6 changed files with 25 additions and 94 deletions
--- a/Adapt_py310.patch
+++ b/Adapt_py310.patch
@ -1,25 +0,0 @@
 From ad952b384b2066d4424af8304444e23e95a2f646 Mon Sep 17 00:00:00 2001
 From: root <root@localhost.localdomain>
 Date: Wed, 2 Mar 2022 18:29:39 +0800
 Subject: [PATCH] to_adapt_py310
 ---
 tests/conftest.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/tests/conftest.py b/tests/conftest.py
 index ec47c86..174aebf 100644
 --- a/tests/conftest.py
 +++ b/tests/conftest.py
@@ -60,7 +60,7 @@ def serve():
             log.debug("shutting server down")
             server.shutdown()
             worker.join(1)
 -            if worker.isAlive():
 +            if worker.is_alive():
                 log.warning('worker is hanged')
             else:
                 log.debug("server stopped")
 -- 
 2.27.0
--- a/WebOb-1.8.2.tar.gz
+++ b/WebOb-1.8.2.tar.gz
--- a/WebOb-1.8.7.tar.gz
+++ b/WebOb-1.8.7.tar.gz
--- a/backport-CVE-2024-42353.patch
+++ b/backport-CVE-2024-42353.patch
@ -1,48 +0,0 @@
 From f689bcf4f0a1f64f1735b1d5069aef5be6974b5b Mon Sep 17 00:00:00 2001
 From: Delta Regeer <xistence@0x58.com>
 Date: Wed, 7 Aug 2024 11:15:35 -0600
 Subject: [PATCH] Add fix for open redirect
 ---
 src/webob/response.py  |  5 +++++
 tests/test_response.py | 11 +++++++++++
 2 files changed, 16 insertions(+)
 diff --git a/src/webob/response.py b/src/webob/response.py
 index 2aad591c..efc38ecf 100644
 --- a/src/webob/response.py
 +++ b/src/webob/response.py
@@ -1284,6 +1284,11 @@ def _make_location_absolute(environ, value):
         if SCHEME_RE.search(value):
             return value
 +        # This is to fix an open redirect issue due to the way that
 +        # urlparse.urljoin works. See CVE-2024-42353 and
 +        # https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3
 +        if value.startswith("//"):
 +            value = "/%2f{}".format(value[2:])
         new_location = urlparse.urljoin(_request_uri(environ), value)
         return new_location
 diff --git a/tests/test_response.py b/tests/test_response.py
 index 9d9f9d37..8a6ac06d 100644
 --- a/tests/test_response.py
 +++ b/tests/test_response.py
@@ -1031,6 +1031,17 @@ def test_location():
     assert req.get_response(res).location == 'http://localhost/test2.html'
 +def test_location_no_open_redirect():
 +    # This is a test for a fix for CVE-2024-42353 and
 +    # https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3
 +    res = Response()
 +    res.status = "301"
 +    res.location = "//www.example.com/test"
 +    assert res.location == "//www.example.com/test"
 +    req = Request.blank("/")
 +    assert req.get_response(res).location == "http://localhost/%2fwww.example.com/test"
 +
 +
 @pytest.mark.xfail(sys.version_info < (3,0),
                    reason="Python 2.x unicode != str, WSGI requires str. Test "
                    "added due to https://github.com/Pylons/webob/issues/247. "
--- a/python-webob.spec
+++ b/python-webob.spec
@ -1,16 +1,14 @@
 Name:           python-webob
-Version:        1.8.7
+Version:        1.8.2
 Release:        3
 Summary:        WSGI request and response object
 License:        MIT
 URL:            http://pythonpaste.org/webob/
 Source0:        https://files.pythonhosted.org/packages/source/W/WebOb/WebOb-%{version}.tar.gz
 Patch0001:      Adapt_py310.patch
 # https://github.com/Pylons/webob/commit/f689bcf4f0a1f64f1735b1d5069aef5be6974b5b
 Patch3000:      backport-CVE-2024-42353.patch
 BuildArch:      noarch
-BuildRequires:  python3-devel, python3-pytest
+BuildRequires:  python2-devel, python2-setuptools, python2-nose, python2-pytest
 BuildRequires:  python3-devel, python3-setuptools, python3-nose, python3-pytest
 %description
 WebOb provides wrappers around the WSGI request environment,
@ -18,6 +16,19 @@ and an object to help create WSGI responses. The objects map
 much of the specified behavior of HTTP, including header parsing
 and accessors for other standard parts of the environment.
 %package -n python2-webob
 %{?python_provide:%python_provide python2-webob}
 Summary:        WSGI request and response object
 Requires:       python2
 Provides:       python-webob1.2 = %{version}-%{release}
 Obsoletes:      python-webob1.2 < 1.2.3-7
 %description -n python2-webob
 WebOb provides wrappers around the WSGI request environment,
 and an object to help create WSGI responses. The objects map
 much of the specified behavior of HTTP, including header parsing
 and accessors for other standard parts of the environment.
 %package -n python3-webob
 %{?python_provide:%python_provide python3-webob}
 Summary:        WSGI request and response object
@ -38,32 +49,29 @@ rm -rf docs/_static/.empty
 mv docs/license.txt license.txt
 %build
 %py2_build
 %py3_build
 %install
 %py3_install
 %py2_install
 %check
 export PYTHONPATH=$RPM_BUILD_ROOT%{python2_sitelib}
 py.test tests
 export PYTHONPATH=$RPM_BUILD_ROOT%{python3_sitelib}
 py.test-3 tests
 %files -n python2-webob
 %license license.txt
 %doc docs/*
 %{python2_sitelib}/*
 %files -n python3-webob
 %license license.txt
 %doc docs/*
 %{python3_sitelib}/*
 %changelog
 * Thu Aug 15 2024 yaoxin <yao_xin001@hoperun.com> - 1.8.7-3
 - Fix CVE-2024-42353
 * Wed Mar 02 2022 zhaoshuang <zhaoshuang@uniontech.com> - 1.8.7-2
 - remove some unnecessary buildrequirements
 * Thu Aug 05 2021 liusheng <liusheng2048@gmail.com> - 1.8.7-1
 - Upgrade to version 1.8.7
 * Thu Oct 29 2020 xinghe <xinghe1@huawei.com> - 1.8.2-4
 - remove python2 dependency
 * Fri Feb 14 2020 Ruijun Ge <geruijun@huawei.com> - 1.8.2-3
 - init package
--- a/python-webob.yaml
+++ b/python-webob.yaml
@ -1,4 +0,0 @@
 version_control: pypi
 src_repo: webob
 tag_pattern: ^v
 seperator: .