Accepting request 318370 from SUSE:SLE-12:Update

- declare $ sign as a safe character in url paths to prevent
  escaping /$RCE/ which lead into problems with token auth
  (bnc#902416)
- set curl option SSL_VERIFYHOST correct

OBS-URL: https://build.opensuse.org/request/show/318370
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-urlgrabber?expand=0&rev=25

declare-dollar-sign-as-safe-in-urlquote.patch

@@ -0,0 +1,13 @@
+Index: urlgrabber-3.9.1/urlgrabber/grabber.py
+===================================================================
+--- urlgrabber-3.9.1.orig/urlgrabber/grabber.py
++++ urlgrabber-3.9.1/urlgrabber/grabber.py
+@@ -715,7 +715,7 @@ class URLParser:
+         passing into urlgrabber.
+         """
+         (scheme, host, path, parm, query, frag) = parts
+-        path = urllib.quote(path)
++        path = urllib.quote(path, safe='/$')
+         return (scheme, host, path, parm, query, frag)
+ 
+     hexvals = '0123456789ABCDEF'

python-urlgrabber-3.9.1-set-SSL_VERIFYHOST-correct.dif

@@ -0,0 +1,14 @@
+Index: urlgrabber-3.9.1/urlgrabber/grabber.py
+===================================================================
+--- urlgrabber-3.9.1.orig/urlgrabber/grabber.py
++++ urlgrabber-3.9.1/urlgrabber/grabber.py
+@@ -1190,7 +1190,8 @@ class PyCurlFileObject():
+                 self.curl_obj.setopt(pycurl.CAPATH, opts.ssl_ca_cert)
+                 self.curl_obj.setopt(pycurl.CAINFO, opts.ssl_ca_cert)
+             self.curl_obj.setopt(pycurl.SSL_VERIFYPEER, opts.ssl_verify_peer)
+-            self.curl_obj.setopt(pycurl.SSL_VERIFYHOST, opts.ssl_verify_host)
++            if opts.ssl_verify_host: # 1 is meaningless to curl
++                self.curl_obj.setopt(pycurl.SSL_VERIFYHOST, 2)
+             if opts.ssl_key:
+                 self.curl_obj.setopt(pycurl.SSLKEY, opts.ssl_key)
+             if opts.ssl_key_type:

python-urlgrabber.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Feb 12 13:42:05 CET 2015 - mc@suse.de
+
+- declare $ sign as a safe character in url paths to prevent
+  escaping /$RCE/ which lead into problems with token auth
+  (bnc#902416)
+- set curl option SSL_VERIFYHOST correct
+
 -------------------------------------------------------------------
 Tue Sep 16 12:38:07 UTC 2014 - dmacvicar@suse.de
 

python-urlgrabber.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package python-urlgrabber
 #
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -27,6 +27,8 @@ Source:         http://pypi.python.org/packages/source/u/urlgrabber/urlgrabber-%
 Patch0:         grabber_fix.diff
 # PATCH-FIX-UPSTREAM bnc#896844
 Patch1:         python-urlgrabber-3.9.1-preserve-queryparams-in-urls.patch
+Patch2:         declare-dollar-sign-as-safe-in-urlquote.patch
+Patch3:         python-urlgrabber-3.9.1-set-SSL_VERIFYHOST-correct.dif
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  python-devel
 BuildRequires:  python-pycurl
@@ -49,6 +51,8 @@ throttling, authentication, proxies and more.
 sed -i "13d" urlgrabber/__init__.py # Remove wrong license header, fixes bnc#781323
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1
 
 %build
 python setup.py build