Sync from SUSE:ALP:Source:Standard:1.0 python-starlette revision 4ae21534ee9c25de94596b6558db9fcf

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

CVE-2024-47874-multipart-form-data-part-limit.patch

@@ -0,0 +1,85 @@
+From fd038f3070c302bff17ef7d173dbb0b007617733 Mon Sep 17 00:00:00 2001
+From: Marcelo Trylesinski <marcelotryle@gmail.com>
+Date: Tue, 15 Oct 2024 08:40:51 +0200
+Subject: [PATCH] Merge commit from fork
+
+---
+ starlette/formparsers.py  | 11 +++++++----
+ tests/test_formparsers.py | 41 ++++++++++++++++++++++++++++++++++++---
+ 2 files changed, 45 insertions(+), 7 deletions(-)
+
+Index: starlette-0.26.1/starlette/formparsers.py
+===================================================================
+--- starlette-0.26.1.orig/starlette/formparsers.py
++++ starlette-0.26.1/starlette/formparsers.py
+@@ -26,7 +26,7 @@ class FormMessage(Enum):
+ class MultipartPart:
+     content_disposition: typing.Optional[bytes] = None
+     field_name: str = ""
+-    data: bytes = b""
++    data: bytearray = field(default_factory=bytearray)
+     file: typing.Optional[UploadFile] = None
+     item_headers: typing.List[typing.Tuple[bytes, bytes]] = field(default_factory=list)
+ 
+@@ -116,7 +116,8 @@ class FormParser:
+ 
+ 
+ class MultiPartParser:
+-    max_file_size = 1024 * 1024
++    max_file_size = 1024 * 1024  # 1MB
++    max_part_size = 1024 * 1024  # 1MB
+ 
+     def __init__(
+         self,
+@@ -150,7 +151,9 @@ class MultiPartParser:
+     def on_part_data(self, data: bytes, start: int, end: int) -> None:
+         message_bytes = data[start:end]
+         if self._current_part.file is None:
+-            self._current_part.data += message_bytes
++            if len(self._current_part.data) + len(message_bytes) > self.max_part_size:
++                raise MultiPartException(f"Part exceeded maximum size of {int(self.max_part_size / 1024)}KB.")
++            self._current_part.data.extend(message_bytes)
+         else:
+             self._file_parts_to_write.append((self._current_part, message_bytes))
+ 
+Index: starlette-0.26.1/tests/test_formparsers.py
+===================================================================
+--- starlette-0.26.1.orig/tests/test_formparsers.py
++++ starlette-0.26.1/tests/test_formparsers.py
+@@ -682,3 +682,36 @@ def test_max_fields_is_customizable_high
+         "content": "",
+         "content_type": None,
+     }
++
++
++@pytest.mark.parametrize(
++    "app,expectation",
++    [
++        (app, pytest.raises(MultiPartException)),
++        (Starlette(routes=[Mount("/", app=app)]), does_not_raise()),
++    ],
++)
++def test_max_part_size_exceeds_limit(app, expectation, test_client_factory):
++    client = test_client_factory(app)
++    boundary = "------------------------4K1ON9fZkj9uCUmqLHRbbR"
++
++    multipart_data = (
++        f"--{boundary}\r\n"
++        f'Content-Disposition: form-data; name="small"\r\n\r\n'
++        "small content\r\n"
++        f"--{boundary}\r\n"
++        f'Content-Disposition: form-data; name="large"\r\n\r\n'
++        + ("x" * 1024 * 1024 + "x")  # 1MB + 1 byte of data
++        + "\r\n"
++        f"--{boundary}--\r\n"
++    ).encode("utf-8")
++
++    headers = {
++        "Content-Type": f"multipart/form-data; boundary={boundary}",
++        "Transfer-Encoding": "chunked",
++    }
++
++    with expectation:
++        response = client.post("/", data=multipart_data, headers=headers)  # type: ignore
++        assert response.status_code == 400
++        assert response.text == "Part exceeded maximum size of 1024KB."

