community/patchwork: upgrade to 2.1.4

3 files changed, 154 insertions, 107 deletions

diff --git a/community/patchwork/APKBUILD b/community/patchwork/APKBUILD
index 6cc8e9a1c1..22c9f523bb 100644
--- a/community/patchwork/APKBUILD
+++ b/community/patchwork/APKBUILD
@@ -1,35 +1,42 @@
 # Con#tributor: Francesco Colista <fcolista@alpinelinux.org>
 # Maintainer: Francesco Colista <fcolista@alpinelinux.org>
 pkgname=patchwork
-pkgver=2.0.1
-pkgrel=1
+pkgver=2.1.4
+pkgrel=0
 pkgdesc="Web-based patch tracking system"
 url="https://github.com/getpatchwork/patchwork"
 arch="noarch"
-license="GPL"
+license="GPL-2.0-or-later"
 options="!check"
-depends="py-django py-django-registration git py-psycopg2"
-subpackages="$pkgname-doc $pkgname-uwsgi-apache2:apache2_wsgi $pkgname-uwsgi-nginx:nginx_wsgi $pkgname-mysql
-	$pkgname-postgresql pwclient:pwclient"
-source="$pkgname-$pkgver.tar.gz::https://github.com/getpatchwork/$pkgname/archive/v$pkgver.tar.gz
+depends="
+	py3-django<2.0
+	py3-django-rest-framework<3.9
+	py3-django-filter<2.0.1
+	py3-psycopg2<2.8
+	py3-sqlparse
+	"
+subpackages="
+	$pkgname-doc
+	$pkgname-uwsgi-apache2:apache2_wsgi
+	$pkgname-uwsgi-nginx:nginx_wsgi
+	$pkgname-mysql
+	$pkgname-postgresql
+	pwclient:pwclient
+	"
+source="patchwork-$pkgver.tar.gz::https://github.com/getpatchwork/patchwork/archive/v$pkgver.tar.gz
 	0001-support-busybox-readlink.patch
 	0002-remove-uneeded-bashism-from-tools-and-change-path.patch
 	nginx-uwsgi-patchwork-conf.ini
 	nginx-patchwork.conf
-	CVE-2019-13122.patch"
+	py-django-rest-framwork-py-django-filter.patch
+	"
 
-builddir="$srcdir"/$pkgname-$pkgver
 
 # secfixes:
 #   2.0.1-r1:
 #     - CVE-2019-13122
 
-build() {
-	return 0
-}
-
 package() {
-	cd "$builddir"
 	mkdir -p "$pkgdir"/usr/share/webapps/$pkgname
 	install -Dm644 COPYING \
 		"$pkgdir"/usr/share/doc/$pkgname/COPYING
@@ -80,9 +87,9 @@ pwclient() {
 		"$subpkgdir"/usr/bin/pwclient
 }
 
-sha512sums="95dcfcdf19de0a65a77ab4274de82457c969e3a65705da25cbec742e4d6671e51e629d5366d47ee510a1ac622afde3e2637fa4a013fd576a66808be75a7e84b5  patchwork-2.0.1.tar.gz
+sha512sums="e15e1b2b9d386d98f74d55efcc805ecad827be40610c993245d3ac13d04b655a264bf0ebe7ec83b929db52059a9dd13c49bd56676a5c1d2f25d965b310bccfb0  patchwork-2.1.4.tar.gz
 5facc2c2620b2d614011bcdc06bb481fb1481c79333579e5a7fa5b8bc4f97d1651cc8c4632a5e150b62674d64c00345341229319f1edb2016721868e84146826  0001-support-busybox-readlink.patch
 f6d3590b3ac53797e0ae25fe50ab0935608be5ded44665599cbc91e93558895eddc6a7a717153d81fc194b314d7854686577ef5ecf9e0302b7824ce3b3863f7b  0002-remove-uneeded-bashism-from-tools-and-change-path.patch
 28911a25e00a254237f7214fb681e5e984a2eae331e610be62967d5e246958e0f8d3f84861d8fd17c1190c1df72a25f28ddb33843b3679a3864beb00cb4b4961  nginx-uwsgi-patchwork-conf.ini
 862dd2522236a0b18d2a8d06f1ad91ad0fd0936fa502d95e09556641e67d42e1212821bfd7fb98923e4fe8b8a7369ded8c23831fb496b1e2833d9831c1b23725  nginx-patchwork.conf
-fb1e70245d285e725a85d8c37a97ba5d393ccd7c1704130be9d518a44721e23ffe85345e325ef172bc23c959a3159b113616c5ecd8b80c560730a79177272f8a  CVE-2019-13122.patch"
+47f040f80836bf5e8c0c5d5a95e7cf6c5d9714437eac2f6c6e927ca6b346b86eb50b87e7deace33e3d1cd11ab6c74146e725aac835a1355864a5e5e9179b0082  py-django-rest-framwork-py-django-filter.patch"
diff --git a/community/patchwork/CVE-2019-13122.patch b/community/patchwork/CVE-2019-13122.patch
deleted file mode 100644
index 4c23714a2c..0000000000
--- a/community/patchwork/CVE-2019-13122.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From 556f750d8d723791fded3476bcd9885d4b97355b Mon Sep 17 00:00:00 2001

-From: Andrew Donnellan <ajd@linux.ibm.com>

-Date: Mon, 1 Jul 2019 15:28:03 +1000

-Subject: [PATCH 1/2] templatetags: Do not mark output of msgid tag as safe

-

-The msgid template tag exists to remove angle brackets from either side of

-the Message-ID header.

