From 6c80e10952a5d89ebf3037f66795af1b28e7ce46 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Thu, 15 Aug 2024 11:34:18 +0800
Subject: [PATCH] Fix CVE-2024-42353
(cherry picked from commit 36a70e59e3307c583b3299d0929396c389c30e25)
---
 backport-CVE-2024-42353.patch | 48 +++++++++++++++++++++++++++++++++++
 python-webob.spec | 7 ++++-
 2 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2024-42353.patch
diff --git a/backport-CVE-2024-42353.patch b/backport-CVE-2024-42353.patch
new file mode 100644
index 0000000..d0918cf
--- /dev/null
+++ b/backport-CVE-2024-42353.patch
@@ -0,0 +1,48 @@
+From f689bcf4f0a1f64f1735b1d5069aef5be6974b5b Mon Sep 17 00:00:00 2001
+From: Delta Regeer
+Date: Wed, 7 Aug 2024 11:15:35 -0600
+Subject: [PATCH] Add fix for open redirect
+
+---
+ src/webob/response.py | 5 +++++
+ tests/test_response.py | 11 +++++++++++
+ 2 files changed, 16 insertions(+)
+
+diff --git a/src/webob/response.py b/src/webob/response.py
+index 2aad591c..efc38ecf 100644
+--- a/src/webob/response.py
++++ b/src/webob/response.py
+@@ -1284,6 +1284,11 @@ def _make_location_absolute(environ, value):
+ if SCHEME_RE.search(value):
+ return value
+
++ # This is to fix an open redirect issue due to the way that
++ # urlparse.urljoin works. See CVE-2024-42353 and
++ # https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3
++ if value.startswith("//"):
++ value = "/%2f{}".format(value[2:])
+ new_location = urlparse.urljoin(_request_uri(environ), value)
+ return new_location
+
+diff --git a/tests/test_response.py b/tests/test_response.py
+index 9d9f9d37..8a6ac06d 100644
+--- a/tests/test_response.py
++++ b/tests/test_response.py
+@@ -1031,6 +1031,17 @@ def test_location():
+ assert req.get_response(res).location == 'http://localhost/test2.html'
+
+
++def test_location_no_open_redirect():
++ # This is a test for a fix for CVE-2024-42353 and
++ # https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3
++ res = Response()
++ res.status = "301"
++ res.location = "//www.example.com/test"
++ assert res.location == "//www.example.com/test"
++ req = Request.blank("/")
++ assert req.get_response(res).location == "http://localhost/%2fwww.example.com/test"
++
++
+ @pytest.mark.xfail(sys.version_info < (3,0),
+ reason="Python 2.x unicode != str, WSGI requires str. Test "
+ "added due to https://github.com/Pylons/webob/issues/247. "
diff --git a/python-webob.spec b/python-webob.spec
index 513717b..1245879 100644
--- a/python-webob.spec
+++ b/python-webob.spec
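Review bot: The backported guard in `_make_location_absolute` only rewrites a Location that begins with `//`; a value that already matches `SCHEME_RE` is still returned unchanged two lines earlier, so an absolute URL pointing at another host continues to pass through and applications that build redirect targets from request input still need their own allow-list of permitted destinations. The new test also asserts that `res.location` still returns the raw `//www.example.com/test`, so the rewrite happens only where the header is made absolute; if any 1.8.7 code path emits the header without going through `_make_location_absolute`, it would not be covered, which is worth confirming for this backport. The spec's `%check` runs `py.test-3 tests` (visible in the second spec hunk header), so `test_location_no_open_redirect` will execute at build time. In this rendering the nested Python lines appear without their leading indentation; presumably that is an artefact of the listing, but the committed patch file must preserve it or the patch will not apply. `_make_location_absolute` itself starts before the nested hunk.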
@@ -1,11 +1,13 @@
 Name: python-webob
 Version: 1.8.7
-Release: 2
+Release: 3
 Summary: WSGI request and response object
 License: MIT
 URL: http://pythonpaste.org/webob/
 Source0: https://files.pythonhosted.org/packages/source/W/WebOb/WebOb-%{version}.tar.gz
 Patch0: 0001-modify-python3.9-supportive-syntax.patch
+# https://github.com/Pylons/webob/commit/f689bcf4f0a1f64f1735b1d5069aef5be6974b5b
+Patch3000: backport-CVE-2024-42353.patch
 BuildArch: noarch
 BuildRequires: python3-devel, python3-setuptools, python3-pytest
@@ -51,6 +53,9 @@ py.test-3 tests
 %{python3_sitelib}/*
 %changelog
+* Thu Aug 15 2024 yaoxin - 1.8.7-3
+- Fix CVE-2024-42353
+
 * Tue Jan 11 2022 baizhonggui - 1.8.7-2
 - Fix compat py3.9 syntax
-- Gitee
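Review bot: `Patch3000` is declared next to `Patch0`, but the `%prep` section is outside both hunks, so it is not visible whether the new patch is actually applied; unless `%prep` uses `%autosetup -p1` (or an explicit `%patch3000 -p1`), the CVE fix would be listed in the spec and changelog but never reach the built package. The backport uses `a/src/webob/response.py` style paths, so whichever form is used needs `-p1`. The changelog entry could also name the advisory so the fix is traceable from the package metadata alone: `- Fix CVE-2024-42353 (open redirect via protocol-relative Location, GHSA-mg3v-6m49-jhp3)`.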