11 changed files with 193 additions and 3 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,7 @@
-SOURCES/bottle-0.12.13.tar.gz
+/bottle-0.9.5.tar.gz
+/bottle-0.10.7.tar.gz
+/bottle-0.11.6.tar.gz
+/bottle-0.11.7.tar.gz
+/bottle-0.12.6.tar.gz
+/bottle-0.12.9.tar.gz
+/bottle-0.12.13.tar.gz
--- a/.python-bottle.metadata
+++ b/.python-bottle.metadata
@ -1 +0,0 @@
-c21f52c1ea93336a830f857000ee38c7938a4539 SOURCES/bottle-0.12.13.tar.gz
--- a/0001-bottle-0.12.13-CVE-2020-28473.patch
+++ b/0001-bottle-0.12.13-CVE-2020-28473.patch
@ -0,0 +1,33 @@
+From 6406338d47034d3d2e6678bdbdafafa6a6e35b2c Mon Sep 17 00:00:00 2001
+From: Marcel Hellkamp <marc@gsites.de>
+Date: Wed, 11 Nov 2020 19:24:29 +0100
+Subject: [PATCH] Do not split query strings on `;` anymore.
+
+Using `;` as a separator instead of `&` was allowed a long time ago,
+but is now obsolete and actually invalid according to the 2014 W3C
+recommendations. Even if this change is technically backwards-incompatible,
+no real-world application should depend on broken behavior. If you REALLY
+need this functionality, monkey-patch the _parse_qsl() function.
+
+Upstream-commit: 57a2f22e0c1d2b328c4f54bf75741d74f47f1a6b
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ bottle.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bottle.py b/bottle.py
+index 250a925..94fe8a6 100644
+--- a/bottle.py
+++ b/bottle.py
+@@ -2576,7 +2576,7 @@ def parse_range_header(header, maxlen=0):
+ 
+ def _parse_qsl(qs):
+     r = []
+-    for pair in qs.replace(';','&').split('&'):
+    for pair in qs.split('&'):
+         if not pair: continue
+         nv = pair.split('=', 1)
+         if len(nv) != 2: nv.append('')
+-- 
+2.26.3
+
--- a/0002-bottle-0.12.13-CVE-2022-31799.patch
+++ b/0002-bottle-0.12.13-CVE-2022-31799.patch
@ -0,0 +1,45 @@
+From db0c0e711b0eb95df592d22890a043e2c0dd741e Mon Sep 17 00:00:00 2001
+From: Marcel Hellkamp <marc@gsites.de>
+Date: Thu, 26 May 2022 14:49:32 +0200
+Subject: [PATCH] Gracefully handle errors during early request binding.
+
+Upstream-commit: e140e1b54da721a660f2eb9d58a106b7b3ff2f00
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ bottle.py | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/bottle.py b/bottle.py
+index 94fe8a6..74cb169 100644
+--- a/bottle.py
+++ b/bottle.py
+@@ -841,17 +841,19 @@ class Bottle(object):
+         return tob(template(ERROR_PAGE_TEMPLATE, e=res))
+ 
+     def _handle(self, environ):
+-        path = environ['bottle.raw_path'] = environ['PATH_INFO']
+-        if py3k:
+-            try:
+-                environ['PATH_INFO'] = path.encode('latin1').decode('utf8')
+-            except UnicodeError:
+-                return HTTPError(400, 'Invalid path string. Expected UTF-8')
+-
+         try:
+
+             environ['bottle.app'] = self
+             request.bind(environ)
+             response.bind()
+
+            path = environ['bottle.raw_path'] = environ['PATH_INFO']
+            if py3k:
+                try:
+                    environ['PATH_INFO'] = path.encode('latin1').decode('utf8')
+                except UnicodeError:
+                    return HTTPError(400, 'Invalid path string. Expected UTF-8')
+
+             try:
+                 self.trigger_hook('before_request')
+                 route, args = self.router.match(environ)
+-- 
+2.37.1
+
--- a/gating.yaml
+++ b/gating.yaml
@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-8
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
--- a/SPECS/python-bottle.spec
+++ b/SPECS/python-bottle.spec
@ -9,7 +9,7 @@

 Name:           python-%{srcname}
 Version:        0.12.13
-Release:        3%{?dist}
+Release:        8%{?dist}
 Summary:        Fast and simple WSGI-framework for small web-applications

 Group:          Development/Languages
@ -17,6 +17,12 @@ License:        MIT
 URL:            http://bottlepy.org
 Source0:        https://github.com/bottlepy/%{srcname}/archive/%{version}.tar.gz#/%{srcname}-%{version}.tar.gz

