1 files changed, 0 insertions, 124 deletions
diff --git a/meta/recipes-devtools/python/python3/CVE-2024-8088.patch b/meta/recipes-devtools/python/python3/CVE-2024-8088.patch
deleted file mode 100644
index 10d28a9e65..0000000000
--- a/meta/recipes-devtools/python/python3/CVE-2024-8088.patch
+++ /dev/null
@@ -1,124 +0,0 @@
-From e0264a61119d551658d9445af38323ba94fc16db Mon Sep 17 00:00:00 2001
-From: "Jason R. Coombs" <jaraco@jaraco.com>
-Date: Thu, 22 Aug 2024 19:24:33 -0400
-Subject: [PATCH] CVE-2024-8088: Sanitize names in zipfile.Path. (GH-122906)
-Upstream-Status: Backport from https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db
-CVE: CVE-2024-8088
-Signed-off-by: Rohini Sangam <rsangam@mvista.com>
---
- Lib/test/test_zipfile.py   | 17 ++++++
- Lib/zipfile.py             | 61 ++++++++++++++++++-
- 2 files changed, 77 insertions(+), 1 deletion(-)
-diff --git a/Lib/test/test_zipfile.py b/Lib/test/test_zipfile.py
-index 32c0170..a60dc11 100644
--- a/Lib/test/test_zipfile.py
-+++ b/Lib/test/test_zipfile.py
-@@ -3280,6 +3280,23 @@ with zipfile.ZipFile(io.BytesIO(), "w") as zf:
-         zipfile.Path(zf)
-         zf.extractall(source_path.parent)
- 
-+    def test_malformed_paths(self):
-+        """
-+        Path should handle malformed paths.
-+        """
-+        data = io.BytesIO()
-+        zf = zipfile.ZipFile(data, "w")
-+        zf.writestr("/one-slash.txt", b"content")
-+        zf.writestr("//two-slash.txt", b"content")
-+        zf.writestr("../parent.txt", b"content")
-+        zf.filename = ''
-+        root = zipfile.Path(zf)
-+        assert list(map(str, root.iterdir())) == [
-+            'one-slash.txt',
-+            'two-slash.txt',
-+            'parent.txt',
-+        ]
-+
- 
- class StripExtraTests(unittest.TestCase):
-     # Note: all of the "z" characters are technically invalid, but up
-diff --git a/Lib/zipfile.py b/Lib/zipfile.py
-index 7d18bc2..cbac8d9 100644
--- a/Lib/zipfile.py
-+++ b/Lib/zipfile.py
-@@ -9,6 +9,7 @@ import io
- import itertools
- import os
- import posixpath
-+import re
- import shutil
- import stat
- import struct
-@@ -2182,7 +2183,65 @@ def _difference(minuend, subtrahend):
-     return itertools.filterfalse(set(subtrahend).__contains__, minuend)
- 
- 
-class CompleteDirs(ZipFile):
-+class SanitizedNames:
-+    """
-+    ZipFile mix-in to ensure names are sanitized.
-+    """
-+
-+    def namelist(self):
-+        return list(map(self._sanitize, super().namelist()))
-+
-+    @staticmethod
-+    def _sanitize(name):
-+        r"""
-+        Ensure a relative path with posix separators and no dot names.
-+        Modeled after
-+        https://github.com/python/cpython/blob/bcc1be39cb1d04ad9fc0bd1b9193d3972835a57c/Lib/zipfile/__init__.py#L1799-L1813
-+        but provides consistent cross-platform behavior.
-+        >>> san = SanitizedNames._sanitize
-+        >>> san('/foo/bar')
-+        'foo/bar'
-+        >>> san('//foo.txt')
-+        'foo.txt'
-+        >>> san('foo/.././bar.txt')
-+        'foo/bar.txt'
-+        >>> san('foo../.bar.txt')
-+        'foo../.bar.txt'
-+        >>> san('\\foo\\bar.txt')
-+        'foo/bar.txt'
-+        >>> san('D:\\foo.txt')
-+        'D/foo.txt'
-+        >>> san('\\\\server\\share\\file.txt')
-+        'server/share/file.txt'
-+        >>> san('\\\\?\\GLOBALROOT\\Volume3')
-+        '?/GLOBALROOT/Volume3'
-+        >>> san('\\\\.\\PhysicalDrive1\\root')
-+        'PhysicalDrive1/root'
-+        Retain any trailing slash.
-+        >>> san('abc/')
-+        'abc/'
-+        Raises a ValueError if the result is empty.
-+        >>> san('../..')
-+        Traceback (most recent call last):
-+        ...
-+        ValueError: Empty filename
-+        """
-+
-+        def allowed(part):
-+            return part and part not in {'..', '.'}
-+
-+        # Remove the drive letter.
-+        # Don't use ntpath.splitdrive, because that also strips UNC paths
-+        bare = re.sub('^([A-Z]):', r'\1', name, flags=re.IGNORECASE)
-+        clean = bare.replace('\\', '/')
-+        parts = clean.split('/')
-+        joined = '/'.join(filter(allowed, parts))
-+        if not joined:
-+            raise ValueError("Empty filename")
-+        return joined + '/' * name.endswith('/')
-+
-+
-+class CompleteDirs(SanitizedNames, ZipFile):
-     """
-     A ZipFile subclass that ensures that implied directories
-     are always included in the namelist.
