
package/python-tornado: bump to version 6.4.1

Drop patch which is now upstream; that was a backport from an upstream
security fix for CVE-2023-28370, so we can drop the CVE exclusion now.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
[yann.morin.1998@free.fr:
  - drop CVE exclusion
  - extend commit log accordingly
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
James Hilliard, 10 months ago
commit 478f4a0b3a

+ 0 - 42
package/python-tornado/0001-web-Fix-an-open-redirect-in-StaticFileHandler.patch

@@ -1,42 +0,0 @@
-From ac79778c91bd9a4a92111f7e06d4b12674571113 Mon Sep 17 00:00:00 2001
-From: Ben Darnell <ben@bendarnell.com>
-Date: Sat, 13 May 2023 20:58:52 -0400
-Subject: [PATCH] web: Fix an open redirect in StaticFileHandler
-
-Under some configurations the default_filename redirect could be exploited
-to redirect to an attacker-controlled site. This change refuses to redirect
-to URLs that could be misinterpreted.
-
-A test case for the specific vulnerable configuration will follow after the
-patch has been available.
-
-Upstream: https://github.com/tornadoweb/tornado/commit/32ad07c54e607839273b4e1819c347f5c8976b2f
-[Thomas: backported to fix CVE-2023-28370]
-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
----
- tornado/web.py | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/tornado/web.py b/tornado/web.py
-index cd6a81b4..05b571eb 100644
---- a/tornado/web.py
-+++ b/tornado/web.py
-@@ -2806,6 +2806,15 @@ class StaticFileHandler(RequestHandler):
-             # but there is some prefix to the path that was already
-             # trimmed by the routing
-             if not self.request.path.endswith("/"):
-+                if self.request.path.startswith("//"):
-+                    # A redirect with two initial slashes is a "protocol-relative" URL.
-+                    # This means the next path segment is treated as a hostname instead
-+                    # of a part of the path, making this effectively an open redirect.
-+                    # Reject paths starting with two slashes to prevent this.
-+                    # This is only reachable under certain configurations.
-+                    raise HTTPError(
-+                        403, "cannot redirect path with two initial slashes"
-+                    )
-                 self.redirect(self.request.path + "/", permanent=True)
-                 return None
-             absolute_path = os.path.join(absolute_path, self.default_filename)
--- 
-2.41.0
-
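Review bot: the `Upstream:` line naming commit 32ad07c54e607839273b4e1819c347f5c8976b2f is the only evidence on this page that the open-redirect fix is actually present in 6.4.1; the commit log should state the upstream release that first carried that commit (or cite a `git tag --contains 32ad07c5` check against the tornado repository) so that dropping the CVE-2023-28370 exclusion is auditable rather than inferred from "now upstream". The removed patch description also says the upstream test case "will follow after the patch has been available", so it is worth confirming that the 6.4.1 tarball ships that test alongside the `startswith("//")` check, not just the code change.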

+ 2 - 2
package/python-tornado/python-tornado.hash

@@ -1,5 +1,5 @@
 # md5, sha256 from https://pypi.org/pypi/tornado/json
-md5  32fbad606b439c3e1bf4e79d4e872741  tornado-6.2.tar.gz
-sha256  9b630419bde84ec666bfd7ea0a4cb2a8a651c2d5cccdbdd1972a0c859dfc3c13  tornado-6.2.tar.gz
+md5  07ebd88a2a7acee1b819738f3f4ca7ef  tornado-6.4.1.tar.gz
+sha256  92d3ab53183d8c50f8204a51e6f91d18a15d5ef261e84d452800d4ff6fc504e9  tornado-6.4.1.tar.gz
 # Locally computed sha256 checksums
 sha256  cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30  LICENSE
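Review bot: the comment on the first line says the md5 and sha256 come from the PyPI JSON metadata; the download helper checks every digest listed here, but only the sha256 provides meaningful integrity, so re-derive it from a freshly downloaded tarball (`sha256sum tornado-6.4.1.tar.gz`) fetched from the blob path set in python-tornado.mk rather than trusting the metadata alone. The unchanged LICENSE line is correct only if the license text is byte-identical between 6.2 and 6.4.1; the build's hash check will fail loudly if it is not, so a local build of the package should be part of the review.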

+ 2 - 4
package/python-tornado/python-tornado.mk

@@ -4,15 +4,13 @@
 #
 ################################################################################
 
-PYTHON_TORNADO_VERSION = 6.2
+PYTHON_TORNADO_VERSION = 6.4.1
 PYTHON_TORNADO_SOURCE = tornado-$(PYTHON_TORNADO_VERSION).tar.gz
-PYTHON_TORNADO_SITE = https://files.pythonhosted.org/packages/f3/9e/225a41452f2d9418d89be5e32cf824c84fe1e639d350d6e8d49db5b7f73a
+PYTHON_TORNADO_SITE = https://files.pythonhosted.org/packages/ee/66/398ac7167f1c7835406888a386f6d0d26ee5dbf197d8a571300be57662d3
 PYTHON_TORNADO_LICENSE = Apache-2.0
 PYTHON_TORNADO_LICENSE_FILES = LICENSE
 PYTHON_TORNADO_CPE_ID_VENDOR = tornadoweb
 PYTHON_TORNADO_CPE_ID_PRODUCT = tornado
 PYTHON_TORNADO_SETUP_TYPE = setuptools
-# 0001-web-Fix-an-open-redirect-in-StaticFileHandler.patch
-PYTHON_TORNADO_IGNORE_CVES += CVE-2023-28370
 
 $(eval $(python-package))
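Review bot: removing `PYTHON_TORNADO_IGNORE_CVES += CVE-2023-28370` together with the `# 0001-web-Fix-an-open-redirect-in-StaticFileHandler.patch` comment is the right pairing: with `PYTHON_TORNADO_CPE_ID_VENDOR`/`PRODUCT` set, the CVE matching now keys on version 6.4.1 and should report CVE-2023-28370 as not affecting this version without a manual exclusion, so confirm with the tree's CVE check that the package no longer lists it. The new `PYTHON_TORNADO_SITE` is the PyPI blob directory specific to this tarball and must be updated in lockstep with the hash file on every future bump. Since 6.2 to 6.4.1 spans two minor releases, the commit log could also note whether the in-tree reverse dependencies of python-tornado were build-tested.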