jython/jython-cached-classes.patch
Tomáš Chvátal 14adf8d273 - Added patches to fix CVE-2013-2027 bnc#916224:
* jython-cached-classes.patch
  * jython-cacheperms.patch
  * jython-makeCompiledFilename.patch

OBS-URL: https://build.opensuse.org/package/show/Java:packages/jython?expand=0&rev=12
2015-02-04 14:24:57 +00:00


From 85a88bcffe2d61d143b4f8c545bd28b152d8d05b Mon Sep 17 00:00:00 2001
From: Lubomir Rintel <lubo.rintel@gooddata.com>
Date: Wed, 3 Apr 2013 18:31:40 +0200
Subject: [PATCH 3/3] Use cache dir for classes too
Instead of attempting to write them next to source files.
Java 6 API does not allow for setting sane permissions (i.e. same as
those of a source file) and relying on defaults is a security hazard
which can lead to information disclosure, or, in case of a too relaxed
umask, arbitrary code execution.
Also, this will likely improve performance for non-privileged users
which can not write to their distribution's packaged jython tree.
---
src/org/python/core/PySystemState.java | 6 ++++++
src/org/python/core/imp.java | 12 ++++++++++--
2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/src/org/python/core/PySystemState.java b/src/org/python/core/PySystemState.java
index 9de34e3..a124228 100644
--- a/src/org/python/core/PySystemState.java
+++ b/src/org/python/core/PySystemState.java
@@ -539,6 +539,12 @@ public class PySystemState extends PyObject
public static PackageManager packageManager;
public static File cachedir;
+ public static File classCache() {
+ if (cachedir == null)
+ return null;
+ return new File(cachedir, "classes");
+ }
+
public static boolean isPackageCacheEnabled() {
return cachedir != null;
}
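Review bot: `classCache()` is a new public static accessor with no Javadoc, and callers depend on a contract it never states. It returns `null` when `cachedir` is unset, and it neither creates the `classes` directory nor checks its ownership or permissions. I would add `/** Returns the directory for cached compiled classes under cachedir, or null when caching is disabled; the directory is not created or permission-checked here. */` so it is clear that the code writing into the directory is responsible for those checks. The unbraced `if (cachedir == null)` would also be safer with braces.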
diff --git a/src/org/python/core/imp.java b/src/org/python/core/imp.java
index a9868dd..67c33d6 100644
--- a/src/org/python/core/imp.java
+++ b/src/org/python/core/imp.java
@@ -117,8 +117,15 @@ public class imp {
}
private static String makeCompiledFilename(String filename) {
- return filename.substring(0, filename.length() - 3)
- + "$py.class";
+ String basename = filename.substring(0, filename.length() - 3)
+ + "$py.class";
+ File cache = Py.getSystemState().classCache();
+
+ if (cache == null) {
+ return basename;
+ } else {
+ return new File(cache, basename).getPath();
+ }
}
/**
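Review bot: In `makeCompiledFilename` the cache entry is derived from the source path exactly as passed in, so `new File(cache, basename)` maps the same relative name (for example `foo.py`) from two different working directories to one cache file. A relative name containing `..` can also resolve outside the `classes` directory. Since the patch exists to keep compiled classes out of locations with uncontrolled permissions, I would canonicalise the source path in the cache branch before joining it, e.g. `return new File(cache, new File(basename).getCanonicalPath()).getPath();`. `getCanonicalPath()` throws IOException, which the method would have to handle, and the behaviour of an absolute child with a drive prefix on Windows would need checking. Separately, `classCache()` is static, so `PySystemState.classCache()` reads more clearly than calling it through `Py.getSystemState()`.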
@@ -144,6 +151,7 @@ public class imp {
}
FileOutputStream fop = null;
try {
+ new File(compiledFilename).getParentFile().mkdirs();
fop = new FileOutputStream(compiledFilename);
fop.write(compiledSource);
fop.close();
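Review bot: `new File(compiledFilename).getParentFile()` returns null when the path has no parent component, so the added line can throw NullPointerException before the stream is opened. `makeCompiledFilename` produces exactly such a path for a bare relative source name when no cache directory is configured. I would guard the call: `File parent = new File(compiledFilename).getParentFile();` then `if (parent != null) { parent.mkdirs(); }`. The result of `mkdirs()` is also discarded, and the new directories get whatever permissions the process umask allows, which the commit message itself calls a hazard; whether another patch in this series tightens that is not visible here. The enclosing try block and method continue outside the hunk.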
--
1.8.3.1