Commit graph

807 commits

Author SHA1 Message Date
Josef Schlehofer
ad6fbb9ef2
ruamel-yaml: update to version 0.15.97
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2019-06-09 23:19:50 +02:00
Martin Matějek
596990974c python3-pyroute2: Update to version 0.5.6
Signed-off-by: Martin Matějek <martin.matejek@gmx.com>
2019-06-07 13:21:18 +02:00
Rosen Penev
8f0f613af0
Merge pull request #9131 from jefferyto/python-bpo-35907
python,python3: Fix CVE-2019-9948 - local_file:// allowed in urllib
2019-06-05 01:23:46 -07:00
Hannu Nyman
438326179e
Merge pull request #9129 from ysc3839/pycryptodome
python-cryptodome: update to 3.8.2.
2019-06-04 21:25:18 +03:00
Jeffery To
53838903fe python,python3: Fix CVE-2019-9948 - local_file:// allowed in urllib
These patches address issue:
CVE-2019-9948: Unnecessary URL scheme exists to allow local_file://
reading file in urllib

Link to Python issue:
https://bugs.python.org/issue35907

Issue 35907 is still currently open, waiting for a decision for
Python 3.5; these patches for Python 2.7 and 3.7 have been merged.

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
2019-06-04 22:20:21 +08:00
Hannu Nyman
1e39f3189b
Merge pull request #9114 from jefferyto/python-host-setuptools-pip-installed-pkg-release
python,python3: Record PKG_RELEASE for host setuptools/pip
2019-06-03 17:02:44 +03:00
Rosen Penev
15a0606403
Merge pull request #9100 from jefferyto/isolate-host-python
python,python3: Better isolate host Python
2019-06-03 02:11:20 -07:00
Rosen Penev
bb5a8c43b6
Merge pull request #9121 from jefferyto/python-cryptography-2.7
python-cryptography: Update to 2.7
2019-06-03 02:09:20 -07:00
Richard Yu
81bffa694a
python-cryptodome: update to 3.8.2.
Signed-off-by: Richard Yu <yurichard3839@gmail.com>
2019-06-03 05:09:36 +08:00
Jeffery To
b74d45e88a python-cryptography: Update to 2.7
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
2019-06-03 02:56:01 +08:00
Jeffery To
9331fbb1a0 python,python3: Fix CVE-2019-9740 and CVE-2019-9947
These patches address issues:
CVE-2019-9740: Python urllib CRLF injection vulnerability
CVE-2019-9947: Header Injection in urllib

Links to Python issues:
https://bugs.python.org/issue36276 (resolved duplicate of 30458)
https://bugs.python.org/issue35906 (resolved duplicate of 30458)
https://bugs.python.org/issue30458

Issue 30458 is still currently open, waiting for a decision for
Python 3.5; these patches for Python 2.7 and 3.7 have been merged.

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
2019-06-03 00:38:53 +08:00
Jeffery To
1f1eacc484 python,python3: Record PKG_RELEASE for host setuptools/pip
This changes the "patched" indicator files for host setuptools and pip
to include their PKG_RELEASE values. This also removes host setuptools
and/or pip before host install, if the installed copy does not match the
version (and PKG_RELEASE) of the copy to be installed.

This will allow added or removed patches to affect host setuptools /
pip, since these changes will cause PKG_RELEASE to be incremented.

This also fixes the host install error, when the install tries to patch
an already patched copy of setuptools. (This error occurs because the
existing indicator files do not have version numbers in their file
names, whereas host install expected version numbers to be present.)

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
2019-06-01 03:52:23 +08:00
Josef Schlehofer
26b31c2645
Merge pull request #9087 from BKPepe/urllib3
python-urllib3: update to version 1.25.3
2019-05-30 15:19:21 +02:00
Hannu Nyman
e3dbc87bd9
Merge pull request #9103 from jefferyto/python-host-patch-upgraded-setuptools-pip
python,python3: Allow upgraded host setuptools/pip to be patched
2019-05-30 11:11:26 +03:00
Hannu Nyman
b7e689aefd
Merge pull request #9101 from jefferyto/python-setuptools-pip-install
python-setuptools,python-pip: Installation changes
2019-05-30 11:10:23 +03:00
Hannu Nyman
9d65877b5c
Merge pull request #9102 from jefferyto/python-cffi-cryptography-build-depends
python-cffi,python-cryptography: Fix build depends
2019-05-30 11:09:39 +03:00
Jeffery To
e074cbc285 python,python3: Allow upgraded host setuptools/pip to be patched
This adds the current setuptools/pip version numbers to the indicator
files' names, which should allow upgraded versions to be patched.

