
From 9a35e728d8a49934f886fc99cb636b3339720c89 Mon Sep 17 00:00:00 2001
From: "Amber Brown (HawkOwl)" <hawkowl@atleastfornow.net>
Date: Wed, 10 Aug 2016 20:49:08 +0800
Subject: [PATCH 1/3] fix pyflakes

---
 twisted/web/test/test_cgi.py | 2 --
 1 file changed, 2 deletions(-)

Index: Twisted-15.2.1/twisted/web/test/test_cgi.py
===================================================================
--- Twisted-15.2.1.orig/twisted/web/test/test_cgi.py
+++ Twisted-15.2.1/twisted/web/test/test_cgi.py
@@ -5,13 +5,15 @@
 Tests for L{twisted.web.twcgi}.
 """
 
-import sys, os
+import sys
+import os
+import json
 
 from twisted.trial import unittest
 from twisted.internet import reactor, interfaces, error
 from twisted.python import util, failure, log
 from twisted.web.http import NOT_FOUND, INTERNAL_SERVER_ERROR
-from twisted.web import client, twcgi, server, resource
+from twisted.web import client, twcgi, server, resource, http_headers
 from twisted.web.test._util import _render
 from twisted.web.test.test_web import DummyRequest
 
@@ -73,6 +75,15 @@ print
 print "cgi output"
 '''
 
+HEADER_OUTPUT_CGI = '''\
+import json
+import os
+print("")
+print("")
+vals = {x:y for x,y in os.environ.items() if x.startswith("HTTP_")}
+print(json.dumps(vals))
+'''
+
 class PythonScript(twcgi.FilteredScript):
     filter = sys.executable
 
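Review bot: The filter in `vals = {x:y for x,y in os.environ.items() if x.startswith("HTTP_")}` only reports HTTP_-prefixed variables, so a header that reaches the script under another name is invisible to any test built on this script; the twcgi hunk in this same patch does exactly that for `Proxy`, which arrives as a bare `PROXY`. Widen the predicate to `if x.startswith("HTTP_") or "PROXY" in x` so every spelling of the proxy variable ends up in the JSON. The two `print("")` calls deserve a one-line comment such as `# no CGI headers: a blank line ends the header block, the JSON is the body`; the second blank line presumably lands in the body and is only tolerated because json.loads skips leading whitespace, so one print is likely enough.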
@@ -154,6 +165,32 @@ class CGITests(unittest.TestCase):
         return factory.deferred
 
 
+    def test_noProxyPassthrough(self):
+        """
+        The CGI script is never called with the Proxy header passed through.
+        """
+        cgiFilename = self.writeCGI(HEADER_OUTPUT_CGI)
+
+        portnum = self.startServer(cgiFilename)
+        url = "http://localhost:%d/cgi" % (portnum,)
+
+        agent = client.Agent(reactor)
+
+        headers = http_headers.Headers({"Proxy": ["foo"],
+                                        "X-Innocent-Header": ["bar"]})
+        d = agent.request("GET", url, headers=headers)
+
+        def checkResponse(response):
+            headers = json.loads(response)
+            self.assertEqual(
+                set(headers.keys()),
+                {"HTTP_HOST", "HTTP_CONNECTION", "HTTP_X_INNOCENT_HEADER"})
+
+        d.addCallback(client.readBody)
+        d.addCallback(checkResponse)
+        return d
+
+
     def test_duplicateHeaderCGI(self):
         """
         If a CGI script emits two instances of the same header, both are sent in
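Review bot: The assertion `set(headers.keys()) == {"HTTP_HOST", "HTTP_CONNECTION", "HTTP_X_INNOCENT_HEADER"}` pins the exact set of default headers Agent happens to emit, so the test fails whenever the client gains or loses a default header rather than when the mitigation regresses. State the property under test directly: `self.assertNotIn("HTTP_PROXY", headers)` and `self.assertIn("HTTP_X_INNOCENT_HEADER", headers)`. Note also that because HEADER_OUTPUT_CGI only reports HTTP_* variables, this test still passes when the Proxy value reaches the script as a bare `PROXY`, which the twcgi hunk of this patch still allows; as written it proves the prefix is dropped, not that the header is withheld.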
Index: Twisted-15.2.1/twisted/web/topfiles/8623.bugfix
===================================================================
--- /dev/null
+++ Twisted-15.2.1/twisted/web/topfiles/8623.bugfix
@@ -0,0 +1 @@
+twisted.web.twcgi.CGIScript will now not pass the "Proxy" header to CGI scripts, as a mitigation to CVE-2016-1000111.
Index: Twisted-15.2.1/twisted/web/twcgi.py
===================================================================
--- Twisted-15.2.1.orig/twisted/web/twcgi.py
+++ Twisted-15.2.1/twisted/web/twcgi.py
@@ -116,7 +116,7 @@ class CGIScript(resource.Resource):
         # Propagate HTTP headers
         for title, header in request.getAllHeaders().items():
             envname = title.replace('-', '_').upper()
-            if title not in ('content-type', 'content-length'):
+            if title not in ('content-type', 'content-length', 'proxy'):
                 envname = "HTTP_" + envname
             env[envname] = header
         # Propagate our environment
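Review bot: Adding 'proxy' to the exclusion tuple only removes the HTTP_ prefix; `env[envname] = header` on the next line still runs, so the attacker-controlled value reaches the script as `PROXY`. That is enough against httpoxy itself, since the affected libraries read HTTP_PROXY, but the 8623.bugfix entry says the header is not passed at all, and any script or tool that honours a bare PROXY variable remains exposed. Skip the header before the assignment instead, `if title == 'proxy': continue  # httpoxy, CVE-2016-1000111: never surface client-supplied proxy settings`, and leave the tuple at content-type/content-length. The enclosing method starts and ends outside the hunk, so any other place that copies request headers into env cannot be checked from here.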