packages/python-setuptools
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2024-6345

Browse Source 
(cherry picked from commit 94e79fb159acc760d713b7ce901c5cddc2ab3741)
This commit is contained in:
zhangxianting 2024-07-15 15:42:20 +08:00 committed by openeuler-sync-bot
parent d0e1389b0c
commit 0f4d84554d
2 changed files with 305 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

300
backport-CVE-2024-6345.patch Normal file
View File

@ -0,0 +1,300 @@
From 88807c7062788254f654ea8c03427adc859321f0 Mon Sep 17 00:00:00 2001
From: jaraco <jaraco@fosstodon.org>
Date: Tue, 30 Apr 2024 15:02:00 +0800
Subject: [PATCH] Modernize package_index VCS handling
https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0
https://github.com/pypa/setuptools/pull/4332
---
changelog.d/4332.feature.rst | 1 +
setup.cfg | 1 +
setuptools/package_index.py | 137 +++++++++++++++-----------
setuptools/tests/test_packageindex.py | 57 +++++------
4 files changed, 108 insertions(+), 88 deletions(-)
create mode 100644 changelog.d/4332.feature.rst
diff --git a/changelog.d/4332.feature.rst b/changelog.d/4332.feature.rst
new file mode 100644
index 0000000..1e612ec
--- /dev/null
+++ b/changelog.d/4332.feature.rst
@@ -0,0 +1 @@
+Modernized and refactored VCS handling in package_index.
diff --git a/setup.cfg b/setup.cfg
index 05cae4a..fe62c0d 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -55,6 +55,7 @@ testing =
pip>=19.1 # For proper file:// URLs support.
jaraco.envs>=2.2
pytest-xdist
+ pytest-subprocess
sphinx
jaraco.path>=3.2.0
docs =
diff --git a/setuptools/package_index.py b/setuptools/package_index.py
index e93fcc6..3cd940b 100644
--- a/setuptools/package_index.py
+++ b/setuptools/package_index.py
@@ -1,5 +1,6 @@
"""PyPI and direct package downloading"""
import sys
+import subprocess
import os
import re
import io
@@ -566,7 +567,7 @@ class PackageIndex(Environment):
scheme = URL_SCHEME(spec)
if scheme:
# It's a url, download it to tmpdir
- found = self._download_url(scheme.group(1), spec, tmpdir)
+ found = self._download_url(spec, tmpdir)
base, fragment = egg_info_for_url(spec)
if base.endswith('.py'):
found = self.gen_setup(found, fragment, tmpdir)
@@ -785,7 +786,7 @@ class PackageIndex(Environment):
raise DistutilsError("Download error for %s: %s"
% (url, v)) from v
- def _download_url(self, scheme, url, tmpdir):
+ def _download_url(self, url, tmpdir):
# Determine download filename
#
name, fragment = egg_info_for_url(url)
@@ -800,19 +801,60 @@ class PackageIndex(Environment):
filename = os.path.join(tmpdir, name)
- # Download the file
- #
- if scheme == 'svn' or scheme.startswith('svn+'):
- return self._download_svn(url, filename)
- elif scheme == 'git' or scheme.startswith('git+'):
- return self._download_git(url, filename)
- elif scheme.startswith('hg+'):
- return self._download_hg(url, filename)
- elif scheme == 'file':
- return urllib.request.url2pathname(urllib.parse.urlparse(url)[2])
- else:
- self.url_ok(url, True) # raises error if not allowed
- return self._attempt_download(url, filename)
+ return self._download_vcs(url, filename) or self._download_other(url, filename)
+
+
+ @staticmethod
+ def _resolve_vcs(url):
+ """
+ >>> rvcs = PackageIndex._resolve_vcs
+ >>> rvcs('git+http://foo/bar')
+ 'git'
+ >>> rvcs('hg+https://foo/bar')
+ 'hg'
+ >>> rvcs('git:myhost')
+ 'git'
+ >>> rvcs('hg:myhost')
+ >>> rvcs('http://foo/bar')
+ """