_multibuild

@@ -0,0 +1,3 @@
+<multibuild>
+  <package>test</package>
+</multibuild>

python-starlette.changes

@@ -0,0 +1,318 @@
+-------------------------------------------------------------------
+Thu Oct 17 02:47:31 UTC 2024 - Steve Kowalik <steven.kowalik@suse.com>
+
+- Add patch CVE-2024-47874-multipart-form-data-part-limit.patch:
+  * Add max_part_size to MultiPartParser to limit the size of parts in
+    multipart/form-data requests. (bsc#1231689, CVE-2024-47874)
+
+-------------------------------------------------------------------
+Tue Mar 14 09:11:16 UTC 2023 - David Anes <david.anes@suse.com>
+
+- Update to 0.26.1:
+  * Fixed
+    - Fix typing of Lifespan to allow subclasses of Starlette #2077.
+
+-------------------------------------------------------------------
+Fri Mar 10 11:36:42 UTC 2023 - David Anes <david.anes@suse.com>
+
+- Update to 0.26.0.post1:
+  * Fixed
+    - Replace reference from Events to Lifespan on the mkdocs.yml #2072.
+
+- Update to 0.26.0:
+  * Added
+    - Support lifespan state #2060, #2065 and #2064.
+  * Changed
+    - Change url_for signature to return a URL instance #1385.
+  * Fixed
+    - Allow "name" argument on url_for() and url_path_for() #2050.
+  * Deprecated
+    - Deprecate on_startup and on_shutdown events #2070. 
+
+-------------------------------------------------------------------
+Thu Feb 16 16:22:35 UTC 2023 - David Anes <david.anes@suse.com>
+
+- Update to 0.25.0:
+  * Fixed
+    - Limit the number of fields and files when parsing 
+    multipart/form-data on the MultipartParser.
+
+- Fixed upstream: reenable tests for tests for i586 and armv7l.
+
+-------------------------------------------------------------------
+Fri Feb 10 18:28:13 UTC 2023 - David Anes <david.anes@suse.com>
+
+- Disable broken tests for i586 and armv7l.
+
+- Update to 0.24.0
+  * Added
+    - Allow StaticFiles to follow symlinks
+    - Allow Request.form() as a context manager
+    - Add size attribute to UploadFile
+    - Add env_prefix argument to Config
+    - Add template context processors
+    - Support str and datetime on expires parameter on the Response.set_cookie method
+  * Changed
+    - Lazily build the middleware stack
+    - Make the file argument required on UploadFile
+    - Use debug extension instead of custom response template extension
+  * Fixed
+    - Fix url parsing of ipv6 urls on URL.replace
+
+-------------------------------------------------------------------
+Wed Jan  4 21:03:11 UTC 2023 - Ben Greiner <code@bnavigator.de>
+
+- Clean up test dependencies: fastapi pulls this into Staging
+  Ring1, we don't want to pull in more than we want.
+
+-------------------------------------------------------------------
+Tue Dec 13 08:27:49 UTC 2022 - David Anes <david.anes@suse.com>
+
+- Update to 0.21.3
+  * Fixed
+    - Only stop receiving stream on body_stream if body is empty on i
+      the BaseHTTPMiddleware.
+
+- Update to 0.21.0
+  * Added
+    - Add headers parameter to the TestClient.
+  * Deprecated
+    - Deprecate Starlette and Router decorators.
+  * Fixed
+    - Fix bug on FloatConvertor regex.
+
+- Fix test package by adding 'exceptiongroup' python module as a 
+  build dependency.
+
+-------------------------------------------------------------------
+Sun Nov 27 22:53:40 UTC 2022 - Michael Ströder <michael@stroeder.com>
+
+- Update to 0.22.0
+  * Changed
+    - Bypass GZipMiddleware when response includes Content-Encoding #1901.
+  * Fixed
+    - Remove unneeded unquote() from query parameters on the TestClient #1953.
+    - Make sure MutableHeaders._list is actually a list #1917.
+    - Import compatibility with the next version of AnyIO #1936.
+
+-------------------------------------------------------------------
+Thu Sep 29 08:19:37 UTC 2022 - Michael Ströder <michael@stroeder.com>
+
+- Update to 0.21.0
+  * Changed
+    - Replace requests with httpx in TestClient #1376.
+  * Added
+    - Add WebSocketException and support for WebSocket exception handlers #1263.
+    - Add middleware parameter to Mount class #1649.
+    - Officially support Python 3.11 1863.
+    - Implement __repr__ for route classes #1864.
+  * Fixed
+    - Fix bug on which BackgroundTasks were cancelled when using BaseHTTPMiddleware and client disconnected #1715.
+- setup.py install is no longer supported by upstream => use pip-based installation
+- added build dependencies:
+  * python3-hatchling
+  * python3-pip
+  * python3-wheel
+
+-------------------------------------------------------------------
