
1 commit

Author SHA1 Message Date
Thomas Moschny
a826d6f1bf Fix CVE-2014-1402 (using patch from RHSA-2014:0748). 2014-06-13 20:52:51 +02:00
2 changed files with 74 additions and 1 deletions


@ -0,0 +1,64 @@
--- jinja2/bccache.py.orig 2011-07-12 14:02:32.000000000 +0200
+++ jinja2/bccache.py 2014-05-30 13:15:12.850410773 +0200
@@ -20,6 +20,9 @@
import tempfile
import cPickle as pickle
import fnmatch
+import os
+import errno
+import stat
try:
from hashlib import sha1
except ImportError:
@@ -194,7 +197,9 @@
two arguments: The directory where the cache items are stored and a
pattern string that is used to build the filename.
- If no directory is specified the system temporary items folder is used.
+ If no directory is specified a default cache directory is selected. On
+ Windows the user's temp directory is used, on UNIX systems a directory
+ is created for the user in the system temp directory.
The pattern can be used to have multiple separate caches operate on the
same directory. The default pattern is ``'__jinja2_%s.cache'``. ``%s``
@@ -207,10 +212,39 @@
def __init__(self, directory=None, pattern='__jinja2_%s.cache'):
if directory is None:
- directory = tempfile.gettempdir()
+ directory = self._get_default_cache_dir()
self.directory = directory
self.pattern = pattern
+ def _get_default_cache_dir(self):
+ tmpdir = tempfile.gettempdir()
+
+ # On windows the temporary directory is used specific unless
+ # explicitly forced otherwise. We can just use that.
+ if os.name == 'nt':
+ return tmpdir
+ if not hasattr(os, 'getuid'):
+ raise RuntimeError('Cannot determine safe temp directory. You '
+ 'need to explicitly provide one.')
+
+ dirname = '_jinja2-cache-%d' % os.getuid()
+ actual_dir = os.path.join(tmpdir, dirname)
+ try:
+ os.mkdir(actual_dir, stat.S_IRWXU) # 0o700
+ except OSError as e:
+ if e.errno != errno.EEXIST:
+ raise
+
+ actual_dir_stat = os.lstat(actual_dir)
+ if actual_dir_stat.st_uid != os.getuid() \
+ or not stat.S_ISDIR(actual_dir_stat.st_mode) \
+ or stat.S_IMODE(actual_dir_stat.st_mode) != stat.S_IRWXU:
+ raise RuntimeError('Temporary directory \'%s\' has an incorrect '
+ 'owner, permissions, or type.' % actual_dir)
+
+
+ return actual_dir
+
def _get_cache_filename(self, bucket):
return path.join(self.directory, self.pattern % bucket.key)
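Review bot: `_get_default_cache_dir` has no docstring, and the check after `os.mkdir` does not say why it uses `os.lstat` and an exact mode comparison, which is the security-relevant part of this fix. A short comment above the `lstat` call would help the next maintainer, for example `# lstat, not stat: a symlink or a directory pre-created by another user in the shared temp dir must be rejected, not followed`. The check also runs only when `directory` is None, so a caller-supplied directory is used as-is; the class docstring could add `An explicitly passed directory is not checked and must not be writable by other users.` The Windows branch returns the temp directory without any check, relying on it being per-user as its comment says; that comment's wording "is used specific" presumably means "is user specific". The class and `__init__` start outside the hunk, so how cache files are read back is not visible here.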


@ -10,12 +10,17 @@
Name: python-jinja2
Version: 2.6
Release: 6%{?dist}
Release: 7%{?dist}
Summary: General purpose template engine
Group: Development/Languages
License: BSD
URL: http://jinja.pocoo.org/
Source0: http://pypi.python.org/packages/source/J/Jinja2/Jinja2-%{version}.tar.gz
# This patch consists of two upstream patches merged and rebased
# (the first upstream patch introduced CVE-2014-0012 and the second fixed it)
# https://github.com/mitsuhiko/jinja2/commit/acb672b6a179567632e032f547582f30fa2f4aa7
# https://github.com/mitsuhiko/jinja2/pull/296/files
Patch0: Jinja2-2.6-fix-CVE-2014-1402.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch: noarch
BuildRequires: python-devel
@ -69,6 +74,7 @@ environments.
%prep
%setup -q -n Jinja2-%{version}
%patch0 -p0
# cleanup
find . -name '*.pyo' -o -name '*.pyc' -delete
@ -155,6 +161,9 @@ popd
%changelog
* Fri Jun 13 2014 Thomas Moschny <thomas.moschny@gmx.de> - 2.6-7
- Fix CVE-2014-1402 (using patch from RHSA-2014:0748).
* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.6-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild