2020-07-13 08:10:55 +02:00
|
|
|
From 5754521af1d51aa8e445cba07a093bbc0c88596d Mon Sep 17 00:00:00 2001
|
|
|
|
|
From: Zackery Spytz <zspytz@gmail.com>
|
|
|
|
|
Date: Mon, 16 Dec 2019 18:24:08 -0700
|
|
|
|
|
Subject: [PATCH] bpo-31046: ensurepip does not honour the value of $(prefix)
|
|
|
|
|
|
|
|
|
|
Co-Authored-By: Xavier de Gaye <xdegaye@gmail.com>
|
|
|
|
|
---
|
2021-05-05 18:46:47 +02:00
|
|
|
Doc/library/ensurepip.rst | 9 +++--
|
|
|
|
|
Lib/ensurepip/__init__.py | 18 +++++++---
|
|
|
|
|
Lib/test/test_ensurepip.py | 11 ++++++
|
|
|
|
|
Makefile.pre.in | 4 +-
|
|
|
|
|
Misc/NEWS.d/next/Build/2019-12-16-17-50-42.bpo-31046.XA-Qfr.rst | 1
|
2020-07-13 08:10:55 +02:00
|
|
|
5 files changed, 34 insertions(+), 9 deletions(-)
|
|
|
|
|
create mode 100644 Misc/NEWS.d/next/Build/2019-12-16-17-50-42.bpo-31046.XA-Qfr.rst
|
|
|
|
|
|
|
|
|
|
--- a/Doc/library/ensurepip.rst
|
|
|
|
|
+++ b/Doc/library/ensurepip.rst
|
|
|
|
|
@@ -56,8 +56,9 @@ is at least as recent as the one bundled
|
|
|
|
|
By default, ``pip`` is installed into the current virtual environment
|
|
|
|
|
(if one is active) or into the system site packages (if there is no
|
|
|
|
|
active virtual environment). The installation location can be controlled
|
|
|
|
|
-through two additional command line options:
|
|
|
|
|
+through some additional command line options:
|
|
|
|
|
|
|
|
|
|
+* ``--prefix <dir>``: Installs ``pip`` using the given directory prefix.
|
|
|
|
|
* ``--root <dir>``: Installs ``pip`` relative to the given root directory
|
|
|
|
|
rather than the root of the currently active virtual environment (if any)
|
|
|
|
|
or the default root for the current Python installation.
|
|
|
|
|
@@ -89,7 +90,7 @@ Module API
|
|
|
|
|
Returns a string specifying the bundled version of pip that will be
|
|
|
|
|
installed when bootstrapping an environment.
|
|
|
|
|
|
|
|
|
|
-.. function:: bootstrap(root=None, upgrade=False, user=False, \
|
|
|
|
|
+.. function:: bootstrap(root=None, prefix=None, upgrade=False, user=False, \
|
|
|
|
|
altinstall=False, default_pip=False, \
|
|
|
|
|
verbosity=0)
|
|
|
|
|
|
|
|
|
|
@@ -99,6 +100,8 @@ Module API
|
|
|
|
|
If *root* is ``None``, then installation uses the default install location
|
|
|
|
|
for the current environment.
|
|
|
|
|
|
|
|
|
|
+ *prefix* specifies the directory prefix to use when installing.
|
|
|
|
|
+
|
|
|
|
|
*upgrade* indicates whether or not to upgrade an existing installation
|
|
|
|
|
of an earlier version of ``pip`` to the bundled version.
|
|
|
|
|
|
|
|
|
|
@@ -119,6 +122,8 @@ Module API
|
|
|
|
|
*verbosity* controls the level of output to :data:`sys.stdout` from the
|
|
|
|
|
bootstrapping operation.
|
|
|
|
|
|
|
|
|
|
+ .. versionchanged:: 3.9 the *prefix* parameter was added.