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
2019-05-30 01:48:29 +08:00
Hannu Nyman
e9d59949ce
Merge pull request #8979 from val-kulkov/python-curl
python-curl: remove hardcoded dependency on mbedtls
2019-05-29 19:38:32 +03:00
Hannu Nyman
96ae56b1e5
Merge pull request #9093 from jefferyto/python-host-ensurepip-upgrade-uninstall
python,python3: Use ensurepip=upgrade for host Python
2019-05-29 19:36:29 +03:00
Hannu Nyman
7d9511ae9d
Merge pull request #9085 from commodo/readme-multi-package-feeds
lang: python: readme: document mechanism for corner-case python[3]-package.mk location
2019-05-29 19:35:43 +03:00
Jeffery To
c94c98efca python-cffi,python-cryptography: Fix build depends
python-cryptography's build depends (host cffi, libffi) were transferred
to python-cffi at some point; this corrects the situation.

python-cryptography's host Python build depends is copied from its
setup.py[1].

[1]: https://github.com/pyca/cryptography/blob/2.6.1/setup.py#L47

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
2019-05-29 23:08:19 +08:00
Jeffery To
b8e7a197db python3-setuptools,python3-pip: Use more predictable pycache cleanup
This uses two find commands to delete __pycache__ contents then the
__pycache__ directories, rather than a for loop.

The second command omits a -empty test, so that if the first command
doesn't remove all directory contents for some reason, the second
command will return an error (find will not delete a non-empty
directory).

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
2019-05-29 22:42:02 +08:00
Jeffery To
be751236aa python-setuptools,python-pip: Change prefix to /usr
This changes the --prefix option, passed to host pip when "installing"
target setuptools and pip, to /usr, in case the prefix is recorded in
the packages.

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
2019-05-29 22:38:30 +08:00
Jeffery To
688825f37a python-setuptools,python-pip: Set pip cache dir, disable version check
This adds --cache-dir and --disable-pip-version-check options for host
pip, when "installing" target setuptools and pip.

This also changes the pip command to use $(HOST_PYTHON[3]_PIP) from
python[3]-host.mk.

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
2019-05-29 22:29:20 +08:00
Jeffery To
87a31e49f7 python,python3: Disable user site-packages for host Python
Normally, Python will include the user's site-packages directory
(~/.local/lib/python$(PYTHON_VERSION)/site-packages) in its internal
search path for modules.

This disables this default inclusion for host Python.

This change is applied during Host/Configure instead of as a patch to
keep this setting unchanged for target Python.

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
2019-05-29 22:03:18 +08:00
Jeffery To
ae80ddc7ab python,python3: Update host pip[3] install functions
* Add --cache-dir option to set the pip cache to a directory in
$(DL_DIR), instead of pip's default (build user's ~/.cache/pip),
fixes #9066

* Add --disable-pip-version-check option, since the version check only
prints a message saying a new version is available

* Combine host_python_pip_install and host_python_pip_install_host into
Build/Compile/HostPy[3]PipInstall

* Remove --root and --prefix options, since this function is only used
to install packages to host Python's default site-packages directory
(setting these may serve to confuse pip)

* Pass all of $(HOST_PYTHON[3]_PACKAGE_BUILD_DEPENDS) to the function,
since pip can handle multiple arguments/packages

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
2019-05-29 21:45:16 +08:00
Alexandru Ardelean
d607b4da7b lang: python: readme: document mechanism for corner-case python[3]-package.mk location
After some thinking over this, documenting this behavior makes sense
versus adding some functions to handle this.
There is some validity/use-cases where some users may want to reference
a python[3]-package.mk from some other location as well as have the
flexibility to change it (locally). One example can be when the local
`packages` is renamed to something else.

This does not fall on the responsibility of the Python maintainers, but
it can be documented.

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2019-05-28 21:38:01 +03:00
Jeffery To
af5288827e python,python3: Use ensurepip=upgrade for host Python
This changes --with-ensurepip=install to upgrade, to upgrade host
versions of setuptools and pip to the Python-bundled versions.

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
2019-05-28 20:27:13 +08:00
Jeffery To
6952970b2e python,python3: Clear more fields for src packages
This clears the CONFLICTS, PROVIDES, EXTRA_DEPENDS, and USERID fields
for -src packages.

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
2019-05-28 00:43:26 +08:00
Josef Schlehofer
9a76b31814
python-urllib3: update to version 1.25.3
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2019-05-26 23:57:01 +02:00
Rosen Penev
10dd4f4720
Merge pull request #9060 from jefferyto/python-setuptools-reproducible
python-setuptools: Add reproducibility patches from Debian
2019-05-25 16:11:43 -07:00
Jeffery To
6bd527df2e python-chardet: Rename Python 3 script
The Python 2 and 3 versions of chardet both install a script with the
same name (/usr/bin/chardetect). This is the issue identified in #9006
(https://github.com/openwrt/packages/pull/9006#issuecomment-493709812).

This renames the Python 3 script to chardetect3.

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
2019-05-25 04:28:53 +08:00
Eneas U de Queiroz
ea781a938c python-requests-oauthlib: add python3, clean deps
Added a python3 variant, and removed python-cryptography, and pyjwt from
the dependencies.  They are required only to run one test, that is not
even being installed.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2019-05-24 13:59:55 -03:00
Jeffery To
da35e6770d python-setuptools: Add reproducibility patches from Debian
This adds the ability to patch setuptools (and pip), and adds 3
reproducibility patches from Debian[1].
(003-PKG-INFO-output-reproducible.patch addresses the issue identified
in #9039.)

