From 947ad8a5a0c33ebc9efe35565e2fdd9538fd172b Mon Sep 17 00:00:00 2001
From: wangxiao65 <287608437@qq.com>
Date: Mon, 20 Jul 2020 15:55:11 +0800
Subject: [PATCH] fix CVE-2020-11078
---
 CVE-2020-11078.patch | 46 ++++++++++++++++++++++++++++++++++++++++++++
 python-httplib2.spec | 6 +++++-
 2 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2020-11078.patch
diff --git a/CVE-2020-11078.patch b/CVE-2020-11078.patch
new file mode 100644
index 0000000..0b8a386
--- /dev/null
+++ b/CVE-2020-11078.patch
@@ -0,0 +1,46 @@
+From a1457cc31f3206cf691d11d2bf34e98865873e9e Mon Sep 17 00:00:00 2001
+From: Sergey Shepelev
+Date: Wed, 20 May 2020 14:56:12 +0300
+Subject: [PATCH] IMPORTANT security vulnerability CWE-93 CRLF injection
+
+Force %xx quote of space, CR, LF characters in uri.
+
+Special thanks to Recar https://github.com/Ciyfly for discrete notification.
+
+https://cwe.mitre.org/data/definitions/93.html
+---
+ python2/httplib2/__init__.py | 3 +++
+ python3/httplib2/__init__.py | 3 +++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/python2/httplib2/__init__.py b/python2/httplib2/__init__.py
+index 97e06c1..34281b7 100644
+--- a/python2/httplib2/__init__.py
++++ b/python2/httplib2/__init__.py
+@@ -1985,6 +1985,9 @@ class Http(object):
+ headers["user-agent"] = "Python-httplib2/%s (gzip)" % __version__
+
+ uri = iri2uri(uri)
++ # Prevent CWE-75 space injection to manipulate request via part of uri.
++ # Prevent CWE-93 CRLF injection to modify headers via part of uri.
++ uri = uri.replace(" ", "%20").replace("\r", "%0D").replace("\n", "%0A")
+
+ (scheme, authority, request_uri, defrag_uri) = urlnorm(uri)
+
+diff --git a/python3/httplib2/__init__.py b/python3/httplib2/__init__.py
+index 8785cc1..c0b1418 100644
+--- a/python3/httplib2/__init__.py
++++ b/python3/httplib2/__init__.py
+@@ -1790,6 +1790,9 @@ a string that contains the response entity body.
+ headers["user-agent"] = "Python-httplib2/%s (gzip)" % __version__
+
+ uri = iri2uri(uri)
++ # Prevent CWE-75 space injection to manipulate request via part of uri.
++ # Prevent CWE-93 CRLF injection to modify headers via part of uri.
++ uri = uri.replace(" ", "%20").replace("\r", "%0D").replace("\n", "%0A")
+
+ (scheme, authority, request_uri, defrag_uri) = urlnorm(uri)
+
+--
+2.23.0
+
diff --git a/python-httplib2.spec b/python-httplib2.spec
index 0e16205..6fc0d29 100644
--- a/python-httplib2.spec
+++ b/python-httplib2.spec
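Review bot: The quoting added at `uri = uri.replace(" ", "%20").replace("\r", "%0D").replace("\n", "%0A")` in the python2/ hunk (and identically in the python3/ hunk) covers only SP, CR and LF; other ASCII control characters such as TAB, VT, FF, NUL and DEL still come out of `iri2uri` unquoted and reach the request line and header values, so a caller that builds the URI from untrusted input keeps a residual exposure to the request-manipulation class this patch addresses. As far as I recall, recent CPython http.client rejects any character in the `[\x00-\x20\x7f]` range in the URL with InvalidURL, which narrows the gap on the python3 tree, but the python2 tree (httplib) has no such check. Because this file is a verbatim backport of the upstream commit, diverging from it is the maintainer's call; at minimum add a comment after the replace chain such as `# NOTE: only SP/CR/LF are quoted here; other C0 controls and DEL are not rejected by httplib2 itself` so the residual gap is visible to whoever next touches it. The enclosing method (presumably Http.request) begins and ends outside the hunk.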
@@ -1,10 +1,11 @@
 Name: python-httplib2
 Version: 0.13.1
-Release: 4
+Release: 5
 Summary: Small, fast HTTP client library for Python.
 License: MIT
 URL: https://github.com/httplib2/httplib2
 Source0: https://files.pythonhosted.org/packages/78/23/bb9606e87a66fd8c72a2b1a75b049d3859a122bc2648915be845bc44e04f/httplib2-0.13.1.tar.gz
+Patch0001: CVE-2020-11078.patch
 BuildRequires: python2-setuptools python2-devel
@@ -71,6 +72,9 @@ popd
 %endif
 %changelog
+* Mon Jul 20 2020 wangxiao - 0.13.1-5
+- fix CVE-2020-11078
+
 * Tue Jan 14 2020 openEuler Buildteam - 0.13.1-4
 - Delete the useless patch
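Review bot: `+Patch0001: CVE-2020-11078.patch` only declares the patch source; whether rpmbuild actually applies it depends on the %prep section, which lies outside this hunk. If %prep still uses a plain `%setup` with neither `%autosetup -p1` nor an explicit `%patch` line for patch 1, the build succeeds and ships the unpatched httplib2 while the new changelog entry claims the fix — please confirm %prep applies it, or switch to `%autosetup -n httplib2-%{version} -p1`. The patch touches both python2/httplib2/__init__.py and python3/httplib2/__init__.py, so it relies on the 0.13.1 tarball shipping both trees; a rejected hunk would abort the build, which is the behaviour you want, so no further guard is needed once the patch is applied.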