rpms/python-bottle
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

merge into: rpms:c8
Branches Tags
rpms:c8
rpms:c10s
rpms:c8s
rpms:imports/c10s/python-bottle-0.12.13-8.el10
rpms:imports/c8/python-bottle-0.12.13-3.el8
...
pull from: rpms:c10s
Branches Tags
rpms:c10s
rpms:c8s
rpms:c8
rpms:imports/c10s/python-bottle-0.12.13-8.el10
rpms:imports/c8/python-bottle-0.12.13-3.el8

No commits in common. "c8" and "c10s" have entirely different histories.
c8 ... c10s

11 changed files with 193 additions and 3 deletions
Show Stats Expand all files Collapse all files

8
.gitignore vendored
View File

@ -1 +1,7 @@
SOURCES/bottle-0.12.13.tar.gz /bottle-0.9.5.tar.gz
/bottle-0.10.7.tar.gz
/bottle-0.11.6.tar.gz
/bottle-0.11.7.tar.gz
/bottle-0.12.6.tar.gz
/bottle-0.12.9.tar.gz
/bottle-0.12.13.tar.gz

1
.python-bottle.metadata
View File

@ -1 +0,0 @@
c21f52c1ea93336a830f857000ee38c7938a4539 SOURCES/bottle-0.12.13.tar.gz

33
0001-bottle-0.12.13-CVE-2020-28473.patch Normal file
View File

@ -0,0 +1,33 @@
From 6406338d47034d3d2e6678bdbdafafa6a6e35b2c Mon Sep 17 00:00:00 2001
From: Marcel Hellkamp <marc@gsites.de>
Date: Wed, 11 Nov 2020 19:24:29 +0100
Subject: [PATCH] Do not split query strings on `;` anymore.
Using `;` as a separator instead of `&` was allowed a long time ago,
but is now obsolete and actually invalid according to the 2014 W3C
recommendations. Even if this change is technically backwards-incompatible,
no real-world application should depend on broken behavior. If you REALLY
need this functionality, monkey-patch the _parse_qsl() function.
Upstream-commit: 57a2f22e0c1d2b328c4f54bf75741d74f47f1a6b
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
bottle.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bottle.py b/bottle.py
index 250a925..94fe8a6 100644
--- a/bottle.py
+++ b/bottle.py
@@ -2576,7 +2576,7 @@ def parse_range_header(header, maxlen=0):
def _parse_qsl(qs):
r = []
- for pair in qs.replace(';','&').split('&'):
+ for pair in qs.split('&'):
if not pair: continue
nv = pair.split('=', 1)
if len(nv) != 2: nv.append('')
--
2.26.3

45
0002-bottle-0.12.13-CVE-2022-31799.patch Normal file
View File

@ -0,0 +1,45 @@
From db0c0e711b0eb95df592d22890a043e2c0dd741e Mon Sep 17 00:00:00 2001
From: Marcel Hellkamp <marc@gsites.de>
Date: Thu, 26 May 2022 14:49:32 +0200
Subject: [PATCH] Gracefully handle errors during early request binding.
Upstream-commit: e140e1b54da721a660f2eb9d58a106b7b3ff2f00
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
bottle.py | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/bottle.py b/bottle.py
index 94fe8a6..74cb169 100644
--- a/bottle.py
+++ b/bottle.py
@@ -841,17 +841,19 @@ class Bottle(object):
return tob(template(ERROR_PAGE_TEMPLATE, e=res))
def _handle(self, environ):
- path = environ['bottle.raw_path'] = environ['PATH_INFO']
- if py3k:
- try:
- environ['PATH_INFO'] = path.encode('latin1').decode('utf8')
- except UnicodeError:
- return HTTPError(400, 'Invalid path string. Expected UTF-8')
-
try:
+
environ['bottle.app'] = self
request.bind(environ)
response.bind()
+
+ path = environ['bottle.raw_path'] = environ['PATH_INFO']
+ if py3k:
+ try:
+ environ['PATH_INFO'] = path.encode('latin1').decode('utf8')
+ except UnicodeError:
+ return HTTPError(400, 'Invalid path string. Expected UTF-8')
+
try:
self.trigger_hook('before_request')
route, args = self.router.match(environ)
--
2.37.1

6
gating.yaml Normal file
View File

@ -0,0 +1,6 @@
--- !Policy
product_versions:
- rhel-8
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}

