diff --git a/backport-Add-check-of-performance-of-ipv6-check.patch b/backport-Add-check-of-performance-of-ipv6-check.patch
deleted file mode 100644
index 177697b..0000000
--- a/backport-Add-check-of-performance-of-ipv6-check.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From e514826eea15f2b62bbc13da407b71552ef5ff4c Mon Sep 17 00:00:00 2001
-From: Jonathan Huot
-Date: Fri, 2 Sep 2022 23:22:17 +0200
-Subject: [PATCH] Add check of performance of ipv6 check
-
----
- tests/test_uri_validate.py | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/tests/test_uri_validate.py b/tests/test_uri_validate.py
-index 3489d95..1ef8b1f 100644
---- a/tests/test_uri_validate.py
-+++ b/tests/test_uri_validate.py
-@@ -31,3 +31,11 @@ class UriValidateTest(TestCase):
- self.assertIsNone(is_absolute_uri('wrong'))
- self.assertIsNone(is_absolute_uri('http://[:1]:38432/path'))
- self.assertIsNone(is_absolute_uri('http://[abcd:efgh::1]/'))
-+
-+ def test_recursive_regex(self):
-+ from datetime import datetime
-+ t0 = datetime.now()
-+ self.assertIsNone(is_absolute_uri('http://[::::::::::::::::::::::::::]/path'))
-+ t1 = datetime.now()
-+ spent = t1 - t0
-+ self.assertGreater(0.1, spent.total_seconds(), "possible recursive loop detected")
---
-2.33.0
-
diff --git a/backport-CVE-2022-36087.patch b/backport-CVE-2022-36087.patch
deleted file mode 100644
index c8c5ceb..0000000
--- a/backport-CVE-2022-36087.patch
+++ /dev/null
@@ -1,115 +0,0 @@
-From 5d85c61998692643dd9d17e05d2646e06ce391e8 Mon Sep 17 00:00:00 2001
-From: Jonathan Huot
-Date: Tue, 6 Sep 2022 21:56:40 +0200
-Subject: [PATCH] Fix IPV6 regex used to check redirect_uri
-
----
- oauthlib/uri_validate.py | 2 +-
- tests/test_uri_validate.py | 51 +++++++++++++++++++++++++++++++++++---
- 2 files changed, 48 insertions(+), 5 deletions(-)
-
-diff --git a/oauthlib/uri_validate.py b/oauthlib/uri_validate.py
-index 8a6d9c2..a6fe0fb 100644
---- a/oauthlib/uri_validate.py
-+++ b/oauthlib/uri_validate.py
-@@ -66,7 +66,7 @@ IPv4address = r"%(dec_octet)s \. %(dec_octet)s \. %(dec_octet)s \. %(dec_octet)s
- )
-
- # IPv6address
--IPv6address = r"([A-Fa-f0-9:]+:+)+[A-Fa-f0-9]+"
-+IPv6address = r"([A-Fa-f0-9:]+[:$])[A-Fa-f0-9]{1,4}"
-
- # IPvFuture = "v" 1*HEXDIG "." 1*( unreserved / sub-delims / ":" )
- IPvFuture = r"v %(HEXDIG)s+ \. (?: %(unreserved)s | %(sub_delims)s | : )+" % locals()
-diff --git a/tests/test_uri_validate.py b/tests/test_uri_validate.py
-index 1ef8b1f..6a9f8ea 100644
---- a/tests/test_uri_validate.py
-+++ b/tests/test_uri_validate.py
-@@ -1,4 +1,4 @@
--import oauthlib
-+import unittest
- from oauthlib.uri_validate import is_absolute_uri
-
- from tests.unittest import TestCase
-@@ -7,7 +7,6 @@ from tests.unittest import TestCase
- class UriValidateTest(TestCase):
-
- def test_is_absolute_uri(self):
--
- self.assertIsNotNone(is_absolute_uri('schema://example.com/path'))
- self.assertIsNotNone(is_absolute_uri('https://example.com/path'))
- self.assertIsNotNone(is_absolute_uri('https://example.com'))
-@@ -17,16 +16,60 @@ class UriValidateTest(TestCase):
- self.assertIsNotNone(is_absolute_uri('http://example.com'))
- self.assertIsNotNone(is_absolute_uri('http://example.com/path'))
- self.assertIsNotNone(is_absolute_uri('http://example.com:80/path'))
-- self.assertIsNotNone(is_absolute_uri('com.example.bundle.id:/'))
-+
-+ def test_query(self):
-+ self.assertIsNotNone(is_absolute_uri('http://example.com:80/path?foo'))
-+ self.assertIsNotNone(is_absolute_uri('http://example.com:80/path?foo=bar'))
-+ self.assertIsNotNone(is_absolute_uri('http://example.com:80/path?foo=bar&fruit=banana'))
-+
-+ def test_fragment_forbidden(self):
-+ self.assertIsNone(is_absolute_uri('http://example.com:80/path#foo'))
-+ self.assertIsNone(is_absolute_uri('http://example.com:80/path#foo=bar'))
-+ self.assertIsNone(is_absolute_uri('http://example.com:80/path#foo=bar&fruit=banana'))
-+
-+ def test_combined_forbidden(self):
-+ self.assertIsNone(is_absolute_uri('http://example.com:80/path?foo#bar'))
-+ self.assertIsNone(is_absolute_uri('http://example.com:80/path?foo&bar#fruit'))
-+ self.assertIsNone(is_absolute_uri('http://example.com:80/path?foo=1&bar#fruit=banana'))
-+ self.assertIsNone(is_absolute_uri('http://example.com:80/path?foo=1&bar=2#fruit=banana&bar=foo'))
-+
-+ def test_custom_scheme(self):
-+ self.assertIsNotNone(is_absolute_uri('com.example.bundle.id://'))
-+
-+ def test_ipv6_bracket(self):
- self.assertIsNotNone(is_absolute_uri('http://[::1]:38432/path'))
- self.assertIsNotNone(is_absolute_uri('http://[::1]/path'))
- self.assertIsNotNone(is_absolute_uri('http://[fd01:0001::1]/path'))
- self.assertIsNotNone(is_absolute_uri('http://[fd01:1::1]/path'))
- self.assertIsNotNone(is_absolute_uri('http://[0123:4567:89ab:cdef:0123:4567:89ab:cdef]/path'))
-+ self.assertIsNotNone(is_absolute_uri('http://[0123:4567:89ab:cdef:0123:4567:89ab:cdef]:8080/path'))
-+
-+ @unittest.skip("ipv6 edge-cases not supported")
-+ def test_ipv6_edge_cases(self):
-+ self.assertIsNotNone(is_absolute_uri('http://2001:db8::'))
-+ self.assertIsNotNone(is_absolute_uri('http://::1234:5678'))
-+ self.assertIsNotNone(is_absolute_uri('http://2001:db8::1234:5678'))
-+ self.assertIsNotNone(is_absolute_uri('http://2001:db8:3333:4444:5555:6666:7777:8888'))
-+ self.assertIsNotNone(is_absolute_uri('http://2001:db8:3333:4444:CCCC:DDDD:EEEE:FFFF'))
-+ self.assertIsNotNone(is_absolute_uri('http://0123:4567:89ab:cdef:0123:4567:89ab:cdef/path'))
-+ self.assertIsNotNone(is_absolute_uri('http://::'))
-+ self.assertIsNotNone(is_absolute_uri('http://2001:0db8:0001:0000:0000:0ab9:C0A8:0102'))
-+
-+ @unittest.skip("ipv6 dual ipv4 not supported")
-+ def test_ipv6_dual(self):
-+ self.assertIsNotNone(is_absolute_uri('http://2001:db8:3333:4444:5555:6666:1.2.3.4'))
-+ self.assertIsNotNone(is_absolute_uri('http://::11.22.33.44'))
-+ self.assertIsNotNone(is_absolute_uri('http://2001:db8::123.123.123.123'))
-+ self.assertIsNotNone(is_absolute_uri('http://::1234:5678:91.123.4.56'))
-+ self.assertIsNotNone(is_absolute_uri('http://::1234:5678:1.2.3.4'))
-+ self.assertIsNotNone(is_absolute_uri('http://2001:db8::1234:5678:5.6.7.8'))
-+
-+ def test_ipv4(self):
- self.assertIsNotNone(is_absolute_uri('http://127.0.0.1:38432/'))
- self.assertIsNotNone(is_absolute_uri('http://127.0.0.1:38432/'))
- self.assertIsNotNone(is_absolute_uri('http://127.1:38432/'))
-
-+ def test_failures(self):
- self.assertIsNone(is_absolute_uri('http://example.com:notaport/path'))
- self.assertIsNone(is_absolute_uri('wrong'))
- self.assertIsNone(is_absolute_uri('http://[:1]:38432/path'))
-@@ -35,7 +78,7 @@ class UriValidateTest(TestCase):
- def test_recursive_regex(self):
- from datetime import datetime
- t0 = datetime.now()
-- self.assertIsNone(is_absolute_uri('http://[::::::::::::::::::::::::::]/path'))
-+ is_absolute_uri('http://[::::::::::::::::::::::::::]/path')
- t1 = datetime.now()
- spent = t1 - t0
- self.assertGreater(0.1, spent.total_seconds(), "possible recursive loop detected")
---
-2.33.0
-
diff --git a/oauthlib-3.2.0.tar.gz b/oauthlib-3.2.0.tar.gz
deleted file mode 100644
index abaa16b..0000000
Binary files a/oauthlib-3.2.0.tar.gz and /dev/null differ
diff --git a/oauthlib-3.2.2.tar.gz b/oauthlib-3.2.2.tar.gz
new file mode 100644
index 0000000..9693e9c
Binary files /dev/null and b/oauthlib-3.2.2.tar.gz differ
diff --git a/python-oauthlib.spec b/python-oauthlib.spec index 296aadf..1a89f60 100644 --- a/python-oauthlib.spec +++ b/python-oauthlib.spec @@ -1,14 +1,11 @@ %global _empty_manifest_terminate_build 0 Name: python-oauthlib -Version: 3.2.0 -Release: 2 +Version: 3.2.2 +Release: 1 Summary: A generic, spec-compliant, thorough implementation of the OAuth request-signing logic License: BSD URL: https://github.com/oauthlib/oauthlib -Source0: https://files.pythonhosted.org/packages/6e/7e/a43cec8b2df28b6494a865324f0ac4be213cb2edcf1e2a717547a93279b0/oauthlib-3.2.0.tar.gz - -Patch6000: backport-Add-check-of-performance-of-ipv6-check.patch -Patch6001: backport-CVE-2022-36087.patch +Source0: https://github.com/oauthlib/oauthlib/archive/refs/tags/v%{version}.tar.gz#/oauthlib-%{version}.tar.gz BuildArch: noarch %description @@ -102,6 +99,12 @@ mv %{buildroot}/doclist.lst . %{_docdir}/* %changelog +* Thu Jan 19 2023 Zhipeng Xie - 3.2.2-1 +- Type: requirement +- CVE: NA +- SUG: NA +- DESC: update to 3.2.2 + * Mon Sep 26 2022 zhuofeng - 3.2.0-2 - Type:CVE - CVE:CVE-2022-36087
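Review bot: Dropping `Patch6001: backport-CVE-2022-36087.patch` in the first spec hunk is only safe if the 3.2.2 tarball already carries that fix, and nothing on this page shows that it does. Before merging, confirm that `oauthlib/uri_validate.py` in the new source no longer contains the old `IPv6address = r"([A-Fa-f0-9:]+:+)+[A-Fa-f0-9]+"` pattern that the deleted backport replaced. The new changelog entry says `- CVE: NA`, which hides that a CVE fix moved from a local patch into the upstream release; a line such as `- DESC: update to 3.2.2, drop backport-CVE-2022-36087.patch (fix included upstream)` would keep that traceable once verified. Source0 also moves from the PyPI sdist to a GitHub tag archive, so the committed `oauthlib-3.2.2.tar.gz` should be checked against a digest obtained independently of that URL.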