Update upstream source from tag 'upstream/1.8.9'

Update to upstream version '1.8.9' with Debian dir da87551ba93422a95187d322cb9a32b98bf0a8ea Closes: #1078879

Update upstream source from tag 'upstream/1.8.9'
d8b46521 · Colin Watson · 72740469 · 02fd78b5 · 72740469 · d8b46521
Commit d8b46521 authored 5 months ago by Colin Watson
--- a/.travis.yml
+++ b/.travis.yml
-# Wire up travis
-language: python
-sudo: false
-
-matrix:
-    include:
-        - python: 2.7
-          env: TOXENV=py27
-        - python: 3.4
-          env: TOXENV=py34
-        - python: 3.5
-          env: TOXENV=py35
-        - python: 3.6
-          env: TOXENV=py36
-        - python: 3.6
-          env: TOXENV=docs
-        - python: nightly
-          env: TOXENV=py37
-        - python: pypy
-          env: TOXENV=pypy
-        - python: 3.6
-          env: TOXENV=py27,py36,coverage
-    allow_failures:
-        - env: TOXENV=py37
-
-install:
-  - travis_retry pip install tox
-
-script:
-  - travis_retry tox
-
-notifications:
-  email:
-    - pyramid-checkins@lists.repoze.org
--- a/CHANGES.txt
+++ b/CHANGES.txt
+1.8.9 (2024-11-23)
+------------------
+
+Bugfix
+~~~~~~
+
+- Add `legacy-cgi` to required packages to be installed for Python 3.13
+  compatibility. See https://github.com/Pylons/webob/pull/469
+
+1.8.8 (2024-08-13)
+------------------
+
+Security Fix
+~~~~~~~~~~~~
+
+- The use of WebOb's Response object to redirect a request to a new location
+  can lead to an open redirect if the Location header is not a full URI.
+
+  See https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3
+  and CVE-2024-42353
+
+  Thanks to Sara Gao for the report
+
 1.8.7 (2021-02-17)
 ------------------


--- a/MANIFEST.in
+++ b/MANIFEST.in
+graft src
+graft docs
+prune docs/_build
+graft tests
+
+include README.rst
+include CHANGES.txt HISTORY.txt
+include contributing.md RELEASING.rst
+include pyproject.toml
+include .coveragerc .flake8 tox.ini
+include .readthedocs.yaml
+include appveyor.yml rtd.txt
+
+global-exclude __pycache__ *.py[cod]
+global-exclude .DS_Store
--- a/PKG-INFO
+++ b/PKG-INFO
--- a/debian/changelog
+++ b/debian/changelog
-python-webob (1:1.8.7-4) UNRELEASED; urgency=medium
+python-webob (1:1.8.9-1) UNRELEASED; urgency=medium

  * Adjust debian/watch for recent PyPI URL changes.
+  * New upstream release:
+    - CVE-2024-42353: The use of WebOb's Response object to redirect a
+      request to a new location could lead to an open redirect if the
+      Location header is not a full URI (closes: #1078879).

 -- Colin Watson <cjwatson@debian.org>  Sun, 12 Jan 2025 17:30:16 +0000


--- a/debian/control
+++ b/debian/control
@@ -43,7 +43,6 @@ Package: python3-webob
 Architecture: all
 Depends:
 python3,
- python3-legacy-cgi,
 ${misc:Depends},
 ${python3:Depends},
 Suggests:

--- a/debian/patches/411.diff
+++ b/debian/patches/411.diff
--- a/tests/conftest.py
-+++ b/tests/conftest.py
-@@ -60,7 +60,7 @@ def serve():
-             log.debug("shutting server down")
-             server.shutdown()
-             worker.join(1)
-            if worker.isAlive():
-+            if worker.is_alive():
-                 log.warning('worker is hanged')
-             else:
-                 log.debug("server stopped")
--- a/debian/patches/intersphinx-local.patch
+++ b/debian/patches/intersphinx-local.patch
@@ -8,7 +8,7 @@ Patch-Name: intersphinx-local.patch
 1 file changed, 2 insertions(+), 1 deletion(-)

 diff --git a/docs/conf.py b/docs/conf.py
-index 914d0f9..be3e626 100644
+index e855910..32c3377 100644
 --- a/docs/conf.py
 +++ b/docs/conf.py
 @@ -154,5 +154,6 @@ epub_exclude_files = ['search.html']

--- a/debian/patches/series
+++ b/debian/patches/series
 intersphinx-local.patch
-411.diff
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -34,7 +34,7 @@ version = release = pkg_resources.get_distribution('webob').version
 #
 # This is also used if you do content translation via gettext catalogs.
 # Usually you set "language" from the command line for these cases.
-language = None
+language = 'en'

 # List of patterns, relative to source directory, that match files and
 # directories to ignore when looking for source files.

