Compare commits
1 commit
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
a826d6f1bf |
2 changed files with 74 additions and 1 deletions
64
Jinja2-2.6-fix-CVE-2014-1402.patch
Normal file
64
Jinja2-2.6-fix-CVE-2014-1402.patch
Normal file
|
|
@ -0,0 +1,64 @@
|
||||||
|
--- jinja2/bccache.py.orig 2011-07-12 14:02:32.000000000 +0200
|
||||||
|
+++ jinja2/bccache.py 2014-05-30 13:15:12.850410773 +0200
|
||||||
|
@@ -20,6 +20,9 @@
|
||||||
|
import tempfile
|
||||||
|
import cPickle as pickle
|
||||||
|
import fnmatch
|
||||||
|
+import os
|
||||||
|
+import errno
|
||||||
|
+import stat
|
||||||
|
try:
|
||||||
|
from hashlib import sha1
|
||||||
|
except ImportError:
|
||||||
|
@@ -194,7 +197,9 @@
|
||||||
|
two arguments: The directory where the cache items are stored and a
|
||||||
|
pattern string that is used to build the filename.
|
||||||
|
|
||||||
|
- If no directory is specified the system temporary items folder is used.
|
||||||
|
+ If no directory is specified a default cache directory is selected. On
|
||||||
|
+ Windows the user's temp directory is used, on UNIX systems a directory
|
||||||
|
+ is created for the user in the system temp directory.
|
||||||
|
|
||||||
|
The pattern can be used to have multiple separate caches operate on the
|
||||||
|
same directory. The default pattern is ``'__jinja2_%s.cache'``. ``%s``
|
||||||
|
@@ -207,10 +212,39 @@
|
||||||
|
|
||||||
|
def __init__(self, directory=None, pattern='__jinja2_%s.cache'):
|
||||||
|
if directory is None:
|
||||||
|
- directory = tempfile.gettempdir()
|
||||||
|
+ directory = self._get_default_cache_dir()
|
||||||
|
self.directory = directory
|
||||||
|
self.pattern = pattern
|
||||||
|
|
||||||
|
+ def _get_default_cache_dir(self):
|
||||||
|
+ tmpdir = tempfile.gettempdir()
|
||||||
|
+
|
||||||
|
+ # On windows the temporary directory is used specific unless
|
||||||
|
+ # explicitly forced otherwise. We can just use that.
|
||||||
|
+ if os.name == 'nt':
|
||||||
|
+ return tmpdir
|
||||||
|
+ if not hasattr(os, 'getuid'):
|
||||||
|
+ raise RuntimeError('Cannot determine safe temp directory. You '
|
||||||
|
+ 'need to explicitly provide one.')
|
||||||
|
+
|
||||||
|
+ dirname = '_jinja2-cache-%d' % os.getuid()
|
||||||
|
+ actual_dir = os.path.join(tmpdir, dirname)
|
||||||
|
+ try:
|
||||||
|
+ os.mkdir(actual_dir, stat.S_IRWXU) # 0o700
|
||||||
|
+ except OSError as e:
|
||||||
|
+ if e.errno != errno.EEXIST:
|
||||||
|
+ raise
|
||||||
|
+
|
||||||
|
+ actual_dir_stat = os.lstat(actual_dir)
|
||||||
|
+ if actual_dir_stat.st_uid != os.getuid() \
|
||||||
|
+ or not stat.S_ISDIR(actual_dir_stat.st_mode) \
|
||||||
|
+ or stat.S_IMODE(actual_dir_stat.st_mode) != stat.S_IRWXU:
|
||||||
|
+ raise RuntimeError('Temporary directory \'%s\' has an incorrect '
|
||||||
|
+ 'owner, permissions, or type.' % actual_dir)
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+ return actual_dir
|
||||||
|
+
|
||||||
|
def _get_cache_filename(self, bucket):
|
||||||
|
return path.join(self.directory, self.pattern % bucket.key)
|
||||||
|
|
||||||
|
|
@ -10,12 +10,17 @@
|
||||||
|
|
||||||
Name: python-jinja2
|
Name: python-jinja2
|
||||||
Version: 2.6
|
Version: 2.6
|
||||||
Release: 6%{?dist}
|
Release: 7%{?dist}
|
||||||
Summary: General purpose template engine
|
Summary: General purpose template engine
|
||||||
Group: Development/Languages
|
Group: Development/Languages
|
||||||
License: BSD
|
License: BSD
|
||||||
URL: http://jinja.pocoo.org/
|
URL: http://jinja.pocoo.org/
|
||||||
Source0: http://pypi.python.org/packages/source/J/Jinja2/Jinja2-%{version}.tar.gz
|
Source0: http://pypi.python.org/packages/source/J/Jinja2/Jinja2-%{version}.tar.gz
|
||||||
|
# This patch consists of two upstream patches merged and rebased
|
||||||
|
# (the first upstream patch introduced CVE-2014-0012 and the second fixed it)
|
||||||
|
# https://github.com/mitsuhiko/jinja2/commit/acb672b6a179567632e032f547582f30fa2f4aa7
|
||||||
|
# https://github.com/mitsuhiko/jinja2/pull/296/files
|
||||||
|
Patch0: Jinja2-2.6-fix-CVE-2014-1402.patch
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
BuildRequires: python-devel
|
BuildRequires: python-devel
|
||||||
|
|
@ -69,6 +74,7 @@ environments.
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q -n Jinja2-%{version}
|
%setup -q -n Jinja2-%{version}
|
||||||
|
%patch0 -p0
|
||||||
|
|
||||||
# cleanup
|
# cleanup
|
||||||
find . -name '*.pyo' -o -name '*.pyc' -delete
|
find . -name '*.pyo' -o -name '*.pyc' -delete
|
||||||
|
|
@ -155,6 +161,9 @@ popd
|
||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Jun 13 2014 Thomas Moschny <thomas.moschny@gmx.de> - 2.6-7
|
||||||
|
- Fix CVE-2014-1402 (using patch from RHSA-2014:0748).
|
||||||
|
|
||||||
* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.6-6
|
* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.6-6
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue