!25 Upgrade version to 6.3.2

From: @ysliuci Reviewed-by: @caodongxia Signed-off-by: @caodongxia
2023-07-31 03:46:40 +00:00 · 2023-07-31 03:46:40 +00:00 · 238326ea1d
commit 238326ea1d
parent 635bea07ad 291296c25f
4 changed files with 6 additions and 39 deletions
--- a/CVE-2023-28370.patch
+++ b/CVE-2023-28370.patch
@ -1,35 +0,0 @@
-From 32ad07c54e607839273b4e1819c347f5c8976b2f Mon Sep 17 00:00:00 2001
-From: Ben Darnell <ben@bendarnell.com>
-Date: Sat, 13 May 2023 20:58:52 -0400
-Subject: [PATCH] web: Fix an open redirect in StaticFileHandler
-
-Under some configurations the default_filename redirect could be exploited
-to redirect to an attacker-controlled site. This change refuses to redirect
-to URLs that could be misinterpreted.
-
-A test case for the specific vulnerable configuration will follow after the
-patch has been available.
---
- tornado/web.py | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/tornado/web.py b/tornado/web.py
-index 3b676e3c2..565140493 100644
--- a/tornado/web.py
-+++ b/tornado/web.py
-@@ -2879,6 +2879,15 @@ def validate_absolute_path(self, root: str, absolute_path: str) -> Optional[str]
-             # but there is some prefix to the path that was already
-             # trimmed by the routing
-             if not self.request.path.endswith("/"):
-+                if self.request.path.startswith("//"):
-+                    # A redirect with two initial slashes is a "protocol-relative" URL.
-+                    # This means the next path segment is treated as a hostname instead
-+                    # of a part of the path, making this effectively an open redirect.
-+                    # Reject paths starting with two slashes to prevent this.
-+                    # This is only reachable under certain configurations.
-+                    raise HTTPError(
-+                        403, "cannot redirect path with two initial slashes"
-+                    )
-                 self.redirect(self.request.path + "/", permanent=True)
-                 return None
-             absolute_path = os.path.join(absolute_path, self.default_filename)
--- a/python-tornado.spec
+++ b/python-tornado.spec
@ -1,12 +1,11 @@
 %global _empty_manifest_terminate_build 0
 Name:		python-tornado
-Version:	6.1
-Release:	2
+Version:	6.3.2
+Release:	1
 Summary:	Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.
 License:	ASL 2.0
 URL:		http://www.tornadoweb.org/
-Source0:	https://files.pythonhosted.org/packages/cf/44/cc9590db23758ee7906d40cacff06c02a21c2a6166602e095a56cbf2f6f6/tornado-6.1.tar.gz
-Patch0:         CVE-2023-28370.patch
+Source0:	https://files.pythonhosted.org/packages/30/f0/6e5d85d422a26fd696a1f2613ab8119495c1ebb8f49e29f428d15daf79cc/tornado-6.3.2.tar.gz

 %description
 Tornado is an open source version of the scalable, non-blocking web server and tools.
@ -73,6 +72,9 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*

 %changelog
+* Thu Jul 13 2023 liuyongshuai <ysliuci@isoftstone.com> - 6.3.2-1
+- Upgrade version to 6.3.2-1
+
 * Fri Jun 16 2023 yaoxin <yao_xin001@hoperun.com> - 6.1-2
 - Fix CVE-2023-28370

--- a/tornado-6.1.tar.gz
+++ b/tornado-6.1.tar.gz
--- a/tornado-6.3.2.tar.gz
+++ b/tornado-6.3.2.tar.gz