Compare commits
No commits in common. "c8-stream-2.7" and "imports/c8-beta-stream-2.7/python2-pip-9.0.3-15.module+el8.2.0+4505+8af359e9" have entirely different histories.
c8-stream-
...
imports/c8
|
@ -1,90 +0,0 @@
|
||||||
From ffbfdb53681207b23bcf67dd76368ad6185ade24 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Lumir Balhar <lbalhar@redhat.com>
|
|
||||||
Date: Thu, 16 Jan 2020 07:06:09 +0100
|
|
||||||
Subject: [PATCH] Fix for CVE-2018-18074
|
|
||||||
|
|
||||||
This patch contains the fix for CVE-2018-18074 and
|
|
||||||
a subsequent regression fix combined in one.
|
|
||||||
---
|
|
||||||
sessions.py | 36 +++++++++++++++++++++++++++++-------
|
|
||||||
utils.py | 1 +
|
|
||||||
2 files changed, 30 insertions(+), 7 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/sessions.py b/sessions.py
|
|
||||||
index 6570e73..4038047 100644
|
|
||||||
--- a/sessions.py
|
|
||||||
+++ b/sessions.py
|
|
||||||
@@ -29,7 +29,7 @@ from .adapters import HTTPAdapter
|
|
||||||
|
|
||||||
from .utils import (
|
|
||||||
requote_uri, get_environ_proxies, get_netrc_auth, should_bypass_proxies,
|
|
||||||
- get_auth_from_url, rewind_body
|
|
||||||
+ get_auth_from_url, rewind_body, DEFAULT_PORTS
|
|
||||||
)
|
|
||||||
|
|
||||||
from .status_codes import codes
|
|
||||||
@@ -116,6 +116,32 @@ class SessionRedirectMixin(object):
|
|
||||||
return to_native_string(location, 'utf8')
|
|
||||||
return None
|
|
||||||
|
|
||||||
+
|
|
||||||
+ def should_strip_auth(self, old_url, new_url):
|
|
||||||
+ """Decide whether Authorization header should be removed when redirecting"""
|
|
||||||
+ old_parsed = urlparse(old_url)
|
|
||||||
+ new_parsed = urlparse(new_url)
|
|
||||||
+ if old_parsed.hostname != new_parsed.hostname:
|
|
||||||
+ return True
|
|
||||||
+ # Special case: allow http -> https redirect when using the standard
|
|
||||||
+ # ports. This isn't specified by RFC 7235, but is kept to avoid
|
|
||||||
+ # breaking backwards compatibility with older versions of requests
|
|
||||||
+ # that allowed any redirects on the same host.
|
|
||||||
+ if (old_parsed.scheme == 'http' and old_parsed.port in (80, None)
|
|
||||||
+ and new_parsed.scheme == 'https' and new_parsed.port in (443, None)):
|
|
||||||
+ return False
|
|
||||||
+
|
|
||||||
+ # Handle default port usage corresponding to scheme.
|
|
||||||
+ changed_port = old_parsed.port != new_parsed.port
|
|
||||||
+ changed_scheme = old_parsed.scheme != new_parsed.scheme
|
|
||||||
+ default_port = (DEFAULT_PORTS.get(old_parsed.scheme, None), None)
|
|
||||||
+ if (not changed_scheme and old_parsed.port in default_port
|
|
||||||
+ and new_parsed.port in default_port):
|
|
||||||
+ return False
|
|
||||||
+
|
|
||||||
+ # Standard case: root URI must match
|
|
||||||
+ return changed_port or changed_scheme
|
|
||||||
+
|
|
||||||
def resolve_redirects(self, resp, req, stream=False, timeout=None,
|
|
||||||
verify=True, cert=None, proxies=None, yield_requests=False, **adapter_kwargs):
|
|
||||||
"""Receives a Response. Returns a generator of Responses or Requests."""