+# Do not split query strings on `;` anymore (CVE-2020-28473)
+Patch1:         0001-bottle-0.12.13-CVE-2020-28473.patch
+
+# Gracefully handle errors during early request binding (CVE-2022-31799)
+Patch2:         0002-bottle-0.12.13-CVE-2022-31799.patch
+
 BuildArch:      noarch
 %if %{with python2}
 BuildRequires:  python2-devel
@ -60,6 +66,8 @@ Python Standard Library.
 %prep
 %setup -q -n %{srcname}-%{version}
 sed -i '/^#!/d' bottle.py
+%patch1 -p1
+%patch2 -p1

 %build
 %if %{with python2}
@ -97,6 +105,15 @@ rm %{buildroot}%{_bindir}/bottle.py
 %{python3_sitelib}/*.py

 %changelog
+* Tue Aug 15 2023 Lukáš Zaoral <lzaoral@redhat.com> - 0.12.13-8
+- rebuild for sync
+
+* Tue Aug 23 2022 Kamil Dudka <kdudka@redhat.com> - 0.12.13-7
+- Gracefully handle errors during early request binding (CVE-2022-31799)
+
+* Fri Mar 26 2021 Kamil Dudka <kdudka@redhat.com> - 0.12.13-6
+- Do not split query strings on `;` anymore (CVE-2020-28473)
+
 * Fri Jun 08 2018 Charalampos Stratakis <cstratak@redhat.com> - 0.12.13-3
 - Conditionalize the python2 subpackage

--- a/1
+++ b/1
@ -0,0 +1 @@
+SHA512 (bottle-0.12.13.tar.gz) = 8487e1e339d84964f1448503ee894d2f4f313218417175341911f0b8a48c383d7d4334fb27bd477ea6267e8c1a2e41e2d91c86e56f0f95aa57248a7ea36a2b8e
--- a/tests/build-pycurl/runtest.sh
+++ b/tests/build-pycurl/runtest.sh
@ -0,0 +1,13 @@
+#!/bin/bash
+
+# exit immediately if any command returns non-zero exit code
+set -e
+
+# print commands as they are executed by the shell interpreter
+set -x
+
+# download source RPM of python-pycurl
+yum download --source python-pycurl
+
+# rebuild the source RPM (%check uses bottle)
+rpmbuild --rebuild ./python-pycurl-*.src.rpm
--- a/tests/simple-server/hello.py
+++ b/tests/simple-server/hello.py
@ -0,0 +1,8 @@
+#!/usr/bin/python3
+from bottle import route, run, template
+
+@route('/hello/<name>')
+def index(name):
+    return template('<b>Hello {{name}}</b>!', name=name)
+
+run(host='localhost', port=1234)
--- a/tests/simple-server/runtest.sh
+++ b/tests/simple-server/runtest.sh
@ -0,0 +1,38 @@
+#!/bin/bash
+
+# exit immediately if any command returns non-zero exit code
+set -e
+
+# print commands as they are executed by the shell interpreter
+set -x
+
+# global constants
+HOST="localhost"
+PORT="1234"
+URL="http://${HOST}:${PORT}/hello/rhel"
+CURL_OUT="./curl.out"
+CURL_ERR="./curl.err"
+
+# print versions of related pkgs
+PKGS="$(set +x; eval echo {lib,}curl python3-bottle)"
+rpm -q $PKGS | sort -V
+rpm -V $PKGS
+
+# run HTTP server in the background
+./hello.py &
+BOTTLE_PID=$!
+
+# FIXME: wait for open port instead
+sleep 2
+
+# check that HTTP server works using curl
+curl -fsvo $CURL_OUT $URL
+
+# check whether the received data matches the expected contents
+diff <(printf "<b>Hello rhel</b>!") $CURL_OUT
+
+# kill nghttpd running in the background
+kill $BOTTLE_PID
+
+# wait till the background process finishes
+wait
--- a/tests/tests.yml
+++ b/tests/tests.yml
@ -0,0 +1,24 @@
+- hosts: localhost
+  roles:
+  - role: standard-test-basic
+    tags:
+    - classic
+    tests:
+     - simple-server:
+        dir: simple-server
+        run: ./runtest.sh
+     - build-pycurl:
+        dir: build-pycurl
+        run: ./runtest.sh
+    required_packages:
+    - curl
+    - dnf
+    - gcc
+    - libcurl-devel
+    - make
+    - openssl-devel
+    - python3-devel
+    - python3-bottle
+    - python3-nose
+    - rpm-build
+    - vsftpd
				`@ -1 +0,0 @@`
				`c21f52c1ea93336a830f857000ee38c7938a4539 SOURCES/bottle-0.12.13.tar.gz`
				`@ -0,0 +1 @@`
				`SHA512 (bottle-0.12.13.tar.gz) = 8487e1e339d84964f1448503ee894d2f4f313218417175341911f0b8a48c383d7d4334fb27bd477ea6267e8c1a2e41e2d91c86e56f0f95aa57248a7ea36a2b8e`