These patches address issues:
CVE-2019-9740: Python urllib CRLF injection vulnerability
CVE-2019-9947: Header Injection in urllib
Links to Python issues:
https://bugs.python.org/issue36276 (resolved as a duplicate of 30458)
https://bugs.python.org/issue35906 (resolved as a duplicate of 30458)
https://bugs.python.org/issue30458
Issue 30458 is still currently open, waiting for a decision for
Python 3.5; these patches for Python 2.7 and 3.7 have been merged.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>

This adds the current setuptools/pip version numbers to the indicator
files' names, which should allow upgraded versions to be patched.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>

python-cryptography's build depends (host cffi, libffi) were transferred
to python-cffi at some point; this corrects the situation.
python-cryptography's host Python build depends are copied from its
setup.py[1].
[1]: https://github.com/pyca/cryptography/blob/2.6.1/setup.py#L47
Signed-off-by: Jeffery To <jeffery.to@gmail.com>

This uses two find commands to delete __pycache__ contents then the
__pycache__ directories, rather than a for loop.
The second command omits a -empty test, so that if the first command
doesn't remove all directory contents for some reason, the second
command will return an error (find will not delete a non-empty
directory).
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
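
The two-find cleanup described in the commit above, written out as an added example; this is not code from the openwrt/packages Makefiles, and the exact find expressions, the function names and the constructed fixture layout are assumptions for illustration. The third function shows the failure mode the commit relies on: with no -empty test, find refuses to -delete a __pycache__ that still has contents and exits non-zero.

```shell
#!/bin/sh
# Added example, not code from the openwrt/packages Makefiles: the two-find
# __pycache__ cleanup described in the commit above. The find expressions
# and the fixture layout are assumptions for illustration.

# Build a constructed package tree with nested __pycache__ dirs plus one
# source file that must survive the cleanup. Prints the root directory.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/pkg/__pycache__/nested" "$root/pkg/sub/__pycache__"
    : > "$root/pkg/__pycache__/mod.cpython-37.pyc"
    : > "$root/pkg/__pycache__/nested/deep.pyc"
    : > "$root/pkg/sub/__pycache__/other.cpython-37.pyc"
    : > "$root/pkg/keep.py"
    printf '%s\n' "$root"
}

# First find: delete everything inside any __pycache__ (-delete implies
# -depth, so nested entries go before their parents). Second find: delete
# the now empty __pycache__ directories themselves. There is deliberately
# no -empty test on the second command: find refuses to -delete a non-empty
# directory and exits non-zero, so leftovers surface as a build error
# instead of being skipped quietly.
clean_pycache() {
    find "$1" -path '*/__pycache__/*' -delete || return 1
    find "$1" -type d -name __pycache__ -delete
}

# Shows the failure mode: a __pycache__ that still has contents makes the
# directory pass fail. Prints 1 when that second find exits non-zero.
leftover_status() {
    root=$(mktemp -d)
    mkdir -p "$root/__pycache__"
    : > "$root/__pycache__/stale.pyc"
    if find "$root" -type d -name __pycache__ -delete 2>/dev/null; then
        status=0
    else
        status=1
    fi
    rm -rf "$root"
    printf '%s\n' "$status"
}

# Usage: run the cleanup on a fixture and list what survives (only keep.py).
root=$(make_fixture)
clean_pycache "$root"
find "$root" -type f
rm -rf "$root"
```

The first command can be run on its own to see what it matches; the second command is the one whose exit status the build should check, since that is where a partially cleaned directory turns into an error rather than a silently retained __pycache__.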
This changes the --prefix option, passed to host pip when "installing"
target setuptools and pip, to /usr, in case the prefix is recorded in
the packages.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>

This adds --cache-dir and --disable-pip-version-check options for host
pip, when "installing" target setuptools and pip.
This also changes the pip command to use $(HOST_PYTHON[3]_PIP) from
python[3]-host.mk.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>

After some thinking over this, documenting this behavior makes sense
versus adding some functions to handle this.
There are some valid use-cases where some users may want to reference
a python[3]-package.mk from some other location as well as have the
flexibility to change it (locally). One example can be when the local
`packages` is renamed to something else.
This does not fall on the responsibility of the Python maintainers, but
it can be documented.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>

This changes --with-ensurepip=install to upgrade, to upgrade host
versions of setuptools and pip to the Python-bundled versions.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>

The Python 2 and 3 versions of chardet both install a script with the
same name (/usr/bin/chardetect). This is the issue identified in #9006
(https://github.com/openwrt/packages/pull/9006#issuecomment-493709812).
This renames the Python 3 script to chardetect3.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>

Added a python3 variant, and removed python-cryptography and pyjwt from
the dependencies. They are required only to run one test, which is not
even being installed.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>

This adds the ability to patch setuptools (and pip), and adds 3
reproducibility patches from Debian[1].
(003-PKG-INFO-output-reproducible.patch addresses the issue identified
in #9039.)
The patching is not perfect, in that the patches are applied to
setuptools and pip after they have been installed, since they are
installed from wheels which are already "precompiled".
Also, patching for the host install cannot be updated in place, for
example if a patch is added or removed.
[1]: https://sources.debian.org/patches/python-setuptools/40.8.0-1/
Signed-off-by: Jeffery To <jeffery.to@gmail.com>

luajit didn't understand completely that it was building in a cross
compiled environment for Linux target. This would cause issues when
building under openwrt on macos.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>

The current package does not work, due to missing dependencies, so they
are being added now, along with python3 support.
This version brings many bugfixes, and the option to use defusedxml if
available, protecting against many xml exploits.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>

This is a dependency of the openpyxl package.
The package Makefile was reworked, and a python3 variant was added.
Maintainer was changed to Alexandru Ardelean & Eneas U de Queiroz.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>

This is a dependency of the openpyxl package.
The package Makefile was reworked, and a python3 variant was added.
Maintainer was changed to Alexandru Ardelean & Eneas U de Queiroz.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>

Changed PKG_LICENSE to reflect spdx license tag, and PKG_LICENSE_FILES
to include all license-related files applicable to the parts of the
code we are actually using to build and/or distribute. The
Windows-only files, and the python-bundled Tools we're not using have
been left out.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>

Changed PKG_LICENSE to reflect spdx license tag, and PKG_LICENSE_FILES
to include all license-related files applicable to the parts of the
code we are actually using to build and/or distribute. The
Windows-only files, and the python-bundled Tools we're not using have
been left out.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>

If a package builds python & python3 variants, then the respective
PACKAGE-python* conditional DEPENDS were added, since circular
dependencies should all be resolved now.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>

Adding the conditionals to DEPENDS should not cause circular
dependencies any more. This adjusts the text to point out that it used
to be a problem, and if it happens again, one should open an issue.
Also, some spotted trivial errors were fixed.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>

Added python-rcssmin, and django-appconfig as dependencies, and a note
in the package help text about not having a rjsmin package, so the
jsmin (javascript) filter will not work.
Adjusted the Makefile to conform to current python-package style, and to
display the package title correctly in menuconfig.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>

This is a dependency of django-compressor.
The package Makefile was reworked, and a python3 variant was added.
Maintainer was changed to Alexandru Ardelean & Eneas U de Queiroz.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>

The defusedxml package contains several Python-only workarounds and
fixes for denial of service and other vulnerabilities in Python's XML
libraries. In order to benefit from the protection you just have to
import and use the listed functions / classes from the right defusedxml
module instead of the original module.
Currently, openpyxl detects, and uses defusedxml, if installed.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>

Fixes issue #8978. If libcurl's SSL library is set to an SSL
library other than libmbedtls, compilation fails. This patch
configures python-curl to use the currently selected SSL library
for libcurl.
Signed-off-by: Val Kulkov <val.kulkov@gmail.com>

With pip3.7, `--index-url ""` is different from the absence of the
--index-url argument. Apply the same for the python3 variant.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>

This is largely done by suffixing "python" or "py" with "3". The
README.md file is also copied here and we intend to maintain it
independently from its python2 counterpart.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>