CVE-2020-28473
parent b0f9ce6cd5
commit 0b8d00678f
CVE-2020-28473.patch (new file, 27 lines)
@ -0,0 +1,27 @@
From 57a2f22e0c1d2b328c4f54bf75741d74f47f1a6b Mon Sep 17 00:00:00 2001
From: Marcel Hellkamp <marc@gsites.de>
Date: Wed, 11 Nov 2020 19:24:29 +0100
Subject: [PATCH] Do not split query strings on `;` anymore.
Using `;` as a separator instead of `&` was allowed a long time ago,
but is now obsolete and actually invalid according to the 2014 W3C
recommendations. Even if this change is technically backwards-incompatible,
no real-world application should depend on broken behavior. If you REALLY
need this functionality, monkey-patch the _parse_qsl() function.
---
bottle.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bottle.py b/bottle.py
index bcfc5e62..417b01b9 100644
--- a/bottle.py
+++ b/bottle.py
@@ -2585,7 +2585,7 @@ def parse_range_header(header, maxlen=0):
def _parse_qsl(qs):
r = []
- for pair in qs.replace(';','&').split('&'):
+ for pair in qs.split('&'):
if not pair: continue
nv = pair.split('=', 1)
if len(nv) != 2: nv.append('')
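Review bot: the replaced line changes observable parsing, because with `qs.split('&')` a literal `;` now stays inside the preceding value (`a=1;b=2` goes from two pairs to the single pair `('a', '1;b=2')`), yet the stat block lists only `bottle.py | 2 +-` and `1 file changed`, so nothing in the patch pins the new behaviour; add a regression test next to this hunk covering `a=1;b=2` (one pair), `a=1&b=2` (unchanged) and `a=1&&b=2` (the retained `if not pair: continue` still skips the empty segment), so the backport cannot silently regress to the old splitting.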
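The behaviour change described in the commit message above, shown as an added example (this is not code from bottle, from the patch, or from this package): the two splitting loops reproduce the one-line difference in the hunk and are run over constructed query strings. The percent/`+` decoding applied after splitting is an assumption about the rest of `_parse_qsl()`, which the hunk does not show.

```python
"""Old vs. new query-string splitting, modelled on the bottle.py hunk above.

Added example, not code from bottle or from this package. The two splitter
functions reproduce the one-line difference in the patch; the percent/plus
decoding step after splitting is an assumption about the rest of
_parse_qsl(), which the hunk does not show.
"""
from urllib.parse import unquote_plus


def _pairs(qs, separators):
    """Split a raw query string into (name, value) tuples.

    `separators` lists every character treated as a pair delimiter. The
    rest of the loop follows the hunk: skip empty segments, split each
    segment on the first '=', and give a missing value the empty string.
    """
    for sep in separators[1:]:
        qs = qs.replace(sep, separators[0])   # the old code's qs.replace(';', '&')
    r = []
    for pair in qs.split(separators[0]):
        if not pair:
            continue
        nv = pair.split('=', 1)
        if len(nv) != 2:
            nv.append('')
        # Assumed decoding step: percent-escapes and '+' are resolved only
        # after splitting, so an encoded %3B never acts as a separator.
        r.append((unquote_plus(nv[0]), unquote_plus(nv[1])))
    return r


def parse_qsl_old(qs):
    """Pre-patch behaviour: both '&' and ';' separate pairs."""
    return _pairs(qs, ['&', ';'])


def parse_qsl_new(qs):
    """Post-patch behaviour: only '&' separates pairs."""
    return _pairs(qs, ['&'])


def compare(qs):
    """Return (old, new) parses so the difference can be inspected side by side."""
    return parse_qsl_old(qs), parse_qsl_new(qs)


# Constructed inputs (not from the page) covering the cases that matter.
SAMPLES = [
    "a=1&b=2",       # plain: identical before and after
    "a=1;b=2",       # literal ';': two pairs before, one pair after
    "a=1&&b=2",      # empty segment is skipped either way
    "a=1%3Bb=2",     # encoded ';': decoded after splitting, one pair either way
    "flag&x=y",      # missing '=' yields an empty value
]

if __name__ == "__main__":
    for qs in SAMPLES:
        old, new = compare(qs)
        marker = "DIFFERS" if old != new else "same   "
        print(f"{marker} {qs!r:14} old={old} new={new}")
```

Only the second sample differs between the two versions; an encoded `%3B` is preserved in the value by both, which is why the commit message can call the literal-`;` behaviour obsolete without affecting properly encoded requests.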
@ -1,10 +1,11 @@
Name: python-bottle
Version: 0.12.13
Release: 8
Release: 9
Summary: WSGI micro web-framework for Python.
License: MIT
URL: https://github.com/bottlepy/bottle
Source0: https://github.com/bottlepy/bottle/archive/%{version}/bottle-%{version}.tar.gz
Patch0000: CVE-2020-28473.patch
BuildArch: noarch
BuildRequires: python3-devel python3-setuptools
@ -23,7 +24,7 @@ It is distributed as a single file module and has no dependencies other than
the Python Standard Library.
%prep
%autosetup -n bottle-%{version}
%autosetup -n bottle-%{version} -p1
sed -i '/^#!/d' bottle.py
%build
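Review bot: the `-p1` added to `%autosetup -n bottle-%{version}` is what makes Patch0000 apply, because CVE-2020-28473.patch carries `a/bottle.py` and `b/bottle.py` headers; if the patch is ever regenerated with a different prefix depth this flag has to change with it, so a one-line comment above `%prep` stating that dependency would save the next maintainer a failed build.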
@ -42,6 +43,9 @@ sed -i '/^#!/d' bottle.py
%exclude %{_bindir}/bottle.py
%changelog
* Fri Feb 19 2021 zhanghua <zhanghua40@huawei.com> - 0.12.13-9
- fix CVE-2020-28473
* Wed Oct 21 2020 chengzihan <chengzihan2@huawei.com> - 0.12.13-8
- Modify url and remove subpackage python2-bottle
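Review bot: the new entry `- fix CVE-2020-28473` under `0.12.13-9` names the CVE only; adding the upstream commit id from the patch header (57a2f22e0c1d) or the behaviour change itself (query strings are no longer split on `;`) would make the backport traceable from the changelog without opening the patch, which matters for anyone auditing what a `-9` rebuild actually changed.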