Sync from SUSE:SLFO:Main python-starlette revision 4359b3ff55080f6065aedc98cd17a3e7

Sync from SUSE:SLFO:Main python-starlette revision 9890ba29562e346532ae7415cd83df56
Sync from SUSE:SLFO:Main python-starlette revision 31af6e4e495fa978176ba3cae5fef2eb
2025-05-17 16:08:49 +02:00 · 2024-12-13 12:28:31 +01:00 · 2024-10-18 15:44:38 +02:00
6 changed files with 116 additions and 118 deletions
--- a/CVE-2024-47874-multipart-form-data-part-limit.patch
+++ b/CVE-2024-47874-multipart-form-data-part-limit.patch
@@ -1,106 +0,0 @@
-From fd038f3070c302bff17ef7d173dbb0b007617733 Mon Sep 17 00:00:00 2001
-From: Marcelo Trylesinski <marcelotryle@gmail.com>
-Date: Tue, 15 Oct 2024 08:40:51 +0200
-Subject: [PATCH] Merge commit from fork
-
---
- starlette/formparsers.py  | 11 +++++++----
- tests/test_formparsers.py | 41 ++++++++++++++++++++++++++++++++++++---
- 2 files changed, 45 insertions(+), 7 deletions(-)
-
-Index: starlette-0.38.5/starlette/formparsers.py
-===================================================================
--- starlette-0.38.5.orig/starlette/formparsers.py
-+++ starlette-0.38.5/starlette/formparsers.py
-@@ -28,12 +28,12 @@ class FormMessage(Enum):
- class MultipartPart:
-     content_disposition: bytes | None = None
-     field_name: str = ""
-    data: bytes = b""
-+    data: bytearray = field(default_factory=bytearray)
-     file: UploadFile | None = None
-     item_headers: list[tuple[bytes, bytes]] = field(default_factory=list)
- 
- 
-def _user_safe_decode(src: bytes, codec: str) -> str:
-+def _user_safe_decode(src: bytes | bytearray, codec: str) -> str:
-     try:
-         return src.decode(codec)
-     except (UnicodeDecodeError, LookupError):
-@@ -114,7 +114,8 @@ class FormParser:
- 
- 
- class MultiPartParser:
-    max_file_size = 1024 * 1024
-+    max_file_size = 1024 * 1024  # 1MB
-+    max_part_size = 1024 * 1024  # 1MB
- 
-     def __init__(
-         self,
-@@ -146,7 +147,9 @@ class MultiPartParser:
-     def on_part_data(self, data: bytes, start: int, end: int) -> None:
-         message_bytes = data[start:end]
-         if self._current_part.file is None:
-            self._current_part.data += message_bytes
-+            if len(self._current_part.data) + len(message_bytes) > self.max_part_size:
-+                raise MultiPartException(f"Part exceeded maximum size of {int(self.max_part_size / 1024)}KB.")
-+            self._current_part.data.extend(message_bytes)
-         else:
-             self._file_parts_to_write.append((self._current_part, message_bytes))
- 
-Index: starlette-0.38.5/tests/test_formparsers.py
-===================================================================
--- starlette-0.38.5.orig/tests/test_formparsers.py
-+++ starlette-0.38.5/tests/test_formparsers.py
-@@ -640,9 +640,7 @@ def test_max_files_is_customizable_low_r
-         assert res.text == "Too many files. Maximum number of files is 1."
- 
- 
-def test_max_fields_is_customizable_high(
-    test_client_factory: TestClientFactory,
-) -> None:
-+def test_max_fields_is_customizable_high(test_client_factory: TestClientFactory) -> None:
-     client = test_client_factory(make_app_max_parts(max_fields=2000, max_files=2000))
-     fields = []
-     for i in range(2000):
-@@ -664,3 +662,40 @@ def test_max_fields_is_customizable_high
-         "content": "",
-         "content_type": None,
-     }
-+
-+
-+@pytest.mark.parametrize(
-+    "app,expectation",
-+    [
-+        (app, pytest.raises(MultiPartException)),
-+        (Starlette(routes=[Mount("/", app=app)]), does_not_raise()),
-+    ],
-+)
-+def test_max_part_size_exceeds_limit(
-+    app: ASGIApp,
-+    expectation: typing.ContextManager[Exception],
-+    test_client_factory: TestClientFactory,
-+) -> None:
-+    client = test_client_factory(app)
-+    boundary = "------------------------4K1ON9fZkj9uCUmqLHRbbR"
-+
-+    multipart_data = (
-+        f"--{boundary}\r\n"
-+        f'Content-Disposition: form-data; name="small"\r\n\r\n'
-+        "small content\r\n"
-+        f"--{boundary}\r\n"
-+        f'Content-Disposition: form-data; name="large"\r\n\r\n'
-+        + ("x" * 1024 * 1024 + "x")  # 1MB + 1 byte of data
-+        + "\r\n"
-+        f"--{boundary}--\r\n"
-+    ).encode("utf-8")
-+
-+    headers = {
-+        "Content-Type": f"multipart/form-data; boundary={boundary}",
-+        "Transfer-Encoding": "chunked",
-+    }
-+
-+    with expectation:
-+        response = client.post("/", data=multipart_data, headers=headers)  # type: ignore
-+        assert response.status_code == 400
-+        assert response.text == "Part exceeded maximum size of 1024KB."
--- a/python-starlette.changes
+++ b/python-starlette.changes
@@ -1,9 +1,43 @@
 -------------------------------------------------------------------
-Thu Oct 17 02:48:03 UTC 2024 - Steve Kowalik <steven.kowalik@suse.com>
+Thu Dec 12 16:09:18 UTC 2024 - Ben Greiner <code@bnavigator.de>

- Add patch CVE-2024-47874-multipart-form-data-part-limit.patch:
+- Add starlette-pr2773-httpx0.28.patch gh#encode/starlette#2773
+  for httpx 0.28
+
+-------------------------------------------------------------------
+Wed Nov 20 17:28:31 UTC 2024 - Dirk Müller <dmueller@suse.com>
+
+- update to 0.41.3:
+  * Exclude the query parameters from the `scope[raw_path]` on
+    the `TestClient` #2716.
+  * Replace `dict` by `Mapping` on `HTTPException.headers` #2749.
+  * Correct middleware argument passing and improve factory
+    pattern #2752.
+- update to 0.41.2:
+  * Revert bump on `python-multipart`
+- update to 0.41.1:
+  * Bump minimum `python-multipart` version to 0.0.13
+
+-------------------------------------------------------------------
+Thu Nov  7 09:20:47 UTC 2024 - Nico Krapp <nico.krapp@suse.com>
+
+- disable PendingDeprecationWarning
+
+-------------------------------------------------------------------
+Wed Oct 16 04:18:23 UTC 2024 - Steve Kowalik <steven.kowalik@suse.com>
+
+- Update to 0.41.0:
+  * Allow to raise HTTPException before websocket.accept().
  * Add max_part_size to MultiPartParser to limit the size of parts in
    multipart/form-data requests. (bsc#1231689, CVE-2024-47874)
+  * Allow use of request.url_for when only "app" scope is available.
+  * Avoid regex re-compilation in responses.py and schemas.py.
+  * Improve performance of get_route_path by removing regular expression
+    usage.
+  * Consider FileResponse.chunk_size when handling multiple ranges.
+  * Use token_hex for generating multipart boundary strings.
+  * Add support for HTTP Range to FileResponse.
+  * Close unclosed MemoryObjectReceiveStream in TestClient.

 -------------------------------------------------------------------
 Sun Sep  8 15:05:40 UTC 2024 - Dirk Müller <dmueller@suse.com>
--- a/python-starlette.spec
+++ b/python-starlette.spec
@@ -27,14 +27,14 @@

 %{?sle15_python_module_pythons}
 Name:           python-starlette%{psuffix}
-Version:        0.38.5
+Version:        0.41.3
 Release:        0
 Summary:        Lightweight ASGI framework/toolkit
 License:        BSD-3-Clause
 URL:            https://github.com/encode/starlette
 Source:         https://github.com/encode/starlette/archive/refs/tags/%{version}.tar.gz#/starlette-%{version}.tar.gz
-# PATCH-FIX-UPSTREAM gh#encode/starlette#fd038f3070c302bff17ef7d173dbb0b007617733
-Patch0:         CVE-2024-47874-multipart-form-data-part-limit.patch
+# PATCH-FIX-UPSTREAM starlette-pr2773-httpx0.28.patch gh#encode/starlette#2773
+Patch0:         https://github.com/encode/starlette/pull/2773.patch#/starlette-pr2773-httpx0.28.patch
 BuildRequires:  %{python_module base >= 3.8}
 BuildRequires:  %{python_module hatchling}
 BuildRequires:  %{python_module pip}
@@ -49,7 +49,7 @@ BuildRequires:  %{python_module anyio >= 3.4.0}
 # SECTION [full]
 BuildRequires:  %{python_module PyYAML}
 BuildRequires:  %{python_module Jinja2}
-BuildRequires:  %{python_module httpx >= 0.22}
+BuildRequires:  %{python_module httpx >= 0.28}
 BuildRequires:  %{python_module itsdangerous}
 BuildRequires:  %{python_module python-multipart >= 0.0.7}
 # /SECTION
@@ -74,7 +74,9 @@ building high performance asyncio services.
 %autosetup -p1 -n starlette-%{version}

