Accepting request 904704 from devel:languages:python:flask

Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/904704
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-Flask-Security-Too?expand=0&rev=6
This commit is contained in:
Dominique Leuenberger 2021-07-08 20:49:16 +00:00 committed by Git OBS Bridge
commit 6986c13b44
7 changed files with 141 additions and 21 deletions


@ -0,0 +1,50 @@
From fc94ad58537d83b1f5500876da4a3026654645ba Mon Sep 17 00:00:00 2001
From: Antonio Larrosa <antonio.larrosa@gmail.com>
Date: Tue, 15 Jun 2021 19:36:50 +0200
Subject: [PATCH] Do not raise a TypeError exception if phone.data is None
Running the tests on the openSUSE build service to generate
packages fails because a TypeError exception is raised.
```
TypeError: object of type 'NoneType' has no len()
```
This commit checks that phone.data is not None before calling
len() in the two lines where the exception is raised.
---
flask_security/forms.py | 3 ++-
flask_security/views.py | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/flask_security/forms.py b/flask_security/forms.py
index c793a99..83665fa 100644
--- a/flask_security/forms.py
+++ b/flask_security/forms.py
@@ -593,7 +593,8 @@ class TwoFactorSetupForm(Form, UserEmailFormMixin):
self.setup.errors = list()
self.setup.errors.append(get_message("TWO_FACTOR_METHOD_NOT_AVAILABLE")[0])
return False
- if self.setup.data == "sms" and len(self.phone.data) > 0:
+ if (self.setup.data == "sms" and
+ self.phone.data and len(self.phone.data) > 0):
# Somewhat bizarre - but this isn't required the first time around
# when they select "sms". Then they get a field to fill out with
# phone number, then Submit again.
diff --git a/flask_security/views.py b/flask_security/views.py
index c33a016..3aaca95 100644
--- a/flask_security/views.py
+++ b/flask_security/views.py
@@ -751,7 +751,8 @@ def two_factor_setup():
session["tf_primary_method"] = pm
session["tf_state"] = "validating_profile"
- new_phone = form.phone.data if len(form.phone.data) > 0 else None
+ new_phone = form.phone.data if (form.phone.data and
+ len(form.phone.data) > 0) else None
if new_phone:
user.tf_phone_number = new_phone
_datastore.put(user)
--
2.31.1
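Review bot: The guard added in forms.py, `self.phone.data and len(self.phone.data) > 0`, and its twin in views.py check the same thing twice: once the truthiness test is in place, a non-empty string is already truthy, so `len(...) > 0` adds nothing. `if self.setup.data == "sms" and self.phone.data:` and `new_phone = form.phone.data or None` behave identically for both `None` and `""`, and the second form also cannot raise for a value without `__len__`. The change only avoids the TypeError; whether `phone.data` has been validated as a phone number is decided outside these hunks, so nothing here should be read as input validation. Both enclosing definitions, the method of `TwoFactorSetupForm` and `two_factor_setup()`, start and end outside the hunks.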


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:1e46d660c89e2e76af2d77e63e6cdedf22f0df0179f12429badbc1d142dda35f
size 338127


@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a09d051ed7616a99dcaa604e718792319521820e245758fe1f42f7554c538da5
size 340616


@ -5,7 +5,7 @@ Index: Flask-Security-Too-3.4.2/setup.py
@@ -14,20 +14,19 @@ with io.open("flask_security/__init__.py
tests_require = [
"Flask-Mongoengine>=0.9.5",
"Flask-Mongoengine~=0.9.5",
- "peewee>=3.11.2",
+ "peewee>=3.7.1",
"Flask-SQLAlchemy>=2.3",
@ -19,8 +19,8 @@ Index: Flask-Security-Too-3.4.2/setup.py
+ "cryptography>=2.1.4",
"isort>=4.2.2",
"mock>=1.3.0",
"mongoengine>=0.15.3",
"mongomock>=3.14.0",
"mongoengine~=0.19.1",
"mongomock~=3.19.0",
"msgcheck>=2.9",
- "pony>=0.7.11",
"phonenumberslite>=8.11.1",
@ -42,7 +42,7 @@ Index: Flask-Security-Too-3.4.2/Flask_Security_Too.egg-info/requires.txt
@@ -13,20 +13,19 @@ Pallets-Sphinx-Themes>=1.2.0
Sphinx>=1.8.5
sphinx-issues>=1.2.0
Flask-Mongoengine>=0.9.5
Flask-Mongoengine~=0.9.5
-peewee>=3.11.2
+peewee>=3.7.1
Flask-SQLAlchemy>=2.3
@ -56,8 +56,8 @@ Index: Flask-Security-Too-3.4.2/Flask_Security_Too.egg-info/requires.txt
+cryptography>=2.1.4
isort>=4.2.2
mock>=1.3.0
mongoengine>=0.15.3
mongomock>=3.14.0
mongoengine~=0.19.1
mongomock~=3.19.0
msgcheck>=2.9
-pony>=0.7.11
phonenumberslite>=8.11.1
@ -73,7 +73,7 @@ Index: Flask-Security-Too-3.4.2/Flask_Security_Too.egg-info/requires.txt
Pallets-Sphinx-Themes>=1.2.0
Sphinx>=1.8.5
sphinx-issues>=1.2.0
Flask-Mongoengine>=0.9.5
Flask-Mongoengine~=0.9.5
-peewee>=3.11.2
+peewee>=3.7.1
Flask-SQLAlchemy>=2.3
@ -87,8 +87,8 @@ Index: Flask-Security-Too-3.4.2/Flask_Security_Too.egg-info/requires.txt
+cryptography>=2.1.4
isort>=4.2.2
mock>=1.3.0
mongoengine>=0.15.3
mongomock>=3.14.0
mongoengine~=0.19.1
mongomock~=3.19.0
msgcheck>=2.9
-pony>=0.7.11
phonenumberslite>=8.11.1
@ -106,7 +106,7 @@ Index: Flask-Security-Too-3.4.2/Flask_Security_Too.egg-info/requires.txt
@@ -83,20 +81,19 @@ sphinx-issues>=1.2.0
[tests]
Flask-Mongoengine>=0.9.5
Flask-Mongoengine~=0.9.5
-peewee>=3.11.2
+peewee>=3.7.1
Flask-SQLAlchemy>=2.3
@ -120,8 +120,8 @@ Index: Flask-Security-Too-3.4.2/Flask_Security_Too.egg-info/requires.txt
+cryptography>=2.1.4
isort>=4.2.2
mock>=1.3.0
mongoengine>=0.15.3
mongomock>=3.14.0
mongoengine~=0.19.1
mongomock~=3.19.0
msgcheck>=2.9
-pony>=0.7.11
phonenumberslite>=8.11.1


@ -1,8 +1,17 @@
Index: Flask-Security-Too-3.4.0/tests/conftest.py
Index: Flask-Security-Too-3.4.5/tests/conftest.py
===================================================================
--- Flask-Security-Too-3.4.0.orig/tests/conftest.py
+++ Flask-Security-Too-3.4.0/tests/conftest.py
@@ -617,7 +617,7 @@ def get_message(app):
--- Flask-Security-Too-3.4.5.orig/tests/conftest.py
+++ Flask-Security-Too-3.4.5/tests/conftest.py
@@ -607,7 +607,7 @@ def client_nc(request, sqlalchemy_app):
return app.test_client(use_cookies=False)
-@pytest.fixture(params=["cl-sqlalchemy", "c2", "cl-mongo", "cl-peewee"])
+@pytest.fixture(params=["cl-sqlalchemy", "c2", "cl-peewee"])
def clients(request, app, tmpdir, realdburl):
if request.param == "cl-sqlalchemy":
ds = sqlalchemy_setup(request, app, tmpdir, realdburl)
@@ -645,7 +645,7 @@ def get_message(app):
@pytest.fixture(
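Review bot: The patch has no description above its first `Index:` line (the section starts at line 1 of the file), so a reader of the package sources cannot tell from the patch itself why `cl-mongo` is dropped from the `clients` fixture params; presumably a MongoDB service is not available during the build, as the patch name suggests, but that is inferred. A short header before `Index:`, e.g. `Drop the mongo-backed test clients: no MongoDB is available in the build environment`, would document it. It is also worth stating in that header that the mongo datastore thereby leaves the test matrix for this package build, so a regression there would not be caught here.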


@ -1,3 +1,63 @@
-------------------------------------------------------------------
Tue Jun 15 16:37:41 UTC 2021 - Antonio Larrosa <alarrosa@suse.com>
- Update to 3.4.5
* Security Vulnerability Fix. Two CSRF vulnerabilities were
reported: qrcode and login. This release fixes the more severe
of the 2 - the /login vulnerability. The QRcode issue has a
much smaller risk profile since a) it is only for two-factor
authentication using an authenticator app b) the qrcode is only
available during the time the user is first setting up their
authentication app. The QRcode issue has been fixed in 4.0.
* Fixed
- GET on /login and /change could return the callers
authentication_token. This is a security concern since GETs
don't have CSRF protection. This bug was introduced in 3.3.0.
* Backwards Compatibility Concerns. Fix CSRF vulnerability on
/login and /change that could return the callers authentication
token. Now, callers can only get the authentication token on
successful POST calls.
- Update to 3.4.4
* Fix 3 regressions and a couple other bugs
* Fixed
- Basic Auth broken. When the unauthenticated handler was
changed to provide a more uniform/consistent response - it
broke using Basic Auth from a browser, since it always
redirected rather than returning 401. Now, if the response
headers contain WWW-Authenticate (which is set if basic
@auth_required method is used), a 401 is returned. See below
for backwards compatibility concerns.
- As part of figuring out issue 359 - a redirect loop was
found. In release 3.3.0 code was put in to redirect to
:py:data:`SECURITY_POST_LOGIN_VIEW` when GET or POST was
called and the caller was already authenticated. The method
used would honor the request next query parameter. This could
cause redirect loops. The pre-3.3.0 behavior of redirecting
to :py:data:`SECURITY_POST_LOGIN_VIEW` and ignoring the next
parameter has been restored.
- Fix peewee. Turns out - due to lack of unit tests - peewee
hasn't worked since 'permissions' were added in 3.3.
Furthermore, changes in 3.4 around get_id and alternative
tokens also didn't work since peewee defines its own get_id
method.
* Compatibility Concerns. In 3.3.0, flask_security.auth_required
was changed to add a default argument if none was given. The
default include all current methods - session, token, and
basic. However basic really isn't like the others and requires
that we send back a WWW-Authenticate header if authentication
fails (and return a 401 and not redirect). basic has been
removed from the default set and must once again be explicitly
requested.
- Rebase patch to remove another case where mongo is used:
* no-mongodb.patch
- Rebase patch to fix context:
* fix-dependencies.patch
- Add patch to fix failed tests (so an exception is not
raised if phone.data is None). Submitted upstream at
gh#Flask-Middleware/flask-security#495:
* 0001-Do-not-raise-a-TypeError-exception-if-phone.data-is-.patch
-------------------------------------------------------------------
Wed Jul 1 10:13:03 UTC 2020 - Marketa Calabkova <mcalabkova@suse.com>


@ -1,7 +1,7 @@
#
# spec file for package python-Flask-Security-Too
#
# Copyright (c) 2020 SUSE LLC
# Copyright (c) 2021 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -19,7 +19,7 @@
%define skip_python2 1
%{?!python_module:%define python_module() python-%{**} python3-%{**}}
Name: python-Flask-Security-Too
Version: 3.4.3
Version: 3.4.5
Release: 0
Summary: Security for Flask apps
License: MIT
@ -28,6 +28,7 @@ Source: https://files.pythonhosted.org/packages/source/F/Flask-Security-
Patch0: no-mongodb.patch
Patch1: no-setup-dependencies.patch
Patch2: fix-dependencies.patch
Patch3: 0001-Do-not-raise-a-TypeError-exception-if-phone.data-is-.patch
BuildRequires: %{python_module Babel >= 1.3}
BuildRequires: %{python_module Flask >= 1.0.2}
BuildRequires: %{python_module Flask-BabelEx >= 0.9.3}
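Review bot: `Patch3` is declared here but the place where patches are applied (`%prep`) is outside this section, so it cannot be confirmed from the page that the new patch is actually applied; a declared-but-unapplied patch builds cleanly and silently keeps the TypeError the changelog says is fixed. Please check that a matching `%patch3 -p1` line was added alongside the existing patch applications; `-p1` is the right strip level, since the patch was produced by git format-patch with `a/`/`b/` path prefixes.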