diffstat of debian/ for twisted_16.0.0-1 twisted_16.0.0-1ubuntu0.2 changelog | 10 +++ control | 3 - patches/CVE-2016-1000111.patch | 111 +++++++++++++++++++++++++++++++++++++++++ patches/series | 1 4 files changed, 124 insertions(+), 1 deletion(-) diff -Nru twisted-16.0.0/debian/changelog twisted-16.0.0/debian/changelog --- twisted-16.0.0/debian/changelog 2016-03-18 15:55:47.000000000 +0000 +++ twisted-16.0.0/debian/changelog 2018-03-01 18:31:21.000000000 +0000 @@ -1,3 +1,13 @@ +twisted (16.0.0-1ubuntu0.2) xenial-security; urgency=medium + + * SECURITY UPDATE: HTTProxy issue + - debian/patches/CVE-2016-1000111.patch: fix implementation + in twisted/web/twcgi.py and add some test in + twisted/web/test/test_cgi.py. + - CVE-2016-1000111 + + -- Leonidas S. Barbosa Thu, 01 Mar 2018 15:19:01 -0300 + twisted (16.0.0-1) unstable; urgency=medium * New upstream release. diff -Nru twisted-16.0.0/debian/control twisted-16.0.0/debian/control --- twisted-16.0.0/debian/control 2016-03-18 15:55:58.000000000 +0000 +++ twisted-16.0.0/debian/control 2018-03-01 18:19:54.000000000 +0000 @@ -1,7 +1,8 @@ Source: twisted Section: python Priority: optional -Maintainer: Matthias Klose +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Matthias Klose Uploaders: Free Ekanayaka Build-Depends: debhelper (>=7.0.50~), patch, python-all-dev, python-all-dbg, diff -Nru twisted-16.0.0/debian/patches/CVE-2016-1000111.patch twisted-16.0.0/debian/patches/CVE-2016-1000111.patch --- twisted-16.0.0/debian/patches/CVE-2016-1000111.patch 1970-01-01 00:00:00.000000000 +0000 +++ twisted-16.0.0/debian/patches/CVE-2016-1000111.patch 2018-03-01 18:18:40.000000000 +0000 
@@ -0,0 +1,111 @@ +Backported of: + +From e155c8c9e3dc72a7a47608e4dbd729577c552de2 Mon Sep 17 00:00:00 2001 +From: "Amber Brown (HawkOwl)" +Date: Wed, 10 Aug 2016 20:03:11 +0800 +Subject: [PATCH] fix the implementation + + +--- + twisted/web/test/test_cgi.py | 43 ++++++++++++++++++++++++++++++++++++++-- + twisted/web/topfiles/8623.bugfix | 1 + + twisted/web/twcgi.py | 2 +- + 3 files changed, 43 insertions(+), 3 deletions(-) + create mode 100644 twisted/web/topfiles/8623.bugfix + +diff --git a/twisted/web/test/test_cgi.py b/twisted/web/test/test_cgi.py +index 6f803be..3534b89 100755 +--- a/twisted/web/test/test_cgi.py ++++ b/twisted/web/test/test_cgi.py +@@ -5,13 +5,17 @@ + Tests for L{twisted.web.twcgi}. + """ + +-import sys, os ++import sys ++import os ++import json ++ ++from io import BytesIO + + from twisted.trial import unittest + from twisted.internet import reactor, interfaces, error + from twisted.python import util, failure, log + from twisted.web.http import NOT_FOUND, INTERNAL_SERVER_ERROR +-from twisted.web import client, twcgi, server, resource ++from twisted.web import client, twcgi, server, resource, http_headers + from twisted.web.test._util import _render + from twisted.web.test.test_web import DummyRequest + +@@ -73,6 +77,15 @@ print + print "cgi output" + ''' + ++HEADER_OUTPUT_CGI = '''\ ++import json ++import os ++print("") ++print("") ++vals = {x:y for x,y in os.environ.items() if x.startswith("HTTP_")} ++print(json.dumps(vals)) ++''' ++ + class PythonScript(twcgi.FilteredScript): + filter = sys.executable + +@@ -154,6 +167,32 @@ class CGITests(unittest.TestCase): + return factory.deferred + + ++ def test_noProxyPassthrough(self): ++ """ ++ The CGI script is never called with the Proxy header passed through. 
++ """ ++ cgiFilename = self.writeCGI(HEADER_OUTPUT_CGI) ++ ++ portnum = self.startServer(cgiFilename) ++ url = "http://localhost:%d/cgi" % (portnum,) ++ ++ agent = client.Agent(reactor) ++ ++ headers = http_headers.Headers({"Proxy": ["foo"], ++ "X-Innocent-Header": ["bar"]}) ++ d = agent.request("GET", url, headers=headers) ++ ++ def checkResponse(response): ++ headers = json.loads(response) ++ self.assertEqual( ++ set(headers.keys()), ++ {"HTTP_HOST", "HTTP_CONNECTION", "HTTP_X_INNOCENT_HEADER"}) ++ ++ d.addCallback(client.readBody) ++ d.addCallback(checkResponse) ++ return d ++ ++ + def test_duplicateHeaderCGI(self): + """ + If a CGI script emits two instances of the same header, both are sent in +diff --git a/twisted/web/topfiles/8623.bugfix b/twisted/web/topfiles/8623.bugfix +new file mode 100644 +index 0000000..b8aaac6 +--- /dev/null ++++ b/twisted/web/topfiles/8623.bugfix +@@ -0,0 +1 @@ ++twisted.web.twcgi.CGIScript will now not pass the "Proxy" header to CGI scripts, as a mitigation to CVE-2016-1000111. +diff --git a/twisted/web/twcgi.py b/twisted/web/twcgi.py +index 88cdfc0..a98c30a 100644 +--- a/twisted/web/twcgi.py ++++ b/twisted/web/twcgi.py +@@ -116,7 +116,7 @@ class CGIScript(resource.Resource): + # Propagate HTTP headers + for title, header in request.getAllHeaders().items(): + envname = title.replace('-', '_').upper() +- if title not in ('content-type', 'content-length'): ++ if title not in ('content-type', 'content-length', 'proxy'): + envname = "HTTP_" + envname + env[envname] = header + # Propagate our environment +-- +2.7.4 + diff -Nru twisted-16.0.0/debian/patches/series twisted-16.0.0/debian/patches/series --- twisted-16.0.0/debian/patches/series 2016-03-10 15:02:05.000000000 +0000 +++ twisted-16.0.0/debian/patches/series 2018-03-01 18:18:54.000000000 +0000 @@ -5,3 +5,4 @@ # don't apply, performance issue just for backward compatibility #lp1102685.diff #lp1098127.diff +CVE-2016-1000111.patch
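Review bot: In the twcgi.py hunk the Proxy header still reaches the CGI process, only under the name `PROXY` instead of `HTTP_PROXY`, because `env[envname] = header` runs unconditionally after the widened `not in` check; that blocks the httpoxy confusion with the conventional proxy variable, but the 8623.bugfix entry and the Ubuntu changelog say the header is "not passed" at all, and `test_noProxyPassthrough` only inspects `HTTP_`-prefixed keys, so it would not notice the `PROXY` variable. Either reword the bugfix entry to say the header is no longer exported as `HTTP_PROXY`, or discard it before the prefix check with `if title == 'proxy': continue` so the code matches the description. The new comparison relies on `getAllHeaders()` returning lowercase header names, as the existing 'content-type'/'content-length' entries already assume — presumably true for this Twisted version, but worth confirming in the backport. `from io import BytesIO` is added to test_cgi.py but nothing in the visible backported changes uses it, so it can be dropped. The enclosing method in twcgi.py starts and ends outside the hunk.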