add the redhat fix for CVE-2014-0012; debian has an alternative but this is better for cgi

2014-05-14 02:28:18 +00:00 · 2014-05-14 02:28:18 +00:00 · a4ddc061c4
commit a4ddc061c4
parent 6f6f30552d
2 changed files with 44 additions and 1 deletions
--- a/textproc/py-jinja2/distinfo
+++ b/textproc/py-jinja2/distinfo
@ -1,5 +1,6 @@
-$NetBSD: distinfo,v 1.7 2014/01/19 00:18:37 rodent Exp $
+$NetBSD: distinfo,v 1.8 2014/05/14 02:28:18 mspo Exp $

 SHA1 (Jinja2-2.7.2.tar.gz) = 1ce4c8bc722444ec3e77ef9db76faebbd17a40d8
 RMD160 (Jinja2-2.7.2.tar.gz) = 7bf0278d6fd75fc402b5dba785b29badeb507650
 Size (Jinja2-2.7.2.tar.gz) = 378300 bytes
+SHA1 (patch-jinja2_bccache.py) = 0c1cab3fcc83d210569071ddb2e2c6713f8f9325
--- a/textproc/py-jinja2/patches/patch-jinja2_bccache.py
+++ b/textproc/py-jinja2/patches/patch-jinja2_bccache.py
@ -0,0 +1,42 @@
+$NetBSD: patch-jinja2_bccache.py,v 1.1 2014/05/14 02:28:18 mspo Exp $
+
+--- jinja2/bccache.py-orig	2014-05-14 02:23:49.000000000 +0000
+++ jinja2/bccache.py
+@@ -16,6 +16,7 @@
+ """
+ from os import path, listdir
+ import os
+import stat
+ import sys
+ import errno
+ import marshal
+@@ -215,7 +216,7 @@ class FileSystemBytecodeCache(BytecodeCa
+ 
+         # On windows the temporary directory is used specific unless
+         # explicitly forced otherwise.  We can just use that.
+-        if os.name == 'n':
+        if os.name == 'nt':
+             return tmpdir
+         if not hasattr(os, 'getuid'):
+             raise RuntimeError('Cannot determine safe temp directory.  You '
+@@ -224,12 +225,18 @@ class FileSystemBytecodeCache(BytecodeCa
+         dirname = '_jinja2-cache-%d' % os.getuid()
+         actual_dir = os.path.join(tmpdir, dirname)
+         try:
+-            # 448 == 0700
+-            os.mkdir(actual_dir, 448)
+            os.mkdir(actual_dir, stat.S_IRWXU) # 0o700
+         except OSError as e:
+             if e.errno != errno.EEXIST:
+                 raise
+ 
+        actual_dir_stat = os.lstat(actual_dir)
+        if actual_dir_stat.st_uid != os.getuid() \
+                or not stat.S_ISDIR(actual_dir_stat.st_mode) \
+                or stat.S_IMODE(actual_dir_stat.st_mode) != stat.S_IRWXU:
+            raise RuntimeError('Temporary directory \'%s\' has an incorrect '
+	                       'owner, permissions, or type.' % actual_dir)
+
+         return actual_dir
+ 
+     def _get_cache_filename(self, bucket):