|
|
||||||
@@ -232,14 +258,10 @@ class SessionRedirectMixin(object):
|
|
||||||
headers = prepared_request.headers
|
|
||||||
url = prepared_request.url
|
|
||||||
|
|
||||||
- if 'Authorization' in headers:
|
|
||||||
+ if 'Authorization' in headers and self.should_strip_auth(response.request.url, url):
|
|
||||||
# If we get redirected to a new host, we should strip out any
|
|
||||||
# authentication headers.
|
|
||||||
- original_parsed = urlparse(response.request.url)
|
|
||||||
- redirect_parsed = urlparse(url)
|
|
||||||
-
|
|
||||||
- if (original_parsed.hostname != redirect_parsed.hostname):
|
|
||||||
- del headers['Authorization']
|
|
||||||
+ del headers['Authorization']
|
|
||||||
|
|
||||||
# .netrc might have more auth for us on our new host.
|
|
||||||
new_auth = get_netrc_auth(url) if self.trust_env else None
|
|
||||||
diff --git a/utils.py b/utils.py
|
|
||||||
index 5c47de9..5695ab0 100644
|
|
||||||
--- a/utils.py
|
|
||||||
+++ b/utils.py
|
|
||||||
@@ -38,6 +38,7 @@ NETRC_FILES = ('.netrc', '_netrc')
|
|
||||||
|
|
||||||
DEFAULT_CA_BUNDLE_PATH = certs.where()
|
|
||||||
|
|
||||||
+DEFAULT_PORTS = {'http': 80, 'https': 443}
|
|
||||||
|
|
||||||
if platform.system() == 'Windows':
|
|
||||||
# provide a proxy_bypass version on Windows without DNS lookups
|
|
||||||
--
|
|
||||||
2.24.1
|
|
||||||
|
|
|
@ -1,94 +0,0 @@
|
||||||
From c734f873270cf9ca414832423f7aad98443c379f Mon Sep 17 00:00:00 2001
|
|
||||||
From: Lumir Balhar <lbalhar@redhat.com>
|
|
||||||
Date: Thu, 9 Jan 2020 11:26:24 +0100
|
|
||||||
Subject: [PATCH] CVE-2018-20060
|
|
||||||
|
|
||||||
---
|
|
||||||
poolmanager.py | 11 ++++++++++-
|
|
||||||
util/retry.py | 12 +++++++++++-
|
|
||||||
2 files changed, 21 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/poolmanager.py b/poolmanager.py
|
|
||||||
index 4ae9174..bfa5115 100644
|
|
||||||
--- a/poolmanager.py
|
|
||||||
+++ b/poolmanager.py
|
|
||||||
@@ -312,8 +312,9 @@ class PoolManager(RequestMethods):
|
|
||||||
|
|
||||||
kw['assert_same_host'] = False
|
|
||||||
kw['redirect'] = False
|
|
||||||
+
|
|
||||||
if 'headers' not in kw:
|
|
||||||
- kw['headers'] = self.headers
|
|
||||||
+ kw['headers'] = self.headers.copy()
|
|
||||||
|
|
||||||
if self.proxy is not None and u.scheme == "http":
|
|
||||||
response = conn.urlopen(method, url, **kw)
|
|
||||||
@@ -335,6 +336,14 @@ class PoolManager(RequestMethods):
|
|
||||||
if not isinstance(retries, Retry):
|
|
||||||
retries = Retry.from_int(retries, redirect=redirect)
|
|
||||||
|
|
||||||
+ # Strip headers marked as unsafe to forward to the redirected location.
|
|
||||||
+ # Check remove_headers_on_redirect to avoid a potential network call within
|
|
||||||
+ # conn.is_same_host() which may use socket.gethostbyname() in the future.
|
|
||||||
+ if (retries.remove_headers_on_redirect
|
|
||||||
+ and not conn.is_same_host(redirect_location)):
|
|
||||||
+ for header in retries.remove_headers_on_redirect:
|
|
||||||
+ kw['headers'].pop(header, None)
|
|
||||||
+
|
|
||||||
try:
|
|
||||||
retries = retries.increment(method, url, response=response, _pool=conn)
|
|
||||||
except MaxRetryError:
|
|
||||||
diff --git a/util/retry.py b/util/retry.py
|
|
||||||
index c603cb4..0b83963 100644
|
|
||||||
--- a/util/retry.py
|
|
||||||
+++ b/util/retry.py
|
|
||||||
@@ -126,6 +126,11 @@ class Retry(object):
|
|
||||||
exhausted, to raise a MaxRetryError, or to return a response with a
|
|
||||||
response code in the 3xx range.
