rpms/python-pymongo
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Update to 3.2.1 (#1304137).

Browse Source 
Additionally:
- Remove use of needless defattr macros (#1303426).
- Remove lots of if statements as this spec file will only be used on Rawhide.
- Remove dependency on python-backports-ssl_match_hostname as it is not needed in Fedora.
- Rework the patch for CVE-2013-7440 and CVE-2013-2099 so that it exclusively uses code from Python.
This commit is contained in:
Randy Barlow 2016-02-03 22:44:24 -05:00
parent 8d816f0a83
commit 3b0753062e
3 changed files with 170 additions and 105 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

154
0002-Use-ssl.match_hostname-from-the-Python-stdlib.patch Normal file
View File

@ -0,0 +1,154 @@
From ceb275ef3c63d4324e05539242283de083bd08d6 Mon Sep 17 00:00:00 2001
From: Randy Barlow <randy@electronsweatshop.com>
Date: Wed, 3 Feb 2016 22:10:28 -0500
Subject: [PATCH] Use ssl.match_hostname from the Python stdlib.
---
pymongo/errors.py | 5 +--
pymongo/pool.py | 6 +--
pymongo/ssl_match_hostname.py | 100 ------------------------------------------
3 files changed, 2 insertions(+), 109 deletions(-)
delete mode 100644 pymongo/ssl_match_hostname.py
diff --git a/pymongo/errors.py b/pymongo/errors.py
index fe7b71a..0ba6006 100644
--- a/pymongo/errors.py
+++ b/pymongo/errors.py
@@ -16,10 +16,7 @@
from bson.errors import *
-try:
- from ssl import CertificateError
-except ImportError:
- from pymongo.ssl_match_hostname import CertificateError
+from ssl import CertificateError
class PyMongoError(Exception):
diff --git a/pymongo/pool.py b/pymongo/pool.py
index 904c6b1..5fe663c 100644
--- a/pymongo/pool.py
+++ b/pymongo/pool.py
@@ -44,11 +44,7 @@ from pymongo.server_type import SERVER_TYPE
# main thread, to avoid the deadlock. See PYTHON-607.
u('foo').encode('idna')
-try:
- from ssl import match_hostname, CertificateError
-except ImportError:
- # These don't require the ssl module
- from pymongo.ssl_match_hostname import match_hostname, CertificateError
+from ssl import match_hostname, CertificateError
def _raise_connection_failure(address, error):
diff --git a/pymongo/ssl_match_hostname.py b/pymongo/ssl_match_hostname.py
deleted file mode 100644
index f74df15..0000000
--- a/pymongo/ssl_match_hostname.py
+++ /dev/null
@@ -1,100 +0,0 @@
-# Backport of the match_hostname logic introduced in python 3.2
-# http://hg.python.org/releasing/3.3.5/file/993955b807b3/Lib/ssl.py
-
-import re
-
-
-class CertificateError(ValueError):
- pass
-
-
-def _dnsname_match(dn, hostname, max_wildcards=1):
- """Matching according to RFC 6125, section 6.4.3
-
- http://tools.ietf.org/html/rfc6125#section-6.4.3
- """
- pats = []
- if not dn:
- return False
-
- parts = dn.split(r'.')
- leftmost = parts[0]
- remainder = parts[1:]
-
- wildcards = leftmost.count('*')
- if wildcards > max_wildcards:
- # Issue #17980: avoid denials of service by refusing more
- # than one wildcard per fragment. A survey of established
- # policy among SSL implementations showed it to be a
- # reasonable choice.
- raise CertificateError(
- "too many wildcards in certificate DNS name: " + repr(dn))
-
- # speed up common case w/o wildcards
- if not wildcards:
- return dn.lower() == hostname.lower()
-
- # RFC 6125, section 6.4.3, subitem 1.
- # The client SHOULD NOT attempt to match a presented identifier in which
- # the wildcard character comprises a label other than the left-most label.
- if leftmost == '*':
- # When '*' is a fragment by itself, it matches a non-empty dotless
- # fragment.
- pats.append('[^.]+')
- elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
- # RFC 6125, section 6.4.3, subitem 3.
- # The client SHOULD NOT attempt to match a presented identifier
- # where the wildcard character is embedded within an A-label or
- # U-label of an internationalized domain name.
- pats.append(re.escape(leftmost))
- else:
- # Otherwise, '*' matches any dotless string, e.g. www*
- pats.append(re.escape(leftmost).replace(r'\*', '[^.]*'))
-
- # add the remaining fragments, ignore any wildcards
- for frag in remainder:
- pats.append(re.escape(frag))
-
- pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
- return pat.match(hostname)
-
-
-def match_hostname(cert, hostname):
- """Verify that *cert* (in decoded format as returned by
- SSLSocket.getpeercert()) matches the *hostname*. RFC 2818 and RFC 6125
- rules are followed, but IP addresses are not accepted for *hostname*.
-
- CertificateError is raised on failure. On success, the function
- returns nothing.
- """
- if not cert:
- raise ValueError("empty or no certificate")
- dnsnames = []
- san = cert.get('subjectAltName', ())
- for key, value in san:
- if key == 'DNS':
- if _dnsname_match(value, hostname):
- return
- dnsnames.append(value)
- if not dnsnames:
- # The subject is only checked when there is no dNSName entry
- # in subjectAltName
- for sub in cert.get('subject', ()):
- for key, value in sub:
- # XXX according to RFC 2818, the most specific Common Name
- # must be used.
- if key == 'commonName':
- if _dnsname_match(value, hostname):
- return
- dnsnames.append(value)
- if len(dnsnames) > 1:
- raise CertificateError("hostname %r "
- "doesn't match either of %s"
- % (hostname, ', '.join(map(repr, dnsnames))))
- elif len(dnsnames) == 1:
- raise CertificateError("hostname %r "
- "doesn't match %r"
- % (hostname, dnsnames[0]))
- else:
- raise CertificateError("no appropriate commonName or "
- "subjectAltName fields were found")
--
2.7.0