|
|
|
|
|
+
|
|
|
|
|
.. audit-event:: ensurepip.bootstrap root ensurepip.bootstrap
|
|
|
|
|
|
|
|
|
|
.. note::
|
|
|
|
|
--- a/Lib/ensurepip/__init__.py
|
|
|
|
|
+++ b/Lib/ensurepip/__init__.py
|
- Update to 3.9.14:
- (CVE-2020-10735, bsc#1203125). Converting between int
and str in bases other than 2 (binary), 4, 8 (octal), 16
(hexadecimal), or 32 such as base 10 (decimal) now raises a
ValueError if the number of digits in string form is above a
limit to avoid potential denial of service attacks due to the
algorithmic complexity.
This new limit can be configured or disabled by environment
variable, command line flag, or sys APIs. See the integer
string conversion length limitation documentation. The
default limit is 4300 digits in string form.
- Also other bug fixes:
- http.server: Fix an open redirection vulnerability in the
HTTP server when an URI path starts with //. Vulnerability
discovered, and initial fix proposed, by Hamza Avvan.
- Fix contextvars HAMT implementation to handle iteration
over deep trees. The bug was discovered and fixed by Eli
Libman. See MagicStack/immutables#84 for more details.
- Fix binding of unix socket to empty address on Linux to use
an available address from the abstract namespace, instead
of “0”.
- Suppress writing an XML declaration in open files
in ElementTree.write() with encoding='unicode' and
xml_declaration=None.
- Fix the formatting for await x and not x in the operator
precedence table when using the help() system.
- Fix ensurepip environment isolation for subprocess running
pip.
- Fix problem with test_ssl test_get_ciphers on systems that
require perfect forward secrecy (PFS) ciphers.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=116
2022-09-11 10:54:55 +02:00
|
|
|
@@ -57,27 +57,27 @@ def _disable_pip_configuration_settings(
|
2020-07-13 08:10:55 +02:00
|
|
|
os.environ['PIP_CONFIG_FILE'] = os.devnull
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
-def bootstrap(*, root=None, upgrade=False, user=False,
|
|
|
|
|
+def bootstrap(*, root=None, prefix=None, upgrade=False, user=False,
|
|
|
|
|
altinstall=False, default_pip=False,
|
|
|
|
|
verbosity=0):
|
|
|
|
|
"""
|
|
|
|
|
Bootstrap pip into the current Python installation (or the given root
|
|
|
|
|
- directory).
|
|
|
|
|
+ and directory prefix).
|
|
|
|
|
|
|
|
|
|
Note that calling this function will alter both sys.path and os.environ.
|
|
|
|
|
"""
|
|
|
|
|
# Discard the return value
|
|
|
|
|
- _bootstrap(root=root, upgrade=upgrade, user=user,
|
|
|
|
|
+ _bootstrap(root=root, prefix=prefix, upgrade=upgrade, user=user,
|
|
|
|
|
altinstall=altinstall, default_pip=default_pip,
|
|
|
|
|
verbosity=verbosity)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
-def _bootstrap(*, root=None, upgrade=False, user=False,
|
|
|
|
|
+def _bootstrap(*, root=None, prefix=None, upgrade=False, user=False,
|
|
|
|
|
altinstall=False, default_pip=False,
|
|
|
|
|
verbosity=0):
|
|
|
|
|
"""
|
|
|
|
|
Bootstrap pip into the current Python installation (or the given root
|
|
|
|
|
- directory). Returns pip command status code.
|
|
|
|
|
+ and directory prefix). Returns pip command status code.
|
|
|
|
|
|
|
|
|
|
Note that calling this function will alter both sys.path and os.environ.
|
|
|
|
|
"""
|
- Update to 3.9.14:
- (CVE-2020-10735, bsc#1203125). Converting between int
and str in bases other than 2 (binary), 4, 8 (octal), 16
(hexadecimal), or 32 such as base 10 (decimal) now raises a
ValueError if the number of digits in string form is above a
limit to avoid potential denial of service attacks due to the
algorithmic complexity.
