=== modified file 'paste/errordocument.py'
--- paste/errordocument.py 2008-06-13 23:59:22 +0000
+++ paste/errordocument.py 2010-09-24 17:23:33 +0000
@@ -285,7 +285,7 @@
 parts = status.split(' ')
 try:
 code = int(parts[0])
- except ValueError, TypeError:
+ except (ValueError, TypeError):
 raise Exception(
 '_StatusBasedRedirect middleware '
 'received an invalid status code %s'%repr(parts[0])
=== modified file 'paste/httpexceptions.py'
--- paste/httpexceptions.py 2010-04-20 19:52:41 +0000
+++ paste/httpexceptions.py 2010-09-24 17:23:33 +0000
@@ -77,7 +77,7 @@
 from paste.wsgilib import catch_errors_app
 from paste.response import has_header, header_value, replace_header
 from paste.request import resolve_relative_url
-from paste.util.quoting import strip_html, html_quote, no_quote
+from paste.util.quoting import strip_html, html_quote, no_quote, comment_quote
 
 SERVER_NAME = 'WSGI Server'
 TEMPLATE = """\
@@ -212,12 +212,12 @@
 
 def plain(self, environ):
 """ text/plain representation of the exception """
- body = self.make_body(environ, strip_html(self.template), no_quote)
+ body = self.make_body(environ, strip_html(self.template), comment_quote)
 return ('%s %s\r\n%s\r\n' % (self.code, self.title, body))
 
 def html(self, environ):
 """ text/html representation of the exception """
- body = self.make_body(environ, self.template, html_quote, no_quote)
+ body = self.make_body(environ, self.template, html_quote, comment_quote)
 return TEMPLATE % {
 'title': self.title,
 'code': self.code,
=== modified file 'paste/urlmap.py'
--- paste/urlmap.py 2008-06-13 23:59:22 +0000
+++ paste/urlmap.py 2010-09-24 17:23:33 +0000
@@ -7,6 +7,7 @@
 from UserDict import DictMixin
 import re
 import os
+import cgi
 from paste import httpexceptions
 
 __all__ = ['URLMap', 'PathProxyURLMap']
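Review bot: In `plain()` in paste/httpexceptions.py, `comment_quote` is passed in the argument position that `html()` uses for the general escaper (`html_quote`), so in the text/plain body it would be applied to every substituted value rather than only to the comment text. `make_body`'s signature is outside the hunk, so this is inferred from the two call sites; if it holds, keep the general escaper and pass the comment escaper separately, `body = self.make_body(environ, strip_html(self.template), no_quote, comment_quote)`. If rewriting every value in the plain body is intended, a one-line comment above the call saying so would help the next reader. Both methods belong to a class whose header is not in the hunk.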
@@ -105,7 +106,7 @@
 extra += '\nHTTP_HOST: %r' % environ.get('HTTP_HOST')
 app = httpexceptions.HTTPNotFound(
 environ['PATH_INFO'],
- comment=extra).wsgi_application
+ comment=cgi.escape(extra)).wsgi_application
 return app(environ, start_response)
 
 def normalize_url(self, url, trim=True):
=== modified file 'paste/util/mimeparse.py'
--- paste/util/mimeparse.py 2010-04-20 19:52:41 +0000
+++ paste/util/mimeparse.py 2010-09-24 17:23:33 +0000
@@ -121,3 +121,26 @@
 for mime_type in supported]
 weighted_matches.sort()
 return weighted_matches[-1][0][1] and weighted_matches[-1][1] or ''
+
+def desired_matches(desired, header):
+ """Takes a list of desired mime-types in the order the server prefers to
+ send them regardless of the browsers preference.
+
+ Browsers (such as Firefox) technically want XML over HTML depending on how
+ one reads the specification. This function is provided for a server to
+ declare a set of desired mime-types it supports, and returns a subset of
+ the desired list in the same order should each one be Accepted by the
+ browser.
+
+ >>> sorted_match(['text/html', 'application/xml'], \
+ ... 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png')
+ ['text/html', 'application/xml']
+ >>> sorted_match(['text/html', 'application/xml'], 'application/xml,application/json')
+ ['application/xml']
+ """
+ matches = []
+ parsed_ranges = [parse_media_range(r) for r in header.split(",")]
+ for mimetype in desired:
+ if quality_parsed(mimetype, parsed_ranges):
+ matches.append(mimetype)
+ return matches
=== modified file 'paste/util/quoting.py'
--- paste/util/quoting.py 2010-04-20 19:52:41 +0000
+++ paste/util/quoting.py 2010-09-24 17:23:33 +0000
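Review bot: The `cgi.escape(extra)` call in paste/urlmap.py carries no comment explaining why it is there, although `extra` is built from request-controlled values (`HTTP_HOST` is visible in the hunk) and is handed to `HTTPNotFound` as `comment=`. I would add `# extra echoes request data into the error page's comment; escape it before it is rendered` above the `HTTPNotFound(` call. Since this commit also routes comments through `comment_quote` in httpexceptions, the comment should say whether the call-site escape is meant as a second layer or as the primary fix. The enclosing method starts outside the hunk.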
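Review bot: The doctest examples in `desired_matches` in paste/util/mimeparse.py call `sorted_match`, not the function being defined, so unless a `sorted_match` exists elsewhere in the module they fail with a NameError when the doctests run; both should start with `>>> desired_matches(['text/html', 'application/xml'],`. The accumulation loop can also be written as `return [m for m in desired if quality_parsed(m, parsed_ranges)]`. An empty Accept header is split into `['']` and passed to `parse_media_range`, whose handling of an empty string is outside the hunk and worth checking.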
@@ -76,6 +76,13 @@ """ return s +_comment_quote_re = re.compile(r'\-\s*\>') +def comment_quote(s): + """ + Quote that makes sure text can't escape a comment + """ + return _comment_quote_re.sub('->', str(s)) + url_quote = urllib.quote url_unquote = urllib.unquote === modified file 'tests/test_urlmap.py' --- tests/test_urlmap.py 2006-05-26 23:18:53 +0000 +++ tests/test_urlmap.py 2010-09-24 17:23:33 +0000 @@ -40,3 +40,8 @@ res.mustcontain('path_info="/z/y"') res.mustcontain('f-only') +def test_404(): + mapper = URLMap({}) + app = TestApp(mapper, extra_environ={'HTTP_ACCEPT': 'text/html'}) + res = app.get("/-->%0D", status=404) + assert '-->%0D", status=404) + assert '-->
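Review bot: As rendered on this page the replacement string in `comment_quote` (paste/util/quoting.py) is `'->'`, which would write the comment terminator back instead of neutralising it; the page may have decoded an entity, so confirm the source reads `_comment_quote_re.sub('-&gt;', str(s))`. The pattern `\-\s*\>` also does not cover `--!>`, which HTML5 parsers accept as the end of a comment, so escaping every `>` with `str(s).replace('>', '&gt;')` would be the more robust form. The docstring could state that the function is only meant for text placed between `<!--` and `-->`.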