Add upstream patch to fix file execution vulnerability (bug #1264068)

2015-09-17 13:24:52 -06:00 · 2015-09-17 13:24:52 -06:00 · 7f9f064af0
commit 7f9f064af0
parent d75e4d68f1
2 changed files with 162 additions and 1 deletions
--- a/0a8096adf165e2465550bd5893d7e352544e5967.patch
+++ b/0a8096adf165e2465550bd5893d7e352544e5967.patch
@ -0,0 +1,155 @@
 From d729ce7c2063c0de746a7c2ea39697040d0af5bf Mon Sep 17 00:00:00 2001
 From: Min RK <benjaminrk@gmail.com>
 Date: Mon, 20 Jul 2015 12:10:10 -0700
 Subject: [PATCH 1/4] set mime-type on /files/
 ---
 IPython/html/files/handlers.py | 5 +++++
 1 file changed, 5 insertions(+)
 diff --git a/IPython/html/files/handlers.py b/IPython/html/files/handlers.py
 index 7727d08..b358d94 100644
 --- a/IPython/html/files/handlers.py
 +++ b/IPython/html/files/handlers.py
@@ -40,6 +40,11 @@ def get(self, path):
             cur_mime = mimetypes.guess_type(name)[0]
             if cur_mime is not None:
                 self.set_header('Content-Type', cur_mime)
 +            else:
 +                if model['format'] == 'base64':
 +                    self.set_header('Content-Type', 'application/octet-stream')
 +                else:
 +                    self.set_header('Content-Type', 'text/plain')
         if model['format'] == 'base64':
             b64_bytes = model['content'].encode('ascii')
 From 50a1366a8fcfb94671c87199515ebc922882f447 Mon Sep 17 00:00:00 2001
 From: Min RK <benjaminrk@gmail.com>
 Date: Mon, 20 Jul 2015 12:10:25 -0700
 Subject: [PATCH 2/4] set model mimetype, even when content=False
 ---
 IPython/html/services/contents/filemanager.py | 12 +++++++-----
 IPython/html/services/contents/handlers.py    |  3 ---
 2 files changed, 7 insertions(+), 8 deletions(-)
 diff --git a/IPython/html/services/contents/filemanager.py b/IPython/html/services/contents/filemanager.py
 index 01ce07b..c869c75 100644
 --- a/IPython/html/services/contents/filemanager.py
 +++ b/IPython/html/services/contents/filemanager.py
@@ -277,18 +277,20 @@ def _file_model(self, path, content=True, format=None):
         model['type'] = 'file'
         os_path = self._get_os_path(path)
 +        model['mimetype'] = mimetypes.guess_type(os_path)[0]
         if content:
             content, format = self._read_file(os_path, format)
 -            default_mime = {
 -                'text': 'text/plain',
 -                'base64': 'application/octet-stream'
 -            }[format]
 +            if model['mimetype'] is None:
 +                default_mime = {
 +                    'text': 'text/plain',
 +                    'base64': 'application/octet-stream'
 +                }[format]
 +                model['mimetype'] = default_mime
             model.update(
                 content=content,
                 format=format,
 -                mimetype=mimetypes.guess_type(os_path)[0] or default_mime,
             )
         return model
 diff --git a/IPython/html/services/contents/handlers.py b/IPython/html/services/contents/handlers.py
 index 5cd849e..d77e70e 100644
 --- a/IPython/html/services/contents/handlers.py
 +++ b/IPython/html/services/contents/handlers.py
@@ -52,9 +52,6 @@ def validate_model(model, expect_content):
         )
     maybe_none_keys = ['content', 'format']
 -    if model['type'] == 'file':
 -        # mimetype should be populated only for file models
 -        maybe_none_keys.append('mimetype')
     if expect_content:
         errors = [key for key in maybe_none_keys if model[key] is None]
         if errors:
 From df24d9153b86863ccfa98bf509704d9304143ce1 Mon Sep 17 00:00:00 2001
 From: Min RK <benjaminrk@gmail.com>
 Date: Mon, 20 Jul 2015 12:11:04 -0700
 Subject: [PATCH 3/4] only redirect to editor for text documents
 treat unidentified mime-types as text
 ---
 IPython/html/static/tree/js/notebooklist.js | 7 +++++++
 1 file changed, 7 insertions(+)
