Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
---|---|---|---|---|---|---|
0004-Adjust-flask_app.py-to-locate-template-static-and-th.patch | Adjust flask_app.py to locate template, static and theme files. On Debian, we install template, static and theme files under /usr/share/pagure (instead of /usr/lib/python3/dist-packages/pagure, which is upstream's default). For that reason, we have to adjust flask_app.py in order to make it properly locate these files. | Sergio Durigan Junior <sergiodj@debian.org> | not-needed | |||
0005-update-wtform-validator-call.patch | Fix wtforms issue. The Required validator is no longer available. This will use DataRequired instead of Required. | zlopez, Michal Konečný | not-needed | |||
0006-use-markupsafe-escape.patch | 'jinja2.escape' is deprecated and will be removed in Jinja 3.1. Import 'markupsafe.escape' instead. | Klaus Koder | not-needed | |||
0007-cgi-escape-removed.patch | Python 3.13 removes cgi | Matthieu Moy, Rebecca N. Palmer <rebecca_palmer@zoho.com> | no | debian | based on git-multimail ddc9a1c | |
0008-fix-warning-1085764.patch | Avoid invalid escape SyntaxWarning | Ville Skyttä | no | debian | git-multimail eb590c3 | |
0025-no-markdown-etree.patch | Be compatible with newer markdown | Michal Konečný, Dominik Wombacher | no | part of upstream ee9713375e857f054664dc82e14fa86bbd2fe1e6 | ||
0026-error-messages.patch | expect new spelling/format of error messages 19d2b27b + f9185cd0 + 061d07ec + 2dfe6da4 + a2b3d943 | Dominik Wombacher, Michal Konečný | not-needed | upstream 349fe5a9 + efc12ec5 + | ||
0027-dont-strip-None.patch | Check for None before using strip()/split(), not after 77a3fbf5 7832b71a 4351d921 dbb90e2c 83ad40b6 2889d1e9 dcb9b6a9 | Michal Konečný, Dominik Wombacher | not-needed | upstream | ||
0028-alembic-no3suffix.patch | Rename 'alembic-3' to 'alembic' in unit tests | Dominik Wombacher | not-needed | upstream 49be21253ea7ce2e48019a492c44d3f2ff804ccc | ||
0029-tests-gitolite-path.patch | Don't try to write somewhere that doesn't exist | Rebecca N. Palmer <rebecca_palmer@zoho.com> | not-needed | |||
0030-arrow-timestamp.patch | arrow 'timestamp' property removed in >=v1.0.0 | Dominik Wombacher, Michal Konečný, Rebecca N. Palmer <rebecca_palmer@zoho.com> | invalid | based on 39b99cc5 + febbf04e + ce28af0f + 5a73e49e | ||
0031-chardet-encoding-list.patch | expect newer chardet output | Dominik Wombacher | not-needed | upstream 50c49a5f + 86a42ecd | ||
0032-plugin-name-in-error.patch | actually use the name argument. Not using it raises an exception | Rebecca N. Palmer <rebecca_palmer@zoho.com> | no | |||
0033-error-messages2.patch | Accept new error messages | Rebecca N. Palmer <rebecca_palmer@zoho.com> | no | |||
0034-error-messages3.patch | Accept either werkzeug error. __version__ is removed in werkzeug 3.1 | Rebecca N. Palmer <rebecca_palmer@zoho.com> | no | |||
0035-avoid-415-emptyjson.patch | Don't require JSON to be marked as such (in particular, this allows requests where having *any* body data is optional) | Dominik Wombacher | not-needed | upstream 7235ae9ab0adcbe9def07fe4b6397a8edebb5393 | ||
0036-dont-assume-gitrepo.patch | Don't assume we're building from a git repo. read_output used git rev-list on the pagure repo (not a small test repo) as an example of a large output | Rebecca N. Palmer <rebecca_palmer@zoho.com> | invalid | |||
0037-emptystr-vs-None.patch | None is not the empty string | Dominik Wombacher | not-needed | upstream e830f17a + c719bf09 | ||
0002-Fix-Python-shebang-for-various-scripts.patch | Fix Python shebang for various scripts. Pagure ships with the "/usr/bin/env python" shebang, which doesn't work on Debian because "python" refers to Python 2. This patch replaces every occurrence of this by "/usr/bin/python3". | Sergio Durigan Junior <sergiodj@sergiodj.net> | invalid | |||
0003-Adjust-path-of-aclchecker.py.patch | Adjust path of aclchecker.py. Pagure's default_config.py file contains a hardcoded path for the aclchecker.py script which doesn't work for us (/usr/libexec, Fedora-specific). This patch adjusts the path to where we actually install the script (/usr/share/pagure). pagure-ev/pagure_ev.service is not similarly patched because we don't install that (we use our pagure-ev-server.service instead) | Sergio Durigan Junior <sergiodj@sergiodj.net> | not-needed | |||
0024-unittest-renames.patch | 'assertEquals' removed, replaced by 'assertEqual' | Dominik Wombacher | not-needed | upstream 8c301083 + d7803cdd | ||