+ scheme = urllib.parse.urlsplit(url).scheme
+ pre, sep, post = scheme.partition('+')
+ # svn and git have their own protocol; hg does not
+ allowed = set(['svn', 'git'] + ['hg'] * bool(sep))
+ return next(iter({pre} & allowed), None)
+
+ def _download_vcs(self, url, spec_filename):
+ vcs = self._resolve_vcs(url)
+ if not vcs:
+ return
+ if vcs == 'svn':
+ raise DistutilsError(
+ f"Invalid config, SVN download is not supported: {url}"
+ )
+
+ filename, _, _ = spec_filename.partition('#')
+ url, rev = self._vcs_split_rev_from_url(url)
+
+ self.info(f"Doing {vcs} clone from {url} to {filename}")
+ subprocess.check_call([vcs, 'clone', '--quiet', url, filename])
+
+ co_commands = dict(
+ git=[vcs, '-C', filename, 'checkout', '--quiet', rev],
+ hg=[vcs, '--cwd', filename, 'up', '-C', '-r', rev, '-q'],
+ )
+ if rev is not None:
+ self.info(f"Checking out {rev}")
+ subprocess.check_call(co_commands[vcs])
+
+ return filename
+
+ def _download_other(self, url, filename):
+ scheme = urllib.parse.urlsplit(url).scheme
+ if scheme == 'file': # pragma: no cover
+ return urllib.request.url2pathname(urllib.parse.urlparse(url).path)
+ # raise error if not allowed
+ self.url_ok(url, True)
+ return self._attempt_download(url, filename)
def scan_url(self, url):
self.process_url(url, True)
@@ -862,54 +904,35 @@ class PackageIndex(Environment):
return filename
@staticmethod
- def _vcs_split_rev_from_url(url, pop_prefix=False):
- scheme, netloc, path, query, frag = urllib.parse.urlsplit(url)
+ def _vcs_split_rev_from_url(url):
+ """
+ Given a possible VCS URL, return a clean URL and resolved revision if any.
+ >>> vsrfu = PackageIndex._vcs_split_rev_from_url
+ >>> vsrfu('git+https://github.com/pypa/setuptools@v69.0.0#egg-info=setuptools')
+ ('https://github.com/pypa/setuptools', 'v69.0.0')
+ >>> vsrfu('git+https://github.com/pypa/setuptools#egg-info=setuptools')
+ ('https://github.com/pypa/setuptools', None)
+ >>> vsrfu('http://foo/bar')
+ ('http://foo/bar', None)
+ """
+ parts = urllib.parse.urlsplit(url)
- scheme = scheme.split('+', 1)[-1]
+ clean_scheme = parts.scheme.split('+', 1)[-1]
# Some fragment identification fails
- path = path.split('#', 1)[0]
-
- rev = None
- if '@' in path:
- path, rev = path.rsplit('@', 1)
-
- # Also, discard fragment
- url = urllib.parse.urlunsplit((scheme, netloc, path, query, ''))
-
- return url, rev
-
- def _download_git(self, url, filename):
- filename = filename.split('#', 1)[0]
- url, rev = self._vcs_split_rev_from_url(url, pop_prefix=True)
+ no_fragment_path, _, _ = parts.path.partition('#')
- self.info("Doing git clone from %s to %s", url, filename)
- os.system("git clone --quiet %s %s" % (url, filename))
+ pre, sep, post = no_fragment_path.rpartition('@')
+ clean_path, rev = (pre, post) if sep else (post, None)
- if rev is not None:
- self.info("Checking out %s", rev)
- os.system("git -C %s checkout --quiet %s" % (
- filename,
- rev,
- ))
-
- return filename
-
- def _download_hg(self, url, filename):
- filename = filename.split('#', 1)[0]
- url, rev = self._vcs_split_rev_from_url(url, pop_prefix=True)
+ resolved = parts._replace(
+ scheme=clean_scheme,
+ path=clean_path,
+ # discard the fragment
+ fragment='',
+ ).geturl()
- self.info("Doing hg clone from %s to %s", url, filename)
- os.system("hg clone --quiet %s %s" % (url, filename))
-
- if rev is not None:
- self.info("Updating to %s", rev)
- os.system("hg --cwd %s up -C -r %s -q" % (