+Thu Aug 11 05:22:41 UTC 2022 - Steve Kowalik <steven.kowalik@suse.com>
+
+- Remove unneeded BuildRequires on contextlib2. 
+
+-------------------------------------------------------------------
+Fri Aug  5 11:37:43 UTC 2022 - John Vandenberg <jayvdb@gmail.com>
+
+- Add missing runtime dependencies anyio and typing_extensions
+- Remove unnecessary build dependencies flake8 and pytest-cov
+
+-------------------------------------------------------------------
+Fri Jul 29 10:21:51 UTC 2022 - Torsten Gruner <simmphonie@opensuse.org>
+
+- enable multibuild for test
+
+-------------------------------------------------------------------
+Tue Jul 12 17:55:25 UTC 2022 - Michael Ströder <michael@stroeder.com>
+
+- Update to 0.20.4:
+  - Remove converter from path when generating OpenAPI schema
+    #1648.
+  - Revert "Allow StaticFiles to follow symlinks" #1681.
+  - Fix regression on route paths with colons #1675.
+  - Allow StaticFiles to follow symlinks #1337.
+  - Improve detection of async callables #1444.
+  - Send 400 (Bad Request) when boundary is missing #1617.
+  - Send 400 (Bad Request) when missing "name" field on
+    Content-Disposition header #1643.
+  - Do not send empty data to StreamingResponse on
+    BaseHTTPMiddleware #1609.
+  - Add __bool__ dunder for Secret #1625.
+  - Drop Python 3.6 support #1357 and #1616.
+
+-------------------------------------------------------------------
+Sat May 28 15:16:15 UTC 2022 - Michael Ströder <michael@stroeder.com>
+
+- Update to 0.19.1:
+  * Fixed
+    - Fix inference of Route.name when created from methods #1553.
+    - Avoid TypeError on websocket.disconnect when code is None #1574.
+  * Deprecated
+    - Deprecate WS_1004_NO_STATUS_RCVD and WS_1005_ABNORMAL_CLOSURE in favor
+      of WS_1005_NO_STATUS_RCVD and WS_1006_ABNORMAL_CLOSURE, as the previous
+      constants didn't match the WebSockets specs #1580.
+
+-------------------------------------------------------------------
+Mon Apr 18 15:27:00 UTC 2022 - Michael Ströder <michael@stroeder.com>
+
+- Update to 0.19.0:
+  * Added
+    - Error handler will always run, even if the error happens
+      on a background task #761.
+    - Add headers parameter to HTTPException #1435.
+    - Internal responses with 405 status code insert an Allow header,
+      as described by RFC 7231 #1436.
+    - The content argument in JSONResponse is now required #1431.
+    - Add custom URL convertor register #1437.
+    - Add content disposition type parameter to FileResponse #1266.
+    - Add next query param with original request URL in requires decorator #920.
+    - Add raw_path to TestClient scope #1445.
+    - Add union operators to MutableHeaders #1240.
+    - Display missing route details on debug page #1363.
+    - Change anyio required version range to >=3.4.0,<5.0 #1421 and #1460.
+    - Add typing-extensions>=3.10 requirement - used only on lower versions
+      than Python 3.10 #1475.
+  * Fixed
+    - Prevent BaseHTTPMiddleware from hiding errors of StreamingResponse
+      and mounted applications #1459.
+    - SessionMiddleware uses an explicit path=..., instead of defaulting
+      to the ASGI 'root_path' #1512.
+    - Request.client is now compliant with the ASGI specifications #1462.
+    - Raise KeyError at early stage for missing boundary #1349.
+  * Deprecated
+    - Deprecate WSGIMiddleware in favor of a2wsgi #1504.
+    - Deprecate run_until_first_complete #1443.
+
+-------------------------------------------------------------------
+Wed Feb 23 01:08:10 UTC 2022 - Steve Kowalik <steven.kowalik@suse.com>
+
+- Update to 0.18.0:
+  * Change default chunk size from 4Kb to 64Kb on FileResponse #1345.
+  * Add support for functools.partial in WebSocketRoute #1356.
+  * Add StaticFiles packages with directory #1350.
+  * Allow environment options in Jinja2Templates #1401.
+  * Allow HEAD method on HttpEndpoint #1346.
+  * Accept additional headers on websocket.accept message #1361 and #1422.
+  * Add reason to WebSocket close ASGI event #1417.
+  * Add headers attribute to UploadFile #1382.
+  * Don't omit Content-Length header for Content-Length: 0 cases #1395.
+  * Don't set headers for responses with 1xx, 204 and 304 status code #1397.
+  * SessionMiddleware.max_age now accepts None, so cookie can last as long
+    as the browser session #1387.
+  * Tweak hashlib.md5() function on FileResponses ETag generation. The
+    parameter usedforsecurity flag is set to False, if the flag is available
+    on the system. This fixes an error raised on systems with FIPS
