debian/0000775000000000000000000000000013173720021007164 5ustar debian/python-werkzeug-doc.docs0000664000000000000000000000002111526567172013774 0ustar docs/_build/html debian/python-werkzeug-doc.links0000664000000000000000000000075312200745355014167 0ustar /usr/share/doc/python-werkzeug-doc/html /usr/share/doc/python-werkzeug/html /usr/share/doc/python-werkzeug-doc/html/_sources /usr/share/doc/python-werkzeug/rst /usr/share/doc/python-werkzeug-doc/examples /usr/share/doc/python-werkzeug/examples /usr/share/doc/python-werkzeug-doc/html /usr/share/doc/python3-werkzeug/html /usr/share/doc/python-werkzeug-doc/html/_sources /usr/share/doc/python3-werkzeug/rst /usr/share/doc/python-werkzeug-doc/examples /usr/share/doc/python3-werkzeug/examples debian/rules0000775000000000000000000000330512265133123010247 0ustar #!/usr/bin/make -f # Copyright 2009, Noah Slater # Copying and distribution of this file, with or without modification, are # permitted in any medium without royalty provided the copyright notice and this # notice are preserved. export PYBUILD_DESTDIR_python2=debian/python-werkzeug/ export PYBUILD_DESTDIR_python3=debian/python3-werkzeug/ %: dh $@ --with python2,python3,sphinxdoc --buildsystem pybuild override_dh_auto_clean: make -C docs clean rm -rf build Werkzeug.egg-info/ #find $(CURDIR) \( -name '\._*' -o -name '\.DS_Store' \) -delete dh_auto_clean override_dh_auto_test: # don't use memcached, not in main # set -ex; \ # memcached -p 11211 -l 127.0.0.1 & \ # trap "kill $$! 
|| true" EXIT; \ # http_proxy='' dh_auto_test; \ LC_ALL=C.UTF-8 http_proxy='' dh_auto_test override_dh_auto_install: dh_auto_install make documentation override_dh_python2: dh_python2 dh_link -p python-werkzeug /usr/share/javascript/jquery/jquery.js \ /usr/share/pyshared/werkzeug/debug/shared/jquery.js override_dh_python3: dh_python3 dh_link -p python3-werkzeug /usr/share/javascript/jquery/jquery.js \ /usr/lib/python3/dist-packages/werkzeug/debug/shared/jquery.js override_dh_fixperms: find debian/ -name '*\.png' -exec chmod -x '{}' \; dh_fixperms get-orig-source: trap 'rm -rf $(CURDIR)/.werkzeug-tarball' EXIT;\ VER=$(shell dpkg-parsechangelog | sed -rne 's,^Version: ([^-+]+).*,\1,p') &&\ mkdir -p .werkzeug-tarball &&\ uscan --force-download --rename --destdir=.werkzeug-tarball --upstream-version=$$VER &&\ cd .werkzeug-tarball &&\ tar xf python-werkzeug*tar.gz --exclude ubuntu.ttf --exclude FONT_LICENSE &&\ tar Jcf ../python-werkzeug_$$VER+dfsg.orig.tar.xz Werkzeug-$$VER debian/source/0000775000000000000000000000000011770437434010502 5ustar debian/source/format0000664000000000000000000000001411613237705011703 0ustar 3.0 (quilt) debian/python-werkzeug-doc.doc-base0000664000000000000000000000052112200767633014520 0ustar Document: werkzeug Title: Werkzeug Documentation Author: Armin Ronacher Abstract: This document describes Werkzeug - collection of utilities for WSGI applications written in Python. 
Section: Programming/Python Format: HTML Index: /usr/share/doc/python-werkzeug-doc/html/index.html Files: /usr/share/doc/python-werkzeug-doc/html/*.html debian/watch0000664000000000000000000000016411646557404010236 0ustar version=3 opts=dversionmangle=s/\+dfsg// \ http://pypi.python.org/packages/source/W/Werkzeug/Werkzeug-(.*)\.tar\.gz debian/control0000664000000000000000000000565713173717762010626 0ustar Source: python-werkzeug Section: python Priority: optional Maintainer: Ubuntu Developers XSBC-Original-Maintainer: Noah Slater Uploaders: Piotr Ożarowski , Python Modules Packaging Team Standards-Version: 3.9.5 Build-Depends: debhelper (>= 9), dh-python, python-sphinx (>= 1.0.7+dfsg-1~), python-all, python3-all, python-setuptools (>= 0.6b3), python3-setuptools (>= 0.6b3), # for tests: python-simplejson, python3-simplejson, python-nose, python3-nose, python-lxml, python3-lxml Homepage: http://werkzeug.pocoo.org/ Vcs-Svn: svn://anonscm.debian.org/python-modules/packages/python-werkzeug/trunk/ Vcs-Browser: http://anonscm.debian.org/viewvc/python-modules/packages/python-werkzeug/trunk/ X-Python-Version: >= 2.5 X-Python3-Version: >= 3.3 Package: python-werkzeug Architecture: all Depends: ${python:Depends}, ${misc:Depends}, libjs-jquery Recommends: python-simplejson | python (>= 2.6), python-openssl, python-pyinotify Suggests: ipython, python-genshi, python-pkg-resources, python-lxml, python-greenlet, python-redis, python-pylibmc | python-memcache, python-werkzeug-doc Description: collection of utilities for WSGI applications The Web Server Gateway Interface (WSGI) is a standard interface between web server software and web applications written in Python. . Werkzeug is a lightweight library for interfacing with WSGI. It features request and response objects, an interactive debugging system and a powerful URI dispatcher. Combine with your choice of third party libraries and middleware to easily create a custom application framework. 
Package: python3-werkzeug Architecture: all Depends: ${python3:Depends}, ${misc:Depends}, libjs-jquery Recommends: python3-simplejson | python3, python3-openssl, python3-pyinotify Suggests: ipython3, python3-pkg-resources, python3-lxml, python-werkzeug-doc Description: collection of utilities for WSGI applications The Web Server Gateway Interface (WSGI) is a standard interface between web server software and web applications written in Python. . Werkzeug is a lightweight library for interfacing with WSGI. It features request and response objects, an interactive debugging system and a powerful URI dispatcher. Combine with your choice of third party libraries and middleware to easily create a custom application framework. Package: python-werkzeug-doc Section: doc Architecture: all Priority: extra Depends: ${misc:Depends}, ${sphinxdoc:Depends} Conflicts: python-werkzeug (<< 0.9.3+dfsg-2) Replaces: python-werkzeug (<< 0.9.3+dfsg-2) Description: documentation for the werkzeug Python library Werkzeug is a lightweight library for interfacing with WSGI. It features request and response objects, an interactive debugging system and a powerful URI dispatcher. Combine with your choice of third party libraries and middleware to easily create a custom application framework. debian/copyright0000664000000000000000000000652111526567172011143 0ustar Format-Specification: http://wiki.debian.org/Proposals/CopyrightFormat?action=recall&rev=180 Upstream-Name: Werkzeug Upstream-Maintainer: Armin Ronacher Upstream-Source: http://werkzeug.pocoo.org/download Files: * Copyright: Copyright 2009-2010, the Werkzeug Team License: BSD Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: . * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. . 
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. . * The names of the contributors may not be used to endorse or promote products derived from this software without specific prior written permission. . THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Files: debian/* Copyright: Copyright 2009, Noah Slater License: GAP Copying and distribution of this package, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved. Files: werkzeug/debug/shared/jquery.js Copyright: Copyright 2008, John Resig License: MIT | GPL-2 License: MIT Copyright (c) 2008 John Resig, http://jquery.com/ . Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: . 
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. . THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. License: GPL-2 On Debian systems the full text of the GNU General Public License (Version 2) can be found in the `/usr/share/common-licenses/GPL-2' file. debian/python-werkzeug-doc.examples0000664000000000000000000000001311526567172014663 0ustar examples/* debian/compat0000664000000000000000000000000212200771717010372 0ustar 9 debian/patches/0000775000000000000000000000000013173720021010613 5ustar debian/patches/CVE-2016-10516.patch0000664000000000000000000000261313173717171013327 0ustar From 1034edc7f901dd645ec6e462754111b39002bd65 Mon Sep 17 00:00:00 2001 From: Your Name Date: Wed, 31 Aug 2016 16:00:55 +0800 Subject: [PATCH] fix XSS in debugger Fix #1001 --- CHANGES | 1 + werkzeug/debug/tbtools.py | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) #diff --git a/CHANGES b/CHANGES #index 920db7584..547103a1f 100644 #--- a/CHANGES #+++ b/CHANGES #@@ -13,6 +13,7 @@ Bugfix release, unreleased. # see issue ``#995``. # - Fix a bug in multidicts when passing empty lists as values, see issue # ``#979``. #+- Fix a security issue that allows XSS on the Werkzeug debugger. See ``#1001``. # # Version 0.11.10 # --------------- Index: python-werkzeug-0.9.4+dfsg/werkzeug/debug/tbtools.py =================================================================== --- python-werkzeug-0.9.4+dfsg.orig/werkzeug/debug/tbtools.py +++ python-werkzeug-0.9.4+dfsg/werkzeug/debug/tbtools.py 
@@ -337,7 +337,7 @@ class Traceback(object): 'exception': exc, 'exception_type': escape(self.exception_type), 'summary': self.render_summary(include_title=False), - 'plaintext': self.plaintext, + 'plaintext': escape(self.plaintext), 'plaintext_cs': re.sub('-{2,}', '-', self.plaintext), 'traceback_id': self.id, 'secret': secret debian/patches/series0000664000000000000000000000012013173717124012033 0ustar drop_ubuntu_font.patch b23efe87.patch fix-flask-ftbfs.diff CVE-2016-10516.patch debian/patches/fix-flask-ftbfs.diff0000664000000000000000000000143612417756576014467 0ustar Index: b/werkzeug/security.py =================================================================== --- a/werkzeug/security.py +++ b/werkzeug/security.py @@ -113,17 +113,25 @@ .. versionadded:: 0.7 """ + if isinstance(a, text_type): + a = a.encode('utf-8') + if isinstance(b, text_type): + b = b.encode('utf-8') + if _builtin_safe_str_cmp is not None: return _builtin_safe_str_cmp(a, b) + if len(a) != len(b): return False + rv = 0 - if isinstance(a, bytes) and isinstance(b, bytes) and not PY2: + if PY2: for x, y in izip(a, b): - rv |= x ^ y + rv |= ord(x) ^ ord(y) else: for x, y in izip(a, b): - rv |= ord(x) ^ ord(y) + rv |= x ^ y + return rv == 0 debian/patches/b23efe87.patch0000664000000000000000000000150512247422702013070 0ustar commit b23efe879bbab6e992172df0a101b576bc5b2ea6 Author: Armin Ronacher Date: Wed Sep 4 23:12:50 2013 +0600 Fixed a failing test on 3.3 diff --git a/werkzeug/testsuite/urls.py b/werkzeug/testsuite/urls.py index c63c577..b333e1b 100644 --- a/werkzeug/testsuite/urls.py +++ b/werkzeug/testsuite/urls.py 
@@ -146,7 +146,7 @@ class URLsTestCase(WerkzeugTestCase): 'http://xn--f-1gaa.com:8080/bam/baz') def test_iri_safe_quoting(self): - uri = b'http://xn--f-1gaa.com/%2F%25?q=%C3%B6&x=%3D%25#%25' + uri = 'http://xn--f-1gaa.com/%2F%25?q=%C3%B6&x=%3D%25#%25' iri = u'http://föö.com/%2F%25?q=ö&x=%3D%25#%25' self.assert_strict_equal(urls.uri_to_iri(uri), iri) self.assert_strict_equal(urls.iri_to_uri(urls.uri_to_iri(uri)), uri) debian/patches/drop_ubuntu_font.patch0000664000000000000000000000127411646564227015255 0ustar # ubuntu.ttf has been removed from Debian package Index: python-werkzeug-0.8.1/werkzeug/debug/shared/style.css =================================================================== --- python-werkzeug-0.8.1.orig/werkzeug/debug/shared/style.css +++ python-werkzeug-0.8.1/werkzeug/debug/shared/style.css 
@@ -1,9 +1,7 @@ @font-face { - font-family: 'Ubuntu'; + font-family: 'Ubuntu', 'Lucida Grande', 'Lucida Sans Unicode', 'Geneva', 'Verdana'; font-style: normal; font-weight: normal; - src: local('Ubuntu'), local('Ubuntu-Regular'), - url('?__debugger__=yes&cmd=resource&f=ubuntu.ttf') format('truetype'); } body, input { font-family: 'Lucida Grande', 'Lucida Sans Unicode', 'Geneva', debian/changelog0000664000000000000000000002073113173717701011054 0ustar python-werkzeug (0.9.4+dfsg-1.1ubuntu2.1) trusty-security; urgency=medium * SECURITY UPDATE: Cross-site vulnerability in render_full function allows attackers to inject arbitrary script or HTML. - debian/patches/CVE-2016-10516.patch: in werkzeub/debug/tbtools.py. - CVE-2016-10516 -- Leonidas S. Barbosa Tue, 24 Oct 2017 17:13:01 -0300 python-werkzeug (0.9.4+dfsg-1.1ubuntu2) trusty-proposed; urgency=medium * Convert arguments to bytes for hmac.compare_digest. Fixes a test failure with flask. https://github.com/mitsuhiko/werkzeug/issues/537 LP: #1382085. -- Matthias Klose Thu, 16 Oct 2014 16:43:20 +0200 python-werkzeug (0.9.4+dfsg-1.1ubuntu1) trusty; urgency=medium * Merge with Debian; remaining changes: - Run the tests with LC_ALL=C.UTF-8. - Drop the build dependencies on the memcache servers, not in main. The tests run these tests conditionally, and for python2 only. -- Matthias Klose Tue, 14 Jan 2014 04:54:56 +0100 python-werkzeug (0.9.4+dfsg-1.1) unstable; urgency=medium * Non-maintainer upload. * Start memcached for tests, thanks to Sebastian Ramacher for the patch (Closes: #725594) -- Gaudenz Steinlin Mon, 06 Jan 2014 19:01:32 +0100 python-werkzeug (0.9.4+dfsg-1) unstable; urgency=low * New upstream release * Backport b23efe87 commit to fix failing test on Python 3.3 * Standards-Version bumped to 3.9.5 (no changes needed) -- Piotr Ożarowski Tue, 03 Dec 2013 19:33:17 +0100 python-werkzeug (0.9.3+dfsg-2ubuntu2) saucy; urgency=low * Run the tests with LC_ALL=C.UTF-8. 
-- Matthias Klose Fri, 27 Sep 2013 09:28:46 +0200 python-werkzeug (0.9.3+dfsg-2ubuntu1) saucy; urgency=low * Drop the build dependencies on the memcache servers, not in main. The tests run these tests conditionally, and for python2 only. -- Matthias Klose Thu, 26 Sep 2013 15:24:39 +0200 python-werkzeug (0.9.3+dfsg-2) unstable; urgency=low * Add python3-werkzeug binary package * Move docs and examples to new python-werkzeug-doc binary package * Switch to pybuild buildsystem * Add redis and memcached related packages to Build-Depends (used in tests) * Set debhelper compatibility level to 9 -- Piotr Ożarowski Thu, 08 Aug 2013 17:13:05 +0200 python-werkzeug (0.9.3+dfsg-1) unstable; urgency=low * New upstream release -- Piotr Ożarowski Fri, 26 Jul 2013 00:03:35 +0200 python-werkzeug (0.9.2+dfsg-1) unstable; urgency=low * New upstream release -- Piotr Ożarowski Mon, 22 Jul 2013 19:26:28 +0200 python-werkzeug (0.9.1+dfsg-1) unstable; urgency=low * New upstream release * Run tests with LC_ALL=C.UTF-8 -- Piotr Ożarowski Sun, 16 Jun 2013 11:51:23 +0200 python-werkzeug (0.9+dfsg-1) unstable; urgency=low [ Piotr Ożarowski ] * New upstream release * Suggest new packages: - python-greenlet (used in werkzeug.contrib.iterio) - python-redis (used in werkzeug.contrib.cache) - python-pylibmc (as an alternative to python-memcache, used in werkzeug.contrib.cache) * Recommend python-pyinotify (used in werkzeug.serving) * Remove Werkzeug.egg-info in clean target * Minimum required Python version bumped to 2.5 (due to with statements) * Standards-Version bumped to 3.9.4 (no changes needed) [ Jakub Wilk ] * Use canonical URIs for Vcs-* fields. 
-- Piotr Ożarowski Thu, 13 Jun 2013 22:04:15 +0200 python-werkzeug (0.8.3+dfsg-1) unstable; urgency=low * New upstream release -- Piotr Ożarowski Sun, 05 Feb 2012 23:33:49 +0100 python-werkzeug (0.8.2+dfsg-1) unstable; urgency=low * New upstream release -- Piotr Ożarowski Sun, 08 Jan 2012 20:10:33 +0100 python-werkzeug (0.8.1+dfsg-1) unstable; urgency=low * New upstream release - no longer double quotes location header during redirects. Closes: #594172 - ubuntu.ttf removed from upstream tarball (cannot regenerate this file using free tools), get-orig-source target added to debian/rules - compatible with ipython 0.11. Closes: 636470 * Bump minimum debhelper version to 8.1.0 (which no longer compresses objects.inv files, closes: #608751) * Switch from dh_pysupport to dh_python2 * Source format changed to 3.0 (quilt) * Let dh_sphinxdoc handle documentation files, python-sphinx build dependency bumped to 1.0.7+dfsg-1 * Standards-Version bumped to 3.9.2 (no changes needed) -- Piotr Ożarowski Sun, 16 Oct 2011 15:01:03 +0200 python-werkzeug (0.6.2-1) unstable; urgency=low * New upstream release -- Piotr Ożarowski Fri, 23 Apr 2010 19:53:19 +0200 python-werkzeug (0.6.1-1) unstable; urgency=low * New upstream release - supports IPv6 addresses. Closes: #569336 -- Piotr Ożarowski Tue, 13 Apr 2010 21:35:42 +0200 python-werkzeug (0.6-1) unstable; urgency=low * New upstream release * Add python-openssl to Recommends * Add python-memcache to Suggests * Add "python (>= 2.6)" as an alternative dependency to python-simplejson * Remove MacOS DS store and resource fork files in clean rule * Standards-Version bumped to 3.8.4 (no changes needed) -- Piotr Ożarowski Fri, 19 Feb 2010 18:55:34 +0100 python-werkzeug (0.5.1-1) unstable; urgency=low [ Noah Slater ] * New upstream release (0.5). Closes: #536465 * Updated debian/control, removed Depends on python-wsgiref. * Updated debian/control, updated Build-Depends on debhelper to 7.2.11. 
* Updated debian/rules, use /usr/share/pyshared directory. Closes: #517302 [ Piotr Ożarowski ] * New upstream release (0.5.1) * New build dependencies: - python-simplejson (to build docs) - python-nose and python-lxml (to run tests) * Use dh sequencer instead of CDBS. Closes: #526577 * Standards-Version bumped to 3.8.2 (no changes needed) * Add myself to Uploaders -- Piotr Ożarowski Fri, 07 Aug 2009 19:44:53 +0200 python-werkzeug (0.4.1-1) experimental; urgency=low * New upstream release. Closes: #511553 * Added debian/README.source file. * Updated debian/control, updated Vcs-Browser. * Updated debian/control, updated Description. * Updated debian/copyright, updated for latest format proposal. * Updated debian/rules, improved uscan options for get-orig-source. -- Noah Slater Sun, 18 Jan 2009 20:01:23 +0000 python-werkzeug (0.3.1-1) unstable; urgency=high * New upstream release, fixes a security issue. -- Noah Slater Wed, 25 Jun 2008 19:32:07 +0100 python-werkzeug (0.3-1) unstable; urgency=low * New upstream release. * Moved documentation to standard location. * Fixed shared file permissions. * Updated debian/control, updated Suggests. * Updated debian/control, updated Standards-Version to 3.8.0. * Updated debian/copyright, updated for latest format proposal. -- Noah Slater Tue, 17 Jun 2008 22:35:18 +0100 python-werkzeug (0.2-2) unstable; urgency=low * Updated debian/control, updated Depends. Closes: #468704 -- Noah Slater Tue, 04 Mar 2008 23:40:55 +0000 python-werkzeug (0.2-1) unstable; urgency=low * New upstream release. * Updated debian/control, updated Uploaders. * Updated debian/control, updated Vcs-Browser. * Updated debian/control, updated Depends. -- Noah Slater Mon, 25 Feb 2008 10:30:54 +0000 python-werkzeug (0.1-1) unstable; urgency=low * New upstream release. * Added debian/watch file. * Updated debian/control, added Recommends. * Updated debian/control, added Suggests. * Updated debian/control, updated Standards-Version to 3.7.3. 
* Updated debian/control, updated Build-Depends-Indep. -- Noah Slater Fri, 28 Dec 2007 11:09:34 +0000 python-werkzeug (0.1~svn3830-2) unstable; urgency=low * Updated debian/control, added Homepage. * Updated debian/control, added Vcs-Svn. * Updated debian/control, added Vcs-Browser. * Updated debian/control, updated Build-Depends. * Updated debian/control, removed additional Priority. * Updated debian/copyright, changed ordering of sections. -- Noah Slater Sat, 03 Nov 2007 01:10:16 +0000 python-werkzeug (0.1~svn3830-1) experimental; urgency=low * Initial release. Closes: #433991 -- Noah Slater Fri, 20 Jul 2007 20:53:52 +0100
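Review bot: In debian/patches/CVE-2016-10516.patch, the tbtools.py hunk escapes 'plaintext', but the next entry, 'plaintext_cs': re.sub('-{2,}', '-', self.plaintext), still hands the raw traceback text to the template with only runs of dashes collapsed. Please confirm that this value is only ever emitted in a context where dash-collapsing is sufficient, and say so in a comment, or escape it as well. The diffstat lists only CHANGES and werkzeug/debug/tbtools.py, so a regression test that renders a traceback whose message contains markup and asserts the output is escaped would be worth adding.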
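Review bot: In debian/patches/fix-flask-ftbfs.diff, the new isinstance(a, text_type) / isinstance(b, text_type) block encodes text arguments as UTF-8 before comparing, but the docstring that ends just above it is left unchanged. Please document that text is compared by its UTF-8 bytes, which means a text value and a bytes value can now compare equal. The fallback loop also now branches on PY2 alone instead of on the argument types, so it relies on both values being byte strings by that point. A short comment stating that assumption, or an explicit type check that raises for anything else, would make it visible.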
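Review bot: In debian/patches/b23efe87.patch, changing uri in test_iri_safe_quoting from a b'...' literal to a native string means the test no longer covers bytes input to urls.uri_to_iri on Python 3. If bytes input is still supported, keep a second assertion that uses the bytes literal. The round-trip assert_strict_equal(urls.iri_to_uri(urls.uri_to_iri(uri)), uri) now also pins the return type of iri_to_uri to the native string type, which deserves a one-line comment in the test.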
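Review bot: In debian/patches/drop_ubuntu_font.patch, the @font-face rule in style.css is left with no src descriptor and with a comma-separated fallback list in font-family, where an @font-face rule names a single family. Browsers ignore a rule in that state, so it is dead CSS. It would be cleaner to delete the whole @font-face block, since the body, input rule that follows already carries the 'Lucida Grande', 'Lucida Sans Unicode', 'Geneva' fallback list.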