import babel-2.5.1-7.el8
This commit is contained in:
parent
ffa63b5d1b
commit
991bc4be23
|
@ -0,0 +1,128 @@
|
||||||
|
diff --git a/babel/localedata.py b/babel/localedata.py
|
||||||
|
index 4b6d3b6..080b723 100644
|
||||||
|
--- a/babel/localedata.py
|
||||||
|
+++ b/babel/localedata.py
|
||||||
|
@@ -13,6 +13,8 @@
|
||||||
|
"""
|
||||||
|
|
||||||
|
import os
|
||||||
|
+import re
|
||||||
|
+import sys
|
||||||
|
import threading
|
||||||
|
from collections import MutableMapping
|
||||||
|
from itertools import chain
|
||||||
|
@@ -33,6 +35,7 @@ def get_base_dir():
|
||||||
|
_cache = {}
|
||||||
|
_cache_lock = threading.RLock()
|
||||||
|
_dirname = os.path.join(get_base_dir(), 'locale-data')
|
||||||
|
+_windows_reserved_name_re = re.compile("^(con|prn|aux|nul|com[0-9]|lpt[0-9])$", re.I)
|
||||||
|
|
||||||
|
|
||||||
|
def normalize_locale(name):
|
||||||
|
@@ -49,6 +52,22 @@ def normalize_locale(name):
|
||||||
|
return locale_id
|
||||||
|
|
||||||
|
|
||||||
|
+def resolve_locale_filename(name):
|
||||||
|
+ """
|
||||||
|
+ Resolve a locale identifier to a `.dat` path on disk.
|
||||||
|
+ """
|
||||||
|
+
|
||||||
|
+ # Clean up any possible relative paths.
|
||||||
|
+ name = os.path.basename(name)
|
||||||
|
+
|
||||||
|
+ # Ensure we're not left with one of the Windows reserved names.
|
||||||
|
+ if sys.platform == "win32" and _windows_reserved_name_re.match(os.path.splitext(name)[0]):
|
||||||
|
+ raise ValueError("Name %s is invalid on Windows" % name)
|
||||||
|
+
|
||||||
|
+ # Build the path.
|
||||||
|
+ return os.path.join(_dirname, '%s.dat' % name)
|
||||||
|
+
|
||||||
|
+
|
||||||
|
def exists(name):
|
||||||
|
"""Check whether locale data is available for the given locale.
|
||||||
|
|
||||||
|
@@ -60,7 +79,7 @@ def exists(name):
|
||||||
|
return False
|
||||||
|
if name in _cache:
|
||||||
|
return True
|
||||||
|
- file_found = os.path.exists(os.path.join(_dirname, '%s.dat' % name))
|
||||||
|
+ file_found = os.path.exists(resolve_locale_filename(name))
|
||||||
|
return True if file_found else bool(normalize_locale(name))
|
||||||
|
|
||||||
|
|
||||||
|
@@ -102,6 +121,7 @@ def load(name, merge_inherited=True):
|
||||||
|
:raise `IOError`: if no locale data file is found for the given locale
|
||||||
|
identifer, or one of the locales it inherits from
|
||||||
|
"""
|
||||||
|
+ name = os.path.basename(name)
|
||||||
|
_cache_lock.acquire()
|
||||||
|
try:
|
||||||
|
data = _cache.get(name)
|
||||||
|
@@ -119,7 +139,7 @@ def load(name, merge_inherited=True):
|
||||||
|
else:
|
||||||
|
parent = '_'.join(parts[:-1])
|
||||||
|
data = load(parent).copy()
|
||||||
|
- filename = os.path.join(_dirname, '%s.dat' % name)
|
||||||
|
+ filename = resolve_locale_filename(name)
|
||||||
|
with open(filename, 'rb') as fileobj:
|
||||||
|
if name != 'root' and merge_inherited:
|
||||||
|
merge(data, pickle.load(fileobj))
|
||||||
|
diff --git a/tests/test_localedata.py b/tests/test_localedata.py
|
||||||
|
index 3599b21..173e7a3 100644
|
||||||
|
--- a/tests/test_localedata.py
|
||||||
|
+++ b/tests/test_localedata.py
|
||||||
|
@@ -11,12 +11,18 @@
|
||||||
|
# individuals. For the exact contribution history, see the revision
|
||||||
|
# history and logs, available at http://babel.edgewall.org/log/.
|
||||||
|
|
||||||
|
+import os
|
||||||
|
+import pickle
|
||||||
|
+import sys
|
||||||
|
+import tempfile
|
||||||
|
import unittest
|
||||||
|
import random
|
||||||
|
from operator import methodcaller
|
||||||
|
import sys
|
||||||
|
|
||||||
|
-from babel import localedata, numbers
|
||||||
|
+import pytest
|
||||||
|
+
|
||||||
|
+from babel import localedata, Locale, UnknownLocaleError, numbers
|
||||||
|
|
||||||
|
class MergeResolveTestCase(unittest.TestCase):
|
||||||
|
|
||||||
|
@@ -117,3 +123,33 @@ def test_locale_argument_acceptance():
|
||||||
|
assert normalized_locale == None
|
||||||
|
locale_exist = localedata.exists(['en_us', None])
|
||||||
|
assert locale_exist == False
|
||||||
|
+
|
||||||
|
+def test_locale_name_cleanup():
|
||||||
|
+ """
|
||||||
|
+ Test that locale identifiers are cleaned up to avoid directory traversal.
