add the redhat fix for CVE-2014-0012; debian has an alternative but this is better for cgi

This commit is contained in:
mspo 2014-05-14 02:28:18 +00:00
parent 6f6f30552d
commit a4ddc061c4
2 changed files with 44 additions and 1 deletions

View file

@ -1,5 +1,6 @@
$NetBSD: distinfo,v 1.7 2014/01/19 00:18:37 rodent Exp $
$NetBSD: distinfo,v 1.8 2014/05/14 02:28:18 mspo Exp $
SHA1 (Jinja2-2.7.2.tar.gz) = 1ce4c8bc722444ec3e77ef9db76faebbd17a40d8
RMD160 (Jinja2-2.7.2.tar.gz) = 7bf0278d6fd75fc402b5dba785b29badeb507650
Size (Jinja2-2.7.2.tar.gz) = 378300 bytes
SHA1 (patch-jinja2_bccache.py) = 0c1cab3fcc83d210569071ddb2e2c6713f8f9325

View file

@ -0,0 +1,42 @@
$NetBSD: patch-jinja2_bccache.py,v 1.1 2014/05/14 02:28:18 mspo Exp $
--- jinja2/bccache.py-orig 2014-05-14 02:23:49.000000000 +0000
+++ jinja2/bccache.py
@@ -16,6 +16,7 @@
"""
from os import path, listdir
import os
+import stat
import sys
import errno
import marshal
@@ -215,7 +216,7 @@ class FileSystemBytecodeCache(BytecodeCa
# On windows the temporary directory is used specific unless
# explicitly forced otherwise. We can just use that.
- if os.name == 'n':
+ if os.name == 'nt':
return tmpdir
if not hasattr(os, 'getuid'):
raise RuntimeError('Cannot determine safe temp directory. You '
@@ -224,12 +225,18 @@ class FileSystemBytecodeCache(BytecodeCa
dirname = '_jinja2-cache-%d' % os.getuid()
actual_dir = os.path.join(tmpdir, dirname)
try:
- # 448 == 0700
- os.mkdir(actual_dir, 448)
+ os.mkdir(actual_dir, stat.S_IRWXU) # 0o700
except OSError as e:
if e.errno != errno.EEXIST:
raise
+ actual_dir_stat = os.lstat(actual_dir)
+ if actual_dir_stat.st_uid != os.getuid() \
+ or not stat.S_ISDIR(actual_dir_stat.st_mode) \
+ or stat.S_IMODE(actual_dir_stat.st_mode) != stat.S_IRWXU:
+ raise RuntimeError('Temporary directory \'%s\' has an incorrect '
+ 'owner, permissions, or type.' % actual_dir)
+
return actual_dir
def _get_cache_filename(self, bucket):