From 5ae838ccbb02e12ff1abc3531d1cbdabc24a58b5 Mon Sep 17 00:00:00 2001
From: MSVSphere Packaging Team
Date: Tue, 3 Dec 2024 03:21:40 +0300
Subject: [PATCH] import python-tornado-6.4.2-1.el9_5

---
 .gitignore | 2 +-
 .python-tornado.metadata | 2 +-
 ...001-Add-test-for-open-redirect-issue.patch | 60 -------------------
 ...n-open-redirect-in-StaticFileHandler.patch | 41 -------------------
 ...rn-DeprecationWarning-into-Exception.patch | 11 ----
 SPECS/python-tornado.spec | 15 ++---
 6 files changed, 8 insertions(+), 123 deletions(-)
 delete mode 100644 SOURCES/0001-Add-test-for-open-redirect-issue.patch
 delete mode 100644 SOURCES/0002-PATCH-web-Fix-an-open-redirect-in-StaticFileHandler.patch
 delete mode 100644 SOURCES/Do-not-turn-DeprecationWarning-into-Exception.patch

diff --git a/.gitignore b/.gitignore
index 194fb8e..7ea7b18 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/tornado-6.1.0.tar.gz
+SOURCES/tornado-6.4.2.tar.gz
diff --git a/.python-tornado.metadata b/.python-tornado.metadata
index 699327e..bf30372 100644
--- a/.python-tornado.metadata
+++ b/.python-tornado.metadata
@@ -1 +1 @@
-c23c617c7a0205e465bebad5b8cdf289ae8402a2 SOURCES/tornado-6.1.0.tar.gz
+94ec7bc896d8b62364abcfc2a906165d80e1baa6 SOURCES/tornado-6.4.2.tar.gz
diff --git a/SOURCES/0001-Add-test-for-open-redirect-issue.patch b/SOURCES/0001-Add-test-for-open-redirect-issue.patch
deleted file mode 100644
index 2d40188..0000000
--- a/SOURCES/0001-Add-test-for-open-redirect-issue.patch
+++ /dev/null
@@ -1,60 +0,0 @@ -Subject: [PATCH 1/2] Add test for open redirect issue - -Backported from upstream: - - https://github.com/tornadoweb/tornado/commit/b56245730e ---- - tornado/test/web_test.py | 31 ++++++++++++++++++++++++++++++- - 1 file changed, 30 insertions(+), 1 deletion(-) - -diff --git a/tornado/test/web_test.py b/tornado/test/web_test.py -index 5490ba2..c641ca1 100644 ---- a/tornado/test/web_test.py -+++ b/tornado/test/web_test.py -@@ -1426,6 +1426,35 @@ class StaticDefaultFilenameTest(WebTestCase): - self.assertTrue(response.headers["Location"].endswith("/static/dir/")) - - -+class StaticDefaultFilenameRootTest(WebTestCase): -+ def get_app_kwargs(self): -+ return dict( -+ static_path=os.path.abspath(relpath("static")), -+ static_handler_args=dict(default_filename="index.html"), -+ static_url_prefix="/", -+ ) -+ -+ def get_handlers(self): -+ return [] -+ -+ def get_http_client(self): -+ # simple_httpclient only: curl doesn't let you send a request starting -+ # with two slashes. -+ return SimpleAsyncHTTPClient() -+ -+ def test_no_open_redirect(self): -+ # This test verifies that the open redirect that affected some configurations -+ # prior to Tornado 6.3.2 is no longer possible. The vulnerability required -+ # a static_url_prefix of "/" and a default_filename (any value) to be set. -+ # The absolute server-side path to the static directory must also be known. -+ with ExpectLog(gen_log, ".*cannot redirect path with two initial slashes"): -+ response = self.fetch( -+ f"//evil.com/../{os.path.dirname(__file__)}/static/dir", -+ follow_redirects=False, -+ ) -+ self.assertEqual(response.code, 403) -+ -+ - class StaticFileWithPathTest(WebTestCase): - def get_app_kwargs(self): - return dict( -@@ -2837,7 +2866,7 @@ class XSRFTest(SimpleHandlerTestCase): - body=b"", - headers=dict( - {"X-Xsrftoken": self.xsrf_token}, # type: ignore -- **self.cookie_headers() -+ **self.cookie_headers(), - ), - ) - self.assertEqual(response.code, 200) --- -2.39.3 - 
diff --git a/SOURCES/0002-PATCH-web-Fix-an-open-redirect-in-StaticFileHandler.patch b/SOURCES/0002-PATCH-web-Fix-an-open-redirect-in-StaticFileHandler.patch deleted file mode 100644 index 161a6cc..0000000 --- a/SOURCES/0002-PATCH-web-Fix-an-open-redirect-in-StaticFileHandler.patch +++ /dev/null @@ -1,41 +0,0 @@ -From bcae82a6dd7bfed280559c8920dd89d4a48fa021 Mon Sep 17 00:00:00 2001 -From: Ben Darnell -Date: Tue, 25 Jul 2023 06:39:23 -0400 -Subject: [PATCH 2/2] [PATCH] web: Fix an open redirect in StaticFileHandler - -Under some configurations the default_filename redirect could be exploited -to redirect to an attacker-controlled site. This change refuses to redirect -to URLs that could be misinterpreted. - -A test case for the specific vulnerable configuration will follow after the -patch has been available. - -Originally from upstream: - - https://github.com/tornadoweb/tornado/commit/8f35b31ab ---- - tornado/web.py | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/tornado/web.py b/tornado/web.py -index 546e6ec..8410880 100644 ---- a/tornado/web.py -+++ b/tornado/web.py -@@ -2771,6 +2771,15 @@ class StaticFileHandler(RequestHandler): - # but there is some prefix to the path that was already - # trimmed by the routing - if not self.request.path.endswith("/"): -+ if self.request.path.startswith("//"): -+ # A redirect with two initial slashes is a "protocol-relative" URL. -+ # This means the next path segment is treated as a hostname instead -+ # of a part of the path, making this effectively an open redirect. -+ # Reject paths starting with two slashes to prevent this. -+ # This is only reachable under certain configurations. -+ raise HTTPError( -+ 403, "cannot redirect path with two initial slashes" -+ ) - self.redirect(self.request.path + "/", permanent=True) - return None - absolute_path = os.path.join(absolute_path, self.default_filename) --- -2.39.3 - 
diff --git a/SOURCES/Do-not-turn-DeprecationWarning-into-Exception.patch b/SOURCES/Do-not-turn-DeprecationWarning-into-Exception.patch
deleted file mode 100644
index 7633f35..0000000
--- a/SOURCES/Do-not-turn-DeprecationWarning-into-Exception.patch
+++ /dev/null
@@ -1,11 +0,0 @@
-diff -Nur tornado-6.0.4/tornado/test/runtests.py tornado-6.0.4-new/tornado/test/runtests.py
---- tornado-6.0.4/tornado/test/runtests.py 2020-03-02 20:21:37.000000000 +0100
-+++ tornado-6.0.4-new/tornado/test/runtests.py 2020-09-14 09:21:31.818678680 +0200
-@@ -126,7 +126,6 @@
- # Tornado generally shouldn't use anything deprecated, but some of
- # our dependencies do (last match wins).
- warnings.filterwarnings("ignore", category=DeprecationWarning)
-- warnings.filterwarnings("error", category=DeprecationWarning, module=r"tornado\..*")
- warnings.filterwarnings("ignore", category=PendingDeprecationWarning)
- warnings.filterwarnings(
- "error", category=PendingDeprecationWarning, module=r"tornado\..*"
diff --git a/SPECS/python-tornado.spec b/SPECS/python-tornado.spec
index 58aa753..1a5e3bc 100644
--- a/SPECS/python-tornado.spec
+++ b/SPECS/python-tornado.spec
@@ -10,24 +10,17 @@ handle thousands of simultaneous standing connections, which means it is ideal for real-time web services.} Name: python-%{srcname} -Version: 6.1.0 -Release: 9%{?dist} +Version: 6.4.2 +Release: 1%{?dist} Summary: Scalable, non-blocking web server and tools License: ASL 2.0 URL: https://www.tornadoweb.org Source0: https://github.com/tornadoweb/tornado/archive/v%{version}/%{srcname}-%{version}.tar.gz -# Do not turn DeprecationWarning in tornado module into Exception -# fixes FTBFS with Python 3.8 -Patch: Do-not-turn-DeprecationWarning-into-Exception.patch # Fix timeout failure in architectures such as ppc64le. Patch: Increase-timeout-in-test_request_timeout.patch -# CVE-2023-28370 -Patch: 0001-Add-test-for-open-redirect-issue.patch -Patch: 0002-PATCH-web-Fix-an-open-redirect-in-StaticFileHandler.patch - BuildRequires: gcc BuildRequires: python%{python3_pkgversion}-setuptools BuildRequires: python%{python3_pkgversion}-devel @@ -72,6 +65,10 @@ export ASYNC_TEST_TIMEOUT=10 %doc demos %changelog +* Tue Nov 26 2024 Sergio Correia - 6.4.2-1 +- Update to 6.4.2 + Resolves: RHEL-68663 + * Tue Jul 25 2023 Sergio Correia - 6.1.0-9 - Fix an open redirect in StaticFileHandler Resolves: CVE-2023-28370
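Review bot: The new 6.4.2-1 changelog entry records only the rebase and RHEL-68663, while the same hunk deletes the two `Patch:` lines that carried the CVE-2023-28370 fix, so anyone auditing this spec for that CVE finds it only under the superseded 6.1.0-9 entry and may read the rebase as a regression. The deleted backport's own test comment says the open redirect was closed upstream before 6.3.2, so dropping the patches is correct, but the changelog should say so explicitly: `- Drop 0001/0002 open-redirect backports; fixed upstream since 6.3.2 (CVE-2023-28370)` under the 6.4.2-1 entry. The one downstream patch kept, `Increase-timeout-in-test_request_timeout.patch`, was written against 6.1.0 and is not shown here; presumably it was rechecked against the 6.4.2 test suite, but that should be confirmed, since a patch that no longer matches the renamed or moved test would fail `%prep` rather than silently do nothing. The `%prep` and `%check` sections that consume these `Patch:` lines lie outside this hunk.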