* [gentoo-commits] proj/sci:master commit in: dev-python/notebook/, dev-python/notebook/files/
@ 2015-09-17 21:56 Jauhien Piatlicki
From: Jauhien Piatlicki @ 2015-09-17 21:56 UTC (permalink / raw
  To: gentoo-commits

commit:     94adbefba8336b4f08db6cb2ee881fd8da20ec91
Author:     Marius Brehler <marbre <AT> linux <DOT> sungazer <DOT> de>
AuthorDate: Thu Sep 17 15:09:17 2015 +0000
Commit:     Jauhien Piatlicki <jauhien <AT> gentoo <DOT> org>
CommitDate: Thu Sep 17 15:09:40 2015 +0000
URL:        https://gitweb.gentoo.org/proj/sci.git/commit/?id=94adbefb

dev-python/notebook: Fix security issue

http://seclists.org/oss-sec/2015/q3/558
https://bugs.gentoo.org/show_bug.cgi?id=560708

Package-Manager: portage-2.2.20.1

 dev-python/notebook/ChangeLog                      | 11 +++
 ...k-4.0.4-Don-t-redirect-from-edit-to-files.patch | 55 +++++++++++++
 ...nly-redirect-to-editor-for-text-documents.patch | 38 +++++++++
 .../notebook-4.0.4-set-mime-type-on-files.patch    | 35 ++++++++
 ...et-model-mimetype-even-when-content-False.patch | 64 +++++++++++++++
 dev-python/notebook/notebook-4.0.4-r2.ebuild       |  1 -
 dev-python/notebook/notebook-4.0.4-r3.ebuild       | 92 ++++++++++++++++++++++
 7 files changed, 295 insertions(+), 1 deletion(-)

diff --git a/dev-python/notebook/ChangeLog b/dev-python/notebook/ChangeLog
index fdbc96c..367ccf3 100644
--- a/dev-python/notebook/ChangeLog
+++ b/dev-python/notebook/ChangeLog
@@ -2,6 +2,17 @@
 # Copyright 1999-2015 Gentoo Foundation; Distributed under the GPL v2
 # $Id$
 
+*notebook-4.0.4-r3 (17 Sep 2015)
+
+  17 Sep 2015; Marius Brehler <marbre@linux.sungazer.de>
+  +files/notebook-4.0.4-Don-t-redirect-from-edit-to-files.patch,
+  +files/notebook-4.0.4-only-redirect-to-editor-for-text-documents.patch,
+  +files/notebook-4.0.4-set-mime-type-on-files.patch,
+  +files/notebook-4.0.4-set-model-mimetype-even-when-content-False.patch,
+  +notebook-4.0.4-r3.ebuild, -notebook-4.0.4-r2.ebuild, notebook-9999.ebuild:
+  dev-python/notebook: Security fixes  http://seclists.org/oss-sec/2015/q3/558
+  https://bugs.gentoo.org/show_bug.cgi?id=560708
+
   07 Sep 2015; Marius Brehler <marbre@linux.sungazer.de> notebook-9999.ebuild:
   dev-python/notebook: Fix deps, >=mathjax-2.4 required
 

diff --git a/dev-python/notebook/files/notebook-4.0.4-Don-t-redirect-from-edit-to-files.patch b/dev-python/notebook/files/notebook-4.0.4-Don-t-redirect-from-edit-to-files.patch
new file mode 100644
index 0000000..76d0e61
--- /dev/null
+++ b/dev-python/notebook/files/notebook-4.0.4-Don-t-redirect-from-edit-to-files.patch
@@ -0,0 +1,55 @@
+Upstream patch to fix
+"Maliciously crafted text files in IPython/Jupyter editor".
+
+http://seclists.org/oss-sec/2015/q3/558
+https://bugs.gentoo.org/show_bug.cgi?id=560708
+
+
+From 23162fd2895ad7445fdbe095b8fc8633d95ec6e6 Mon Sep 17 00:00:00 2001
+From: Min RK <benjaminrk@gmail.com>
+Date: Mon, 20 Jul 2015 12:11:23 -0700
+Subject: [PATCH 4/4] Don't redirect from /edit/ to /files/
+
+show failure to decode, instead
+---
+ notebook/static/edit/js/editor.js | 15 +++------------
+ 1 file changed, 3 insertions(+), 12 deletions(-)
+
+diff --git a/notebook/static/edit/js/editor.js b/notebook/static/edit/js/editor.js
+index ddbc2de..421fa57 100644
+--- a/notebook/static/edit/js/editor.js
++++ b/notebook/static/edit/js/editor.js
+@@ -90,19 +90,10 @@ function($,
+             }).catch(
+             function(error) {
+                 that.events.trigger("file_load_failed.Editor", error);
+-                if (((error.xhr||{}).responseJSON||{}).reason === 'bad format') {
+-                    window.location = utils.url_path_join(
+-                        that.base_url,
+-                        'files',
+-                        that.file_path
+-                    );
+-                } else {
+-                    console.warn('Error while loading: the error was:')
+-                    console.warn(error)
+-                }
++                console.warn('Error loading: ', error);
+                 cm.setValue("Error! " + error.message +
+                                 "\nSaving disabled.\nSee Console for more details.");
+-                cm.setOption('readOnly','nocursor')
++                cm.setOption('readOnly','nocursor');
+                 that.save_enabled = false;
+             }
+         );
+@@ -186,7 +177,7 @@ function($,
+     Editor.prototype._clean_state = function(){
+         var clean = this.codemirror.isClean(this.generation);
+         if (clean === this.clean){
+-            return
++            return;
+         } else {
+             this.clean = clean;
+         }
+-- 
+2.4.6
+
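Review bot: The rewritten catch handler in editor.js (embedded hunk at -90,19 +90,10) has no comment saying why the fallback to `/files/` was dropped, so a later cleanup could reintroduce it. Judging from the patch subject and the linked advisory, the intent is that a file the editor cannot decode is never handed to the raw viewer. A one-line comment above the `console.warn` call would record that, for example `// Do not fall back to /files/ here: show the decode error in the editor instead.` The handler's enclosing function begins outside the hunk.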

diff --git a/dev-python/notebook/files/notebook-4.0.4-only-redirect-to-editor-for-text-documents.patch b/dev-python/notebook/files/notebook-4.0.4-only-redirect-to-editor-for-text-documents.patch
new file mode 100644
index 0000000..899cd31
--- /dev/null
+++ b/dev-python/notebook/files/notebook-4.0.4-only-redirect-to-editor-for-text-documents.patch
@@ -0,0 +1,38 @@
+Upstream patch to fix
+"Maliciously crafted text files in IPython/Jupyter editor".
+
+http://seclists.org/oss-sec/2015/q3/558
+https://bugs.gentoo.org/show_bug.cgi?id=560708
+
+
+From 4f0b3b8c10811d460efc67cf61e9f4df83d2a0a7 Mon Sep 17 00:00:00 2001
+From: Min RK <benjaminrk@gmail.com>
+Date: Mon, 20 Jul 2015 12:11:04 -0700
+Subject: [PATCH 3/4] only redirect to editor for text documents
+
+treat unidentified mime-types as text
+---
+ notebook/static/tree/js/notebooklist.js | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/notebook/static/tree/js/notebooklist.js b/notebook/static/tree/js/notebooklist.js
+index 6308d7f..0b71f42 100644
+--- a/notebook/static/tree/js/notebooklist.js
++++ b/notebook/static/tree/js/notebooklist.js
+@@ -536,6 +536,13 @@ define([
+             icon = 'running_' + icon;
+         }
+         var uri_prefix = NotebookList.uri_prefixes[model.type];
++        if (model.type === 'file' &&
++            model.mimetype && model.mimetype.substr(0,5) !== 'text/'
++        ) {
++            // send text/unidentified files to editor, others go to raw viewer
++            uri_prefix = 'files';
++        }
++        
+         item.find(".item_icon").addClass(icon).addClass('icon-fixed-width');
+         var link = item.find("a.item_link")
+             .attr('href',
+-- 
+2.4.6
+
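Review bot: The new prefix check in notebooklist.js links every file whose `model.mimetype` does not begin with `text/` to the `files` raw viewer, and that includes types a browser treats as active content, such as `image/svg+xml` or `application/xhtml+xml`. Whether `/files/` serves those with a header that keeps them from running in the notebook origin is not visible in this patch set; the handlers.py patch only adds a fallback `Content-Type`. It is worth confirming that, or serving anything outside a small known-safe list with `Content-Disposition: attachment`. The enclosing function starts and ends outside the hunk.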

diff --git a/dev-python/notebook/files/notebook-4.0.4-set-mime-type-on-files.patch b/dev-python/notebook/files/notebook-4.0.4-set-mime-type-on-files.patch
new file mode 100644
index 0000000..055685f
--- /dev/null
+++ b/dev-python/notebook/files/notebook-4.0.4-set-mime-type-on-files.patch
@@ -0,0 +1,35 @@
+Upstream patch to fix
+"Maliciously crafted text files in IPython/Jupyter editor".
+
+http://seclists.org/oss-sec/2015/q3/558
+https://bugs.gentoo.org/show_bug.cgi?id=560708
+
+
+From 6ec427b5234bfc6c97065f130f762aee8ee67df4 Mon Sep 17 00:00:00 2001
+From: Min RK <benjaminrk@gmail.com>
+Date: Mon, 20 Jul 2015 12:10:10 -0700
+Subject: [PATCH 1/4] set mime-type on /files/
+
+---
+ notebook/files/handlers.py | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/notebook/files/handlers.py b/notebook/files/handlers.py
+index def3ec6..9d27261 100644
+--- a/notebook/files/handlers.py
++++ b/notebook/files/handlers.py
+@@ -40,6 +40,11 @@ class FilesHandler(IPythonHandler):
+             cur_mime = mimetypes.guess_type(name)[0]
+             if cur_mime is not None:
+                 self.set_header('Content-Type', cur_mime)
++            else:
++                if model['format'] == 'base64':
++                    self.set_header('Content-Type', 'application/octet-stream')
++                else:
++                    self.set_header('Content-Type', 'text/plain')
+         
+         if model['format'] == 'base64':
+             b64_bytes = model['content'].encode('ascii')
+-- 
+2.4.6
+
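Review bot: The added `else` branch in FilesHandler only covers names for which `mimetypes.guess_type` returns nothing; when a type is guessed from the extension, the response still goes out with that type, and nothing here tells the browser not to sniff the `text/plain` fallback. Adding `self.set_header('X-Content-Type-Options', 'nosniff')` next to the `Content-Type` calls would close the sniffing gap. The method body starts above the hunk and continues below it.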

diff --git a/dev-python/notebook/files/notebook-4.0.4-set-model-mimetype-even-when-content-False.patch b/dev-python/notebook/files/notebook-4.0.4-set-model-mimetype-even-when-content-False.patch
new file mode 100644
index 0000000..46ef427
--- /dev/null
+++ b/dev-python/notebook/files/notebook-4.0.4-set-model-mimetype-even-when-content-False.patch
@@ -0,0 +1,64 @@
+Upstream patch to fix
+"Maliciously crafted text files in IPython/Jupyter editor".
+
+http://seclists.org/oss-sec/2015/q3/558
+https://bugs.gentoo.org/show_bug.cgi?id=560708
+
+
+From f64aa490e3574ee2c2b504d0e0b39641c709a34f Mon Sep 17 00:00:00 2001
+From: Min RK <benjaminrk@gmail.com>
+Date: Mon, 20 Jul 2015 12:10:25 -0700
+Subject: [PATCH 2/4] set model mimetype, even when content=False
+
+---
+ notebook/services/contents/filemanager.py | 12 +++++++-----
+ notebook/services/contents/handlers.py    |  3 ---
+ 2 files changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/notebook/services/contents/filemanager.py b/notebook/services/contents/filemanager.py
+index ff8ac7d..637ff52 100644
+--- a/notebook/services/contents/filemanager.py
++++ b/notebook/services/contents/filemanager.py
+@@ -278,18 +278,20 @@ class FileContentsManager(FileManagerMixin, ContentsManager):
+         model['type'] = 'file'
+ 
+         os_path = self._get_os_path(path)
++        model['mimetype'] = mimetypes.guess_type(os_path)[0]
+ 
+         if content:
+             content, format = self._read_file(os_path, format)
+-            default_mime = {
+-                'text': 'text/plain',
+-                'base64': 'application/octet-stream'
+-            }[format]
++            if model['mimetype'] is None:
++                default_mime = {
++                    'text': 'text/plain',
++                    'base64': 'application/octet-stream'
++                }[format]
++                model['mimetype'] = default_mime
+ 
+             model.update(
+                 content=content,
+                 format=format,
+-                mimetype=mimetypes.guess_type(os_path)[0] or default_mime,
+             )
+ 
+         return model
+diff --git a/notebook/services/contents/handlers.py b/notebook/services/contents/handlers.py
+index 2a0a4cc..521aae5 100644
+--- a/notebook/services/contents/handlers.py
++++ b/notebook/services/contents/handlers.py
+@@ -55,9 +55,6 @@ def validate_model(model, expect_content):
+         )
+ 
+     maybe_none_keys = ['content', 'format']
+-    if model['type'] == 'file':
+-        # mimetype should be populated only for file models
+-        maybe_none_keys.append('mimetype')
+     if expect_content:
+         errors = [key for key in maybe_none_keys if model[key] is None]
+         if errors:
+-- 
+2.4.6
+
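Review bot: In filemanager.py `model['mimetype']` is now taken from `mimetypes.guess_type(os_path)[0]` before the `if content:` test, so with `content=False` it stays `None` for any name the guess does not recognise, and the value reflects only the file name, never the bytes. The notebooklist.js change (patch 3/4) treats a missing mimetype as text, so this `None` decides where the file is opened. A comment on the new line should say so, for example `# None when the name is not recognised and content is not read; clients treat that as text`. The same fact is worth a line in `validate_model`, where the `mimetype` entry was removed from `maybe_none_keys`. Both functions extend beyond their hunks.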

diff --git a/dev-python/notebook/notebook-4.0.4-r2.ebuild b/dev-python/notebook/notebook-4.0.4-r2.ebuild
deleted file mode 120000
index 1a1451d..0000000
--- a/dev-python/notebook/notebook-4.0.4-r2.ebuild
+++ /dev/null
@@ -1 +0,0 @@
-notebook-9999.ebuild
\ No newline at end of file

diff --git a/dev-python/notebook/notebook-4.0.4-r3.ebuild b/dev-python/notebook/notebook-4.0.4-r3.ebuild
new file mode 100644
index 0000000..810d194
--- /dev/null
+++ b/dev-python/notebook/notebook-4.0.4-r3.ebuild
@@ -0,0 +1,92 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+PYTHON_COMPAT=( python2_7 python{3_3,3_4} )
+
+inherit distutils-r1
+
+DESCRIPTION="Jupyter Interactive Notebook"
+HOMEPAGE="http://jupyter.org"
+SRC_URI="mirror://pypi/${PN:0:1}/${PN}/${P}.tar.gz"
+KEYWORDS="~amd64"
+
+LICENSE="BSD"
+SLOT="0"
+IUSE="doc test"
+RDEPEND="
+	>=dev-libs/mathjax-2.4
+	dev-python/jinja[${PYTHON_USEDEP}]
+	>=dev-python/terminado-0.3.3[${PYTHON_USEDEP}]
+	>=www-servers/tornado-4.0[${PYTHON_USEDEP}]
+	dev-python/ipython_genutils[${PYTHON_USEDEP}]
+	dev-python/traitlets[${PYTHON_USEDEP}]
+	dev-python/jupyter_core[${PYTHON_USEDEP}]
+	dev-python/jupyter_client[${PYTHON_USEDEP}]
+	dev-python/nbformat[${PYTHON_USEDEP}]
+	dev-python/nbconvert[${PYTHON_USEDEP}]
+	dev-python/ipykernel[${PYTHON_USEDEP}]
+	"
+DEPEND="${RDEPEND}
+	dev-python/setuptools[${PYTHON_USEDEP}]
+	test? (
+		$(python_gen_cond_dep 'dev-python/mock[${PYTHON_USEDEP}]' python2_7)
+		>=dev-python/nose-0.10.1[${PYTHON_USEDEP}]
+		dev-python/requests[${PYTHON_USEDEP}]
+		dev-python/coverage[${PYTHON_USEDEP}]
+	)
+	doc? (
+		app-text/pandoc
+		>=dev-python/ipython-4.0.0[${PYTHON_USEDEP}]
+		>=dev-python/sphinx-1.1[${PYTHON_USEDEP}]
+	)
+	"
+
+PATCHES=(
+	"${FILESDIR}/${P}"-set-mime-type-on-files.patch
+	"${FILESDIR}/${P}"-set-model-mimetype-even-when-content-False.patch
+	"${FILESDIR}/${P}"-only-redirect-to-editor-for-text-documents.patch
+	"${FILESDIR}/${P}"-Don-t-redirect-from-edit-to-files.patch
+)
+
+python_prepare_all() {
+	sed \
+		-e "/import setup/s:$:\nimport setuptools:g" \
+		-i setup.py || die
+
+	# disable bundled mathjax
+	sed -i 's/^.*MathJax.*$//' bower.json || die
+	sed -i 's/mj(/#mj(/' setupbase.py || die
+
+	# Prevent un-needed download during build
+	if use doc; then
+		sed -e "/^    'sphinx.ext.intersphinx',/d" -i docs/source/conf.py || die
+	fi
+
+	distutils-r1_python_prepare_all
+}
+
+python_compile_all() {
+	use doc && emake -C docs html
+}
+
+python_test() {
+	nosetests --with-coverage --cover-package=notebook notebook || die
+}
+
+python_install() {
+	distutils-r1_python_install
+
+	ln -sf "${EPREFIX}/usr/share/mathjax" "${D}$(python_get_sitedir)/notebook/static/components/MathJax" || die
+}
+
+python_install_all() {
+	use doc && HTML_DOCS=( docs/build/html/. )
+	distutils-r1_python_install_all
+}
+
+pkg_preinst() {
+	# remove old mathjax folder if present
+	rm -rf "${EROOT}"/usr/lib*/python*/site-packages/notebook/static/components/MathJax
+}
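Review bot: The `sed` calls in `python_prepare_all` that unbundle MathJax (`sed -i 's/^.*MathJax.*$//' bower.json` and `sed -i 's/mj(/#mj(/' setupbase.py`) exit 0 when nothing matches, so `|| die` does not catch the case where upstream renames or moves those lines and the unbundling silently stops taking effect. A guard before each edit would turn that into a build failure, for example `grep -q 'mj(' setupbase.py || die "MathJax block not found in setupbase.py"`. The bower.json edit in notebook-4.2.0.ebuild has the same property.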


* [gentoo-commits] proj/sci:master commit in: dev-python/notebook/, dev-python/notebook/files/
@ 2016-05-17 13:01 Marius Brehler
From: Marius Brehler @ 2016-05-17 13:01 UTC (permalink / raw
  To: gentoo-commits

commit:     dbb43424cf13adf94071f7a76a81b7b83adb5a6e
Author:     Marius Brehler <marbre <AT> linux <DOT> sungazer <DOT> de>
AuthorDate: Tue May 17 12:59:42 2016 +0000
Commit:     Marius Brehler <marbre <AT> linux <DOT> sungazer <DOT> de>
CommitDate: Tue May 17 12:59:42 2016 +0000
URL:        https://gitweb.gentoo.org/proj/sci.git/commit/?id=dbb43424

dev-python/notebook: Version bump

Package-Manager: portage-2.2.28

 .../files/notebook-4.2.0-setupbase.py.patch        | 42 ++++++++++
 dev-python/notebook/notebook-4.2.0.ebuild          | 94 ++++++++++++++++++++++
 2 files changed, 136 insertions(+)

diff --git a/dev-python/notebook/files/notebook-4.2.0-setupbase.py.patch b/dev-python/notebook/files/notebook-4.2.0-setupbase.py.patch
new file mode 100644
index 0000000..949c445
--- /dev/null
+++ b/dev-python/notebook/files/notebook-4.2.0-setupbase.py.patch
@@ -0,0 +1,42 @@
+Disable bundled mathjax.
+
+Patch by Marius Brehler
+--- ${WORKDIR}/setupbase.py	2016-04-15 21:15:35.000000000 +0200
++++ ${WORKDIR}/setupbase.py	2016-05-17 14:54:04.998783993 +0200
+@@ -152,36 +152,6 @@ def find_package_data():
+             if f.endswith(('.js', '.css')):
+                 static_data.append(pjoin(parent, f))
+ 
+-    # Trim mathjax
+-    mj = lambda *path: pjoin(components, 'MathJax', *path)
+-    static_data.extend([
+-        mj('MathJax.js'),
+-        mj('config', 'TeX-AMS_HTML-full.js'),
+-        mj('config', 'Safe.js'),
+-    ])
+-    
+-    trees = []
+-    mj_out = mj('jax', 'output')
+-    
+-    if os.path.exists(mj_out):
+-        for output in os.listdir(mj_out):
+-            path = pjoin(mj_out, output)
+-            static_data.append(pjoin(path, '*.js'))
+-            autoload = pjoin(path, 'autoload')
+-            if os.path.isdir(autoload):
+-                trees.append(autoload)
+-
+-    for tree in trees + [
+-        mj('localization'), # limit to en?
+-        mj('fonts', 'HTML-CSS', 'STIX-Web', 'woff'),
+-        mj('extensions'),
+-        mj('jax', 'input', 'TeX'),
+-        mj('jax', 'output', 'HTML-CSS', 'fonts', 'STIX-Web'),
+-        mj('jax', 'output', 'SVG', 'fonts', 'STIX-Web'),
+-    ]:
+-        for parent, dirs, files in os.walk(tree):
+-            for f in files:
+-                static_data.append(pjoin(parent, f))
+ 
+     os.chdir(os.path.join('tests',))
+     js_tests = glob('*.js') + glob('*/*.js')

diff --git a/dev-python/notebook/notebook-4.2.0.ebuild b/dev-python/notebook/notebook-4.2.0.ebuild
new file mode 100644
index 0000000..5aeeac7
--- /dev/null
+++ b/dev-python/notebook/notebook-4.2.0.ebuild
@@ -0,0 +1,94 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=6
+
+PYTHON_COMPAT=( python2_7 python3_{3,4,5} )
+PYTHON_REQ_USE="threads(+)"
+
+inherit distutils-r1
+
+DESCRIPTION="Jupyter Interactive Notebook"
+HOMEPAGE="http://jupyter.org"
+SRC_URI="mirror://pypi/${PN:0:1}/${PN}/${P}.tar.gz"
+
+LICENSE="BSD"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="doc test"
+RDEPEND="
+	>=dev-libs/mathjax-2.4
+	dev-python/jinja[${PYTHON_USEDEP}]
+	>=dev-python/terminado-0.3.3[${PYTHON_USEDEP}]
+	>=www-servers/tornado-4.0[${PYTHON_USEDEP}]
+	dev-python/ipython_genutils[${PYTHON_USEDEP}]
+	dev-python/traitlets[${PYTHON_USEDEP}]
+	dev-python/jupyter_core[${PYTHON_USEDEP}]
+	dev-python/jupyter_client[${PYTHON_USEDEP}]
+	dev-python/nbformat[${PYTHON_USEDEP}]
+	>=dev-python/nbconvert-4.2.0[${PYTHON_USEDEP}]
+	dev-python/ipykernel[${PYTHON_USEDEP}]
+	"
+DEPEND="${RDEPEND}
+	dev-python/setuptools[${PYTHON_USEDEP}]
+	test? (
+		$(python_gen_cond_dep 'dev-python/mock[${PYTHON_USEDEP}]' python2_7)
+		>=dev-python/nose-0.10.1[${PYTHON_USEDEP}]
+		dev-python/requests[${PYTHON_USEDEP}]
+		dev-python/coverage[${PYTHON_USEDEP}]
+	)
+	doc? (
+		app-text/pandoc
+		>=dev-python/ipython-4.0.0[${PYTHON_USEDEP}]
+		>=dev-python/sphinx-1.1[${PYTHON_USEDEP}]
+	)
+	"
+
+python_prepare_all() {
+	eapply "${FILESDIR}/${P}"-setupbase.py.patch
+
+	sed \
+		-e "/import setup/s:$:\nimport setuptools:g" \
+		-i setup.py || die
+
+	# disable bundled mathjax
+	sed -i 's/^.*MathJax.*$//' bower.json || die
+
+	# Prevent un-needed download during build
+	if use doc; then
+		sed \
+			-e "/^    'sphinx.ext.intersphinx',/d" \
+			-i docs/source/conf.py || die
+	fi
+
+	distutils-r1_python_prepare_all
+}
+
+python_compile_all() {
+	use doc && emake -C docs html
+}
+
+python_test() {
+	nosetests \
+		--verbosity=3 \
+		notebook || die
+}
+
+python_install() {
+	distutils-r1_python_install
+
+	ln -sf \
+		"${EPREFIX}/usr/share/mathjax" \
+		"${D}$(python_get_sitedir)/notebook/static/components/MathJax" || die
+}
+
+python_install_all() {
+	use doc && HTML_DOCS=( docs/build/html/. )
+	distutils-r1_python_install_all
+}
+
+pkg_preinst() {
+	# remove old mathjax folder if present
+	rm -rf "${EROOT}"/usr/lib*/python*/site-packages/notebook/static/components/MathJax
+}
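Review bot: This ebuild has no `PATCHES` array, so the four security patches applied by notebook-4.0.4-r3.ebuild are not applied here. That is correct only if the 4.2.0 tarball already contains those upstream changes, which is not visible from this commit. Once confirmed, a short comment near `python_prepare_all` would make it explicit, such as `# 4.0.4 security patches (bug 560708) are included upstream`. `python_test` also no longer passes the coverage options, while `dev-python/coverage` stays in the test dependencies.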

