[Python-modules-commits] [twisted] 09/10: Fix insecure PYTHONPATH example. Closes #605190, #605192.
Free Ekanayaka
freee at moszumanska.debian.org
Fri Oct 21 10:09:06 UTC 2016
This is an automated email from the git hooks/post-receive script.
freee pushed a commit to branch master
in repository twisted.
commit 9f4802741b509c6960adcd96c73444d465ac8951
Author: Free Ekanayaka <freee at debian.org>
Date: Fri Oct 21 09:23:58 2016 +0000
Fix insecure PYTHONPATH example. Closes #605190, #605192.
---
debian/patches/0001-wxpython3.0.patch | 36 +++++++++
debian/patches/0002-combinedlog.patch | 103 ++++++++++++++++++++++++++
debian/patches/0003-sphinx-theme.patch | 22 ++++++
debian/patches/0005-insecure-pythonpath.patch | 26 +++++++
debian/patches/series | 1 +
5 files changed, 188 insertions(+)
diff --git a/debian/patches/0001-wxpython3.0.patch b/debian/patches/0001-wxpython3.0.patch
new file mode 100644
index 0000000..5800fe3
--- /dev/null
+++ b/debian/patches/0001-wxpython3.0.patch
@@ -0,0 +1,36 @@
+From: Matthias Klose <doko at debian.org>
+Date: Thu, 20 Oct 2016 04:34:06 +0000
+Subject: wxpython3.0
+
+Fix imports from the wx package.
+---
+ twisted/internet/wxreactor.py | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/twisted/internet/wxreactor.py b/twisted/internet/wxreactor.py
+index 71e861a..6713de0 100644
+--- a/twisted/internet/wxreactor.py
++++ b/twisted/internet/wxreactor.py
+@@ -25,11 +25,11 @@ real applications.
+
+ import Queue
+ try:
+- from wx import PySimpleApp as wxPySimpleApp, CallAfter as wxCallAfter, \
++ from wx import App as wxApp, CallAfter as wxCallAfter, \
+ Timer as wxTimer
+ except ImportError:
+ # older version of wxPython:
+- from wxPython.wx import wxPySimpleApp, wxCallAfter, wxTimer
++ from wxPython.wx import wxApp, wxCallAfter, wxTimer
+
+ from twisted.python import log, runtime
+ from twisted.internet import _threadedselect
+@@ -125,7 +125,7 @@ class WxReactor(_threadedselect.ThreadedSelectReactor):
+ if not hasattr(self, "wxapp"):
+ log.msg("registerWxApp() was not called on reactor, "
+ "registering my own wxApp instance.")
+- self.registerWxApp(wxPySimpleApp())
++ self.registerWxApp(wxApp(False))
+
+ # start select() thread:
+ self.interleave(self._runInMainThread,
diff --git a/debian/patches/0002-combinedlog.patch b/debian/patches/0002-combinedlog.patch
new file mode 100644
index 0000000..54993e3
--- /dev/null
+++ b/debian/patches/0002-combinedlog.patch
@@ -0,0 +1,103 @@
+From: Matthias Klose <doko at debian.org>
+Date: Thu, 20 Oct 2016 04:34:06 +0000
+Subject: combinedlog
+
+Preserve backward-compatibility in the way the client IP of a request
+is logged by the twisted.web HTTP server.
+
+Bug: https://twistedmatrix.com/trac/ticket/7730
+Bug-Debian https://bugs.debian.org/772629
+---
+ twisted/web/http.py | 2 +-
+ twisted/web/test/test_web.py | 16 ++++++++--------
+ 2 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/twisted/web/http.py b/twisted/web/http.py
+index c7caba3..148fb86 100644
+--- a/twisted/web/http.py
++++ b/twisted/web/http.py
+@@ -2143,7 +2143,7 @@ def combinedLogFormatter(timestamp, request):
+ referrer = _escape(request.getHeader(b"referer") or b"-")
+ agent = _escape(request.getHeader(b"user-agent") or b"-")
+ line = (
+- u'"%(ip)s" - - %(timestamp)s "%(method)s %(uri)s %(protocol)s" '
++ u'%(ip)s - - %(timestamp)s "%(method)s %(uri)s %(protocol)s" '
+ u'%(code)d %(length)s "%(referrer)s" "%(agent)s"' % dict(
+ ip=_escape(request.getClientIP() or b"-"),
+ timestamp=timestamp,
+diff --git a/twisted/web/test/test_web.py b/twisted/web/test/test_web.py
+index 6f10648..f2cb628 100644
+--- a/twisted/web/test/test_web.py
++++ b/twisted/web/test/test_web.py
+@@ -1185,7 +1185,7 @@ class AccessLogTestsMixin(object):
+
+ self.assertEqual(
+ # Client IP
+- b'"1.2.3.4" '
++ b'1.2.3.4 '
+ # Some blanks we never fill in
+ b'- - '
+ # The current time (circa 1234567890)
+@@ -1285,7 +1285,7 @@ class CombinedLogFormatterTests(unittest.TestCase):
+
+ line = http.combinedLogFormatter(timestamp, request)
+ self.assertEqual(
+- u'"evil x-forwarded-for \\x80" - - [13/Feb/2009:23:31:30 +0000] '
++ u'evil x-forwarded-for \\x80 - - [13/Feb/2009:23:31:30 +0000] '
+ u'"POS\\x81 /dummy HTTP/1.0" 123 - "evil \\x83" "evil \\x84"',
+ line)
+
+@@ -1377,7 +1377,7 @@ class LogEscapingTests(unittest.TestCase):
+ self.site._logDateTime = "[%02d/%3s/%4d:%02d:%02d:%02d +0000]" % (
+ 25, 'Oct', 2004, 12, 31, 59)
+ self.assertLogs(
+- b'"1.2.3.4" - - [25/Oct/2004:12:31:59 +0000] '
++ b'1.2.3.4 - - [25/Oct/2004:12:31:59 +0000] '
+ b'"GET /dummy HTTP/1.0" 123 - "-" "-"\n')
+
+
+@@ -1389,7 +1389,7 @@ class LogEscapingTests(unittest.TestCase):
+ 25, 'Oct', 2004, 12, 31, 59)
+ self.request.method = b'G"T'
+ self.assertLogs(
+- b'"1.2.3.4" - - [25/Oct/2004:12:31:59 +0000] '
++ b'1.2.3.4 - - [25/Oct/2004:12:31:59 +0000] '
+ b'"G\\"T /dummy HTTP/1.0" 123 - "-" "-"\n')
+
+
+@@ -1401,7 +1401,7 @@ class LogEscapingTests(unittest.TestCase):
+ 25, 'Oct', 2004, 12, 31, 59)
+ self.request.uri = b'/dummy"withquote'
+ self.assertLogs(
+- b'"1.2.3.4" - - [25/Oct/2004:12:31:59 +0000] '
++ b'1.2.3.4 - - [25/Oct/2004:12:31:59 +0000] '
+ b'"GET /dummy\\"withquote HTTP/1.0" 123 - "-" "-"\n')
+
+
+@@ -1413,7 +1413,7 @@ class LogEscapingTests(unittest.TestCase):
+ 25, 'Oct', 2004, 12, 31, 59)
+ self.request.clientproto = b'HT"P/1.0'
+ self.assertLogs(
+- b'"1.2.3.4" - - [25/Oct/2004:12:31:59 +0000] '
++ b'1.2.3.4 - - [25/Oct/2004:12:31:59 +0000] '
+ b'"GET /dummy HT\\"P/1.0" 123 - "-" "-"\n')
+
+
+@@ -1428,7 +1428,7 @@ class LogEscapingTests(unittest.TestCase):
+ b'referer',
+ b'http://malicious" ".website.invalid')
+ self.assertLogs(
+- b'"1.2.3.4" - - [25/Oct/2004:12:31:59 +0000] '
++ b'1.2.3.4 - - [25/Oct/2004:12:31:59 +0000] '
+ b'"GET /dummy HTTP/1.0" 123 - '
+ b'"http://malicious\\" \\".website.invalid" "-"\n')
+
+@@ -1443,7 +1443,7 @@ class LogEscapingTests(unittest.TestCase):
+ self.request.requestHeaders.addRawHeader(b'user-agent',
+ b'Malicious Web" Evil')
+ self.assertLogs(
+- b'"1.2.3.4" - - [25/Oct/2004:12:31:59 +0000] '
++ b'1.2.3.4 - - [25/Oct/2004:12:31:59 +0000] '
+ b'"GET /dummy HTTP/1.0" 123 - "-" "Malicious Web\\" Evil"\n')
+
+
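Review bot: Removing the quotes around `%(ip)s` in `combinedLogFormatter` leaves the first field of the access-log line undelimited, and the updated expectation in `CombinedLogFormatterTests` (`u'evil x-forwarded-for \\x80 - - [13/Feb/2009:23:31:30 +0000] '`) shows that a client-address value containing spaces passes through `_escape()` with the spaces intact. A consumer that splits the line on whitespace will then shift every later field, so if the address can be derived from a forwarding header (the test string suggests this, but the hunk does not show it), anything parsing these logs for detection or analytics has to treat it as untrusted. If the unquoted form must stay for compatibility, say so above the format string, e.g. `# ip is unquoted for backward compatibility; _escape() keeps spaces, so the value must be a single token`, or reject values containing whitespace before formatting. The body of `combinedLogFormatter` starts and ends outside the inner hunk.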
diff --git a/debian/patches/0003-sphinx-theme.patch b/debian/patches/0003-sphinx-theme.patch
new file mode 100644
index 0000000..a676350
--- /dev/null
+++ b/debian/patches/0003-sphinx-theme.patch
@@ -0,0 +1,22 @@
+From: Matthias Klose <doko at debian.org>
+Date: Thu, 20 Oct 2016 04:34:07 +0000
+Subject: sphinx-theme
+
+Set the sphinx theme.
+---
+ docs/conf.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/docs/conf.py b/docs/conf.py
+index 1679d0c..5f498b2 100644
+--- a/docs/conf.py
++++ b/docs/conf.py
+@@ -120,6 +120,8 @@ on_rtd = os.environ.get('READTHEDOCS', None) == 'True'
+ if not on_rtd:
+ html_theme = 'twistedtrac'
+
++html_theme = 'twisteddefault'
++
+ # Theme options are theme-specific and customize the look and feel of a theme
+ # further. For a list of options available for each theme, see the
+ # documentation.
diff --git a/debian/patches/0005-insecure-pythonpath.patch b/debian/patches/0005-insecure-pythonpath.patch
new file mode 100644
index 0000000..2916708
--- /dev/null
+++ b/debian/patches/0005-insecure-pythonpath.patch
@@ -0,0 +1,26 @@
+From: Free Ekanayaka <free.ekanayaka at gmail.com>
+Date: Fri, 21 Oct 2016 09:21:44 +0000
+Subject: insecure-pythonpath
+
+Fix vulnerable example of PYTHONPATH.
+
+Forwarded: no
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605190
+---
+ docs/core/howto/quotes.rst | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/docs/core/howto/quotes.rst b/docs/core/howto/quotes.rst
+index 163d67b..d171a07 100644
+--- a/docs/core/howto/quotes.rst
++++ b/docs/core/howto/quotes.rst
+@@ -65,7 +65,8 @@ following:
+ #. Add the ``TwistedQuotes`` directory's *parent* to your Python
+ path. For example, if the TwistedQuotes directory's path is
+ ``/mystuff/TwistedQuotes`` or ``c:\mystuff\TwistedQuotes``
+- add ``/mystuff`` to your Python path. On UNIX this would be ``export PYTHONPATH=/mystuff:$PYTHONPATH`` , on Microsoft
++ add ``/mystuff`` to your Python path. On UNIX this would be ``export PYTHONPATH=/mystuff${PYTHONPATH:+:$PYTHONPATH}
++`` , on Microsoft
+ Windows change the ``PYTHONPATH`` variable through the
+ Systems Properties dialog by adding ``;c:\mystuff`` at the
+ end.
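Review bot: The replacement line in `docs/core/howto/quotes.rst` splits the inline literal. Its closing double backticks start the following line (the `on Microsoft` line), apparently at column 0 as shown here, so the literal is not terminated directly after `${PYTHONPATH:+:$PYTHONPATH}` and the continuation drops out of the list item's indentation. Because the point of this fix is a command readers can copy safely, keep `export PYTHONPATH=/mystuff${PYTHONPATH:+:$PYTHONPATH}` and its closing marker on one line and re-wrap the surrounding prose instead. It would also help to add a sentence explaining why this form is used: when `PYTHONPATH` is unset, the old example left a trailing empty entry, which Python treats as the current directory.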
diff --git a/debian/patches/series b/debian/patches/series
index 852dafe..aa529d4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@
0002-combinedlog.patch
0003-sphinx-theme.patch
0004-localIntersphinx.patch
+0005-insecure-pythonpath.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/python-modules/packages/twisted.git