From a4e6369276b188b8b3750400ceb7f486f632bfaa Mon Sep 17 00:00:00 2001
From: wu-leilei
Date: Thu, 31 Mar 2022 10:42:37 +0800
Subject: [PATCH] fix rejecting URLs with unsafe characters in is_valid_endpoint_url()
---
 ...cting-URLs-with-unsafe-characters-in.patch | 47 +++++++++++++++++++
 python-botocore.spec | 9 +++-
 2 files changed, 54 insertions(+), 2 deletions(-)
 create mode 100644 Fix-rejecting-URLs-with-unsafe-characters-in.patch
diff --git a/Fix-rejecting-URLs-with-unsafe-characters-in.patch b/Fix-rejecting-URLs-with-unsafe-characters-in.patch
new file mode 100644
index 0000000..98ac725
--- /dev/null
+++ b/Fix-rejecting-URLs-with-unsafe-characters-in.patch
@@ -0,0 +1,47 @@
+From 4f7cc3a38802c2ec54b1168815792b49656f7fa0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20G=C3=B3rny?=
+Date: Fri, 7 May 2021 10:49:27 +0200
+Subject: [PATCH] Fix rejecting URLs with unsafe characters in
+
+---
+ botocore/utils.py | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/botocore/utils.py b/botocore/utils.py
+index cf61e7a..57f6194 100644
+--- a/botocore/utils.py
++++ b/botocore/utils.py
+@@ -173,6 +173,10 @@ ZONE_ID_PAT = "(?:%25|%)(?:[" + UNRESERVED_PAT + "]|%[a-fA-F0-9]{2})+"
+ IPV6_ADDRZ_PAT = r"\[" + IPV6_PAT + r"(?:" + ZONE_ID_PAT + r")?\]"
+ IPV6_ADDRZ_RE = re.compile("^" + IPV6_ADDRZ_PAT + "$")
+
+# These are the characters that are stripped by post-bpo-43882 urlparse().
+UNSAFE_URL_CHARS = frozenset('\t\r\n')
+
+
+ def ensure_boolean(val):
+ """Ensures a boolean value if a string or boolean is provided
+
+@@ -977,6 +981,8 @@ class ArgumentGenerator(object):
+
+
+ def is_valid_ipv6_endpoint_url(endpoint_url):
+ if UNSAFE_URL_CHARS.intersection(endpoint_url):
+ return False
+ netloc = urlparse(endpoint_url).netloc
+ return IPV6_ADDRZ_RE.match(netloc) is not None
+
+@@ -990,6 +996,10 @@ def is_valid_endpoint_url(endpoint_url):
+ :return: True if the endpoint url is valid. False otherwise.
+
+ """
+ # post-bpo-43882 urlsplit() strips unsafe characters from URL, causing
+ # it to pass hostname validation below. Detect them early to fix that.
+ if UNSAFE_URL_CHARS.intersection(endpoint_url):
+ return False
+ parts = urlsplit(endpoint_url)
+ hostname = parts.hostname
+ if hostname is None:
+--
+2.27.0
+
diff --git a/python-botocore.spec b/python-botocore.spec
index 1ce2a5d..1201276 100644
--- a/python-botocore.spec
+++ b/python-botocore.spec
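Review bot: The guard added to is_valid_ipv6_endpoint_url() in the embedded botocore/utils.py patch carries no comment, while the identical guard in is_valid_endpoint_url() explains the bpo-43882 stripping; the IPv6 function needs the same why-comment, e.g. `# urlparse() strips tab/CR/LF after bpo-43882; reject them before parsing`. Both guards call `UNSAFE_URL_CHARS.intersection(endpoint_url)`, which raises TypeError for a non-iterable argument such as None. The callers are outside this patch, so if None can reach either function, a leading `if not endpoint_url: return False` would keep them returning a boolean. The embedded patch touches only botocore/utils.py and adds no test; a unit case asserting that an endpoint URL containing `\n` in the host is rejected would pin the behaviour across Python versions. Both function bodies continue outside the hunks shown.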
@@ -1,11 +1,13 @@ %global pypi_name botocore Name: python-%{pypi_name} Version: 1.20.26 -Release: 1 +Release: 2 Summary: Low-level, data-driven core of boto 3 License: Apache-2.0 URL: https://github.com/boto/botocore Source0: https://files.pythonhosted.org/packages/09/e9/3f85aac6fcf346a12b59e7f946aa23a732c0689a39c9a658dd3dc91c3ea6/botocore-1.20.26.tar.gz +# https://github.com/boto/botocore/issues/2377 +Patch00: Fix-rejecting-URLs-with-unsafe-characters-in.patch BuildArch: noarch %description A low-level interface to a growing number of Amazon Web Services. The @@ -29,7 +31,7 @@ A low-level interface to a growing number of Amazon Web Services. The botocore package is the foundation for the AWS CLI as well as boto3. %prep -%autosetup -n %{pypi_name}-%{version} +%autosetup -n %{pypi_name}-%{version} -p1 # unable to import "botocore". I'm not 100% sure why this happened but for now # just exclude this one test and run all the other functional tests. rm -vr tests/functional/leak @@ -51,6 +53,9 @@ nosetests-%{python3_version} unit functional %{python3_sitelib}/%{pypi_name}-*.egg-info/ %changelog +* Thu Mar 31 202 wulei - 1.20.26.2 +- Fix rejecting URLs with unsafe characters in is_valid_endpoint_url() + * Mon Jul 26 2021 OpenStack_SIG - 1.20.26-1 - update to 1.20.26 -- Gitee
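Review bot: The new %changelog entry in the last hunk gives the version as `1.20.26.2`, but the first hunk sets `Release: 2` on Version 1.20.26, so it should read `1.20.26-2` to match the form of the existing `1.20.26-1` entry. The entry's date is shown here as `Thu Mar 31 202`; if the file really contains that, it should be `Thu Mar 31 2022`, in line with the commit date, since a malformed changelog date can be rejected at build time.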