.gitignore

@@ -1 +1 @@
-SOURCES/rel_1_2_3.tar.gz
+SOURCES/rel_1_1_4.tar.gz

.python-mako.metadata

@@ -1 +1 @@
-263da98d1fd27583abe119125a572bb3555673fd SOURCES/rel_1_2_3.tar.gz
+557b3318679d7675c2b1fe00bb2e744f47a53c2a SOURCES/rel_1_1_4.tar.gz

SOURCES/python-mako-1.1.14-CVE-2022-40023.patch

@@ -0,0 +1,87 @@
+From 0969203d36a128f42d7e4025ca29b5dfa74e1a21 Mon Sep 17 00:00:00 2001
+From: Mike Bayer <mike_mp@zzzcomputing.com>
+Date: Mon, 29 Aug 2022 12:28:52 -0400
+Subject: [PATCH] fix tag regexp to match quoted groups correctly
+
+Fixed issue in lexer where the regexp used to match tags would not
+correctly interpret quoted sections individually. While this parsing issue
+still produced the same expected tag structure later on, the mis-handling
+of quoted sections was also subject to a regexp crash if a tag had a large
+number of quotes within its quoted sections.
+
+Fixes: #366
+Change-Id: I74e0d71ff7f419970711a7cd51adcf1bb90a44c0
+---
+ doc/build/unreleased/366.rst |  9 +++++++++
+ mako/lexer.py                | 12 ++++++++----
+ test/test_lexer.py           |  4 ++++
+ 3 files changed, 21 insertions(+), 4 deletions(-)
+ create mode 100644 doc/build/unreleased/366.rst
+
+diff --git a/doc/build/unreleased/366.rst b/doc/build/unreleased/366.rst
+new file mode 100644
+index 0000000..27b0278
+--- /dev/null
++++ b/doc/build/unreleased/366.rst
+@@ -0,0 +1,9 @@
++.. change::
++    :tags: bug, lexer
++    :tickets: 366
++
++    Fixed issue in lexer where the regexp used to match tags would not
++    correctly interpret quoted sections individually. While this parsing issue
++    still produced the same expected tag structure later on, the mis-handling
++    of quoted sections was also subject to a regexp crash if a tag had a large
++    number of quotes within its quoted sections.
+\ No newline at end of file
+diff --git a/mako/lexer.py b/mako/lexer.py
+index 6226e26..c8eee6f 100644
+--- a/mako/lexer.py
++++ b/mako/lexer.py
+@@ -295,20 +295,24 @@ class Lexer(object):
+         return self.template
+ 
+     def match_tag_start(self):
+-        match = self.match(
+-            r"""
++        reg = r"""
+             \<%     # opening tag
+ 
+             ([\w\.\:]+)   # keyword
+ 
+-            ((?:\s+\w+|\s*=\s*|".*?"|'.*?')*)  # attrname, = \
++            ((?:\s+\w+|\s*=\s*|"[^"]*?"|'[^']*?'|\s*,\s*)*)  # attrname, = \
+                                                #        sign, string expression
++                                               # comma is for backwards compat
++                                               # identified in #366
+ 
+             \s*     # more whitespace
+ 
+             (/)?>   # closing
+ 
+-            """,
++        """
++
++        match = self.match(
++            reg,
+             re.I | re.S | re.X,
+         )
+ 
+diff --git a/test/test_lexer.py b/test/test_lexer.py
+index 9807961..7d4b146 100644
+--- a/test/test_lexer.py
++++ b/test/test_lexer.py
+@@ -146,6 +146,10 @@ class LexerTest(TemplateTest):
+         """
+         self.assertRaises(exceptions.CompileException, Lexer(template).parse)
+ 
++    def test_tag_many_quotes(self):
++        template = "<%0" + '"' * 3000
++        self.assertRaises(exceptions.SyntaxException, Lexer(template).parse)
++
+     def test_unmatched_tag(self):
+         template = """
+         <%namespace name="bar">
+-- 
+2.38.1
+

