From 1f48583e2e7f480a26fdc01a399db0f8d04b1850 Mon Sep 17 00:00:00 2001
From: MSVSphere Packaging Team
Date: Fri, 22 Sep 2023 19:40:01 +0300
Subject: [PATCH] import python-tornado-6.1.0-9.el9
---
 .gitignore | 1 +
 .python-tornado.metadata | 1 +
 ...001-Add-test-for-open-redirect-issue.patch | 60 ++++
 ...n-open-redirect-in-StaticFileHandler.patch | 41 +++
 ...rn-DeprecationWarning-into-Exception.patch | 11 +
 ...ease-timeout-in-test_request_timeout.patch | 32 ++
 SPECS/python-tornado.spec | 334 ++++++++++++++++++
 7 files changed, 480 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 .python-tornado.metadata
 create mode 100644 SOURCES/0001-Add-test-for-open-redirect-issue.patch
 create mode 100644 SOURCES/0002-PATCH-web-Fix-an-open-redirect-in-StaticFileHandler.patch
 create mode 100644 SOURCES/Do-not-turn-DeprecationWarning-into-Exception.patch
 create mode 100644 SOURCES/Increase-timeout-in-test_request_timeout.patch
 create mode 100644 SPECS/python-tornado.spec
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..194fb8e
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/tornado-6.1.0.tar.gz
diff --git a/.python-tornado.metadata b/.python-tornado.metadata
new file mode 100644
index 0000000..699327e
--- /dev/null
+++ b/.python-tornado.metadata
@@ -0,0 +1 @@
+c23c617c7a0205e465bebad5b8cdf289ae8402a2 SOURCES/tornado-6.1.0.tar.gz
diff --git a/SOURCES/0001-Add-test-for-open-redirect-issue.patch b/SOURCES/0001-Add-test-for-open-redirect-issue.patch
new file mode 100644
index 0000000..2d40188
--- /dev/null
+++ b/SOURCES/0001-Add-test-for-open-redirect-issue.patch
@@ -0,0 +1,60 @@
+Subject: [PATCH 1/2] Add test for open redirect issue
+
+Backported from upstream:
+ - https://github.com/tornadoweb/tornado/commit/b56245730e
+---
+ tornado/test/web_test.py | 31 ++++++++++++++++++++++++++++++-
+ 1 file changed, 30 insertions(+), 1 deletion(-)
+
+diff --git a/tornado/test/web_test.py b/tornado/test/web_test.py
+index 5490ba2..c641ca1 100644
+--- a/tornado/test/web_test.py
++++ b/tornado/test/web_test.py
+@@ -1426,6 +1426,35 @@ class StaticDefaultFilenameTest(WebTestCase):
+ self.assertTrue(response.headers["Location"].endswith("/static/dir/"))
+ 
+ 
++class StaticDefaultFilenameRootTest(WebTestCase):
++ def get_app_kwargs(self):
++ return dict(
++ static_path=os.path.abspath(relpath("static")),
++ static_handler_args=dict(default_filename="index.html"),
++ static_url_prefix="/",
++ )
++
++ def get_handlers(self):
++ return []
++
++ def get_http_client(self):
++ # simple_httpclient only: curl doesn't let you send a request starting
++ # with two slashes.
++ return SimpleAsyncHTTPClient()
++
++ def test_no_open_redirect(self):
++ # This test verifies that the open redirect that affected some configurations
++ # prior to Tornado 6.3.2 is no longer possible. The vulnerability required
++ # a static_url_prefix of "/" and a default_filename (any value) to be set.
++ # The absolute server-side path to the static directory must also be known.
++ with ExpectLog(gen_log, ".*cannot redirect path with two initial slashes"):
++ response = self.fetch(
++ f"//evil.com/../{os.path.dirname(__file__)}/static/dir",
++ follow_redirects=False,
++ )
++ self.assertEqual(response.code, 403)
++
++
+ class StaticFileWithPathTest(WebTestCase):
+ def get_app_kwargs(self):
+ return dict(
+@@ -2837,7 +2866,7 @@ class XSRFTest(SimpleHandlerTestCase):
+ body=b"",
+ headers=dict(
+ {"X-Xsrftoken": self.xsrf_token}, # type: ignore
+- **self.cookie_headers()
++ **self.cookie_headers(),
+ ),
+ )
+ self.assertEqual(response.code, 200)
+--
+2.39.3
+
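Review bot: The backport carries a second inner hunk, `@@ -2837,7 +2866,7 @@ class XSRFTest`, that only appends a trailing comma to `**self.cookie_headers()` and is unrelated to the open-redirect test; dropping it keeps the CVE backport minimal and avoids a needless reject when the patch is next rebased, and the inner diffstat (`30 insertions(+), 1 deletion(-)`) should be refreshed to match. The patch header starts at `Subject:` and lacks the `From:`/`Date:` attribution lines that the companion 0002 patch carries, although the upstream commit b56245730e is cited; adding them keeps provenance consistent between the two files. The test pins a 403 for a request beginning with `//` under `static_url_prefix="/"` with a `default_filename`, which is the configuration the 0002 guard targets, and the `ExpectLog` pattern depends on the exact log message raised there.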
diff --git a/SOURCES/0002-PATCH-web-Fix-an-open-redirect-in-StaticFileHandler.patch b/SOURCES/0002-PATCH-web-Fix-an-open-redirect-in-StaticFileHandler.patch
new file mode 100644
index 0000000..161a6cc
--- /dev/null
+++ b/SOURCES/0002-PATCH-web-Fix-an-open-redirect-in-StaticFileHandler.patch
@@ -0,0 +1,41 @@
+From bcae82a6dd7bfed280559c8920dd89d4a48fa021 Mon Sep 17 00:00:00 2001
+From: Ben Darnell
+Date: Tue, 25 Jul 2023 06:39:23 -0400
+Subject: [PATCH 2/2] [PATCH] web: Fix an open redirect in StaticFileHandler
+
+Under some configurations the default_filename redirect could be exploited
+to redirect to an attacker-controlled site. This change refuses to redirect
+to URLs that could be misinterpreted.
+
+A test case for the specific vulnerable configuration will follow after the
+patch has been available.
+
+Originally from upstream:
+ - https://github.com/tornadoweb/tornado/commit/8f35b31ab
+---
+ tornado/web.py | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/tornado/web.py b/tornado/web.py
+index 546e6ec..8410880 100644
+--- a/tornado/web.py
++++ b/tornado/web.py
+@@ -2771,6 +2771,15 @@ class StaticFileHandler(RequestHandler):
+ # but there is some prefix to the path that was already
+ # trimmed by the routing
+ if not self.request.path.endswith("/"):
++ if self.request.path.startswith("//"):
++ # A redirect with two initial slashes is a "protocol-relative" URL.
++ # This means the next path segment is treated as a hostname instead
++ # of a part of the path, making this effectively an open redirect.
++ # Reject paths starting with two slashes to prevent this.
++ # This is only reachable under certain configurations.
++ raise HTTPError(
++ 403, "cannot redirect path with two initial slashes"
++ )
+ self.redirect(self.request.path + "/", permanent=True)
+ return None
+ absolute_path = os.path.join(absolute_path, self.default_filename)
+--
+2.39.3
+
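Review bot: The patch description never names the CVE that the spec's changelog ties to it; add a line such as `Resolves: CVE-2023-28370` to the commit message so the fix is traceable from the patch file alone. The new `startswith("//")` check sits inside the `if not self.request.path.endswith("/")` branch, so it guards only the `default_filename` directory redirect, as the added comment states; the enclosing method begins and ends outside the hunk, so whether any other request-derived redirect exists in `StaticFileHandler` cannot be confirmed from here. The `HTTPError` log message `cannot redirect path with two initial slashes` is what the 0001 test's `ExpectLog` pattern matches, so the two patches must stay in sync if that wording ever changes.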
diff --git a/SOURCES/Do-not-turn-DeprecationWarning-into-Exception.patch b/SOURCES/Do-not-turn-DeprecationWarning-into-Exception.patch
new file mode 100644
index 0000000..7633f35
--- /dev/null
+++ b/SOURCES/Do-not-turn-DeprecationWarning-into-Exception.patch
@@ -0,0 +1,11 @@
+diff -Nur tornado-6.0.4/tornado/test/runtests.py tornado-6.0.4-new/tornado/test/runtests.py
+--- tornado-6.0.4/tornado/test/runtests.py 2020-03-02 20:21:37.000000000 +0100
++++ tornado-6.0.4-new/tornado/test/runtests.py 2020-09-14 09:21:31.818678680 +0200
+@@ -126,7 +126,6 @@
+ # Tornado generally shouldn't use anything deprecated, but some of
+ # our dependencies do (last match wins).
+ warnings.filterwarnings("ignore", category=DeprecationWarning)
+- warnings.filterwarnings("error", category=DeprecationWarning, module=r"tornado\..*")
+ warnings.filterwarnings("ignore", category=PendingDeprecationWarning)
+ warnings.filterwarnings(
+ "error", category=PendingDeprecationWarning, module=r"tornado\..*"
diff --git a/SOURCES/Increase-timeout-in-test_request_timeout.patch b/SOURCES/Increase-timeout-in-test_request_timeout.patch
new file mode 100644
index 0000000..ba7d9e1
--- /dev/null
+++ b/SOURCES/Increase-timeout-in-test_request_timeout.patch
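Review bot: Removing the `error` filter for `DeprecationWarning` from `tornado\..*` leaves only the preceding blanket `ignore`, so every deprecation raised by Tornado's own code is silenced during `%check`, not just the Python 3.8 one the spec comment cites, and a new deprecation in a later interpreter will no longer fail the build. A narrower fix keeps the `error` line and adds a targeted `warnings.filterwarnings("ignore", category=DeprecationWarning, module=r"tornado\..*", message=r"<specific message — placeholder>")` before it (the actual message is not shown here). The file is also a bare `diff -Nur` against `tornado-6.0.4` paths with no description header while the spec builds 6.1.0; it applies only because `-p1` strips the leading directory, so refreshing it against 6.1.0 and adding a short header like the other patches would make its intent and provenance visible.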
@@ -0,0 +1,32 @@
+From b99df6cf3328f8e4aeb9db178df19b2411894b8c Mon Sep 17 00:00:00 2001
+From: Sergio Correia
+Date: Wed, 15 Jun 2022 21:10:52 -0300
+Subject: [PATCH] Increase timeout in test_request_timeout
+
+Some architectures -- e.g. ppc64le -- need an increased request timeout.
+This situation is similar to upstream change 2195f0b72, where the
+timeout was increased for Windows.
+
+[1] https://github.com/tornadoweb/tornado/commit/2195f0b72249738
+---
+ tornado/test/simple_httpclient_test.py | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/tornado/test/simple_httpclient_test.py b/tornado/test/simple_httpclient_test.py
+index eadd4ed..333de50 100644
+--- a/tornado/test/simple_httpclient_test.py
++++ b/tornado/test/simple_httpclient_test.py
+@@ -293,9 +293,7 @@ class SimpleHTTPClientTestMixin(object):
+ 
+ @skipOnTravis
+ def test_request_timeout(self: typing.Any):
+- timeout = 0.1
+- if os.name == "nt":
+- timeout = 0.5
++ timeout = 0.5
+ 
+ with self.assertRaises(HTTPTimeoutError):
+ self.fetch("/trigger?wake=false", request_timeout=timeout, raise_error=True)
+--
+2.35.1
+
diff --git a/SPECS/python-tornado.spec b/SPECS/python-tornado.spec
new file mode 100644
index 0000000..58aa753
--- /dev/null
+++ b/SPECS/python-tornado.spec
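Review bot: The commit message defines a footnote `[1] https://github.com/tornadoweb/tornado/commit/2195f0b72249738` but the sentence that cites the change (`similar to upstream change 2195f0b72`) never references `[1]`; either append `[1]` to that sentence or drop the footnote marker. The code change replaces the `os.name == "nt"` branch with an unconditional `timeout = 0.5`, so if `os` has no other use in `simple_httpclient_test.py` the import becomes unused; that cannot be seen from this hunk and is worth a quick check. `test_request_timeout` continues outside the hunk.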
@@ -0,0 +1,334 @@
+%global srcname tornado
+%global common_description %{expand:
+Tornado is an open source version of the scalable, non-blocking web
+server and tools.
+
+The framework is distinct from most mainstream web server frameworks
+(and certainly most Python frameworks) because it is non-blocking and
+reasonably fast. Because it is non-blocking and uses epoll, it can
+handle thousands of simultaneous standing connections, which means it is
+ideal for real-time web services.}
+
+Name: python-%{srcname}
+Version: 6.1.0
+Release: 9%{?dist}
+Summary: Scalable, non-blocking web server and tools
+
+License: ASL 2.0
+URL: https://www.tornadoweb.org
+Source0: https://github.com/tornadoweb/tornado/archive/v%{version}/%{srcname}-%{version}.tar.gz
+
+# Do not turn DeprecationWarning in tornado module into Exception
+# fixes FTBFS with Python 3.8
+Patch: Do-not-turn-DeprecationWarning-into-Exception.patch
+# Fix timeout failure in architectures such as ppc64le.
+Patch: Increase-timeout-in-test_request_timeout.patch
+
+# CVE-2023-28370
+Patch: 0001-Add-test-for-open-redirect-issue.patch
+Patch: 0002-PATCH-web-Fix-an-open-redirect-in-StaticFileHandler.patch
+
+BuildRequires: gcc
+BuildRequires: python%{python3_pkgversion}-setuptools
+BuildRequires: python%{python3_pkgversion}-devel
+
+%description %{common_description}
+
+%package -n python3-%{srcname}
+Summary: %{summary}
+
+%description -n python3-%{srcname} %{common_description}
+
+%package doc
+Summary: Examples for %{name}
+
+%description doc %{common_description}
+
+This package contains some example applications.
+
+%prep
+%autosetup -p1 -n %{srcname}-%{version}
+# Remove shebang from files
+%{__sed} -i.orig -e '/^#!\//, 1d' *py tornado/*.py tornado/*/*.py
+
+%build
+%py3_build
+
+%install
+%py3_install
+
+%check
+export ASYNC_TEST_TIMEOUT=10
+%{__python3} -m tornado.test.runtests --verbose
+
+%files -n python%{python3_pkgversion}-%{srcname}
+%license LICENSE
+%doc README.rst
+%{python3_sitearch}/%{srcname}/
+%{python3_sitearch}/%{srcname}-*.egg-info/
+
+%files doc
+%license LICENSE
+%doc demos
+
+%changelog
+* Tue Jul 25 2023 Sergio Correia - 6.1.0-9
+- Fix an open redirect in StaticFileHandler
+ Resolves: CVE-2023-28370
+
+* Wed Jun 15 2022 Sergio Correia - 6.1.0-8
+- Fix test failure in pcc64le
+ Related: rhbz#2084553
+
+* Wed Jun 15 2022 Sergio Correia - 6.1.0-7
+- Add python-tornado to RHEL-9
+ Resolves: rhbz#2084553
+
+* Tue Feb 08 2022 Carl George - 6.1.0-6
+- Convert to pyproject macros
+
+* Fri Jan 21 2022 Fedora Release Engineering - 6.1.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Fri Jul 23 2021 Fedora Release Engineering - 6.1.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Thu Jun 03 2021 Python Maint - 6.1.0-3
+- Rebuilt for Python 3.10
+
+* Wed Jan 27 2021 Fedora Release Engineering - 6.1.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Tue Nov 03 2020 Fabian Affolter -6.1.0-1
+- Update to latest upstream release 6.1.0 (#1883858)
+
+* Sun Sep 13 2020 Fabian Affolter - 6.0.4-1
+- Update to latest upstream release 6.0.3 (#1809858)
+
+* Wed Jul 29 2020 Fedora Release Engineering - 6.0.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Sat May 23 2020 Miro Hrončok - 6.0.3-2
+- Rebuilt for Python 3.9
+
+* Mon Feb 24 2020 Peter Robinson - 6.0.3-1
+- Update to 6.0.3
+
+* Thu Jan 30 2020 Fedora Release Engineering - 6.0.2-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Thu Oct 03 2019 Miro Hrončok - 6.0.2-4
+- Rebuilt for Python 3.8.0rc1 (#1748018)
+
+* Thu Aug 15 2019 Miro Hrončok - 6.0.2-3
+- Rebuilt for Python 3.8
+
+* Fri Jul 26 2019 Fedora Release Engineering - 6.0.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Mon Jun 03 2019 Miro Hrončok - 6.0.2-1
+- Update to 6.0.2 (#1600318)
+
+* Thu May 16 2019 Lumír Balhar - 5.1.1-2
+- New patch to not turn DeprecationWarning in tornado module into Exception
+- Fixes FTBFS with Python 3.8
+
+* Wed Mar 27 2019 Miro Hrončok - 5.1.1-1
+- Update to 5.1.1
+- Fix SyntaxWarnings (turned into SyntaxErrors) on Python 3.8
+
+* Sat Feb 02 2019 Fedora Release Engineering - 5.0.2-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Sat Jul 14 2018 Fedora Release Engineering - 5.0.2-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Fri Jun 15 2018 Miro Hrončok - 5.0.2-3
+- Rebuilt for Python 3.7
+
+* Sat May 19 2018 Miro Hrončok - 5.0.2-2
+- Require python2-futures
+
+* Fri May 18 2018 Charalampos Stratakis - 5.0.2-1
+- Update to 5.0.2
+
+* Thu Apr 26 2018 Lumír Balhar - 4.5.2-5
+- New conditionals for Python 2
+- Drop Python 3 conditional
+
+* Mon Feb 12 2018 Iryna Shcherbina - 4.5.2-4
+- Update Python 2 dependency declarations to new packaging standards
+ (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
+
+* Fri Feb 09 2018 Fedora Release Engineering - 4.5.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Tue Nov 07 2017 Charalampos Stratakis - 4.5.2-2
+- Fix dist tag and bump release for rebuild
+
+* Tue Nov 07 2017 Charalampos Stratakis - 4.5.2-1
+- Update to 4.5.2
+
+* Fri Sep 29 2017 Troy Dawson - 4.5.1-4
+- Cleanup spec file conditionals
+
+* Thu Aug 03 2017 Fedora Release Engineering - 4.5.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering - 4.5.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Thu Apr 20 2017 Orion Poplawski - 4.5.1-1
+- Update to 4.5.1
+
+* Mon Apr 17 2017 Orion Poplawski - 4.5-1
+- Update to 4.5
+
+* Sat Feb 11 2017 Fedora Release Engineering - 4.4.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Tue Dec 13 2016 Stratakis Charalampos - 4.4.2-2
+- Rebuild for Python 3.6
+- Added patch to fix Python 3.6 test failures
+
+* Sun Oct 2 2016 Orion Poplawski - 4.4.2-1
+- Update to 4.4.2
+
+* Thu Sep 15 2016 Orion Poplawski - 4.4.1-1
+- Update to 4.4.1
+- Drop requires patch, fixed upstream
+
+* Thu Sep 15 2016 Orion Poplawski - 4.3-5
+- Remove backports.ssl_match_hostname from python2-tornado egg requires (bug #1372887)
+
+* Thu Sep 15 2016 Orion Poplawski - 4.3-4
+- Remove certifi from python2-tornado egg requires (bug #1372886)
+
+* Tue Jul 19 2016 Fedora Release Engineering - 4.3-3
+- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
+
+* Mon Feb 22 2016 Orion Poplawski - 4.3-2
+- Properly build python2-tornado
+
+* Thu Feb 18 2016 Orion Poplawski - 4.3-1
+- Update to 4.3
+- Drop upstream patches
+
+* Thu Feb 04 2016 Fedora Release Engineering - 4.2.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Tue Nov 10 2015 Orion Poplawski - 4.2.1-3
+- Build python2 packages, drop separate python3 doc package
+
+* Wed Oct 14 2015 Robert Kuska - 4.2.1-2
+- Rebuilt for Python3.5 rebuild
+- Add patch to use getfullargspec on python3
+- Add patch to fix failing tests with python3.5
+
+* Fri Sep 18 2015 Orion Poplawski - 4.2.1-1
+- Update to 4.2.1
+- Modernize spec
+
+* Fri Jul 10 2015 Orion Poplawski - 4.1-3
+- Do not require python-backports-ssl_match_hostname for F22+ (bug #1231368)
+
+* Thu Jun 18 2015 Fedora Release Engineering - 4.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Sun Mar 1 2015 Orion Poplawski - 4.1-1
+- Update to 4.1
+- Modernize spec
+
+* Fri Dec 5 2014 Orion Poplawski - 3.2.1-4
+- Drop requires python-simplejson
+
+* Sun Aug 17 2014 Fedora Release Engineering - 3.2.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Sat Jun 07 2014 Fedora Release Engineering - 3.2.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Thu May 22 2014 Thomas Spura - 3.2.1-1
+- update to 3.2.1
+- no noarch anymore
+- remove defattr
+
+* Wed May 14 2014 Bohuslav Kabrda - 2.2.1-7
+- Rebuilt for https://fedoraproject.org/wiki/Changes/Python_3.4
+
+* Sun Aug 04 2013 Fedora Release Engineering - 2.2.1-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Fri Jun 14 2013 Thomas Spura - 2.2.1-5
+- remove rhel conditional for with_python3:
+ https://fedorahosted.org/fpc/ticket/200
+
+* Thu Feb 14 2013 Fedora Release Engineering - 2.2.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Sat Aug 04 2012 David Malcolm - 2.2.1-3
+- rebuild for https://fedoraproject.org/wiki/Features/Python_3.3
+
+* Sat Jul 21 2012 Fedora Release Engineering - 2.2.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Sun May 20 2012 Thomas Spura - 2.2.1-1
+- update to upstream release 2.2.1 (fixes CVE-2012-2374)
+- fix typo for epel6 macro bug #822972 (Florian La Roche)
+
+* Thu Feb 9 2012 Ionuț C. Arțăriși - 2.2-1
+- upgrade to upstream release 2.2
+
+* Thu Feb 9 2012 Ionuț C. Arțăriși - 2.1.1-4
+- remove python3-simplejson dependency
+
+* Fri Jan 27 2012 Thomas Spura - 2.1.1-3
+- build python3 package
+
+* Sat Jan 14 2012 Fedora Release Engineering - 2.1.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Tue Oct 25 2011 Ionuț C. Arțăriși - 2.1.1-1
+- new upstream version 2.1.1
+- remove double word in description and rearrange it (#715272)
+- fixed removal of shebangs
+- added %%check section to run unittests during package build
+
+* Tue Mar 29 2011 Ionuț C. Arțăriși - 1.2.1-1
+- new upstream version 1.2.1
+
+* Wed Feb 09 2011 Fedora Release Engineering - 1.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Wed Sep 8 2010 Ionuț C. Arțăriși - 1.1-1
+- new upstream release 1.1
+
+* Tue Aug 17 2010 Ionuț Arțăriși - 1.0.1-1
+- new upstream bugfix release: 1.0.1
+
+* Wed Aug 4 2010 Ionuț C. Arțăriși - 1.0-2
+- changed upstream source url
+
+* Wed Aug 4 2010 Ionuț C. Arțăriși - 1.0-1
+- new upstream release 1.0
+- there's no longer a problem with spurious permissions, so remove that fix
+
+* Thu Jul 22 2010 David Malcolm - 0.2-4
+- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild
+
+* Wed Oct 21 2009 Ionuț Arțăriși - 0.2-3
+- changed -doc package group to Documentation
+- use global instead of define
+
+* Tue Oct 20 2009 Ionuț Arțăriși - 0.2-2
+- create -doc package for examples
+- altered description to not include references to FriendFeed
+- rename to python-tornado
+
+* Fri Sep 25 2009 Ionuț Arțăriși - 0.2-1
+- New upstream version
+- Fixed macro usage and directory ownership in spec
+
+* Thu Sep 10 2009 Ionuț Arțăriși - 0.1-1
+- Initial release
+
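Review bot: `Source0` points at GitHub's auto-generated `archive/v%{version}` tarball, whose bytes are not guaranteed to stay stable when regenerated, while the only integrity pin is the SHA-1 recorded in `.python-tornado.metadata`; a legitimately re-fetched archive can therefore fail that check, so prefer the released sdist and note the expected checksum in a comment next to `Source0`. The subpackage is declared as `%package -n python3-%{srcname}` but its files section is `%files -n python%{python3_pkgversion}-%{srcname}`; both expand to the same name on EL9, yet one spelling should be used for both lines. `%{__sed} -i.orig` leaves `*.py.orig` backups in the build tree, and whether `%py3_install` picks them up depends on setup.py, which is not shown, so it is worth confirming they do not reach the package or dropping the suffix. The 6.1.0-6 changelog entry says `Convert to pyproject macros` while the spec still uses `%py3_build`/`%py3_install` with `BuildRequires: python%{python3_pkgversion}-setuptools`, and the 6.0.4-1 entry reads `Update to latest upstream release 6.0.3`; since changelog history is not normally rewritten, a one-line comment above `%build` stating that the pyproject conversion was not carried over would prevent confusion.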