fix rejecting URLs with unsafe characters in is_valid_endpoint_url()

2022-03-31 10:42:37 +08:00 · 2022-03-31 10:42:37 +08:00 · a4e6369276
commit a4e6369276
parent d0b9302278
2 changed files with 54 additions and 2 deletions
--- a/Fix-rejecting-URLs-with-unsafe-characters-in.patch
+++ b/Fix-rejecting-URLs-with-unsafe-characters-in.patch
@ -0,0 +1,47 @@
+From 4f7cc3a38802c2ec54b1168815792b49656f7fa0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20G=C3=B3rny?= <mgorny@gentoo.org>
+Date: Fri, 7 May 2021 10:49:27 +0200
+Subject: [PATCH] Fix rejecting URLs with unsafe characters in
+
+---
+ botocore/utils.py | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/botocore/utils.py b/botocore/utils.py
+index cf61e7a..57f6194 100644
+--- a/botocore/utils.py
+++ b/botocore/utils.py
+@@ -173,6 +173,10 @@ ZONE_ID_PAT = "(?:%25|%)(?:[" + UNRESERVED_PAT + "]|%[a-fA-F0-9]{2})+"
+ IPV6_ADDRZ_PAT = r"\[" + IPV6_PAT + r"(?:" + ZONE_ID_PAT + r")?\]"
+ IPV6_ADDRZ_RE = re.compile("^" + IPV6_ADDRZ_PAT + "$")
+ 
+# These are the characters that are stripped by post-bpo-43882 urlparse().
+UNSAFE_URL_CHARS = frozenset('\t\r\n')
+
+
+ def ensure_boolean(val):
+     """Ensures a boolean value if a string or boolean is provided
+ 
+@@ -977,6 +981,8 @@ class ArgumentGenerator(object):
+ 
+ 
+ def is_valid_ipv6_endpoint_url(endpoint_url):
+    if UNSAFE_URL_CHARS.intersection(endpoint_url):
+        return False
+     netloc = urlparse(endpoint_url).netloc
+     return IPV6_ADDRZ_RE.match(netloc) is not None
+ 
+@@ -990,6 +996,10 @@ def is_valid_endpoint_url(endpoint_url):
+     :return: True if the endpoint url is valid. False otherwise.
+ 
+     """
+    # post-bpo-43882 urlsplit() strips unsafe characters from URL, causing
+    # it to pass hostname validation below.  Detect them early to fix that.
+    if UNSAFE_URL_CHARS.intersection(endpoint_url):
+        return False
+     parts = urlsplit(endpoint_url)
+     hostname = parts.hostname
+     if hostname is None:
+-- 
+2.27.0
+
--- a/python-botocore.spec
+++ b/python-botocore.spec
@ -1,11 +1,13 @@
 %global pypi_name botocore
 Name:                python-%{pypi_name}
 Version:             1.20.26
-Release:             1
+Release:             2
 Summary:             Low-level, data-driven core of boto 3
 License:             Apache-2.0
 URL:                 https://github.com/boto/botocore
 Source0:              https://files.pythonhosted.org/packages/09/e9/3f85aac6fcf346a12b59e7f946aa23a732c0689a39c9a658dd3dc91c3ea6/botocore-1.20.26.tar.gz
+# https://github.com/boto/botocore/issues/2377
+Patch00:             Fix-rejecting-URLs-with-unsafe-characters-in.patch
 BuildArch:           noarch
 %description
 A low-level interface to a growing number of Amazon Web Services. The
@ -29,7 +31,7 @@ A low-level interface to a growing number of Amazon Web Services. The
 botocore package is the foundation for the AWS CLI as well as boto3.

 %prep
-%autosetup -n %{pypi_name}-%{version}
+%autosetup -n %{pypi_name}-%{version} -p1
 # unable to import "botocore". I'm not 100% sure why this happened but for now
 # just exclude this one test and run all the other functional tests.
 rm -vr tests/functional/leak
@ -51,6 +53,9 @@ nosetests-%{python3_version} unit functional
 %{python3_sitelib}/%{pypi_name}-*.egg-info/

 %changelog
+* Thu Mar 31 202 wulei <wulei80@huawei.com> - 1.20.26.2
+- Fix rejecting URLs with unsafe characters in is_valid_endpoint_url()
+
 * Mon Jul 26 2021 OpenStack_SIG <openstack@openeuler.org> - 1.20.26-1
 - update to 1.20.26