--- a/setup.py
+++ b/setup.py
@@ -25,7 +25,7 @@ docs_extras = [

 setup(
    name='WebOb',
-    version='1.8.7',
+    version='1.8.9',
    description="WSGI request and response object",
    long_description=README + '\n\n' + CHANGES,
    classifiers=[
@@ -52,6 +52,9 @@ setup(
    packages=find_packages('src', exclude=['tests']),
    package_dir={'': 'src'},
    python_requires='>=2.7,!=3.0.*,!=3.1.*,!=3.2.*',
+    install_requires=[
+        "legacy-cgi>=2.6; python_version>='3.13'",
+    ],
    zip_safe=True,
    extras_require={
        'testing': testing_extras,

--- a/src/WebOb.egg-info/PKG-INFO
+++ b/src/WebOb.egg-info/PKG-INFO
--- a/src/WebOb.egg-info/SOURCES.txt
+++ b/src/WebOb.egg-info/SOURCES.txt
 .coveragerc
 .gitignore
-.travis.yml
 CHANGES.txt
 HISTORY.txt
+MANIFEST.in
 README.rst
 RELEASING.rst
 appveyor.yml

--- a/src/WebOb.egg-info/requires.txt
+++ b/src/WebOb.egg-info/requires.txt

+[:python_version >= "3.13"]
+legacy-cgi>=2.6
+
 [docs]
 Sphinx>=1.7.5
 pylons-sphinx-themes

--- a/src/webob/response.py
+++ b/src/webob/response.py
@@ -1284,6 +1284,11 @@ class Response(object):
        if SCHEME_RE.search(value):
            return value

+        # This is to fix an open redirect issue due to the way that
+        # urlparse.urljoin works. See CVE-2024-42353 and
+        # https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3
+        if value.startswith("//"):
+            value = "/%2f{}".format(value[2:])
        new_location = urlparse.urljoin(_request_uri(environ), value)
        return new_location


--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -60,8 +60,8 @@ def serve():
            log.debug("shutting server down")
            server.shutdown()
            worker.join(1)
-            if worker.isAlive():
-                log.warning('worker is hanged')
+            if worker.is_alive():
+                log.warning("worker is hanged")
            else:
                log.debug("server stopped")


--- a/tests/test_response.py
+++ b/tests/test_response.py
@@ -1031,6 +1031,17 @@ def test_location():
    assert req.get_response(res).location == 'http://localhost/test2.html'


+def test_location_no_open_redirect():
+    # This is a test for a fix for CVE-2024-42353 and
+    # https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3
+    res = Response()
+    res.status = "301"
+    res.location = "//www.example.com/test"
+    assert res.location == "//www.example.com/test"
+    req = Request.blank("/")
+    assert req.get_response(res).location == "http://localhost/%2fwww.example.com/test"
+
+
 @pytest.mark.xfail(sys.version_info < (3,0),
                   reason="Python 2.x unicode != str, WSGI requires str. Test "
                   "added due to https://github.com/Pylons/webob/issues/247. "

--- a/tox.ini
+++ b/tox.ini
 [tox]
+requires = virtualenv<20.22.0
 envlist =
-    py27,py34,py35,py36,py37,pypy,
+    py27,py34,py35,py36,py37,py313,pypy,
    docs,coverage,pep8
 skip_missing_interpreters = True

@@ -13,6 +14,7 @@ basepython =
    py35: python3.5
    py36: python3.6
    py37: python3.7
+    py313: python3.13
    pypy: pypy
    py2: python2.7
    py3: python3.5
@@ -37,7 +39,7 @@ setenv =

 [testenv:docs]
 basepython = python3.6
-whitelist_externals = make
+allowlist_externals = make
 commands =
    pip install webob[docs]
    make -C docs html epub BUILDDIR={envdir} "SPHINXOPTS=-W -E"
@@ -49,3 +51,21 @@ commands =
 deps =
    flake8

+[testenv:build]
+skip_install = true
+commands =
+    # clean up build/ and dist/ folders
+    python -c 'import shutil; shutil.rmtree("build", ignore_errors=True)'
+    # Make sure we aren't forgetting anything
+    check-manifest
+    # build sdist/wheel
+    python -m build .
+    # Verify all is well
+    twine check dist/*
+
+deps =
+    build
+    check-manifest
+    readme_renderer
+    twine
+