!3 fix CVE-2020-28473
From: @zhanghua1831 Reviewed-by: @wangxiao65,@small_leek Signed-off-by: @small_leek
commit
bdd8181008
27
CVE-2020-28473.patch
Normal file
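--- /dev/null
+++ b/CVE-2020-28473.patch
@@ -0,0 +1,27 @@
+From 57a2f22e0c1d2b328c4f54bf75741d74f47f1a6b Mon Sep 17 00:00:00 2001
+From: Marcel Hellkamp <marc@gsites.de>
+Date: Wed, 11 Nov 2020 19:24:29 +0100
+Subject: [PATCH] Do not split query strings on `;` anymore.
+
+Using `;` as a separator instead of `&` was allowed a long time ago,
+but is now obsolete and actually invalid according to the 2014 W3C
+recommendations. Even if this change is technically backwards-incompatible,
+no real-world application should depend on broken behavior. If you REALLY
+need this functionality, monkey-patch the _parse_qsl() function.
+---
+bottle.py | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bottle.py b/bottle.py
+index bcfc5e62..417b01b9 100644
+--- a/bottle.py
++++ b/bottle.py
+@@ -2585,7 +2585,7 @@ def parse_range_header(header, maxlen=0):
+
+def _parse_qsl(qs):
+r = []
+- for pair in qs.replace(';','&').split('&'):
++ for pair in qs.split('&'):
+if not pair: continue
+nv = pair.split('=', 1)
+if len(nv) != 2: nv.append('')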
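Review bot: The embedded hunk is the upstream master commit (its header reads `@@ -2585,7 +2585,7 @@ def parse_range_header`), while this package is bottle 0.12.13, where `_parse_qsl` lives at a different line; `patch -p1` under `%autosetup` tolerates an offset but not a context mismatch, so the build log should be checked for fuzz or a rejected hunk, and if it does not apply cleanly the fix should be re-taken from the 0.12 maintenance branch rather than forced. The security point of the one-line change is that a front-end cache or proxy that only knows `&` and a backend that also splits on `;` disagree about where a parameter ends, which is what lets an attacker smuggle a parameter past the front-end (the cache-poisoning class this CVE describes); as far as I recall the 0.12 code, `_parse_qsl` also serves urlencoded form bodies, so the fix covers both — worth confirming. Nothing in the patch asserts the new behaviour; the two checks I would add to the package's test run are `assert _parse_qsl('a=1;b=2') == [('a', '1;b=2')]` and `assert _parse_qsl('a=1&b=2') == [('a', '1'), ('b', '2')]`, which together prove the backport took effect and did not break the `&` path. The body of `_parse_qsl` continues past the end of the hunk.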
@ -1,10 +1,11 @@
|
||||
Name: python-bottle
|
||||
Version: 0.12.13
|
||||
Release: 8
|
||||
Release: 9
|
||||
Summary: WSGI micro web-framework for Python.
|
||||
License: MIT
|
||||
URL: https://github.com/bottlepy/bottle
|
||||
Source0: https://github.com/bottlepy/bottle/archive/%{version}/bottle-%{version}.tar.gz
|
||||
Patch0000: CVE-2020-28473.patch
|
||||
BuildArch: noarch
|
||||
BuildRequires: python3-devel python3-setuptools
|
||||
|
||||
@ -23,7 +24,7 @@ It is distributed as a single file module and has no dependencies other than
|
||||
the Python Standard Library.
|
||||
|
||||
%prep
|
||||
%autosetup -n bottle-%{version}
|
||||
%autosetup -n bottle-%{version} -p1
|
||||
sed -i '/^#!/d' bottle.py
|
||||
|
||||
%build
|
||||
@ -42,6 +43,9 @@ sed -i '/^#!/d' bottle.py
|
||||
%exclude %{_bindir}/bottle.py
|
||||
|
||||
%changelog
|
||||
* Fri Feb 19 2021 zhanghua <zhanghua40@huawei.com> - 0.12.13-9
|
||||
- fix CVE-2020-28473
|
||||
|
||||
* Wed Oct 21 2020 chengzihan <chengzihan2@huawei.com> - 0.12.13-8
|
||||
- Modify url and remove subpackage python2-bottle
|
||||
|
||||
|
||||
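Review bot: The changelog line `- fix CVE-2020-28473` hides that this is a user-visible behaviour change in a stable package — query strings are no longer split on `;` — so an operator reading the changelog cannot tell whether their application is affected; I would write it as `- fix CVE-2020-28473: stop splitting query strings on ';' (backport of upstream 57a2f22e)`. The `Patch0000:` line and `-p1` are the right mechanics, but none of the hunks shown exercises the patched function; if the spec has no `%check`, a one-liner run from the build tree such as `python3 -c "import bottle; assert bottle._parse_qsl('a=1;b=2') == [('a', '1;b=2')]"` would catch a patch that was silently dropped or applied to the wrong function. The rest of the spec, including any existing `%check`, is outside these hunks.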