| changeset | 646ba821f63e |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | feat: add TIMING option, python install dir setting, more cleanups Add commented out sys.path.append(...) for user to change location of roundup libraries. Add TIMING global to control output of timing information. Some more ruff cleanups and remove from __future__ import print_function. This is Python 3 for pete's sake. |
| files |
| changeset | 5fbf6451a782 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | bug: harden header/environment values for roundup-server and cgi If the environment (cgi) or header variables (server) have values with characters outside of the printable ascii range (chr(32-126)), return HTTP 400 error. This is overly strict but nothing that Roundup looks at requires a larger range. When deploying with wsgi and Zope, server software should verify proper values. This fix was riggered by the waitress wsgi server bug: https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4 which was caused by incorrect validation of header values resulting in a the proxy and waitress having different interpretations of what the header meant. My testing of the roundup.cgi script is to use a cgi->wsgi wrapper and run it under wsgi (using waitress). I need to try it under a real server that can run cgi. It looks like python http.server --cgi is missing definitions of HTTP_HOST and other required CGI variables. That's probably why the --cgi option was removed, but it leaves me without a good way to test. Maybe https://github.com/mdklatt/pytest-cgi could be used to test that front end? Arguably CGI is old, but cheap hosting still allows it. |
| files |
| changeset | 978285986b2c |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | fix: issue2551193 - Fix roundup for removal of cgi and cgitb ... standard python modules (and FieldStorage/MiniFieldStorage). Vendor cgi.py and modify imports. Details: roundup/anypy/cgi_.py import that accesses a working cgi.py. All imports dealing with cgi now use cgi_. roundup/anypy/vendored/cgi.py vendored version 2.6 of cgi.py from: https://pypi.org/project/legacy-cgi/ CHANGES.txt change note added COPYING.txt added license for cgi.py doc/rest.txt change example to use cgi_ doc/upgrading.txt doc removal and how to rework local code using cgi.py. frontends/roundup.cgi remove unneeded cgi import roundup/cgi/actions.py roundup/cgi/apache.py roundup/cgi/client.py roundup/cgi/templating.py roundup/cgi/TAL/TALGenerator.py test/db_test_base.py test/rest_common.py test/test_cgi.py remove import cgi and replace with from roundup.anypy.cgi_ import cgi test/test_actions.py test/test_templating.py modify import to get *FieldStorage test/test_admin.py test/test_hyperdbvals.py test/test_xmlrpc.py remove unneeded cgi import |
| files |
| changeset | 032e5db8bf2f |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Convert cgi.escape to use html_escape from roundup.anypy.html Update for vendoring of cgi. |
| files |
| changeset | ab37c1705dbf |
|---|---|
| branch | maint-1.6 |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Fix fix XSS issue in wsgi and cgi when handing url not found/404. issue2551035 |
| files |
| changeset | 5579fa034f9e |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Fix fix XSS issue in wsgi and cgi when handing url not found/404. issue2551035 |
| files |
| changeset | e0c83bf2e628 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Joseph Myers <jsm@polyomino.org.uk> |
| description | Handle str/bytes issues for Python 3 for roundup.cgi. |
| files |
| changeset | 1ab2c81a64df |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Joseph Myers <jsm@polyomino.org.uk> |
| description | Python 3 preparation: avoid string.join(). |
| files |
| changeset | 86b6cea7a975 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Joseph Myers <jsm@polyomino.org.uk> |
| description | Python 3 preparation: avoid string.split(). |
| files |
| changeset | 55f09ca366c4 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Joseph Myers <jsm@polyomino.org.uk> |
| description | Python 3 preparation: StringIO. This generally arranges for StringIO and cStringIO references to use io.StringIO for Python 3 but io.BytesIO for Python 2, consistent with the string representations generally used in Roundup. A special FasterStringIO in the TAL code, which referenced internals of the old Python 2 StringIO module, is cut down so it doesn't actually do anything beyond the StringIO class it inherits from (it would also be reasonable to remove FasterStringIO completely). One place in roundup_server.py clearly needing binary I/O is made to use io.BytesIO unconditionally. |
| files |
| changeset | c75defc1c2f0 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Joseph Myers <jsm@polyomino.org.uk> |
| description | Python 3 preparation: miscellaneous Python scripts not named *.py. |
| files |
| changeset | 92757447dcf0 |
|---|---|
| branch | routing |
| bookmark | |
| tag | |
| user | anatoly techtonik <techtonik@gmail.com> |
| description | Remove PATH_INFO hacks that strip leading slash PATH_INFO should always start with '/' when not empty, see http://tools.ietf.org/html/rfc3875#section-4.1.5 Instead, do leading slash stripping inside cgi.client |
| files |
| changeset | 52b0e416f0bc |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Ralf Schlatterbeck <rsc@runtux.com> |
| description | Fix typo |
| files |
| changeset | 6e3e4f24c753 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Eric S. Raymond <esr@thyrsus.com> |
| description | Remove keyword expansions from CVS. All regression tests passed afterwards. |
| files |
| changeset | 58306b1b01c9 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Richard Jones <richard@users.sourceforge.net> |
| description | frontends/roundup.cgi got out of sync with the roundup.cgi.Client API |
| files |
| changeset | 74aebbbea305 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Richard Jones <richard@users.sourceforge.net> |
| description | Sorry for the mega-patch - was all done on the train: - handling of required for booelan False and numeric 0 [SF#1608200] - removed bogus args attr of ConfigurationError [SF#1608056] - implemented start_response in roundup.cgi [SF#1604304] |
| files |
| changeset | a2d22d0de0bc |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Richard Jones <richard@users.sourceforge.net> |
| description | WSGI support via roundup.cgi.wsgi_handler |
| files |