Accepting request 700428 from home:mcepl:branches:devel:languages:python:Factory

- bsc#1130840 (CVE-2019-9947): add CVE-2019-9947-no-ctrl-char-http.patch
  Address the issue by disallowing URL paths with embedded
  whitespace or control characters through into the underlying
  http client request. Such potentially malicious header
  injection URLs now cause a ValueError to be raised.

OBS-URL: https://build.opensuse.org/request/show/700428
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=243
2019-05-03 15:46:24 +00:00
committed by Git OBS Bridge
parent 88ffffeead
commit 2f5ed5b585
5 changed files with 129 additions and 0 deletions
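
The check described in the commit message, as an added example that is not code from the patch or from CPython: a request-line builder without and with rejection of the characters 0x00-0x20 and 0x7f. The function names, the regex and the sample targets are assumptions constructed for illustration.

```python
import re

# Whitespace and control characters (0x00-0x20 and 0x7f), the class the
# commit message describes. This regex is an assumption of the example.
_DISALLOWED = re.compile(r"[\x00-\x20\x7f]")


def naive_request_line(method, target):
    """'Before' behaviour: the target is copied into the request line as-is."""
    return "%s %s HTTP/1.1\r\n" % (method, target)


def checked_request_line(method, target):
    """'After' behaviour: refuse targets with whitespace or control chars."""
    match = _DISALLOWED.search(target)
    if match:
        raise ValueError("URL contains disallowed character %r: %r"
                         % (match.group(), target))
    return naive_request_line(method, target)


def header_lines(request_text):
    """Split request text into the lines a server would parse."""
    return [line for line in request_text.split("\r\n") if line]


# Constructed sample targets, not taken from the page.
SAMPLES = [
    "/index.html?q=1",
    "/a b",                                     # embedded space
    "/x HTTP/1.1\r\nX-Injected: 1\r\nIgnore:",  # embedded CR/LF
    "/tab\there",                               # embedded tab
    "/del\x7f",                                 # embedded DEL
]


def classify(samples):
    """Map each target to 'accepted' or 'rejected' under the checked builder."""
    results = {}
    for target in samples:
        try:
            checked_request_line("GET", target)
            results[target] = "accepted"
        except ValueError:
            results[target] = "rejected"
    return results
```

Without the check, the third sample turns one request line into three parsed lines; with it, every sample except the first raises ValueError before anything is sent.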

@@ -78,6 +78,9 @@ Patch51: CVE-2019-9636-netloc-no-decompose-characters.patch
# PATCH-FIX-UPSTREAM CVE-2019-9948-avoid_local-file.patch bsc#1130847 mcepl@suse.com
# removing unnecessary (and potentially harmful) URL scheme local-file://
Patch52: CVE-2019-9948-avoid_local-file.patch
# PATCH-FIX-UPSTREAM CVE-2019-9947-no-ctrl-char-http.patch bsc#1130840 mcepl@suse.com
# bpo#30458: Disallow control chars in http URLs.
Patch53: CVE-2019-9947-no-ctrl-char-http.patch
# COMMON-PATCH-END
%define python_version %(echo %{tarversion} | head -c 3)
BuildRequires: automake
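Review bot: the comment above Patch53 says only "Disallow control chars in http URLs", while the changelog entry says the patch also rejects embedded whitespace and makes such URLs raise ValueError; a line in the spec comment naming the new exception would help anyone tracing a caller that starts failing after this update. Because the entry sits before "# COMMON-PATCH-END", the same three lines should also appear in every other spec file that shares this block.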
@@ -191,6 +194,7 @@ other applications.
%patch50 -p1
%patch51 -p1
%patch52 -p1
%patch53 -p1
# drop Autoconf version requirement
sed -i 's/^version_required/dnl version_required/' configure.ac
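Review bot: %patch53 -p1 is applied right after %patch51 and %patch52, which per their spec comments also change URL handling; confirm it applies on top of them without fuzz or offset, and that the package's test run exercises the new ValueError path so a later rebase that silently drops the check is noticed.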