From de5542f2fcfe359333a88ae1d2b176e71fd71f0f Mon Sep 17 00:00:00 2001
From: zhanghua1831
Date: Sat, 20 Feb 2021 15:21:11 +0800
Subject: [PATCH] fix CVE-2020-28473

(cherry picked from commit e941d8331ef0c412c2d587eab1955d52df198b1a)
---
 CVE-2020-28473.patch | 27 +++++++++++++++++++++++++++
 python-bottle.spec | 8 ++++++--
 2 files changed, 33 insertions(+), 2 deletions(-)
 create mode 100644 CVE-2020-28473.patch

diff --git a/CVE-2020-28473.patch b/CVE-2020-28473.patch
new file mode 100644
index 0000000..2921ac9
--- /dev/null
+++ b/CVE-2020-28473.patch
@@ -0,0 +1,27 @@
+From 57a2f22e0c1d2b328c4f54bf75741d74f47f1a6b Mon Sep 17 00:00:00 2001
+From: Marcel Hellkamp
+Date: Wed, 11 Nov 2020 19:24:29 +0100
+Subject: [PATCH] Do not split query strings on `;` anymore.
+
+Using `;` as a separator instead of `&` was allowed a long time ago,
+but is now obsolete and actually invalid according to the 2014 W3C
+recommendations. Even if this change is technically backwards-incompatible,
+no real-world application should depend on broken behavior. If you REALLY
+need this functionality, monkey-patch the _parse_qsl() function.
+---
+ bottle.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bottle.py b/bottle.py
+index bcfc5e62..417b01b9 100644
+--- a/bottle.py
++++ b/bottle.py
+@@ -2585,7 +2585,7 @@ def parse_range_header(header, maxlen=0):
+ 
+ def _parse_qsl(qs):
+ r = []
+- for pair in qs.replace(';','&').split('&'):
++ for pair in qs.split('&'):
+ if not pair: continue
+ nv = pair.split('=', 1)
+ if len(nv) != 2: nv.append('')
diff --git a/python-bottle.spec b/python-bottle.spec
index d209c16..acb24f1 100644
--- a/python-bottle.spec
+++ b/python-bottle.spec
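Review bot: The embedded patch is the upstream master commit carried verbatim (its hunk header points at line 2585 beside `parse_range_header`) rather than a backport against the 0.12.13 tree the spec feeds to `%autosetup -p1`, so it should be confirmed to apply at an offset with no fuzz: the context lines around `+    for pair in qs.split('&'):` must match 0.12.13 byte for byte, or the build breaks depending on the build system's fuzz setting. The security point is that splitting on `;` let the framework and upstream caches or proxies disagree on where one parameter ends and the next begins; a regression check in %check or a local test would pin the fix, e.g. `assert _parse_qsl('a=1;b=2') == [('a', '1;b=2')]`, assuming the rest of the loop (outside the hunk) only unquotes `nv[0]` and `nv[1]`. The body of `_parse_qsl` continues past the end of the hunk, so it is also worth confirming no other call site in 0.12.13 still replaces `;` with `&` before reaching it.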
@@ -1,10 +1,11 @@
 Name: python-bottle
 Version: 0.12.13
-Release: 7
+Release: 8
 Summary: WSGI micro web-framework for Python.
 License: MIT
 URL: http://bottlepy.org
 Source0: https://github.com/bottlepy/bottle/archive/%{version}/bottle-%{version}.tar.gz
+Patch0000: CVE-2020-28473.patch
 BuildArch: noarch
 BuildRequires: python2-devel python2-setuptools python3-devel python3-setuptools
@@ -32,7 +33,7 @@ It is distributed as a single file module and has no dependencies other than the
 Python Standard Library.
 %prep
-%autosetup -n bottle-%{version}
+%autosetup -n bottle-%{version} -p1
 sed -i '/^#!/d' bottle.py
 %build
@@ -59,6 +60,9 @@ sed -i '/^#!/d' bottle.py
 %{python3_sitelib}/*
 %changelog
+* Fri Feb 19 2021 zhanghua - 0.12.13-8
+- fix CVE-2020-28473
+
 * Tue Nov 26 2019 zhujunhao - 0.12.13-7
 - Package init
-- 
Gitee