From 0dd0fcb3e1b042368063013b72baffbd8721df36 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Tue, 14 Jun 2022 09:58:14 +0800
Subject: [PATCH] Fix CVE-2022-31799

---
 CVE-2022-31799.patch | 40 ++++++++++++++++++++++++++++++++++++++++
 python-bottle.spec | 7 ++++++-
 2 files changed, 46 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2022-31799.patch

diff --git a/CVE-2022-31799.patch b/CVE-2022-31799.patch
new file mode 100644
index 0000000..a508f4e
--- /dev/null
+++ b/CVE-2022-31799.patch
@@ -0,0 +1,40 @@
+From e140e1b54da721a660f2eb9d58a106b7b3ff2f00 Mon Sep 17 00:00:00 2001
+From: Marcel Hellkamp
+Date: Thu, 26 May 2022 14:49:32 +0200
+Subject: [PATCH] Gracefully handle errors during early request binding.
+
+---
+ bottle.py | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/bottle.py b/bottle.py
+index 04ccf7da..035f99ec 100644
+--- a/bottle.py
++++ b/bottle.py
+@@ -848,17 +848,19 @@ def default_error_handler(self, res):
+ return tob(template(ERROR_PAGE_TEMPLATE, e=res))
+
+ def _handle(self, environ):
+- path = environ['bottle.raw_path'] = environ['PATH_INFO']
+- if py3k:
+- try:
+- environ['PATH_INFO'] = path.encode('latin1').decode('utf8')
+- except UnicodeError:
+- return HTTPError(400, 'Invalid path string. Expected UTF-8')
+-
+ try:
++
+ environ['bottle.app'] = self
+ request.bind(environ)
+ response.bind()
++
++ path = environ['bottle.raw_path'] = environ['PATH_INFO']
++ if py3k:
++ try:
++ environ['PATH_INFO'] = path.encode('latin1').decode('utf8')
++ except UnicodeError:
++ return HTTPError(400, 'Invalid path string. Expected UTF-8')
++
+ try:
+ self.trigger_hook('before_request')
+ route, args = self.router.match(environ)
diff --git a/python-bottle.spec b/python-bottle.spec
index cdcf0bf..c180882 100644
--- a/python-bottle.spec
+++ b/python-bottle.spec
@@ -1,6 +1,6 @@
 Name: python-bottle
 Version: 0.12.13
-Release: 10
+Release: 11
 Summary: WSGI micro web-framework for Python.
 License: MIT
 URL: https://github.com/bottlepy/bottle
@@ -8,6 +8,8 @@ Source0: https://github.com/bottlepy/bottle/archive/%{version}/bottle-%{v
 Patch0000: CVE-2020-28473.patch
 #https://github.com/bottlepy/bottle/commit/eff4960d941b51629f8378b1bd9498ed2aec92c7
 Patch0001: Fix-Python-3.7-collections.abc-DeprecationWarning.patch
+#https://github.com/bottlepy/bottle/commit/e140e1b54da721a660f2eb9d58a106b7b3ff2f00
+Patch0002: CVE-2022-31799.patch
 BuildArch: noarch
 BuildRequires: python3-devel python3-setuptools
@@ -46,6 +48,9 @@ sed -i '/^#!/d' bottle.py
 %exclude %{_bindir}/bottle.py
 %changelog
+* Tue Jun 14 2022 yaoxin - 0.12.13-11
+- Fix CVE-2022-31799
+
 * Thu Mar 31 2022 xu_ping - 0.12.13-10
 - Fix Python 3.7 collections.abc DeprecationWarning
-- Gitee
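Review bot: The second hunk declares `Patch0002: CVE-2022-31799.patch` but nothing in this diff shows the patch being applied; if `%prep` uses `%setup` with explicit `%patchN` lines instead of `%autosetup -p1`, the new patch is listed yet never applied and the rebuilt package still ships the unfixed `_handle`. The `%prep` section lies outside these hunks, so this needs checking against the rest of the spec, and in the explicit style the matching line would be `%patch0002 -p1`. It is also worth confirming that the backported upstream commit applies cleanly to 0.12.13, since its hunk context (`@@ -848,17 +848,19 @@`) may have been generated against a different 0.12.x revision and could only land with fuzz or fail silently at build time.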