39
0002-Use-ssl_match_hostname-from-backports.patch
View File

@ -1,39 +0,0 @@
From d6d5496f555e1bdb3d5f4ca44a0141ce3bd80074 Mon Sep 17 00:00:00 2001
From: Haikel Guemar <hguemar@fedoraproject.org>
Date: Thu, 1 Oct 2015 11:45:17 +0200
Subject: [PATCH 2/2] Use ssl_match_hostname from backports
---
pymongo/errors.py | 2 +-
pymongo/pool.py | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/pymongo/errors.py b/pymongo/errors.py
index bcd0df5..82bfd5f 100644
--- a/pymongo/errors.py
+++ b/pymongo/errors.py
@@ -19,7 +19,7 @@ from bson.errors import *
try:
from ssl import CertificateError
except ImportError:
- from pymongo.ssl_match_hostname import CertificateError
+ from backports.ssl_match_hostname import CertificateError
class PyMongoError(Exception):
diff --git a/pymongo/pool.py b/pymongo/pool.py
index e557ab5..50593bd 100644
--- a/pymongo/pool.py
+++ b/pymongo/pool.py
@@ -45,7 +45,7 @@ try:
from ssl import match_hostname, CertificateError
except ImportError:
# These don't require the ssl module
- from pymongo.ssl_match_hostname import match_hostname, CertificateError
+ from backports.ssl_match_hostname import match_hostname, CertificateError
def _raise_connection_failure(address, error):
--
2.5.0