This new limit can be configured or disabled by environment
variable, command line flag, or sys APIs. See the integer
string conversion length limitation documentation. The
default limit is 4300 digits in string form.
- Also other bug fixes:
- http.server: Fix an open redirection vulnerability in the
HTTP server when an URI path starts with //. Vulnerability
discovered, and initial fix proposed, by Hamza Avvan.
- Fix contextvars HAMT implementation to handle iteration
over deep trees. The bug was discovered and fixed by Eli
Libman. See MagicStack/immutables#84 for more details.
- Fix binding of unix socket to empty address on Linux to use
an available address from the abstract namespace, instead
of “0”.
- Suppress writing an XML declaration in open files
in ElementTree.write() with encoding='unicode' and
xml_declaration=None.
- Fix the formatting for await x and not x in the operator
precedence table when using the help() system.
- Fix ensurepip environment isolation for subprocess running
pip.
- Fix problem with test_ssl test_get_ciphers on systems that
require perfect forward secrecy (PFS) ciphers.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=116
2022-09-11 10:54:55 +02:00
|
|
|
@@ -120,6 +120,8 @@ def _bootstrap(*, root=None, upgrade=Fal
|
2020-07-15 00:02:29 +02:00
|
|
|
args = ["install", "--no-cache-dir", "--no-index", "--find-links", tmpdir]
|
2020-07-13 08:10:55 +02:00
|
|
|
if root:
|
|
|
|
|
args += ["--root", root]
|
|
|
|
|
+ if prefix:
|
|
|
|
|
+ args += ["--prefix", prefix]
|
|
|
|
|
if upgrade:
|
|
|
|
|
args += ["--upgrade"]
|
|
|
|
|
if user:
|
- Update to 3.9.14:
- (CVE-2020-10735, bsc#1203125). Converting between int
and str in bases other than 2 (binary), 4, 8 (octal), 16
(hexadecimal), or 32 such as base 10 (decimal) now raises a
ValueError if the number of digits in string form is above a
limit to avoid potential denial of service attacks due to the
algorithmic complexity.
This new limit can be configured or disabled by environment
variable, command line flag, or sys APIs. See the integer
string conversion length limitation documentation. The
default limit is 4300 digits in string form.
- Also other bug fixes:
- http.server: Fix an open redirection vulnerability in the
HTTP server when an URI path starts with //. Vulnerability
discovered, and initial fix proposed, by Hamza Avvan.
- Fix contextvars HAMT implementation to handle iteration
over deep trees. The bug was discovered and fixed by Eli
Libman. See MagicStack/immutables#84 for more details.
- Fix binding of unix socket to empty address on Linux to use
an available address from the abstract namespace, instead
of “0”.
- Suppress writing an XML declaration in open files
in ElementTree.write() with encoding='unicode' and
xml_declaration=None.
- Fix the formatting for await x and not x in the operator
precedence table when using the help() system.
- Fix ensurepip environment isolation for subprocess running
pip.
- Fix problem with test_ssl test_get_ciphers on systems that
require perfect forward secrecy (PFS) ciphers.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=116
2022-09-11 10:54:55 +02:00
|
|
|
@@ -192,6 +194,11 @@ def _main(argv=None):
|
2020-07-13 08:10:55 +02:00
|
|
|
help="Install everything relative to this alternate root directory.",
|
|
|
|
|
)
|
|
|
|
|
parser.add_argument(
|
|
|
|
|
+ "--prefix",
|
|
|
|
|
+ default=None,
|
|
|
|
|
+ help="Install everything using this prefix.",
|
|
|
|
|
+ )
|
|
|
|
|
+ parser.add_argument(
|
|
|
|
|
"--altinstall",
|
|
|
|
|
action="store_true",
|
|
|
|
|
default=False,
|
- Update to 3.9.14:
- (CVE-2020-10735, bsc#1203125). Converting between int
and str in bases other than 2 (binary), 4, 8 (octal), 16
(hexadecimal), or 32 such as base 10 (decimal) now raises a
ValueError if the number of digits in string form is above a
limit to avoid potential denial of service attacks due to the
algorithmic complexity.
