Accepting request 957469 from home:susnux:branches:devel:languages:python

- Update to version 2.5.0
various CVE

OBS-URL: https://build.opensuse.org/request/show/957469
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-onionshare?expand=0&rev=31

fix-test-cli-web.patch

@@ -0,0 +1,12 @@
+diff -Nur onionshare-2.5/cli/tests/test_cli_web.py new/cli/tests/test_cli_web.py
+--- onionshare-2.5/cli/tests/test_cli_web.py	2022-01-17 21:56:39.000000000 +0100
++++ new/cli/tests/test_cli_web.py	2022-02-24 23:43:29.209447238 +0100
+@@ -624,7 +624,7 @@
+                 ]
+             )
+ 
+-    @pytest.mark.skipif(sys.platform != "Linux", reason="requires Linux")
++    @pytest.mark.skipif(sys.platform != "linux", reason="requires Linux")
+     @check_unsupported("http", ["--version"])
+     def test_httpie(self, temp_dir, common_obj):
+         web = web_obj(temp_dir, common_obj, "share", 3)

onionshare-2.4.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:9d82744ec930a280cf036e5e7dfab817a37866e927e5a72bdd3e13bd9b9c7b4a
-size 5680723

onionshare-2.5.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a1de4b43f6e1edbb39a6fcc1e1339856c7c7584d2899312d69449ad22f2834e7
+size 6585296

onionshare.desktop

@@ -1,14 +0,0 @@
-[Desktop Entry]
-Name=OnionShare
-GenericName=OnionShare Client
-Comment=Share a file securely and anonymously over Tor
-Comment[da]=Del en fil sikkert og anonymt over Tor
-Comment[de]=Teile Dateien sicher und anonym über das Tor-Netzwerk
-Exec=/usr/bin/onionshare-cli
-Terminal=false
-Type=Application
-Icon=onionshare.png
-Categories=Network;FileTransfer;
-Keywords=tor;anonymity;privacy;onion service;file sharing;file hosting;
-Keywords[da]=tor;anonymitet;privatliv;onion-tjeneste;fildeling;filhosting;
-Keywords[de]=tor;Anonymität;Privatsphäre;Onion-Service;File-Sharing;File-Hosting;

python-onionshare.changes

@@ -1,3 +1,43 @@
+-------------------------------------------------------------------
+Thu Feb 24 19:33:47 UTC 2022 - Ferdinand Thiessen <rpm@fthiessen.de>
+
+- Update to version 2.5.0
+  * CVE-2022-21696: It was possible to change the username to that
+    of another chat participant with an additional space character
+    at the end of the name string. 
+  * CVE-2022-21695: Authenticated users (or unauthenticated in
+    public mode) could send messages without being visible in the
+    list of chat participants
+  * CVE-2022-21694:
+  * CVE-2022-21693: An adversary with a primitive that allows for
+    filesystem access from the context of the Onionshare process
+    could access sensitive files in the entire user home folder.
+  * CVE-2022-21692: anyone with access to the chat environment
+    could write messages disguised as another chat participant
+  * CVE-2022-21691: chat participants could spoof their channel
+    leave message, tricking others into assuming they left the chatroom.
+  * CVE-2022-21690: The path parameter of the requested URL was not
+    sanitized before being passed to the QT frontend. This path is
+    used in all components for displaying the server access history.
+  * CVE-2022-21688, CVE-2022-21689: Use microseconds in Receive mode
+    directory creation to avoid potential DoS
+  * Major feature:
+    * Obtain bridges from Moat / BridgeDB
+    * Snowflake bridge support
+  * New feature:
+    * Tor connection settings, as well as general settings,
+      are now Tabs rather than dialogs
+    * User can customize the Content-Security-Policy header
+      in Website mode
+    * Built-in bridges are automatically updated from Tor's API
+      when the user has chosen to use them
+  * Switch to using stem fork called cepa
+  * Various bug fixes
+- Drop desktop file, upstream already provides one
+- Install metainfo file
+- Adjust requirements
+- Added relax-async-mode.patch
+
 -------------------------------------------------------------------
 Thu Oct  7 20:00:10 UTC 2021 - Axel Braun <axel.braun@gmx.de>
 

python-onionshare.spec

@@ -1,7 +1,7 @@
 #
-# spec file for package python-onionshare
+# spec file
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 # Copyright (c) 2018-2021 Dr. Axel Braun
 #
 # All modifications and additions to the file contributed by third parties
@@ -19,59 +19,61 @@
 
