!64 Fixed pre-1980 file timestamps raising ValueError

From: @yuxiating2021 Reviewed-by: @Charlie_li Signed-off-by: @Charlie_li
Fixed pre-1980 file timestamps raising ValueError
2023-12-25 11:50:09 +00:00 · 2023-12-25 19:32:33 +08:00 · 2023-12-19 06:36:12 +00:00 · 2023-12-19 11:03:44 +08:00 · 2023-12-08 06:47:59 +00:00 · 2023-12-07 19:08:34 +08:00
5 changed files with 315 additions and 2 deletions
--- a/0001-Fixed-pre-1980-file-timestamps-raising-ValueError.patch
+++ b/0001-Fixed-pre-1980-file-timestamps-raising-ValueError.patch
@ -0,0 +1,59 @@
 From ef6b4027e74a8271d89ee44b38e43e273882ef77 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Alex=20Gr=C3=B6nholm?= <alex.gronholm@nextday.fi>
 Date: Thu, 20 Oct 2022 17:31:51 +0300
 Subject: [PATCH] Fixed pre-1980 file timestamps raising ValueError
 Reference:https://github.com/pypa/wheel/commit/ef6b4027e74a8271d89ee44b38e43e273882ef77
 Fixes #418.
 ---
 src/wheel/wheelfile.py    |  2 ++
 tests/test_bdist_wheel.py | 16 ++++++++++++++++
 2 files changed, 18 insertions(+)
 diff --git a/src/wheel/wheelfile.py b/src/wheel/wheelfile.py
 index b985774..f55fc73 100644
 --- a/src/wheel/wheelfile.py
 +++ b/src/wheel/wheelfile.py
@@ -30,12 +30,14 @@ WHEEL_INFO_RE = re.compile(
     r"""^(?P<namever>(?P<name>[^\s-]+?)-(?P<ver>[^\s-]+?))(-(?P<build>\d[^\s-]*))?
      -(?P<pyver>[^\s-]+?)-(?P<abi>[^\s-]+?)-(?P<plat>\S+)\.whl$""",
     re.VERBOSE)
 +MINIMUM_TIMESTAMP = 315532800  # 1980-01-01 00:00:00 UTC
 def get_zipinfo_datetime(timestamp=None):
     # Some applications need reproducible .whl files, but they can't do this without forcing
     # the timestamp of the individual ZipInfo objects. See issue #143.
     timestamp = int(os.environ.get('SOURCE_DATE_EPOCH', timestamp or time.time()))
 +    timestamp = max(timestamp, MINIMUM_TIMESTAMP)
     return time.gmtime(timestamp)[0:6]
 diff --git a/tests/test_bdist_wheel.py b/tests/test_bdist_wheel.py
 index 5ed9a41..2a4d777 100644
 --- a/tests/test_bdist_wheel.py
 +++ b/tests/test_bdist_wheel.py
@@ -154,3 +154,19 @@ def test_wheelfile_line_endings(wheel_paths):
             wheelfile = next(fn for fn in wf.filelist if fn.filename.endswith('WHEEL'))
             wheelfile_contents = wf.read(wheelfile)
             assert b'\r' not in wheelfile_contents
 +
 +
 +def test_unix_epoch_timestamps(dummy_dist, monkeypatch, tmp_path):
 +    monkeypatch.setenv("SOURCE_DATE_EPOCH", "0")
 +    monkeypatch.chdir(dummy_dist)
 +    subprocess.check_call(
 +        [
 +            sys.executable,
 +            "setup.py",
 +            "bdist_wheel",
 +            "-b",
 +            str(tmp_path),
 +            "--universal",
 +            "--build-number=2",
 +        ]
 +    )
 -- 
 2.33.0
--- a/0001-Support-unpacking-wheels-that-contain-files-with-com.patch
+++ b/0001-Support-unpacking-wheels-that-contain-files-with-com.patch
@ -0,0 +1,144 @@
 From 5846dacf8d4d48ad9278ded327cbb5f0917a238b Mon Sep 17 00:00:00 2001
 From: Hood Chatham <roberthoodchatham@gmail.com>
 Date: Wed, 22 Dec 2021 02:13:50 -0800
 Subject: [PATCH] Support unpacking wheels that contain files with commas in
 their names (#427)
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 The csv module is now being used to read RECORD.
