fix CVE-2020-28473
(cherry picked from commit e941d8331ef0c412c2d587eab1955d52df198b1a)
parent
15f19fc91e
commit
ec28f82459
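--- a/CVE-2020-28473.patch
+++ b/CVE-2020-28473.patch
@@ -0,0 +1,27 @@
+From 57a2f22e0c1d2b328c4f54bf75741d74f47f1a6b Mon Sep 17 00:00:00 2001
+From: Marcel Hellkamp <marc@gsites.de>
+Date: Wed, 11 Nov 2020 19:24:29 +0100
+Subject: [PATCH] Do not split query strings on `;` anymore.
+
+Using `;` as a separator instead of `&` was allowed a long time ago,
+but is now obsolete and actually invalid according to the 2014 W3C
+recommendations. Even if this change is technically backwards-incompatible,
+no real-world application should depend on broken behavior. If you REALLY
+need this functionality, monkey-patch the _parse_qsl() function.
+---
+bottle.py | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bottle.py b/bottle.py
+index bcfc5e62..417b01b9 100644
+--- a/bottle.py
++++ b/bottle.py
+@@ -2585,7 +2585,7 @@ def parse_range_header(header, maxlen=0):
+
+def _parse_qsl(qs):
+r = []
+- for pair in qs.replace(';','&').split('&'):
++ for pair in qs.split('&'):
+if not pair: continue
+nv = pair.split('=', 1)
+if len(nv) != 2: nv.append('')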
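Review bot: The embedded hunk carries upstream's blob ids and location (`index bcfc5e62..417b01b9`, `@@ -2585,7 +2585,7 @@`) rather than being regenerated against the 0.12.13 tarball this spec builds, so the `_parse_qsl` context may only apply with an offset or fuzz; the `%autosetup -p1` build log should be checked to confirm that `for pair in qs.split('&'):` really replaced the `qs.replace(';','&')` form, because that single line is the whole CVE-2020-28473 mitigation. The `_parse_qsl` body continues past the end of the hunk, so the page does not show how the parsed pairs are returned, and no regression check for a `;` inside a query value accompanies the patch. Since the change is backwards-incompatible for clients still sending `;`-separated query strings, the changelog entry would be more useful to downstream users as `- fix CVE-2020-28473: query strings are no longer split on ';'` rather than just `- fix CVE-2020-28473`.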
@ -1,10 +1,11 @@
Name: python-bottle
Name: python-bottle
Version: 0.12.13
Version: 0.12.13
Release: 7
Release: 8
Summary: WSGI micro web-framework for Python.
Summary: WSGI micro web-framework for Python.
License: MIT
License: MIT
URL: http://bottlepy.org
URL: http://bottlepy.org
Source0: https://github.com/bottlepy/bottle/archive/%{version}/bottle-%{version}.tar.gz
Source0: https://github.com/bottlepy/bottle/archive/%{version}/bottle-%{version}.tar.gz
Patch0000: CVE-2020-28473.patch
BuildArch: noarch
BuildArch: noarch
BuildRequires: python2-devel python2-setuptools python3-devel python3-setuptools
BuildRequires: python2-devel python2-setuptools python3-devel python3-setuptools
@ -32,7 +33,7 @@ It is distributed as a single file module and has no dependencies other than
the Python Standard Library.
the Python Standard Library.
%prep
%prep
%autosetup -n bottle-%{version}
%autosetup -n bottle-%{version} -p1
sed -i '/^#!/d' bottle.py
sed -i '/^#!/d' bottle.py
%build
%build
@ -59,6 +60,9 @@ sed -i '/^#!/d' bottle.py
%{python3_sitelib}/*
%{python3_sitelib}/*
%changelog
%changelog
* Fri Feb 19 2021 zhanghua <zhanghua40@huawei.com> - 0.12.13-8
- fix CVE-2020-28473
* Tue Nov 26 2019 zhujunhao <zhujunhao5@huawei.com> - 0.12.13-7
* Tue Nov 26 2019 zhujunhao <zhujunhao5@huawei.com> - 0.12.13-7
- Package init
- Package init