commit:     94adbefba8336b4f08db6cb2ee881fd8da20ec91
Author:     Marius Brehler <marbre <AT> linux <DOT> sungazer <DOT> de>
AuthorDate: Thu Sep 17 15:09:17 2015 +0000
Commit:     Jauhien Piatlicki <jauhien <AT> gentoo <DOT> org>
CommitDate: Thu Sep 17 15:09:40 2015 +0000
URL:        https://gitweb.gentoo.org/proj/sci.git/commit/?id=94adbefb

dev-python/notebook: Fix security issue

http://seclists.org/oss-sec/2015/q3/558
https://bugs.gentoo.org/show_bug.cgi?id=560708

Package-Manager: portage-2.2.20.1

 dev-python/notebook/ChangeLog                      | 11 +++
 ...k-4.0.4-Don-t-redirect-from-edit-to-files.patch | 55 +++++++++++++
 ...nly-redirect-to-editor-for-text-documents.patch | 38 +++++++++
 .../notebook-4.0.4-set-mime-type-on-files.patch    | 35 ++++++++
 ...et-model-mimetype-even-when-content-False.patch | 64 +++++++++++++++
 dev-python/notebook/notebook-4.0.4-r2.ebuild       |  1 -
 dev-python/notebook/notebook-4.0.4-r3.ebuild       | 92 ++++++++++++++++++++++
 7 files changed, 295 insertions(+), 1 deletion(-)

diff --git a/dev-python/notebook/ChangeLog b/dev-python/notebook/ChangeLog
index fdbc96c..367ccf3 100644
--- a/dev-python/notebook/ChangeLog
+++ b/dev-python/notebook/ChangeLog
@@ -2,6 +2,17 @@
 # Copyright 1999-2015 Gentoo Foundation; Distributed under the GPL v2
 # $Id$
 
+*notebook-4.0.4-r3 (17 Sep 2015)
+
+  17 Sep 2015; Marius Brehler <[email protected]>
+  +files/notebook-4.0.4-Don-t-redirect-from-edit-to-files.patch,
+  +files/notebook-4.0.4-only-redirect-to-editor-for-text-documents.patch,
+  +files/notebook-4.0.4-set-mime-type-on-files.patch,
+  +files/notebook-4.0.4-set-model-mimetype-even-when-content-False.patch,
+  +notebook-4.0.4-r3.ebuild, -notebook-4.0.4-r2.ebuild, notebook-9999.ebuild:
+  dev-python/notebook: Security fixes  http://seclists.org/oss-sec/2015/q3/558
+  https://bugs.gentoo.org/show_bug.cgi?id=560708
+
   07 Sep 2015; Marius Brehler <[email protected]> notebook-9999.ebuild:
   dev-python/notebook: Fix deps, >=mathjax-2.4 required
 

diff --git 
a/dev-python/notebook/files/notebook-4.0.4-Don-t-redirect-from-edit-to-files.patch
 
b/dev-python/notebook/files/notebook-4.0.4-Don-t-redirect-from-edit-to-files.patch
new file mode 100644
index 0000000..76d0e61
--- /dev/null
+++ 
b/dev-python/notebook/files/notebook-4.0.4-Don-t-redirect-from-edit-to-files.patch
@@ -0,0 +1,55 @@
+Upstream patch to fix
+"Maliciously crafted text files in IPython/Jupyter editor".
+
+http://seclists.org/oss-sec/2015/q3/558
+https://bugs.gentoo.org/show_bug.cgi?id=560708
+
+
+From 23162fd2895ad7445fdbe095b8fc8633d95ec6e6 Mon Sep 17 00:00:00 2001
+From: Min RK <[email protected]>
+Date: Mon, 20 Jul 2015 12:11:23 -0700
+Subject: [PATCH 4/4] Don't redirect from /edit/ to /files/
+
+show failure to decode, instead
+---
+ notebook/static/edit/js/editor.js | 15 +++------------
+ 1 file changed, 3 insertions(+), 12 deletions(-)
+
+diff --git a/notebook/static/edit/js/editor.js 
b/notebook/static/edit/js/editor.js
+index ddbc2de..421fa57 100644
+--- a/notebook/static/edit/js/editor.js
++++ b/notebook/static/edit/js/editor.js
+@@ -90,19 +90,10 @@ function($,
+             }).catch(
+             function(error) {
+                 that.events.trigger("file_load_failed.Editor", error);
+-                if (((error.xhr||{}).responseJSON||{}).reason === 'bad 
format') {
+-                    window.location = utils.url_path_join(
+-                        that.base_url,
+-                        'files',
+-                        that.file_path
+-                    );
+-                } else {
+-                    console.warn('Error while loading: the error was:')
+-                    console.warn(error)
+-                }
++                console.warn('Error loading: ', error);
+                 cm.setValue("Error! " + error.message +
+                                 "\nSaving disabled.\nSee Console for more 
details.");
+-                cm.setOption('readOnly','nocursor')
++                cm.setOption('readOnly','nocursor');
+                 that.save_enabled = false;
+             }
+         );
+@@ -186,7 +177,7 @@ function($,
+     Editor.prototype._clean_state = function(){
+         var clean = this.codemirror.isClean(this.generation);
+         if (clean === this.clean){
+-            return
++            return;
+         } else {
+             this.clean = clean;
+         }
+-- 
+2.4.6
+
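Review bot: The text written into the buffer at `cm.setValue("Error! " + error.message + ...)` is built from a failed content request, so `error.message` is presumably at least partly server-influenced; CodeMirror's setValue treats it as plain text, which is what keeps this path safe now that the redirect to /files/ is gone, but nothing in the hunk records that. A comment above that line, `// error.message may echo server output: keep it in setValue() (plain text), not an HTML status element`, would protect the intent against a later rewrite. The enclosing load callback starts outside the hunk.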

diff --git 
a/dev-python/notebook/files/notebook-4.0.4-only-redirect-to-editor-for-text-documents.patch
 
b/dev-python/notebook/files/notebook-4.0.4-only-redirect-to-editor-for-text-documents.patch
new file mode 100644
index 0000000..899cd31
--- /dev/null
+++ 
b/dev-python/notebook/files/notebook-4.0.4-only-redirect-to-editor-for-text-documents.patch
@@ -0,0 +1,38 @@
+Upstream patch to fix
+"Maliciously crafted text files in IPython/Jupyter editor".
+
+http://seclists.org/oss-sec/2015/q3/558
+https://bugs.gentoo.org/show_bug.cgi?id=560708
+
+
+From 4f0b3b8c10811d460efc67cf61e9f4df83d2a0a7 Mon Sep 17 00:00:00 2001
+From: Min RK <[email protected]>
+Date: Mon, 20 Jul 2015 12:11:04 -0700
+Subject: [PATCH 3/4] only redirect to editor for text documents
+
+treat unidentified mime-types as text
+---
+ notebook/static/tree/js/notebooklist.js | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/notebook/static/tree/js/notebooklist.js 
b/notebook/static/tree/js/notebooklist.js
+index 6308d7f..0b71f42 100644
+--- a/notebook/static/tree/js/notebooklist.js
++++ b/notebook/static/tree/js/notebooklist.js
+@@ -536,6 +536,13 @@ define([
+             icon = 'running_' + icon;
+         }
+         var uri_prefix = NotebookList.uri_prefixes[model.type];
++        if (model.type === 'file' &&
++            model.mimetype && model.mimetype.substr(0,5) !== 'text/'
++        ) {
++            // send text/unidentified files to editor, others go to raw viewer
++            uri_prefix = 'files';
++        }
++        
+         item.find(".item_icon").addClass(icon).addClass('icon-fixed-width');
+         var link = item.find("a.item_link")
+             .attr('href',
+-- 
+2.4.6
+
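Review bot: The new type test at `model.mimetype.substr(0,5) !== 'text/'` relies on the legacy `substr`; `model.mimetype.indexOf('text/') !== 0` reads the same and avoids the Annex-B string method, and the added blank line closing the block carries trailing spaces. The comment's "unidentified files" case is the `!model.mimetype` short-circuit, which is worth saying explicitly since a null mimetype falls through to the editor. The enclosing function starts outside the hunk.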

diff --git 
a/dev-python/notebook/files/notebook-4.0.4-set-mime-type-on-files.patch 
b/dev-python/notebook/files/notebook-4.0.4-set-mime-type-on-files.patch
new file mode 100644
index 0000000..055685f
--- /dev/null
+++ b/dev-python/notebook/files/notebook-4.0.4-set-mime-type-on-files.patch
@@ -0,0 +1,35 @@
+Upstream patch to fix
+"Maliciously crafted text files in IPython/Jupyter editor".
+
+http://seclists.org/oss-sec/2015/q3/558
+https://bugs.gentoo.org/show_bug.cgi?id=560708
+
+
+From 6ec427b5234bfc6c97065f130f762aee8ee67df4 Mon Sep 17 00:00:00 2001
+From: Min RK <[email protected]>
+Date: Mon, 20 Jul 2015 12:10:10 -0700
+Subject: [PATCH 1/4] set mime-type on /files/
+
+---
+ notebook/files/handlers.py | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/notebook/files/handlers.py b/notebook/files/handlers.py
+index def3ec6..9d27261 100644
+--- a/notebook/files/handlers.py
++++ b/notebook/files/handlers.py
+@@ -40,6 +40,11 @@ class FilesHandler(IPythonHandler):
+             cur_mime = mimetypes.guess_type(name)[0]
+             if cur_mime is not None:
+                 self.set_header('Content-Type', cur_mime)
++            else:
++                if model['format'] == 'base64':
++                    self.set_header('Content-Type', 
'application/octet-stream')
++                else:
++                    self.set_header('Content-Type', 'text/plain')
+         
+         if model['format'] == 'base64':
+             b64_bytes = model['content'].encode('ascii')
+-- 
+2.4.6
+
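Review bot: The fallback at `self.set_header('Content-Type', 'text/plain')` supplies the missing header but still leaves the final interpretation to browser content sniffing; unless the base handler already emits it (not visible in this hunk), `self.set_header('X-Content-Type-Options', 'nosniff')` next to the Content-Type would keep older browsers from promoting a text/plain body to HTML. The nested `else:` / `if` could also be flattened to `elif model['format'] == 'base64':`. The enclosing method starts outside the hunk.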

diff --git 
a/dev-python/notebook/files/notebook-4.0.4-set-model-mimetype-even-when-content-False.patch
 
b/dev-python/notebook/files/notebook-4.0.4-set-model-mimetype-even-when-content-False.patch
new file mode 100644
index 0000000..46ef427
--- /dev/null
+++ 
b/dev-python/notebook/files/notebook-4.0.4-set-model-mimetype-even-when-content-False.patch
@@ -0,0 +1,64 @@
+Upstream patch to fix
+"Maliciously crafted text files in IPython/Jupyter editor".
+
+http://seclists.org/oss-sec/2015/q3/558
+https://bugs.gentoo.org/show_bug.cgi?id=560708
+
+
+From f64aa490e3574ee2c2b504d0e0b39641c709a34f Mon Sep 17 00:00:00 2001
+From: Min RK <[email protected]>
+Date: Mon, 20 Jul 2015 12:10:25 -0700
+Subject: [PATCH 2/4] set model mimetype, even when content=False
+
+---
+ notebook/services/contents/filemanager.py | 12 +++++++-----
+ notebook/services/contents/handlers.py    |  3 ---
+ 2 files changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/notebook/services/contents/filemanager.py 
b/notebook/services/contents/filemanager.py
+index ff8ac7d..637ff52 100644
+--- a/notebook/services/contents/filemanager.py
++++ b/notebook/services/contents/filemanager.py
+@@ -278,18 +278,20 @@ class FileContentsManager(FileManagerMixin, 
ContentsManager):
+         model['type'] = 'file'
+ 
+         os_path = self._get_os_path(path)
++        model['mimetype'] = mimetypes.guess_type(os_path)[0]
+ 
+         if content:
+             content, format = self._read_file(os_path, format)
+-            default_mime = {
+-                'text': 'text/plain',
+-                'base64': 'application/octet-stream'
+-            }[format]
++            if model['mimetype'] is None:
++                default_mime = {
++                    'text': 'text/plain',
++                    'base64': 'application/octet-stream'
++                }[format]
++                model['mimetype'] = default_mime
+ 
+             model.update(
+                 content=content,
+                 format=format,
+-                mimetype=mimetypes.guess_type(os_path)[0] or default_mime,
+             )
+ 
+         return model
+diff --git a/notebook/services/contents/handlers.py 
b/notebook/services/contents/handlers.py
+index 2a0a4cc..521aae5 100644
+--- a/notebook/services/contents/handlers.py
++++ b/notebook/services/contents/handlers.py
+@@ -55,9 +55,6 @@ def validate_model(model, expect_content):
+         )
+ 
+     maybe_none_keys = ['content', 'format']
+-    if model['type'] == 'file':
+-        # mimetype should be populated only for file models
+-        maybe_none_keys.append('mimetype')
+     if expect_content:
+         errors = [key for key in maybe_none_keys if model[key] is None]
+         if errors:
+-- 
+2.4.6
+
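Review bot: Dropping `mimetype` from `maybe_none_keys` in validate_model means a file model returned with content is no longer rejected when its mimetype is `None`; the filemanager hunk guarantees a value for FileContentsManager, but validate_model also covers other contents-manager implementations, and for those a missing mimetype can now reach the client unnoticed. Since the check is already gated on `expect_content`, keeping `maybe_none_keys.append('mimetype')` for file models would still allow `None` when content is not requested. Both patched functions start outside their hunks.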

diff --git a/dev-python/notebook/notebook-4.0.4-r2.ebuild 
b/dev-python/notebook/notebook-4.0.4-r2.ebuild
deleted file mode 120000
index 1a1451d..0000000
--- a/dev-python/notebook/notebook-4.0.4-r2.ebuild
+++ /dev/null
@@ -1 +0,0 @@
-notebook-9999.ebuild
\ No newline at end of file

diff --git a/dev-python/notebook/notebook-4.0.4-r3.ebuild 
b/dev-python/notebook/notebook-4.0.4-r3.ebuild
new file mode 100644
index 0000000..810d194
--- /dev/null
+++ b/dev-python/notebook/notebook-4.0.4-r3.ebuild
@@ -0,0 +1,92 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+PYTHON_COMPAT=( python2_7 python{3_3,3_4} )
+
+inherit distutils-r1
+
+DESCRIPTION="Jupyter Interactive Notebook"
+HOMEPAGE="http://jupyter.org";
+SRC_URI="mirror://pypi/${PN:0:1}/${PN}/${P}.tar.gz"
+KEYWORDS="~amd64"
+
+LICENSE="BSD"
+SLOT="0"
+IUSE="doc test"
+RDEPEND="
+       >=dev-libs/mathjax-2.4
+       dev-python/jinja[${PYTHON_USEDEP}]
+       >=dev-python/terminado-0.3.3[${PYTHON_USEDEP}]
+       >=www-servers/tornado-4.0[${PYTHON_USEDEP}]
+       dev-python/ipython_genutils[${PYTHON_USEDEP}]
+       dev-python/traitlets[${PYTHON_USEDEP}]
+       dev-python/jupyter_core[${PYTHON_USEDEP}]
+       dev-python/jupyter_client[${PYTHON_USEDEP}]
+       dev-python/nbformat[${PYTHON_USEDEP}]
+       dev-python/nbconvert[${PYTHON_USEDEP}]
+       dev-python/ipykernel[${PYTHON_USEDEP}]
+       "
+DEPEND="${RDEPEND}
+       dev-python/setuptools[${PYTHON_USEDEP}]
+       test? (
+               $(python_gen_cond_dep 'dev-python/mock[${PYTHON_USEDEP}]' 
python2_7)
+               >=dev-python/nose-0.10.1[${PYTHON_USEDEP}]
+               dev-python/requests[${PYTHON_USEDEP}]
+               dev-python/coverage[${PYTHON_USEDEP}]
+       )
+       doc? (
+               app-text/pandoc
+               >=dev-python/ipython-4.0.0[${PYTHON_USEDEP}]
+               >=dev-python/sphinx-1.1[${PYTHON_USEDEP}]
+       )
+       "
+
+PATCHES=(
+       "${FILESDIR}/${P}"-set-mime-type-on-files.patch
+       "${FILESDIR}/${P}"-set-model-mimetype-even-when-content-False.patch
+       "${FILESDIR}/${P}"-only-redirect-to-editor-for-text-documents.patch
+       "${FILESDIR}/${P}"-Don-t-redirect-from-edit-to-files.patch
+)
+
+python_prepare_all() {
+       sed \
+               -e "/import setup/s:$:\nimport setuptools:g" \
+               -i setup.py || die
+
+       # disable bundled mathjax
+       sed -i 's/^.*MathJax.*$//' bower.json || die
+       sed -i 's/mj(/#mj(/' setupbase.py || die
+
+       # Prevent un-needed download during build
+       if use doc; then
+               sed -e "/^    'sphinx.ext.intersphinx',/d" -i 
docs/source/conf.py || die
+       fi
+
+       distutils-r1_python_prepare_all
+}
+
+python_compile_all() {
+       use doc && emake -C docs html
+}
+
+python_test() {
+       nosetests --with-coverage --cover-package=notebook notebook || die
+}
+
+python_install() {
+       distutils-r1_python_install
+
+       ln -sf "${EPREFIX}/usr/share/mathjax" 
"${D}$(python_get_sitedir)/notebook/static/components/MathJax" || die
+}
+
+python_install_all() {
+       use doc && HTML_DOCS=( docs/build/html/. )
+       distutils-r1_python_install_all
+}
+
+pkg_preinst() {
+       # remove old mathjax folder if present
+       rm -rf 
"${EROOT}"/usr/lib*/python*/site-packages/notebook/static/components/MathJax
+}
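Review bot: The `PATCHES` array gives no indication of why these four upstream commits are carried, which a security revision should record in the ebuild itself; a comment above it such as `# Upstream fixes for "Maliciously crafted text files in IPython/Jupyter editor", bug 560708` would do. The `HOMEPAGE="http://jupyter.org";` line carries a trailing semicolon that looks like a mail-rendering artifact rather than ebuild content, but is worth confirming in the repository.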