 Co-authored-by: Alex Grönholm <alex.gronholm@nextday.fi>
 ---
 src/wheel/wheelfile.py                        | 46 ++++++++++++-------
 tests/conftest.py                             |  2 +-
 .../mypackage/__init__.py                     |  0
 .../mypackage/data/1,2,3.txt                  |  0
 .../mypackage/data/__init__.py                |  0
 .../testdata/commasinfilenames.dist/setup.py  | 12 +++++
 .../testrepo-0.1.0/mypackage/__init__.py      |  0
 7 files changed, 42 insertions(+), 18 deletions(-)
 create mode 100644 tests/testdata/commasinfilenames.dist/mypackage/__init__.py
 create mode 100644 tests/testdata/commasinfilenames.dist/mypackage/data/1,2,3.txt
 create mode 100644 tests/testdata/commasinfilenames.dist/mypackage/data/__init__.py
 create mode 100644 tests/testdata/commasinfilenames.dist/setup.py
 create mode 100644 tests/testdata/commasinfilenames.dist/testrepo-0.1.0/mypackage/__init__.py
 diff --git a/src/wheel/wheelfile.py b/src/wheel/wheelfile.py
 index 3ee97dd..21e7361 100644
 --- a/src/wheel/wheelfile.py
 +++ b/src/wheel/wheelfile.py
@@ -5,6 +5,7 @@ import hashlib
 import os.path
 import re
 import stat
 +import sys
 import time
 from collections import OrderedDict
 from distutils import log as logger
@@ -13,6 +14,16 @@ from zipfile import ZIP_DEFLATED, ZipInfo, ZipFile
 from wheel.cli import WheelError
 from wheel.util import urlsafe_b64decode, as_unicode, native, urlsafe_b64encode, as_bytes, StringIO
 +if sys.version_info >= (3,):
 +    from io import TextIOWrapper
 +
 +    def read_csv(fp):
 +        return csv.reader(TextIOWrapper(fp, newline='', encoding='utf-8'))
 +else:
 +    def read_csv(fp):
 +        for line in csv.reader(fp):
 +            yield [column.decode('utf-8') for column in line]
 +
 # Non-greedy matching of an optional build number may be too clever (more
 # invalid wheel filenames will match). Separate regex for .dist-info?
 WHEEL_INFO_RE = re.compile(
@@ -60,23 +71,24 @@ class WheelFile(ZipFile):
                 raise WheelError('Missing {} file'.format(self.record_path))
             with record:
 -                for line in record:
 -                    line = line.decode('utf-8')
 -                    path, hash_sum, size = line.rsplit(u',', 2)
 -                    if hash_sum:
 -                        algorithm, hash_sum = hash_sum.split(u'=')
 -                        try:
 -                            hashlib.new(algorithm)
 -                        except ValueError:
 -                            raise WheelError('Unsupported hash algorithm: {}'.format(algorithm))
 -
 -                        if algorithm.lower() in {'md5', 'sha1'}:
 -                            raise WheelError(
 -                                'Weak hash algorithm ({}) is not permitted by PEP 427'
 -                                .format(algorithm))
 -
 -                        self._file_hashes[path] = (
 -                            algorithm, urlsafe_b64decode(hash_sum.encode('ascii')))
 +                for line in read_csv(record):
 +                    path, hash_sum, size = line
 +                    if not hash_sum:
 +                        continue
 +
 +                    algorithm, hash_sum = hash_sum.split(u'=')
 +                    try:
 +                        hashlib.new(algorithm)
 +                    except ValueError:
 +                        raise WheelError('Unsupported hash algorithm: {}'.format(algorithm))
 +
 +                    if algorithm.lower() in {'md5', 'sha1'}:
 +                        raise WheelError(
 +                            'Weak hash algorithm ({}) is not permitted by PEP 427'
 +                            .format(algorithm))
 +
 +                    self._file_hashes[path] = (
 +                        algorithm, urlsafe_b64decode(hash_sum.encode('ascii')))
     def open(self, name_or_info, mode="r", pwd=None):
         def _update_crc(newdata, eof=None):
 diff --git a/tests/conftest.py b/tests/conftest.py
 index 7c3698c..d9821b8 100644
 --- a/tests/conftest.py
 +++ b/tests/conftest.py
@@ -12,7 +12,7 @@ import pytest
 @pytest.fixture(scope='session')
 def wheels_and_eggs(tmpdir_factory):
     """Build wheels and eggs from test distributions."""