 diff --git a/IPython/html/static/tree/js/notebooklist.js b/IPython/html/static/tree/js/notebooklist.js
 index 0065143..d8c7b2a 100644
 --- a/IPython/html/static/tree/js/notebooklist.js
 +++ b/IPython/html/static/tree/js/notebooklist.js
@@ -532,6 +532,13 @@ define([
             icon = 'running_' + icon;
         }
         var uri_prefix = NotebookList.uri_prefixes[model.type];
 +        if (model.type === 'file' &&
 +            model.mimetype && model.mimetype.substr(0,5) !== 'text/'
 +        ) {
 +            // send text/unidentified files to editor, others go to raw viewer
 +            uri_prefix = 'files';
 +        }
 +        
         item.find(".item_icon").addClass(icon).addClass('icon-fixed-width');
         var link = item.find("a.item_link")
             .attr('href',
 From 2b835ca6daec2592d9127dc85bf2cdcfb718edf2 Mon Sep 17 00:00:00 2001
 From: Min RK <benjaminrk@gmail.com>
 Date: Mon, 20 Jul 2015 12:11:23 -0700
 Subject: [PATCH 4/4] Don't redirect from /edit/ to /files/
 show failure to decode, instead
 ---
 IPython/html/static/edit/js/editor.js | 15 +++------------
 1 file changed, 3 insertions(+), 12 deletions(-)
 diff --git a/IPython/html/static/edit/js/editor.js b/IPython/html/static/edit/js/editor.js
 index dd12ea4..75d65e0 100644
 --- a/IPython/html/static/edit/js/editor.js
 +++ b/IPython/html/static/edit/js/editor.js
@@ -90,19 +90,10 @@ function($,
             }).catch(
             function(error) {
                 that.events.trigger("file_load_failed.Editor", error);
 -                if (((error.xhr||{}).responseJSON||{}).reason === 'bad format') {
 -                    window.location = utils.url_path_join(
 -                        that.base_url,
 -                        'files',
 -                        that.file_path
 -                    );
 -                } else {
 -                    console.warn('Error while loading: the error was:')
 -                    console.warn(error)
 -                }
 +                console.warn('Error loading: ', error);
                 cm.setValue("Error! " + error.message +
                                 "\nSaving disabled.\nSee Console for more details.");
 -                cm.setOption('readOnly','nocursor')
 +                cm.setOption('readOnly','nocursor');
                 that.save_enabled = false;
             }
         );
@@ -186,7 +177,7 @@ function($,
     Editor.prototype._clean_state = function(){
         var clean = this.codemirror.isClean(this.generation);
         if (clean === this.clean){
 -            return
 +            return;
         } else {
             this.clean = clean;
         }
--- a/ipython.spec
+++ b/ipython.spec
@ -14,7 +14,7 @@
 Name:           ipython
 Version:        3.2.1
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        An enhanced interactive Python shell
 # See bug #603178 for a quick overview for the choice of licenses
@ -28,6 +28,9 @@ Patch0:         ipython-2.1.0-_jsdir-search-path.patch
 # Fix XSS vulnerability in notebook HTML template handling
 # https://bugzilla.redhat.com/show_bug.cgi?id=1259405
 Patch1:         https://github.com/ipython/ipython/commit/3ab41641cf6fce3860c73d5cf4645aa12e1e5892.patch
 # Fix Maliciously crafted files can be executed due to wrong file type determination
 # https://bugzilla.redhat.com/show_bug.cgi?id=1264067
 Patch2:         https://github.com/ipython/ipython/commit/0a8096adf165e2465550bd5893d7e352544e5967.patch
 BuildArch:      noarch
 BuildRequires:  python-devel
@ -713,6 +716,9 @@ popd
 %endif # with_python3
 %changelog
 * Thu Sep 19 2015 Orion Poplawski <orion@cora.nwra.com> - 3.2.1-3
 - Add upstream patch to fix file execution vulnerability (bug #1264068)
 * Wed Sep 2 2015 Orion Poplawski <orion@cora.nwra.com> - 3.2.1-2
 - Add upstream patch to fix XSS vulnerability (bug #1259405)