-- 
-2.35.7

diff --git a/meta/recipes-devtools/python/python3/CVE-2024-8088.patch b/meta/recipes-devtools/python/python3/CVE-2024-8088.patch deleted file mode 100644 index 10d28a9e65..0000000000 --- a/meta/recipes-devtools/python/python3/CVE-2024-8088.patch +++ /dev/null
@@ -1,124 +0,0 @@
1	From e0264a61119d551658d9445af38323ba94fc16db Mon Sep 17 00:00:00 2001
2	From: "Jason R. Coombs" <jaraco@jaraco.com>
3	Date: Thu, 22 Aug 2024 19:24:33 -0400
4	Subject: [PATCH] CVE-2024-8088: Sanitize names in zipfile.Path. (GH-122906)
5
6	Upstream-Status: Backport from https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db
7	CVE: CVE-2024-8088
8
9	Signed-off-by: Rohini Sangam <rsangam@mvista.com>
10	---
11	Lib/test/test_zipfile.py \| 17 ++++++
12	Lib/zipfile.py \| 61 ++++++++++++++++++-
13	2 files changed, 77 insertions(+), 1 deletion(-)
14
15	diff --git a/Lib/test/test_zipfile.py b/Lib/test/test_zipfile.py
16	index 32c0170..a60dc11 100644
17	--- a/Lib/test/test_zipfile.py
18	+++ b/Lib/test/test_zipfile.py
19	@@ -3280,6 +3280,23 @@ with zipfile.ZipFile(io.BytesIO(), "w") as zf:
20	zipfile.Path(zf)
21	zf.extractall(source_path.parent)
22
23	+ def test_malformed_paths(self):
24	+ """
25	+ Path should handle malformed paths.
26	+ """
27	+ data = io.BytesIO()
28	+ zf = zipfile.ZipFile(data, "w")
29	+ zf.writestr("/one-slash.txt", b"content")
30	+ zf.writestr("//two-slash.txt", b"content")
31	+ zf.writestr("../parent.txt", b"content")
32	+ zf.filename = ''
33	+ root = zipfile.Path(zf)
34	+ assert list(map(str, root.iterdir())) == [
35	+ 'one-slash.txt',
36	+ 'two-slash.txt',
37	+ 'parent.txt',
38	+ ]
39	+
40
41	class StripExtraTests(unittest.TestCase):
42	# Note: all of the "z" characters are technically invalid, but up
43	diff --git a/Lib/zipfile.py b/Lib/zipfile.py
44	index 7d18bc2..cbac8d9 100644
45	--- a/Lib/zipfile.py
46	+++ b/Lib/zipfile.py
47	@@ -9,6 +9,7 @@ import io
48	import itertools
49	import os
50	import posixpath
51	+import re
52	import shutil
53	import stat
54	import struct
55	@@ -2182,7 +2183,65 @@ def _difference(minuend, subtrahend):
56	return itertools.filterfalse(set(subtrahend).__contains__, minuend)
57
58
59	-class CompleteDirs(ZipFile):
60	+class SanitizedNames:
61	+ """
62	+ ZipFile mix-in to ensure names are sanitized.
63	+ """
64	+
65	+ def namelist(self):
66	+ return list(map(self._sanitize, super().namelist()))
67	+
68	+ @staticmethod
69	+ def _sanitize(name):
70	+ r"""
71	+ Ensure a relative path with posix separators and no dot names.
72	+ Modeled after
73	+ https://github.com/python/cpython/blob/bcc1be39cb1d04ad9fc0bd1b9193d3972835a57c/Lib/zipfile/__init__.py#L1799-L1813
74	+ but provides consistent cross-platform behavior.
75	+ >>> san = SanitizedNames._sanitize
76	+ >>> san('/foo/bar')
77	+ 'foo/bar'
78	+ >>> san('//foo.txt')
79	+ 'foo.txt'
80	+ >>> san('foo/.././bar.txt')
81	+ 'foo/bar.txt'
82	+ >>> san('foo../.bar.txt')
83	+ 'foo../.bar.txt'
84	+ >>> san('\\foo\\bar.txt')
85	+ 'foo/bar.txt'
86	+ >>> san('D:\\foo.txt')
87	+ 'D/foo.txt'
88	+ >>> san('\\\\server\\share\\file.txt')
89	+ 'server/share/file.txt'
90	+ >>> san('\\\\?\\GLOBALROOT\\Volume3')
91	+ '?/GLOBALROOT/Volume3'
92	+ >>> san('\\\\.\\PhysicalDrive1\\root')
93	+ 'PhysicalDrive1/root'
94	+ Retain any trailing slash.
95	+ >>> san('abc/')
96	+ 'abc/'
97	+ Raises a ValueError if the result is empty.
98	+ >>> san('../..')
99	+ Traceback (most recent call last):
100	+ ...
101	+ ValueError: Empty filename
102	+ """
103	+
104	+ def allowed(part):
105	+ return part and part not in {'..', '.'}
106	+
107	+ # Remove the drive letter.
108	+ # Don't use ntpath.splitdrive, because that also strips UNC paths
109	+ bare = re.sub('^([A-Z]):', r'\1', name, flags=re.IGNORECASE)
110	+ clean = bare.replace('\\', '/')
111	+ parts = clean.split('/')
112	+ joined = '/'.join(filter(allowed, parts))
113	+ if not joined:
114	+ raise ValueError("Empty filename")
115	+ return joined + '/' * name.endswith('/')
116	+
117	+
118	+class CompleteDirs(SanitizedNames, ZipFile):
119	"""
120	A ZipFile subclass that ensures that implied directories
121	are always included in the namelist.
122	--
123	2.35.7
124