From a73bf5ff0b2f3d993eb49a507e89aeb1b209dafc6c111c6e428b09fc77da69ad Mon Sep 17 00:00:00 2001
From: Denisart Benjamin
Date: Sun, 26 Jul 2015 12:41:50 +0000
Subject: [PATCH] Accepting request 318370 from SUSE:SLE-12:Update
- declare $ sign as a safe character in url paths to prevent escaping /$RCE/ which lead into problems with token auth (bnc#902416)
- set curl option SSL_VERIFYHOST correct
OBS-URL: https://build.opensuse.org/request/show/318370
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-urlgrabber?expand=0&rev=25
---
 declare-dollar-sign-as-safe-in-urlquote.patch | 13 +++++++++++++
 ...urlgrabber-3.9.1-set-SSL_VERIFYHOST-correct.dif | 14 ++++++++++++++
 python-urlgrabber.changes | 8 ++++++++
 python-urlgrabber.spec | 6 +++++-
 4 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 declare-dollar-sign-as-safe-in-urlquote.patch
 create mode 100644 python-urlgrabber-3.9.1-set-SSL_VERIFYHOST-correct.dif
diff --git a/declare-dollar-sign-as-safe-in-urlquote.patch b/declare-dollar-sign-as-safe-in-urlquote.patch
new file mode 100644
index 0000000..054fecc
--- /dev/null
+++ b/declare-dollar-sign-as-safe-in-urlquote.patch
@@ -0,0 +1,13 @@
+Index: urlgrabber-3.9.1/urlgrabber/grabber.py
+===================================================================
+--- urlgrabber-3.9.1.orig/urlgrabber/grabber.py
++++ urlgrabber-3.9.1/urlgrabber/grabber.py
+@@ -715,7 +715,7 @@ class URLParser:
+ passing into urlgrabber.
+ """
+ (scheme, host, path, parm, query, frag) = parts
+- path = urllib.quote(path)
++ path = urllib.quote(path, safe='/$')
+ return (scheme, host, path, parm, query, frag)
+ 
+ hexvals = '0123456789ABCDEF'
diff --git a/python-urlgrabber-3.9.1-set-SSL_VERIFYHOST-correct.dif b/python-urlgrabber-3.9.1-set-SSL_VERIFYHOST-correct.dif
new file mode 100644
index 0000000..3231740
--- /dev/null
+++ b/python-urlgrabber-3.9.1-set-SSL_VERIFYHOST-correct.dif
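Review bot: The widened safe set on the `++ path = urllib.quote(path, safe='/$')` line carries no explanation of why `$` may now pass through unescaped; the commit message only says that escaping it broke token auth. `$` is one of the sub-delims RFC 3986 permits literally inside a path segment, so leaving it alone is legal, but the same holds for `!`, `*`, `,`, `;`, `=`, `:`, `@` and `&`, which this call still percent-encodes, and a reader cannot tell whether that asymmetry is deliberate. A comment on the new line such as `# '$' is an RFC 3986 sub-delim; keep it literal so token-style paths like /$RCE/ reach the server unchanged (bnc#902416)` records the reason and the bug reference next to the code. The enclosing `URLParser.quote` method begins outside the hunk, so whether callers already filter the path before this point is not visible here.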
@@ -0,0 +1,14 @@
+Index: urlgrabber-3.9.1/urlgrabber/grabber.py
+===================================================================
+--- urlgrabber-3.9.1.orig/urlgrabber/grabber.py
++++ urlgrabber-3.9.1/urlgrabber/grabber.py
+@@ -1190,7 +1190,8 @@ class PyCurlFileObject():
+ self.curl_obj.setopt(pycurl.CAPATH, opts.ssl_ca_cert)
+ self.curl_obj.setopt(pycurl.CAINFO, opts.ssl_ca_cert)
+ self.curl_obj.setopt(pycurl.SSL_VERIFYPEER, opts.ssl_verify_peer)
+- self.curl_obj.setopt(pycurl.SSL_VERIFYHOST, opts.ssl_verify_host)
++ if opts.ssl_verify_host: # 1 is meaningless to curl
++ self.curl_obj.setopt(pycurl.SSL_VERIFYHOST, 2)
+ if opts.ssl_key:
+ self.curl_obj.setopt(pycurl.SSLKEY, opts.ssl_key)
+ if opts.ssl_key_type:
diff --git a/python-urlgrabber.changes b/python-urlgrabber.changes
index 57b5ff6..3652bab 100644
--- a/python-urlgrabber.changes
+++ b/python-urlgrabber.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Feb 12 13:42:05 CET 2015 - mc@suse.de
+
+- declare $ sign as a safe character in url paths to prevent
+ escaping /$RCE/ which lead into problems with token auth
+ (bnc#902416)
+- set curl option SSL_VERIFYHOST correct
+
 -------------------------------------------------------------------
 Tue Sep 16 12:38:07 UTC 2014 - dmacvicar@suse.de
 
diff --git a/python-urlgrabber.spec b/python-urlgrabber.spec
index 59b9265..e15788c 100644
--- a/python-urlgrabber.spec
+++ b/python-urlgrabber.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package python-urlgrabber
 #
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
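Review bot: The new `++ if opts.ssl_verify_host:` branch handles only the enabled case; when `opts.ssl_verify_host` is false nothing is set, so host-name checking is left to libcurl's default (2, i.e. verify) or to whatever value a reused handle still carries, and an explicit opt-out no longer reliably takes effect. The replaced line was genuinely unsafe — a Python `True` was sent as 1, which libcurl only ever treated as "a name is present" without matching it against the host, and which recent libcurl releases reject outright — so the switch to 2 is the right fix, but the behaviour on the false path should be explicit rather than accidental. If the opt-out is meant to keep working, one line covers both cases: `self.curl_obj.setopt(pycurl.SSL_VERIFYHOST, 2 if opts.ssl_verify_host else 0)`; if ignoring the opt-out is the intended fail-safe, the inline comment should say so, e.g. `# 2 = match the certificate against the host; 1 never verified the name and newer libcurl rejects it, so the option is only set when enabled`. The enclosing method starts and ends outside the hunk, so whether the handle is reset before these options are applied cannot be confirmed here.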
@@ -27,6 +27,8 @@ Source: http://pypi.python.org/packages/source/u/urlgrabber/urlgrabber-% Patch0: grabber_fix.diff # PATCH-FIX-UPSTREAM bnc#896844 Patch1: python-urlgrabber-3.9.1-preserve-queryparams-in-urls.patch +Patch2: declare-dollar-sign-as-safe-in-urlquote.patch +Patch3: python-urlgrabber-3.9.1-set-SSL_VERIFYHOST-correct.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: python-devel BuildRequires: python-pycurl @@ -49,6 +51,8 @@ throttling, authentication, proxies and more. sed -i "13d" urlgrabber/__init__.py # Remove wrong license header, fixes bnc#781323 %patch0 -p1 %patch1 -p1 +%patch2 -p1 +%patch3 -p1 %build python setup.py build