|
|
||||||
|
|
||||||
+ :param iterable remove_headers_on_redirect:
|
|
||||||
+ Sequence of headers to remove from the request when a response
|
|
||||||
+ indicating a redirect is returned before firing off the redirected
|
|
||||||
+ request
|
|
||||||
+
|
|
||||||
:param bool raise_on_status: Similar meaning to ``raise_on_redirect``:
|
|
||||||
whether we should raise an exception, or return a response,
|
|
||||||
if status falls in ``status_forcelist`` range and retries have
|
|
||||||
@@ -144,6 +149,8 @@ class Retry(object):
|
|
||||||
DEFAULT_METHOD_WHITELIST = frozenset([
|
|
||||||
'HEAD', 'GET', 'PUT', 'DELETE', 'OPTIONS', 'TRACE'])
|
|
||||||
|
|
||||||
+ DEFAULT_REDIRECT_HEADERS_BLACKLIST = frozenset(['Authorization'])
|
|
||||||
+
|
|
||||||
RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
|
|
||||||
|
|
||||||
#: Maximum backoff time.
|
|
||||||
@@ -152,7 +159,8 @@ class Retry(object):
|
|
||||||
def __init__(self, total=10, connect=None, read=None, redirect=None, status=None,
|
|
||||||
method_whitelist=DEFAULT_METHOD_WHITELIST, status_forcelist=None,
|
|
||||||
backoff_factor=0, raise_on_redirect=True, raise_on_status=True,
|
|
||||||
- history=None, respect_retry_after_header=True):
|
|
||||||
+ history=None, respect_retry_after_header=True,
|
|
||||||
+ remove_headers_on_redirect=DEFAULT_REDIRECT_HEADERS_BLACKLIST):
|
|
||||||
|
|
||||||
self.total = total
|
|
||||||
self.connect = connect
|
|
||||||
@@ -171,6 +179,7 @@ class Retry(object):
|
|
||||||
self.raise_on_status = raise_on_status
|
|
||||||
self.history = history or tuple()
|
|
||||||
self.respect_retry_after_header = respect_retry_after_header
|
|
||||||
+ self.remove_headers_on_redirect = remove_headers_on_redirect
|
|
||||||
|
|
||||||
def new(self, **kw):
|
|
||||||
params = dict(
|
|
||||||
@@ -182,6 +191,7 @@ class Retry(object):
|
|
||||||
raise_on_redirect=self.raise_on_redirect,
|
|
||||||
raise_on_status=self.raise_on_status,
|
|
||||||
history=self.history,
|
|
||||||
+ remove_headers_on_redirect=self.remove_headers_on_redirect,
|
|
||||||
)
|
|
||||||
params.update(kw)
|
|
||||||
return type(self)(**params)
|
|
||||||
--
|
|
||||||
2.24.1
|
|
||||||
|
|
|
@ -1,43 +0,0 @@
|
||||||
From b40eb0f43daecc6e2e3ce47b0be49cf570d02adc Mon Sep 17 00:00:00 2001
|
|
||||||
From: Lumir Balhar <lbalhar@redhat.com>
|
|
||||||
Date: Thu, 9 Jan 2020 11:14:58 +0100
|
|
||||||
Subject: [PATCH] CVE-2019-9740
|
|
||||||
|
|
||||||
---
|
|
||||||
util/url.py | 7 +++++++
|
|
||||||
1 file changed, 7 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/util/url.py b/util/url.py
|
|
||||||
index 6b6f996..2784c85 100644
|
|
||||||
--- a/util/url.py
|
|
||||||
+++ b/util/url.py
|
|
||||||
@@ -1,5 +1,6 @@
|
|
||||||
from __future__ import absolute_import
|
|
||||||
from collections import namedtuple
|
|
||||||
+import re
|
|
||||||
|
|
||||||
from ..exceptions import LocationParseError
|
|
||||||
|
|
||||||
@@ -10,6 +11,8 @@ url_attrs = ['scheme', 'auth', 'host', 'port', 'path', 'query', 'fragment']
|
|
||||||
# urllib3 infers URLs without a scheme (None) to be http.
|
|
||||||
NORMALIZABLE_SCHEMES = ('http', 'https', None)
|
|
||||||
|
|
||||||
+_contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f]')
|
|
||||||
+from ..packages.six.moves.urllib.parse import quote
|
|
||||||
|
|
||||||
class Url(namedtuple('Url', url_attrs)):
|
|
||||||
"""
|
|
||||||
@@ -155,6 +158,10 @@ def parse_url(url):
|
|
||||||
# Empty
|
|
||||||
return Url()
|
|
||||||
|
|
||||||
+ # Prevent CVE-2019-9740.
