From 9ce37b77cdda020ec5ab7e30775e76bc19fd9aec Mon Sep 17 00:00:00 2001
From: Leo
Date: Mon, 9 Sep 2019 08:03:59 -0300
Subject: community/patchwork: upgrade to 2.1.4
---
 community/patchwork/APKBUILD | 39 +++---
 community/patchwork/CVE-2019-13122.patch | 91 --------------
 .../py-django-rest-framwork-py-django-filter.patch | 131 +++++++++++++++++++++
 3 files changed, 154 insertions(+), 107 deletions(-)
 delete mode 100644 community/patchwork/CVE-2019-13122.patch
 create mode 100644 community/patchwork/py-django-rest-framwork-py-django-filter.patch
(limited to 'community/patchwork')
diff --git a/community/patchwork/APKBUILD b/community/patchwork/APKBUILD
index 6cc8e9a1c1..22c9f523bb 100644
--- a/community/patchwork/APKBUILD
+++ b/community/patchwork/APKBUILD
@@ -1,35 +1,42 @@
 # Con#tributor: Francesco Colista
 # Maintainer: Francesco Colista
 pkgname=patchwork
-pkgver=2.0.1
-pkgrel=1
+pkgver=2.1.4
+pkgrel=0
 pkgdesc="Web-based patch tracking system"
 url="https://github.com/getpatchwork/patchwork"
 arch="noarch"
-license="GPL"
+license="GPL-2.0-or-later"
 options="!check"
-depends="py-django py-django-registration git py-psycopg2"
-subpackages="$pkgname-doc $pkgname-uwsgi-apache2:apache2_wsgi $pkgname-uwsgi-nginx:nginx_wsgi $pkgname-mysql
- $pkgname-postgresql pwclient:pwclient"
-source="$pkgname-$pkgver.tar.gz::https://github.com/getpatchwork/$pkgname/archive/v$pkgver.tar.gz
+depends="
+ py3-django<2.0
+ py3-django-rest-framework<3.9
+ py3-django-filter<2.0.1
+ py3-psycopg2<2.8
+ py3-sqlparse
+ "
+subpackages="
+ $pkgname-doc
+ $pkgname-uwsgi-apache2:apache2_wsgi
+ $pkgname-uwsgi-nginx:nginx_wsgi
+ $pkgname-mysql
+ $pkgname-postgresql
+ pwclient:pwclient
+ "
+source="patchwork-$pkgver.tar.gz::https://github.com/getpatchwork/patchwork/archive/v$pkgver.tar.gz
 0001-support-busybox-readlink.patch
 0002-remove-uneeded-bashism-from-tools-and-change-path.patch
 nginx-uwsgi-patchwork-conf.ini
 nginx-patchwork.conf
- CVE-2019-13122.patch"
+ py-django-rest-framwork-py-django-filter.patch
+ "
-builddir="$srcdir"/$pkgname-$pkgver
 # secfixes:
 # 2.0.1-r1:
 # - CVE-2019-13122
-build() {
- return 0
-}
-
 package() {
- cd "$builddir"
 mkdir -p "$pkgdir"/usr/share/webapps/$pkgname
 install -Dm644 COPYING \
 "$pkgdir"/usr/share/doc/$pkgname/COPYING
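Review bot: Removing `CVE-2019-13122.patch` from `source=` is only correct if the v2.1.4 tarball already contains the upstream msgid-escaping commit that patch backported (556f750d in the deleted file), and nothing in the hunk records that; with `options="!check"` the regression test the patch also carried never runs here, so the fix should be confirmed against the upstream tree before the patch is dropped. A one-line breadcrumb outside the parsed secfixes list would help the next maintainer, e.g. `# CVE-2019-13122 is fixed upstream in 2.1.4 (commit 556f750d); local patch dropped`. The new `depends=` pins (`py3-django<2.0`, `py3-django-rest-framework<3.9`, `py3-django-filter<2.0.1`) tie the package to framework lines that are presumably close to the end of upstream support, so they will need revisiting when patchwork moves to Django 2.x. The added patch name `py-django-rest-framwork-py-django-filter.patch` carries a typo ("framwork") that is now baked into `source=`, `sha512sums=` and the file name itself.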
@@ -80,9 +87,9 @@ pwclient() {
 "$subpkgdir"/usr/bin/pwclient
 }
-sha512sums="95dcfcdf19de0a65a77ab4274de82457c969e3a65705da25cbec742e4d6671e51e629d5366d47ee510a1ac622afde3e2637fa4a013fd576a66808be75a7e84b5 patchwork-2.0.1.tar.gz
+sha512sums="e15e1b2b9d386d98f74d55efcc805ecad827be40610c993245d3ac13d04b655a264bf0ebe7ec83b929db52059a9dd13c49bd56676a5c1d2f25d965b310bccfb0 patchwork-2.1.4.tar.gz
 5facc2c2620b2d614011bcdc06bb481fb1481c79333579e5a7fa5b8bc4f97d1651cc8c4632a5e150b62674d64c00345341229319f1edb2016721868e84146826 0001-support-busybox-readlink.patch
 f6d3590b3ac53797e0ae25fe50ab0935608be5ded44665599cbc91e93558895eddc6a7a717153d81fc194b314d7854686577ef5ecf9e0302b7824ce3b3863f7b 0002-remove-uneeded-bashism-from-tools-and-change-path.patch
 28911a25e00a254237f7214fb681e5e984a2eae331e610be62967d5e246958e0f8d3f84861d8fd17c1190c1df72a25f28ddb33843b3679a3864beb00cb4b4961 nginx-uwsgi-patchwork-conf.ini
 862dd2522236a0b18d2a8d06f1ad91ad0fd0936fa502d95e09556641e67d42e1212821bfd7fb98923e4fe8b8a7369ded8c23831fb496b1e2833d9831c1b23725 nginx-patchwork.conf
-fb1e70245d285e725a85d8c37a97ba5d393ccd7c1704130be9d518a44721e23ffe85345e325ef172bc23c959a3159b113616c5ecd8b80c560730a79177272f8a CVE-2019-13122.patch"
+47f040f80836bf5e8c0c5d5a95e7cf6c5d9714437eac2f6c6e927ca6b346b86eb50b87e7deace33e3d1cd11ab6c74146e725aac835a1355864a5e5e9179b0082 py-django-rest-framwork-py-django-filter.patch"
diff --git a/community/patchwork/CVE-2019-13122.patch b/community/patchwork/CVE-2019-13122.patch
deleted file mode 100644
index 4c23714a2c..0000000000
--- a/community/patchwork/CVE-2019-13122.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From 556f750d8d723791fded3476bcd9885d4b97355b Mon Sep 17 00:00:00 2001
-From: Andrew Donnellan
-Date: Mon, 1 Jul 2019 15:28:03 +1000
-Subject: [PATCH 1/2] templatetags: Do not mark output of msgid tag as safe
-
-The msgid template tag exists to remove angle brackets from either side of
-the Message-ID header.
-
-It also marks its output as safe, meaning it does not get autoescaped by
-Django templating.
-
-Its output is not safe. A maliciously crafted email can include HTML tags
-inside the Message-ID header, and as long as the angle brackets are not at
-the start and end of the header, we will quite happily render them.
-
-Rather than using mark_safe(), use escape() to explicitly escape the
-Message-ID.
-
-Signed-off-by: Andrew Donnellan
----
- patchwork/templatetags/patch.py | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/patchwork/templatetags/patch.py b/patchwork/templatetags/patch.py
-index ea5a71de362f..757f873b6043 100644
---- a/patchwork/templatetags/patch.py
-+++ b/patchwork/templatetags/patch.py
-@@ -5,6 +5,7 @@
- # SPDX-License-Identifier: GPL-2.0-or-later
-
- from django import template
-+from django.utils.html import escape
- from django.utils.safestring import mark_safe
- from django.template.defaultfilters import stringfilter
-
-@@ -64,4 +65,4 @@ def patch_checks(patch):
- @register.filter
- @stringfilter
- def msgid(value):
-- return mark_safe(value.strip('<>'))
-+ return escape(value.strip('<>'))
----
-2.20.1
-
-From 3bf1aa7568a9a1f08f13ed28c5ac6102841bd4dd Mon Sep 17 00:00:00 2001
-From: Andrew Donnellan
-Date: Mon, 1 Jul 2019 18:04:53 +1000
-Subject: [PATCH 2/2] tests: Add test for unescaped values in patch detail page
-
-Add a test to check whether we are escaping values from the Patch model on
-the patch detail page.
-
-This test shouldn't be relied upon as proof that we've escaped everything
-correctly, but may help catch regressions.
-
-Signed-off-by: Andrew Donnellan
----
- patchwork/tests/test_detail.py | 17 +++++++++++++++++
- 1 file changed, 17 insertions(+)
-
-diff --git a/patchwork/tests/test_detail.py b/patchwork/tests/test_detail.py
-index 4ca1c9cda2f9..18408ecb95f6 100644
---- a/patchwork/tests/test_detail.py
-+++ b/patchwork/tests/test_detail.py
-@@ -34,6 +34,23 @@ class PatchViewTest(TestCase):
- response = self.client.get(requested_url)
- self.assertRedirects(response, redirect_url)
-
-+ def test_escaping(self):
-+ # Warning: this test doesn't guarantee anything - it only tests some
-+ # fields
-+ unescaped_string = 'blahTESTblah'
-+ patch = create_patch()
-+ patch.diff = unescaped_string
-+ patch.commit_ref = unescaped_string
-+ patch.pull_url = unescaped_string
-+ patch.name = unescaped_string
-+ patch.msgid = unescaped_string
-+ patch.headers = unescaped_string
-+ patch.content = unescaped_string
-+ patch.save()
-+ requested_url = reverse('patch-detail', kwargs={'patch_id': patch.id})
-+ response = self.client.get(requested_url)
-+ self.assertNotIn('TEST'.encode('utf-8'), response.content)
-+
-
-
- class CommentRedirectTest(TestCase):
-
----
-2.20.1
-
diff --git a/community/patchwork/py-django-rest-framwork-py-django-filter.patch b/community/patchwork/py-django-rest-framwork-py-django-filter.patch
new file mode 100644
index 0000000000..84755de9ee
--- /dev/null
+++ b/community/patchwork/py-django-rest-framwork-py-django-filter.patch
@@ -0,0 +1,131 @@
+diff --git a/patchwork/api/bundle.py b/patchwork/api/bundle.py
+index b0005da..14c109b 100644
+--- a/patchwork/api/bundle.py
++++ b/patchwork/api/bundle.py
+@@ -81,7 +81,7 @@ class BundleMixin(object):
+ class BundleList(BundleMixin, ListAPIView):
+ """List bundles."""
+
+- filter_class = BundleFilterSet
++ filter_class = filterset_class = BundleFilterSet
+ search_fields = ('name',)
+ ordering_fields = ('id', 'name', 'owner')
+ ordering = 'id'
+diff --git a/patchwork/api/check.py b/patchwork/api/check.py
+index 1498abb..5873649 100644
+--- a/patchwork/api/check.py
++++ b/patchwork/api/check.py
+@@ -93,7 +93,7 @@ class CheckSerializer(HyperlinkedModelSerializer):
+ class CheckMixin(object):
+
+ serializer_class = CheckSerializer
+- filter_class = CheckFilterSet
++ filter_class = filterset_class = CheckFilterSet
+
+ def get_queryset(self):
+ patch_id = self.kwargs['patch_id']
+diff --git a/patchwork/api/cover.py b/patchwork/api/cover.py
+index b497fd8..53f9135 100644
+--- a/patchwork/api/cover.py
++++ b/patchwork/api/cover.py
+@@ -97,7 +97,7 @@ class CoverLetterList(ListAPIView):
+ """List cover letters."""
+
+ serializer_class = CoverLetterListSerializer
+- filter_class = CoverLetterFilterSet
++ filter_class = filterset_class = CoverLetterFilterSet
+ search_fields = ('name',)
+ ordering_fields = ('id', 'name', 'date', 'submitter')
+ ordering = 'id'
+diff --git a/patchwork/api/event.py b/patchwork/api/event.py
+index cce25a7..5b290e5 100644
+--- a/patchwork/api/event.py
++++ b/patchwork/api/event.py
+@@ -89,7 +89,7 @@ class EventList(ListAPIView):
+ """List events."""
+
+ serializer_class = EventSerializer
+- filter_class = EventFilterSet
++ filter_class = filterset_class = EventFilterSet
+ page_size_query_param = None # fixed page size
+ ordering_fields = ()
+ ordering = '-date'
+diff --git a/patchwork/api/patch.py b/patchwork/api/patch.py
+index 7b8e12e..46371f4 100644
+--- a/patchwork/api/patch.py
++++ b/patchwork/api/patch.py
+@@ -179,7 +179,7 
@@ class PatchList(ListAPIView):
+
+ permission_classes = (PatchworkPermission,)
+ serializer_class = PatchListSerializer
+- filter_class = PatchFilterSet
++ filter_class = filterset_class = PatchFilterSet
+ search_fields = ('name',)
+ ordering_fields = ('id', 'name', 'project', 'date', 'state', 'archived',
+ 'submitter', 'check')
+diff --git a/patchwork/api/series.py b/patchwork/api/series.py
+index 14768ef..16a6490 100644
+--- a/patchwork/api/series.py
++++ b/patchwork/api/series.py
+@@ -76,7 +76,7 @@ class SeriesMixin(object):
+ class SeriesList(SeriesMixin, ListAPIView):
+ """List series."""
+
+- filter_class = SeriesFilterSet
++ filter_class = filterset_class = SeriesFilterSet
+ search_fields = ('name',)
+ ordering_fields = ('id', 'name', 'date', 'submitter', 'received_all')
+ ordering = 'id'
+diff --git a/patchwork/compat.py b/patchwork/compat.py
+index 3bbff44..d1d89c1 100644
+--- a/patchwork/compat.py
++++ b/patchwork/compat.py
+@@ -46,16 +46,35 @@ if settings.ENABLE_REST_API:
+ # The django-filter library renamed 'Filter.name' to 'Filter.field_name' in
+ # 1.1.
+ #
++# DjangoFilterBackend
++
++# The django-filter library changed the default strictness level in 2.0
++#
+ # https://django-filter.readthedocs.io/en/master/guide/migration.html#migrating-to-2-0
+
+ if settings.ENABLE_REST_API:
+ import django_filters # noqa
++ from django_filters import rest_framework # noqa
++ from rest_framework import exceptions # noqa
+
+ if django_filters.VERSION >= (1, 1):
+ NAME_FIELD = 'field_name'
+ else:
+ NAME_FIELD = 'name'
+
++ if django_filters.VERSION >= (2, 0):
++ # TODO(stephenfin): Enable strict mode in API v2.0, possibly with a
++ # bump in the minimum version of django-filter [1]
++ #
++ # [1] https://github.com/carltongibson/django-filter/pull/983
++ class DjangoFilterBackend(rest_framework.DjangoFilterBackend):
++ def filter_queryset(self, request, queryset, view):
++ try:
++ return super().filter_queryset(request, queryset, view)
++ except exceptions.ValidationError:
++ return queryset.none()
++ else:
++ DjangoFilterBackend = rest_framework.DjangoFilterBackend
+
+ # reverse, reverse_lazy
+ #
+diff --git a/requirements-prod.txt b/requirements-prod.txt
+index d249ad8..4246b61 100644
+--- a/requirements-prod.txt
++++ b/requirements-prod.txt
+@@ -1,5 +1,5 @@
+ Django>=1.8,<2.0
+-djangorestframework>=3.4,<3.7
+-django-filter>=1.0,<1.1
++djangorestframework>=3.4,<3.9
++django-filter==2.0.0
+ psycopg2>=2.7,<2.8
+ sqlparse==0.2.4
+
-- cgit v1.2.3
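Review bot: The `DjangoFilterBackend` shim in the compat.py hunk swallows every `exceptions.ValidationError` and returns `queryset.none()`, which fails closed (a malformed filter can never fall through to an unfiltered queryset) but throws away the per-field error detail, so API clients receive an empty 200 rather than a 400 and cannot distinguish a mistyped query parameter from a genuinely empty result. If this is the deliberate pre-2.0 non-strict behaviour the TODO alludes to, state it on the class, e.g. `"""Non-strict filtering: invalid filter params yield no results instead of HTTP 400, matching django-filter < 2.0."""`, and keep the detail observable with `except exceptions.ValidationError as exc:` followed by a debug-level log of `exc.detail` before the `return queryset.none()`. Bare `super()` also assumes Python 3; that matches the `py3-*` dependencies this APKBUILD declares, but if upstream compat.py still targets 2.7 it would need `super(DjangoFilterBackend, self)` — the rest of the module is outside the hunk, so I cannot confirm. The `requirements-prod.txt` hunk pins `django-filter==2.0.0` while the APKBUILD allows `<2.0.1`, so only the `VERSION >= (2, 0)` branch of the shim is ever exercised by the packaged versions.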