diff --git a/0001-fix-1065-gevent-1.3.0-removes-fast-wsgi-implementati.patch b/0001-fix-1065-gevent-1.3.0-removes-fast-wsgi-implementati.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5b358c1b543509ff02ae06c8e37c2de75f33b8ed
--- /dev/null
+++ b/0001-fix-1065-gevent-1.3.0-removes-fast-wsgi-implementati.patch
@@ -0,0 +1,37 @@
+From 19a12f898b7343e16f0d08821de6aac169143752 Mon Sep 17 00:00:00 2001
+From: Marcel Hellkamp
+Date: Tue, 27 Nov 2018 19:27:54 +0100
+Subject: [PATCH] fix #1065 gevent-1.3.0 removes 'fast' wsgi implementation.
+
+---
+ bottle.py | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/bottle.py b/bottle.py
+index 3a51b38..cb46893 100644
+--- a/bottle.py
++++ b/bottle.py
+@@ -2904,14 +2904,16 @@ class GeventServer(ServerAdapter):
+ * See gevent.wsgi.WSGIServer() documentation for more options.
+ """
+ def run(self, handler):
+- from gevent import wsgi, pywsgi, local
++ from gevent import pywsgi, local
+ if not isinstance(threading.local(), local.local):
+ msg = "Bottle requires gevent.monkey.patch_all() (before import)"
+ raise RuntimeError(msg)
+- if not self.options.pop('fast', None): wsgi = pywsgi
+- self.options['log'] = None if self.quiet else 'default'
++ if self.options.pop('fast', None):
++ depr('The "fast" option has been deprecated and removed by Gevent.')
++ if self.quiet:
++ self.options['log'] = None
+ address = (self.host, self.port)
+- server = wsgi.WSGIServer(address, handler, **self.options)
++ server = pywsgi.WSGIServer(address, handler, **self.options)
+ if 'BOTTLE_CHILD' in os.environ:
+ import signal
+ signal.signal(signal.SIGINT, lambda s, f: server.stop())
+-- 
+2.39.0.windows.2
+
diff --git a/0002-Fix-930-DeprecationWarning-Flags-not-at-the-start-of.patch b/0002-Fix-930-DeprecationWarning-Flags-not-at-the-start-of.patch
new file mode 100644
index 0000000000000000000000000000000000000000..571898d22cfccbbd7391d3424d795cb2d9d37a44
--- /dev/null
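Review bot: The replacement lines `++ if self.quiet:` / `++ self.options['log'] = None` change more than the removed `'fast'` handling: the deleted line unconditionally overwrote any caller-supplied `log` option with `'default'` when not quiet, whereas the new code only touches `log` when `quiet` is set, so a `log=` keyword carried in `self.options` now reaches `pywsgi.WSGIServer` unchanged. That looks intentional but is undocumented in the hunk; a comment on the added `if self.quiet:` line such as `# Only force log=None when quiet; otherwise a caller-supplied 'log' option passes through to pywsgi unchanged` would record it. The rest of `run()` (everything after the `signal.signal(...)` line) is outside the hunk.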
+++ b/0002-Fix-930-DeprecationWarning-Flags-not-at-the-start-of.patch
@@ -0,0 +1,39 @@
+From 0c3db605e927e6a58cefaecae3a3c6ef1e34dad5 Mon Sep 17 00:00:00 2001
+From: Marcel Hellkamp
+Date: Sat, 1 Dec 2018 17:35:14 +0100
+Subject: [PATCH] Fix #930: DeprecationWarning: Flags not at the start of the
+ expression
+
+Backported from 0.13-dev
+---
+ bottle.py | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/bottle.py b/bottle.py
+index fd663f7..dae4f56 100644
+--- a/bottle.py
++++ b/bottle.py
+@@ -3420,7 +3420,7 @@ class StplParser(object):
+ _re_cache = {} #: Cache for compiled re patterns
+ # This huge pile of voodoo magic splits python code into 8 different tokens.
+ # 1: All kinds of python strings (trust me, it works)
+- _re_tok = '((?m)[urbURB]?(?:\'\'(?!\')|""(?!")|\'{6}|"{6}' \
++ _re_tok = '([urbURB]?(?:\'\'(?!\')|""(?!")|\'{6}|"{6}' \
+ '|\'(?:[^\\\\\']|\\\\.)+?\'|"(?:[^\\\\"]|\\\\.)+?"' \
+ '|\'{3}(?:[^\\\\]|\\\\.|\\n)+?\'{3}' \
+ '|"{3}(?:[^\\\\]|\\\\.|\\n)+?"{3}))'
+@@ -3443,8 +3443,9 @@ class StplParser(object):
+ # Match the start tokens of code areas in a template
+ _re_split = '(?m)^[ \t]*(\\\\?)((%(line_start)s)|(%(block_start)s))(%%?)'
+ # Match inline statements (may contain python strings)
+- _re_inl = '%%(inline_start)s((?:%s|[^\'"\n]*?)+)%%(inline_end)s' % _re_inl
+-
++ _re_inl = '(?m)%%(inline_start)s((?:%s|[^\'"\n]*?)+)%%(inline_end)s' % _re_inl
++ _re_tok = '(?m)' + _re_tok
++
+ default_syntax = '<% %> % {{ }}'
+ 
+ def __init__(self, source, syntax=None, encoding='utf8'):
+-- 
+2.39.0.windows.2
+
diff --git a/0003-Added-Python-3.4-3.7-language-classifiers.patch b/0003-Added-Python-3.4-3.7-language-classifiers.patch
new file mode 100644
index 0000000000000000000000000000000000000000..efb942634314486861444199922cecb45e378306
--- /dev/null
+++ b/0003-Added-Python-3.4-3.7-language-classifiers.patch
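Review bot: The added `++ _re_tok = '(?m)' + _re_tok` re-attaches the flag only in the second hunk, and the inline pattern on the line above it interpolates `_re_inl` as a sub-expression (`%s` ... `% _re_inl`), so the fix only holds if `_re_inl` was derived from the flag-free `_re_tok` somewhere between the two hunks; that derivation is outside this patch and should be confirmed, otherwise a mid-pattern `(?m)` survives and the warning returns (on Python 3.11 and later a global flag not at the start of the pattern is a hard `re.error`, which would make the module fail to import rather than warn). A one-line comment above the added assignment, `# Global inline flags must lead the pattern; add (?m) last so the copy reused by _re_inl stays flag-free`, would make the ordering constraint explicit. The class body continues outside both hunks.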
@@ -0,0 +1,29 @@
+From b0ce05c2a9e6a3e1ff01c5cbd18f7806df5bf7d6 Mon Sep 17 00:00:00 2001
+From: Marcel Hellkamp
+Date: Sat, 1 Dec 2018 18:26:43 +0100
+Subject: [PATCH] Added Python 3.4-3.7 language classifiers
+
+---
+ setup.py | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/setup.py b/setup.py
+index 84ba762..a03d320 100755
+--- a/setup.py
++++ b/setup.py
+@@ -36,8 +36,9 @@ setup(name='bottle',
+ 'Programming Language :: Python :: 3',
+ 'Programming Language :: Python :: 3.2',
+ 'Programming Language :: Python :: 3.3',
++ 'Programming Language :: Python :: 3.4',
++ 'Programming Language :: Python :: 3.5',
++ 'Programming Language :: Python :: 3.6',
++ 'Programming Language :: Python :: 3.7',
+ ],
+ )
+-
+-
+-
+-- 
+2.39.0.windows.2
+
diff --git a/0004-fix-1115-Some-modules-set-__file__-as-None.patch b/0004-fix-1115-Some-modules-set-__file__-as-None.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4908cae3eb0b9c55df5288952d0eb522754c6b55
--- /dev/null
+++ b/0004-fix-1115-Some-modules-set-__file__-as-None.patch
@@ -0,0 +1,27 @@
+From 076f41759ceacb1a804517270392f0ef75adb07f Mon Sep 17 00:00:00 2001
+From: Marcel Hellkamp
+Date: Thu, 13 Dec 2018 08:26:27 +0100
+Subject: [PATCH] fix #1115: Some modules set __file__ as None
+
+This is not allowed (the __file__ attribute MUST be either a string, or unset),
+but seems to happen anyway and is easy to work around in bottle.
+---
+ bottle.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bottle.py b/bottle.py
+index 01b581e..f254bac 100644
+--- a/bottle.py
++++ b/bottle.py
+@@ -3156,7 +3156,7 @@ class FileCheckerThread(threading.Thread):
+ files = dict()
+ 
+ for module in list(sys.modules.values()):
+- path = getattr(module, '__file__', '')
++ path = getattr(module, '__file__', '') or ''
+ if path[-4:] in ('.pyo', '.pyc'): path = path[:-1]
+ if path and exists(path): files[path] = mtime(path)
+ 
+-- 
+2.39.0.windows.2
+
diff --git a/CVE-2020-28473.patch b/CVE-2020-28473.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2921ac9a0fb107545dfc2ade6171fc3437a8c443
--- /dev/null
+++ b/CVE-2020-28473.patch
@@ -0,0 +1,27 @@
+From 57a2f22e0c1d2b328c4f54bf75741d74f47f1a6b Mon Sep 17 00:00:00 2001
+From: Marcel Hellkamp
+Date: Wed, 11 Nov 2020 19:24:29 +0100
+Subject: [PATCH] Do not split query strings on `;` anymore.
+
+Using `;` as a separator instead of `&` was allowed a long time ago,
+but is now obsolete and actually invalid according to the 2014 W3C
+recommendations. Even if this change is technically backwards-incompatible,
+no real-world application should depend on broken behavior. If you REALLY
+need this functionality, monkey-patch the _parse_qsl() function.
+---
+ bottle.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bottle.py b/bottle.py
+index bcfc5e62..417b01b9 100644
+--- a/bottle.py
++++ b/bottle.py
+@@ -2585,7 +2585,7 @@ def parse_range_header(header, maxlen=0):
+ 
+ def _parse_qsl(qs):
+ r = []
+- for pair in qs.replace(';','&').split('&'):
++ for pair in qs.split('&'):
+ if not pair: continue
+ nv = pair.split('=', 1)
+ if len(nv) != 2: nv.append('')
diff --git a/CVE-2022-31799.patch b/CVE-2022-31799.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a508f4e4d7f9ffc7308141c86f083c2105f09378
--- /dev/null
+++ b/CVE-2022-31799.patch
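Review bot: The new loop `++ for pair in qs.split('&'):` keeps a literal `;` inside a name or value, so `_parse_qsl` now uses the same `&`-only separator that CPython later adopted as the default for `urllib.parse.parse_qsl`; a parameter that an application and a front-end proxy or cache previously split differently on `;` is now seen as one segment, which the commit message accepts as intentional. The function body continues past the hunk (the lines that unquote and append `nv` are not shown), so nothing in the patch pins the new behaviour; a unit test asserting that a constructed input such as `'a=1;b=2'` yields a single pair whose value still contains `;b=2` would do that. Unlike the four `000x` patches, this file carries no `-- ` signature trailer; `%autosetup -p1` tolerates it, but regenerating with `git format-patch` keeps the series uniform.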
@@ -0,0 +1,40 @@
+From e140e1b54da721a660f2eb9d58a106b7b3ff2f00 Mon Sep 17 00:00:00 2001
+From: Marcel Hellkamp
+Date: Thu, 26 May 2022 14:49:32 +0200
+Subject: [PATCH] Gracefully handle errors during early request binding.
+
+---
+ bottle.py | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/bottle.py b/bottle.py
+index 04ccf7da..035f99ec 100644
+--- a/bottle.py
++++ b/bottle.py
+@@ -848,17 +848,19 @@ def default_error_handler(self, res):
+ return tob(template(ERROR_PAGE_TEMPLATE, e=res))
+ 
+ def _handle(self, environ):
+- path = environ['bottle.raw_path'] = environ['PATH_INFO']
+- if py3k:
+- try:
+- environ['PATH_INFO'] = path.encode('latin1').decode('utf8')
+- except UnicodeError:
+- return HTTPError(400, 'Invalid path string. Expected UTF-8')
+-
+ try:
++
+ environ['bottle.app'] = self
+ request.bind(environ)
+ response.bind()
++
++ path = environ['bottle.raw_path'] = environ['PATH_INFO']
++ if py3k:
++ try:
++ environ['PATH_INFO'] = path.encode('latin1').decode('utf8')
++ except UnicodeError:
++ return HTTPError(400, 'Invalid path string. Expected UTF-8')
++
+ try:
+ self.trigger_hook('before_request')
+ route, args = self.router.match(environ)
diff --git a/python-bottle.spec b/python-bottle.spec
index d209c1660b79cc33f0d905f78973d64a13852091..6eeadfab2d2da9d11b022118dd3ecce91b22d41b 100644
--- a/python-bottle.spec
+++ b/python-bottle.spec
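Review bot: The moved block now runs `request.bind(environ)` before `++ path = environ['bottle.raw_path'] = environ['PATH_INFO']` re-decodes `PATH_INFO`, so the request object is bound while the environ still holds the raw latin-1 string; that is only safe if binding does not snapshot the path, which cannot be checked from this hunk and is worth confirming against `request.bind` before relying on the backport. The presumable intent — an exception raised during binding now lands inside the outer `try:` so it can be turned into an error response instead of escaping to the WSGI server — rests on the `except` clauses that follow, and `_handle` continues past the hunk. Stylistically, the blank line added directly after `+ try:` (the lone `++`) and the one before the `if py3k:` block are leftovers of the move and could be dropped.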
@@ -1,10 +1,17 @@
 Name: python-bottle
 Version: 0.12.13
-Release: 7
+Release: 13
 Summary: WSGI micro web-framework for Python.
 License: MIT
 URL: http://bottlepy.org
 Source0: https://github.com/bottlepy/bottle/archive/%{version}/bottle-%{version}.tar.gz
+Patch0000: CVE-2020-28473.patch
+#https://github.com/bottlepy/bottle/commit/e140e1b54da721a660f2eb9d58a106b7b3ff2f00
+Patch0001: CVE-2022-31799.patch
+Patch0002: 0001-fix-1065-gevent-1.3.0-removes-fast-wsgi-implementati.patch
+Patch0003: 0002-Fix-930-DeprecationWarning-Flags-not-at-the-start-of.patch
+Patch0004: 0003-Added-Python-3.4-3.7-language-classifiers.patch
+Patch0005: 0004-fix-1115-Some-modules-set-__file__-as-None.patch
 BuildArch: noarch
 BuildRequires: python2-devel python2-setuptools python3-devel python3-setuptools
@@ -32,7 +39,7 @@ It is distributed as a single file module and has no dependencies other than the
 Python Standard Library.
 %prep
-%autosetup -n bottle-%{version}
+%autosetup -n bottle-%{version} -p1
 sed -i '/^#!/d' bottle.py
 %build
@@ -59,6 +66,24 @@ sed -i '/^#!/d' bottle.py
 %{python3_sitelib}/*
 %changelog
+* Tue Dec 05 2023 zhangliangpengkun - 0.12.13-13
+- fix #1115: Some modules set __file__ as None
+
+* Thu Nov 30 2023 zhangliangpengkun - 0.12.13-12
+- Added Python 3.4-3.7 language classifiers
+
+* Wed Nov 22 2023 zhangliangpengkun - 0.12.13-11
+- Fix #930: DeprecationWarning: Flags not at the start of the expression
+
+* Thu Nov 02 2023 zhangliangpengkun - 0.12.13-10
+- fix #1065 gevent-1.3.0 removes 'fast' wsgi implementation.
+
+* Tue Jun 14 2022 yaoxin - 0.12.13-9
+- - Fix CVE-2022-31799
+
+* Fri Feb 19 2021 zhanghua - 0.12.13-8
+- fix CVE-2020-28473
+
 * Tue Nov 26 2019 zhujunhao - 0.12.13-7
 - Package init
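Review bot: In the first hunk only `Patch0001` carries an upstream reference (`+#https://github.com/bottlepy/bottle/commit/e140e1b54da721a660f2eb9d58a106b7b3ff2f00`), while `+Patch0000: CVE-2020-28473.patch` and the four `000x` backports have none, even though each patch header already names its upstream commit; adding `#https://github.com/bottlepy/bottle/commit/57a2f22e0c1d2b328c4f54bf75741d74f47f1a6b` above `Patch0000`, and the commit URL from each patch's `From` line above `Patch0002`–`Patch0005`, lets a reviewer verify every backport against upstream without opening the patch files. The `-p1` added to `%autosetup` in the second hunk is what makes the `a/`…`b/`-prefixed patches apply, so it belongs with this change. In the third hunk the entry `+- - Fix CVE-2022-31799` has a doubled dash and should read `- Fix CVE-2022-31799`.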