-

-It also marks its output as safe, meaning it does not get autoescaped by

-Django templating.

-

-Its output is not safe. A maliciously crafted email can include HTML tags

-inside the Message-ID header, and as long as the angle brackets are not at

-the start and end of the header, we will quite happily render them.

-

-Rather than using mark_safe(), use escape() to explicitly escape the

-Message-ID.

-

-Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>

----

- patchwork/templatetags/patch.py | 3 ++-

- 1 file changed, 2 insertions(+), 1 deletion(-)

-

-diff --git a/patchwork/templatetags/patch.py b/patchwork/templatetags/patch.py

-index ea5a71de362f..757f873b6043 100644

---- a/patchwork/templatetags/patch.py

-+++ b/patchwork/templatetags/patch.py

-@@ -5,6 +5,7 @@

- # SPDX-License-Identifier: GPL-2.0-or-later

- 

- from django import template

-+from django.utils.html import escape

- from django.utils.safestring import mark_safe

- from django.template.defaultfilters import stringfilter

- 

-@@ -64,4 +65,4 @@ def patch_checks(patch):

- @register.filter

- @stringfilter

- def msgid(value):

--    return mark_safe(value.strip('<>'))

-+    return escape(value.strip('<>'))

--- 

-2.20.1

-

-From 3bf1aa7568a9a1f08f13ed28c5ac6102841bd4dd Mon Sep 17 00:00:00 2001

-From: Andrew Donnellan <ajd@linux.ibm.com>

-Date: Mon, 1 Jul 2019 18:04:53 +1000

-Subject: [PATCH 2/2] tests: Add test for unescaped values in patch detail page

-

-Add a test to check whether we are escaping values from the Patch model on

-the patch detail page.

-

-This test shouldn't be relied upon as proof that we've escaped everything

-correctly, but may help catch regressions.

-

-Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>

----

- patchwork/tests/test_detail.py | 17 +++++++++++++++++

- 1 file changed, 17 insertions(+)

-

-diff --git a/patchwork/tests/test_detail.py b/patchwork/tests/test_detail.py

-index 4ca1c9cda2f9..18408ecb95f6 100644

---- a/patchwork/tests/test_detail.py

-+++ b/patchwork/tests/test_detail.py

-@@ -34,6 +34,23 @@ class PatchViewTest(TestCase):

-         response = self.client.get(requested_url)

-         self.assertRedirects(response, redirect_url)

- 

-+    def test_escaping(self):

-+        # Warning: this test doesn't guarantee anything - it only tests some

-+        # fields

-+        unescaped_string = 'blah<b>TEST</b>blah'

-+        patch = create_patch()

-+        patch.diff = unescaped_string

-+        patch.commit_ref = unescaped_string

-+        patch.pull_url = unescaped_string

-+        patch.name = unescaped_string

-+        patch.msgid = unescaped_string

-+        patch.headers = unescaped_string

-+        patch.content = unescaped_string

-+        patch.save()

-+        requested_url = reverse('patch-detail', kwargs={'patch_id': patch.id})

-+        response = self.client.get(requested_url)

-+        self.assertNotIn('<b>TEST</b>'.encode('utf-8'), response.content)

-+

- 

- class CommentRedirectTest(TestCase):

