From: Stuart Henderson <stu@spacehopper.org>
Subject: Re: unbreak wfuzz
To: Sebastian Reitenbach <sebastia@l00-bugdead-prods.de>
Cc: ports <ports@openbsd.org>
Date: Thu, 12 Feb 2026 15:46:57 +0000

On 2026/02/12 15:53, Sebastian Reitenbach wrote:
> Hi Stuart,
> 
> thanks for addressing this issue, I nearly forgot about it again.
> 
> For my main use-case (directory enumeration, WAY faster than dirb), it still works fine.
> More seldomly I use it to enumerate other HTTP fields, but I haven't tested that.
> 
> Wfuzz is still maintained upstream, even a newer subminer version exists, but it doesn't
> address the cgi problem.

Barely - one commit (plus the pseudo-commit because it was a PR merge)
since 2020, and what they have can't work on python 3.12/newer.

> Do you intend to upstream the patch? otherwise I'm happy to attempt to do so.

I wasn't going to but feel free to try!

the older patch to externals/moduleman/loader.py (fixing 3.12) already
came from a PR (from 2024 and ignored).

externals/reqresp/Response.py can be upstreamed as-is, it will work on
much older Python 3.x too.

helpers/file_func.py can't go upstream directly, it would need some
fallbacks for their "run from source dir without installing" code,
and for older Python.

> OK sebastia@

thanks.

> Sebastian
> 
> 
> 
> On Thu, Feb 12, 2026 at 12:14 PM Stuart Henderson <stu@spacehopper.org> wrote:
> 
>     - replace "cgi" from standard library, for this use the header parser
>     from email.message is a usable alternative. unbreaks with py3.13
>     - replace pkg_resources, will be removed in setuptools sometime
> 
>     ok?
> 
>     (alternatively: is this still useful to have?)
> 
>     Index: Makefile
>     ===================================================================
>     RCS file: /cvs/ports/security/wfuzz/Makefile,v
>     diff -u -p -r1.10 Makefile
>     --- Makefile    17 Jun 2025 12:52:34 -0000      1.10
>     +++ Makefile    12 Feb 2026 11:09:12 -0000
>     @@ -2,7 +2,7 @@ COMMENT =       web fuzzer
> 
>      MODPY_DISTV =  3.1.0
>      DISTNAME =     wfuzz-${MODPY_DISTV}
>     -REVISION =     6
>     +REVISION =     7
> 
>      CATEGORIES =   security www
> 
>     @@ -13,16 +13,16 @@ MAINTAINER =        Sebastian Reitenbach <sebas
>      # GPLv2
>      PERMIT_PACKAGE =       Yes
> 
>     -MODPY_PI =             Yes
>     +MODPY_PI =     Yes
> 
>     -MODULES =              lang/python
>     +MODULES =      lang/python
>      MODPY_PYBUILD =        setuptools
> 
>     -RUN_DEPENDS =          devel/py-parsing \
>     -                       devel/py-six \
>     -                       net/py-curl \
>     -                       textproc/py-chardet
>     +RUN_DEPENDS =  devel/py-parsing \
>     +               devel/py-six \
>     +               net/py-curl \
>     +               textproc/py-chardet
> 
>     -BUILD_DEPENDS =                ${RUN_DEPENDS}
>     +#BUILD_DEPENDS =       ${RUN_DEPENDS}
> 
>      .include <bsd.port.mk>
>     Index: patches/patch-src_wfuzz_externals_reqresp_Response_py
>     ===================================================================
>     RCS file: patches/patch-src_wfuzz_externals_reqresp_Response_py
>     diff -N patches/patch-src_wfuzz_externals_reqresp_Response_py
>     --- /dev/null   1 Jan 1970 00:00:00 -0000
>     +++ patches/patch-src_wfuzz_externals_reqresp_Response_py       12 Feb 2026 11:09:12 -0000
>     @@ -0,0 +1,22 @@
>     +suggested replacement for removed API:
>     +https://peps.python.org/pep-0594/#cgi
>     +
>     +Index: src/wfuzz/externals/reqresp/Response.py
>     +--- src/wfuzz/externals/reqresp/Response.py.orig
>     ++++ src/wfuzz/externals/reqresp/Response.py
>     +@@ -1,5 +1,5 @@
>     + import re
>     +-import cgi
>     ++from email.message import Message
>     +
>     + from io import BytesIO
>     + import gzip
>     +@@ -22,7 +22,7 @@ def get_encoding_from_headers(headers):
>     +     if not content_type:
>     +         return None
>     +
>     +-    content_type, params = cgi.parse_header(content_type)
>     ++    content_type, params = Message(content_type)
>     +
>     +     if "charset" in params:
>     +         return params["charset"].strip("'\"")
>     Index: patches/patch-src_wfuzz_helpers_file_func_py
>     ===================================================================
>     RCS file: patches/patch-src_wfuzz_helpers_file_func_py
>     diff -N patches/patch-src_wfuzz_helpers_file_func_py
>     --- /dev/null   1 Jan 1970 00:00:00 -0000
>     +++ patches/patch-src_wfuzz_helpers_file_func_py        12 Feb 2026 11:09:12 -0000
>     @@ -0,0 +1,32 @@
>     +pkg_resources will go away
>     +
>     +Index: src/wfuzz/helpers/file_func.py
>     +--- src/wfuzz/helpers/file_func.py.orig
>     ++++ src/wfuzz/helpers/file_func.py
>     +@@ -1,7 +1,6 @@
>     + import os
>     + import sys
>     + import re
>     +-import pkg_resources
>     +
>     + from chardet.universaldetector import UniversalDetector
>     + import chardet
>     +@@ -10,15 +9,9 @@ from ..exception import FuzzExceptInternalError
>     +
>     +
>     + def get_filter_help_file():
>     +-    FILTER_HELP_FILE = "advanced.rst"
>     +-    FILTER_HELP_DEV_FILE = "../../../docs/user/advanced.rst"
>     +-
>     +-    filter_help_text = None
>     +-    try:
>     +-        fname = pkg_resources.resource_filename("wfuzz", FILTER_HELP_FILE)
>     +-        filter_help_text = open(fname).read()
>     +-    except IOError:
>     +-        filter_help_text = open(get_path(FILTER_HELP_DEV_FILE)).read()
>     ++    ref = importlib_resources.files('wfuzz') / 'advanced.rst'
>     ++    with importlib_resources.as_file(ref) as path:
>     ++        filter_help_text = open(path).read()
>     +
>     +     return filter_help_text
>     +
>