!11 Fix CVE-2024-42353

From: @starlet-dx 
Reviewed-by: @cherry530 
Signed-off-by: @cherry530

Adapt_py310.patch

@@ -0,0 +1,25 @@
+From ad952b384b2066d4424af8304444e23e95a2f646 Mon Sep 17 00:00:00 2001
+From: root <root@localhost.localdomain>
+Date: Wed, 2 Mar 2022 18:29:39 +0800
+Subject: [PATCH] to_adapt_py310
+
+---
+ tests/conftest.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/conftest.py b/tests/conftest.py
+index ec47c86..174aebf 100644
+--- a/tests/conftest.py
++++ b/tests/conftest.py
+@@ -60,7 +60,7 @@ def serve():
+             log.debug("shutting server down")
+             server.shutdown()
+             worker.join(1)
+-            if worker.isAlive():
++            if worker.is_alive():
+                 log.warning('worker is hanged')
+             else:
+                 log.debug("server stopped")
+-- 
+2.27.0
+

backport-CVE-2024-42353.patch

@@ -0,0 +1,48 @@
+From f689bcf4f0a1f64f1735b1d5069aef5be6974b5b Mon Sep 17 00:00:00 2001
+From: Delta Regeer <xistence@0x58.com>
+Date: Wed, 7 Aug 2024 11:15:35 -0600
+Subject: [PATCH] Add fix for open redirect
+
+---
+ src/webob/response.py  |  5 +++++
+ tests/test_response.py | 11 +++++++++++
+ 2 files changed, 16 insertions(+)
+
+diff --git a/src/webob/response.py b/src/webob/response.py
+index 2aad591c..efc38ecf 100644
+--- a/src/webob/response.py
++++ b/src/webob/response.py
+@@ -1284,6 +1284,11 @@ def _make_location_absolute(environ, value):
+         if SCHEME_RE.search(value):
+             return value
+ 
++        # This is to fix an open redirect issue due to the way that
++        # urlparse.urljoin works. See CVE-2024-42353 and
++        # https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3
++        if value.startswith("//"):
++            value = "/%2f{}".format(value[2:])
+         new_location = urlparse.urljoin(_request_uri(environ), value)
+         return new_location
+ 
+diff --git a/tests/test_response.py b/tests/test_response.py
+index 9d9f9d37..8a6ac06d 100644
+--- a/tests/test_response.py
++++ b/tests/test_response.py
+@@ -1031,6 +1031,17 @@ def test_location():
+     assert req.get_response(res).location == 'http://localhost/test2.html'
+ 
+ 
++def test_location_no_open_redirect():
++    # This is a test for a fix for CVE-2024-42353 and
++    # https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3
++    res = Response()
++    res.status = "301"
++    res.location = "//www.example.com/test"
++    assert res.location == "//www.example.com/test"
++    req = Request.blank("/")
++    assert req.get_response(res).location == "http://localhost/%2fwww.example.com/test"
++
++
+ @pytest.mark.xfail(sys.version_info < (3,0),
+                    reason="Python 2.x unicode != str, WSGI requires str. Test "
+                    "added due to https://github.com/Pylons/webob/issues/247. "

python-webob.spec

@@ -1,14 +1,16 @@
 Name:           python-webob
-Version:        1.8.2
+Version:        1.8.7
 Release:        3
 Summary:        WSGI request and response object
 License:        MIT
 URL:            http://pythonpaste.org/webob/
 Source0:        https://files.pythonhosted.org/packages/source/W/WebOb/WebOb-%{version}.tar.gz
+Patch0001:      Adapt_py310.patch
+# https://github.com/Pylons/webob/commit/f689bcf4f0a1f64f1735b1d5069aef5be6974b5b
+Patch3000:      backport-CVE-2024-42353.patch
 BuildArch:      noarch
 
-BuildRequires:  python2-devel, python2-setuptools, python2-nose, python2-pytest
-BuildRequires:  python3-devel, python3-setuptools, python3-nose, python3-pytest
+BuildRequires:  python3-devel, python3-pytest
 
 %description
 WebOb provides wrappers around the WSGI request environment,
@@ -16,19 +18,6 @@ and an object to help create WSGI responses. The objects map
 much of the specified behavior of HTTP, including header parsing
 and accessors for other standard parts of the environment.
 
-%package -n python2-webob
-%{?python_provide:%python_provide python2-webob}
-Summary:        WSGI request and response object
-Requires:       python2
-Provides:       python-webob1.2 = %{version}-%{release}
-Obsoletes:      python-webob1.2 < 1.2.3-7
-
-%description -n python2-webob
-WebOb provides wrappers around the WSGI request environment,
-and an object to help create WSGI responses. The objects map
-much of the specified behavior of HTTP, including header parsing
-and accessors for other standard parts of the environment.
-
 %package -n python3-webob
 %{?python_provide:%python_provide python3-webob}
 Summary:        WSGI request and response object
@@ -49,29 +38,32 @@ rm -rf docs/_static/.empty
 mv docs/license.txt license.txt
 
 %build
-%py2_build
 %py3_build
 
 %install
 %py3_install
-%py2_install
 
 %check
-export PYTHONPATH=$RPM_BUILD_ROOT%{python2_sitelib}
-py.test tests
 export PYTHONPATH=$RPM_BUILD_ROOT%{python3_sitelib}
 py.test-3 tests
 
-%files -n python2-webob
-%license license.txt
-%doc docs/*
-%{python2_sitelib}/*
-
 %files -n python3-webob
 %license license.txt
 %doc docs/*
 %{python3_sitelib}/*
 
 %changelog
+* Thu Aug 15 2024 yaoxin <yao_xin001@hoperun.com> - 1.8.7-3
+- Fix CVE-2024-42353
+
+* Wed Mar 02 2022 zhaoshuang <zhaoshuang@uniontech.com> - 1.8.7-2
+- remove some unnecessary buildrequirements
+
+* Thu Aug 05 2021 liusheng <liusheng2048@gmail.com> - 1.8.7-1
+- Upgrade to version 1.8.7
+
+* Thu Oct 29 2020 xinghe <xinghe1@huawei.com> - 1.8.2-4
+- remove python2 dependency
+
 * Fri Feb 14 2020 Ruijun Ge <geruijun@huawei.com> - 1.8.2-3
 - init package

python-webob.yaml

@@ -0,0 +1,4 @@
+version_control: pypi
+src_repo: webob
+tag_pattern: ^v
+seperator: .