forked from pool/python-Twisted
* twisted.logger.formatEvent now honors dotted method names,
not just flat function names, in format strings, as it has
long been explicitly documented to do. So, you will now get
the expected result from formatEvent("here's the result of
calling a method at log-format time: {obj.method()}",
obj=...)
* twisted.web.http.HTTPChannel now ignores the trailer headers
provided in the last chunk of a chunked encoded response,
rather than raising an exception.
* twisted.protocols.tls.BufferingTLSTransport, used by default
by twisted.protocols.tls.TLSMemoryBIOFactory, was refactored
for improved performance when doing a high number of small
writes.
* twisted.python.failure.Failure now throws exceptions for
generators without triggering deprecation warnings on
Python 3.12.
* twisted.internet.process.Process, used by
reactor.spawnProcess, now copies the parent environment when
the env=None argument is passed on Posix systems and
os.posix_spawnp is used internally.
* twisted.internet.defer.inlineCallbacks.returnValue's stack
introspection was adjusted for the latest PyPy 7.3.14
release, allowing legacy @inlineCallbacks to run on new PyPy
versions.
* twisted.trial.reporter.TestRun.startTest() is no longer
called for tests with skip annotation or skip attribute for
Python 3.12.1 or newer. This is the result of upstream Python
gh-106584 change. The behavior is not changed in 3.12.0 or
older.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-Twisted?expand=0&rev=149
From df79d69adea5c819bb104861dccf1bbe25851644 Mon Sep 17 00:00:00 2001
From: Thomas Grainger <tagrain@gmail.com>
Date: Sun, 21 Feb 2021 11:54:25 +0000
Subject: [PATCH 1/2] delegate to stdlib parse qs
---
src/twisted/web/http.py | 26 +-------------------------
src/twisted/web/newsfragments/10096.bugfix | 1 +
src/twisted/web/server.py | 5 ++---
3 files changed, 4 insertions(+), 28 deletions(-)
create mode 100644 src/twisted/web/newsfragments/10096.bugfix
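--- a/src/twisted/web/http.py
+++ b/src/twisted/web/http.py
@@ -115,6 +115,7 @@ from urllib.parse import (
 ParseResultBytes,
 unquote_to_bytes as unquote,
 urlparse as _urlparse,
+ parse_qs,
 )
 
 from zope.interface import Attribute, Interface, implementer, provider
@@ -288,34 +289,6 @@ def urlparse(url):
 return ParseResultBytes(scheme, netloc, path, params, query, fragment)
 
 
-def parse_qs(qs, keep_blank_values=0, strict_parsing=0):
- """
- Like C{cgi.parse_qs}, but with support for parsing byte strings on Python 3.
-
- This was created to help with Python 2 to Python 3 migration.
- Consider using L{urllib.parse.parse_qs}.
-
- @type qs: C{bytes}
- """
- d = {}
- items = [s2 for s1 in qs.split(b"&") for s2 in s1.split(b";")]
- for item in items:
- try:
- k, v = item.split(b"=", 1)
- except ValueError:
- if strict_parsing:
- raise
- continue
- if v or keep_blank_values:
- k = unquote(k.replace(b"+", b" "))
- v = unquote(v.replace(b"+", b" "))
- if k in d:
- d[k].append(v)
- else:
- d[k] = [v]
- return d
-
-
 def datetimeToString(msSinceEpoch=None):
 """
 Convert seconds since epoch to HTTP datetime string.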
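Review bot: The `+ parse_qs,` import in the first hunk turns `twisted.web.http.parse_qs` into the stdlib function, and nothing in the patch pins how that function treats the byte strings Twisted passes it. The removed body decoded `%XX` escapes straight to bytes via `unquote`, whereas `urllib.parse.parse_qs` may, depending on the Python version, decode bytes input as ASCII and re-encode the result, so a non-ASCII byte or escape in a client-supplied query could surface as an exception instead of a value; this should be confirmed on every supported interpreter. I would add a test covering both the intended fix and the bytes contract, for example (constructed) `assert http.parse_qs(b"a=1;b=2") == {b"a": [b"1;b=2"]}` plus a case with a percent-encoded non-ASCII value. Since the name remains public API of the module, a comment beside the import such as `# re-exported as twisted.web.http.parse_qs; do not remove` would keep a later import cleanup from dropping it.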
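--- /dev/null
+++ b/src/twisted/web/newsfragments/10096.bugfix
@@ -0,0 +1 @@
+delegate to urllib.parse:parse_qs in twisted.web.http:parse_qs to avoid CVE-2021-23336 and the associated CI failures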
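--- a/src/twisted/web/server.py
+++ b/src/twisted/web/server.py
@@ -21,7 +21,7 @@ import zlib
 from binascii import hexlify
 from html import escape
 from typing import List, Optional
-from urllib.parse import quote as _quote
+from urllib.parse import quote as _quote, unquote_to_bytes as _unquote_to_bytes
 
 from zope.interface import implementer
 
@@ -37,7 +37,6 @@ from twisted.python.deprecate import dep
 from twisted.spread.pb import Copyable, ViewPoint
 from twisted.web import http, iweb, resource, util
 from twisted.web.error import UnsupportedMethod
-from twisted.web.http import unquote
 
 NOT_DONE_YET = 1
 
@@ -210,7 +209,7 @@ class Request(Copyable, http.Request, co
 
 # Resource Identification
 self.prepath = []
- self.postpath = list(map(unquote, self.path[1:].split(b"/")))
+ self.postpath = [_unquote_to_bytes(v) for v in self.path[1:].split(b"/")]
 
 # Short-circuit for requests whose path is '*'.
 if self.path == b"*":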
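Review bot: The rewritten `self.postpath` line in the third hunk still percent-decodes each segment only after splitting on `b"/"`, so a decoded segment can itself contain `/` (from `%2F`) or equal `..`, and nothing at this spot tells resource authors that. A comment above the line would document the contract, e.g. `# Segments are decoded after the split: one may contain b"/" or equal b".."; validate before mapping to the filesystem.` The second hunk also removes `from twisted.web.http import unquote`, which drops the name `twisted.web.server.unquote` for any external code that imported it from this module; that is presumably incidental API surface, but it deserves a line in the newsfragment. The enclosing method of `Request` starts and ends outside the hunk.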