Add CVE-2026-24486.patch to fix CVE-2026-24486 (bsc#1257301)

- update to 0.0.20:
  * Handle messages containing only end boundary #142.

OBS-URL: https://build.opensuse.org/request/show/1243192
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-python-multipart?expand=0&rev=11

CVE-2026-24486.patch

@@ -0,0 +1,58 @@
+From 9433f4bbc9652bdde82bbe380984e32f8cfc89c4 Mon Sep 17 00:00:00 2001
+From: Marcelo Trylesinski <marcelotryle@gmail.com>
+Date: Sun, 25 Jan 2026 10:37:09 +0100
+Subject: [PATCH] Merge commit from fork
+
+---
+ python_multipart/multipart.py |  4 +++-
+ tests/test_file.py            | 26 ++++++++++++++++++++++++++
+ 2 files changed, 29 insertions(+), 1 deletion(-)
+ create mode 100644 tests/test_file.py
+
+diff --git a/python_multipart/multipart.py b/python_multipart/multipart.py
+index 0cc4c82..1489b7a 100644
+--- a/python_multipart/multipart.py
++++ b/python_multipart/multipart.py
+@@ -375,7 +375,9 @@ def __init__(self, file_name: bytes | None, field_name: bytes | None = None, con
+ 
+         # Split the extension from the filename.
+         if file_name is not None:
+-            base, ext = os.path.splitext(file_name)
++            # Extract just the basename to avoid directory traversal
++            basename = os.path.basename(file_name)
++            base, ext = os.path.splitext(basename)
+             self._file_base = base
+             self._ext = ext
+ 
+diff --git a/tests/test_file.py b/tests/test_file.py
+new file mode 100644
+index 0000000..4d65232
+--- /dev/null
++++ b/tests/test_file.py
+@@ -0,0 +1,26 @@
++from pathlib import Path
++
++from python_multipart.multipart import File
++
++
++def test_upload_dir_with_leading_slash_in_filename(tmp_path: Path):
++    upload_dir = tmp_path / "upload"
++    upload_dir.mkdir()
++
++    # When the file_name provided has a leading slash, we should only use the basename.
++    # This is to avoid directory traversal.
++    to_upload = tmp_path / "foo.txt"
++
++    file = File(
++        bytes(to_upload),
++        config={
++            "UPLOAD_DIR": bytes(upload_dir),
++            "UPLOAD_KEEP_FILENAME": True,
++            "UPLOAD_KEEP_EXTENSIONS": True,
++            "MAX_MEMORY_FILE_SIZE": 10,
++        },
++    )
++    file.write(b"123456789012")
++    assert not file.in_memory
++    assert Path(upload_dir / "foo.txt").exists()
++    assert Path(upload_dir / "foo.txt").read_bytes() == b"123456789012"

python-python-multipart.changes

@@ -1,3 +1,57 @@
+-------------------------------------------------------------------
+Tue Jan 27 09:01:01 UTC 2026 - Nico Krapp <nico.krapp@suse.com>
+
+- Add CVE-2026-24486.patch to fix CVE-2026-24486 (bsc#1257301)
+
+-------------------------------------------------------------------
+Tue Feb  4 17:06:23 UTC 2025 - Dirk Müller <dmueller@suse.com>
+
+- update to 0.0.20:
+  * Handle messages containing only end boundary #142.
+
+-------------------------------------------------------------------
+Wed Dec  4 10:08:03 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Update to 0.0.19 (bsc#1234115, CVE-2024-53981):
+  * Don't warn when CRLF is found after last boundary #193
+- 0.0.18:
+  * Hard break if found data after last boundary on MultipartParser #189
+
+-------------------------------------------------------------------
+Wed Nov  6 14:13:57 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to 0.0.17
+  * Handle PermissionError in fallback code for old import name #182
+- from version 0.0.16
+  * Add dunder attributes to `multipart` package #177
+- from version 0.0.15
+  * Replace `FutureWarning` to `PendingDeprecationWarning` #174
+  * Add missing files to SDist #171
+- from version 0.0.14
+  * Fix import scheme for `multipart` module #168
+- from version 0.0.13
+  * Rename import to `python_multipart` #166
+- from version 0.0.12
+  * Improve error message when boundary character does not match #124
+  * Add mypy strict typing #140
+  * Enforce 100% coverage #159
+- from version 0.0.11
+  * Improve performance, especially in data with many CR-LF #137
+  * Handle invalid CRLF in header name #141
+- from version 0.0.10
+  * Support `on_header_begin` #103
+  * Improve type hints on `FormParser` #104
+  * Fix `OnFileCallback` type #106
+  * Improve type hints #110
+  * Improve type hints on `File` #111
+  * Add type hint to helper functions #112
+  * Minor fix for Field.__repr__ #114
+  * Fix use of chunk_size parameter #136
+  * Allow digits and valid token chars in headers #134
+  * Fix headers being carried between parts #135
+- Add python_multipart Python directory to %files section
+- Rename README.rst to README.md in %files section
+
 -------------------------------------------------------------------
 Fri Mar  1 10:15:27 UTC 2024 - Dirk Müller <dmueller@suse.com>
 

python-python-multipart.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package python-python-multipart
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,12 +18,14 @@
 
 %{?sle15_python_module_pythons}
 Name:           python-python-multipart
-Version:        0.0.9
+Version:        0.0.20
 Release:        0
 License:        Apache-2.0
 Summary:        Python streaming multipart parser
-URL:            http://github.com/andrew-d/python-multipart
+URL:            http://github.com/Kludex/python-multipart
 Source:         https://files.pythonhosted.org/packages/source/p/python-multipart/python_multipart-%{version}.tar.gz
+# PATCH-FIX-UPSTREAM CVE-2026-24486.patch bsc#1257301 gh#Kludex/python-multipart@9433f4b
+Patch0:         CVE-2026-24486.patch
 BuildRequires:  %{python_module hatchling}
 BuildRequires:  %{python_module pip}
 BuildRequires:  %{python_module wheel}
@@ -54,9 +56,10 @@ A streaming multipart parser for Python.
 %pytest
 
 %files %{python_files}
-%doc README.rst
+%doc README.md
 %license LICENSE.txt
 %{python_sitelib}/multipart
+%{python_sitelib}/python_multipart
 %{python_sitelib}/python_multipart-%{version}.dist-info
 
 %changelog

python_multipart-0.0.9.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:03f54688c663f1b7977105f021043b0793151e4cb1c1a9d4a11fc13d622c4026
-size 31516