82
python-pymongo.spec
View File

@ -1,13 +1,3 @@
%if 0%{?fedora}
%global with_python3 1
%endif
%if 0%{?rhel} && 0%{?rhel} <= 6
%{!?__python2: %global __python2 /usr/bin/python2}
%{!?python2_sitelib: %global python2_sitelib %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")}
%{!?python2_sitearch: %global python2_sitearch %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
%endif
# Fix private-shared-object-provides error
%{?filter_setup:
%filter_provides_in %{python_sitearch}.*\.so$
@ -15,33 +5,27 @@
}
Name: python-pymongo
Version: 3.2
Version: 3.2.1
Release: 1%{?dist}
Summary: Python driver for MongoDB
Group: Development/Languages
Summary: Python driver for MongoDB
# All code is ASL 2.0 except bson/time64*.{c,h} which is MIT
License: ASL 2.0 and MIT
URL: http://api.mongodb.org/python
Source0: https://github.com/mongodb/mongo-python-driver/archive/%{version}.tar.gz
Patch01: 0001-Serverless-test-suite-workaround.patch
Patch02: 0002-Use-ssl_match_hostname-from-backports.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
# This patch removes the bundled ssl.match_hostname library as it was vulnerable to CVE-2013-7440
# and CVE-2013-2099, and wasn't needed anyway since Fedora >= 22 has the needed module in the Python
# standard library. It also adjusts imports so that they exclusively use the code from Python.
Patch02: 0002-Use-ssl.match_hostname-from-the-Python-stdlib.patch
BuildRequires: python2-devel
BuildRequires: python-nose
BuildRequires: python-setuptools
%if 0%{?rhel} && 0%{?rhel} <= 6
BuildRequires: python-unittest2
%endif
BuildRequires: python-backports-ssl_match_hostname
%if 0%{?with_python3}
BuildRequires: python-tools
BuildRequires: python2-devel
BuildRequires: python2-setuptools
BuildRequires: python2-sphinx
BuildRequires: python3-devel
BuildRequires: python3-setuptools
%endif # if with_python3
# Mongodb must run on a little-endian CPU (see bug #630898)
ExcludeArch: ppc ppc64 %{sparc} s390 s390x
@ -61,7 +45,6 @@ Documentation for python-pymongo.
%package -n python2-bson
Summary: Python bson library
Group: Development/Libraries
%{?python_provide:%python_provide python2-bson}
@ -71,10 +54,8 @@ to be lightweight, traversable, and efficient. BSON, like JSON, supports the
embedding of objects and arrays within other objects and arrays.
%if 0%{?with_python3}
%package -n python3-bson
Summary: Python bson library
Group: Development/Libraries
%{?python_provide:%python_provide python3-bson}
@ -83,15 +64,12 @@ BSON is a binary-encoded serialization of JSON-like documents. BSON is designed
to be lightweight, traversable, and efficient. BSON, like JSON, supports the
embedding of objects and arrays within other objects and arrays. This package
contains the python3 version of this module.
%endif # with_python3
%package -n python2-pymongo
Summary: Python driver for MongoDB
Group: Development/Languages
Requires: python-backports-ssl_match_hostname
Requires: python2-bson = %{version}-%{release}
Requires: python2-bson = %{version}-%{release}
Provides: pymongo = %{version}-%{release}
Obsoletes: pymongo <= 2.1.1-4
%{?python_provide:%python_provide python2-pymongo}
@ -102,10 +80,8 @@ The Python driver for MongoDB. This package contains the python2 version of
this module.
%if 0%{?with_python3}
%package -n python3-pymongo
Summary: Python driver for MongoDB
Group: Development/Languages
Requires: python3-bson = %{version}-%{release}
%{?python_provide:%python_provide python3-pymongo}
@ -113,12 +89,10 @@ Requires: python3-bson = %{version}-%{release}
%description -n python3-pymongo
The Python driver for MongoDB. This package contains the python3 version of