+    enabled #1366 and #1410.
+  * Fix path_params type on url_path_for() method i.e. turn str into Any #1341.
+  * Host now ignores port on routing #1322. 
+- Set asyncio_mode when running pytest, and stop turning warnings into
+  errors.
+
+-------------------------------------------------------------------
+Wed Dec  8 15:53:03 UTC 2021 - Torsten Gruner <simmphonie@opensuse.org>
+
+- update to version 0.17.1
+  * Fix IndexError in authentication requires when wrapped function
+     arguments are distributed between *args and **kwargs #1335.
+- version 17.0
+  * Added
+    - Response.delete_cookie now accepts the same parameters as
+      Response.set_cookie #1228.
+    - Update the Jinja2Templates constructor to allow PathLike #1292.
+  * Fixed
+    - Fix BadSignature exception handling in SessionMiddleware #1264.
+    - Change HTTPConnection.__getitem__ return type from str to
+      typing.Any #1118.
+    - Change ImmutableMultiDict.getlist return type from typing.List[str]
+      to typing.List[typing.Any] #1235.
+    - Handle OSError exceptions on StaticFiles #1220.
+    - Fix StaticFiles 404.html in HTML mode #1314.
+    - Prevent anyio.ExceptionGroup in error views under a
+      BaseHTTPMiddleware #1262.
+  *Removed
+    - Remove GraphQL support #1198.
+- Remove py39-ignore-loop-deprecation.patch
+
+-------------------------------------------------------------------
+Mon Sep 27 12:44:18 UTC 2021 - Matej Cepl <mcepl@suse.com>
+
+- Add py39-ignore-loop-deprecation.patch to fix failing tests
+  (gh#encode/starlette#1293).
+
+-------------------------------------------------------------------
+Thu Jul 22 09:53:25 UTC 2021 - Matej Cepl <mcepl@suse.com>
+
+- Update to 0.16.0:
+  - Added Encode funding option #1219
+  - Starlette now supports Trio as an async runtime via AnyIO
+    - #1157.
+  - TestClient.websocket_connect() now must be used as a context
+    manager.
+  - Initial support for Python 3.10 - #1201.
+  - The compression level used in GZipMiddleware is now
+    adjustable - #1128.
+  - starlette.websockets.WebSocket instances are now hashable and
+    compare by identity #1039
+  - A number of fixes related to running task groups in lifespan
+    #1213, #1227
+  - Several fixes to CORSMiddleware. See #1111, #1112, #1113,
+    #1199.
+  - Improved exception messages in the case of duplicated path
+    parameter names - #1177.
+  - RedirectResponse now uses quote instead of quote_plus
+    encoding for the Location header to better match the
+    behaviour in other frameworks such as Django - #1164.
+  - Exception causes are now preserved in more cases - #1158.
+  - Session cookies now use the ASGI root path in the case of
+    mounted applications - #1147.
+  - Fixed a cache invalidation bug when static files were deleted
+    in certain circumstances - #1023.
+  - Improved memory usage of BaseHTTPMiddleware when handling
+    large responses - #1012 fixed via #1157
+  - The method starlette.templates.Jinja2Templates.get_env was
+    removed #1218
+  - The ClassVar starlette.testclient.TestClient.async_backend
+    was removed, the backend is now configured using constructor
+    kwargs #1211
+  - Passing an Async Generator Function or a Generator Function
+    to starlette.router.Router(lifespan_context=) is deprecated.
+    You should wrap your lifespan in
+    @contextlib.asynccontextmanager. #1227 #1110
+  - Built-in GraphQL support via the GraphQLApp class has been
+    deprecated and will be removed in a future release. Please
+    see #619. GraphQL is not supported on Python 3.10.
+  - The executor parameter to GraphQLApp was removed. Use
+    executor_class instead.
+  - The workers parameter to WSGIMiddleware was removed. This
+    hasn't had any effect since Starlette v0.6.3.
+
+-------------------------------------------------------------------
+Tue Apr 13 19:20:13 UTC 2021 - simmphonie@opensuse.org
+
+- add build requirements for %pytest
+- remove test for deprecated built-in GraphQL support
+- remove unrecognized arguments in setup.cfg
+
+-------------------------------------------------------------------
+Wed Feb 17 18:40:47 UTC 2021 - Michael Ströder <michael@stroeder.com>
+
+- update to 0.14.2
+
+-------------------------------------------------------------------
+Wed Dec  2 14:49:51 UTC 2020 - Michael Ströder <michael@stroeder.com>
+
+- update to 0.14.1
+
+-------------------------------------------------------------------
+Sat Sep  5 11:33:42 UTC 2020 - Michael Ströder <michael@stroeder.com>
+
+- initial packaging of 0.13.8
+ 

