authorV3n3RiX <venerix@redcorelinux.org>2019-04-05 21:17:31 +0100
committerV3n3RiX <venerix@redcorelinux.org>2019-04-05 21:17:31 +0100
commitdc7cbdfa65fd814b3b9aa3c56257da201109e807 (patch)
treec85d72f6f31f21f178069c9d41d41a7c1ff4b362 /www-apps/roundup
parent0706fc6986773f4e4d391deff4ad5143c464ea4e (diff)
gentoo resync : 05.04.2019
Diffstat (limited to 'www-apps/roundup')
-rw-r--r--www-apps/roundup/Manifest5
-rw-r--r--www-apps/roundup/files/roundup-1.6.0-configparser.patch40
-rw-r--r--www-apps/roundup/files/roundup-1.6.0-csrf-headers.patch150
-rw-r--r--www-apps/roundup/files/roundup-1.6.0-xss.patch35
-rw-r--r--www-apps/roundup/roundup-1.6.0-r1.ebuild (renamed from www-apps/roundup/roundup-1.6.0.ebuild)6
5 files changed, 235 insertions, 1 deletions
diff --git a/www-apps/roundup/Manifest b/www-apps/roundup/Manifest
index 698b99917b22..5976cfbdcdbf 100644
--- a/www-apps/roundup/Manifest
+++ b/www-apps/roundup/Manifest
@@ -1,5 +1,8 @@
+AUX roundup-1.6.0-configparser.patch 1159 BLAKE2B 555aac3215c1e706a89de6d85e7ee7add2284daf608bbbbcd818132f58c84a26c01e4ea6b561d3733d8b32c6524f5c4191a2522737417e88a1bdaf51f2c11f41 SHA512 961bd05fc36c00780ec7ac94d14534ccca9b492dfa524bbc62a21b15fa507f9aebc5816e28f9707e93e7bedd060506742720b2c9b1dd157ec71be8caeb48b580
+AUX roundup-1.6.0-csrf-headers.patch 7402 BLAKE2B b5c78e31a0de357f5074907271a81f66090ee4fc8d1ea49c94c511f29a8d639149e3483fd5335710bf3deca0bffb1c8ceb8f8fcf3dabd5de9efefe61b06f906c SHA512 a6cdb78a8725c8f7fc2004dd12679ac5beff34ecc5d31025344fa914827bd3c8f989731d830a38dbc98a2c9651ad0483bbb29743b29d1ed4f4f9ba5326f05341
+AUX roundup-1.6.0-xss.patch 1421 BLAKE2B 94938ffda8e83bf13e81c5b8d07579dcb6a97caae549c1f172ef081f5848648804c3f64797550f3b93e1eb24bc48b05dd78574ef02031c014d0a21c961331907 SHA512 bd265f305850bb6931f4c25fb18fd1fc06508b3e6c834814f52b25fc47a87f681600d0484ba8014915d4374ba0f32c522e1bf5b01c84fb1bd1e3166b394c704b
DIST roundup-1.5.1.tar.gz 2618886 BLAKE2B 5ccca10ce7f30b35b0875340c4cae87aa19e5384e6e5973576ea8e2de79eb83d32447580944f472d73e7cdb5f43a4ed7f805d51242e22cc2f756b3deae4004b2 SHA512 d7cdeaafb682ce7f202cacddeb1a42312f22778a2c83b52b4e838c27b1e7141a94b2ac2b670b0edee0efcfe27d74e31e6f267ae1380e90359def27385ca68d58
DIST roundup-1.6.0.tar.gz 2893499 BLAKE2B 5fe75b0953d16cebe52a25379d5a13f7745eb87e4a6a46f17945c3655394c1d1d2aff9e74783ee3e4757fc407ca2b46a7c3ef6d20eedbfb695783302fb64bf1f SHA512 1a8e9c0c7a6e607953ee91ce750f72bf53b5c6dc4bbd6d001570dd77abf396d4de2c832ef45495b87890a3c11b158be9e7a8eed635f63b5586b7bb9399856dcc
EBUILD roundup-1.5.1.ebuild 1223 BLAKE2B 7ed134153096b574ae8efd88613d28555055ba10ecde2bbcc47ffb78dc68de813b8fd6e2c8ade791b34fd69ca8ef88a4e7522cf24f26c282c463f87c3e4571af SHA512 226588bc17c7fa2726b1734d6a233c354f684d39b705f47ce3ce2b9792c6ecbe7979075861a677a6434e78caa0f5abede020a329c145ed59e112769591575a62
-EBUILD roundup-1.6.0.ebuild 736 BLAKE2B e3201ca312233101a3891b616d81b2ca1d064f10cb34937cefff3f686edc323be6d5f6f04c45f3192ebcc6a51dd03548bbe00b7547a9596dccb01a7ac67ee024 SHA512 67ed3036ab5260fe6c1399e89b7cf2cb66f48782aae872dedd44465add2130a5c006f5c40ff7cf17951ed287f57a828361d46132581d1d38ecb3d1637f979672
+EBUILD roundup-1.6.0-r1.ebuild 857 BLAKE2B 5381a9e6d13e526ec7591c9d0765c2d17bdb9eb2c387696c7f23d1f54a2ff4baad3a23bff9288f347ff34a982ea5d8fc05243af39ec34c7c406e1b2f0cafbd93 SHA512 cfe90f9195f634cef21a1465332d6368a2d30d7490f004376a2aeeb02ad804afccde6c907106b067fbce43c2fcd6e760024986c9488aaa75143363999d31ee0e
MISC metadata.xml 477 BLAKE2B 558f76b13892756e818b9931e72c1e9f2262bd214c1a8d08cd48775a474e6dd95b3a4099e5bd8ce7582560f40804fbbe93006932ac245b72f90aa54a78c9e909 SHA512 2a8912d94be88771ed0044ae823fb2027fb3f403256f8d3045b01a46f9595866a9129e85cdbc05e601a18d264b92c88648e8acc78a50ce52a4810ee7d5532999
diff --git a/www-apps/roundup/files/roundup-1.6.0-configparser.patch b/www-apps/roundup/files/roundup-1.6.0-configparser.patch
new file mode 100644
index 000000000000..6bdfc8dfaaad
--- /dev/null
+++ b/www-apps/roundup/files/roundup-1.6.0-configparser.patch
@@ -0,0 +1,40 @@
+changeset: 5625:99175953520e
+branch: maint-1.6
+parent: 5537:d698d3d843a9
+user: Joseph Myers <jsm@polyomino.org.uk>
+date: Mon Aug 20 00:50:16 2018 +0000
+files: CHANGES.txt roundup/configuration.py
+description:
+Fix issue2550994: breakage caused by configparser backports.
+
+
+diff -r d698d3d843a9 -r 99175953520e roundup/configuration.py
+--- a/roundup/configuration.py Thu Sep 06 17:04:49 2018 -0400
++++ b/roundup/configuration.py Mon Aug 20 00:50:16 2018 +0000
+@@ -2,9 +2,15 @@
+ #
+ __docformat__ = "restructuredtext"
+
+-try:
++# Some systems have a backport of the Python 3 configparser module to
++# Python 2: <https://pypi.org/project/configparser/>. That breaks
++# Roundup if used with Python 2 because it generates unicode objects
++# where not expected by the Python code. Thus, a version check is
++# used here instead of try/except.
++import sys
++if sys.version_info[0] > 2:
+ import configparser # Python 3
+-except ImportError:
++else:
+ import ConfigParser as configparser # Python 2
+
+ import getopt
+@@ -12,7 +18,6 @@
+ import logging, logging.config
+ import os
+ import re
+-import sys
+ import time
+ import smtplib
+
+
diff --git a/www-apps/roundup/files/roundup-1.6.0-csrf-headers.patch b/www-apps/roundup/files/roundup-1.6.0-csrf-headers.patch
new file mode 100644
index 000000000000..8be484d5f807
--- /dev/null
+++ b/www-apps/roundup/files/roundup-1.6.0-csrf-headers.patch
@@ -0,0 +1,150 @@
+changeset: 5629:8e3df461d316
+branch: maint-1.6
+user: John Rouillard <rouilj@ieee.org>
+date: Wed Feb 27 21:47:39 2019 -0500
+files: CHANGES.txt roundup/cgi/client.py roundup/scripts/roundup_server.py test/test_cgi.py
+description:
+issue2551023: Fix CSRF headers for use with wsgi and cgi. The
+env variable array used - separators rather than _. Compare:
+HTTP_X-REQUESTED-WITH to HTTP_X_REQUESTED_WITH. The last is
+correct. Also fix roundup-server to produce the latter form. (Patch
+by Cédric Krier)
+
+
+diff -r 64ceb9c14b28 -r 8e3df461d316 roundup/cgi/client.py
+--- a/roundup/cgi/client.py Tue Feb 12 21:31:41 2019 -0500
++++ b/roundup/cgi/client.py Wed Feb 27 21:47:39 2019 -0500
+@@ -1026,7 +1026,7 @@
+ # If required headers are missing, raise an error
+ for header in header_names:
+ if (config["WEB_CSRF_ENFORCE_HEADER_%s"%header] == 'required'
+- and "HTTP_%s"%header not in self.env):
++ and "HTTP_%s" % header.replace('-', '_') not in self.env):
+ logger.error(self._("csrf header %s required but missing for user%s."), header, current_user)
+ raise Unauthorised, self._("Missing header: %s")%header
+
+@@ -1062,9 +1062,9 @@
+ header_pass += 1
+
+ enforce=config['WEB_CSRF_ENFORCE_HEADER_X-FORWARDED-HOST']
+- if 'HTTP_X-FORWARDED-HOST' in self.env:
++ if 'HTTP_X_FORWARDED_HOST' in self.env:
+ if enforce != "no":
+- host = self.env['HTTP_X-FORWARDED-HOST']
++ host = self.env['HTTP_X_FORWARDED_HOST']
+ foundat = self.base.find('://' + host + '/')
+ # 4 means self.base has http:/ prefix, 5 means https:/ prefix
+ if foundat not in [4, 5]:
+@@ -1111,7 +1111,7 @@
+ # Note we do not use CSRF nonces for xmlrpc requests.
+ #
+ # see: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Protecting_REST_Services:_Use_of_Custom_Request_Headers
+- if 'HTTP_X-REQUESTED-WITH' not in self.env:
++ if 'HTTP_X_REQUESTED_WITH' not in self.env:
+ logger.error(self._("csrf X-REQUESTED-WITH xmlrpc required header check failed for user%s."), current_user)
+ raise UsageError, self._("Required Header Missing")
+
+diff -r 64ceb9c14b28 -r 8e3df461d316 roundup/scripts/roundup_server.py
+--- a/roundup/scripts/roundup_server.py Tue Feb 12 21:31:41 2019 -0500
++++ b/roundup/scripts/roundup_server.py Wed Feb 27 21:47:39 2019 -0500
+@@ -384,8 +384,8 @@
+ # If behind a proxy, this is the hostname supplied
+ # via the Host header to the proxy. Used by core code.
+ # Controlled by the CSRF settings.
+- env['HTTP_X-FORWARDED-HOST'] = xfh
+- xff = self.headers.getheader('X-Forwarded-For', None)
++ env['HTTP_X_FORWARDED_HOST'] = xfh
++ xff = self.headers.get('X-Forwarded-For', None)
+ if xff:
+ # xff is a list of ip addresses for original client/proxies:
+ # X-Forwarded-For: clientIP, proxy1IP, proxy2IP
+@@ -394,8 +394,8 @@
+ # Made available for extensions if the user trusts it.
+ # E.g. you may wish to disable recaptcha validation extension
+ # if the ip of the client matches 172.16.0.0.
+- env['HTTP_X-FORWARDED-FOR'] = xff
+- xfp = self.headers.getheader('X-Forwarded-Proto', None)
++ env['HTTP_X_FORWARDED_FOR'] = xff
++ xfp = self.headers.get('X-Forwarded-Proto', None)
+ if xfp:
+ # xfp is the protocol (http/https) seen by proxies in the
+ # path of the request. I am not sure if there is only
+@@ -408,8 +408,8 @@
+ # May not be trustworthy. Do not use in core without
+ # config option to control its use.
+ # Made available for extensions if the user trusts it.
+- env['HTTP_X-FORWARDED-PROTO'] = xfp
+- if os.environ.has_key('CGI_SHOW_TIMING'):
++ env['HTTP_X_FORWARDED_PROTO'] = xfp
++ if 'CGI_SHOW_TIMING' in os.environ:
+ env['CGI_SHOW_TIMING'] = os.environ['CGI_SHOW_TIMING']
+ env['HTTP_ACCEPT_LANGUAGE'] = self.headers.get('accept-language')
+ referer = self.headers.get('Referer')
+@@ -420,8 +420,8 @@
+ env['HTTP_ORIGIN'] = origin
+ xrw = self.headers.get('x-requested-with')
+ if xrw:
+- env['HTTP_X-REQUESTED-WITH'] = xrw
+- range = self.headers.getheader('range')
++ env['HTTP_X_REQUESTED_WITH'] = xrw
++ range = self.headers.get('range')
+ if range:
+ env['HTTP_RANGE'] = range
+
+diff -r 64ceb9c14b28 -r 8e3df461d316 test/test_cgi.py
+--- a/test/test_cgi.py Tue Feb 12 21:31:41 2019 -0500
++++ b/test/test_cgi.py Wed Feb 27 21:47:39 2019 -0500
+@@ -888,7 +888,7 @@
+ del(cl.env['HTTP_ORIGIN'])
+ del(out[0])
+
+- cl.env['HTTP_X-FORWARDED-HOST'] = 'whoami.com'
++ cl.env['HTTP_X_FORWARDED_HOST'] = 'whoami.com'
+ # if there is an X-FORWARDED-HOST header it is used and
+ # HOST header is ignored. X-FORWARDED-HOST should only be
+ # passed/set by a proxy. In this case the HOST header is
+@@ -899,7 +899,7 @@
+ match_at=out[0].find('Redirecting to <a href="http://whoami.com/path/issue1?@ok_message')
+ print "result of subtest 4:", out[0]
+ self.assertNotEqual(match_at, -1)
+- del(cl.env['HTTP_X-FORWARDED-HOST'])
++ del(cl.env['HTTP_X_FORWARDED_HOST'])
+ del(cl.env['HTTP_HOST'])
+ del(out[0])
+
+@@ -912,14 +912,14 @@
+ del(out[0])
+
+ # try failing headers
+- cl.env['HTTP_X-FORWARDED-HOST'] = 'whoami.net'
++ cl.env['HTTP_X_FORWARDED_HOST'] = 'whoami.net'
+ # this raises an error as the header check passes and
+ # it did the edit and tries to send mail.
+ cl.inner_main()
+ match_at=out[0].find('Invalid X-FORWARDED-HOST whoami.net')
+ print "result of subtest 6:", out[0]
+ self.assertNotEqual(match_at, -1)
+- del(cl.env['HTTP_X-FORWARDED-HOST'])
++ del(cl.env['HTTP_X_FORWARDED_HOST'])
+ del(out[0])
+
+ # header checks succeed
+@@ -1031,7 +1031,7 @@
+ 'CONTENT_TYPE': 'text/plain',
+ 'HTTP_AUTHORIZATION': 'Basic YWRtaW46YWRtaW4=',
+ 'HTTP_REFERER': 'http://whoami.com/path/',
+- 'HTTP_X-REQUESTED-WITH': "XMLHttpRequest"
++ 'HTTP_X_REQUESTED_WITH': "XMLHttpRequest"
+ }, form)
+ cl.db = self.db
+ cl.base = 'http://whoami.com/path/'
+@@ -1059,7 +1059,7 @@
+ del(out[0])
+
+ # remove the X-REQUESTED-WITH header and get an xmlrpc fault returned
+- del(cl.env['HTTP_X-REQUESTED-WITH'])
++ del(cl.env['HTTP_X_REQUESTED_WITH'])
+ cl.handle_xmlrpc()
+ output="<?xml version='1.0'?>\n<methodResponse>\n<fault>\n<value><struct>\n<member>\n<name>faultCode</name>\n<value><int>1</int></value>\n</member>\n<member>\n<name>faultString</name>\n<value><string>&lt;class 'roundup.exceptions.UsageError'&gt;:Required Header Missing</string></value>\n</member>\n</struct></value>\n</fault>\n</methodResponse>\n"
+ print out[0]
+
diff --git a/www-apps/roundup/files/roundup-1.6.0-xss.patch b/www-apps/roundup/files/roundup-1.6.0-xss.patch
new file mode 100644
index 000000000000..44a607e0c46b
--- /dev/null
+++ b/www-apps/roundup/files/roundup-1.6.0-xss.patch
@@ -0,0 +1,35 @@
+changeset: 5665:ab37c1705dbf
+branch: maint-1.6
+parent: 5635:ea35ab75a4c0
+user: John Rouillard <rouilj@ieee.org>
+date: Fri Mar 22 18:16:11 2019 -0400
+files: CHANGES.txt frontends/roundup.cgi roundup/cgi/wsgi_handler.py
+description:
+Fix fix XSS issue in wsgi and cgi when handing url not found/404. issue2551035
+
+
+diff -r ea35ab75a4c0 -r ab37c1705dbf frontends/roundup.cgi
+--- a/frontends/roundup.cgi Thu Mar 07 15:42:21 2019 +0100
++++ b/frontends/roundup.cgi Fri Mar 22 18:16:11 2019 -0400
+@@ -179,7 +179,7 @@
+ request.send_response(404)
+ request.send_header('Content-Type', 'text/html')
+ request.end_headers()
+- out.write('Not found: %s'%client.path)
++ out.write('Not found: %s'%cgi.escape(client.path))
+
+ else:
+ import urllib
+diff -r ea35ab75a4c0 -r ab37c1705dbf roundup/cgi/wsgi_handler.py
+--- a/roundup/cgi/wsgi_handler.py Thu Mar 07 15:42:21 2019 +0100
++++ b/roundup/cgi/wsgi_handler.py Fri Mar 22 18:16:11 2019 -0400
+@@ -66,7 +66,7 @@
+ client.main()
+ except roundup.cgi.client.NotFound:
+ request.start_response([('Content-Type', 'text/html')], 404)
+- request.wfile.write('Not found: %s'%client.path)
++ request.wfile.write('Not found: %s'%cgi.escape(client.path))
+
+ # all body data has been written using wfile
+ return []
+
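Review bot: Both hunks call `cgi.escape(client.path)` without adding `import cgi`, and the import blocks of frontends/roundup.cgi and roundup/cgi/wsgi_handler.py are outside the hunk, so confirm the module is already imported in each file; otherwise the 404 path now raises NameError instead of returning the escaped message. `cgi.escape` leaves quotes alone by default, which is sufficient here because `client.path` lands in element text rather than an attribute, but `cgi.escape(client.path, True)` costs nothing and removes the dependence on that context. `cgi.escape` was removed in Python 3.8, so a Python 3 build of this package will need `html.escape` instead; the Python 2 print statements in the test hunks above indicate 1.6.0 is still Python 2 only, which is why this works as written.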
diff --git a/www-apps/roundup/roundup-1.6.0.ebuild b/www-apps/roundup/roundup-1.6.0-r1.ebuild
index bb623df06580..4e1c93d0283a 100644
--- a/www-apps/roundup/roundup-1.6.0.ebuild
+++ b/www-apps/roundup/roundup-1.6.0-r1.ebuild
@@ -19,6 +19,12 @@ RDEPEND="${DEPEND}"
DOCS="CHANGES.txt doc/*.txt"
+PATCHES=(
+ "${FILESDIR}/${P}-configparser.patch"
+ "${FILESDIR}/${P}-csrf-headers.patch"
+ "${FILESDIR}/${P}-xss.patch"
+)
+
python_install_all() {
distutils-r1_python_install_all
rm -r "${ED}"/usr/share/doc/${PN} || die