|
|
||||||
+ # adapted from https://github.com/python/cpython/pull/12755
|
|
||||||
+ url = _contains_disallowed_url_pchar_re.sub(lambda match: quote(match.group()), url)
|
|
||||||
+
|
|
||||||
scheme = None
|
|
||||||
auth = None
|
|
||||||
host = None
|
|
||||||
--
|
|
||||||
2.24.1
|
|
||||||
|
|
|
@ -1,26 +0,0 @@
|
||||||
From 54e768a6dbe3cadeb456dea37bbeaf6e1e17e87c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Lumir Balhar <lbalhar@redhat.com>
|
|
||||||
Date: Thu, 9 Jan 2020 10:47:27 +0100
|
|
||||||
Subject: [PATCH] CVE-2019-11324 Certification mishandle when error should be
|
|
||||||
thrown
|
|
||||||
|
|
||||||
---
|
|
||||||
util/ssl_.py | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/util/ssl_.py b/util/ssl_.py
|
|
||||||
index 32fd9ed..f9f12ff 100644
|
|
||||||
--- a/util/ssl_.py
|
|
||||||
+++ b/util/ssl_.py
|
|
||||||
@@ -319,7 +319,7 @@ def ssl_wrap_socket(sock, keyfile=None, certfile=None, cert_reqs=None,
|
|
||||||
if e.errno == errno.ENOENT:
|
|
||||||
raise SSLError(e)
|
|
||||||
raise
|
|
||||||
- elif getattr(context, 'load_default_certs', None) is not None:
|
|
||||||
+ elif ssl_context is None and hasattr(context, 'load_default_certs'):
|
|
||||||
# try to load OS default certs; works well on Windows (require Python3.4+)
|
|
||||||
context.load_default_certs()
|
|
||||||
|
|
||||||
--
|
|
||||||
2.24.1
|
|
||||||
|
|
|
@ -1,122 +0,0 @@
|
||||||
From 7917dbda14ef64a5e7fdea48383a266577484ac8 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Tomas Orsava <torsava@redhat.com>
|
|
||||||
Date: Wed, 19 Aug 2020 12:51:16 +0200
|
|
||||||
Subject: [PATCH 2/2] FIX #6413 pip install <url> allow directory traversal
|
|
||||||
(tests)
|
|
||||||
|
|
||||||
---
|
|
||||||
tests/unit/test_download.py | 85 +++++++++++++++++++++++++++++++++++++
|
|
||||||
1 file changed, 85 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/tests/unit/test_download.py b/tests/unit/test_download.py
|
|
||||||
index ee4b11c..15f99ec 100644
|
|
||||||
--- a/tests/unit/test_download.py
|
|
||||||
+++ b/tests/unit/test_download.py
|
|
||||||
@@ -1,5 +1,6 @@
|
|
||||||
import hashlib
|
|
||||||
import os
|
|
||||||
+import sys
|
|
||||||
from io import BytesIO
|
|
||||||
from shutil import rmtree, copy
|
|
||||||
from tempfile import mkdtemp
|
|
||||||
@@ -13,6 +14,7 @@ import pip
|
|
||||||
from pip.exceptions import HashMismatch
|
|
||||||
from pip.download import (
|
|
||||||
PipSession, SafeFileCache, path_to_url, unpack_http_url, url_to_path,
|
|
||||||
+ _download_http_url, parse_content_disposition, sanitize_content_filename,
|
|
||||||
unpack_file_url,
|
|
||||||
)
|
|
||||||
from pip.index import Link
|
|
||||||
@@ -123,6 +125,89 @@ def test_unpack_http_url_bad_downloaded_checksum(mock_unpack_file):
|
|
||||||
rmtree(download_dir)
|
|
||||||
|
|
||||||
|
|
||||||
+@pytest.mark.parametrize("filename, expected", [
|
|
||||||
+ ('dir/file', 'file'),
|
|
||||||
+ ('../file', 'file'),
|
|
||||||
+ ('../../file', 'file'),
|
|
||||||
+ ('../', ''),
|
|
||||||
+ ('../..', '..'),
|
|
||||||
+ ('/', ''),
|
|
||||||
+])
|
|
||||||
+def test_sanitize_content_filename(filename, expected):
|
|
||||||
+ """
|
|
||||||
+ Test inputs where the result is the same for Windows and non-Windows.
