From: Marius Brehler
Date: Thu, 17 Sep 2015 18:11:24 +0000 (+0200)
Subject: dev-python/ipython: Fix security issue
X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=refs%2Fremotes%2Fgithub%2Fpr%2F100;p=gentoo.git
dev-python/ipython: Fix security issue
"Maliciously crafted text files in IPython/Jupyter editor"
http://seclists.org/oss-sec/2015/q3/558
https://bugs.gentoo.org/show_bug.cgi?id=560708
Package-Manager: portage-2.2.20.1
---
diff --git a/dev-python/ipython/files/ipython-3.2.1-Don-t-redirect-from-edit-to-files.patch b/dev-python/ipython/files/ipython-3.2.1-Don-t-redirect-from-edit-to-files.patch
new file mode 100644
index 000000000000..5ec742c34cf8
--- /dev/null
+++ b/dev-python/ipython/files/ipython-3.2.1-Don-t-redirect-from-edit-to-files.patch
@@ -0,0 +1,55 @@ +Upstream patch to fix +"Maliciously crafted text files in IPython/Jupyter editor". + +http://seclists.org/oss-sec/2015/q3/558 +https://bugs.gentoo.org/show_bug.cgi?id=560708 + + +From 2b835ca6daec2592d9127dc85bf2cdcfb718edf2 Mon Sep 17 00:00:00 2001 +From: Min RK +Date: Mon, 20 Jul 2015 12:11:23 -0700 +Subject: [PATCH 4/4] Don't redirect from /edit/ to /files/ + +show failure to decode, instead +--- + IPython/html/static/edit/js/editor.js | 15 +++------------ + 1 file changed, 3 insertions(+), 12 deletions(-) + +diff --git a/IPython/html/static/edit/js/editor.js b/IPython/html/static/edit/js/editor.js +index dd12ea4..75d65e0 100644 +--- a/IPython/html/static/edit/js/editor.js ++++ b/IPython/html/static/edit/js/editor.js +@@ -90,19 +90,10 @@ function($, + }).catch( + function(error) { + that.events.trigger("file_load_failed.Editor", error); +- if (((error.xhr||{}).responseJSON||{}).reason === 'bad format') { +- window.location = utils.url_path_join( +- that.base_url, +- 'files', +- that.file_path +- ); +- } else { +- console.warn('Error while loading: the error was:') +- console.warn(error) +- } ++ console.warn('Error loading: ', error); + cm.setValue("Error! " + error.message + + "\nSaving disabled.\nSee Console for more details."); +- cm.setOption('readOnly','nocursor') ++ cm.setOption('readOnly','nocursor'); + that.save_enabled = false; + } + ); +@@ -186,7 +177,7 @@ function($, + Editor.prototype._clean_state = function(){ + var clean = this.codemirror.isClean(this.generation); + if (clean === this.clean){ +- return ++ return; + } else { + this.clean = clean; + } +-- +2.4.6 + diff --git a/dev-python/ipython/files/ipython-3.2.1-only-redirect-to-editor-for-text-documents.patch b/dev-python/ipython/files/ipython-3.2.1-only-redirect-to-editor-for-text-documents.patch new file mode 100644 index 000000000000..4b1f7d3686c0 --- /dev/null +++ b/dev-python/ipython/files/ipython-3.2.1-only-redirect-to-editor-for-text-documents.patch 
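Review bot: The reason the `window.location` redirect to `files` was dropped is not recorded next to the new `console.warn('Error loading: ', error);` line in the `.catch` handler of editor.js, so a later cleanup could bring the redirect back as a convenience. I would add a comment above that line such as `// Never navigate to /files/ on a load or decode failure; show the error in the read-only editor instead.` The handler still ends with a `readOnly` CodeMirror and `that.save_enabled = false`, which is the behaviour worth pinning in a test. The enclosing function starts before the inner hunk, so how `error` is produced is not visible here.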
@@ -0,0 +1,38 @@ +Upstream patch to fix +"Maliciously crafted text files in IPython/Jupyter editor". + +http://seclists.org/oss-sec/2015/q3/558 +https://bugs.gentoo.org/show_bug.cgi?id=560708 + + +From df24d9153b86863ccfa98bf509704d9304143ce1 Mon Sep 17 00:00:00 2001 +From: Min RK +Date: Mon, 20 Jul 2015 12:11:04 -0700 +Subject: [PATCH 3/4] only redirect to editor for text documents + +treat unidentified mime-types as text +--- + IPython/html/static/tree/js/notebooklist.js | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/IPython/html/static/tree/js/notebooklist.js b/IPython/html/static/tree/js/notebooklist.js +index 0065143..d8c7b2a 100644 +--- a/IPython/html/static/tree/js/notebooklist.js ++++ b/IPython/html/static/tree/js/notebooklist.js +@@ -532,6 +532,13 @@ define([ + icon = 'running_' + icon; + } + var uri_prefix = NotebookList.uri_prefixes[model.type]; ++ if (model.type === 'file' && ++ model.mimetype && model.mimetype.substr(0,5) !== 'text/' ++ ) { ++ // send text/unidentified files to editor, others go to raw viewer ++ uri_prefix = 'files'; ++ } ++ + item.find(".item_icon").addClass(icon).addClass('icon-fixed-width'); + var link = item.find("a.item_link") + .attr('href', +-- +2.4.6 + diff --git a/dev-python/ipython/files/ipython-3.2.1-set-mime-type-on-files.patch b/dev-python/ipython/files/ipython-3.2.1-set-mime-type-on-files.patch new file mode 100644 index 000000000000..b5d4b5fbd668 --- /dev/null +++ b/dev-python/ipython/files/ipython-3.2.1-set-mime-type-on-files.patch 
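Review bot: The new branch in notebooklist.js sends every file whose `model.mimetype` does not start with `text/` to the `files` prefix, and that set includes script-capable types such as `image/svg+xml`; the check only protects the editor path. Whether `/files/` responses are isolated from the notebook origin (a download disposition or a sandboxing policy) is not visible in this patch set and should be confirmed before relying on the split. The added comment could also spell out the fall-through, for example `// missing or text/* mimetype -> editor (shown as text, never rendered); anything else -> raw /files/ view`. The surrounding function begins outside the hunk.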
@@ -0,0 +1,35 @@ +Upstream patch to fix +"Maliciously crafted text files in IPython/Jupyter editor". + +http://seclists.org/oss-sec/2015/q3/558 +https://bugs.gentoo.org/show_bug.cgi?id=560708 + + +From d729ce7c2063c0de746a7c2ea39697040d0af5bf Mon Sep 17 00:00:00 2001 +From: Min RK +Date: Mon, 20 Jul 2015 12:10:10 -0700 +Subject: [PATCH 1/4] set mime-type on /files/ + +--- + IPython/html/files/handlers.py | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/IPython/html/files/handlers.py b/IPython/html/files/handlers.py +index 7727d08..b358d94 100644 +--- a/IPython/html/files/handlers.py ++++ b/IPython/html/files/handlers.py +@@ -40,6 +40,11 @@ def get(self, path): + cur_mime = mimetypes.guess_type(name)[0] + if cur_mime is not None: + self.set_header('Content-Type', cur_mime) ++ else: ++ if model['format'] == 'base64': ++ self.set_header('Content-Type', 'application/octet-stream') ++ else: ++ self.set_header('Content-Type', 'text/plain') + + if model['format'] == 'base64': + b64_bytes = model['content'].encode('ascii') +-- +2.4.6 + diff --git a/dev-python/ipython/files/ipython-3.2.1-set-model-mimetype-even-when-content-False.patch b/dev-python/ipython/files/ipython-3.2.1-set-model-mimetype-even-when-content-False.patch new file mode 100644 index 000000000000..a69f746f64c0 --- /dev/null +++ b/dev-python/ipython/files/ipython-3.2.1-set-model-mimetype-even-when-content-False.patch 
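Review bot: The added `else` branch in `get()` picks `text/plain` or `application/octet-stream` when `mimetypes.guess_type` returns nothing, but the hunk sets no `X-Content-Type-Options` header, so a browser that sniffs content may still interpret the body as a different type. Unless a base handler already sends it (not visible here), add `self.set_header('X-Content-Type-Options', 'nosniff')` next to the Content-Type logic. The nested `if` can also be flattened to `elif model['format'] == 'base64':` followed by `else:`. `get()` begins and continues outside the hunk.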
@@ -0,0 +1,64 @@ +Upstream patch to fix +"Maliciously crafted text files in IPython/Jupyter editor". + +http://seclists.org/oss-sec/2015/q3/558 +https://bugs.gentoo.org/show_bug.cgi?id=560708 + + +From 50a1366a8fcfb94671c87199515ebc922882f447 Mon Sep 17 00:00:00 2001 +From: Min RK +Date: Mon, 20 Jul 2015 12:10:25 -0700 +Subject: [PATCH 2/4] set model mimetype, even when content=False + +--- + IPython/html/services/contents/filemanager.py | 12 +++++++----- + IPython/html/services/contents/handlers.py | 3 --- + 2 files changed, 7 insertions(+), 8 deletions(-) + +diff --git a/IPython/html/services/contents/filemanager.py b/IPython/html/services/contents/filemanager.py +index 01ce07b..c869c75 100644 +--- a/IPython/html/services/contents/filemanager.py ++++ b/IPython/html/services/contents/filemanager.py +@@ -277,18 +277,20 @@ def _file_model(self, path, content=True, format=None): + model['type'] = 'file' + + os_path = self._get_os_path(path) ++ model['mimetype'] = mimetypes.guess_type(os_path)[0] + + if content: + content, format = self._read_file(os_path, format) +- default_mime = { +- 'text': 'text/plain', +- 'base64': 'application/octet-stream' +- }[format] ++ if model['mimetype'] is None: ++ default_mime = { ++ 'text': 'text/plain', ++ 'base64': 'application/octet-stream' ++ }[format] ++ model['mimetype'] = default_mime + + model.update( + content=content, + format=format, +- mimetype=mimetypes.guess_type(os_path)[0] or default_mime, + ) + + return model +diff --git a/IPython/html/services/contents/handlers.py b/IPython/html/services/contents/handlers.py +index 5cd849e..d77e70e 100644 +--- a/IPython/html/services/contents/handlers.py ++++ b/IPython/html/services/contents/handlers.py +@@ -52,9 +52,6 @@ def validate_model(model, expect_content): + ) + + maybe_none_keys = ['content', 'format'] +- if model['type'] == 'file': +- # mimetype should be populated only for file models +- maybe_none_keys.append('mimetype') + if expect_content: + errors = [key for key in 
maybe_none_keys if model[key] is None] + if errors: +-- +2.4.6 + diff --git a/dev-python/ipython/ipython-3.2.1-r1.ebuild b/dev-python/ipython/ipython-3.2.1-r1.ebuild new file mode 100644 index 000000000000..19a158882a27 --- /dev/null +++ b/dev-python/ipython/ipython-3.2.1-r1.ebuild 
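Review bot: After this change `validate_model` in contents/handlers.py no longer checks `mimetype` at all, while `_file_model` in filemanager.py can still leave `model['mimetype']` as `None` when `content=False` and the extension is unknown. The notebooklist.js patch in this series treats a missing mimetype as text, so that `None` now decides where a file is opened and should be documented at the assignment, for example `# May stay None when content=False; clients treat a missing mimetype as text.` The guess is made from the path alone, so it would also help to state in the docstring that the value is a hint and not a property of the file's content. Both functions start outside their hunks.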
@@ -0,0 +1,155 @@ +# Copyright 1999-2015 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Id$ + +EAPI=5 + +PYTHON_COMPAT=( python2_7 python3_{3,4} ) +PYTHON_REQ_USE='readline,sqlite' + +inherit distutils-r1 eutils virtualx + +DESCRIPTION="Advanced interactive shell for Python" +HOMEPAGE="http://ipython.org/" +SRC_URI="mirror://pypi/${PN:0:1}/${PN}/${P}.tar.gz" + +LICENSE="BSD" +SLOT="0" +KEYWORDS="~amd64 ~arm ~mips ~ppc ~ppc64 ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos" +IUSE="doc examples matplotlib mongodb notebook nbconvert octave qt4 +smp test wxwidgets" + +REQUIRED_USE=" + test? ( doc matplotlib mongodb notebook nbconvert octave qt4 wxwidgets ) + doc? ( mongodb )" + +CDEPEND=" + dev-python/decorator[${PYTHON_USEDEP}] + dev-python/pexpect[${PYTHON_USEDEP}] + dev-python/pyparsing[${PYTHON_USEDEP}] + dev-python/simplegeneric[${PYTHON_USEDEP}] + matplotlib? ( dev-python/matplotlib[${PYTHON_USEDEP}] ) + mongodb? ( =dev-python/pyzmq-13[${PYTHON_USEDEP}] ) + wxwidgets? ( $(python_gen_cond_dep 'dev-python/wxpython:*[${PYTHON_USEDEP}]' python2_7) )" +RDEPEND="${CDEPEND} + notebook? ( + dev-libs/mathjax + dev-python/jinja[${PYTHON_USEDEP}] + >=dev-python/jsonschema-2.0[${PYTHON_USEDEP}] + >=dev-python/mistune-0.5[${PYTHON_USEDEP}] + dev-python/pygments[${PYTHON_USEDEP}] + >=dev-python/pyzmq-13[${PYTHON_USEDEP}] + >=dev-python/terminado-0.3.3[${PYTHON_USEDEP}] + >=www-servers/tornado-4.0[${PYTHON_USEDEP}] + ) + nbconvert? ( + || ( >=net-libs/nodejs-0.9.12 >=app-text/pandoc-1.12.1 ) + dev-python/jinja[${PYTHON_USEDEP}] + >=dev-python/jsonschema-2.0[${PYTHON_USEDEP}] + >=dev-python/mistune-0.5[${PYTHON_USEDEP}] + dev-python/pygments[${PYTHON_USEDEP}] + dev-python/sphinx[${PYTHON_USEDEP}] + ) + qt4? 
( + || ( + dev-python/PyQt4[${PYTHON_USEDEP},svg] + dev-python/PyQt5[${PYTHON_USEDEP},svg] + dev-python/pyside[${PYTHON_USEDEP},svg] + ) + dev-python/pygments[${PYTHON_USEDEP}] + >=dev-python/pyzmq-13[${PYTHON_USEDEP}] )" +DEPEND="${CDEPEND} + dev-python/setuptools[${PYTHON_USEDEP}] + test? ( + app-text/dvipng + dev-python/jinja[${PYTHON_USEDEP}] + $(python_gen_cond_dep 'dev-python/mock[${PYTHON_USEDEP}]' python2_7) + >=dev-python/nose-0.10.1[${PYTHON_USEDEP}] + dev-python/requests[${PYTHON_USEDEP}] + dev-python/sphinx[${PYTHON_USEDEP}] + >=www-servers/tornado-4.0[${PYTHON_USEDEP}] + ) + doc? ( + dev-python/cython[${PYTHON_USEDEP}] + $(python_gen_cond_dep 'dev-python/fabric[${PYTHON_USEDEP}]' python2_7) + >=dev-python/jsonschema-2.0[${PYTHON_USEDEP}] + dev-python/matplotlib[${PYTHON_USEDEP}] + >=dev-python/nose-0.10.1[${PYTHON_USEDEP}] + dev-python/numpydoc[${PYTHON_USEDEP}] + dev-python/rpy[${PYTHON_USEDEP}] + >=dev-python/sphinx-1.1[${PYTHON_USEDEP}] + >=www-servers/tornado-4.0[${PYTHON_USEDEP}] + )" + +PATCHES=( + "${FILESDIR}"/2.1.0-substitute-files.patch + "${FILESDIR}/${P}"-set-mime-type-on-files.patch + "${FILESDIR}/${P}"-set-model-mimetype-even-when-content-False.patch + "${FILESDIR}/${P}"-only-redirect-to-editor-for-text-documents.patch + "${FILESDIR}/${P}"-Don-t-redirect-from-edit-to-files.patch + ) + +DISTUTILS_IN_SOURCE_BUILD=1 + +python_prepare_all() { + # Remove out of date insource files + rm IPython/extensions/rmagic.py || die + + # Prevent un-needed download during build + if use doc; then + sed -e "/^ 'sphinx.ext.intersphinx',/d" -i docs/source/conf.py || die + fi + + distutils-r1_python_prepare_all +} + +python_compile_all() { + use doc && emake -C docs html_noapi +} + +python_test() { + distutils_install_for_testing + # https://github.com/ipython/ipython/issues/8639 + # Failure of some modules only in python3.4 + local fail + run_tests() { + pushd ${TEST_DIR} > /dev/null + "${PYTHON}" -m IPython.testing.iptestcontroller --all || fail=1 + popd > 
/dev/null + } + VIRTUALX_COMMAND=run_tests virtualmake + [[ ${fail} ]] && die "Tests fail with ${EPYTHON}" +} + +python_install() { + distutils-r1_python_install + use notebook && \ + ln -sf "${EPREFIX}/usr/share/mathjax" "${D}$(python_get_sitedir)/IPython/html/static/mathjax" + + # Create ipythonX.Y symlinks. + # TODO: + # 1. do we want them for pypy? No. pypy has no numpy + # 2. handle it in the eclass instead (use _python_ln_rel). + # With pypy not an option the dosym becomes unconditional + dosym ../lib/python-exec/${EPYTHON}/ipython \ + /usr/bin/ipython${EPYTHON#python} +} + +python_install_all() { + use doc && local HTML_DOCS=( docs/build/html/. ) + use examples && local EXAMPLES=( examples/. ) + distutils-r1_python_install_all +} + +pkg_postinst() { + optfeature "sympyprinting" dev-python/sympy + optfeature "cythonmagic" dev-python/cython + if use nbconvert; then + if ! has_version app-text/pandoc ; then + einfo "Node.js will be used to convert notebooks to other formats" + einfo "like HTML. Support for that is still experimental. If you" + einfo "encounter any problems, please use app-text/pandoc instead." + fi + fi +}