- filename,
- rev,
- ))
-
- return filename
+ return resolved, rev
def debug(self, msg, *args):
log.debug(msg, *args)
diff --git a/setuptools/tests/test_packageindex.py b/setuptools/tests/test_packageindex.py
index fc544c0..e4fd8ca 100644
--- a/setuptools/tests/test_packageindex.py
+++ b/setuptools/tests/test_packageindex.py
@@ -193,51 +193,46 @@ class TestPackageIndex:
assert dists[0].version == ''
assert dists[1].version == vc
- def test_download_git_with_rev(self, tmpdir):
+ def test_download_git_with_rev(self, tmp_path, fp):
url = 'git+https://github.example/group/project@master#egg=foo'
index = setuptools.package_index.PackageIndex()
- with mock.patch("os.system") as os_system_mock:
- result = index.download(url, str(tmpdir))
+ expected_dir = tmp_path / 'project@master'
+ fp.register([
+ 'git',
+ 'clone',
+ '--quiet',
+ 'https://github.example/group/project',
+ expected_dir,
+ ])
+ fp.register(['git', '-C', expected_dir, 'checkout', '--quiet', 'master'])
- os_system_mock.assert_called()
-
- expected_dir = str(tmpdir / 'project@master')
- expected = (
- 'git clone --quiet '
- 'https://github.example/group/project {expected_dir}'
- ).format(**locals())
- first_call_args = os_system_mock.call_args_list[0][0]
- assert first_call_args == (expected,)
+ result = index.download(url, tmp_path)
- tmpl = 'git -C {expected_dir} checkout --quiet master'
- expected = tmpl.format(**locals())
- assert os_system_mock.call_args_list[1][0] == (expected,)
- assert result == expected_dir
+ assert result == str(expected_dir)
+ assert len(fp.calls) == 2
- def test_download_git_no_rev(self, tmpdir):
+ def test_download_git_no_rev(self, tmp_path, fp):
url = 'git+https://github.example/group/project#egg=foo'
index = setuptools.package_index.PackageIndex()
- with mock.patch("os.system") as os_system_mock:
- result = index.download(url, str(tmpdir))
-
- os_system_mock.assert_called()
-
- expected_dir = str(tmpdir / 'project')
- expected = (
- 'git clone --quiet '
- 'https://github.example/group/project {expected_dir}'
- ).format(**locals())
- os_system_mock.assert_called_once_with(expected)
-
- def test_download_svn(self, tmpdir):
+ expected_dir = tmp_path / 'project'
+ fp.register([
+ 'git',
+ 'clone',
+ '--quiet',
+ 'https://github.example/group/project',
+ expected_dir,
+ ])
+ index.download(url, tmp_path)
+
+ def test_download_svn(self, tmp_path):
url = 'svn+https://svn.example/project#egg=foo'
index = setuptools.package_index.PackageIndex()
with pytest.warns(UserWarning):
with mock.patch("os.system") as os_system_mock:
- result = index.download(url, str(tmpdir))
+ result = index.download(url, tmp_path)
os_system_mock.assert_called()
--
2.33.0

6
python-setuptools.spec
View File

@ -8,7 +8,7 @@
Name: python-setuptools
Version: 59.4.0
Release: 5
Release: 6
Summary: Easily build and distribute Python packages
License: MIT and (BSD or ASL 2.0)
@ -18,6 +18,7 @@ Source0: %{pypi_source setuptools %{version}}
Patch6000: backport-CVE-2022-40897.patch
Patch9000: bugfix-eliminate-random-order-in-metadata.patch
Patch9001: backport-CVE-2024-6345.patch
BuildArch: noarch
@ -113,6 +114,9 @@ PYTHONDONTWRITEBYTECODE=1 PYTHONPATH=$(pwd) py.test-%{python3_version} --ignore=
%changelog
* Mon Jul 15 2024 zhangxianting <zhangxianting@uniontech> - 59.4.0-6
- Fix CVE-2024-6345
* Wed Jan 04 2023 zhuofeng <zhuofeng2@huawei.com> - 59.4.0-5
- Type:CVE
- CVE:CVE-2022-40897