fix: fix possible HTTP Response Splitting in roundup-server

CodeQL flagged a possible HTTP Response Splitting in the Location
header's URL.

The AI suggested cleaning the Host value, except the URL also includes
the query parameters in the URL so they could potentially trigger the
issue. Th host header probably doesn;t have a newline or cr in it
otherwise it wouldn't have been recognized by the server as a valid
host.

In any case strip all \n or \r from the url before use.

Also update CHANGES.txt with fixing the gpg install.

Author: rouilj

CHANGES.txt

@@ -95,6 +95,8 @@ Fixed:
 - issue2551406: 'Templating Error: too many values to unpack' crash
   fixed. (reported by and patch Christof Meerwald, commit/test John
   Rouillard)
+- fix potential HTTP Response Splitting issue in
+  roundup-server. Discovered by CodeQL in CI. (John Rouillard)
 
 Features:
 
@@ -151,6 +153,8 @@ Features:
   Schlatterbeck)
 - issue2551231 - template.py-HTMLClass::classhelp doesn't merge
   user defined classes. It now merges them in. (John Rouillard)
+- re-enable support for GPG/PGP encrypted emails using new python gpg
+  pakage on the test pypi instance. (Paul Schwabauer)
 
 2024-07-13 2.4.0
 

roundup/scripts/roundup_server.py

@@ -432,6 +432,10 @@ def inner_run_cgi(self):
             url = '%s://%s%s/' % (protocol, self.headers['host'], rest)
             if query:
                 url += '?' + query
+
+            # Do not allow literal \n or \r in URL to prevent
+            # HTTP Response Splitting
+            url = re.sub("[\r\n]", "", url)
             self.send_header('Location', url)
             self.send_header('Content-Length', 17)
             self.end_headers()