this module.
%endif # with_python3
%package -n python2-pymongo-gridfs
Summary: Python GridFS driver for MongoDB
Group: Development/Libraries
Requires: %{name}%{?_isa} = %{version}-%{release}
Provides: pymongo-gridfs = %{version}-%{release}
Obsoletes: pymongo-gridfs <= 2.1.1-4
@ -129,10 +103,8 @@ Obsoletes: pymongo-gridfs <= 2.1.1-4
GridFS is a storage specification for large objects in MongoDB.
%if 0%{?with_python3}
%package -n python3-pymongo-gridfs
Summary: Python GridFS driver for MongoDB
Group: Development/Libraries
Requires: python3-pymongo%{?_isa} = %{version}-%{release}
%{?python_provide:%python_provide python3-pymongo-gridfs}
@ -140,30 +112,23 @@ Requires: python3-pymongo%{?_isa} = %{version}-%{release}
%description -n python3-pymongo-gridfs
GridFS is a storage specification for large objects in MongoDB. This package
contains the python3 version of this module.
%endif # with_python3
%prep
%setup -q -n mongo-python-driver-%{version}
%patch01 -p1 -b .test
%patch02 -p1 -b .ssl
# remove bundled ssl.mast_hostname code
rm pymongo/ssl_match_hostname.py
%if 0%{?with_python3}
rm -rf %{py3dir}
cp -a . %{py3dir}
%endif # with_python3
%build
CFLAGS="%{optflags}" %{__python2} setup.py build
%if 0%{?with_python3}
pushd %{py3dir}
CFLAGS="%{optflags}" %{__python3} setup.py build
popd
%endif # with_python3
pushd doc
make html
@ -177,18 +142,12 @@ rm -rf %{buildroot}
chmod 755 %{buildroot}%{python2_sitearch}/bson/*.so
chmod 755 %{buildroot}%{python2_sitearch}/pymongo/*.so
%if 0%{?with_python3}
pushd %{py3dir}
%{__python3} setup.py install --skip-build --root $RPM_BUILD_ROOT
# Fix permissions
chmod 755 %{buildroot}%{python3_sitearch}/bson/*.so
chmod 755 %{buildroot}%{python3_sitearch}/pymongo/*.so
popd
%endif # with_python3
%clean
rm -rf %{buildroot}
%files doc
@ -197,59 +156,44 @@ rm -rf %{buildroot}
%files -n python2-bson
%defattr(-,root,root,-)
%license LICENSE
%doc README.rst
%{python2_sitearch}/bson
%if 0%{?with_python3}
%files -n python3-bson
%defattr(-,root,root,-)
%license LICENSE
%doc README.rst
%{python3_sitearch}/bson
%endif # with_python3
%files -n python2-pymongo
%defattr(-,root,root,-)
%license LICENSE
%doc README.rst
%{python2_sitearch}/pymongo
%{python2_sitearch}/pymongo-%{version}-*.egg-info
%if 0%{?with_python3}
%files -n python3-pymongo
%defattr(-,root,root,-)
%license LICENSE
%doc README.rst
%{python3_sitearch}/pymongo
%{python3_sitearch}/pymongo-%{version}-*.egg-info
%endif # with_python3
%files -n python2-pymongo-gridfs
%defattr(-,root,root,-)
%license LICENSE
%doc README.rst
%{python2_sitearch}/gridfs
%if 0%{?with_python3}
%files -n python3-pymongo-gridfs
%defattr(-,root,root,-)
%license LICENSE
%doc README.rst
%{python3_sitearch}/gridfs
%endif # with_python3
%check
%if 0%{?rhel} && 0%{?rhel} <= 6
# do not run test under EL6
%else
# Exclude tests that require an active MongoDB connection
exclude='(^test_auth_from_uri$'
exclude+='|^test_auto_auth_login$'
@ -331,10 +275,16 @@ exclude+=')'
pushd test
nosetests --exclude="$exclude"
popd
%endif
%changelog
* Wed Feb 03 2016 Randy Barlow <rbarlow@redhat.com> - 3.2.1-1
- Remove use of needless defattr macros (#1303426).
- Update to 3.2.1 (#1304137).
- Remove lots of if statements as this spec file will only be used on Rawhide.
- Remove dependency on python-backports-ssl_match_hostname as it is not needed in Fedora.
- Rework the patch for CVE-2013-7440 and CVE-2013-2099 so that it exclusively uses code from Python.
* Tue Jan 19 2016 Randy Barlow <rbarlow@redhat.com> - 3.2-1
- Update to 3.2.
- Rename the python- subpackages with a python2- prefix.