 -    test_distributions = "complex-dist", "simple.dist", "headers.dist"
 +    test_distributions = "complex-dist", "simple.dist", "headers.dist", "commasinfilenames.dist"
     if sys.version_info >= (3, 6):
         # Only Python 3.6+ can handle packaging unicode file names reliably
         # across different platforms
 diff --git a/tests/testdata/commasinfilenames.dist/mypackage/__init__.py b/tests/testdata/commasinfilenames.dist/mypackage/__init__.py
 new file mode 100644
 index 0000000..e69de29
 diff --git a/tests/testdata/commasinfilenames.dist/mypackage/data/1,2,3.txt b/tests/testdata/commasinfilenames.dist/mypackage/data/1,2,3.txt
 new file mode 100644
 index 0000000..e69de29
 diff --git a/tests/testdata/commasinfilenames.dist/mypackage/data/__init__.py b/tests/testdata/commasinfilenames.dist/mypackage/data/__init__.py
 new file mode 100644
 index 0000000..e69de29
 diff --git a/tests/testdata/commasinfilenames.dist/setup.py b/tests/testdata/commasinfilenames.dist/setup.py
 new file mode 100644
 index 0000000..8cf9e4e
 --- /dev/null
 +++ b/tests/testdata/commasinfilenames.dist/setup.py
@@ -0,0 +1,12 @@
 +from setuptools import setup
 +
 +setup(
 +    name='testrepo',
 +    version='0.1',
 +    packages=["mypackage"],
 +    description='A test package with commas in file names',
 +    include_package_data=True,
 +    package_data={
 +        "mypackage.data": ["*"]
 +    },
 +)
 diff --git a/tests/testdata/commasinfilenames.dist/testrepo-0.1.0/mypackage/__init__.py b/tests/testdata/commasinfilenames.dist/testrepo-0.1.0/mypackage/__init__.py
 new file mode 100644
 index 0000000..e69de29
 -- 
 2.42.0.windows.2
--- a/CVE-2022-40898.patch
+++ b/CVE-2022-40898.patch
@ -0,0 +1,25 @@
 From 88f02bc335d5404991e532e7f3b0fc80437bf4e0 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Alex=20Gr=C3=B6nholm?= <alex.gronholm@nextday.fi>
 Date: Thu, 20 Oct 2022 17:13:23 +0300
 Subject: [PATCH] Fixed potential DoS attack via WHEEL_INFO_RE
 Refer: https://github.com/pypa/wheel/issues/498
 ---
 src/wheel/wheelfile.py | 4 ++--
 2 files changed, 2 insertions(+), 2 deletions(-)
 diff --git a/src/wheel/wheelfile.py b/src/wheel/wheelfile.py
 index a0c9d2a5..b985774e 100644
 --- a/src/wheel/wheelfile.py
 +++ b/src/wheel/wheelfile.py
@@ -16,8 +16,8 @@
 # Non-greedy matching of an optional build number may be too clever (more
 # invalid wheel filenames will match). Separate regex for .dist-info?
 WHEEL_INFO_RE = re.compile(
 -    r"""^(?P<namever>(?P<name>.+?)-(?P<ver>.+?))(-(?P<build>\d[^-]*))?
 -     -(?P<pyver>.+?)-(?P<abi>.+?)-(?P<plat>.+?)\.whl$""",
 +    r"""^(?P<namever>(?P<name>[^-]+?)-(?P<ver>[^-]+?))(-(?P<build>\d[^-]*))?