SPECS/python-mako.spec

@@ -1,15 +1,17 @@
-Name:    python-mako
+Name: python-mako
-Version: 1.2.3
+Version: 1.1.4
-Release: 8%{?dist}
+Release: 6%{?dist}
+BuildArch: noarch
+
+# Mostly MIT, but _ast_util.py is Python licensed.
+# The documentation contains javascript for search licensed BSD or GPLv2
+License: (MIT and Python) and (BSD or GPLv2)
 Summary: Mako template library for Python
-
+URL: http://www.makotemplates.org/
-# Mostly MIT, but _ast_util.py is Python-2.0.1 licensed
-# examples/bench/basic.py is BSD-3-Clause
-License: MIT AND Python-2.0.1 AND BSD-3-Clause
-URL:     https://www.makotemplates.org/
 Source0: https://github.com/sqlalchemy/mako/archive/rel_%(echo %{version} | sed "s/\./_/g").tar.gz
+# https://bugzilla.redhat.com/show_bug.cgi?id=2133606
+Patch0:  python-mako-1.1.14-CVE-2022-40023.patch
 
-BuildArch:     noarch
 BuildRequires: python3-devel
 BuildRequires: python3-pytest
 BuildRequires: python3-setuptools
@@ -35,7 +37,6 @@ Summary: %{summary}
 Recommends: python3-beaker
 
 Obsoletes: python2-mako < 1.1.0-3
-Obsoletes: python-mako-doc < 1.1.4-6
 
 %{?python_provide:%python_provide python3-mako}
 
@@ -44,13 +45,18 @@ Obsoletes: python-mako-doc < 1.1.4-6
 This package contains the mako module built for use with python3.
 
 
+%package doc
+Summary: Documentation for the Mako template library for Python
+Suggests: python3-mako = %{version}-%{release}
+
+%description doc %_description
+
+This package contains documentation in text and HTML formats.
+
 
 %prep
 %autosetup -p1 -n mako-rel_%(echo %{version} | sed "s/\./_/g")
 
-# the package ends up installed as %%{version}.dev0 otherwise:
-sed -i '/tag_build = dev/d' setup.cfg
-
 
 %build
 %py3_build
@@ -63,6 +69,9 @@ mv %{buildroot}/%{_bindir}/mako-render %{buildroot}/%{_bindir}/mako-render-%{pyt
 ln -s ./mako-render-%{python3_version} %{buildroot}/%{_bindir}/mako-render-3
 ln -s ./mako-render-%{python3_version} %{buildroot}/%{_bindir}/mako-render
 
+# These are supporting files for building the docs.  No need to ship
+rm -rf doc/build
+
 
 %check
 pytest-3
@@ -77,53 +86,20 @@ pytest-3
 %{python3_sitelib}/mako/
 %{python3_sitelib}/Mako-*.egg-info/
 
+%files doc
+%doc doc
 
-%changelog
-* Tue Nov 26 2024 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 1.2.3-8
-- Rebuilt for MSVSphere 10
-
-* Mon Aug 19 2024 Tomas Popela <tpopela@redhat.com> - 1.2.3-8
-- Fix SDPX license
-
-* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1.2.3-7
-- Bump release for June 2024 mass rebuild
-
-* Fri Jan 26 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.3-6
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
 
-* Mon Jan 22 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.3-5
+%changelog
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+* Thu Nov 17 2022 David King <amigadave@amigadave.com> - 1.1.4-6
-
+- Fix CVE-2022-40023 (#2133606)
-* Fri Jul 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.3-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
-
-* Tue Jun 13 2023 Python Maint <python-maint@redhat.com> - 1.2.3-3
-- Rebuilt for Python 3.12
-
-* Fri Jan 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.3-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
-
-* Thu Oct 27 2022 David King <amigadave@amigadave.com> - 1.2.3-1
-- Update to 1.2.3 (#1996163)
-
-* Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.4-9
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
-
-* Mon Jun 13 2022 Python Maint <python-maint@redhat.com> - 1.1.4-8
-- Rebuilt for Python 3.11
-
-* Fri Jan 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.4-7
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
-
-* Fri Oct 29 2021 Miro Hrončok <mhroncok@redhat.com> - 1.1.4-6
-- Don't build the package as 1.1.4.dev0
-- Remove the empty python-mako-doc package
 
-* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.4-5
+* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1.1.4-5
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
 
-* Wed Jun 02 2021 Python Maint <python-maint@redhat.com> - 1.1.4-4
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.1.4-4
-- Rebuilt for Python 3.10
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
 
 * Mon Mar 29 2021 David King <amigadave@amigadave.com> - 1.1.4-3
 - Remove unnecessary python3-mock BuildRequires