mirror of https://github.com/openSUSE/osc.git synced 2024-11-10 06:46:15 +01:00

Fix the previously introduced escaping via the html module

This is a follow-up commit for commit
6dbf103e10 ("Use html.escape instead
removed cgi.escape"), which breaks the python2 backward compatibility
(since the "html" module is not available by default) and also breaks
the code in general (due to missing html imports).

The fix is based on the proposed fix in [1].

Fixes: boo#1166537 ("osc rq accept - forwarding request causes backtrace")

[1] https://github.com/openSUSE/osc/pull/764
Marcus Huewe 2020-03-12 23:00:47 +01:00
parent 9b01f59fee
commit 33bbc57b5f
3 changed files with 23 additions and 25 deletions


@ -34,6 +34,8 @@ try:
except ImportError:
from .util.helper import cmp_to_key
from .util.helper import _html_escape
from operator import itemgetter
MAN_HEADER = r""".TH %(ucname)s "1" "%(date)s" "%(name)s %(version)s" "User Commands"
@ -1241,7 +1243,6 @@ class Osc(cmdln.Cmdln):
if len(args) < 2 and is_project_dir(os.getcwd()):
if opts.diff:
raise oscerr.WrongOptions('\'--diff\' is not supported in a project working copy')
import html
project = store_read_project(os.curdir)
sr_ids = []
@ -1295,7 +1296,7 @@ class Osc(cmdln.Cmdln):
(project, target_prj_block, options_block)
actionxml += s
xml = """<request> %s <state name="new"/> <description>%s</description> </request> """ % \
(actionxml, html.escape(opts.message or "", quote=False))
(actionxml, _html_escape(opts.message or ""))
u = makeurl(apiurl, ['request'], query='cmd=create&addrevision=1')
f = http_POST(u, data=xml)
@ -1872,9 +1873,8 @@ Please submit there instead, or use --nodevelproject to force direct submission.
if not opts.message:
opts.message = edit_message()
import cgi
xml = """<request> %s <state name="new"/> <description>%s</description> </request> """ % \
(actionsxml, html.escape(opts.message or "", quote=False))
(actionsxml, _html_escape(opts.message or ""))
u = makeurl(apiurl, ['request'], query='cmd=create')
f = http_POST(u, data=xml)
@ -1911,7 +1911,6 @@ Please submit there instead, or use --nodevelproject to force direct submission.
${cmd_option_list}
"""
import cgi
args = slash_split(args)
apiurl = self.get_api_url()
@ -1966,7 +1965,7 @@ Please submit there instead, or use --nodevelproject to force direct submission.
else:
r.add_action('add_role', tgt_project=project, tgt_package=package,
person_name=user, person_role=role)
r.description = html.escape(opts.message or '', quote=False)
r.description = _html_escape(opts.message or '')
r.create(apiurl)
print(r.reqid)
@ -1991,8 +1990,6 @@ Please submit there instead, or use --nodevelproject to force direct submission.
osc deletereq [-m TEXT] PROJECT [--all|--repository REPOSITORY]
${cmd_option_list}
"""
import cgi
args = slash_split(args)
project = None
@ -2033,7 +2030,7 @@ Please submit there instead, or use --nodevelproject to force direct submission.
r = Request()
r.add_action('delete', tgt_project=project, tgt_package=package, tgt_repository=repository)
r.description = cgi.escape(opts.message)
r.description = _html_escape(opts.message)
if opts.accept_in_hours:
r.accept_at_in_hours(int(opts.accept_in_hours))
r.create(self.get_api_url())
@ -2054,8 +2051,6 @@ Please submit there instead, or use --nodevelproject to force direct submission.
osc changedevelrequest PROJECT PACKAGE DEVEL_PROJECT [DEVEL_PACKAGE]
"""
import cgi
if len(args) == 0 and is_package_dir('.') and find_default_project():
wd = os.curdir
devel_project = store_read_project(wd)
@ -2083,7 +2078,7 @@ Please submit there instead, or use --nodevelproject to force direct submission.
r = Request()
r.add_action('change_devel', src_project=devel_project, src_package=devel_package,
tgt_project=project, tgt_package=package)
r.description = html.escape(opts.message, quote=False)
r.description = _html_escape(opts.message)
r.create(self.get_api_url())
print(r.reqid)
@ -2609,7 +2604,6 @@ Please submit there instead, or use --nodevelproject to force direct submission.
# check for devel instances after accepted requests
if cmd in ['accept']:
import cgi
sr_actions = rq.get_actions('submit')
for action in sr_actions:
u = makeurl(apiurl, ['/search/package'], {
@ -2649,7 +2643,7 @@ Please submit there instead, or use --nodevelproject to force direct submission.
project, package)
msg = "%s (forwarded request %s from %s)" % (rq.description, reqid, rq.creator)
rid = create_submit_request(apiurl, action.tgt_project, action.tgt_package,
project, package, html.escape(msg, quote=False))
project, package, _html_escape(msg))
print(msg)
print("New request #", rid)
for req in reqs:
@ -8219,9 +8213,8 @@ Please submit there instead, or use --nodevelproject to force direct submission.
else:
message = edit_message()
import cgi
xml = """<request> %s <state name="new"/> <description>%s</description> </request> """ % \
(requestactionsxml, html.escape(message or "", quote=False))
(requestactionsxml, _html_escape(message or ""))
u = makeurl(apiurl, ['request'], query='cmd=create')
f = http_POST(u, data=xml)
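Review bot: The two call sites that pass `opts.message` directly, `r.description = _html_escape(opts.message)` in the delete-request and change-devel hunks, lack the `or ''` fallback that the other call sites in this file use. If `opts.message` can still be None at those points (the code that sets it is outside these hunks), `html.escape(None, quote=False)` raises AttributeError and the command ends in a backtrace, which is the symptom this commit sets out to fix. Writing `r.description = _html_escape(opts.message or '')` in both places would make the call sites uniform.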


@ -61,7 +61,7 @@ try:
except ImportError:
from .util.helper import cmp_to_key
from osc.util.helper import decode_list, decode_it, raw_input
from osc.util.helper import decode_list, decode_it, raw_input, _html_escape
try:
# python 2.6 and python 2.7
@ -4177,18 +4177,16 @@ def clone_request(apiurl, reqid, msg=None):
# create a maintenance release request
def create_release_request(apiurl, src_project, message=''):
import html
r = Request()
# api will complete the request
r.add_action('maintenance_release', src_project=src_project)
# XXX: clarify why we need the unicode(...) stuff
r.description = html.escape(unicode(message, 'utf8'), quote=False)
r.description = _html_escape(unicode(message, 'utf8'))
r.create(apiurl)
return r
# create a maintenance incident per request
def create_maintenance_request(apiurl, src_project, src_packages, tgt_project, tgt_releaseproject, opt_sourceupdate, message='', enforce_branching=False, rev=None):
import html
r = Request()
if src_packages:
for p in src_packages:
@ -4196,7 +4194,7 @@ def create_maintenance_request(apiurl, src_project, src_packages, tgt_project, t
else:
r.add_action('maintenance_incident', src_project=src_project, tgt_project=tgt_project, tgt_releaseproject=tgt_releaseproject, opt_sourceupdate = opt_sourceupdate)
# XXX: clarify why we need the unicode(...) stuff
r.description = html.escape(unicode(message, 'utf8'), quote=False)
r.description = _html_escape(unicode(message, 'utf8'))
r.create(apiurl, addrevision=True, enforce_branching=enforce_branching)
return r
@ -4204,8 +4202,6 @@ def create_submit_request(apiurl,
src_project, src_package=None,
dst_project=None, dst_package=None,
message="", orev=None, src_update=None, dst_updatelink=None):
import html
options_block = ""
package = ""
if src_package:
@ -4241,9 +4237,9 @@ def create_submit_request(apiurl,
orev or show_upstream_rev(apiurl, src_project, src_package),
targetxml,
options_block,
html.escape(message, quote=False))
_html_escape(message))
# Don't do html.escape(unicode(message, "utf8"))) above.
# Don't do _html_escape(unicode(message, "utf8"))) above.
# Promoting the string to utf8, causes the post to explode with:
# uncaught exception: Fatal error: Start tag expected, '&lt;' not found at :1.
# I guess, my original workaround was not that bad.
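Review bot: The comment after the `_html_escape(message)` call in create_submit_request warns against wrapping the message in `unicode(message, "utf8")`, yet create_release_request and create_maintenance_request in this same section do exactly that behind an `XXX: clarify` marker. Now that all three paths go through one helper, the inconsistency is easier to see and should be explained at the call sites. I would replace the two XXX comments with something like `# message is decoded before escaping here; create_submit_request deliberately does not, see the comment there`, or drop the `unicode(...)` call if it is no longer needed. Whether it is needed depends on how `unicode` is defined for Python 3 earlier in the file, which is outside these hunks.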


@ -3,6 +3,11 @@
# and distributed under the terms of the GNU General Public Licence,
# either version 2, or (at your option) any later version.
try:
import html
except ImportError:
import cgi as html
from osc import oscerr
def cmp_to_key(mycmp):
@ -83,3 +88,7 @@ def raw_input(*args):
except EOFError:
# interpret ctrl-d as user abort
raise oscerr.UserAbort()
def _html_escape(data):
return html.escape(data, quote=False)
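Review bot: `_html_escape` has no docstring, and its `quote=False` choice matters to callers: only `&`, `<` and `>` are escaped, so the result is safe as XML element text (the `<description>` body) but not inside an attribute value. I would add `"""Escape &, < and > in data for use as XML element text; quotes are left alone, so do not place the result in an attribute value."""`. The name also carries a leading underscore although two other modules import it, so a public name such as `html_escape` would match how it is used.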