 %define modname onionshare
 Name:           python-%{modname}
-Version:        2.4
+Version:        2.5
 Release:        0
 Summary:        Self-hosting Tor Onion Service based file sharing
 License:        GPL-3.0-or-later
 Group:          Productivity/Networking/File-Sharing
-URL:            https://github.com/micahflee/onionshare
-Source0:        https://github.com/micahflee/onionshare/archive/v%{version}.tar.gz#/%{modname}-%{version}.tar.gz
-Source1:        %{modname}.desktop
+URL:            https://github.com/onionshare/onionshare
+Source0:        https://github.com/onionshare/onionshare/archive/v%{version}.tar.gz#/%{modname}-%{version}.tar.gz
 # PATCH-FIX-OPENSUSE skip test_large_download in gui tests
 Patch0:         0001-adjust_tests.diff
-
+# PATCH-FIX-UPSTREAM fix-test-cli-web.patch -- https://github.com/onionshare/onionshare/issues/1534
+Patch1:         fix-test-cli-web.patch
+# PATCH-FIX-OPENSUSE relax-async-mode.patch -- Do not rely on gevent
+Patch2:         relax-async-mode.patch
 BuildRequires:  fdupes
+BuildRequires:  hicolor-icon-theme
 BuildRequires:  python-rpm-macros
-BuildRequires:  python3-Flask
-BuildRequires:  python3-Flask-HTTPAuth
-BuildRequires:  python3-Flask-SocketIO
+BuildRequires:  python3-Flask >= 1.4.1
+BuildRequires:  python3-Flask-SocketIO >= 5.0.1
 BuildRequires:  python3-PyNaCl
 BuildRequires:  python3-PySocks
 BuildRequires:  python3-Unidecode
+BuildRequires:  python3-cepa >= 1.8.3
 BuildRequires:  python3-colorama
-BuildRequires:  python3-nautilus
+BuildRequires:  python3-eventlet
+BuildRequires:  python3-poetry
 BuildRequires:  python3-psutil
-BuildRequires:  python3-pycrypto
-BuildRequires:  python3-pyside2
+BuildRequires:  python3-pyside2 >= 5.15.2
 BuildRequires:  python3-pytest
 BuildRequires:  python3-pytest-qt
 BuildRequires:  python3-pytest-xvfb
 BuildRequires:  python3-qrcode
 BuildRequires:  python3-requests
 BuildRequires:  python3-setuptools
-BuildRequires:  python3-stem
+BuildRequires:  python3-urllib3
 BuildRequires:  tor
 BuildRequires:  update-desktop-files
-Requires:       python3-Flask
-Requires:       python3-Flask-HTTPAuth
-Requires:       python3-Flask-SocketIO
-Requires:       python3-Unidecode
-Requires:       python3-colorama
-Requires:       python3-psutil
+Requires:       python3-Flask >= 1.4.1
+Requires:       python3-Flask-SocketIO >= 5.0.1
 Requires:       python3-PyNaCl
-Requires:       python3-pycrypto
-Requires:       python3-pyside2
+Requires:       python3-Unidecode
+Requires:       python3-cepa >= 1.8.3
+Requires:       python3-colorama
+Requires:       python3-eventlet
+Requires:       python3-psutil
+Requires:       python3-pyside2 >= 5.15.2
 Requires:       python3-qrcode
 Requires:       python3-requests
-Requires:       python3-stem
+Requires:       python3-urllib3
 Requires:       tor
-BuildArch:      noarch
-
 Provides:       %{name}-%{version}
 Obsoletes:      %{name}-data < %{version}
 Obsoletes:      python36-onionshare < %{version}
 Obsoletes:      python38-onionshare < %{version}
 Obsoletes:      python39-onionshare < %{version}
+BuildArch:      noarch
 
 %description
 OnionShare lets the user share files securely and anonymously. It
@@ -83,32 +85,27 @@ program is run on. The receiving user just needs to open the URL in
 Tor Browser to download the file.
 
 %prep
-%setup -q -n %{modname}-%{version}
-%autopatch -p1
-cp %{SOURCE1} .
-
-sed -i 's/sys.platform != "Linux"/sys.platform != "linux"/' cli/tests/test_cli_settings.py cli/tests/test_cli_common.py
+%autosetup -p1 -n %{modname}-%{version}
 
 %build
-cd cli
+pushd cli
 %python3_build
-cd ../desktop/src
+popd
+pushd desktop
 %python3_build
 
 %install
-cd cli
+pushd cli
+%python3_install
+popd
+pushd desktop
 %python3_install
 
-cd ../desktop/src
-%python3_install
-
-mkdir -p %{buildroot}%{_datadir}/pixmaps
-cp org.onionshare.OnionShare.svg %{buildroot}%{_datadir}/pixmaps/.
-
-pwd
-
-desktop-file-install --dir %{buildroot}%{_datadir}/applications/ org.onionshare.OnionShare.desktop
-%suse_update_desktop_file org.onionshare.OnionShare
+install -Dm 0644 org.onionshare.OnionShare.appdata.xml \
+  %{buildroot}%{_datadir}/metainfo/org.onionshare.OnionShare.metainfo.xml
+install -Dm 0644 org.onionshare.OnionShare.svg \
+  %{buildroot}%{_datadir}/icons/hicolor/scalable/apps/org.onionshare.OnionShare.svg
+%suse_update_desktop_file -i org.onionshare.OnionShare
 
 %fdupes %{buildroot}%{python3_sitelib}
 
@@ -135,8 +132,9 @@ popd
 %{_bindir}/%{modname}-cli
 %license LICENSE
 %doc README.md
-%{_datadir}/applications/*
-%{_datadir}/pixmaps/*
+%{_datadir}/applications/org.onionshare.OnionShare.desktop
+%{_datadir}/metainfo/org.onionshare.OnionShare.metainfo.xml
+%{_datadir}/icons/hicolor/scalable/apps/org.onionshare.OnionShare.svg
 %{python3_sitelib}/onionshare
 %{python3_sitelib}/onionshare-%{version}*-info
 %{python3_sitelib}/onionshare_cli

relax-async-mode.patch

@@ -0,0 +1,16 @@
+diff -Nur onionshare-2.5/cli/onionshare_cli/web/web.py new/cli/onionshare_cli/web/web.py
+--- onionshare-2.5/cli/onionshare_cli/web/web.py	2022-01-17 21:56:39.000000000 +0100
++++ new/cli/onionshare_cli/web/web.py	2022-02-25 01:35:45.401731026 +0100
+@@ -164,10 +164,10 @@
+         elif self.mode == "chat":
+             if self.common.verbose:
+                 self.socketio = SocketIO(
+-                    async_mode="gevent", logger=True, engineio_logger=True
++                    logger=True, engineio_logger=True
+                 )
+             else:
+-                self.socketio = SocketIO(async_mode="gevent")
++                self.socketio = SocketIO()
+             self.socketio.init_app(self.app)
+             self.chat_mode = ChatModeWeb(self.common, self)
+