19
SPECS/python-bottle.spec → python-bottle.spec
View File

@ -9,7 +9,7 @@
Name: python-%{srcname} Name: python-%{srcname}
Version: 0.12.13 Version: 0.12.13
Release: 3%{?dist} Release: 8%{?dist}
Summary: Fast and simple WSGI-framework for small web-applications Summary: Fast and simple WSGI-framework for small web-applications
Group: Development/Languages Group: Development/Languages
@ -17,6 +17,12 @@ License: MIT
URL: http://bottlepy.org URL: http://bottlepy.org
Source0: https://github.com/bottlepy/%{srcname}/archive/%{version}.tar.gz#/%{srcname}-%{version}.tar.gz Source0: https://github.com/bottlepy/%{srcname}/archive/%{version}.tar.gz#/%{srcname}-%{version}.tar.gz
# Do not split query strings on `;` anymore (CVE-2020-28473)
Patch1: 0001-bottle-0.12.13-CVE-2020-28473.patch
# Gracefully handle errors during early request binding (CVE-2022-31799)
Patch2: 0002-bottle-0.12.13-CVE-2022-31799.patch
BuildArch: noarch BuildArch: noarch
%if %{with python2} %if %{with python2}
BuildRequires: python2-devel BuildRequires: python2-devel
@ -60,6 +66,8 @@ Python Standard Library.
%prep %prep
%setup -q -n %{srcname}-%{version} %setup -q -n %{srcname}-%{version}
sed -i '/^#!/d' bottle.py sed -i '/^#!/d' bottle.py
%patch1 -p1
%patch2 -p1
%build %build
%if %{with python2} %if %{with python2}
@ -97,6 +105,15 @@ rm %{buildroot}%{_bindir}/bottle.py
%{python3_sitelib}/*.py %{python3_sitelib}/*.py
%changelog %changelog
* Tue Aug 15 2023 Lukáš Zaoral <lzaoral@redhat.com> - 0.12.13-8
- rebuild for sync
* Tue Aug 23 2022 Kamil Dudka <kdudka@redhat.com> - 0.12.13-7
- Gracefully handle errors during early request binding (CVE-2022-31799)
* Fri Mar 26 2021 Kamil Dudka <kdudka@redhat.com> - 0.12.13-6
- Do not split query strings on `;` anymore (CVE-2020-28473)
* Fri Jun 08 2018 Charalampos Stratakis <cstratak@redhat.com> - 0.12.13-3 * Fri Jun 08 2018 Charalampos Stratakis <cstratak@redhat.com> - 0.12.13-3
- Conditionalize the python2 subpackage - Conditionalize the python2 subpackage

1
sources Normal file
View File

@ -0,0 +1 @@
SHA512 (bottle-0.12.13.tar.gz) = 8487e1e339d84964f1448503ee894d2f4f313218417175341911f0b8a48c383d7d4334fb27bd477ea6267e8c1a2e41e2d91c86e56f0f95aa57248a7ea36a2b8e

13
tests/build-pycurl/runtest.sh Executable file
View File

@ -0,0 +1,13 @@
#!/bin/bash
# exit immediately if any command returns non-zero exit code
set -e
# print commands as they are executed by the shell interpreter
set -x
# download source RPM of python-pycurl
yum download --source python-pycurl
# rebuild the source RPM (%check uses bottle)
rpmbuild --rebuild ./python-pycurl-*.src.rpm

8
tests/simple-server/hello.py Executable file
View File

@ -0,0 +1,8 @@
#!/usr/bin/python3
from bottle import route, run, template
@route('/hello/<name>')
def index(name):
return template('<b>Hello {{name}}</b>!', name=name)
run(host='localhost', port=1234)

38
tests/simple-server/runtest.sh Executable file
View File

@ -0,0 +1,38 @@
#!/bin/bash
# exit immediately if any command returns non-zero exit code
set -e
# print commands as they are executed by the shell interpreter
set -x
# global constants
HOST="localhost"
PORT="1234"
URL="http://${HOST}:${PORT}/hello/rhel"
CURL_OUT="./curl.out"
CURL_ERR="./curl.err"
# print versions of related pkgs
PKGS="$(set +x; eval echo {lib,}curl python3-bottle)"
rpm -q $PKGS | sort -V
rpm -V $PKGS
# run HTTP server in the background
./hello.py &
BOTTLE_PID=$!
# FIXME: wait for open port instead
sleep 2
# check that HTTP server works using curl
curl -fsvo $CURL_OUT $URL
# check whether the received data matches the expected contents
diff <(printf "<b>Hello rhel</b>!") $CURL_OUT
# kill nghttpd running in the background
kill $BOTTLE_PID
# wait till the background process finishes
wait

24
tests/tests.yml Normal file
View File

@ -0,0 +1,24 @@
- hosts: localhost
roles:
- role: standard-test-basic
tags:
- classic
tests:
- simple-server:
dir: simple-server
run: ./runtest.sh
- build-pycurl:
dir: build-pycurl
run: ./runtest.sh
required_packages:
- curl
- dnf
- gcc
- libcurl-devel
- make
- openssl-devel
- python3-devel
- python3-bottle
- python3-nose
- rpm-build
- vsftpd