Hello community,
here is the log from the commit of package python-repoze.who for
openSUSE:Factory checked in at 2022-12-03 10:03:57
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-repoze.who (Old)
and /work/SRC/openSUSE:Factory/.python-repoze.who.new.1835 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-repoze.who"
Sat Dec 3 10:03:57 2022 rev:7 rq:1039744 version:2.4.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/python-repoze.who/python-repoze.who.changes
2020-08-04 20:21:49.156997050 +0200
+++
/work/SRC/openSUSE:Factory/.python-repoze.who.new.1835/python-repoze.who.changes
2022-12-03 10:04:11.367424647 +0100
@@ -1,0 +2,8 @@
+Sat Dec 3 00:21:39 UTC 2022 - Yogalakshmi Arunachalam <[email protected]>
+
+- Update to v2.4.1
+ * Disallow separators in AuthTicket component values. Closes #37.
+ * Handle bytes / string correctly in
ârepoze.who.plugins.htpasswd.sha1_checkâ. Closes #28.
+ * Switch to use pytest as the testrunner. Closes #34.
+
+-------------------------------------------------------------------
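Review bot: The sha1_check entry in the new .changes text wraps the module path in non-ASCII quotation marks, which arrive garbled in this mail. Upstream CHANGES.rst in the same update uses plain ASCII apostrophes around 'repoze.who.plugins.htpasswd.sha1_check'; copying that form keeps the package changelog readable regardless of encoding.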
Old:
----
repoze.who-2.4.tar.gz
New:
----
repoze.who-2.4.1.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-repoze.who.spec ++++++
--- /var/tmp/diff_new_pack.JVXieO/_old 2022-12-03 10:04:11.795427025 +0100
+++ /var/tmp/diff_new_pack.JVXieO/_new 2022-12-03 10:04:11.799427047 +0100
@@ -1,7 +1,7 @@
#
# spec file for package python-repoze.who
#
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -19,7 +19,7 @@
%{?!python_module:%define python_module() python-%{**} python3-%{**}}
%global modname repoze.who
Name: python-repoze.who
-Version: 2.4
+Version: 2.4.1
Release: 0
Summary: Identification and authentication framework for WSGI
License: SUSE-Repoze
++++++ repoze.who-2.4.tar.gz -> repoze.who-2.4.1.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/repoze.who-2.4/CHANGES.rst
new/repoze.who-2.4.1/CHANGES.rst
--- old/repoze.who-2.4/CHANGES.rst 2020-06-03 22:32:10.000000000 +0200
+++ new/repoze.who-2.4.1/CHANGES.rst 2022-02-01 17:56:46.000000000 +0100
@@ -1,6 +1,16 @@
repoze.who Changelog
====================
+2.4.1 (2022-02-01)
+------------------
+
+- Disallow separators in AuthTicket component values. Closes #37.
+
+- Handle bytes / string correctly in 'repoze.who.plugins.htpasswd.sha1_check'.
+ Closes #28.
+
+- Switch to use ``pytest`` as the testrunner. Closes #34.
+
2.4 (2020-06-03)
----------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/repoze.who-2.4/PKG-INFO new/repoze.who-2.4.1/PKG-INFO
--- old/repoze.who-2.4/PKG-INFO 2020-06-03 22:32:18.000000000 +0200
+++ new/repoze.who-2.4.1/PKG-INFO 2022-02-01 17:57:35.634601400 +0100
@@ -1,6 +1,6 @@
Metadata-Version: 2.1
Name: repoze.who
-Version: 2.4
+Version: 2.4.1
Summary: repoze.who is an identification and authentication framework for WSGI.
Home-page: http://www.repoze.org
Author: Agendaless Consulting
@@ -75,6 +75,16 @@
repoze.who Changelog
====================
+ 2.4.1 (2022-02-01)
+ ------------------
+
+ - Disallow separators in AuthTicket component values. Closes #37.
+
+ - Handle bytes / string correctly in
'repoze.who.plugins.htpasswd.sha1_check'.
+ Closes #28.
+
+ - Switch to use ``pytest`` as the testrunner. Closes #34.
+
2.4 (2020-06-03)
----------------
@@ -800,5 +810,5 @@
Classifier: Topic :: Internet :: WWW/HTTP :: Dynamic Content
Classifier: Topic :: Internet :: WWW/HTTP :: WSGI
Classifier: Topic :: Internet :: WWW/HTTP :: WSGI :: Application
-Provides-Extra: testing
Provides-Extra: docs
+Provides-Extra: testing
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/repoze.who-2.4/repoze/who/_auth_tkt.py
new/repoze.who-2.4.1/repoze/who/_auth_tkt.py
--- old/repoze.who-2.4/repoze/who/_auth_tkt.py 2016-05-31 18:44:04.000000000
+0200
+++ new/repoze.who-2.4.1/repoze/who/_auth_tkt.py 2022-02-01
17:55:33.000000000 +0100
@@ -47,6 +47,15 @@
DEFAULT_DIGEST = hashlib.md5
+def _exclude_separator(separator, value, fieldname):
+ if isinstance(value, bytes):
+ separator = separator.encode("ascii")
+
+ if separator in value:
+ raise ValueError(
+ "{} may not contain '{}'".format(fieldname, separator)
+ )
+
class AuthTicket(object):
"""
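Review bot: In _exclude_separator the bytes branch rebinds separator to a bytes object before it is formatted into the error message, so on Python 3 a rejected bytes value reports the separator as b'!' inside the quotes instead of !. Keep the original str for the message and use the encoded copy only for the "in" test. The helper also assumes value is str or bytes: anything else (None, an int) makes "separator in value" raise TypeError rather than the ValueError the new tests assert, so non-string values should be coerced or skipped explicitly. A one-line docstring saying that these characters are the ticket's field separators would explain why the check exists.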
@@ -88,14 +97,26 @@
time=None, cookie_name='auth_tkt',
secure=False, digest_algo=DEFAULT_DIGEST):
self.secret = secret
+
+ _exclude_separator('!', userid, "'userid'")
self.userid = userid
+
self.ip = ip
+
+ for token in tokens:
+ _exclude_separator(',', token, "'token' values")
+ _exclude_separator('!', token, "'token' values")
+
self.tokens = ','.join(tokens)
+
+ _exclude_separator('!', user_data, "'user_data'")
self.user_data = user_data
+
if time is None:
self.time = time_mod.time()
else:
self.time = time
+
self.cookie_name = cookie_name
self.secure = secure
if isinstance(digest_algo, str):
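Review bot: self.ip = ip is the one value in this constructor left unchecked, sitting between the userid and tokens checks. If ip never reaches the serialized ticket text, a short comment saying so would stop the next reader from wondering; otherwise it needs the same _exclude_separator('!', ...) call. The checks also run only at construction, so a later assignment to tkt.userid or tkt.user_data bypasses them, which is worth stating in the class docstring.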
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/repoze.who-2.4/repoze/who/plugins/htpasswd.py
new/repoze.who-2.4.1/repoze/who/plugins/htpasswd.py
--- old/repoze.who-2.4/repoze/who/plugins/htpasswd.py 2015-03-18
20:33:59.000000000 +0100
+++ new/repoze.who-2.4.1/repoze/who/plugins/htpasswd.py 2022-02-01
17:23:22.000000000 +0100
@@ -100,8 +100,10 @@
from hashlib import sha1
from base64 import standard_b64encode
from repoze.who._compat import must_encode
- encrypted_string = standard_b64encode(sha1(must_encode(password)).digest())
- return _same_string(hashed, "%s%s" % ("{SHA}", encrypted_string))
+ b_password = must_encode(password)
+ b_sha1_digest = sha1(b_password).digest()
+ b_b64_sha1_digest = standard_b64encode(b_sha1_digest)
+ return _same_string(hashed, b"{SHA}" + b_b64_sha1_digest)
def plain_check(password, hashed):
return _same_string(password, hashed)
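Review bot: password is normalised through must_encode but hashed is not, and the second argument to _same_string is now always bytes (b"{SHA}" + b_b64_sha1_digest). A caller that passes hashed as str will be comparing str against bytes unless _same_string normalises both sides, which is not visible in this hunk. Either pass must_encode(hashed) here or state in a docstring that hashed must be bytes.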
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/repoze.who-2.4/repoze/who/plugins/tests/test_htpasswd.py
new/repoze.who-2.4.1/repoze/who/plugins/tests/test_htpasswd.py
--- old/repoze.who-2.4/repoze/who/plugins/tests/test_htpasswd.py
2015-03-18 20:33:59.000000000 +0100
+++ new/repoze.who-2.4.1/repoze/who/plugins/tests/test_htpasswd.py
2022-02-01 17:23:22.000000000 +0100
@@ -120,18 +120,30 @@
self.assertEqual(crypt_check('password', hashed), True)
self.assertEqual(crypt_check('notpassword', hashed), False)
- def test_sha1_check(self):
+ def test_sha1_check_w_password_str(self):
from base64 import standard_b64encode
from hashlib import sha1
- from repoze.who._compat import must_encode
from repoze.who.plugins.htpasswd import sha1_check
- encrypted_string = standard_b64encode(sha1(
- must_encode("password")).digest())
- self.assertEqual(sha1_check('password',
- "%s%s" % ("{SHA}", encrypted_string)), True)
- self.assertEqual(sha1_check('notpassword',
- "%s%s" % ("{SHA}", encrypted_string)), False)
+ password = u'password'
+ b_password = password.encode("ascii")
+ encrypted_string = standard_b64encode(sha1(b_password).digest())
+ hashed = b"%s%s" % (b"{SHA}", encrypted_string)
+
+ self.assertTrue(sha1_check(password, hashed))
+ self.assertFalse(sha1_check('notpassword', hashed))
+
+ def test_sha1_check_w_password_bytes(self):
+ from base64 import standard_b64encode
+ from hashlib import sha1
+ from repoze.who.plugins.htpasswd import sha1_check
+
+ b_password = b'password'
+ encrypted_string = standard_b64encode(sha1(b_password).digest())
+ hashed = b"%s%s" % (b"{SHA}", encrypted_string)
+
+ self.assertTrue(sha1_check(b_password, hashed))
+ self.assertFalse(sha1_check(b'notpassword', hashed))
def test_plain_check(self):
from repoze.who.plugins.htpasswd import plain_check
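Review bot: Both new tests build hashed as bytes, so the case of a str hashed value is never exercised even though the changelog entry is about handling bytes / string correctly. Add a variant that passes hashed as str and pins down the expected result, so the behaviour of sha1_check for that input is decided by a test rather than by whatever _same_string happens to do.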
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/repoze.who-2.4/repoze/who/tests/test__auth_tkt.py
new/repoze.who-2.4.1/repoze/who/tests/test__auth_tkt.py
--- old/repoze.who-2.4/repoze/who/tests/test__auth_tkt.py 2020-06-02
22:54:09.000000000 +0200
+++ new/repoze.who-2.4.1/repoze/who/tests/test__auth_tkt.py 2022-02-01
17:55:33.000000000 +0100
@@ -25,6 +25,42 @@
self.assertEqual(tkt.secure, False)
self.assertEqual(tkt.digest_algo, hashlib.md5)
+ def test_ctor_w_userid_w_embedded_bang(self):
+ tokens = ('a,b',) # cannot be safely round-tripped
+
+ with self.assertRaises(ValueError) as exc:
+ self._makeOne('SEEKRIT', 'USER!ID', '1.2.3.4')
+
+ self.assertEqual(str(exc.exception), "'userid' may not contain '!'")
+
+ def test_ctor_w_token_w_embedded_bang(self):
+ tokens = ('a!b',) # cannot be safely round-tripped
+
+ with self.assertRaises(ValueError) as exc:
+ self._makeOne('SEEKRIT', 'USERID', '1.2.3.4', tokens=tokens)
+
+ self.assertEqual(
+ str(exc.exception), "'token' values may not contain '!'"
+ )
+
+ def test_ctor_w_token_w_embedded_comma(self):
+ tokens = ('a,b',) # cannot be safely round-tripped
+
+ with self.assertRaises(ValueError) as exc:
+ self._makeOne('SEEKRIT', 'USERID', '1.2.3.4', tokens=tokens)
+
+ self.assertEqual(
+ str(exc.exception), "'token' values may not contain ','"
+ )
+
+ def test_ctor_w_user_data_w_embedded_bang(self):
+ user_data = 'DATA!HERE' # cannot be safely round-tripped
+
+ with self.assertRaises(ValueError) as exc:
+ self._makeOne('SEEKRIT', 'USERID', '1.2.3.4', user_data=user_data)
+
+ self.assertEqual(str(exc.exception), "'user_data' may not contain '!'")
+
def test_ctor_explicit(self):
import hashlib
tkt = self._makeOne('SEEKRIT', 'USERID', '1.2.3.4', tokens=('a', 'b'),
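Review bot: test_ctor_w_userid_w_embedded_bang assigns tokens = ('a,b',) with the copied "cannot be safely round-tripped" comment but never passes it to _makeOne; drop the line so the test shows only the 'USER!ID' input it is about. All four tests use str values, so the bytes branch of _exclude_separator and the message it produces are untested; a case such as userid=b'USER!ID' would cover it.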
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/repoze.who-2.4/repoze.who.egg-info/PKG-INFO
new/repoze.who-2.4.1/repoze.who.egg-info/PKG-INFO
--- old/repoze.who-2.4/repoze.who.egg-info/PKG-INFO 2020-06-03
22:32:18.000000000 +0200
+++ new/repoze.who-2.4.1/repoze.who.egg-info/PKG-INFO 2022-02-01
17:57:35.000000000 +0100
@@ -1,6 +1,6 @@
Metadata-Version: 2.1
Name: repoze.who
-Version: 2.4
+Version: 2.4.1
Summary: repoze.who is an identification and authentication framework for WSGI.
Home-page: http://www.repoze.org
Author: Agendaless Consulting
@@ -75,6 +75,16 @@
repoze.who Changelog
====================
+ 2.4.1 (2022-02-01)
+ ------------------
+
+ - Disallow separators in AuthTicket component values. Closes #37.
+
+ - Handle bytes / string correctly in
'repoze.who.plugins.htpasswd.sha1_check'.
+ Closes #28.
+
+ - Switch to use ``pytest`` as the testrunner. Closes #34.
+
2.4 (2020-06-03)
----------------
@@ -800,5 +810,5 @@
Classifier: Topic :: Internet :: WWW/HTTP :: Dynamic Content
Classifier: Topic :: Internet :: WWW/HTTP :: WSGI
Classifier: Topic :: Internet :: WWW/HTTP :: WSGI :: Application
-Provides-Extra: testing
Provides-Extra: docs
+Provides-Extra: testing
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/repoze.who-2.4/repoze.who.egg-info/requires.txt
new/repoze.who-2.4.1/repoze.who.egg-info/requires.txt
--- old/repoze.who-2.4/repoze.who.egg-info/requires.txt 2020-06-03
22:32:18.000000000 +0200
+++ new/repoze.who-2.4.1/repoze.who.egg-info/requires.txt 2022-02-01
17:57:35.000000000 +0100
@@ -1,15 +1,15 @@
WebOb
-zope.interface
setuptools
+zope.interface
[docs]
-WebOb
-zope.interface
Sphinx
+WebOb
repoze.sphinx.autointerface
+zope.interface
[testing]
WebOb
-zope.interface
-nose
coverage
+nose
+zope.interface
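Review bot: The [testing] extra still lists nose and does not list pytest, while the changelog and tox.ini in this update switch the test runner to pytest. Installing repoze.who[testing] therefore pulls in the old runner and not the one tox.ini invokes. Since requires.txt is generated, the fix belongs in tests_require in setup.py, whose hunk in this update changes only the version string.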
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/repoze.who-2.4/setup.py new/repoze.who-2.4.1/setup.py
--- old/repoze.who-2.4/setup.py 2020-06-03 22:32:10.000000000 +0200
+++ new/repoze.who-2.4.1/setup.py 2022-02-01 17:56:22.000000000 +0100
@@ -31,7 +31,7 @@
docs_extras = tests_require + ['Sphinx', 'repoze.sphinx.autointerface']
setup(name='repoze.who',
- version='2.4',
+ version='2.4.1',
description=('repoze.who is an identification and authentication '
'framework for WSGI.'),
long_description='\n\n'.join([README, CHANGES]),
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/repoze.who-2.4/tox.ini new/repoze.who-2.4.1/tox.ini
--- old/repoze.who-2.4/tox.ini 2020-06-03 22:21:08.000000000 +0200
+++ new/repoze.who-2.4.1/tox.ini 2022-01-31 18:41:51.000000000 +0100
@@ -4,35 +4,33 @@
[testenv]
commands =
- python setup.py -q test -q
+ python -m pytest --cov=repoze.who --cov-append --cov-report=
{toxinidir}/repoze/who/tests/ {toxinidir}/repoze/who/plugins/tests/
+usedevelop=true
deps =
zope.interface
WebOb
virtualenv
+ pytest
+ pytest-cov
+setenv =
+ COVERAGE_FILE=.coverage.{envname}
[testenv:cover]
+skip_install = true
basepython =
- python2.7
+ python3.8
commands =
- nosetests -qq
- coverage erase
- coverage run --timid --source=repoze setup.py -q test -q
- coverage report --show-missing --omit="*fixture*"
+ coverage combine
+ coverage report --fail-under=100 --show-missing --omit="*fixture*"
coverage xml
deps =
- zope.interface
- WebOb
- virtualenv
- nose
coverage
-
-# we separate coverage into its own testenv because a) "last run wins" wrt
-# cobertura jenkins reporting and b) pypy and jython can't handle any
-# combination of versions of coverage and nosexcover that i can find.
+setenv =
+ COVERAGE_FILE=.coverage
[testenv:docs]
basepython =
- python2.7
+ python3.8
commands =
sphinx-build -b html -d docs/_build/doctrees docs docs/_build/html
sphinx-build -b doctest -d docs/_build/doctrees docs docs/_build/doctest
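Review bot: [testenv:cover] now runs only coverage combine and coverage report, so it depends on the .coverage.{envname} data files left behind by earlier [testenv] runs. Invoked on its own (tox -e cover) there is nothing to combine and the env fails. Declare the ordering, for example with tox's depends setting, or add a comment that cover must run after the test envs. The comment block explaining why coverage has its own env is removed without a replacement, and virtualenv remains in the [testenv] deps although the pytest command shown does not reference it.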