|
||||||
|
+ """
|
||||||
|
+ no_exist_name = os.path.join(tempfile.gettempdir(), "babel%d.dat" % random.randint(1, 99999))
|
||||||
|
+ with open(no_exist_name, "wb") as f:
|
||||||
|
+ pickle.dump({}, f)
|
||||||
|
+
|
||||||
|
+ try:
|
||||||
|
+ name = os.path.splitext(os.path.relpath(no_exist_name, localedata._dirname))[0]
|
||||||
|
+ except ValueError:
|
||||||
|
+ if sys.platform == "win32":
|
||||||
|
+ pytest.skip("unable to form relpath")
|
||||||
|
+ raise
|
||||||
|
+
|
||||||
|
+ assert not localedata.exists(name)
|
||||||
|
+ with pytest.raises(IOError):
|
||||||
|
+ localedata.load(name)
|
||||||
|
+ with pytest.raises(UnknownLocaleError):
|
||||||
|
+ Locale(name)
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+@pytest.mark.skipif(sys.platform != "win32", reason="windows-only test")
|
||||||
|
+def test_reserved_locale_names():
|
||||||
|
+ for name in ("con", "aux", "nul", "prn", "com8", "lpt5"):
|
||||||
|
+ with pytest.raises(ValueError):
|
||||||
|
+ localedata.load(name)
|
||||||
|
+ with pytest.raises(ValueError):
|
||||||
|
+ Locale(name)
|
|
@ -17,7 +17,7 @@
|
||||||
|
|
||||||
Name: babel
|
Name: babel
|
||||||
Version: 2.5.1
|
Version: 2.5.1
|
||||||
Release: 5%{?dist}
|
Release: 7%{?dist}
|
||||||
Summary: Tools for internationalizing Python applications
|
Summary: Tools for internationalizing Python applications
|
||||||
|
|
||||||
License: BSD
|
License: BSD
|
||||||
|
@ -25,6 +25,12 @@ URL: http://babel.pocoo.org/
|
||||||
Source0: https://files.pythonhosted.org/packages/source/B/%{srcname}/%{srcname}-%{version}.tar.gz
|
Source0: https://files.pythonhosted.org/packages/source/B/%{srcname}/%{srcname}-%{version}.tar.gz
|
||||||
Patch0: babel-2.3.4-remove-pytz-version.patch
|
Patch0: babel-2.3.4-remove-pytz-version.patch
|
||||||
|
|
||||||
|
# Fix CVE-2021-20095: relative path traversal allows an attacker to load
|
||||||
|
# arbitrary locale files on disk and execute arbitrary code
|
||||||
|
# Resolved upstream: https://github.com/python-babel/babel/pull/782/
|
||||||
|
# CVE bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1955615
|
||||||
|
Patch1: CVE-2021-20095.patch
|
||||||
|
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
|
|
||||||
%if 0%{?rhel} && 0%{?rhel} <= 7
|
%if 0%{?rhel} && 0%{?rhel} <= 7
|
||||||
|
@ -111,7 +117,7 @@ Provides: python3-babel-doc = %{version}-%{release}
|
||||||
Documentation for Babel
|
Documentation for Babel
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%autosetup -n %{srcname}-%{version}
|
%autosetup -n %{srcname}-%{version} -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%if 0%{?rhel} && 0%{?rhel} <= 7
|
%if 0%{?rhel} && 0%{?rhel} <= 7
|
||||||
|
@ -151,16 +157,15 @@ rm tests/messages/test_frontend.py
|
||||||
|
|
||||||
export TZ=America/New_York
|
export TZ=America/New_York
|
||||||
%if 0%{?rhel} && 0%{?rhel} <= 7
|
%if 0%{?rhel} && 0%{?rhel} <= 7
|
||||||
%{__python2} setup.py test
|
%{__python2} -m pytest
|
||||||
%endif
|
%endif
|
||||||
%if !%{bootstrap}
|
%if !%{bootstrap}
|
||||||
%{__python3} setup.py test
|
%{__python3} -m pytest
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%files
|
%files
|
||||||
%doc CHANGES AUTHORS
|
%doc CHANGES AUTHORS
|
||||||
%license LICENSE
|
%license LICENSE
|
||||||
%{_bindir}/pybabel
|
|
||||||
|
|
||||||
%if 0%{?rhel} && 0%{?rhel} <= 7
|
%if 0%{?rhel} && 0%{?rhel} <= 7
|
||||||
%files -n python2-babel
|
%files -n python2-babel
|
||||||
|
@ -169,6 +174,7 @@ export TZ=America/New_York
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%files -n python3-babel
|
%files -n python3-babel
|
||||||
|
%{_bindir}/pybabel
|
||||||
%{python3_sitelib}/Babel-%{version}-py*.egg-info
|
%{python3_sitelib}/Babel-%{version}-py*.egg-info
|
||||||
%{python3_sitelib}/babel
|
%{python3_sitelib}/babel
|
||||||
|
|
||||||
|
@ -176,6 +182,15 @@ export TZ=America/New_York
|
||||||
%doc built-docs/html/*
|
%doc built-docs/html/*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Jul 15 2021 Tomas Orsava <torsava@redhat.com> - 2.5.1-7
|
||||||
|
- Include the /usr/bin/pybabel binary that runs on Python 3.6 in the
|
||||||
|
python3-babel package
|
||||||
|
Resolves: rhbz#1967173
|
||||||
|
|
||||||
|
* Fri May 07 2021 Charalampos Stratakis <cstratak@redhat.com> - 2.5.1-6
|
||||||
|
- Fix CVE-2021-20095
|
||||||
|
Resolves: rhbz#1955615
|
||||||
|
|
||||||
* Thu Mar 28 2019 Nils Philippsen <nils@redhat.com> - 2.5.1-5
|
* Thu Mar 28 2019 Nils Philippsen <nils@redhat.com> - 2.5.1-5
|
||||||
- make spec file work without %%rhel being defined
|
- make spec file work without %%rhel being defined
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue