From ec28f8245952d04cf75579c9946d6e67f366cd0b Mon Sep 17 00:00:00 2001 From: zhanghua1831 Date: Sat, 20 Feb 2021 15:21:11 +0800 Subject: [PATCH 1/6] fix CVE-2020-28473 (cherry picked from commit e941d8331ef0c412c2d587eab1955d52df198b1a) --- CVE-2020-28473.patch | 27 +++++++++++++++++++++++++++ python-bottle.spec | 8 ++++++-- 2 files changed, 33 insertions(+), 2 deletions(-) create mode 100644 CVE-2020-28473.patch diff --git a/CVE-2020-28473.patch b/CVE-2020-28473.patch new file mode 100644 index 0000000..2921ac9 --- /dev/null +++ b/CVE-2020-28473.patch @@ -0,0 +1,27 @@ +From 57a2f22e0c1d2b328c4f54bf75741d74f47f1a6b Mon Sep 17 00:00:00 2001 +From: Marcel Hellkamp +Date: Wed, 11 Nov 2020 19:24:29 +0100 +Subject: [PATCH] Do not split query strings on `;` anymore. + +Using `;` as a separator instead of `&` was allowed a long time ago, +but is now obsolete and actually invalid according to the 2014 W3C +recommendations. Even if this change is technically backwards-incompatible, +no real-world application should depend on broken behavior. If you REALLY +need this functionality, monkey-patch the _parse_qsl() function. +--- + bottle.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/bottle.py b/bottle.py +index bcfc5e62..417b01b9 100644 +--- a/bottle.py ++++ b/bottle.py +@@ -2585,7 +2585,7 @@ def parse_range_header(header, maxlen=0): + + def _parse_qsl(qs): + r = [] +- for pair in qs.replace(';','&').split('&'): ++ for pair in qs.split('&'): + if not pair: continue + nv = pair.split('=', 1) + if len(nv) != 2: nv.append('') diff --git a/python-bottle.spec b/python-bottle.spec index d209c16..acb24f1 100644 --- a/python-bottle.spec +++ b/python-bottle.spec 
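Review bot: Dropping `;` as a pair separator in `_parse_qsl` is a user-visible change — a query such as `a=1;b=2` now yields the single pair `a` → `1;b=2` instead of two pairs — yet the spec's changelog entry for this release only says `fix CVE-2020-28473`, and the `Patch0000:` line carries no provenance comment (the embedded upstream hash is only inside the patch file). Consider adding `#https://github.com/bottlepy/bottle/commit/57a2f22e0c1d2b328c4f54bf75741d74f47f1a6b` above `Patch0000:` and a changelog line stating that `;` is no longer treated like `&` in query strings, since the upstream message itself calls the change backwards-incompatible. `_parse_qsl` continues past the hunk.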
@@ -1,10 +1,11 @@ Name: python-bottle Version: 0.12.13 -Release: 7 +Release: 8 Summary: WSGI micro web-framework for Python. License: MIT URL: http://bottlepy.org Source0: https://github.com/bottlepy/bottle/archive/%{version}/bottle-%{version}.tar.gz +Patch0000: CVE-2020-28473.patch BuildArch: noarch BuildRequires: python2-devel python2-setuptools python3-devel python3-setuptools @@ -32,7 +33,7 @@ It is distributed as a single file module and has no dependencies other than the Python Standard Library. %prep -%autosetup -n bottle-%{version} +%autosetup -n bottle-%{version} -p1 sed -i '/^#!/d' bottle.py %build @@ -59,6 +60,9 @@ sed -i '/^#!/d' bottle.py %{python3_sitelib}/* %changelog +* Fri Feb 19 2021 zhanghua - 0.12.13-8 +- fix CVE-2020-28473 + * Tue Nov 26 2019 zhujunhao - 0.12.13-7 - Package init -- Gitee From da6ae934069d528c57ebcb976ddc7e76939d83ce Mon Sep 17 00:00:00 2001 From: starlet-dx <15929766099@163.com> Date: Tue, 14 Jun 2022 10:03:42 +0800 Subject: [PATCH 2/6] Fix CVE-2022-31799 (cherry picked from commit 84e31c36d97d5639ed50e302e22bcd4fad7fa72e) --- CVE-2022-31799.patch | 40 ++++++++++++++++++++++++++++++++++++++++ python-bottle.spec | 7 ++++++- 2 files changed, 46 insertions(+), 1 deletion(-) create mode 100644 CVE-2022-31799.patch diff --git a/CVE-2022-31799.patch b/CVE-2022-31799.patch new file mode 100644 index 0000000..a508f4e --- /dev/null +++ b/CVE-2022-31799.patch 
@@ -0,0 +1,40 @@ +From e140e1b54da721a660f2eb9d58a106b7b3ff2f00 Mon Sep 17 00:00:00 2001 +From: Marcel Hellkamp +Date: Thu, 26 May 2022 14:49:32 +0200 +Subject: [PATCH] Gracefully handle errors during early request binding. + +--- + bottle.py | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/bottle.py b/bottle.py +index 04ccf7da..035f99ec 100644 +--- a/bottle.py ++++ b/bottle.py +@@ -848,17 +848,19 @@ def default_error_handler(self, res): + return tob(template(ERROR_PAGE_TEMPLATE, e=res)) + + def _handle(self, environ): +- path = environ['bottle.raw_path'] = environ['PATH_INFO'] +- if py3k: +- try: +- environ['PATH_INFO'] = path.encode('latin1').decode('utf8') +- except UnicodeError: +- return HTTPError(400, 'Invalid path string. Expected UTF-8') +- + try: ++ + environ['bottle.app'] = self + request.bind(environ) + response.bind() ++ ++ path = environ['bottle.raw_path'] = environ['PATH_INFO'] ++ if py3k: ++ try: ++ environ['PATH_INFO'] = path.encode('latin1').decode('utf8') ++ except UnicodeError: ++ return HTTPError(400, 'Invalid path string. Expected UTF-8') ++ + try: + self.trigger_hook('before_request') + route, args = self.router.match(environ) diff --git a/python-bottle.spec b/python-bottle.spec index acb24f1..68db801 100644 --- a/python-bottle.spec +++ b/python-bottle.spec @@ -1,11 +1,13 @@ Name: python-bottle Version: 0.12.13 -Release: 8 +Release: 9 Summary: WSGI micro web-framework for Python. License: MIT URL: http://bottlepy.org Source0: https://github.com/bottlepy/bottle/archive/%{version}/bottle-%{version}.tar.gz Patch0000: CVE-2020-28473.patch +#https://github.com/bottlepy/bottle/commit/e140e1b54da721a660f2eb9d58a106b7b3ff2f00 +Patch0001: CVE-2022-31799.patch BuildArch: noarch BuildRequires: python2-devel python2-setuptools python3-devel python3-setuptools 
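Review bot: After the reorder, `request.bind(environ)` runs before `environ['PATH_INFO']` is re-decoded from latin1 to UTF-8, so anything the request object derives from `PATH_INFO` at bind time would see the undecoded value; that is harmless only if `bind()` stores the environ and resolves the path lazily, which this hunk cannot show — worth confirming against the request class's `bind()`. The `return HTTPError(400, ...)` inside the nested `try` is a plain return, so the bad-path case still never reaches the outer handler; what the move changes is that a failure raised during early binding or by the decode itself is now inside the outer `try`, whose `except` lies outside the hunk. A one-line comment above the moved block would keep the ordering from being "tidied" back: `# Bind first so errors raised here are handled like any other request error (CVE-2022-31799).` The rest of `_handle` is outside the hunk.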
@@ -60,6 +62,9 @@ sed -i '/^#!/d' bottle.py %{python3_sitelib}/* %changelog +* Tue Jun 14 2022 yaoxin - 0.12.13-9 +- - Fix CVE-2022-31799 + * Fri Feb 19 2021 zhanghua - 0.12.13-8 - fix CVE-2020-28473 -- Gitee From 293d3593a57007ab160a0bd3f816d96b152a6773 Mon Sep 17 00:00:00 2001 From: zhang-liang-pengkun Date: Thu, 2 Nov 2023 17:23:01 +0800 Subject: [PATCH 3/6] fix #1065 gevent-1.3.0 removes 'fast' wsgi implementation. Signed-off-by: zhang-liang-pengkun --- ...1.3.0-removes-fast-wsgi-implementati.patch | 37 +++++++++++++++++++ python-bottle.spec | 6 ++- 2 files changed, 42 insertions(+), 1 deletion(-) create mode 100644 0001-fix-1065-gevent-1.3.0-removes-fast-wsgi-implementati.patch diff --git a/0001-fix-1065-gevent-1.3.0-removes-fast-wsgi-implementati.patch b/0001-fix-1065-gevent-1.3.0-removes-fast-wsgi-implementati.patch new file mode 100644 index 0000000..5b358c1 --- /dev/null +++ b/0001-fix-1065-gevent-1.3.0-removes-fast-wsgi-implementati.patch 
@@ -0,0 +1,37 @@ +From 19a12f898b7343e16f0d08821de6aac169143752 Mon Sep 17 00:00:00 2001 +From: Marcel Hellkamp +Date: Tue, 27 Nov 2018 19:27:54 +0100 +Subject: [PATCH] fix #1065 gevent-1.3.0 removes 'fast' wsgi implementation. + +--- + bottle.py | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/bottle.py b/bottle.py +index 3a51b38..cb46893 100644 +--- a/bottle.py ++++ b/bottle.py +@@ -2904,14 +2904,16 @@ class GeventServer(ServerAdapter): + * See gevent.wsgi.WSGIServer() documentation for more options. + """ + def run(self, handler): +- from gevent import wsgi, pywsgi, local ++ from gevent import pywsgi, local + if not isinstance(threading.local(), local.local): + msg = "Bottle requires gevent.monkey.patch_all() (before import)" + raise RuntimeError(msg) +- if not self.options.pop('fast', None): wsgi = pywsgi +- self.options['log'] = None if self.quiet else 'default' ++ if self.options.pop('fast', None): ++ depr('The "fast" option has been deprecated and removed by Gevent.') ++ if self.quiet: ++ self.options['log'] = None + address = (self.host, self.port) +- server = wsgi.WSGIServer(address, handler, **self.options) ++ server = pywsgi.WSGIServer(address, handler, **self.options) + if 'BOTTLE_CHILD' in os.environ: + import signal + signal.signal(signal.SIGINT, lambda s, f: server.stop()) +-- +2.39.0.windows.2 + diff --git a/python-bottle.spec b/python-bottle.spec index 68db801..35d2799 100644 --- a/python-bottle.spec +++ b/python-bottle.spec @@ -1,6 +1,6 @@ Name: python-bottle Version: 0.12.13 -Release: 9 +Release: 10 Summary: WSGI micro web-framework for Python. License: MIT URL: http://bottlepy.org 
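Review bot: The docstring context line at the top of the hunk still reads `* See gevent.wsgi.WSGIServer() documentation for more options.`, but `run()` now constructs `pywsgi.WSGIServer`, so readers are pointed at the module this very patch stops importing; change it to `* See gevent.pywsgi.WSGIServer() documentation for more options.` The `fast` key is popped and only `depr(...)` is emitted, so the adapter silently runs the pywsgi server either way — a sentence in the docstring saying the option is ignored would make that discoverable. In the non-quiet case `self.options['log']` is no longer set at all, whereas the removed line set it to `'default'`; that looks equivalent because `'default'` is also pywsgi's own default value, but it is worth confirming against the gevent version the package is built against. `run()` continues past the hunk.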
@@ -8,6 +8,7 @@ Source0: https://github.com/bottlepy/bottle/archive/%{version}/bottle-%{v Patch0000: CVE-2020-28473.patch #https://github.com/bottlepy/bottle/commit/e140e1b54da721a660f2eb9d58a106b7b3ff2f00 Patch0001: CVE-2022-31799.patch +Patch0002: 0001-fix-1065-gevent-1.3.0-removes-fast-wsgi-implementati.patch BuildArch: noarch BuildRequires: python2-devel python2-setuptools python3-devel python3-setuptools @@ -62,6 +63,9 @@ sed -i '/^#!/d' bottle.py %{python3_sitelib}/* %changelog +* Thu Nov 02 2023 zhangliangpengkun - 0.12.13-10 +- fix #1065 gevent-1.3.0 removes 'fast' wsgi implementation. + * Tue Jun 14 2022 yaoxin - 0.12.13-9 - - Fix CVE-2022-31799 -- Gitee From 23e896d011cb4c83122527ed207912debef29283 Mon Sep 17 00:00:00 2001 From: zhang-liang-pengkun Date: Wed, 22 Nov 2023 17:40:45 +0800 Subject: [PATCH 4/6] Fix #930: DeprecationWarning: Flags not at the start of the expression Signed-off-by: zhang-liang-pengkun --- ...ionWarning-Flags-not-at-the-start-of.patch | 39 +++++++++++++++++++ python-bottle.spec | 6 ++- 2 files changed, 44 insertions(+), 1 deletion(-) create mode 100644 0002-Fix-930-DeprecationWarning-Flags-not-at-the-start-of.patch diff --git a/0002-Fix-930-DeprecationWarning-Flags-not-at-the-start-of.patch b/0002-Fix-930-DeprecationWarning-Flags-not-at-the-start-of.patch new file mode 100644 index 0000000..571898d --- /dev/null +++ b/0002-Fix-930-DeprecationWarning-Flags-not-at-the-start-of.patch 
@@ -0,0 +1,39 @@ +From 0c3db605e927e6a58cefaecae3a3c6ef1e34dad5 Mon Sep 17 00:00:00 2001 +From: Marcel Hellkamp +Date: Sat, 1 Dec 2018 17:35:14 +0100 +Subject: [PATCH] Fix #930: DeprecationWarning: Flags not at the start of the + expression + +Backported from 0.13-dev +--- + bottle.py | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/bottle.py b/bottle.py +index fd663f7..dae4f56 100644 +--- a/bottle.py ++++ b/bottle.py +@@ -3420,7 +3420,7 @@ class StplParser(object): + _re_cache = {} #: Cache for compiled re patterns + # This huge pile of voodoo magic splits python code into 8 different tokens. + # 1: All kinds of python strings (trust me, it works) +- _re_tok = '((?m)[urbURB]?(?:\'\'(?!\')|""(?!")|\'{6}|"{6}' \ ++ _re_tok = '([urbURB]?(?:\'\'(?!\')|""(?!")|\'{6}|"{6}' \ + '|\'(?:[^\\\\\']|\\\\.)+?\'|"(?:[^\\\\"]|\\\\.)+?"' \ + '|\'{3}(?:[^\\\\]|\\\\.|\\n)+?\'{3}' \ + '|"{3}(?:[^\\\\]|\\\\.|\\n)+?"{3}))' +@@ -3443,8 +3443,9 @@ class StplParser(object): + # Match the start tokens of code areas in a template + _re_split = '(?m)^[ \t]*(\\\\?)((%(line_start)s)|(%(block_start)s))(%%?)' + # Match inline statements (may contain python strings) +- _re_inl = '%%(inline_start)s((?:%s|[^\'"\n]*?)+)%%(inline_end)s' % _re_inl +- ++ _re_inl = '(?m)%%(inline_start)s((?:%s|[^\'"\n]*?)+)%%(inline_end)s' % _re_inl ++ _re_tok = '(?m)' + _re_tok ++ + default_syntax = '<% %> % {{ }}' + + def __init__(self, source, syntax=None, encoding='utf8'): +-- +2.39.0.windows.2 + diff --git a/python-bottle.spec b/python-bottle.spec index 35d2799..b20e69b 100644 --- a/python-bottle.spec +++ b/python-bottle.spec @@ -1,6 +1,6 @@ Name: python-bottle Version: 0.12.13 -Release: 10 +Release: 11 Summary: WSGI micro web-framework for Python. License: MIT URL: http://bottlepy.org 
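Review bot: The new `_re_tok = '(?m)' + _re_tok` line only gives the intended result if `_re_inl` has already been derived from `_re_tok` before this point (the `% _re_inl` interpolation in the hunk suggests it is built earlier in the class body, outside the hunk); if that order ever changes, `_re_inl` would inherit a mid-pattern `(?m)`, which is exactly what the fix removes and which Python 3.11 rejects outright rather than merely warning about. The ordering constraint is invisible from the line itself, so it deserves a comment: `# Prefix the flag only now, after _re_inl was built from _re_tok, so it appears once and at the very start of each pattern (mid-pattern global flags are an error since Python 3.11).` `_re_split` already carries its `(?m)` at the start, so the three patterns are consistent after this change. The StplParser class body continues outside the hunk.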
@@ -9,6 +9,7 @@ Patch0000: CVE-2020-28473.patch #https://github.com/bottlepy/bottle/commit/e140e1b54da721a660f2eb9d58a106b7b3ff2f00 Patch0001: CVE-2022-31799.patch Patch0002: 0001-fix-1065-gevent-1.3.0-removes-fast-wsgi-implementati.patch +Patch0003: 0002-Fix-930-DeprecationWarning-Flags-not-at-the-start-of.patch BuildArch: noarch BuildRequires: python2-devel python2-setuptools python3-devel python3-setuptools @@ -63,6 +64,9 @@ sed -i '/^#!/d' bottle.py %{python3_sitelib}/* %changelog +* Wed Nov 22 2023 zhangliangpengkun - 0.12.13-11 +- Fix #930: DeprecationWarning: Flags not at the start of the expression + * Thu Nov 02 2023 zhangliangpengkun - 0.12.13-10 - fix #1065 gevent-1.3.0 removes 'fast' wsgi implementation. -- Gitee From 85383eeca56ca1fcbc2552f2305a42ffbc8d2afe Mon Sep 17 00:00:00 2001 From: zhang-liang-pengkun Date: Fri, 1 Dec 2023 09:59:24 +0800 Subject: [PATCH 5/6] Added Python 3.4-3.7 language classifiers Signed-off-by: zhang-liang-pengkun --- ...-Python-3.4-3.7-language-classifiers.patch | 29 +++++++++++++++++++ python-bottle.spec | 6 +++- 2 files changed, 34 insertions(+), 1 deletion(-) create mode 100644 0003-Added-Python-3.4-3.7-language-classifiers.patch diff --git a/0003-Added-Python-3.4-3.7-language-classifiers.patch b/0003-Added-Python-3.4-3.7-language-classifiers.patch new file mode 100644 index 0000000..efb9426 --- /dev/null +++ b/0003-Added-Python-3.4-3.7-language-classifiers.patch 
@@ -0,0 +1,29 @@ +From b0ce05c2a9e6a3e1ff01c5cbd18f7806df5bf7d6 Mon Sep 17 00:00:00 2001 +From: Marcel Hellkamp +Date: Sat, 1 Dec 2018 18:26:43 +0100 +Subject: [PATCH] Added Python 3.4-3.7 language classifiers + +--- + setup.py | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/setup.py b/setup.py +index 84ba762..a03d320 100755 +--- a/setup.py ++++ b/setup.py +@@ -36,8 +36,9 @@ setup(name='bottle', + 'Programming Language :: Python :: 3', + 'Programming Language :: Python :: 3.2', + 'Programming Language :: Python :: 3.3', ++ 'Programming Language :: Python :: 3.4', ++ 'Programming Language :: Python :: 3.5', ++ 'Programming Language :: Python :: 3.6', ++ 'Programming Language :: Python :: 3.7', + ], + ) +- +- +- +-- +2.39.0.windows.2 + diff --git a/python-bottle.spec b/python-bottle.spec index b20e69b..269929b 100644 --- a/python-bottle.spec +++ b/python-bottle.spec @@ -1,6 +1,6 @@ Name: python-bottle Version: 0.12.13 -Release: 11 +Release: 12 Summary: WSGI micro web-framework for Python. License: MIT URL: http://bottlepy.org @@ -10,6 +10,7 @@ Patch0000: CVE-2020-28473.patch Patch0001: CVE-2022-31799.patch Patch0002: 0001-fix-1065-gevent-1.3.0-removes-fast-wsgi-implementati.patch Patch0003: 0002-Fix-930-DeprecationWarning-Flags-not-at-the-start-of.patch +Patch0004: 0003-Added-Python-3.4-3.7-language-classifiers.patch BuildArch: noarch BuildRequires: python2-devel python2-setuptools python3-devel python3-setuptools @@ -64,6 +65,9 @@ sed -i '/^#!/d' bottle.py %{python3_sitelib}/* %changelog +* Thu Nov 30 2023 zhangliangpengkun - 0.12.13-12 +- Added Python 3.4-3.7 language classifiers + * Wed Nov 22 2023 zhangliangpengkun - 0.12.13-11 - Fix #930: DeprecationWarning: Flags not at the start of the expression -- Gitee From b073ca98152564078164590f2cbd9a76bc93803e Mon Sep 17 00:00:00 2001 From: zhang-liang-pengkun Date: Tue, 5 Dec 2023 20:01:10 +0800 Subject: [PATCH 6/6] fix #1115: Some modules set __file__ as None 
Signed-off-by: zhang-liang-pengkun --- ...15-Some-modules-set-__file__-as-None.patch | 27 +++++++++++++++++++ python-bottle.spec | 6 ++++- 2 files changed, 32 insertions(+), 1 deletion(-) create mode 100644 0004-fix-1115-Some-modules-set-__file__-as-None.patch diff --git a/0004-fix-1115-Some-modules-set-__file__-as-None.patch b/0004-fix-1115-Some-modules-set-__file__-as-None.patch new file mode 100644 index 0000000..4908cae --- /dev/null +++ b/0004-fix-1115-Some-modules-set-__file__-as-None.patch @@ -0,0 +1,27 @@ +From 076f41759ceacb1a804517270392f0ef75adb07f Mon Sep 17 00:00:00 2001 +From: Marcel Hellkamp +Date: Thu, 13 Dec 2018 08:26:27 +0100 +Subject: [PATCH] fix #1115: Some modules set __file__ as None + +This is not allowed (the __file__ attribute MUST be either a string, or unset), +but seems to happen anyway and is easy to work around in bottle. +--- + bottle.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/bottle.py b/bottle.py +index 01b581e..f254bac 100644 +--- a/bottle.py ++++ b/bottle.py +@@ -3156,7 +3156,7 @@ class FileCheckerThread(threading.Thread): + files = dict() + + for module in list(sys.modules.values()): +- path = getattr(module, '__file__', '') ++ path = getattr(module, '__file__', '') or '' + if path[-4:] in ('.pyo', '.pyc'): path = path[:-1] + if path and exists(path): files[path] = mtime(path) + +-- +2.39.0.windows.2 + diff --git a/python-bottle.spec b/python-bottle.spec index 269929b..6eeadfa 100644 --- a/python-bottle.spec +++ b/python-bottle.spec @@ -1,6 +1,6 @@ Name: python-bottle Version: 0.12.13 -Release: 12 +Release: 13 Summary: WSGI micro web-framework for Python. License: MIT URL: http://bottlepy.org 
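Review bot: The added `or ''` works around modules that set `__file__ = None`, but nothing on the line says why it is there, and a future cleanup could drop it as redundant with the `getattr` default; suggest `path = getattr(module, '__file__', '') or ''  # some modules set __file__ = None (#1115)`. The following `path[-4:]` slice and `exists(path)` still assume a str, so a truthy non-string `__file__` (equally non-conforming) would not be tolerated — acceptable for this fix, but worth knowing when the next such report arrives. The loop body of `FileCheckerThread` continues outside the hunk.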
@@ -11,6 +11,7 @@ Patch0001: CVE-2022-31799.patch Patch0002: 0001-fix-1065-gevent-1.3.0-removes-fast-wsgi-implementati.patch Patch0003: 0002-Fix-930-DeprecationWarning-Flags-not-at-the-start-of.patch Patch0004: 0003-Added-Python-3.4-3.7-language-classifiers.patch +Patch0005: 0004-fix-1115-Some-modules-set-__file__-as-None.patch BuildArch: noarch BuildRequires: python2-devel python2-setuptools python3-devel python3-setuptools @@ -65,6 +66,9 @@ sed -i '/^#!/d' bottle.py %{python3_sitelib}/* %changelog +* Tue Dec 05 2023 zhangliangpengkun - 0.12.13-13 +- fix #1115: Some modules set __file__ as None + * Thu Nov 30 2023 zhangliangpengkun - 0.12.13-12 - Added Python 3.4-3.7 language classifiers -- Gitee