From metatracker at psf.upfronthosting.co.za Thu Oct 5 22:33:35 2017
From: metatracker at psf.upfronthosting.co.za (John Rouillard)
Date: Fri, 06 Oct 2017 02:33:35 +0000
Subject: [Tracker-discuss] [issue580] CSV Injection Vulnerability
In-Reply-To: <1456222775.65.0.0851572486272.issue580@psf.upfronthosting.co.za>
Message-ID: <1507257215.74.0.213398074469.issue580@psf.upfronthosting.co.za>

John Rouillard added the comment:

Hi all:

If the generated csv line looks like:

"-2+3+cmd|' /C calc'!A0","7","stalled","I cansee","","2017-10-05 22:15","0"

with the quotes surrounding the injected data, will that prevent the injection?

To generate the above I changed the calls to csv.writer in the handler function from:

  writer = csv.writer(wfile)

to

  writer = csv.writer(wfile, quoting=csv.QUOTE_NONNUMERIC)

so it quotes more fields. QUOTE_NONNUMERIC can also be replaced by QUOTE_ALL. In the case above the "7" field is an id which is a string and not a number so it is quoted.

If this works, I will open an upstream ticket and fix it upstream. You guys will still want to fix it locally.

-- rouilj

----------
nosy: +rouilj

_______________________________________________________
PSF Meta Tracker
_______________________________________________________

From metatracker at psf.upfronthosting.co.za Mon Oct 9 22:36:19 2017
From: metatracker at psf.upfronthosting.co.za (Paul Kehrer)
Date: Tue, 10 Oct 2017 02:36:19 +0000
Subject: [Tracker-discuss] [issue643] Chinese users can't load/submit python bugs
Message-ID: <1507602979.16.0.213398074469.issue643@psf.upfronthosting.co.za>

New submission from Paul Kehrer :

bugs.python.org uses ajax.googleapis.com to load jquery and jquery-ui on the bugs.python.org issue and issue submission pages. This CDN is inaccessible in China so Chinese users (who are not on a VPN) can't view or submit Python bugs. If possible it'd be great to change this so Python users in China can potentially contribute to the language.

----------
messages: 3406
nosy: reaperhulk
priority: wish
status: unread
title: Chinese users can't load/submit python bugs

_______________________________________________________
PSF Meta Tracker
_______________________________________________________

From metatracker at psf.upfronthosting.co.za Mon Oct 23 19:58:33 2017
From: metatracker at psf.upfronthosting.co.za (Cheryl Sabella)
Date: Mon, 23 Oct 2017 23:58:33 +0000
Subject: [Tracker-discuss] [issue644] 'Random Issue' Button isn't working
Message-ID: <1508803113.44.0.213398074469.issue644@psf.upfronthosting.co.za>

New submission from Cheryl Sabella :

The 'Random Issue' button used to show a new issue every time it was clicked, but for the past few weeks, the issue returned only changes once a day.

----------
messages: 3407
nosy: csabella
priority: bug
status: unread
title: 'Random Issue' Button isn't working

_______________________________________________________
PSF Meta Tracker
_______________________________________________________

From metatracker at psf.upfronthosting.co.za Fri Oct 27 20:36:59 2017
From: metatracker at psf.upfronthosting.co.za (John Rouillard)
Date: Sat, 28 Oct 2017 00:36:59 +0000
Subject: [Tracker-discuss] [issue583] Failed to alter nosy list when someone's name has a comma in
In-Reply-To: <1458715363.18.0.462965037696.issue583@psf.upfronthosting.co.za>
Message-ID: <1509151019.92.0.213398074469.issue583@psf.upfronthosting.co.za>

John Rouillard added the comment:

See: http://issues.roundup-tracker.org/issue2550921 for code to add to userauditor.py that limits what can be used as a username.

I am not sure if it's run prior to registration, so it may be possible to register with a , but it should stop changing it to use bad characters in the username afterwards.

----------
nosy: +rouilj

_______________________________________________________
PSF Meta Tracker
_______________________________________________________

From metatracker at psf.upfronthosting.co.za Fri Oct 27 20:54:52 2017
From: metatracker at psf.upfronthosting.co.za (John Rouillard)
Date: Sat, 28 Oct 2017 00:54:52 +0000
Subject: [Tracker-discuss] [issue500] Posting changes from "old" tracker pages causes spurious updates
In-Reply-To: <1357269507.95.0.118401099594.issue500@psf.upfronthosting.co.za>
Message-ID: <1509152092.62.0.213398074469.issue500@psf.upfronthosting.co.za>

John Rouillard added the comment:

Newer versions of roundup use a timestamp nonce to prevent a form with stale data from being accepted. I think this fixes the problem you report.

----------
nosy: +rouilj

_______________________________________________________
PSF Meta Tracker
_______________________________________________________

From metatracker at psf.upfronthosting.co.za Fri Oct 27 21:05:09 2017
From: metatracker at psf.upfronthosting.co.za (John Rouillard)
Date: Sat, 28 Oct 2017 01:05:09 +0000
Subject: [Tracker-discuss] [issue295] title is changed by email updates when only whitespace had changed
In-Reply-To: <1248179761.3.0.0135867721483.issue295@psf.upfronthosting.co.za>
Message-ID: <1509152709.77.0.213398074469.issue295@psf.upfronthosting.co.za>

John Rouillard added the comment:

Also in 2.6 there is an option in config.ini:

# Update issue title if incoming subject of email is different.
# Setting this to "no" will ignore the title part of the subject
# of incoming email messages.
#
# Allowed values: yes, no
# Default: yes
subject_updates_title = no

Now that the tracker is upgraded you should be able to enable that flag.

----------
nosy: +rouilj

_______________________________________________________
PSF Meta Tracker
_______________________________________________________

From metatracker at psf.upfronthosting.co.za Fri Oct 27 21:22:04 2017
From: metatracker at psf.upfronthosting.co.za (John Rouillard)
Date: Sat, 28 Oct 2017 01:22:04 +0000
Subject: [Tracker-discuss] [issue369] email gateway refused comment posting
In-Reply-To: <1294139661.38.0.206757900841.issue369@psf.upfronthosting.co.za>
Message-ID: <1509153724.74.0.213398074469.issue369@psf.upfronthosting.co.za>

John Rouillard added the comment:

This is the same as: issue640 I think. Same solution: set loose subject parsing in config.ini in the newer roundup code.

----------
nosy: +rouilj

_______________________________________________________
PSF Meta Tracker
_______________________________________________________

From metatracker at psf.upfronthosting.co.za Fri Oct 27 21:55:00 2017
From: metatracker at psf.upfronthosting.co.za (John Rouillard)
Date: Sat, 28 Oct 2017 01:55:00 +0000
Subject: [Tracker-discuss] [issue360] Atom feeds for issues
In-Reply-To: <1288805658.7.0.263813425585.issue360@psf.upfronthosting.co.za>
Message-ID: <1509155700.93.0.213398074469.issue360@psf.upfronthosting.co.za>

John Rouillard added the comment:

See:

http://www.roundup-tracker.org/cgi-bin/moin.cgi/DetectorBasedFeedGeneration

or

http://www.roundup-tracker.org/cgi-bin/moin.cgi/TemplateBasedFeedGeneration

for other ideas.

----------
nosy: +rouilj

_______________________________________________________
PSF Meta Tracker
_______________________________________________________

From metatracker at psf.upfronthosting.co.za Sat Oct 28 16:01:03 2017
From: metatracker at psf.upfronthosting.co.za (Maciej Szulik)
Date: Sat, 28 Oct 2017 20:01:03 +0000
Subject: [Tracker-discuss] [issue634] Only link PR to the bpo that is in the PR title, not the body
In-Reply-To: <1497060629.6.0.388698227929.issue634@psf.upfronthosting.co.za>
Message-ID: <1509220863.76.0.213398074469.issue634@psf.upfronthosting.co.za>

Maciej Szulik added the comment:

One other option is to give different priorities. For example, if title has bpo-#### we don't look further in the body and assume this is it. But I bet people will complain about that approach as well. I doubt there's a golden middle way we can satisfy all users.

_______________________________________________________
PSF Meta Tracker
_______________________________________________________
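
Added example, not part of the archived messages or of Roundup's code: a check of the question raised in the issue580 message above, run with Python's csv module on the row quoted there. It parses the quoted output back to see what the first cell contains, and compares that with the commonly recommended mitigation of prefixing formula-trigger cells with a single quote; `neutralize`, `write_row`, `cells_seen_by_consumer` and `starts_formula` are hypothetical helper names.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Row from the issue580 message; the first field carries the injected data.
ROW = ["-2+3+cmd|' /C calc'!A0", "7", "stalled", "I cansee", "",
       "2017-10-05 22:15", "0"]


def neutralize(value):
    """Prefix formula-looking strings with a single quote so they load as text.

    Caveat: this also prefixes legitimate values such as "-5".
    """
    if isinstance(value, str) and value.startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def write_row(row, quoting=csv.QUOTE_MINIMAL, sanitize=False):
    """Serialize one row with csv.writer, optionally neutralizing each cell."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=quoting)
    writer.writerow([neutralize(v) for v in row] if sanitize else row)
    return buf.getvalue()


def cells_seen_by_consumer(csv_text):
    """Parse the line back: CSV quotes are removed before cell content is used."""
    return next(csv.reader(io.StringIO(csv_text)))


def starts_formula(cell):
    """True if the parsed cell begins with a formula-trigger character."""
    return cell.startswith(FORMULA_TRIGGERS)


if __name__ == "__main__":
    for label, text in [
        ("QUOTE_ALL", write_row(ROW, csv.QUOTE_ALL)),
        ("QUOTE_NONNUMERIC", write_row(ROW, csv.QUOTE_NONNUMERIC)),
        ("neutralized", write_row(ROW, sanitize=True)),
    ]:
        first = cells_seen_by_consumer(text)[0]
        print(f"{label:17} first cell {first!r} formula-like: {starts_formula(first)}")
```

The parsed first cell is identical under QUOTE_ALL and QUOTE_NONNUMERIC, because the quotes are field delimiters that a CSV reader strips; only the neutralized row yields a cell that no longer begins with a trigger character.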