|
|
||||||
+ """
|
|
||||||
+ assert sanitize_content_filename(filename) == expected
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+@pytest.mark.parametrize("filename, win_expected, non_win_expected", [
|
|
||||||
+ ('dir\\file', 'file', 'dir\\file'),
|
|
||||||
+ ('..\\file', 'file', '..\\file'),
|
|
||||||
+ ('..\\..\\file', 'file', '..\\..\\file'),
|
|
||||||
+ ('..\\', '', '..\\'),
|
|
||||||
+ ('..\\..', '..', '..\\..'),
|
|
||||||
+ ('\\', '', '\\'),
|
|
||||||
+])
|
|
||||||
+def test_sanitize_content_filename__platform_dependent(
|
|
||||||
+ filename,
|
|
||||||
+ win_expected,
|
|
||||||
+ non_win_expected
|
|
||||||
+):
|
|
||||||
+ """
|
|
||||||
+ Test inputs where the result is different for Windows and non-Windows.
|
|
||||||
+ """
|
|
||||||
+ if sys.platform == 'win32':
|
|
||||||
+ expected = win_expected
|
|
||||||
+ else:
|
|
||||||
+ expected = non_win_expected
|
|
||||||
+ assert sanitize_content_filename(filename) == expected
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+@pytest.mark.parametrize("content_disposition, default_filename, expected", [
|
|
||||||
+ ('attachment;filename="../file"', 'df', 'file'),
|
|
||||||
+])
|
|
||||||
+def test_parse_content_disposition(
|
|
||||||
+ content_disposition,
|
|
||||||
+ default_filename,
|
|
||||||
+ expected
|
|
||||||
+):
|
|
||||||
+ actual = parse_content_disposition(content_disposition, default_filename)
|
|
||||||
+ assert actual == expected
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+def test_download_http_url__no_directory_traversal(tmpdir):
|
|
||||||
+ """
|
|
||||||
+ Test that directory traversal doesn't happen on download when the
|
|
||||||
+ Content-Disposition header contains a filename with a ".." path part.
|
|
||||||
+ """
|
|
||||||
+ mock_url = 'http://www.example.com/whatever.tgz'
|
|
||||||
+ contents = b'downloaded'
|
|
||||||
+ link = Link(mock_url)
|
|
||||||
+
|
|
||||||
+ session = Mock()
|
|
||||||
+ resp = MockResponse(contents)
|
|
||||||
+ resp.url = mock_url
|
|
||||||
+ resp.headers = {
|
|
||||||
+ # Set the content-type to a random value to prevent
|
|
||||||
+ # mimetypes.guess_extension from guessing the extension.
|
|
||||||
+ 'content-type': 'random',
|
|
||||||
+ 'content-disposition': 'attachment;filename="../out_dir_file"'
|
|
||||||
+ }
|
|
||||||
+ session.get.return_value = resp
|
|
||||||
+
|
|
||||||
+ download_dir = tmpdir.join('download')
|
|
||||||
+ os.mkdir(download_dir)
|
|
||||||
+ file_path, content_type = _download_http_url(
|
|
||||||
+ link,
|
|
||||||
+ session,
|
|
||||||
+ download_dir,
|
|
||||||
+ hashes=None,
|
|
||||||
+ )
|
|
||||||
+ # The file should be downloaded to download_dir.
|
|
||||||
+ actual = os.listdir(download_dir)
|
|
||||||
+ assert actual == ['out_dir_file']
|
|
||||||
+
|
|
||||||
+
|
|
||||||
@pytest.mark.skipif("sys.platform == 'win32'")
|
|
||||||
def test_path_to_url_unix():
|
|
||||||
assert path_to_url('/tmp/file') == 'file:///tmp/file'
|
|
||||||
--
|
|
||||||
2.25.4
|
|
||||||
|
|
|
@ -1,79 +0,0 @@
|
||||||
From 8044d9f2fbcb09f09a62b26ac1d8a134976bb2ac Mon Sep 17 00:00:00 2001
|
|
||||||
From: gzpan123 <gzpan123@gmail.com>
|
|
||||||
Date: Wed, 17 Apr 2019 21:25:45 +0800
|
|
||||||
Subject: [PATCH 1/2] FIX #6413 pip install <url> allow directory traversal
|
|
||||||
|
|
||||||
---
|
|
||||||
news/6413.bugfix | 3 +++
|
|
||||||
pip/download.py | 31 ++++++++++++++++++++++++++-----
|
|
||||||
2 files changed, 29 insertions(+), 5 deletions(-)
|
|
||||||
create mode 100644 news/6413.bugfix
|
|
||||||
|
|
||||||
diff --git a/news/6413.bugfix b/news/6413.bugfix
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..68d0a72
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/news/6413.bugfix
|
|
||||||
@@ -0,0 +1,3 @@
|
|
||||||
+Prevent ``pip install <url>`` from permitting directory traversal if e.g.
|
|
||||||
+a malicious server sends a ``Content-Disposition`` header with a filename
|
|
||||||
+containing ``../`` or ``..\\``.
|
|
||||||
diff --git a/pip/download.py b/pip/download.py
|
|
||||||
index 039e55a..b3d169b 100644
|
|
||||||
--- a/pip/download.py
|
|
||||||
+++ b/pip/download.py
|
|
||||||
@@ -54,7 +54,8 @@ __all__ = ['get_file_content',
|
|
||||||
'is_url', 'url_to_path', 'path_to_url',
|
|
||||||
'is_archive_file', 'unpack_vcs_link',
|
|
||||||
'unpack_file_url', 'is_vcs_url', 'is_file_url',
|
|
||||||
- 'unpack_http_url', 'unpack_url']
|
|
||||||
+ 'unpack_http_url', 'unpack_url',
|
|
||||||
+ 'parse_content_disposition', 'sanitize_content_filename']
|
|
||||||
|
|
||||||
|
|
||||||
logger = logging.getLogger(__name__)
|
|
||||||
@@ -824,6 +825,29 @@ def unpack_url(link, location, download_dir=None,
|
|
||||||
write_delete_marker_file(location)
|
|
||||||
|
|
||||||
|
|
||||||
+def sanitize_content_filename(filename):
|
|
||||||
+ # type: (str) -> str
|
|
||||||
+ """
|
|
||||||
+ Sanitize the "filename" value from a Content-Disposition header.
|
|
||||||
+ """
|
|
||||||
+ return os.path.basename(filename)
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+def parse_content_disposition(content_disposition, default_filename):
|
|
||||||
+ # type: (str, str) -> str
|
|
||||||
+ """
|
|
||||||
+ Parse the "filename" value from a Content-Disposition header, and
|
|
||||||
+ return the default filename if the result is empty.
|
|
||||||
+ """
|
|
||||||
+ _type, params = cgi.parse_header(content_disposition)
|
|
||||||
+ filename = params.get('filename')
|
|
||||||
+ if filename:
|
|
||||||
+ # We need to sanitize the filename to prevent directory traversal
|
|
||||||
+ # in case the filename contains ".." path parts.
|
|
||||||
+ filename = sanitize_content_filename(filename)
|
|
||||||
+ return filename or default_filename
|
|
||||||
+
|
|
||||||
+
|
|
||||||
def _download_http_url(link, session, temp_dir, hashes):
|
|
||||||
"""Download link url into temp_dir using provided session"""
|
|
||||||
target_url = link.url.split('#', 1)[0]
|
|
||||||
@@ -864,10 +888,7 @@ def _download_http_url(link, session, temp_dir, hashes):
|
|
||||||
# Have a look at the Content-Disposition header for a better guess
|
|
||||||
content_disposition = resp.headers.get('content-disposition')
|
|
||||||
if content_disposition:
|
|
||||||
- type, params = cgi.parse_header(content_disposition)
|
|
||||||
- # We use ``or`` here because we don't want to use an "empty" value
|
|
||||||
- # from the filename param.
