public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] repo/gentoo:master commit in: www-apps/roundup/files/, www-apps/roundup/
@ 2019-04-05 12:40 Cédric Krier
From: Cédric Krier @ 2019-04-05 12:40 UTC
  To: gentoo-commits

commit:     2e46fefc132c4394885cabc130fe9b627fe4307b
Author:     Cédric Krier <cedk <AT> gentoo <DOT> org>
AuthorDate: Fri Apr  5 12:39:55 2019 +0000
Commit:     Cédric Krier <cedk <AT> gentoo <DOT> org>
CommitDate: Fri Apr  5 12:39:55 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2e46fefc

www-apps/roundup: Apply patches from maint-1.6 branch

Signed-off-by: Cédric Krier <cedk <AT> gentoo.org>
Package-Manager: Portage-2.3.62, Repoman-2.3.11

 .../roundup/files/roundup-1.6.0-configparser.patch |  40 ++++++
 .../roundup/files/roundup-1.6.0-csrf-headers.patch | 150 +++++++++++++++++++++
 www-apps/roundup/files/roundup-1.6.0-xss.patch     |  35 +++++
 ...oundup-1.6.0.ebuild => roundup-1.6.0-r1.ebuild} |   6 +
 4 files changed, 231 insertions(+)

diff --git a/www-apps/roundup/files/roundup-1.6.0-configparser.patch b/www-apps/roundup/files/roundup-1.6.0-configparser.patch
new file mode 100644
index 00000000000..6bdfc8dfaaa
--- /dev/null
+++ b/www-apps/roundup/files/roundup-1.6.0-configparser.patch
@@ -0,0 +1,40 @@
+changeset:   5625:99175953520e
+branch:      maint-1.6
+parent:      5537:d698d3d843a9
+user:        Joseph Myers <jsm@polyomino.org.uk>
+date:        Mon Aug 20 00:50:16 2018 +0000
+files:       CHANGES.txt roundup/configuration.py
+description:
+Fix issue2550994: breakage caused by configparser backports.
+
+
+diff -r d698d3d843a9 -r 99175953520e roundup/configuration.py
+--- a/roundup/configuration.py	Thu Sep 06 17:04:49 2018 -0400
++++ b/roundup/configuration.py	Mon Aug 20 00:50:16 2018 +0000
+@@ -2,9 +2,15 @@
+ #
+ __docformat__ = "restructuredtext"
+ 
+-try:
++# Some systems have a backport of the Python 3 configparser module to
++# Python 2: <https://pypi.org/project/configparser/>.  That breaks
++# Roundup if used with Python 2 because it generates unicode objects
++# where not expected by the Python code.  Thus, a version check is
++# used here instead of try/except.
++import sys
++if sys.version_info[0] > 2:
+     import configparser			# Python 3
+-except ImportError:
++else:
+     import ConfigParser as configparser	# Python 2
+ 
+ import getopt
+@@ -12,7 +18,6 @@
+ import logging, logging.config
+ import os
+ import re
+-import sys
+ import time
+ import smtplib
+ 
+
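
Review bot: The changeset header lists `CHANGES.txt` under `files:`, but the patch body carries only the `roundup/configuration.py` diff, so header and body disagree. A one-line comment at the top of the patch file saying the CHANGES.txt hunk was dropped on purpose would save the next maintainer from wondering whether the file was truncated. On the code itself, `sys.version_info[0] > 2` is a sound replacement for the try/except, and hoisting `import sys` above the check while deleting the later import leaves the module with a single import of it.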

diff --git a/www-apps/roundup/files/roundup-1.6.0-csrf-headers.patch b/www-apps/roundup/files/roundup-1.6.0-csrf-headers.patch
new file mode 100644
index 00000000000..8be484d5f80
--- /dev/null
+++ b/www-apps/roundup/files/roundup-1.6.0-csrf-headers.patch
@@ -0,0 +1,150 @@
+changeset:   5629:8e3df461d316
+branch:      maint-1.6
+user:        John Rouillard <rouilj@ieee.org>
+date:        Wed Feb 27 21:47:39 2019 -0500
+files:       CHANGES.txt roundup/cgi/client.py roundup/scripts/roundup_server.py test/test_cgi.py
+description:
+issue2551023: Fix CSRF headers for use with wsgi and cgi. The
+env variable array used - separators rather than _. Compare:
+HTTP_X-REQUESTED-WITH to HTTP_X_REQUESTED_WITH. The last is
+correct. Also fix roundup-server to produce the latter form. (Patch
+by Cédric Krier)
+
+
+diff -r 64ceb9c14b28 -r 8e3df461d316 roundup/cgi/client.py
+--- a/roundup/cgi/client.py	Tue Feb 12 21:31:41 2019 -0500
++++ b/roundup/cgi/client.py	Wed Feb 27 21:47:39 2019 -0500
+@@ -1026,7 +1026,7 @@
+         # If required headers are missing, raise an error
+         for header in header_names:
+             if (config["WEB_CSRF_ENFORCE_HEADER_%s"%header] == 'required'
+-                    and "HTTP_%s"%header not in self.env):
++                    and "HTTP_%s" % header.replace('-', '_') not in self.env):
+                 logger.error(self._("csrf header %s required but missing for user%s."), header, current_user)
+                 raise Unauthorised, self._("Missing header: %s")%header
+                 
+@@ -1062,9 +1062,9 @@
+                 header_pass += 1
+                 
+         enforce=config['WEB_CSRF_ENFORCE_HEADER_X-FORWARDED-HOST']
+-        if 'HTTP_X-FORWARDED-HOST' in self.env:
++        if 'HTTP_X_FORWARDED_HOST' in self.env:
+             if enforce != "no":
+-                host = self.env['HTTP_X-FORWARDED-HOST']
++                host = self.env['HTTP_X_FORWARDED_HOST']
+                 foundat = self.base.find('://' + host + '/')
+                 # 4 means self.base has http:/ prefix, 5 means https:/ prefix
+                 if foundat not in [4, 5]:
+@@ -1111,7 +1111,7 @@
+                 # Note we do not use CSRF nonces for xmlrpc requests.
+                 #
+                 # see: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Protecting_REST_Services:_Use_of_Custom_Request_Headers
+-                if 'HTTP_X-REQUESTED-WITH' not in self.env:
++                if 'HTTP_X_REQUESTED_WITH' not in self.env:
+                     logger.error(self._("csrf X-REQUESTED-WITH xmlrpc required header check failed for user%s."), current_user)
+                     raise UsageError, self._("Required Header Missing")
+ 
+diff -r 64ceb9c14b28 -r 8e3df461d316 roundup/scripts/roundup_server.py
+--- a/roundup/scripts/roundup_server.py	Tue Feb 12 21:31:41 2019 -0500
++++ b/roundup/scripts/roundup_server.py	Wed Feb 27 21:47:39 2019 -0500
+@@ -384,8 +384,8 @@
+             # If behind a proxy, this is the hostname supplied
+             # via the Host header to the proxy. Used by core code.
+             # Controlled by the CSRF settings.
+-            env['HTTP_X-FORWARDED-HOST'] = xfh
+-        xff = self.headers.getheader('X-Forwarded-For', None)
++            env['HTTP_X_FORWARDED_HOST'] = xfh
++        xff = self.headers.get('X-Forwarded-For', None)
+         if xff:
+             # xff is a list of ip addresses for original client/proxies:
+             # X-Forwarded-For: clientIP, proxy1IP, proxy2IP
+@@ -394,8 +394,8 @@
+             # Made available for extensions if the user trusts it.
+             # E.g. you may wish to disable recaptcha validation extension
+             # if the ip of the client matches 172.16.0.0.
+-            env['HTTP_X-FORWARDED-FOR'] = xff
+-        xfp = self.headers.getheader('X-Forwarded-Proto', None)
++            env['HTTP_X_FORWARDED_FOR'] = xff
++        xfp = self.headers.get('X-Forwarded-Proto', None)
+         if xfp:
+             # xfp is the protocol (http/https) seen by proxies in the
+             # path of the request. I am not sure if there is only
+@@ -408,8 +408,8 @@
+             # May not be trustworthy. Do not use in core without
+             # config option to control its use.
+             # Made available for extensions if the user trusts it.
+-            env['HTTP_X-FORWARDED-PROTO'] = xfp
+-        if os.environ.has_key('CGI_SHOW_TIMING'):
++            env['HTTP_X_FORWARDED_PROTO'] = xfp
++        if 'CGI_SHOW_TIMING' in os.environ:
+             env['CGI_SHOW_TIMING'] = os.environ['CGI_SHOW_TIMING']
+         env['HTTP_ACCEPT_LANGUAGE'] = self.headers.get('accept-language')
+         referer = self.headers.get('Referer')
+@@ -420,8 +420,8 @@
+             env['HTTP_ORIGIN'] = origin
+         xrw = self.headers.get('x-requested-with')
+         if xrw:
+-            env['HTTP_X-REQUESTED-WITH'] = xrw
+-        range = self.headers.getheader('range')
++            env['HTTP_X_REQUESTED_WITH'] = xrw
++        range = self.headers.get('range')
+         if range:
+             env['HTTP_RANGE'] = range
+ 
+diff -r 64ceb9c14b28 -r 8e3df461d316 test/test_cgi.py
+--- a/test/test_cgi.py	Tue Feb 12 21:31:41 2019 -0500
++++ b/test/test_cgi.py	Wed Feb 27 21:47:39 2019 -0500
+@@ -888,7 +888,7 @@
+         del(cl.env['HTTP_ORIGIN'])
+         del(out[0])
+ 
+-        cl.env['HTTP_X-FORWARDED-HOST'] = 'whoami.com'
++        cl.env['HTTP_X_FORWARDED_HOST'] = 'whoami.com'
+         # if there is an X-FORWARDED-HOST header it is used and
+         # HOST header is ignored. X-FORWARDED-HOST should only be
+         # passed/set by a proxy. In this case the HOST header is
+@@ -899,7 +899,7 @@
+         match_at=out[0].find('Redirecting to <a href="http://whoami.com/path/issue1?@ok_message')
+         print "result of subtest 4:", out[0]
+         self.assertNotEqual(match_at, -1)
+-        del(cl.env['HTTP_X-FORWARDED-HOST'])
++        del(cl.env['HTTP_X_FORWARDED_HOST'])
+         del(cl.env['HTTP_HOST'])
+         del(out[0])
+ 
+@@ -912,14 +912,14 @@
+         del(out[0])
+ 
+         # try failing headers
+-        cl.env['HTTP_X-FORWARDED-HOST'] = 'whoami.net'
++        cl.env['HTTP_X_FORWARDED_HOST'] = 'whoami.net'
+         # this raises an error as the header check passes and 
+         # it did the edit and tries to send mail.
+         cl.inner_main()
+         match_at=out[0].find('Invalid X-FORWARDED-HOST whoami.net')
+         print "result of subtest 6:", out[0]
+         self.assertNotEqual(match_at, -1)
+-        del(cl.env['HTTP_X-FORWARDED-HOST'])
++        del(cl.env['HTTP_X_FORWARDED_HOST'])
+         del(out[0])
+ 
+         # header checks succeed
+@@ -1031,7 +1031,7 @@
+                             'CONTENT_TYPE': 'text/plain',
+                             'HTTP_AUTHORIZATION': 'Basic YWRtaW46YWRtaW4=',
+                             'HTTP_REFERER': 'http://whoami.com/path/',
+-                            'HTTP_X-REQUESTED-WITH': "XMLHttpRequest"
++                            'HTTP_X_REQUESTED_WITH': "XMLHttpRequest"
+                         }, form)
+         cl.db = self.db
+         cl.base = 'http://whoami.com/path/'
+@@ -1059,7 +1059,7 @@
+         del(out[0])
+ 
+         # remove the X-REQUESTED-WITH header and get an xmlrpc fault returned
+-        del(cl.env['HTTP_X-REQUESTED-WITH'])
++        del(cl.env['HTTP_X_REQUESTED_WITH'])
+         cl.handle_xmlrpc()
+         output="<?xml version='1.0'?>\n<methodResponse>\n<fault>\n<value><struct>\n<member>\n<name>faultCode</name>\n<value><int>1</int></value>\n</member>\n<member>\n<name>faultString</name>\n<value><string>&lt;class 'roundup.exceptions.UsageError'&gt;:Required Header Missing</string></value>\n</member>\n</struct></value>\n</fault>\n</methodResponse>\n"
+         print out[0]
+
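
Review bot: In the `roundup/cgi/client.py` hunk at line 1026 the environ key is derived with `header.replace('-', '_')`, while the hunks at 1062 and 1111 hard-code `'HTTP_X_FORWARDED_HOST'` and `'HTTP_X_REQUESTED_WITH'`, and the config keys (`WEB_CSRF_ENFORCE_HEADER_X-FORWARDED-HOST`) keep the hyphen. With the old hyphenated keys, a server that supplies the underscore form meant the `'required'` check and the xmlrpc check could never find the header, and the `X-FORWARDED-HOST` comparison was skipped because its `in self.env` test was never true. A single helper that maps a header name to its environ key, used at all three sites, would keep the spellings from drifting apart again. The `test/test_cgi.py` hunks only rename keys; a case that sets a hyphenated header to `required` and supplies the underscore key would cover the `replace()` path. The `roundup_server.py` hunks also change `getheader()` to `get()` and `has_key()` to `in`, which the description does not mention.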

diff --git a/www-apps/roundup/files/roundup-1.6.0-xss.patch b/www-apps/roundup/files/roundup-1.6.0-xss.patch
new file mode 100644
index 00000000000..44a607e0c46
--- /dev/null
+++ b/www-apps/roundup/files/roundup-1.6.0-xss.patch
@@ -0,0 +1,35 @@
+changeset:   5665:ab37c1705dbf
+branch:      maint-1.6
+parent:      5635:ea35ab75a4c0
+user:        John Rouillard <rouilj@ieee.org>
+date:        Fri Mar 22 18:16:11 2019 -0400
+files:       CHANGES.txt frontends/roundup.cgi roundup/cgi/wsgi_handler.py
+description:
+Fix fix XSS issue in wsgi and cgi when handing url not found/404. issue2551035
+
+
+diff -r ea35ab75a4c0 -r ab37c1705dbf frontends/roundup.cgi
+--- a/frontends/roundup.cgi	Thu Mar 07 15:42:21 2019 +0100
++++ b/frontends/roundup.cgi	Fri Mar 22 18:16:11 2019 -0400
+@@ -179,7 +179,7 @@
+                 request.send_response(404)
+                 request.send_header('Content-Type', 'text/html')
+                 request.end_headers()
+-                out.write('Not found: %s'%client.path)
++                out.write('Not found: %s'%cgi.escape(client.path))
+ 
+     else:
+         import urllib
+diff -r ea35ab75a4c0 -r ab37c1705dbf roundup/cgi/wsgi_handler.py
+--- a/roundup/cgi/wsgi_handler.py	Thu Mar 07 15:42:21 2019 +0100
++++ b/roundup/cgi/wsgi_handler.py	Fri Mar 22 18:16:11 2019 -0400
+@@ -66,7 +66,7 @@
+             client.main()
+         except roundup.cgi.client.NotFound:
+             request.start_response([('Content-Type', 'text/html')], 404)
+-            request.wfile.write('Not found: %s'%client.path)
++            request.wfile.write('Not found: %s'%cgi.escape(client.path))
+ 
+         # all body data has been written using wfile
+         return []
+
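
Review bot: Neither hunk adds `import cgi`, so both `cgi.escape(client.path)` calls rely on `frontends/roundup.cgi` and `roundup/cgi/wsgi_handler.py` already importing the module outside the lines shown; please confirm, since a NameError here would break the 404 path the patch is fixing. `cgi.escape` leaves quote characters untouched unless `quote=True` is passed, which is sufficient while the path is written as element text after `Not found: `, but would not be if the value were ever placed inside an attribute. The function is deprecated in Python 3 in favour of `html.escape`, so this fix is tied to the Python 2 code base and will need revisiting on a port.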

diff --git a/www-apps/roundup/roundup-1.6.0.ebuild b/www-apps/roundup/roundup-1.6.0-r1.ebuild
similarity index 85%
rename from www-apps/roundup/roundup-1.6.0.ebuild
rename to www-apps/roundup/roundup-1.6.0-r1.ebuild
index bb623df0658..4e1c93d0283 100644
--- a/www-apps/roundup/roundup-1.6.0.ebuild
+++ b/www-apps/roundup/roundup-1.6.0-r1.ebuild
@@ -19,6 +19,12 @@ RDEPEND="${DEPEND}"
 
 DOCS="CHANGES.txt doc/*.txt"
 
+PATCHES=(
+	"${FILESDIR}/${P}-configparser.patch"
+	"${FILESDIR}/${P}-csrf-headers.patch"
+	"${FILESDIR}/${P}-xss.patch"
+)
+
 python_install_all() {
 	distutils-r1_python_install_all
 	rm -r "${ED}"/usr/share/doc/${PN} || die
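
Review bot: The commit message says only "Apply patches from maint-1.6 branch", although two of the three entries added to `PATCHES` are security fixes (`${P}-csrf-headers.patch` and `${P}-xss.patch`). The message should say so and cite the upstream issues named in the patch headers (issue2551023 and issue2551035), so the -r1 bump can be traced from a security bug. The revision bump itself is appropriate, since the installed files change.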



* [gentoo-commits] repo/gentoo:master commit in: www-apps/roundup/files/, www-apps/roundup/
@ 2019-09-14 13:38 Cédric Krier
From: Cédric Krier @ 2019-09-14 13:38 UTC
  To: gentoo-commits

commit:     87c4a503664a1a271435d3409d06b412318aa0bb
Author:     Cédric Krier <cedk <AT> gentoo <DOT> org>
AuthorDate: Sat Sep 14 13:37:52 2019 +0000
Commit:     Cédric Krier <cedk <AT> gentoo <DOT> org>
CommitDate: Sat Sep 14 13:38:31 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=87c4a503

www-apps/roundup: Version bumps

Package-Manager: Portage-2.3.69, Repoman-2.3.16
Signed-off-by: Cédric Krier <cedk <AT> gentoo.org>

 www-apps/roundup/Manifest                          |   2 +-
 .../roundup/files/roundup-1.6.0-configparser.patch |  40 ------
 .../roundup/files/roundup-1.6.0-csrf-headers.patch | 150 ---------------------
 www-apps/roundup/files/roundup-1.6.0-xss.patch     |  35 -----
 www-apps/roundup/metadata.xml                      |   5 +
 ...oundup-1.6.0-r1.ebuild => roundup-1.6.1.ebuild} |  16 ++-
 6 files changed, 15 insertions(+), 233 deletions(-)

diff --git a/www-apps/roundup/Manifest b/www-apps/roundup/Manifest
index 07f3cccfd45..b97d22ec510 100644
--- a/www-apps/roundup/Manifest
+++ b/www-apps/roundup/Manifest
@@ -1,2 +1,2 @@
 DIST roundup-1.5.1.tar.gz 2618886 BLAKE2B 5ccca10ce7f30b35b0875340c4cae87aa19e5384e6e5973576ea8e2de79eb83d32447580944f472d73e7cdb5f43a4ed7f805d51242e22cc2f756b3deae4004b2 SHA512 d7cdeaafb682ce7f202cacddeb1a42312f22778a2c83b52b4e838c27b1e7141a94b2ac2b670b0edee0efcfe27d74e31e6f267ae1380e90359def27385ca68d58
-DIST roundup-1.6.0.tar.gz 2893499 BLAKE2B 5fe75b0953d16cebe52a25379d5a13f7745eb87e4a6a46f17945c3655394c1d1d2aff9e74783ee3e4757fc407ca2b46a7c3ef6d20eedbfb695783302fb64bf1f SHA512 1a8e9c0c7a6e607953ee91ce750f72bf53b5c6dc4bbd6d001570dd77abf396d4de2c832ef45495b87890a3c11b158be9e7a8eed635f63b5586b7bb9399856dcc
+DIST roundup-1.6.1.tar.gz 3128618 BLAKE2B 7fa87006582feac74f0fc455bc201f2485326b8f6ed616164f667992da114d45e8d8cef370a825450b5a4cb757ba0453d5fe3ace47164bd83e78a8c6f28b9d05 SHA512 b7666c5515c76baa4fa3ac3d0efea82feace6270af55bbc70e603b2ce0c617b4a303a15133310c1e00d3b6442baa58060d5387f568014652b1b781d9248f0052

diff --git a/www-apps/roundup/files/roundup-1.6.0-configparser.patch b/www-apps/roundup/files/roundup-1.6.0-configparser.patch
deleted file mode 100644
index 6bdfc8dfaaa..00000000000
--- a/www-apps/roundup/files/roundup-1.6.0-configparser.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-changeset:   5625:99175953520e
-branch:      maint-1.6
-parent:      5537:d698d3d843a9
-user:        Joseph Myers <jsm@polyomino.org.uk>
-date:        Mon Aug 20 00:50:16 2018 +0000
-files:       CHANGES.txt roundup/configuration.py
-description:
-Fix issue2550994: breakage caused by configparser backports.
-
-
-diff -r d698d3d843a9 -r 99175953520e roundup/configuration.py
---- a/roundup/configuration.py	Thu Sep 06 17:04:49 2018 -0400
-+++ b/roundup/configuration.py	Mon Aug 20 00:50:16 2018 +0000
-@@ -2,9 +2,15 @@
- #
- __docformat__ = "restructuredtext"
- 
--try:
-+# Some systems have a backport of the Python 3 configparser module to
-+# Python 2: <https://pypi.org/project/configparser/>.  That breaks
-+# Roundup if used with Python 2 because it generates unicode objects
-+# where not expected by the Python code.  Thus, a version check is
-+# used here instead of try/except.
-+import sys
-+if sys.version_info[0] > 2:
-     import configparser			# Python 3
--except ImportError:
-+else:
-     import ConfigParser as configparser	# Python 2
- 
- import getopt
-@@ -12,7 +18,6 @@
- import logging, logging.config
- import os
- import re
--import sys
- import time
- import smtplib
- 
-

diff --git a/www-apps/roundup/files/roundup-1.6.0-csrf-headers.patch b/www-apps/roundup/files/roundup-1.6.0-csrf-headers.patch
deleted file mode 100644
index 8be484d5f80..00000000000
--- a/www-apps/roundup/files/roundup-1.6.0-csrf-headers.patch
+++ /dev/null
@@ -1,150 +0,0 @@
-changeset:   5629:8e3df461d316
-branch:      maint-1.6
-user:        John Rouillard <rouilj@ieee.org>
-date:        Wed Feb 27 21:47:39 2019 -0500
-files:       CHANGES.txt roundup/cgi/client.py roundup/scripts/roundup_server.py test/test_cgi.py
-description:
-issue2551023: Fix CSRF headers for use with wsgi and cgi. The
-env variable array used - separators rather than _. Compare:
-HTTP_X-REQUESTED-WITH to HTTP_X_REQUESTED_WITH. The last is
-correct. Also fix roundup-server to produce the latter form. (Patch
-by Cédric Krier)
-
-
-diff -r 64ceb9c14b28 -r 8e3df461d316 roundup/cgi/client.py
---- a/roundup/cgi/client.py	Tue Feb 12 21:31:41 2019 -0500
-+++ b/roundup/cgi/client.py	Wed Feb 27 21:47:39 2019 -0500
-@@ -1026,7 +1026,7 @@
-         # If required headers are missing, raise an error
-         for header in header_names:
-             if (config["WEB_CSRF_ENFORCE_HEADER_%s"%header] == 'required'
--                    and "HTTP_%s"%header not in self.env):
-+                    and "HTTP_%s" % header.replace('-', '_') not in self.env):
-                 logger.error(self._("csrf header %s required but missing for user%s."), header, current_user)
-                 raise Unauthorised, self._("Missing header: %s")%header
-                 
-@@ -1062,9 +1062,9 @@
-                 header_pass += 1
-                 
-         enforce=config['WEB_CSRF_ENFORCE_HEADER_X-FORWARDED-HOST']
--        if 'HTTP_X-FORWARDED-HOST' in self.env:
-+        if 'HTTP_X_FORWARDED_HOST' in self.env:
-             if enforce != "no":
--                host = self.env['HTTP_X-FORWARDED-HOST']
-+                host = self.env['HTTP_X_FORWARDED_HOST']
-                 foundat = self.base.find('://' + host + '/')
-                 # 4 means self.base has http:/ prefix, 5 means https:/ prefix
-                 if foundat not in [4, 5]:
-@@ -1111,7 +1111,7 @@
-                 # Note we do not use CSRF nonces for xmlrpc requests.
-                 #
-                 # see: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Protecting_REST_Services:_Use_of_Custom_Request_Headers
--                if 'HTTP_X-REQUESTED-WITH' not in self.env:
-+                if 'HTTP_X_REQUESTED_WITH' not in self.env:
-                     logger.error(self._("csrf X-REQUESTED-WITH xmlrpc required header check failed for user%s."), current_user)
-                     raise UsageError, self._("Required Header Missing")
- 
-diff -r 64ceb9c14b28 -r 8e3df461d316 roundup/scripts/roundup_server.py
---- a/roundup/scripts/roundup_server.py	Tue Feb 12 21:31:41 2019 -0500
-+++ b/roundup/scripts/roundup_server.py	Wed Feb 27 21:47:39 2019 -0500
-@@ -384,8 +384,8 @@
-             # If behind a proxy, this is the hostname supplied
-             # via the Host header to the proxy. Used by core code.
-             # Controlled by the CSRF settings.
--            env['HTTP_X-FORWARDED-HOST'] = xfh
--        xff = self.headers.getheader('X-Forwarded-For', None)
-+            env['HTTP_X_FORWARDED_HOST'] = xfh
-+        xff = self.headers.get('X-Forwarded-For', None)
-         if xff:
-             # xff is a list of ip addresses for original client/proxies:
-             # X-Forwarded-For: clientIP, proxy1IP, proxy2IP
-@@ -394,8 +394,8 @@
-             # Made available for extensions if the user trusts it.
-             # E.g. you may wish to disable recaptcha validation extension
-             # if the ip of the client matches 172.16.0.0.
--            env['HTTP_X-FORWARDED-FOR'] = xff
--        xfp = self.headers.getheader('X-Forwarded-Proto', None)
-+            env['HTTP_X_FORWARDED_FOR'] = xff
-+        xfp = self.headers.get('X-Forwarded-Proto', None)
-         if xfp:
-             # xfp is the protocol (http/https) seen by proxies in the
-             # path of the request. I am not sure if there is only
-@@ -408,8 +408,8 @@
-             # May not be trustworthy. Do not use in core without
-             # config option to control its use.
-             # Made available for extensions if the user trusts it.
--            env['HTTP_X-FORWARDED-PROTO'] = xfp
--        if os.environ.has_key('CGI_SHOW_TIMING'):
-+            env['HTTP_X_FORWARDED_PROTO'] = xfp
-+        if 'CGI_SHOW_TIMING' in os.environ:
-             env['CGI_SHOW_TIMING'] = os.environ['CGI_SHOW_TIMING']
-         env['HTTP_ACCEPT_LANGUAGE'] = self.headers.get('accept-language')
-         referer = self.headers.get('Referer')
-@@ -420,8 +420,8 @@
-             env['HTTP_ORIGIN'] = origin
-         xrw = self.headers.get('x-requested-with')
-         if xrw:
--            env['HTTP_X-REQUESTED-WITH'] = xrw
--        range = self.headers.getheader('range')
-+            env['HTTP_X_REQUESTED_WITH'] = xrw
-+        range = self.headers.get('range')
-         if range:
-             env['HTTP_RANGE'] = range
- 
-diff -r 64ceb9c14b28 -r 8e3df461d316 test/test_cgi.py
---- a/test/test_cgi.py	Tue Feb 12 21:31:41 2019 -0500
-+++ b/test/test_cgi.py	Wed Feb 27 21:47:39 2019 -0500
-@@ -888,7 +888,7 @@
-         del(cl.env['HTTP_ORIGIN'])
-         del(out[0])
- 
--        cl.env['HTTP_X-FORWARDED-HOST'] = 'whoami.com'
-+        cl.env['HTTP_X_FORWARDED_HOST'] = 'whoami.com'
-         # if there is an X-FORWARDED-HOST header it is used and
-         # HOST header is ignored. X-FORWARDED-HOST should only be
-         # passed/set by a proxy. In this case the HOST header is
-@@ -899,7 +899,7 @@
-         match_at=out[0].find('Redirecting to <a href="http://whoami.com/path/issue1?@ok_message')
-         print "result of subtest 4:", out[0]
-         self.assertNotEqual(match_at, -1)
--        del(cl.env['HTTP_X-FORWARDED-HOST'])
-+        del(cl.env['HTTP_X_FORWARDED_HOST'])
-         del(cl.env['HTTP_HOST'])
-         del(out[0])
- 
-@@ -912,14 +912,14 @@
-         del(out[0])
- 
-         # try failing headers
--        cl.env['HTTP_X-FORWARDED-HOST'] = 'whoami.net'
-+        cl.env['HTTP_X_FORWARDED_HOST'] = 'whoami.net'
-         # this raises an error as the header check passes and 
-         # it did the edit and tries to send mail.
-         cl.inner_main()
-         match_at=out[0].find('Invalid X-FORWARDED-HOST whoami.net')
-         print "result of subtest 6:", out[0]
-         self.assertNotEqual(match_at, -1)
--        del(cl.env['HTTP_X-FORWARDED-HOST'])
-+        del(cl.env['HTTP_X_FORWARDED_HOST'])
-         del(out[0])
- 
-         # header checks succeed
-@@ -1031,7 +1031,7 @@
-                             'CONTENT_TYPE': 'text/plain',
-                             'HTTP_AUTHORIZATION': 'Basic YWRtaW46YWRtaW4=',
-                             'HTTP_REFERER': 'http://whoami.com/path/',
--                            'HTTP_X-REQUESTED-WITH': "XMLHttpRequest"
-+                            'HTTP_X_REQUESTED_WITH': "XMLHttpRequest"
-                         }, form)
-         cl.db = self.db
-         cl.base = 'http://whoami.com/path/'
-@@ -1059,7 +1059,7 @@
-         del(out[0])
- 
-         # remove the X-REQUESTED-WITH header and get an xmlrpc fault returned
--        del(cl.env['HTTP_X-REQUESTED-WITH'])
-+        del(cl.env['HTTP_X_REQUESTED_WITH'])
-         cl.handle_xmlrpc()
-         output="<?xml version='1.0'?>\n<methodResponse>\n<fault>\n<value><struct>\n<member>\n<name>faultCode</name>\n<value><int>1</int></value>\n</member>\n<member>\n<name>faultString</name>\n<value><string>&lt;class 'roundup.exceptions.UsageError'&gt;:Required Header Missing</string></value>\n</member>\n</struct></value>\n</fault>\n</methodResponse>\n"
-         print out[0]
-

diff --git a/www-apps/roundup/files/roundup-1.6.0-xss.patch b/www-apps/roundup/files/roundup-1.6.0-xss.patch
deleted file mode 100644
index 44a607e0c46..00000000000
--- a/www-apps/roundup/files/roundup-1.6.0-xss.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-changeset:   5665:ab37c1705dbf
-branch:      maint-1.6
-parent:      5635:ea35ab75a4c0
-user:        John Rouillard <rouilj@ieee.org>
-date:        Fri Mar 22 18:16:11 2019 -0400
-files:       CHANGES.txt frontends/roundup.cgi roundup/cgi/wsgi_handler.py
-description:
-Fix fix XSS issue in wsgi and cgi when handing url not found/404. issue2551035
-
-
-diff -r ea35ab75a4c0 -r ab37c1705dbf frontends/roundup.cgi
---- a/frontends/roundup.cgi	Thu Mar 07 15:42:21 2019 +0100
-+++ b/frontends/roundup.cgi	Fri Mar 22 18:16:11 2019 -0400
-@@ -179,7 +179,7 @@
-                 request.send_response(404)
-                 request.send_header('Content-Type', 'text/html')
-                 request.end_headers()
--                out.write('Not found: %s'%client.path)
-+                out.write('Not found: %s'%cgi.escape(client.path))
- 
-     else:
-         import urllib
-diff -r ea35ab75a4c0 -r ab37c1705dbf roundup/cgi/wsgi_handler.py
---- a/roundup/cgi/wsgi_handler.py	Thu Mar 07 15:42:21 2019 +0100
-+++ b/roundup/cgi/wsgi_handler.py	Fri Mar 22 18:16:11 2019 -0400
-@@ -66,7 +66,7 @@
-             client.main()
-         except roundup.cgi.client.NotFound:
-             request.start_response([('Content-Type', 'text/html')], 404)
--            request.wfile.write('Not found: %s'%client.path)
-+            request.wfile.write('Not found: %s'%cgi.escape(client.path))
- 
-         # all body data has been written using wfile
-         return []
-

diff --git a/www-apps/roundup/metadata.xml b/www-apps/roundup/metadata.xml
index 0942edd0187..499f901ab9c 100644
--- a/www-apps/roundup/metadata.xml
+++ b/www-apps/roundup/metadata.xml
@@ -13,4 +13,9 @@
 		<remote-id type="pypi">roundup</remote-id>
 		<remote-id type="sourceforge">roundup</remote-id>
 	</upstream>
+	<use>
+		<flag name="tz">Enable full support of timezone</flag>
+		<flag name="xapian">Enable Xapian full-text indexer</flag>
+		<flag name="whoosh">Enable Whoosh full-text indexer</flag>
+	</use>
 </pkgmetadata>

diff --git a/www-apps/roundup/roundup-1.6.0-r1.ebuild b/www-apps/roundup/roundup-1.6.1.ebuild
similarity index 62%
rename from www-apps/roundup/roundup-1.6.0-r1.ebuild
rename to www-apps/roundup/roundup-1.6.1.ebuild
index 4e1c93d0283..eebb51a675b 100644
--- a/www-apps/roundup/roundup-1.6.0-r1.ebuild
+++ b/www-apps/roundup/roundup-1.6.1.ebuild
@@ -13,18 +13,20 @@ SRC_URI="mirror://pypi/${PN:0:1}/${PN}/${P}.tar.gz"
 LICENSE="MIT ZPL"
 SLOT="0"
 KEYWORDS="~amd64 ~ppc ~sparc ~x86"
+IUSE="+tz sqlite mysql postgres xapian whoosh ssl"
 
 DEPEND=""
-RDEPEND="${DEPEND}"
+RDEPEND="${DEPEND}
+	tz? ( dev-python/pytz[$PYTHON_USEDEP] )
+	sqlite? ( dev-lang/python:*[sqlite] )
+	mysql? ( dev-python/mysql-python[$PYTHON_USEDEP] )
+	postgres? ( >=dev-python/psycopg-1.1.21[$PYTHON_USEDEP] )
+	xapian? ( >=dev-libs/xapian-bindings-1.0.0[python,$PYTHON_USEDEP] )
+	whoosh? ( >=dev-python/whoosh-2.5.7[$PYTHON_USEDEP] )
+	ssl? ( dev-python/pyopenssl[$PYTHON_USEDEP] )"
 
 DOCS="CHANGES.txt doc/*.txt"
 
-PATCHES=(
-	"${FILESDIR}/${P}-configparser.patch"
-	"${FILESDIR}/${P}-csrf-headers.patch"
-	"${FILESDIR}/${P}-xss.patch"
-)
-
 python_install_all() {
 	distutils-r1_python_install_all
 	rm -r "${ED}"/usr/share/doc/${PN} || die
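
Review bot: `sqlite? ( dev-lang/python:*[sqlite] )` in the new RDEPEND is satisfied by any installed Python slot built with sqlite, not necessarily the interpreter roundup is installed for; the usual form is `PYTHON_REQ_USE="sqlite?"`, set before the Python eclass is inherited. The `$PYTHON_USEDEP` references would conventionally be written `${PYTHON_USEDEP}`. Separately, this hunk removes the `PATCHES` array that carried the configparser, CSRF-header and XSS fixes, and the commit message ("Version bumps") does not say that 1.6.1 contains them; state that explicitly in the message, or keep the patches until it is confirmed.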

