Accepting request 318370 from SUSE:SLE-12:Update

- declare $ sign as a safe character in url paths to prevent escaping /$RCE/ which lead into problems with token auth (bnc#902416) - set curl option SSL_VERIFYHOST correct OBS-URL: https://build.opensuse.org/request/show/318370 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-urlgrabber?expand=0&rev=25
2015-07-26 12:41:50 +00:00
parent 57a2e44cf6
commit a73bf5ff0b
4 changed files with 40 additions and 1 deletions
--- a/declare-dollar-sign-as-safe-in-urlquote.patch
+++ b/declare-dollar-sign-as-safe-in-urlquote.patch
@@ -0,0 +1,13 @@
+Index: urlgrabber-3.9.1/urlgrabber/grabber.py
+===================================================================
+--- urlgrabber-3.9.1.orig/urlgrabber/grabber.py
+++ urlgrabber-3.9.1/urlgrabber/grabber.py
+@@ -715,7 +715,7 @@ class URLParser:
+         passing into urlgrabber.
+         """
+         (scheme, host, path, parm, query, frag) = parts
+-        path = urllib.quote(path)
+        path = urllib.quote(path, safe='/$')
+         return (scheme, host, path, parm, query, frag)
+ 
+     hexvals = '0123456789ABCDEF'
--- a/python-urlgrabber-3.9.1-set-SSL_VERIFYHOST-correct.dif
+++ b/python-urlgrabber-3.9.1-set-SSL_VERIFYHOST-correct.dif
@@ -0,0 +1,14 @@
+Index: urlgrabber-3.9.1/urlgrabber/grabber.py
+===================================================================
+--- urlgrabber-3.9.1.orig/urlgrabber/grabber.py
+++ urlgrabber-3.9.1/urlgrabber/grabber.py
+@@ -1190,7 +1190,8 @@ class PyCurlFileObject():
+                 self.curl_obj.setopt(pycurl.CAPATH, opts.ssl_ca_cert)
+                 self.curl_obj.setopt(pycurl.CAINFO, opts.ssl_ca_cert)
+             self.curl_obj.setopt(pycurl.SSL_VERIFYPEER, opts.ssl_verify_peer)
+-            self.curl_obj.setopt(pycurl.SSL_VERIFYHOST, opts.ssl_verify_host)
+            if opts.ssl_verify_host: # 1 is meaningless to curl
+                self.curl_obj.setopt(pycurl.SSL_VERIFYHOST, 2)
+             if opts.ssl_key:
+                 self.curl_obj.setopt(pycurl.SSLKEY, opts.ssl_key)
+             if opts.ssl_key_type:
--- a/python-urlgrabber.changes
+++ b/python-urlgrabber.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Feb 12 13:42:05 CET 2015 - mc@suse.de
+
+- declare $ sign as a safe character in url paths to prevent
+  escaping /$RCE/ which lead into problems with token auth
+  (bnc#902416)
+- set curl option SSL_VERIFYHOST correct
+
 -------------------------------------------------------------------
 Tue Sep 16 12:38:07 UTC 2014 - dmacvicar@suse.de

--- a/python-urlgrabber.spec
+++ b/python-urlgrabber.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package python-urlgrabber
 #
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -27,6 +27,8 @@ Source:         http://pypi.python.org/packages/source/u/urlgrabber/urlgrabber-%
 Patch0:         grabber_fix.diff
 # PATCH-FIX-UPSTREAM bnc#896844
 Patch1:         python-urlgrabber-3.9.1-preserve-queryparams-in-urls.patch
+Patch2:         declare-dollar-sign-as-safe-in-urlquote.patch
+Patch3:         python-urlgrabber-3.9.1-set-SSL_VERIFYHOST-correct.dif
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  python-devel
 BuildRequires:  python-pycurl
@@ -49,6 +51,8 @@ throttling, authentication, proxies and more.
 sed -i "13d" urlgrabber/__init__.py # Remove wrong license header, fixes bnc#781323
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1

 %build
 python setup.py build