|
|
||||||
- filename = params.get('filename') or filename
|
|
||||||
+ filename = parse_content_disposition(content_disposition, filename)
|
|
||||||
ext = splitext(filename)[1]
|
|
||||||
if not ext:
|
|
||||||
ext = mimetypes.guess_extension(content_type)
|
|
||||||
--
|
|
||||||
2.25.4
|
|
||||||
|
|
|
@ -19,7 +19,7 @@
|
||||||
Name: python2-%{srcname}
|
Name: python2-%{srcname}
|
||||||
# When updating, update the bundled libraries versions bellow!
|
# When updating, update the bundled libraries versions bellow!
|
||||||
Version: 9.0.3
|
Version: 9.0.3
|
||||||
Release: 19%{?dist}
|
Release: 15%{?dist}
|
||||||
Summary: A tool for installing and managing Python 2 packages
|
Summary: A tool for installing and managing Python 2 packages
|
||||||
|
|
||||||
Group: Development/Libraries
|
Group: Development/Libraries
|
||||||
|
@ -55,7 +55,7 @@ Source0: https://files.pythonhosted.org/packages/source/p/%{srcname}/%{sr
|
||||||
# git clone https://github.com/pypa/pip && cd pip
|
# git clone https://github.com/pypa/pip && cd pip
|
||||||
# git checkout 9.0.1 && tar -czvf ../pip-9.0.1-tests.tar.gz tests/
|
# git checkout 9.0.1 && tar -czvf ../pip-9.0.1-tests.tar.gz tests/
|
||||||
%if %{with tests}
|
%if %{with tests}
|
||||||
Source1: pip-%{version}-tests.tar.gz
|
Source1: pip-9.0.1-tests.tar.gz
|
||||||
%endif
|
%endif
|
||||||
# Manpage generated by sphinx from source tarball
|
# Manpage generated by sphinx from source tarball
|
||||||
# cd pip-9.0.3/docs && make man && cp _build/man/pip.1 ../../pip2.1
|
# cd pip-9.0.3/docs && make man && cp _build/man/pip.1 ../../pip2.1
|
||||||
|
@ -86,37 +86,6 @@ Patch3: pip-nowarn-upgrade.patch
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1655253
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1655253
|
||||||
Patch4: dummy-certifi.patch
|
Patch4: dummy-certifi.patch
|
||||||
|
|
||||||
# Patch for CVE in the bundled urllib3
|
|
||||||
# CVE-2018-20060 Cross-host redirect does not remove Authorization header allow for credential exposure
|
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-20060
|
|
||||||
Patch5: CVE-2018-20060.patch
|
|
||||||
|
|
||||||
# Patch for CVE in the bundled urllib3
|
|
||||||
# CVE-2019-11236 CRLF injection due to not encoding the '\r\n' sequence leading to possible attack on internal service
|
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-11236
|
|
||||||
Patch6: CVE-2019-11236.patch
|
|
||||||
|
|
||||||
# Patch for CVE in the bundled urllib3
|
|
||||||
# CVE-2019-11324 Certification mishandle when error should be thrown
|
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-11324
|
|
||||||
Patch7: CVE-2019-11324.patch
|
|
||||||
|
|
||||||
# Patch for CVE in the bundled requests
|
|
||||||
# CVE-2018-18074 Redirect from HTTPS to HTTP does not remove Authorization header
|
|
||||||
# This patch fixes both the CVE
|
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1643829
|
|
||||||
# and the subsequent regression
|
|
||||||
# https://github.com/psf/requests/pull/4851
|
|
||||||
Patch8: CVE-2018-18074.patch
|
|
||||||
|
|
||||||
# Patch for pip install <url> allow directory traversal, leading to arbitrary file write
|
|
||||||
# - Upstream PR: https://github.com/pypa/pip/pull/6418/files
|
|
||||||
# - Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1870184
|
