From 56b0e4cc8e149917a825fdd34df174f9d1814169 Mon Sep 17 00:00:00 2001
From: peng2285
Date: Tue, 2 Aug 2022 15:14:26 +0800
Subject: [PATCH] CVE-2019-10800
---
 CVE-2019-10800.patch | 54 ++++++++++++++++++++++++++++++++++++++++++++
 python-codecov.spec | 12 +++++++++-
 2 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2019-10800.patch
diff --git a/CVE-2019-10800.patch b/CVE-2019-10800.patch
new file mode 100644
index 0000000..7c9b294
--- /dev/null
+++ b/CVE-2019-10800.patch
@@ -0,0 +1,54 @@
+From 2a80aa434f74feb31242b6f213b75ce63ae97902 Mon Sep 17 00:00:00 2001
+From: Joe Becher
+Date: Wed, 19 Feb 2020 09:36:10 -0500
+Subject: [PATCH] CE-1380_sanitize_args
+
+---
+ codecov/__init__.py | 10 +++++++---
+ tests/test.py | 3 +++
+ 2 files changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/codecov/__init__.py b/codecov/__init__.py
+index 6b3205c3..40ba7a73 100644
+--- a/codecov/__init__.py
++++ b/codecov/__init__.py
+@@ -34,6 +34,10 @@
+ 
+ remove_token = re.compile(r'token=[^\&]+').sub
+ 
++def sanitize_arg(replacement, arg):
++ return re.sub(r'[\&]+', replacement, arg, 0, re.MULTILINE)
++
++
+ ignored_path = re.compile(r'(/vendor)|'
+ r'(/js/generated/coverage)|'
+ r'(/__pycache__)|'
+@@ -624,11 +628,11 @@ def main(*argv, **kwargs):
+ )
+ write('==> Processing gcov (disable by -X gcov)')
+ cmd = "find %s %s -type f -name '*.gcno' %s -exec %s -pb %s {} +" % (
+- (codecov.gcov_root or root),
++ (sanitize_arg('', codecov.gcov_root or root)),
+ dont_search_here,
+ " ".join(map(lambda a: "-not -path '%s'" % a, codecov.gcov_glob)),
+- (codecov.gcov_exec or ''),
+- (codecov.gcov_args or ''))
++ (sanitize_arg('', codecov.gcov_exec or '')),
++ (sanitize_arg('', codecov.gcov_args or '')))
+ write(' Executing gcov (%s)' % cmd)
+ try_to_run(cmd)
+ 
+diff --git a/tests/test.py b/tests/test.py
+index ed640c6e..cf001d61 100644
+--- a/tests/test.py
++++ b/tests/test.py
+@@ -315,6 +315,9 @@ def test_none_found(self):
+ else:
+ raise Exception("Did not raise AssertionError")
+ 
++ def test_sanitize_arg(self):
++ self.assertEqual(codecov.sanitize_arg('', '& echo test > vuln1.txt'), ' echo test > vuln1.txt')
++
+ @unittest.skipUnless(os.getenv('JENKINS_URL'), 'Skip Jenkins CI test')
+ def test_ci_jenkins(self):
+ self.set_env(BUILD_URL='https://....',
diff --git a/python-codecov.spec b/python-codecov.spec
index 0e7132d..4cfcac2 100644
--- a/python-codecov.spec
+++ b/python-codecov.spec
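Review bot: `sanitize_arg` in the embedded codecov/__init__.py hunk strips only `&`, so every other shell metacharacter in `gcov_root`, `gcov_exec` and `gcov_args` — `;`, `|`, backticks, `$(...)`, newlines, and the `>` that the new test's own expected value ` echo test > vuln1.txt` leaves intact — still reaches `try_to_run(cmd)` inside a single command string that is presumably handed to a shell; this narrows the injection behind CVE-2019-10800 rather than closing it. For `gcov_root` and `gcov_exec`, which are single tokens, quote instead of filtering: `(shlex.quote(codecov.gcov_root or root))` and `(shlex.quote(codecov.gcov_exec or ''))`, with `import shlex` added at the top of the module. `gcov_args` looks like a free-form option string, so either quote each token after `shlex.split`, or build the `find` argv as a list and run it without a shell. `main()` starts before and continues past this hunk, so the full set of inputs flowing into `cmd` is not visible here.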
@@ -1,7 +1,7 @@
 %global _empty_manifest_terminate_build 0
 Name: python-codecov
 Version: 2.1.11
-Release: 1
+Release: 2
 Summary: Hosted coverage reports for GitHub, Bitbucket and Gitlab
 License: Apache-2.0
 URL: https://github.com/codecov/codecov-python
@@ -80,3 +80,13 @@ mv %{buildroot}/doclist.lst .
 %changelog
 * Fri Jul 30 2021 OpenStack_SIG - 2.1.11-1
 - Package Spec generate
+
+* Tue Aug 02 2022 jiangpeng
+- Type:CVE
+- SUG :NO
+- DESC : fix CVE-2019-10800
+
+%Patch
+# CVE-2019-10800
+Patch1 CVE-2019-10800.patch
+%patch1 -p1
--
Gitee
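Review bot: In the second hunk the `Patch1 CVE-2019-10800.patch` and `%patch1 -p1` lines are appended after `%changelog`, where rpmbuild does not read preamble tags or run %prep commands, so the rebuilt package will most likely still ship unpatched 2.1.11 code despite the Release bump and the changelog entry; `Patch1` is also missing its colon and `%Patch` is not a spec section. Move the declaration into the preamble as `Patch1: CVE-2019-10800.patch` after the `URL:` line shown in the first hunk, and place `%patch1 -p1` (or `%autosetup -p1`) inside the `%prep` section, which lies between the two hunks and is not visible here. Before merging, confirm in the build log that the patch is actually applied and that the upstream test `test_sanitize_arg` runs.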