File 69707bb1aa.patch of Package python-Twisted.12278
From 9a35e728d8a49934f886fc99cb636b3339720c89 Mon Sep 17 00:00:00 2001
From: "Amber Brown (HawkOwl)" <hawkowl@atleastfornow.net>
Date: Wed, 10 Aug 2016 20:49:08 +0800
Subject: [PATCH 1/3] fix pyflakes
---
 twisted/web/test/test_cgi.py | 2 --
 1 file changed, 2 deletions(-)
Index: Twisted-15.2.1/twisted/web/test/test_cgi.py
===================================================================
--- Twisted-15.2.1.orig/twisted/web/test/test_cgi.py
+++ Twisted-15.2.1/twisted/web/test/test_cgi.py
@@ -5,13 +5,15 @@
 Tests for L{twisted.web.twcgi}.
 """
-import sys, os
+import sys
+import os
+import json
 from twisted.trial import unittest
 from twisted.internet import reactor, interfaces, error
 from twisted.python import util, failure, log
 from twisted.web.http import NOT_FOUND, INTERNAL_SERVER_ERROR
-from twisted.web import client, twcgi, server, resource
+from twisted.web import client, twcgi, server, resource, http_headers
 from twisted.web.test._util import _render
 from twisted.web.test.test_web import DummyRequest
@@ -73,6 +75,15 @@
 print
 print "cgi output"
 '''
+HEADER_OUTPUT_CGI = '''\
+import json
+import os
+print("")
+print("")
+vals = {x:y for x,y in os.environ.items() if x.startswith("HTTP_")}
+print(json.dumps(vals))
+'''
+
 class PythonScript(twcgi.FilteredScript):
 filter = sys.executable
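Review bot: The environment dump in HEADER_OUTPUT_CGI keeps only variables whose name starts with `HTTP_`, so a `Proxy` request header that the server exports under an unprefixed name such as `PROXY` would not appear in the JSON and would not be seen by test_noProxyPassthrough in the following hunk. Widening the filter to `vals = {x:y for x,y in os.environ.items() if x.startswith("HTTP_") or x == "PROXY"}` leaves the test's set assertion unchanged while making it sensitive to that case. A one-line comment above the constant, `# CGI script that echoes the request-derived environment as JSON`, would also tell readers what the fixture is for before they reach the test.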
@@ -154,6 +165,32 @@ class CGITests(unittest.TestCase):
 return factory.deferred
+ def test_noProxyPassthrough(self):
+ """
+ The CGI script is never called with the Proxy header passed through.
+ """
+ cgiFilename = self.writeCGI(HEADER_OUTPUT_CGI)
+
+ portnum = self.startServer(cgiFilename)
+ url = "http://localhost:%d/cgi" % (portnum,)
+
+ agent = client.Agent(reactor)
+
+ headers = http_headers.Headers({"Proxy": ["foo"],
+ "X-Innocent-Header": ["bar"]})
+ d = agent.request("GET", url, headers=headers)
+
+ def checkResponse(response):
+ headers = json.loads(response)
+ self.assertEqual(
+ set(headers.keys()),
+ {"HTTP_HOST", "HTTP_CONNECTION", "HTTP_X_INNOCENT_HEADER"})
+
+ d.addCallback(client.readBody)
+ d.addCallback(checkResponse)
+ return d
+
+
 def test_duplicateHeaderCGI(self):
 """
 If a CGI script emits two instances of the same header, both are sent in
Index: Twisted-15.2.1/twisted/web/topfiles/8623.bugfix
===================================================================
--- /dev/null
+++ Twisted-15.2.1/twisted/web/topfiles/8623.bugfix
@@ -0,0 +1 @@
+twisted.web.twcgi.CGIScript will now not pass the "Proxy" header to CGI scripts, as a mitigation to CVE-2016-1000111.
Index: Twisted-15.2.1/twisted/web/twcgi.py
===================================================================
--- Twisted-15.2.1.orig/twisted/web/twcgi.py
+++ Twisted-15.2.1/twisted/web/twcgi.py
@@ -116,7 +116,7 @@ class CGIScript(resource.Resource):
 # Propagate HTTP headers
 for title, header in request.getAllHeaders().items():
 envname = title.replace('-', '_').upper()
- if title not in ('content-type', 'content-length'):
+ if title not in ('content-type', 'content-length', 'proxy'):
 envname = "HTTP_" + envname
 env[envname] = header
 # Propagate our environment
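Review bot: Adding `'proxy'` to the tuple only suppresses the `HTTP_` prefix; the context line `env[envname] = header` still executes for that header, so as far as the hunk shows the client-supplied value still reaches the script as a `PROXY` environment variable (indentation is flattened in this rendering, so this is read from the context lines rather than seen directly). The 8623.bugfix entry says the header is not passed at all, so the loop body should skip it before building the name: `if title == 'proxy':` followed by `continue` as the first statement of the loop, keeping the original two-element tuple. The test in the earlier hunk would only detect this once its environment filter also reports `PROXY`. The enclosing method starts and ends outside the hunk.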