|
||||||
# Patch9 fixes the issue
|
|
||||||
# Patch10 adds unit tests for the issue
|
|
||||||
Patch9: pip-directory-traversal-security-issue.patch
|
|
||||||
Patch10: pip-directory-traversal-security-issue-tests.patch
|
|
||||||
|
|
||||||
BuildRequires: python2-devel
|
BuildRequires: python2-devel
|
||||||
BuildRequires: python2-setuptools
|
BuildRequires: python2-setuptools
|
||||||
%if %{with tests}
|
%if %{with tests}
|
||||||
|
@ -217,23 +186,8 @@ tar -xf %{SOURCE1}
|
||||||
%patch3 -p1
|
%patch3 -p1
|
||||||
%patch4 -p1
|
%patch4 -p1
|
||||||
|
|
||||||
# Patching of bundled libraries
|
|
||||||
pushd pip/_vendor/urllib3
|
|
||||||
%patch5 -p1
|
|
||||||
%patch6 -p1
|
|
||||||
%patch7 -p1
|
|
||||||
popd
|
|
||||||
pushd pip/_vendor/requests
|
|
||||||
%patch8 -p1
|
|
||||||
popd
|
|
||||||
%patch9 -p1
|
|
||||||
%if %{with tests}
|
|
||||||
%patch10 -p1
|
|
||||||
%endif
|
|
||||||
|
|
||||||
# this goes together with patch4
|
# this goes together with patch4
|
||||||
rm pip/_vendor/certifi/*.pem
|
rm pip/_vendor/certifi/*.pem
|
||||||
rm pip/_vendor/requests/*.pem
|
|
||||||
sed -i '/\.pem$/d' pip.egg-info/SOURCES.txt
|
sed -i '/\.pem$/d' pip.egg-info/SOURCES.txt
|
||||||
|
|
||||||
sed -i '1d' pip/__init__.py
|
sed -i '1d' pip/__init__.py
|
||||||
|
@ -241,9 +195,6 @@ sed -i '1d' pip/__init__.py
|
||||||
# Remove ordereddict as it is only required for python <= 2.6
|
# Remove ordereddict as it is only required for python <= 2.6
|
||||||
rm pip/_vendor/ordereddict.py
|
rm pip/_vendor/ordereddict.py
|
||||||
|
|
||||||
# Remove windows executable binaries
|
|
||||||
rm -v pip/_vendor/distlib/*.exe
|
|
||||||
sed -i '/\.exe/d' setup.py
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
|
export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
|
||||||
|
@ -359,26 +310,6 @@ py.test-%{python2_version} -m 'not network'
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Thu Oct 14 2021 Charalampos Stratakis <cstratak@redhat.com> - 9.0.3-19
|
|
||||||
- Remove bundled windows executables
|
|
||||||
- Resolves: rhbz#2006792
|
|
||||||
|
|
||||||
* Wed Aug 19 2020 Tomas Orsava <torsava@redhat.com> - 9.0.3-18
|
|
||||||
- Patch for pip install <url> allow directory traversal, leading to arbitrary file write
|
|
||||||
Resolves: rhbz#1870184
|
|
||||||
|
|
||||||
* Mon Mar 16 2020 Charalampos Stratakis <cstratak@redhat.com> - 9.0.3-17
|
|
||||||
- Remove unused CA bundle from the bundled requests library
|
|
||||||
Resolves: rhbz#1775194
|
|
||||||
|
|
||||||
* Tue Jan 14 2020 Lumír Balhar <lbalhar@redhat.com> - 9.0.3-16
|
|
||||||
- Add four new patches for CVEs in bundled urllib3 and requests
|
|
||||||
CVE-2018-20060, CVE-2019-11236, CVE-2019-11324, CVE-2018-18074
|
|
||||||
Resolves: rhbz#1649153
|
|
||||||
Resolves: rhbz#1700824
|
|
||||||
Resolves: rhbz#1702473
|
|
||||||
Resolves: rhbz#1643829
|
|
||||||
|
|
||||||
* Thu Oct 24 2019 Charalampos Stratakis <cstratak@redhat.com> - 9.0.3-15
|
* Thu Oct 24 2019 Charalampos Stratakis <cstratak@redhat.com> - 9.0.3-15
|
||||||
- Use the system level root certificate instead of the one bundled in certifi
|
- Use the system level root certificate instead of the one bundled in certifi
|
||||||
Resolves: rhbz#1659551
|
Resolves: rhbz#1659551
|
||||||
|
|
Loading…
Reference in New Issue