This new limit can be configured or disabled by environment
variable, command line flag, or sys APIs. See the integer
string conversion length limitation documentation. The
default limit is 4300 digits in string form.
- Also other bug fixes:
- http.server: Fix an open redirection vulnerability in the
HTTP server when an URI path starts with //. Vulnerability
discovered, and initial fix proposed, by Hamza Avvan.
- Fix contextvars HAMT implementation to handle iteration
over deep trees. The bug was discovered and fixed by Eli
Libman. See MagicStack/immutables#84 for more details.
- Fix binding of unix socket to empty address on Linux to use
an available address from the abstract namespace, instead
of “0”.
- Suppress writing an XML declaration in open files
in ElementTree.write() with encoding='unicode' and
xml_declaration=None.
- Fix the formatting for await x and not x in the operator
precedence table when using the help() system.
- Fix ensurepip environment isolation for subprocess running
pip.
- Fix problem with test_ssl test_get_ciphers on systems that
require perfect forward secrecy (PFS) ciphers.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=116
2022-09-11 10:54:55 +02:00
|
|
|
@@ -210,6 +217,7 @@ def _main(argv=None):
|
2020-07-13 08:10:55 +02:00
|
|
|
|
|
|
|
|
return _bootstrap(
|
|
|
|
|
root=args.root,
|
|
|
|
|
+ prefix=args.prefix,
|
|
|
|
|
upgrade=args.upgrade,
|
|
|
|
|
user=args.user,
|
|
|
|
|
verbosity=args.verbosity,
|
|
|
|
|
--- a/Lib/test/test_ensurepip.py
|
|
|
|
|
+++ b/Lib/test/test_ensurepip.py
|
|
|
|
|
@@ -61,6 +61,17 @@ class TestBootstrap(EnsurepipMixin, unit
|
|
|
|
|
unittest.mock.ANY,
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
+ def test_bootstrapping_with_prefix(self):
|
|
|
|
|
+ ensurepip.bootstrap(prefix="/foo/bar/")
|
|
|
|
|
+ self.run_pip.assert_called_once_with(
|
|
|
|
|
+ [
|
2020-07-17 09:21:45 +02:00
|
|
|
+ "install", "--no-cache-dir", "--no-index", "--find-links",
|
2020-07-13 08:10:55 +02:00
|
|
|
+ unittest.mock.ANY, "--prefix", "/foo/bar/",
|
|
|
|
|
+ "setuptools", "pip",
|
|
|
|
|
+ ],
|
|
|
|
|
+ unittest.mock.ANY,
|
|
|
|
|
+ )
|
|
|
|
|
+
|
|
|
|
|
def test_bootstrapping_with_user(self):
|
|
|
|
|
ensurepip.bootstrap(user=True)
|
|
|
|
|
|
|
|
|
|
--- a/Makefile.pre.in
|
|
|
|
|
+++ b/Makefile.pre.in
|
- Update to 3.9.14:
- (CVE-2020-10735, bsc#1203125). Converting between int
and str in bases other than 2 (binary), 4, 8 (octal), 16
(hexadecimal), or 32 such as base 10 (decimal) now raises a
ValueError if the number of digits in string form is above a
limit to avoid potential denial of service attacks due to the
algorithmic complexity.
This new limit can be configured or disabled by environment
variable, command line flag, or sys APIs. See the integer
string conversion length limitation documentation. The
default limit is 4300 digits in string form.
- Also other bug fixes:
- http.server: Fix an open redirection vulnerability in the
HTTP server when an URI path starts with //. Vulnerability
discovered, and initial fix proposed, by Hamza Avvan.