 %build
+%if ! %{with test}
 %pyproject_wheel
+%endif

 %install
 %if ! %{with test}
@@ -92,7 +94,7 @@ ignored_tests="test_set_cookie"
 ignored_tests="$ignored_tests or test_expires_on_set_cookie"
 # fails to raise a deprecation warning as of 2024/04/25
 ignored_tests="$ignored_tests or test_lifespan_with_on_events"
-%pytest --asyncio-mode=strict -k "not ($ignored_tests)"
+%pytest -W ignore::PendingDeprecationWarning --asyncio-mode=strict -k "not ($ignored_tests)"

 %endif

@@ -101,7 +103,7 @@ ignored_tests="$ignored_tests or test_lifespan_with_on_events"
 %doc README.md
 %license LICENSE.md
 %{python_sitelib}/starlette
-%{python_sitelib}/starlette-%{version}*-info
+%{python_sitelib}/starlette-%{version}.dist-info
 %endif

 %changelog
--- a/starlette-0.38.5.tar.gz
+++ b/starlette-0.38.5.tar.gz
--- a/starlette-0.41.3.tar.gz
+++ b/starlette-0.41.3.tar.gz
--- a/starlette-pr2773-httpx0.28.patch
+++ b/starlette-pr2773-httpx0.28.patch
@@ -0,0 +1,68 @@
+From b781c571068f4afc0417c7dfb8df2eda0547af55 Mon Sep 17 00:00:00 2001
+From: Marcelo Trylesinski <marcelotryle@gmail.com>
+Date: Sat, 30 Nov 2024 10:32:50 +0100
+Subject: [PATCH 1/2] Pin httpx in `full` extra
+
+---
+ pyproject.toml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pyproject.toml b/pyproject.toml
+index a532e4628..598d4333b 100644
+--- a/pyproject.toml
+++ b/pyproject.toml
+@@ -37,7 +37,7 @@ full = [
+     "jinja2",
+     "python-multipart>=0.0.7",
+     "pyyaml",
+-    "httpx>=0.22.0",
+    "httpx>=0.27.0,<0.29.0",
+ ]
+ 
+ [project.urls]
+
+From 24de2bfc8aa99a084a9b4fcfab1e52d7a6747cd9 Mon Sep 17 00:00:00 2001
+From: Marcelo Trylesinski <marcelotryle@gmail.com>
+Date: Sat, 30 Nov 2024 10:51:11 +0100
+Subject: [PATCH 2/2] fix test
+
+---
+ tests/middleware/test_wsgi.py | 2 +-
+ tests/test_requests.py        | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/tests/middleware/test_wsgi.py b/tests/middleware/test_wsgi.py
+index 58696bb65..e4ac66ab4 100644
+--- a/tests/middleware/test_wsgi.py
+++ b/tests/middleware/test_wsgi.py
+@@ -77,7 +77,7 @@ def test_wsgi_post(test_client_factory: TestClientFactory) -> None:
+     client = test_client_factory(app)
+     response = client.post("/", json={"example": 123})
+     assert response.status_code == 200
+-    assert response.text == '{"example": 123}'
+    assert response.text == '{"example":123}'
+ 
+ 
+ def test_wsgi_exception(test_client_factory: TestClientFactory) -> None:
+diff --git a/tests/test_requests.py b/tests/test_requests.py
+index f0494e751..665dceb87 100644
+--- a/tests/test_requests.py
+++ b/tests/test_requests.py
+@@ -91,7 +91,7 @@ async def app(scope: Scope, receive: Receive, send: Send) -> None:
+     assert response.json() == {"body": ""}
+ 
+     response = client.post("/", json={"a": "123"})
+-    assert response.json() == {"body": '{"a": "123"}'}
+    assert response.json() == {"body": '{"a":"123"}'}
+ 
+     response = client.post("/", data="abc")  # type: ignore
+     assert response.json() == {"body": "abc"}
+@@ -112,7 +112,7 @@ async def app(scope: Scope, receive: Receive, send: Send) -> None:
+     assert response.json() == {"body": ""}
+ 
+     response = client.post("/", json={"a": "123"})
+-    assert response.json() == {"body": '{"a": "123"}'}
+    assert response.json() == {"body": '{"a":"123"}'}
+ 
+     response = client.post("/", data="abc")  # type: ignore
+     assert response.json() == {"body": "abc"}
Author	SHA256	Message	Date
Adrian Schröter	f89c45b6a3	Sync from SUSE:SLFO:Main python-starlette revision 4359b3ff55080f6065aedc98cd17a3e7	2025-05-17 16:08:49 +02:00
Adrian Schröter	e381406bec	Sync from SUSE:SLFO:Main python-starlette revision 9890ba29562e346532ae7415cd83df56	2024-12-13 12:28:31 +01:00
Adrian Schröter	f5119118b8	Sync from SUSE:SLFO:Main python-starlette revision 31af6e4e495fa978176ba3cae5fef2eb	2024-10-18 15:44:38 +02:00