Hello community,

here is the log from the commit of package python-urlgrabber for 
openSUSE:Factory checked in at 2015-07-28 11:42:44
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-urlgrabber (Old)
 and      /work/SRC/openSUSE:Factory/.python-urlgrabber.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python-urlgrabber"

Changes:
--------
--- /work/SRC/openSUSE:Factory/python-urlgrabber/python-urlgrabber.changes      
2014-09-20 15:49:58.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.python-urlgrabber.new/python-urlgrabber.changes 
2015-07-28 11:42:45.000000000 +0200
@@ -1,0 +2,10 @@
+Thu Feb 12 13:42:05 CET 2015 - [email protected]
+
+- declare $ sign as a safe character in url paths to prevent
+  escaping /$RCE/ which lead into problems with token auth
+  (bnc#902416)
+  * declare-dollar-sign-as-safe-in-urlquote.patch
+  * python-urlgrabber-3.9.1-set-SSL_VERIFYHOST-correct.dif
+- set curl option SSL_VERIFYHOST correct
+
+-------------------------------------------------------------------
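Review bot: In the new changelog entry, python-urlgrabber-3.9.1-set-SSL_VERIFYHOST-correct.dif is listed as a sub-item of the bnc#902416 bullet, while the "set curl option SSL_VERIFYHOST correct" bullet it belongs to follows with no patch name and no bug reference. Move the .dif line under its own bullet and give that bullet a reference or a one-line reason; the change affects TLS host verification, and a reader scanning the changelog should be able to find it.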

New:
----
  declare-dollar-sign-as-safe-in-urlquote.patch
  python-urlgrabber-3.9.1-set-SSL_VERIFYHOST-correct.dif

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python-urlgrabber.spec ++++++
--- /var/tmp/diff_new_pack.uPhPCW/_old  2015-07-28 11:42:45.000000000 +0200
+++ /var/tmp/diff_new_pack.uPhPCW/_new  2015-07-28 11:42:45.000000000 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package python-urlgrabber
 #
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -27,6 +27,8 @@
 Patch0:         grabber_fix.diff
 # PATCH-FIX-UPSTREAM bnc#896844
 Patch1:         python-urlgrabber-3.9.1-preserve-queryparams-in-urls.patch
+Patch2:         declare-dollar-sign-as-safe-in-urlquote.patch
+Patch3:         python-urlgrabber-3.9.1-set-SSL_VERIFYHOST-correct.dif
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  python-devel
 BuildRequires:  python-pycurl
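Review bot: Patch2 and Patch3 are added without the kind of comment line that Patch1 carries ("# PATCH-FIX-UPSTREAM bnc#896844"). Add an equivalent line above each, using bnc#902416 for Patch2 as the changelog gives it, so the spec records the origin and upstream status of both patches.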
@@ -49,6 +51,8 @@
 sed -i "13d" urlgrabber/__init__.py # Remove wrong license header, fixes 
bnc#781323
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1
 
 %build
 python setup.py build

++++++ declare-dollar-sign-as-safe-in-urlquote.patch ++++++
Index: urlgrabber-3.9.1/urlgrabber/grabber.py
===================================================================
--- urlgrabber-3.9.1.orig/urlgrabber/grabber.py
+++ urlgrabber-3.9.1/urlgrabber/grabber.py
@@ -715,7 +715,7 @@ class URLParser:
         passing into urlgrabber.
         """
         (scheme, host, path, parm, query, frag) = parts
-        path = urllib.quote(path)
+        path = urllib.quote(path, safe='/$')
         return (scheme, host, path, parm, query, frag)
 
     hexvals = '0123456789ABCDEF'
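Review bot: The widened safe set in urllib.quote(path, safe='/$') applies to every URL that passes through this method, not only the token-auth URLs from bnc#902416, and the line carries no comment saying why '$' is exempt. Add a short comment naming the bug and the reason, so a later cleanup does not revert it to the default. Also confirm that no caller relied on '$' arriving percent-encoded in the path.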
++++++ python-urlgrabber-3.9.1-set-SSL_VERIFYHOST-correct.dif ++++++
Index: urlgrabber-3.9.1/urlgrabber/grabber.py
===================================================================
--- urlgrabber-3.9.1.orig/urlgrabber/grabber.py
+++ urlgrabber-3.9.1/urlgrabber/grabber.py
@@ -1190,7 +1190,8 @@ class PyCurlFileObject():
                 self.curl_obj.setopt(pycurl.CAPATH, opts.ssl_ca_cert)
                 self.curl_obj.setopt(pycurl.CAINFO, opts.ssl_ca_cert)
             self.curl_obj.setopt(pycurl.SSL_VERIFYPEER, opts.ssl_verify_peer)
-            self.curl_obj.setopt(pycurl.SSL_VERIFYHOST, opts.ssl_verify_host)
+            if opts.ssl_verify_host: # 1 is meaningless to curl
+                self.curl_obj.setopt(pycurl.SSL_VERIFYHOST, 2)
             if opts.ssl_key:
                 self.curl_obj.setopt(pycurl.SSLKEY, opts.ssl_key)
             if opts.ssl_key_type:
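Review bot: With the new "if opts.ssl_verify_host:" guard, the false case is no longer handled: SSL_VERIFYHOST is not set at all, so the handle keeps whatever value it already has (libcurl's default is 2) and ssl_verify_host=False stops having any effect. If that is intended, state it in the comment and in the option's documentation; otherwise set the value explicitly in both branches. The inline comment "# 1 is meaningless to curl" would also be clearer if it said that the truthy option value is mapped to 2 because 2 is the setting that checks the certificate name against the host.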