 +     -(?P<pyver>[^-]+?)-(?P<abi>[^-]+?)-(?P<plat>[^.]+?)\.whl$""",
     re.VERBOSE)
--- a/backport-Fixed-parsing-of-wheel-file-names-with-multiple-platform-tags.patch
+++ b/backport-Fixed-parsing-of-wheel-file-names-with-multiple-platform-tags.patch
@ -0,0 +1,66 @@
 From 44193907eb308930de05deed863fb4d157c5c866 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Alex=20Gr=C3=B6nholm?= <alex.gronholm@nextday.fi>
 Date: Sat, 5 Nov 2022 01:17:22 +0200
 Subject: [PATCH] Fixed parsing of wheel file names with multiple platform tags
 Reference:https://github.com/pypa/wheel/commit/44193907eb308930de05deed863fb4d157c5c866
 Fixes #485.
 ---
 src/wheel/wheelfile.py  |  4 ++--
 tests/test_wheelfile.py | 16 ++++++++++++----
 2 files changed, 14 insertions(+), 6 deletions(-)
 diff --git a/src/wheel/wheelfile.py b/src/wheel/wheelfile.py
 index 3c3d9f5..bce7ab3 100644
 --- a/src/wheel/wheelfile.py
 +++ b/src/wheel/wheelfile.py
@@ -16,8 +16,8 @@ from wheel.util import urlsafe_b64decode, as_unicode, native, urlsafe_b64encode,
 # Non-greedy matching of an optional build number may be too clever (more
 # invalid wheel filenames will match). Separate regex for .dist-info?
 WHEEL_INFO_RE = re.compile(
 -    r"""^(?P<namever>(?P<name>[^-]+?)-(?P<ver>[^-]+?))(-(?P<build>\d[^-]*))?
 -     -(?P<pyver>[^-]+?)-(?P<abi>[^-]+?)-(?P<plat>[^.]+?)\.whl$""",
 +    r"""^(?P<namever>(?P<name>[^\s-]+?)-(?P<ver>[^\s-]+?))(-(?P<build>\d[^\s-]*))?
 +     -(?P<pyver>[^\s-]+?)-(?P<abi>[^\s-]+?)-(?P<plat>\S+)\.whl$""",
     re.VERBOSE)
 diff --git a/tests/test_wheelfile.py b/tests/test_wheelfile.py
 index db11bcd..91e8aab 100644
 --- a/tests/test_wheelfile.py
 +++ b/tests/test_wheelfile.py
@@ -16,9 +16,16 @@ def wheel_path(tmpdir):
     return str(tmpdir.join('test-1.0-py2.py3-none-any.whl'))
 -def test_wheelfile_re(tmpdir):
 -    # Regression test for #208
 -    path = tmpdir.join('foo-2-py3-none-any.whl')
 +@pytest.mark.parametrize(
 +    "filename",
 +    [
 +        "foo-2-py3-none-any.whl",
 +        "foo-2-py2.py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl",
 +    ],
 +)
 +def test_wheelfile_re(filename, tmpdir):
 +    # Regression test for #208 and #485
 +    path = tmpdir.join(filename)
     with WheelFile(str(path), 'w') as wf:
         assert wf.parsed_filename.group('namever') == 'foo-2'
@@ -28,7 +35,8 @@ def test_wheelfile_re(tmpdir):
     'test-1.0.whl',
     'test-1.0-py2.whl',
     'test-1.0-py2-none.whl',
 -    'test-1.0-py2-none-any'
 +    'test-1.0-py2-none-any',
 +    "test-1.0-py 2-none-any.whl",
 ])
 def test_bad_wheel_filename(filename):
     exc = pytest.raises(WheelError, WheelFile, filename)
 -- 
 2.33.0
--- a/python-wheel.spec
+++ b/python-wheel.spec
@ -1,7 +1,7 @@
 %bcond_with bootstrap
 Name:           python-wheel
 Version:        0.37.0
-Release:        3
+Release:        8
 Epoch:          1
 Summary:        Built-package format for Python
 License:        MIT
@ -10,6 +10,10 @@ Source0:        %{url}/archive/%{version}/wheel-%{version}.tar.gz
 BuildArch:      noarch
 Patch01:        0001-Fixed-wheel-pack-duplicating-WHEEL-contents-on-build.patch
 Patch02:        0001-Support-unpacking-wheels-that-contain-files-with-com.patch
 Patch03:        CVE-2022-40898.patch
 Patch04:        backport-Fixed-parsing-of-wheel-file-names-with-multiple-platform-tags.patch
 Patch05:        0001-Fixed-pre-1980-file-timestamps-raising-ValueError.patch
 %description
 A built-package format for Python.