0009-security.patch | Fix (probably minor) security issues. - Quote non-escaping in HTML: highlightjs/highlight.js#1475, highlightjs/highlight.js#2235. Only quotes, not other characters, were left unescaped. - JavaScript prototype pollution: lodash/lodash#4336 = CVE-2019-10744, lodash CVE-2018-16487, chartjs/Chart.js#7920, chartjs/Chart.js#7918. These are probably not exploitable from pagure, as the vulnerable merge functions are used for merging configuration objects with their defaults, and pagure only calls chartjs (from static/issues_stats.js) and diff2html (from templates/commit.html) with fixed configs, not configs depending on content supplied by other users (e.g. the commit or pull request being viewed). - Leaks existence/metadata of files outside the repository: Zip archiving a repository containing symlinks uses the metadata of the pointed-to file (which may be outside the repository), not the symlink itself, and fails if that file does not exist. (It used to include the file's content as well, CVE-2024-47515, but that has already been fixed by upstream.) | Kirill Efimov, John-David Dalton, Jukka Kurkela, Evert Timberg, Josh Goebel, Ivan Sagalaev, Rebecca N. Palmer <rebecca_palmer@zoho.com> | yes | mostly upstreams of these Javascript libraries | ||
0010-dont-crash-on-nameless-test.patch | Don't crash the test suite when _testMethodDoc is None | Rebecca N. Palmer <rebecca_palmer@zoho.com> | invalid | |||
0012-assume-new-chardet.patch | Remove broken version detection (original assumed <=3.x; when this patch was added, it was 5.x) | Rebecca N. Palmer <rebecca_palmer@zoho.com> | no | |||
0014-imp-pygit2remote-renamed.patch | they are now called importlib and pygit2.remotes | Dominik Wombacher, Rebecca N. Palmer <rebecca_palmer@zoho.com> | not-needed | upstream | ||
0015-sqlalchemy-relation-renamed.patch | use new name | Dominik Wombacher, Rebecca N. Palmer <rebecca_palmer@zoho.com> | not-needed | upstream | ||
0016-use-markupsafe-markup.patch | flask.Markup no longer exists | Dominik Wombacher, Rebecca N. Palmer <rebecca_palmer@zoho.com> | not-needed | upstream | ||
0017-spelling.patch | Fix typos and grammar | Rebecca N. Palmer <rebecca_palmer@zoho.com> | no | |||
0018-optional-test-depends.patch | Skip tests with dependencies we don't have | Rebecca N. Palmer <rebecca_palmer@zoho.com> | no | |||
0019-create_remote-removed.patch | stop using pygit2 Repository.create_remote. Does not exist in 1.14+, replaced by Repository.remotes.create | Dominik Wombacher | not-needed | upstream 1cf9ec5a298e04acc738f343b29c26b36ba273a3 | ||
0020-pygit2-hex-oid-removed.patch | Stop using pygit 2 .oid and .hex (they no longer exist). This generates approximately this patch (but isn't exactly what was used as some bugs were fixed afterwards) but needs some manual fixup shopt -s globstar dpkg-source --before-build . # the first one is where we can easily tell where the str( goes - note that ([ not ]) in (1) is intentional, (3) matches either nothing or one of [0], [-1], () # the __str__() form is used where we can't easily tell where the str( goes, and may be manually fixed up afterwards, or in jinja templates (where the builtins aren't available but method calls are) # ($|[^a-z]) is to avoid matching longer names that start with .oid or .hex # peel() is an object, .target and .tree_id are oids # assume the rest are objects (this way round as calling .id on already-an-oid will *immediately* fail) and see what complains for f0 in pagure/templates/**/*.html ; do sed -i -E -e 's/\.(oid|target|tree_id)\.hex($|[^a-z])/.\1.__str__()\2/g' -e 's/\.oid($|[^a-z])/.id\1/g' -e 's/\.hex($|[^a-z])/.id.__str__()\1/g' ${f0} ; done for f0 in pagure/**/*.py tests/**/*.py dev-data.py ; do sed -i -E -e 's/([ =\[\(\{])([0-9a-zA-Z_.]+?)(\[0\]|\[-1\]|\(\)|)\.(oid|target|tree_id)\.hex/\1str(\2\3.\4)/g' -e 's/\.(oid|target|tree_id)\.hex($|[^a-z])/.\1.__str__()\2/g' -e 's/\.oid($|[^a-z])/.id\1/g' -e 's/([ =\[\(\{])([0-9a-zA-Z_.]+?)(\[0\]|\[-1\]|\(\)|)\.hex($|[^a-z])/\1str(\2\3.id)\4/g' -e 's/\.hex($|[^a-z])/.id.__str__()\1/g' ${f0} ; done # this file uses uuid hex, undo whatever we did to that # other places that do were fixed manually git diff pagure/lib/query.py | patch -p1 -R grep -rniE -e "\.oid|\.hex" --exclude-dir=.pc --exclude-dir=debian . dpkg-source --commit . 0020-pygit2-hex-oid-removed.patch | Rebecca N. Palmer <rebecca_palmer@zoho.com> | no | |||
0021-bleach-now-frozenset.patch | can't add list to frozenset | Rebecca N. Palmer <rebecca_palmer@zoho.com> | not-needed | |||
0022-pygit2-git_obj_commit-removed.patch | Stop trying to use (removed) pygit2.GIT_OBJ_COMMIT | Rebecca N. Palmer <rebecca_palmer@zoho.com> | no | |||
0023-celery-no-empty-id.patch | Don't pass empty task_id to Celery. Fails in celery 5.3.0+ | Klaus Koder | not-needed | upstream |