The patching is not perfect, in that the patches are applied to
setuptools and pip after they have been installed, since they are
installed from wheels which are already "precompiled".

Also, patching for the host install cannot be updated in place, for
example if a patch is added or removed.

[1]: https://sources.debian.org/patches/python-setuptools/40.8.0-1/

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
2019-05-24 13:18:09 +08:00
Rosen Penev
35c93de128
Merge pull request #9047 from cotequeiroz/python-license
python-{pip,setuptools}: add LICENSE, CPE information
2019-05-21 17:14:44 -07:00
Eneas U de Queiroz
5f447b9020
python-python3-pip: add LICENSE information
CVE id was left commented out as it is not handled by uscan.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2019-05-21 14:46:13 -03:00
Eneas U de Queiroz
bbd4930ccd
python-python3-setuptools: add LICENSE information
CVE id was left commented out as it is not handled by uscan.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2019-05-21 14:44:40 -03:00
Eneas U de Queiroz
5ea5d69ed3 openpyxl: bump to 2.6.2, add python3, fix depends
The current package does not work, due to missing dependencies, so they
are being added now, along with python3 support.

This version brings many bugfixes, and the option to use defusedxml if
available, protecting against many xml exploits.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2019-05-21 10:53:52 -03:00
Eneas U de Queiroz
1044ca095f python-et_xmlfile: restore & update removed package
This is a dependency of the openpyxl package.

The package Makefile was reworked, and a python3 variant was added.
Maintainer was changed to Alexandru Ardelean & Eneas U de Queiroz.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2019-05-21 10:53:52 -03:00
Eneas U de Queiroz
d396d84d5d python-jdcal: restore & update removed package
This is a dependency of the openpyxl package.

The package Makefile was reworked, and a python3 variant was added.
Maintainer was changed to Alexandru Ardelean & Eneas U de Queiroz.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2019-05-21 10:53:52 -03:00
Rosen Penev
05cd0c24a4
Merge pull request #8993 from cotequeiroz/rcssmin
python-rcssmin: restore & update removed package, add depend to django-compressor
2019-05-21 01:20:09 -07:00
Rosen Penev
c552f138e0
Merge pull request #9040 from cotequeiroz/python-license
Python/python3: refresh license information
2019-05-21 00:45:49 -07:00
Rosen Penev
a505e173d6
Merge pull request #9039 from cotequeiroz/python_conditional
treewide: add PACKAGE_* DEPENDS conditionals to python packages building both variants, update README.md
2019-05-21 00:45:17 -07:00
Eneas U de Queiroz
00f90974b6
python3: refresh LICENSE information
Changed PKG_LICENSE to reflect spdx license tag, and PKG_LICENSE_FILES
to include all license-related files applicable to the parts of the
code we are actually using to build and/or distributing.  The
Windows-only files, and the python-bundled Tools we're not using have
been left out.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2019-05-20 18:20:43 -03:00
Eneas U de Queiroz
971b2a5218
python: refresh LICENSE information
Changed PKG_LICENSE to reflect spdx license tag, and PKG_LICENSE_FILES
to include all license-related files applicable to the parts of the
code we are actually using to build and/or distributing.  The
Windows-only files, and the python-bundled Tools we're not using have
been left out.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2019-05-20 18:18:23 -03:00
Eneas U de Queiroz
65009e8127
treewide: Add PACKAGE_* conds to python packages
If a package builds python & python3 variants, then the respective
PACKAGE-python* conditional DEPENDS were added, since circular
dependencies should all be resolved now.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2019-05-20 16:18:06 -03:00
Eneas U de Queiroz
36d0c59e99
python: README.md: adjust recursive dep text, misc
Adding the conditionals to DEPENDS should not cause circular
dependencies any more.  This adjusts the text to point out that it used
to be a problem, and if it happens again, one should open an issue.

Also, some spotted trivial errors were fixed.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2019-05-20 16:17:30 -03:00
Eneas U de Queiroz
016ef28dff
django-compressor: add missing dependencies.
Added python-rcssmin, and django-appconfig as dependencies, and a note
in the package help text about not having a rjsmin package, so the
jsmin (javascript) filter will not work.
Adjusted the Makefile to conform to current python-package style, and to
display the package title correctly in menuconfig.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2019-05-20 11:24:37 -03:00
Eneas U de Queiroz
ef77f9940e
python-rcssmin: restore & update removed package
This is a dependency of django-compressor.

The package Makefile was reworked, and a python3 variant was added.
Maintainer was changed to Alexandru Ardelean & Eneas U de Queiroz.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2019-05-20 11:03:54 -03:00
Eneas U de Queiroz
8b03ed3124
python-qrcode: adjust Makefile style
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2019-05-17 23:10:40 -03:00