| Author | SHA1 | Date | |
|---|---|---|---|
a826d6f1bf |
2 changed files with 74 additions and 1 deletions
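--- a/Jinja2-2.6-fix-CVE-2014-1402.patch
+++ b/Jinja2-2.6-fix-CVE-2014-1402.patch
@@ -0,0 +1,64 @@
+--- jinja2/bccache.py.orig 2011-07-12 14:02:32.000000000 +0200
++++ jinja2/bccache.py 2014-05-30 13:15:12.850410773 +0200
+@@ -20,6 +20,9 @@
+import tempfile
+import cPickle as pickle
+import fnmatch
++import os
++import errno
++import stat
+try:
+from hashlib import sha1
+except ImportError:
+@@ -194,7 +197,9 @@
+two arguments: The directory where the cache items are stored and a
+pattern string that is used to build the filename.
+
+- If no directory is specified the system temporary items folder is used.
++ If no directory is specified a default cache directory is selected. On
++ Windows the user's temp directory is used, on UNIX systems a directory
++ is created for the user in the system temp directory.
+
+The pattern can be used to have multiple separate caches operate on the
+same directory. The default pattern is ``'__jinja2_%s.cache'``. ``%s``
+@@ -207,10 +212,39 @@
+
+def __init__(self, directory=None, pattern='__jinja2_%s.cache'):
+if directory is None:
+- directory = tempfile.gettempdir()
++ directory = self._get_default_cache_dir()
+self.directory = directory
+self.pattern = pattern
+
++ def _get_default_cache_dir(self):
++ tmpdir = tempfile.gettempdir()
++
++ # On windows the temporary directory is used specific unless
++ # explicitly forced otherwise. We can just use that.
++ if os.name == 'nt':
++ return tmpdir
++ if not hasattr(os, 'getuid'):
++ raise RuntimeError('Cannot determine safe temp directory. You '
++ 'need to explicitly provide one.')
++
++ dirname = '_jinja2-cache-%d' % os.getuid()
++ actual_dir = os.path.join(tmpdir, dirname)
++ try:
++ os.mkdir(actual_dir, stat.S_IRWXU) # 0o700
++ except OSError as e:
++ if e.errno != errno.EEXIST:
++ raise
++
++ actual_dir_stat = os.lstat(actual_dir)
++ if actual_dir_stat.st_uid != os.getuid() \
++ or not stat.S_ISDIR(actual_dir_stat.st_mode) \
++ or stat.S_IMODE(actual_dir_stat.st_mode) != stat.S_IRWXU:
++ raise RuntimeError('Temporary directory \'%s\' has an incorrect '
++ 'owner, permissions, or type.' % actual_dir)
++
++
++ return actual_dir
++
+def _get_cache_filename(self, bucket):
+return path.join(self.directory, self.pattern % bucket.key)
+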
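Review bot: The mode given to `os.mkdir(actual_dir, stat.S_IRWXU)` in `_get_default_cache_dir` is masked by the process umask, so under a umask that clears any owner bit (unusual, but possible) the directory the process itself just created ends up with a mode other than 0700 and the `stat.S_IMODE(actual_dir_stat.st_mode) != stat.S_IRWXU` check a few lines later raises RuntimeError against it. Adding an `else:` branch to that `try` with `os.chmod(actual_dir, stat.S_IRWXU)` pins the mode only on the freshly created, self-owned directory and leaves a pre-existing one to the owner/type/mode check, which stays as the guard against a directory planted by another user. Separately, the comment on the Windows branch reads `# On windows the temporary directory is used specific unless`, where "user specific" is presumably meant; it is the only statement of why the shared tempdir is accepted there, so it is worth correcting. The enclosing class starts before the hunk, so the surrounding imports (`path` used by `_get_cache_filename`) are not visible here.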
@ -10,12 +10,17 @@
|
Name: python-jinja2
Version: 2.6
Release: 6%{?dist}
Release: 7%{?dist}
Summary: General purpose template engine
Group: Development/Languages
License: BSD
URL: http://jinja.pocoo.org/
Source0: http://pypi.python.org/packages/source/J/Jinja2/Jinja2-%{version}.tar.gz
# This patch consists of two upstream patches merged and rebased
# (the first upstream patch introduced CVE-2014-0012 and the second fixed it)
# https://github.com/mitsuhiko/jinja2/commit/acb672b6a179567632e032f547582f30fa2f4aa7
# https://github.com/mitsuhiko/jinja2/pull/296/files
Patch0: Jinja2-2.6-fix-CVE-2014-1402.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch: noarch
BuildRequires: python-devel
@ -69,6 +74,7 @@ environments.
|
%prep
%setup -q -n Jinja2-%{version}
%patch0 -p0
|
# cleanup
find . -name '*.pyo' -o -name '*.pyc' -delete
@ -155,6 +161,9 @@ popd
|
|
%changelog
* Fri Jun 13 2014 Thomas Moschny <thomas.moschny@gmx.de> - 2.6-7
- Fix CVE-2014-1402 (using patch from RHSA-2014:0748).
|
* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.6-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
|