- 

--- 

-2.20.1

-

diff --git a/community/patchwork/py-django-rest-framwork-py-django-filter.patch b/community/patchwork/py-django-rest-framwork-py-django-filter.patch
new file mode 100644
index 0000000000..84755de9ee
--- /dev/null
+++ b/community/patchwork/py-django-rest-framwork-py-django-filter.patch
@@ -0,0 +1,131 @@
+diff --git a/patchwork/api/bundle.py b/patchwork/api/bundle.py
+index b0005da..14c109b 100644
+--- a/patchwork/api/bundle.py
++++ b/patchwork/api/bundle.py
+@@ -81,7 +81,7 @@ class BundleMixin(object):
+ class BundleList(BundleMixin, ListAPIView):
+     """List bundles."""
+ 
+-    filter_class = BundleFilterSet
++    filter_class = filterset_class = BundleFilterSet
+     search_fields = ('name',)
+     ordering_fields = ('id', 'name', 'owner')
+     ordering = 'id'
+diff --git a/patchwork/api/check.py b/patchwork/api/check.py
+index 1498abb..5873649 100644
+--- a/patchwork/api/check.py
++++ b/patchwork/api/check.py
+@@ -93,7 +93,7 @@ class CheckSerializer(HyperlinkedModelSerializer):
+ class CheckMixin(object):
+ 
+     serializer_class = CheckSerializer
+-    filter_class = CheckFilterSet
++    filter_class = filterset_class = CheckFilterSet
+ 
+     def get_queryset(self):
+         patch_id = self.kwargs['patch_id']
+diff --git a/patchwork/api/cover.py b/patchwork/api/cover.py
+index b497fd8..53f9135 100644
+--- a/patchwork/api/cover.py
++++ b/patchwork/api/cover.py
+@@ -97,7 +97,7 @@ class CoverLetterList(ListAPIView):
+     """List cover letters."""
+ 
+     serializer_class = CoverLetterListSerializer
+-    filter_class = CoverLetterFilterSet
++    filter_class = filterset_class = CoverLetterFilterSet
+     search_fields = ('name',)
+     ordering_fields = ('id', 'name', 'date', 'submitter')
+     ordering = 'id'
+diff --git a/patchwork/api/event.py b/patchwork/api/event.py
+index cce25a7..5b290e5 100644
+--- a/patchwork/api/event.py
++++ b/patchwork/api/event.py
+@@ -89,7 +89,7 @@ class EventList(ListAPIView):
+     """List events."""
+ 
+     serializer_class = EventSerializer
+-    filter_class = EventFilterSet
++    filter_class = filterset_class = EventFilterSet
+     page_size_query_param = None  # fixed page size
+     ordering_fields = ()
+     ordering = '-date'
+diff --git a/patchwork/api/patch.py b/patchwork/api/patch.py
+index 7b8e12e..46371f4 100644
+--- a/patchwork/api/patch.py
++++ b/patchwork/api/patch.py
+@@ -179,7 +179,7 @@ class PatchList(ListAPIView):
+ 
+     permission_classes = (PatchworkPermission,)
+     serializer_class = PatchListSerializer
+-    filter_class = PatchFilterSet
++    filter_class = filterset_class = PatchFilterSet
+     search_fields = ('name',)
+     ordering_fields = ('id', 'name', 'project', 'date', 'state', 'archived',
+                        'submitter', 'check')
+diff --git a/patchwork/api/series.py b/patchwork/api/series.py
+index 14768ef..16a6490 100644
+--- a/patchwork/api/series.py
++++ b/patchwork/api/series.py
+@@ -76,7 +76,7 @@ class SeriesMixin(object):
+ class SeriesList(SeriesMixin, ListAPIView):
+     """List series."""
+ 
+-    filter_class = SeriesFilterSet
++    filter_class = filterset_class = SeriesFilterSet
+     search_fields = ('name',)
+     ordering_fields = ('id', 'name', 'date', 'submitter', 'received_all')
+     ordering = 'id'
+diff --git a/patchwork/compat.py b/patchwork/compat.py
+index 3bbff44..d1d89c1 100644
+--- a/patchwork/compat.py
++++ b/patchwork/compat.py
+@@ -46,16 +46,35 @@ if settings.ENABLE_REST_API:
+ # The django-filter library renamed 'Filter.name' to 'Filter.field_name' in
+ # 1.1.
+ #
++# DjangoFilterBackend
++
++# The django-filter library changed the default strictness level in 2.0
++#
+ # https://django-filter.readthedocs.io/en/master/guide/migration.html#migrating-to-2-0
+ 
+ if settings.ENABLE_REST_API:
+     import django_filters  # noqa
++    from django_filters import rest_framework  # noqa
++    from rest_framework import exceptions  # noqa
+ 
+     if django_filters.VERSION >= (1, 1):
+         NAME_FIELD = 'field_name'
+     else:
+         NAME_FIELD = 'name'
+ 
++    if django_filters.VERSION >= (2, 0):
++        # TODO(stephenfin): Enable strict mode in API v2.0, possibly with a
++        # bump in the minimum version of django-filter [1]
++        #
++        # [1] https://github.com/carltongibson/django-filter/pull/983
++        class DjangoFilterBackend(rest_framework.DjangoFilterBackend):
++            def filter_queryset(self, request, queryset, view):
++                try:
++                    return super().filter_queryset(request, queryset, view)
++                except exceptions.ValidationError:
++                    return queryset.none()
++    else:
++        DjangoFilterBackend = rest_framework.DjangoFilterBackend
+ 
+ # reverse, reverse_lazy
+ #
+diff --git a/requirements-prod.txt b/requirements-prod.txt
+index d249ad8..4246b61 100644
+--- a/requirements-prod.txt
++++ b/requirements-prod.txt
+@@ -1,5 +1,5 @@
+ Django>=1.8,<2.0
+-djangorestframework>=3.4,<3.7
+-django-filter>=1.0,<1.1
++djangorestframework>=3.4,<3.9
++django-filter==2.0.0
+ psycopg2>=2.7,<2.8
+ sqlparse==0.2.4
+