diff --git a/0001-Do-not-raise-a-TypeError-exception-if-phone.data-is-.patch b/0001-Do-not-raise-a-TypeError-exception-if-phone.data-is-.patch
new file mode 100644
index 0000000..a2ae896
--- /dev/null
+++ b/0001-Do-not-raise-a-TypeError-exception-if-phone.data-is-.patch
@@ -0,0 +1,50 @@
+From fc94ad58537d83b1f5500876da4a3026654645ba Mon Sep 17 00:00:00 2001
+From: Antonio Larrosa
+Date: Tue, 15 Jun 2021 19:36:50 +0200
+Subject: [PATCH] Do not raise a TypeError exception if phone.data is None
+
+Running the tests on the openSUSE build service to generate
+packages fails because a TypeError exception is raised.
+
+```
+TypeError: object of type 'NoneType' has no len()
+```
+
+This commit checks that phone.data is not None before calling
+len() in the two lines where the exception is raised.
+---
+ flask_security/forms.py | 3 ++-
+ flask_security/views.py | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/flask_security/forms.py b/flask_security/forms.py
+index c793a99..83665fa 100644
+--- a/flask_security/forms.py
++++ b/flask_security/forms.py
+@@ -593,7 +593,8 @@ class TwoFactorSetupForm(Form, UserEmailFormMixin):
+ self.setup.errors = list()
+ self.setup.errors.append(get_message("TWO_FACTOR_METHOD_NOT_AVAILABLE")[0])
+ return False
+- if self.setup.data == "sms" and len(self.phone.data) > 0:
++ if (self.setup.data == "sms" and
++ self.phone.data and len(self.phone.data) > 0):
+ # Somewhat bizarre - but this isn't required the first time around
+ # when they select "sms". Then they get a field to fill out with
+ # phone number, then Submit again.
+diff --git a/flask_security/views.py b/flask_security/views.py
+index c33a016..3aaca95 100644
+--- a/flask_security/views.py
++++ b/flask_security/views.py
+@@ -751,7 +751,8 @@ def two_factor_setup():
+
+ session["tf_primary_method"] = pm
+ session["tf_state"] = "validating_profile"
+- new_phone = form.phone.data if len(form.phone.data) > 0 else None
++ new_phone = form.phone.data if (form.phone.data and
++ len(form.phone.data) > 0) else None
+ if new_phone:
+ user.tf_phone_number = new_phone
+ _datastore.put(user)
+--
+2.31.1
+
diff --git a/Flask-Security-Too-3.4.3.tar.gz b/Flask-Security-Too-3.4.3.tar.gz
deleted file mode 100644
index 86bc7b3..0000000
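Review bot: In the forms.py hunk of the added patch, `self.phone.data and len(self.phone.data) > 0` is redundant: once the None guard is in place a non-empty string is already truthy, so the `len()` call adds nothing and the condition collapses to `if self.setup.data == "sms" and self.phone.data:` on one line. The same holds for the views.py hunk, where `new_phone = form.phone.data or None` replaces the two-line conditional expression. The patch description explains the symptom but not why `phone.data` is None here instead of the empty string the original code expected; presumably the field is not part of the submitted form on that path, and stating that would help the upstream reviewer decide whether the form definition rather than its consumers should change. Both enclosing functions (the method inside `TwoFactorSetupForm` and the `two_factor_setup` view) continue outside the quoted hunks.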
--- a/Flask-Security-Too-3.4.3.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:1e46d660c89e2e76af2d77e63e6cdedf22f0df0179f12429badbc1d142dda35f
-size 338127
diff --git a/Flask-Security-Too-3.4.5.tar.gz b/Flask-Security-Too-3.4.5.tar.gz
new file mode 100644
index 0000000..3cd083d
--- /dev/null
+++ b/Flask-Security-Too-3.4.5.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a09d051ed7616a99dcaa604e718792319521820e245758fe1f42f7554c538da5
+size 340616
diff --git a/fix-dependencies.patch b/fix-dependencies.patch
index 4db83a2..c04afec 100644
--- a/fix-dependencies.patch
+++ b/fix-dependencies.patch
@@ -5,7 +5,7 @@ Index: Flask-Security-Too-3.4.2/setup.py @@ -14,20 +14,19 @@ with io.open("flask_security/__init__.py tests_require = [ - "Flask-Mongoengine>=0.9.5", + "Flask-Mongoengine~=0.9.5", - "peewee>=3.11.2", + "peewee>=3.7.1", "Flask-SQLAlchemy>=2.3",
@@ -19,8 +19,8 @@ Index: Flask-Security-Too-3.4.2/setup.py + "cryptography>=2.1.4", "isort>=4.2.2", "mock>=1.3.0", - "mongoengine>=0.15.3", - "mongomock>=3.14.0", + "mongoengine~=0.19.1", + "mongomock~=3.19.0", "msgcheck>=2.9", -"pony>=0.7.11", "phonenumberslite>=8.11.1",
@@ -42,7 +42,7 @@ Index: Flask-Security-Too-3.4.2/Flask_Security_Too.egg-info/requires.txt @@ -13,20 +13,19 @@ Pallets-Sphinx-Themes>=1.2.0 Sphinx>=1.8.5 sphinx-issues>=1.2.0 - Flask-Mongoengine>=0.9.5 + Flask-Mongoengine~=0.9.5 -peewee>=3.11.2 +peewee>=3.7.1 Flask-SQLAlchemy>=2.3
@@ -56,8 +56,8 @@ Index: Flask-Security-Too-3.4.2/Flask_Security_Too.egg-info/requires.txt +cryptography>=2.1.4 isort>=4.2.2 mock>=1.3.0 - mongoengine>=0.15.3 - mongomock>=3.14.0 + mongoengine~=0.19.1 + mongomock~=3.19.0 msgcheck>=2.9 -pony>=0.7.11 phonenumberslite>=8.11.1
@@ -73,7 +73,7 @@ Index: Flask-Security-Too-3.4.2/Flask_Security_Too.egg-info/requires.txt Pallets-Sphinx-Themes>=1.2.0 Sphinx>=1.8.5 sphinx-issues>=1.2.0 - Flask-Mongoengine>=0.9.5 + Flask-Mongoengine~=0.9.5 -peewee>=3.11.2 +peewee>=3.7.1 Flask-SQLAlchemy>=2.3
@@ -87,8 +87,8 @@ Index: Flask-Security-Too-3.4.2/Flask_Security_Too.egg-info/requires.txt +cryptography>=2.1.4 isort>=4.2.2 mock>=1.3.0 - mongoengine>=0.15.3 - mongomock>=3.14.0 + mongoengine~=0.19.1 + mongomock~=3.19.0 msgcheck>=2.9 -pony>=0.7.11 phonenumberslite>=8.11.1
@@ -106,7 +106,7 @@ Index: Flask-Security-Too-3.4.2/Flask_Security_Too.egg-info/requires.txt @@ -83,20 +81,19 @@ sphinx-issues>=1.2.0 [tests] - Flask-Mongoengine>=0.9.5 + Flask-Mongoengine~=0.9.5 -peewee>=3.11.2 +peewee>=3.7.1 Flask-SQLAlchemy>=2.3
@@ -120,8 +120,8 @@ Index: Flask-Security-Too-3.4.2/Flask_Security_Too.egg-info/requires.txt +cryptography>=2.1.4 isort>=4.2.2 mock>=1.3.0 - mongoengine>=0.15.3 - mongomock>=3.14.0 + mongoengine~=0.19.1 + mongomock~=3.19.0 msgcheck>=2.9 -pony>=0.7.11 phonenumberslite>=8.11.1
diff --git a/no-mongodb.patch b/no-mongodb.patch
index 95b89ec..2b6f706 100644
--- a/no-mongodb.patch
+++ b/no-mongodb.patch
@@ -1,8 +1,17 @@
-Index: Flask-Security-Too-3.4.0/tests/conftest.py
+Index: Flask-Security-Too-3.4.5/tests/conftest.py
 ===================================================================
---- Flask-Security-Too-3.4.0.orig/tests/conftest.py
-+++ Flask-Security-Too-3.4.0/tests/conftest.py
-@@ -617,7 +617,7 @@ def get_message(app):
+--- Flask-Security-Too-3.4.5.orig/tests/conftest.py
++++ Flask-Security-Too-3.4.5/tests/conftest.py
+@@ -607,7 +607,7 @@ def client_nc(request, sqlalchemy_app):
+ return app.test_client(use_cookies=False)
+
+
+-@pytest.fixture(params=["cl-sqlalchemy", "c2", "cl-mongo", "cl-peewee"])
++@pytest.fixture(params=["cl-sqlalchemy", "c2", "cl-peewee"])
+ def clients(request, app, tmpdir, realdburl):
+ if request.param == "cl-sqlalchemy":
+ ds = sqlalchemy_setup(request, app, tmpdir, realdburl)
+@@ -645,7 +645,7 @@ def get_message(app):
 @pytest.fixture(
diff --git a/python-Flask-Security-Too.changes b/python-Flask-Security-Too.changes
index 857f0c9..d0a3356 100644
--- a/python-Flask-Security-Too.changes
+++ b/python-Flask-Security-Too.changes
@@ -1,3 +1,63 @@
+-------------------------------------------------------------------
+Tue Jun 15 16:37:41 UTC 2021 - Antonio Larrosa
+
+- Update to 3.4.5
+ * Security Vulnerability Fix. Two CSRF vulnerabilities were
+ reported: qrcode and login. This release fixes the more severe
+ of the 2 - the /login vulnerability. The QRcode issue has a
+ much smaller risk profile since a) it is only for two-factor
+ authentication using an authenticator app b) the qrcode is only
+ available during the time the user is first setting up their
+ authentication app. The QRcode issue has been fixed in 4.0.
+ * Fixed
+ - GET on /login and /change could return the callers
+ authentication_token. This is a security concern since GETs
+ don't have CSRF protection. This bug was introduced in 3.3.0.
+ * Backwards Compatibility Concerns. Fix CSRF vulnerability on
+ /login and /change that could return the callers authentication
+ token. Now, callers can only get the authentication token on
+ successful POST calls.
+
+- Update to 3.4.4
+ * Fix 3 regressions and a couple other bugs
+ * Fixed
+ - Basic Auth broken. When the unauthenticated handler was
+ changed to provide a more uniform/consistent response - it
+ broke using Basic Auth from a browser, since it always
+ redirected rather than returning 401. Now, if the response
+ headers contain WWW-Authenticate (which is set if basic
+ @auth_required method is used), a 401 is returned. See below
+ for backwards compatibility concerns.
+ - As part of figuring out issue 359 - a redirect loop was
+ found. In release 3.3.0 code was put in to redirect to
+ :py:data:`SECURITY_POST_LOGIN_VIEW` when GET or POST was
+ called and the caller was already authenticated. The method
+ used would honor the request next query parameter. This could
+ cause redirect loops. The pre-3.3.0 behavior of redirecting
+ to :py:data:`SECURITY_POST_LOGIN_VIEW` and ignoring the next
+ parameter has been restored.
+ - Fix peewee. Turns out - due to lack of unit tests - peewee
+ hasn't worked since 'permissions' were added in 3.3.
+ Furthermore, changes in 3.4 around get_id and alternative
+ tokens also didn't work since peewee defines its own get_id
+ method.
+ * Compatibility Concerns. In 3.3.0, flask_security.auth_required
+ was changed to add a default argument if none was given. The
+ default include all current methods - session, token, and
+ basic. However basic really isn't like the others and requires
+ that we send back a WWW-Authenticate header if authentication
+ fails (and return a 401 and not redirect). basic has been
+ removed from the default set and must once again be explicitly
+ requested.
+- Rebase patch to remove another case where mongo is used:
+ * no-mongodb.patch
+- Rebase patch to fix context:
+ * fix-dependencies.patch
+- Add patch to fix failed tests (so an exception is not
+ raised if phone.data is None). Submitted upstream at
+ gh#Flask-Middleware/flask-security#495:
+ * 0001-Do-not-raise-a-TypeError-exception-if-phone.data-is-.patch
+
 -------------------------------------------------------------------
 Wed Jul 1 10:13:03 UTC 2020 - Marketa Calabkova
diff --git a/python-Flask-Security-Too.spec b/python-Flask-Security-Too.spec
index a8f7fc0..8005c2d 100644
--- a/python-Flask-Security-Too.spec
+++ b/python-Flask-Security-Too.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package python-Flask-Security-Too
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,7 +19,7 @@
 %define skip_python2 1
 %{?!python_module:%define python_module() python-%{**} python3-%{**}}
 Name: python-Flask-Security-Too
-Version: 3.4.3
+Version: 3.4.5
 Release: 0
 Summary: Security for Flask apps
 License: MIT
@@ -28,6 +28,7 @@ Source: https://files.pythonhosted.org/packages/source/F/Flask-Security-
 Patch0: no-mongodb.patch
 Patch1: no-setup-dependencies.patch
 Patch2: fix-dependencies.patch
+Patch3: 0001-Do-not-raise-a-TypeError-exception-if-phone.data-is-.patch
 BuildRequires: %{python_module Babel >= 1.3}
 BuildRequires: %{python_module Flask >= 1.0.2}
 BuildRequires: %{python_module Flask-BabelEx >= 0.9.3}
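Review bot: `Patch3` is declared in this hunk, but the `%prep` section that applies it lies outside the diff, so confirm that a matching `%patch3 -p1` (or an `%autopatch` that covers it) exists; a patch that is declared but never applied would leave the TypeError this update is meant to fix in place and the test run failing as before. Patch0 through Patch2 presumably already have their apply lines, so the new one should follow the same form. Nothing else in the hunk changes behavior.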