changeset 5950:116d1f048194

merge code changes from fork
author John Rouillard <rouilj@ieee.org>
date Wed, 23 Oct 2019 13:41:01 -0400
parents 573b688fffeb (current diff) 33914dd1160f (diff)
children 0a42163ac846
diffstat 3 files changed, 36 insertions(+), 16 deletions(-) [+]
--- a/roundup/cgi/client.py	Wed Oct 23 13:39:47 2019 -0400
+++ b/roundup/cgi/client.py	Wed Oct 23 13:41:01 2019 -0400
@@ -1145,7 +1145,7 @@
             state on the server (one nonce per form per
             page). If you have multiple forms/page this can
             lead to abandoned csrf tokens that have to time
-            out and get cleaned up.But you lose per form
+            out and get cleaned up. But you lose per form
             tokens which may be an advantage. Also the HMAC
             is constant for the session, so provides more
             occasions for it to be exposed.
@@ -1157,7 +1157,7 @@
             A session token lifetime is settable in
             config.ini.  A future enhancement to the
             creation routines should allow for the requester
-            of the token to set the lifetime.t
+            of the token to set the lifetime.
 
             The unique session key and user id is stored
             with the token. The token is valid if the stored
@@ -1187,7 +1187,7 @@
 
         # Assume: never allow changes via GET
         if self.env['REQUEST_METHOD'] not in ['POST', 'PUT', 'DELETE']:
-            if "@csrf" in self.form:
+            if (self.form.list is not None) and ("@csrf" in self.form):
                 # We have a nonce being used with a method it should
                 # not be. If the nonce exists, report to admin so they
                 # can fix the nonce leakage and destroy it. (nonces
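Review bot: The new guard reads `self.form.list` without first checking that `self.form` exists, and it has no comment saying why the extra test is needed. A `cgi.FieldStorage` whose `list` is None is not indexable, so the `in` test would raise for a request without form fields; presumably that is what the guard avoids, and a comment such as `# FieldStorage with list None is not indexable; treat it as having no @csrf field` would record it. The wsgi_handler.py change in this commit passes `form = None` for OPTIONS, and OPTIONS reaches this branch because it is not POST, PUT or DELETE. If Client does not replace that None with an empty form, `self.form.list` raises AttributeError before the nonce check runs; that initialisation is outside the hunk and should be confirmed. The enclosing method starts and ends outside the hunk.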
--- a/roundup/cgi/templating.py	Wed Oct 23 13:39:47 2019 -0400
+++ b/roundup/cgi/templating.py	Wed Oct 23 13:41:01 2019 -0400
@@ -1153,11 +1153,16 @@
 
                 arg_s = '<br />'.join(cell)
             else:
-                # unkown event!!
-                comments['unknown'] = self._(
-                    "<strong><em>This event is not handled"
-                    " by the history display!</em></strong>")
-                arg_s = '<strong><em>' + str(args) + '</em></strong>'
+                if action in ( 'retired', 'restored' ):
+                    # args = None for these actions
+                    pass
+                else:
+                    # unknown event!!
+                    comments['unknown'] = self._(
+                        "<strong><em>This event %s is not handled"
+                        " by the history display!</em></strong>"%action)
+                    arg_s = '<strong><em>' + str(args) + '</em></strong>'
+
             date_s = date_s.replace(' ', '&nbsp;')
             # if the user's an itemid, figure the username (older journals
             # have the username)
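Review bot: In the unknown-event branch the `% action` is applied inside the `self._()` call, so the translation lookup receives the already-interpolated string and cannot match a catalog entry. Translate first and interpolate afterwards, i.e. close the `self._(` call after the second string literal and then apply `% action`. Both `action` and `str(args)` are placed between literal `<strong><em>` tags without HTML-escaping; whether journal entries can carry user-influenced text is not visible here, so escaping both before they are concatenated into markup is the safer default. The `retired`/`restored` branch assigns nothing to `arg_s`; if it is not reset per journal entry earlier in the loop (outside the hunk), the value from the previous entry would be displayed.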
--- a/roundup/cgi/wsgi_handler.py	Wed Oct 23 13:39:47 2019 -0400
+++ b/roundup/cgi/wsgi_handler.py	Wed Oct 23 13:41:01 2019 -0400
@@ -14,6 +14,9 @@
 from roundup.cgi import TranslationService
 from roundup.anypy import http_
 from roundup.anypy.strings import s2b, bs2b
+
+from roundup.cgi.client import BinaryFieldStorage
+
 BaseHTTPRequestHandler = http_.server.BaseHTTPRequestHandler
 DEFAULT_ERROR_MESSAGE = http_.server.DEFAULT_ERROR_MESSAGE
 
@@ -69,13 +72,18 @@
         request.headers = Headers(environ)
 
         if environ ['REQUEST_METHOD'] == 'OPTIONS':
-            code = 501
-            message, explain = BaseHTTPRequestHandler.responses[code]
-            request.start_response([('Content-Type', 'text/html'),
-                ('Connection', 'close')], code)
-            request.wfile.write(s2b(DEFAULT_ERROR_MESSAGE % locals()))
-            return []
-
+            if environ["PATH_INFO"][:5] == "/rest":
+                # rest does support options
+                # This I hope will result in self.form=None
+                environ['CONTENT_LENGTH'] = 0
+            else:
+                code = 501
+                message, explain = BaseHTTPRequestHandler.responses[code]
+                request.start_response([('Content-Type', 'text/html'),
+                                        ('Connection', 'close')], code)
+                request.wfile.write(s2b(DEFAULT_ERROR_MESSAGE % locals()))
+                return []
+        
         tracker = roundup.instance.open(self.home, not self.debug)
 
         # need to strip the leading '/'
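Review bot: The test `environ["PATH_INFO"][:5] == "/rest"` is a bare prefix match, so any path that merely begins with those five characters (for example `/restfoo`) skips the 501 response and is passed on to the tracker as an OPTIONS request. It also raises KeyError when the server omits an empty `PATH_INFO`, which WSGI permits. A stricter form is `path = environ.get("PATH_INFO", "")` followed by `if path == "/rest" or path.startswith("/rest/"):`. `environ['CONTENT_LENGTH'] = 0` stores an int where WSGI environ values are strings; `'0'` keeps the type consistent for later readers. The comment "This I hope will result in self.form=None" should be replaced with a statement of what actually happens once that is verified.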
@@ -83,7 +91,14 @@
         if request.timing:
             environ["CGI_SHOW_TIMING"] = request.timing
 
-        form = cgi.FieldStorage(fp=environ['wsgi.input'], environ=environ)
+        form = BinaryFieldStorage(fp=environ['wsgi.input'], environ=environ)
+
+        if environ ['REQUEST_METHOD'] in ("OPTIONS", "DELETE"):
+            # these methods have no data. When we init tracker.Client
+            # set form to None and request.rfile to None to get a
+            # properly initialized empty form.
+            form = None
+            request.rfile = None
 
         client = tracker.Client(tracker, request, environ, form,
             request.translator)
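Review bot: `BinaryFieldStorage(fp=environ['wsgi.input'], environ=environ)` is still constructed for OPTIONS and DELETE and only afterwards thrown away, so a body sent with a DELETE request is read and parsed before `form = None` discards it. Only OPTIONS on `/rest` has its `CONTENT_LENGTH` zeroed earlier in this function; DELETE has no such treatment. Putting the method check first and moving the constructor into its `else:` branch avoids parsing input that these methods are documented here as not having. The existing comment could also note that `request.rfile = None` is what keeps Client from reading the body itself, if that is the intent; Client's initialisation is outside this hunk.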