- Fix contextvars HAMT implementation to handle iteration
over deep trees. The bug was discovered and fixed by Eli
Libman. See MagicStack/immutables#84 for more details.
- Fix binding of unix socket to empty address on Linux to use
an available address from the abstract namespace, instead
of “0”.
- Suppress writing an XML declaration in open files
in ElementTree.write() with encoding='unicode' and
xml_declaration=None.
- Fix the formatting for await x and not x in the operator
precedence table when using the help() system.
- Fix ensurepip environment isolation for subprocess running
pip.
- Fix problem with test_ssl test_get_ciphers on systems that
require perfect forward secrecy (PFS) ciphers.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=116
2022-09-11 10:54:55 +02:00
|
|
|
@@ -1263,7 +1263,7 @@ install: @FRAMEWORKINSTALLFIRST@ commoni
|
2020-07-13 08:10:55 +02:00
|
|
|
install|*) ensurepip="" ;; \
|
|
|
|
|
esac; \
|
|
|
|
|
$(RUNSHARED) $(PYTHON_FOR_BUILD) -m ensurepip \
|
|
|
|
|
- $$ensurepip --root=$(DESTDIR)/ ; \
|
|
|
|
|
+ $$ensurepip --root=$(DESTDIR)/ --prefix=$(prefix) ; \
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
altinstall: commoninstall
|
- Update to 3.9.14:
- (CVE-2020-10735, bsc#1203125). Converting between int
and str in bases other than 2 (binary), 4, 8 (octal), 16
(hexadecimal), or 32 such as base 10 (decimal) now raises a
ValueError if the number of digits in string form is above a
limit to avoid potential denial of service attacks due to the
algorithmic complexity.
This new limit can be configured or disabled by environment
variable, command line flag, or sys APIs. See the integer
string conversion length limitation documentation. The
default limit is 4300 digits in string form.
- Also other bug fixes:
- http.server: Fix an open redirection vulnerability in the
HTTP server when an URI path starts with //. Vulnerability
discovered, and initial fix proposed, by Hamza Avvan.
- Fix contextvars HAMT implementation to handle iteration
over deep trees. The bug was discovered and fixed by Eli
Libman. See MagicStack/immutables#84 for more details.
- Fix binding of unix socket to empty address on Linux to use
an available address from the abstract namespace, instead
of “0”.
- Suppress writing an XML declaration in open files
in ElementTree.write() with encoding='unicode' and
xml_declaration=None.
- Fix the formatting for await x and not x in the operator
precedence table when using the help() system.
- Fix ensurepip environment isolation for subprocess running
pip.
- Fix problem with test_ssl test_get_ciphers on systems that
require perfect forward secrecy (PFS) ciphers.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=116
2022-09-11 10:54:55 +02:00
|
|
|
@@ -1273,7 +1273,7 @@ altinstall: commoninstall
|
2020-07-13 08:10:55 +02:00
|
|
|
install|*) ensurepip="--altinstall" ;; \
|
|
|
|
|
esac; \
|
|
|
|
|
$(RUNSHARED) $(PYTHON_FOR_BUILD) -m ensurepip \
|
|
|
|
|
- $$ensurepip --root=$(DESTDIR)/ ; \
|
|
|
|
|
+ $$ensurepip --root=$(DESTDIR)/ --prefix=$(prefix) ; \
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
commoninstall: check-clean-src @FRAMEWORKALTINSTALLFIRST@ \
|
|
|
|
|
--- /dev/null
|
|
|
|
|
+++ b/Misc/NEWS.d/next/Build/2019-12-16-17-50-42.bpo-31046.XA-Qfr.rst
|
|
|
|
|
@@ -0,0 +1 @@
|
|
|
|
|
+A directory prefix can now be specified when using :mod:`ensurepip`.
|
