commit: 2e46fefc132c4394885cabc130fe9b627fe4307b |
Author: Cédric Krier <cedk <AT> gentoo <DOT> org> |
AuthorDate: Fri Apr 5 12:39:55 2019 +0000 |
Commit: Cédric Krier <cedk <AT> gentoo <DOT> org> |
CommitDate: Fri Apr 5 12:39:55 2019 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2e46fefc |
|
www-apps/roundup: Apply patches from maint-1.6 branch |
|
Signed-off-by: Cédric Krier <cedk <AT> gentoo.org> |
Package-Manager: Portage-2.3.62, Repoman-2.3.11 |
|
.../roundup/files/roundup-1.6.0-configparser.patch | 40 ++++++ |
.../roundup/files/roundup-1.6.0-csrf-headers.patch | 150 +++++++++++++++++++++ |
www-apps/roundup/files/roundup-1.6.0-xss.patch | 35 +++++ |
...oundup-1.6.0.ebuild => roundup-1.6.0-r1.ebuild} | 6 + |
4 files changed, 231 insertions(+) |
|
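--- /dev/null
+++ b/www-apps/roundup/files/roundup-1.6.0-configparser.patch
@@ -0,0 +1,40 @@
+changeset: 5625:99175953520e
+branch: maint-1.6
+parent: 5537:d698d3d843a9
+user: Joseph Myers <jsm@×××××××××××××.uk>
+date: Mon Aug 20 00:50:16 2018 +0000
+files: CHANGES.txt roundup/configuration.py
+description:
+Fix issue2550994: breakage caused by configparser backports.
+
+
+diff -r d698d3d843a9 -r 99175953520e roundup/configuration.py
+--- a/roundup/configuration.py Thu Sep 06 17:04:49 2018 -0400
++++ b/roundup/configuration.py Mon Aug 20 00:50:16 2018 +0000
+@@ -2,9 +2,15 @@
+ #
+ __docformat__ = "restructuredtext"
+
+-try:
++# Some systems have a backport of the Python 3 configparser module to
++# Python 2: <https://pypi.org/project/configparser/>. That breaks
++# Roundup if used with Python 2 because it generates unicode objects
++# where not expected by the Python code. Thus, a version check is
++# used here instead of try/except.
++import sys
++if sys.version_info[0] > 2:
+ import configparser # Python 3
+-except ImportError:
++else:
+ import ConfigParser as configparser # Python 2
+
+ import getopt
+@@ -12,7 +18,6 @@
+ import logging, logging.config
+ import os
+ import re
+-import sys
+ import time
+ import smtplib
+
+
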
66 |
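--- /dev/null
+++ b/www-apps/roundup/files/roundup-1.6.0-csrf-headers.patch
@@ -0,0 +1,150 @@
+changeset: 5629:8e3df461d316
+branch: maint-1.6
+user: John Rouillard <rouilj@××××.org>
+date: Wed Feb 27 21:47:39 2019 -0500
+files: CHANGES.txt roundup/cgi/client.py roundup/scripts/roundup_server.py test/test_cgi.py
+description:
+issue2551023: Fix CSRF headers for use with wsgi and cgi. The
+env variable array used - separators rather than _. Compare:
+HTTP_X-REQUESTED-WITH to HTTP_X_REQUESTED_WITH. The last is
+correct. Also fix roundup-server to produce the latter form. (Patch
+by Cédric Krier)
+
+
+diff -r 64ceb9c14b28 -r 8e3df461d316 roundup/cgi/client.py
+--- a/roundup/cgi/client.py Tue Feb 12 21:31:41 2019 -0500
++++ b/roundup/cgi/client.py Wed Feb 27 21:47:39 2019 -0500
+@@ -1026,7 +1026,7 @@
+ # If required headers are missing, raise an error
+ for header in header_names:
+ if (config["WEB_CSRF_ENFORCE_HEADER_%s"%header] == 'required'
+- and "HTTP_%s"%header not in self.env):
++ and "HTTP_%s" % header.replace('-', '_') not in self.env):
+ logger.error(self._("csrf header %s required but missing for user%s."), header, current_user)
+ raise Unauthorised, self._("Missing header: %s")%header
+
+@@ -1062,9 +1062,9 @@
+ header_pass += 1
+
+ enforce=config['WEB_CSRF_ENFORCE_HEADER_X-FORWARDED-HOST']
+- if 'HTTP_X-FORWARDED-HOST' in self.env:
++ if 'HTTP_X_FORWARDED_HOST' in self.env:
+ if enforce != "no":
+- host = self.env['HTTP_X-FORWARDED-HOST']
++ host = self.env['HTTP_X_FORWARDED_HOST']
+ foundat = self.base.find('://' + host + '/')
+ # 4 means self.base has http:/ prefix, 5 means https:/ prefix
+ if foundat not in [4, 5]:
+@@ -1111,7 +1111,7 @@
+ # Note we do not use CSRF nonces for xmlrpc requests.
+ #
+ # see: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Protecting_REST_Services:_Use_of_Custom_Request_Headers
+- if 'HTTP_X-REQUESTED-WITH' not in self.env:
++ if 'HTTP_X_REQUESTED_WITH' not in self.env:
+ logger.error(self._("csrf X-REQUESTED-WITH xmlrpc required header check failed for user%s."), current_user)
+ raise UsageError, self._("Required Header Missing")
+
+diff -r 64ceb9c14b28 -r 8e3df461d316 roundup/scripts/roundup_server.py
+--- a/roundup/scripts/roundup_server.py Tue Feb 12 21:31:41 2019 -0500
++++ b/roundup/scripts/roundup_server.py Wed Feb 27 21:47:39 2019 -0500
+@@ -384,8 +384,8 @@
+ # If behind a proxy, this is the hostname supplied
+ # via the Host header to the proxy. Used by core code.
+ # Controlled by the CSRF settings.
+- env['HTTP_X-FORWARDED-HOST'] = xfh
+- xff = self.headers.getheader('X-Forwarded-For', None)
++ env['HTTP_X_FORWARDED_HOST'] = xfh
++ xff = self.headers.get('X-Forwarded-For', None)
+ if xff:
+ # xff is a list of ip addresses for original client/proxies:
+ # X-Forwarded-For: clientIP, proxy1IP, proxy2IP
+@@ -394,8 +394,8 @@
+ # Made available for extensions if the user trusts it.
+ # E.g. you may wish to disable recaptcha validation extension
+ # if the ip of the client matches 172.16.0.0.
+- env['HTTP_X-FORWARDED-FOR'] = xff
+- xfp = self.headers.getheader('X-Forwarded-Proto', None)
++ env['HTTP_X_FORWARDED_FOR'] = xff
++ xfp = self.headers.get('X-Forwarded-Proto', None)
+ if xfp:
+ # xfp is the protocol (http/https) seen by proxies in the
+ # path of the request. I am not sure if there is only
+@@ -408,8 +408,8 @@
+ # May not be trustworthy. Do not use in core without
+ # config option to control its use.
+ # Made available for extensions if the user trusts it.
+- env['HTTP_X-FORWARDED-PROTO'] = xfp
+- if os.environ.has_key('CGI_SHOW_TIMING'):
++ env['HTTP_X_FORWARDED_PROTO'] = xfp
++ if 'CGI_SHOW_TIMING' in os.environ:
+ env['CGI_SHOW_TIMING'] = os.environ['CGI_SHOW_TIMING']
+ env['HTTP_ACCEPT_LANGUAGE'] = self.headers.get('accept-language')
+ referer = self.headers.get('Referer')
+@@ -420,8 +420,8 @@
+ env['HTTP_ORIGIN'] = origin
+ xrw = self.headers.get('x-requested-with')
+ if xrw:
+- env['HTTP_X-REQUESTED-WITH'] = xrw
+- range = self.headers.getheader('range')
++ env['HTTP_X_REQUESTED_WITH'] = xrw
++ range = self.headers.get('range')
+ if range:
+ env['HTTP_RANGE'] = range
+
+diff -r 64ceb9c14b28 -r 8e3df461d316 test/test_cgi.py
+--- a/test/test_cgi.py Tue Feb 12 21:31:41 2019 -0500
++++ b/test/test_cgi.py Wed Feb 27 21:47:39 2019 -0500
+@@ -888,7 +888,7 @@
+ del(cl.env['HTTP_ORIGIN'])
+ del(out[0])
+
+- cl.env['HTTP_X-FORWARDED-HOST'] = 'whoami.com'
++ cl.env['HTTP_X_FORWARDED_HOST'] = 'whoami.com'
+ # if there is an X-FORWARDED-HOST header it is used and
+ # HOST header is ignored. X-FORWARDED-HOST should only be
+ # passed/set by a proxy. In this case the HOST header is
+@@ -899,7 +899,7 @@
+ match_at=out[0].find('Redirecting to <a href="http://whoami.com/path/issue1?@ok_message')
+ print "result of subtest 4:", out[0]
+ self.assertNotEqual(match_at, -1)
+- del(cl.env['HTTP_X-FORWARDED-HOST'])
++ del(cl.env['HTTP_X_FORWARDED_HOST'])
+ del(cl.env['HTTP_HOST'])
+ del(out[0])
+
+@@ -912,14 +912,14 @@
+ del(out[0])
+
+ # try failing headers
+- cl.env['HTTP_X-FORWARDED-HOST'] = 'whoami.net'
++ cl.env['HTTP_X_FORWARDED_HOST'] = 'whoami.net'
+ # this raises an error as the header check passes and
+ # it did the edit and tries to send mail.
+ cl.inner_main()
+ match_at=out[0].find('Invalid X-FORWARDED-HOST whoami.net')
+ print "result of subtest 6:", out[0]
+ self.assertNotEqual(match_at, -1)
+- del(cl.env['HTTP_X-FORWARDED-HOST'])
++ del(cl.env['HTTP_X_FORWARDED_HOST'])
+ del(out[0])
+
+ # header checks succeed
+@@ -1031,7 +1031,7 @@
+ 'CONTENT_TYPE': 'text/plain',
+ 'HTTP_AUTHORIZATION': 'Basic YWRtaW46YWRtaW4=',
+ 'HTTP_REFERER': 'http://whoami.com/path/',
+- 'HTTP_X-REQUESTED-WITH': "XMLHttpRequest"
++ 'HTTP_X_REQUESTED_WITH': "XMLHttpRequest"
+ }, form)
+ cl.db = self.db
+ cl.base = 'http://whoami.com/path/'
+@@ -1059,7 +1059,7 @@
+ del(out[0])
+
+ # remove the X-REQUESTED-WITH header and get an xmlrpc fault returned
+- del(cl.env['HTTP_X-REQUESTED-WITH'])
++ del(cl.env['HTTP_X_REQUESTED_WITH'])
+ cl.handle_xmlrpc()
+ output="<?xml version='1.0'?>\n<methodResponse>\n<fault>\n<value><struct>\n<member>\n<name>faultCode</name>\n<value><int>1</int></value>\n</member>\n<member>\n<name>faultString</name>\n<value><string><class 'roundup.exceptions.UsageError'>:Required Header Missing</string></value>\n</member>\n</struct></value>\n</fault>\n</methodResponse>\n"
+ print out[0]
+
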
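Review bot: The translation `"HTTP_%s" % header.replace('-', '_')` in the client.py check loop is the only generic one; the same CGI spelling is then hand-written in two more places in client.py (`HTTP_X_FORWARDED_HOST`, `HTTP_X_REQUESTED_WITH`) and in four `env[...]` assignments in roundup_server.py, so a header added later can once again be checked under a name that a real CGI/WSGI gateway never produces. A small helper shared by the check loop and the server, `def _cgi_header_name(name): return 'HTTP_' + name.upper().replace('-', '_')`, would keep them in lockstep; `header_names` is defined outside the hunk, so whether its entries are already upper-case (as the CGI environment requires) cannot be confirmed from here. It is also worth recording, in the CHANGES entry or a comment above the `if 'HTTP_X_FORWARDED_HOST' in self.env:` line, that the dashed key could never appear in a real CGI environment, so under wsgi/cgi a header configured as `required` always raised Unauthorised and the X-Forwarded-Host comparison against `self.base` never ran — operators behind a proxy may see that check fire for the first time after this revision. The enclosing methods in client.py and the request handler in roundup_server.py start and end outside the hunks.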
223 |
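--- /dev/null
+++ b/www-apps/roundup/files/roundup-1.6.0-xss.patch
@@ -0,0 +1,35 @@
+changeset: 5665:ab37c1705dbf
+branch: maint-1.6
+parent: 5635:ea35ab75a4c0
+user: John Rouillard <rouilj@××××.org>
+date: Fri Mar 22 18:16:11 2019 -0400
+files: CHANGES.txt frontends/roundup.cgi roundup/cgi/wsgi_handler.py
+description:
+Fix fix XSS issue in wsgi and cgi when handing url not found/404. issue2551035
+
+
+diff -r ea35ab75a4c0 -r ab37c1705dbf frontends/roundup.cgi
+--- a/frontends/roundup.cgi Thu Mar 07 15:42:21 2019 +0100
++++ b/frontends/roundup.cgi Fri Mar 22 18:16:11 2019 -0400
+@@ -179,7 +179,7 @@
+ request.send_response(404)
+ request.send_header('Content-Type', 'text/html')
+ request.end_headers()
+- out.write('Not found: %s'%client.path)
++ out.write('Not found: %s'%cgi.escape(client.path))
+
+ else:
+ import urllib
+diff -r ea35ab75a4c0 -r ab37c1705dbf roundup/cgi/wsgi_handler.py
+--- a/roundup/cgi/wsgi_handler.py Thu Mar 07 15:42:21 2019 +0100
++++ b/roundup/cgi/wsgi_handler.py Fri Mar 22 18:16:11 2019 -0400
+@@ -66,7 +66,7 @@
+ client.main()
+ except roundup.cgi.client.NotFound:
+ request.start_response([('Content-Type', 'text/html')], 404)
+- request.wfile.write('Not found: %s'%client.path)
++ request.wfile.write('Not found: %s'%cgi.escape(client.path))
+
+ # all body data has been written using wfile
+ return []
+
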
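Review bot: Both `cgi.escape(client.path)` calls rely on the `cgi` module already being imported in frontends/roundup.cgi and roundup/cgi/wsgi_handler.py, and neither hunk shows that import; if either file lacks `import cgi`, the 404 path now fails with NameError instead of rendering, so the import should be confirmed in both files before this is shipped. `cgi.escape` is deprecated since Python 3.2 and removed in 3.8 — acceptable for this Python 2 branch (the commit's other patches use `raise X, msg` and `print` statements), but a note such as `# cgi.escape is gone in py3.8; use html.escape when porting` at the call sites would save the next maintainer a regression, and because `escape` defaults to `quote=False` the call should become `cgi.escape(client.path, True)` if the path is ever placed inside an attribute. Both responses send `text/html` with no charset, so a path containing non-ASCII bytes is reflected under whatever encoding the client guesses; `request.send_header('Content-Type', 'text/html; charset=utf-8')` (and the matching tuple in the wsgi `start_response`) would pin it. The enclosing handlers begin before the hunks.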
265 |
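--- a/www-apps/roundup/roundup-1.6.0.ebuild
+++ b/www-apps/roundup/roundup-1.6.0-r1.ebuild
@@ -19,6 +19,12 @@ RDEPEND="${DEPEND}"
 
 DOCS="CHANGES.txt doc/*.txt"
 
+PATCHES=(
+ "${FILESDIR}/${P}-configparser.patch"
+ "${FILESDIR}/${P}-csrf-headers.patch"
+ "${FILESDIR}/${P}-xss.patch"
+)
+
 python_install_all() {
 distutils-r1_python_install_all
 rm -r "${ED}"/usr/share/doc/${PN} || die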