simple-server/runtest.sh
@ -1,38 +0,0 @@
 #!/bin/bash
 # exit immediately if any command returns non-zero exit code
 set -e
 # print commands as they are executed by the shell interpreter
 set -x
 # global constants
 HOST="localhost"
 PORT="1234"
 URL="http://${HOST}:${PORT}/hello/rhel"
 CURL_OUT="./curl.out"
 CURL_ERR="./curl.err"
 # print versions of related pkgs
 PKGS="$(set +x; eval echo {lib,}curl python3-bottle)"
 rpm -q $PKGS | sort -V
 rpm -V $PKGS
 # run HTTP server in the background
 ./hello.py &
 BOTTLE_PID=$!
 # FIXME: wait for open port instead
 sleep 2
 # check that HTTP server works using curl
 curl -fsvo $CURL_OUT $URL
 # check whether the received data matches the expected contents
 diff <(printf "<b>Hello rhel</b>!") $CURL_OUT
 # kill nghttpd running in the background
 kill $BOTTLE_PID
 # wait till the background process finishes
 wait
--- a/tests/tests.yml
+++ b/tests/tests.yml
@ -1,24 +0,0 @@
 - hosts: localhost
  roles:
  - role: standard-test-basic
    tags:
    - classic
    tests:
     - simple-server:
        dir: simple-server
        run: ./runtest.sh
     - build-pycurl:
        dir: build-pycurl
        run: ./runtest.sh
    required_packages:
    - curl
    - dnf
    - gcc
    - libcurl-devel
    - make
    - openssl-devel
    - python3-devel
    - python3-bottle
    - python3-nose
    - rpm-build
    - vsftpd
		`@ -0,0 +1 @@`
							`c21f52c1ea93336a830f857000ee38c7938a4539 SOURCES/bottle-0.12.13.tar.gz`
		`@ -1 +0,0 @@`
			`SHA512 (bottle-0.12.13.tar.gz) = 8487e1e339d84964f1448503ee894d2f4f313218417175341911f0b8a48c383d7d4334fb27bd477ea6267e8c1a2e41e2d91c86e56f0f95aa57248a7ea36a2b8e`