merge code changes from fork

rouilj · rouilj · commit 1e82941b8c0a · 2019-10-23T13:41:01.000-04:00
diff --git a/roundup/cgi/client.py b/roundup/cgi/client.py
@@ -1145,7 +1145,7 @@ def handle_csrf(self, xmlrpc=False):
             state on the server (one nonce per form per
             page). If you have multiple forms/page this can
             lead to abandoned csrf tokens that have to time
-            out and get cleaned up.But you lose per form
+            out and get cleaned up. But you lose per form
             tokens which may be an advantage. Also the HMAC
             is constant for the session, so provides more
             occasions for it to be exposed.
@@ -1157,7 +1157,7 @@ def handle_csrf(self, xmlrpc=False):
             A session token lifetime is settable in
             config.ini.  A future enhancement to the
             creation routines should allow for the requester
-            of the token to set the lifetime.t
+            of the token to set the lifetime.
 
             The unique session key and user id is stored
             with the token. The token is valid if the stored
@@ -1187,7 +1187,7 @@ def handle_csrf(self, xmlrpc=False):
 
         # Assume: never allow changes via GET
         if self.env['REQUEST_METHOD'] not in ['POST', 'PUT', 'DELETE']:
-            if "@csrf" in self.form:
+            if (self.form.list is not None) and ("@csrf" in self.form):
                 # We have a nonce being used with a method it should
                 # not be. If the nonce exists, report to admin so they
                 # can fix the nonce leakage and destroy it. (nonces
diff --git a/roundup/cgi/templating.py b/roundup/cgi/templating.py
@@ -1153,11 +1153,16 @@ def history(self, direction='descending', dre=re.compile(r'^\d+$'),
 
                 arg_s = '<br />'.join(cell)
             else:
-                # unkown event!!
-                comments['unknown'] = self._(
-                    "<strong><em>This event is not handled"
-                    " by the history display!</em></strong>")
-                arg_s = '<strong><em>' + str(args) + '</em></strong>'
+                if action in ( 'retired', 'restored' ):
+                    # args = None for these actions
+                    pass
+                else:
+                    # unknown event!!
+                    comments['unknown'] = self._(
+                        "<strong><em>This event %s is not handled"
+                        " by the history display!</em></strong>"%action)
+                    arg_s = '<strong><em>' + str(args) + '</em></strong>'
+
             date_s = date_s.replace(' ', '&nbsp;')
             # if the user's an itemid, figure the username (older journals
             # have the username)
diff --git a/roundup/cgi/wsgi_handler.py b/roundup/cgi/wsgi_handler.py
@@ -14,6 +14,9 @@
 from roundup.cgi import TranslationService
 from roundup.anypy import http_
 from roundup.anypy.strings import s2b, bs2b
+
+from roundup.cgi.client import BinaryFieldStorage
+
 BaseHTTPRequestHandler = http_.server.BaseHTTPRequestHandler
 DEFAULT_ERROR_MESSAGE = http_.server.DEFAULT_ERROR_MESSAGE
 
@@ -69,21 +72,33 @@ def __call__(self, environ, start_response):
         request.headers = Headers(environ)
 
         if environ ['REQUEST_METHOD'] == 'OPTIONS':
-            code = 501
-            message, explain = BaseHTTPRequestHandler.responses[code]
-            request.start_response([('Content-Type', 'text/html'),
-                ('Connection', 'close')], code)
-            request.wfile.write(s2b(DEFAULT_ERROR_MESSAGE % locals()))
-            return []
-
+            if environ["PATH_INFO"][:5] == "/rest":
+                # rest does support options
+                # This I hope will result in self.form=None
+                environ['CONTENT_LENGTH'] = 0
+            else:
+                code = 501
+                message, explain = BaseHTTPRequestHandler.responses[code]
+                request.start_response([('Content-Type', 'text/html'),
+                                        ('Connection', 'close')], code)
+                request.wfile.write(s2b(DEFAULT_ERROR_MESSAGE % locals()))
+                return []
+        
         tracker = roundup.instance.open(self.home, not self.debug)
 
         # need to strip the leading '/'
         environ["PATH_INFO"] = environ["PATH_INFO"][1:]
         if request.timing:
             environ["CGI_SHOW_TIMING"] = request.timing
 
-        form = cgi.FieldStorage(fp=environ['wsgi.input'], environ=environ)
+        form = BinaryFieldStorage(fp=environ['wsgi.input'], environ=environ)
+
+        if environ ['REQUEST_METHOD'] in ("OPTIONS", "DELETE"):
+            # these methods have no data. When we init tracker.Client
+            # set form to None and request.rfile to None to get a
+            # properly initialized empty form.
+            form = None
+            request.rfile = None
 
         client = tracker.Client(tracker, request, environ, form,
             request.translator)