@ -81,7 +85,22 @@ PYTHONPATH=%{buildroot}%{python3_sitelib} py.test-3 -v --ignore build
 %endif
 %changelog
-* Fri Oct 13 2023 liubo <liubo1@xfusion.com> - 0.37.0-3
+* Mon Dec 25 2023 yuxiating <yuxiating@xfusion.com> - 1:0.37.0-8
 - Fixed pre-1980 file timestamps raising ValueError
 * Tue Dec 19 2023 shixuantong <shixuantong1@huawei.com> - 1:0.37.0-7
 - Fixed parsing of wheel file names with multiple platform tags
 * Thu Dec 07 2023 wangkai <13474090681@163.com> - 1:0.37.0-6
 - Fix CVE-2022-40898
 * Wed Nov 8 2023 liubo <liubo1@xfusion.com> - 1:0.37.0-5
 - Support unpacking wheels that contain files with commas in their names
 * Tue Oct 17 2023 liubo <liubo1@xfusion.com> - 1:0.37.0-4
 - Fixed the non-standard format of changelog
 * Fri Oct 13 2023 liubo <liubo1@xfusion.com> - 1:0.37.0-3
 - Fixed wheel pack duplicating WHEEL contents on build number
 * Thu Oct 27 2022 zhangruifang <zhangruifang1@h-partners.com> - 0.37.0-2
Author	SHA1	Message	Date
openeuler-ci-bot	ecaa880789	!64 Fixed pre-1980 file timestamps raising ValueError From: @yuxiating2021 Reviewed-by: @Charlie_li Signed-off-by: @Charlie_li	2023-12-25 11:50:09 +00:00
yuxiating	4730167066	Fixed pre-1980 file timestamps raising ValueError Signed-off-by: yuxiating <yuxiating@xfusion.com>	2023-12-25 19:32:33 +08:00
openeuler-ci-bot	e44bc1bca8	!47 Fixed parsing of wheel file names with multiple platform tags From: @tong_1001 Reviewed-by: @caodongxia Signed-off-by: @caodongxia	2023-12-19 06:36:12 +00:00
shixuantong	6f9ad70252	Fixed parsing of wheel file names with multiple platform tags	2023-12-19 11:03:44 +08:00
openeuler-ci-bot	d863d40b07	!39 Fix CVE-2022-40898 From: @wk333 Reviewed-by: @lyn1001 Signed-off-by: @lyn1001	2023-12-08 06:47:59 +00:00
wk333	e68ba50197	Fix CVE-2022-40898	2023-12-07 19:08:34 +08:00
openeuler-ci-bot	4408e5d70a	!38 [sync] PR-28: Support unpacking wheels that contain files with commas in their names From: @openeuler-sync-bot Reviewed-by: @lyn1001 Signed-off-by: @lyn1001	2023-11-29 08:36:54 +00:00
liubo	7bdcea4b0a	Support unpacking wheels that contain files with commas in their names Signed-off-by: liubo <liubo1@xfusion.com> (cherry picked from commit a3b03089e192550f6303fa1876ac82f4c3714996)	2023-11-29 09:01:41 +08:00
openeuler-ci-bot	ecbe90ac0f	!36 [sync] PR-26: Fixed the non-standard format of changelog From: @openeuler-sync-bot Reviewed-by: @lyn1001 Signed-off-by: @lyn1001	2023-11-29 00:58:02 +00:00
liubo	8d66400071	Fixed the non-standard format of changelog Signed-off-by: liubo <liubo1@xfusion.com> (cherry picked from commit 4c38091310f4a513a4bbf5b302ee8b1bb1661917)	2023-11-28 20:04:45 +08:00