!14 [sync] PR-12: Fix CVE-2022-31799

From: @openeuler-sync-bot 
Reviewed-by: @small_leek 
Signed-off-by: @small_leek
openeuler-ci-bot 2022-06-14 03:22:36 +00:00 committed by Gitee
commit 89ce2a5923
2 changed files with 46 additions and 1 deletions

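--- /dev/null
+++ b/CVE-2022-31799.patch
@@ -0,0 +1,40 @@
+From e140e1b54da721a660f2eb9d58a106b7b3ff2f00 Mon Sep 17 00:00:00 2001
+From: Marcel Hellkamp <marc@gsites.de>
+Date: Thu, 26 May 2022 14:49:32 +0200
+Subject: [PATCH] Gracefully handle errors during early request binding.
+---
+bottle.py | 16 +++++++++-------
+1 file changed, 9 insertions(+), 7 deletions(-)
+diff --git a/bottle.py b/bottle.py
+index 04ccf7da..035f99ec 100644
+--- a/bottle.py
++++ b/bottle.py
+@@ -848,17 +848,19 @@ def default_error_handler(self, res):
+return tob(template(ERROR_PAGE_TEMPLATE, e=res))
+def _handle(self, environ):
+- path = environ['bottle.raw_path'] = environ['PATH_INFO']
+- if py3k:
+- try:
+- environ['PATH_INFO'] = path.encode('latin1').decode('utf8')
+- except UnicodeError:
+- return HTTPError(400, 'Invalid path string. Expected UTF-8')
+-
+try:
++
+environ['bottle.app'] = self
+request.bind(environ)
+response.bind()
++
++ path = environ['bottle.raw_path'] = environ['PATH_INFO']
++ if py3k:
++ try:
++ environ['PATH_INFO'] = path.encode('latin1').decode('utf8')
++ except UnicodeError:
++ return HTTPError(400, 'Invalid path string. Expected UTF-8')
++
+try:
+self.trigger_hook('before_request')
+route, args = self.router.match(environ)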
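Review bot: The reordering inside `_handle` — `request.bind(environ)` and `response.bind()` now run before `environ['PATH_INFO']` is decoded and before the `return HTTPError(400, ...)` early exit — carries no comment in the hunk, so a later rebase of this backport could silently restore the old order without anything failing at build time. A one-line comment above the moved block, `# bind request/response before any early return so the 400 below is raised against this request's state`, would pin the intent; the "this request's state" reading comes from the upstream subject line ("errors during early request binding") rather than from the hunk itself, so confirm it against the outer `except` clause, which lies outside the hunk together with the rest of `_handle`. The two empty `+` lines after the outer `try:` and after the `if py3k:` block are cosmetic and could be dropped from the backport. No regression test accompanies the patch, so coverage of the fix rests entirely on the upstream commit referenced in the spec.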


@ -1,11 +1,13 @@
Name: python-bottle Name: python-bottle
Version: 0.12.13 Version: 0.12.13
Release: 9 Release: 10
Summary: WSGI micro web-framework for Python. Summary: WSGI micro web-framework for Python.
License: MIT License: MIT
URL: https://github.com/bottlepy/bottle URL: https://github.com/bottlepy/bottle
Source0: https://github.com/bottlepy/bottle/archive/%{version}/bottle-%{version}.tar.gz Source0: https://github.com/bottlepy/bottle/archive/%{version}/bottle-%{version}.tar.gz
Patch0000: CVE-2020-28473.patch Patch0000: CVE-2020-28473.patch
#https://github.com/bottlepy/bottle/commit/e140e1b54da721a660f2eb9d58a106b7b3ff2f00
Patch0001: CVE-2022-31799.patch
BuildArch: noarch BuildArch: noarch
BuildRequires: python3-devel python3-setuptools BuildRequires: python3-devel python3-setuptools
@ -43,6 +45,9 @@ sed -i '/^#!/d' bottle.py
%exclude %{_bindir}/bottle.py %exclude %{_bindir}/bottle.py
%changelog %changelog
* Tue Jun 14 2022 yaoxin <yaoxin30@h-partners.com> - 0.12.13-10
- Fix CVE-2022-31799
* Fri Feb 19 2021 zhanghua <zhanghua40@huawei.com> - 0.12.13-9 * Fri Feb 19 2021 zhanghua <zhanghua40@huawei.com> - 0.12.13-9
- fix CVE-2020-28473 - fix CVE-2020-28473
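Review bot: `Patch0001: CVE-2022-31799.patch` is declared, but the `%prep` section is not in either hunk, so whether the patch is actually applied cannot be confirmed from this page: if the spec applies patches with explicit `%patch` lines rather than `%autosetup`, a matching `%patch0001 -p1` is needed, otherwise the build still ships the old `_handle` while the changelog claims the fix. Running `rpmbuild -bp` and checking that the prepared `bottle.py` sets `environ['bottle.raw_path']` after `request.bind(environ)` would settle it. The comment line above `Patch0001` pointing at the upstream commit is good practice; prefixing it with the CVE id, `# CVE-2022-31799: https://github.com/bottlepy/bottle/commit/e140e1b54da721a660f2eb9d58a106b7b3ff2f00`, keeps the mapping readable if patches are later renumbered.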