python-starlette.spec

@@ -0,0 +1,109 @@
+#
+# spec file
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%global flavor @BUILD_FLAVOR@%{nil}
+%if "%{flavor}" == "test"
+%define psuffix -test
+%bcond_without test
+%else
+%define psuffix %{nil}
+%bcond_with test
+%endif
+
+%define skip_python2 1
+Name:           python-starlette%{psuffix}
+Version:        0.26.1
+Release:        0
+Summary:        Lightweight ASGI framework/toolkit
+License:        BSD-3-Clause
+URL:            https://github.com/encode/starlette
+Source:         https://github.com/encode/starlette/archive/refs/tags/%{version}.tar.gz#/starlette-%{version}.tar.gz
+# PATCH-FIX-UPSTREAM gh#encode/starlette#fd038f3070c302bff17ef7d173dbb0b007617733
+Patch0:         CVE-2024-47874-multipart-form-data-part-limit.patch
+BuildRequires:  %{python_module base >= 3.7}
+BuildRequires:  %{python_module hatchling}
+BuildRequires:  %{python_module pip}
+BuildRequires:  fdupes
+BuildRequires:  python-rpm-macros
+Requires:       python-anyio >= 3.4.0
+Requires:       (python-typing_extensions >= 3.10.0 if python-base < 3.10)
+BuildArch:      noarch
+%if %{with test}
+BuildRequires:  %{python_module anyio >= 3.4.0}
+# typing_extensions, see below
+# SECTION [full]
+BuildRequires:  %{python_module PyYAML}
+BuildRequires:  %{python_module Jinja2}
+BuildRequires:  %{python_module httpx >= 0.22}
+BuildRequires:  %{python_module itsdangerous}
+BuildRequires:  %{python_module python-multipart}
+# /SECTION
+# SECTION test
+BuildRequires:  %{python_module exceptiongroup}
+BuildRequires:  %{python_module pytest-asyncio}
+BuildRequires:  %{python_module pytest}
+BuildRequires:  %{python_module trio}
+# testing requires it for all flavors
+BuildRequires:  %{python_module typing_extensions}
+BuildRequires:  %{python_module importlib-metadata}
+# /SECITON
+%endif
+%python_subpackages
+
+%description
+Starlette is a lightweight ASGI framework/toolkit, which is ideal for
+building high performance asyncio services.
+
+%prep
+%autosetup -p1 -n starlette-%{version}
+
+%build
+%pyproject_wheel
+
+%install
+%if ! %{with test}
+%pyproject_install
+%python_expand %fdupes %{buildroot}%{$python_sitelib}
+%endif
+
+%check
+%if %{with test}
+# Remove unrecognized arguments: --strict-config --strict-markers
+sed -i "s|--strict-config||" setup.cfg
+sed -i "s|--strict-markers||" setup.cfg
+sed -i "s| error$||" setup.cfg
+
+# The following tests don't work in some archs because time_t cannot
+# hold the values the test expect, as they go beyond the maximum
+# value in i586 and armv7l. As we are using Buildarch: noarch, we
+# cannot just use ifarch conditionals here...
+ignored_tests="test_set_cookie"
+ignored_tests="$ignored_tests or test_expires_on_set_cookie"
+%pytest --asyncio-mode=strict -k "not ($ignored_tests)"
+
+%endif
+
+%if ! %{with test}
+%files %{python_files}
+%doc README.md
+%license LICENSE.md
+%{python_sitelib}/starlette
+%{python_sitelib}/starlette-%{version}*-info
+%endif
+
+%changelog