
From: "Cédric Krier" <cedk@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: www-apps/roundup/files/, www-apps/roundup/
Date: Fri, 05 Apr 2019 12:40:25
Message-Id: 1554467995.2e46fefc132c4394885cabc130fe9b627fe4307b.cedk@gentoo
1 commit: 2e46fefc132c4394885cabc130fe9b627fe4307b
2 Author: Cédric Krier <cedk <AT> gentoo <DOT> org>
3 AuthorDate: Fri Apr 5 12:39:55 2019 +0000
4 Commit: Cédric Krier <cedk <AT> gentoo <DOT> org>
5 CommitDate: Fri Apr 5 12:39:55 2019 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2e46fefc
7
8 www-apps/roundup: Apply patches from maint-1.6 branch
9
10 Signed-off-by: Cédric Krier <cedk <AT> gentoo.org>
11 Package-Manager: Portage-2.3.62, Repoman-2.3.11
12
13 .../roundup/files/roundup-1.6.0-configparser.patch | 40 ++++++
14 .../roundup/files/roundup-1.6.0-csrf-headers.patch | 150 +++++++++++++++++++++
15 www-apps/roundup/files/roundup-1.6.0-xss.patch | 35 +++++
16 ...oundup-1.6.0.ebuild => roundup-1.6.0-r1.ebuild} | 6 +
17 4 files changed, 231 insertions(+)
18
19 diff --git a/www-apps/roundup/files/roundup-1.6.0-configparser.patch b/www-apps/roundup/files/roundup-1.6.0-configparser.patch
20 new file mode 100644
21 index 00000000000..6bdfc8dfaaa
22 --- /dev/null
23 +++ b/www-apps/roundup/files/roundup-1.6.0-configparser.patch
24 @@ -0,0 +1,40 @@
25 +changeset: 5625:99175953520e
26 +branch: maint-1.6
27 +parent: 5537:d698d3d843a9
28 +user: Joseph Myers <jsm@×××××××××××××.uk>
29 +date: Mon Aug 20 00:50:16 2018 +0000
30 +files: CHANGES.txt roundup/configuration.py
31 +description:
32 +Fix issue2550994: breakage caused by configparser backports.
33 +
34 +
35 +diff -r d698d3d843a9 -r 99175953520e roundup/configuration.py
36 +--- a/roundup/configuration.py Thu Sep 06 17:04:49 2018 -0400
37 ++++ b/roundup/configuration.py Mon Aug 20 00:50:16 2018 +0000
38 +@@ -2,9 +2,15 @@
39 + #
40 + __docformat__ = "restructuredtext"
41 +
42 +-try:
43 ++# Some systems have a backport of the Python 3 configparser module to
44 ++# Python 2: <https://pypi.org/project/configparser/>. That breaks
45 ++# Roundup if used with Python 2 because it generates unicode objects
46 ++# where not expected by the Python code. Thus, a version check is
47 ++# used here instead of try/except.
48 ++import sys
49 ++if sys.version_info[0] > 2:
50 + import configparser # Python 3
51 +-except ImportError:
52 ++else:
53 + import ConfigParser as configparser # Python 2
54 +
55 + import getopt
56 +@@ -12,7 +18,6 @@
57 + import logging, logging.config
58 + import os
59 + import re
60 +-import sys
61 + import time
62 + import smtplib
63 +
64 +
65
66 diff --git a/www-apps/roundup/files/roundup-1.6.0-csrf-headers.patch b/www-apps/roundup/files/roundup-1.6.0-csrf-headers.patch
67 new file mode 100644
68 index 00000000000..8be484d5f80
69 --- /dev/null
70 +++ b/www-apps/roundup/files/roundup-1.6.0-csrf-headers.patch
71 @@ -0,0 +1,150 @@
72 +changeset: 5629:8e3df461d316
73 +branch: maint-1.6
74 +user: John Rouillard <rouilj@××××.org>
75 +date: Wed Feb 27 21:47:39 2019 -0500
76 +files: CHANGES.txt roundup/cgi/client.py roundup/scripts/roundup_server.py test/test_cgi.py
77 +description:
78 +issue2551023: Fix CSRF headers for use with wsgi and cgi. The
79 +env variable array used - separators rather than _. Compare:
80 +HTTP_X-REQUESTED-WITH to HTTP_X_REQUESTED_WITH. The last is
81 +correct. Also fix roundup-server to produce the latter form. (Patch
82 +by Cédric Krier)
83 +
84 +
85 +diff -r 64ceb9c14b28 -r 8e3df461d316 roundup/cgi/client.py
86 +--- a/roundup/cgi/client.py Tue Feb 12 21:31:41 2019 -0500
87 ++++ b/roundup/cgi/client.py Wed Feb 27 21:47:39 2019 -0500
88 +@@ -1026,7 +1026,7 @@
89 + # If required headers are missing, raise an error
90 + for header in header_names:
91 + if (config["WEB_CSRF_ENFORCE_HEADER_%s"%header] == 'required'
92 +- and "HTTP_%s"%header not in self.env):
93 ++ and "HTTP_%s" % header.replace('-', '_') not in self.env):
94 + logger.error(self._("csrf header %s required but missing for user%s."), header, current_user)
95 + raise Unauthorised, self._("Missing header: %s")%header
96 +
97 +@@ -1062,9 +1062,9 @@
98 + header_pass += 1
99 +
100 + enforce=config['WEB_CSRF_ENFORCE_HEADER_X-FORWARDED-HOST']
101 +- if 'HTTP_X-FORWARDED-HOST' in self.env:
102 ++ if 'HTTP_X_FORWARDED_HOST' in self.env:
103 + if enforce != "no":
104 +- host = self.env['HTTP_X-FORWARDED-HOST']
105 ++ host = self.env['HTTP_X_FORWARDED_HOST']
106 + foundat = self.base.find('://' + host + '/')
107 + # 4 means self.base has http:/ prefix, 5 means https:/ prefix
108 + if foundat not in [4, 5]:
109 +@@ -1111,7 +1111,7 @@
110 + # Note we do not use CSRF nonces for xmlrpc requests.
111 + #
112 + # see: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Protecting_REST_Services:_Use_of_Custom_Request_Headers
113 +- if 'HTTP_X-REQUESTED-WITH' not in self.env:
114 ++ if 'HTTP_X_REQUESTED_WITH' not in self.env:
115 + logger.error(self._("csrf X-REQUESTED-WITH xmlrpc required header check failed for user%s."), current_user)
116 + raise UsageError, self._("Required Header Missing")
117 +
118 +diff -r 64ceb9c14b28 -r 8e3df461d316 roundup/scripts/roundup_server.py
119 +--- a/roundup/scripts/roundup_server.py Tue Feb 12 21:31:41 2019 -0500
120 ++++ b/roundup/scripts/roundup_server.py Wed Feb 27 21:47:39 2019 -0500
121 +@@ -384,8 +384,8 @@
122 + # If behind a proxy, this is the hostname supplied
123 + # via the Host header to the proxy. Used by core code.
124 + # Controlled by the CSRF settings.
125 +- env['HTTP_X-FORWARDED-HOST'] = xfh
126 +- xff = self.headers.getheader('X-Forwarded-For', None)
127 ++ env['HTTP_X_FORWARDED_HOST'] = xfh
128 ++ xff = self.headers.get('X-Forwarded-For', None)
129 + if xff:
130 + # xff is a list of ip addresses for original client/proxies:
131 + # X-Forwarded-For: clientIP, proxy1IP, proxy2IP
132 +@@ -394,8 +394,8 @@
133 + # Made available for extensions if the user trusts it.
134 + # E.g. you may wish to disable recaptcha validation extension
135 + # if the ip of the client matches 172.16.0.0.
136 +- env['HTTP_X-FORWARDED-FOR'] = xff
137 +- xfp = self.headers.getheader('X-Forwarded-Proto', None)
138 ++ env['HTTP_X_FORWARDED_FOR'] = xff
139 ++ xfp = self.headers.get('X-Forwarded-Proto', None)
140 + if xfp:
141 + # xfp is the protocol (http/https) seen by proxies in the
142 + # path of the request. I am not sure if there is only
143 +@@ -408,8 +408,8 @@
144 + # May not be trustworthy. Do not use in core without
145 + # config option to control its use.
146 + # Made available for extensions if the user trusts it.
147 +- env['HTTP_X-FORWARDED-PROTO'] = xfp
148 +- if os.environ.has_key('CGI_SHOW_TIMING'):
149 ++ env['HTTP_X_FORWARDED_PROTO'] = xfp
150 ++ if 'CGI_SHOW_TIMING' in os.environ:
151 + env['CGI_SHOW_TIMING'] = os.environ['CGI_SHOW_TIMING']
152 + env['HTTP_ACCEPT_LANGUAGE'] = self.headers.get('accept-language')
153 + referer = self.headers.get('Referer')
154 +@@ -420,8 +420,8 @@
155 + env['HTTP_ORIGIN'] = origin
156 + xrw = self.headers.get('x-requested-with')
157 + if xrw:
158 +- env['HTTP_X-REQUESTED-WITH'] = xrw
159 +- range = self.headers.getheader('range')
160 ++ env['HTTP_X_REQUESTED_WITH'] = xrw
161 ++ range = self.headers.get('range')
162 + if range:
163 + env['HTTP_RANGE'] = range
164 +
165 +diff -r 64ceb9c14b28 -r 8e3df461d316 test/test_cgi.py
166 +--- a/test/test_cgi.py Tue Feb 12 21:31:41 2019 -0500
167 ++++ b/test/test_cgi.py Wed Feb 27 21:47:39 2019 -0500
168 +@@ -888,7 +888,7 @@
169 + del(cl.env['HTTP_ORIGIN'])
170 + del(out[0])
171 +
172 +- cl.env['HTTP_X-FORWARDED-HOST'] = 'whoami.com'
173 ++ cl.env['HTTP_X_FORWARDED_HOST'] = 'whoami.com'
174 + # if there is an X-FORWARDED-HOST header it is used and
175 + # HOST header is ignored. X-FORWARDED-HOST should only be
176 + # passed/set by a proxy. In this case the HOST header is
177 +@@ -899,7 +899,7 @@
178 + match_at=out[0].find('Redirecting to <a href="http://whoami.com/path/issue1?@ok_message')
179 + print "result of subtest 4:", out[0]
180 + self.assertNotEqual(match_at, -1)
181 +- del(cl.env['HTTP_X-FORWARDED-HOST'])
182 ++ del(cl.env['HTTP_X_FORWARDED_HOST'])
183 + del(cl.env['HTTP_HOST'])
184 + del(out[0])
185 +
186 +@@ -912,14 +912,14 @@
187 + del(out[0])
188 +
189 + # try failing headers
190 +- cl.env['HTTP_X-FORWARDED-HOST'] = 'whoami.net'
191 ++ cl.env['HTTP_X_FORWARDED_HOST'] = 'whoami.net'
192 + # this raises an error as the header check passes and
193 + # it did the edit and tries to send mail.
194 + cl.inner_main()
195 + match_at=out[0].find('Invalid X-FORWARDED-HOST whoami.net')
196 + print "result of subtest 6:", out[0]
197 + self.assertNotEqual(match_at, -1)
198 +- del(cl.env['HTTP_X-FORWARDED-HOST'])
199 ++ del(cl.env['HTTP_X_FORWARDED_HOST'])
200 + del(out[0])
201 +
202 + # header checks succeed
203 +@@ -1031,7 +1031,7 @@
204 + 'CONTENT_TYPE': 'text/plain',
205 + 'HTTP_AUTHORIZATION': 'Basic YWRtaW46YWRtaW4=',
206 + 'HTTP_REFERER': 'http://whoami.com/path/',
207 +- 'HTTP_X-REQUESTED-WITH': "XMLHttpRequest"
208 ++ 'HTTP_X_REQUESTED_WITH': "XMLHttpRequest"
209 + }, form)
210 + cl.db = self.db
211 + cl.base = 'http://whoami.com/path/'
212 +@@ -1059,7 +1059,7 @@
213 + del(out[0])
214 +
215 + # remove the X-REQUESTED-WITH header and get an xmlrpc fault returned
216 +- del(cl.env['HTTP_X-REQUESTED-WITH'])
217 ++ del(cl.env['HTTP_X_REQUESTED_WITH'])
218 + cl.handle_xmlrpc()
219 + output="<?xml version='1.0'?>\n<methodResponse>\n<fault>\n<value><struct>\n<member>\n<name>faultCode</name>\n<value><int>1</int></value>\n</member>\n<member>\n<name>faultString</name>\n<value><string>&lt;class 'roundup.exceptions.UsageError'&gt;:Required Header Missing</string></value>\n</member>\n</struct></value>\n</fault>\n</methodResponse>\n"
220 + print out[0]
221 +
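Review bot: The canonicalization on the changed line in client.py, `"HTTP_%s" % header.replace('-', '_')`, only swaps dashes and relies on every entry of `header_names` already being upper-case, while CGI and WSGI gateways also upper-case the name when they build the `HTTP_*` variable; `header_names` is defined outside the hunk, so the check is only correct if that list is all upper-case. A gateway-agnostic form is `"HTTP_%s" % header.upper().replace('-', '_')`, which still leaves the human-readable `header` intact for the log and error messages on the next two lines. The `WEB_CSRF_ENFORCE_HEADER_%s` config lookup is unaffected since it keys on the dashed name, as the later `X-FORWARDED-HOST` lookup shows. The enclosing method starts and ends outside the hunk.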
222
223 diff --git a/www-apps/roundup/files/roundup-1.6.0-xss.patch b/www-apps/roundup/files/roundup-1.6.0-xss.patch
224 new file mode 100644
225 index 00000000000..44a607e0c46
226 --- /dev/null
227 +++ b/www-apps/roundup/files/roundup-1.6.0-xss.patch
228 @@ -0,0 +1,35 @@
229 +changeset: 5665:ab37c1705dbf
230 +branch: maint-1.6
231 +parent: 5635:ea35ab75a4c0
232 +user: John Rouillard <rouilj@××××.org>
233 +date: Fri Mar 22 18:16:11 2019 -0400
234 +files: CHANGES.txt frontends/roundup.cgi roundup/cgi/wsgi_handler.py
235 +description:
236 +Fix fix XSS issue in wsgi and cgi when handing url not found/404. issue2551035
237 +
238 +
239 +diff -r ea35ab75a4c0 -r ab37c1705dbf frontends/roundup.cgi
240 +--- a/frontends/roundup.cgi Thu Mar 07 15:42:21 2019 +0100
241 ++++ b/frontends/roundup.cgi Fri Mar 22 18:16:11 2019 -0400
242 +@@ -179,7 +179,7 @@
243 + request.send_response(404)
244 + request.send_header('Content-Type', 'text/html')
245 + request.end_headers()
246 +- out.write('Not found: %s'%client.path)
247 ++ out.write('Not found: %s'%cgi.escape(client.path))
248 +
249 + else:
250 + import urllib
251 +diff -r ea35ab75a4c0 -r ab37c1705dbf roundup/cgi/wsgi_handler.py
252 +--- a/roundup/cgi/wsgi_handler.py Thu Mar 07 15:42:21 2019 +0100
253 ++++ b/roundup/cgi/wsgi_handler.py Fri Mar 22 18:16:11 2019 -0400
254 +@@ -66,7 +66,7 @@
255 + client.main()
256 + except roundup.cgi.client.NotFound:
257 + request.start_response([('Content-Type', 'text/html')], 404)
258 +- request.wfile.write('Not found: %s'%client.path)
259 ++ request.wfile.write('Not found: %s'%cgi.escape(client.path))
260 +
261 + # all body data has been written using wfile
262 + return []
263 +
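Review bot: Both changed lines call `cgi.escape`, but neither file hunk adds an `import cgi`, so unless frontends/roundup.cgi and roundup/cgi/wsgi_handler.py already import it the 404 path now raises NameError and the escaped message is never sent; the import lines are outside the hunk, so confirm it exists in each file. `cgi.escape` defaults to `quote=False`, which is sufficient here because the path is written into element text rather than an attribute value, but `cgi.escape` was removed in Python 3.8, so a Python 3 port will need `html.escape(client.path)`; the code is Python 2 only for now, given the `print` statements and `raise X, y` syntax elsewhere in this commit. Both enclosing handlers start and end outside the hunk.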
264
265 diff --git a/www-apps/roundup/roundup-1.6.0.ebuild b/www-apps/roundup/roundup-1.6.0-r1.ebuild
266 similarity index 85%
267 rename from www-apps/roundup/roundup-1.6.0.ebuild
268 rename to www-apps/roundup/roundup-1.6.0-r1.ebuild
269 index bb623df0658..4e1c93d0283 100644
270 --- a/www-apps/roundup/roundup-1.6.0.ebuild
271 +++ b/www-apps/roundup/roundup-1.6.0-r1.ebuild
272 @@ -19,6 +19,12 @@ RDEPEND="${DEPEND}"
273
274 DOCS="CHANGES.txt doc/*.txt"
275
276 +PATCHES=(
277 + "${FILESDIR}/${P}-configparser.patch"
278 + "${FILESDIR}/${P}-csrf-headers.patch"
279 + "${FILESDIR}/${P}-xss.patch"
280 +)
281 +
282 python_install_all() {
283 distutils-r1_python_install_all
284 rm -r "${ED}"/usr/share/doc/${PN} || die