No commits in common. "factory" and "devel" have entirely different histories.
104
CVE-2024-39705-disable-download.patch
Normal file
104
CVE-2024-39705-disable-download.patch
Normal file
@ -0,0 +1,104 @@
|
|||||||
|
---
|
||||||
|
nltk/app/chartparser_app.py | 13 +++++++++++++
|
||||||
|
nltk/corpus/reader/util.py | 2 ++
|
||||||
|
nltk/data.py | 2 ++
|
||||||
|
nltk/parse/transitionparser.py | 2 ++
|
||||||
|
nltk/tbl/demo.py | 4 +++-
|
||||||
|
5 files changed, 22 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
--- a/nltk/app/chartparser_app.py
|
||||||
|
+++ b/nltk/app/chartparser_app.py
|
||||||
|
@@ -800,6 +800,10 @@ class ChartComparer:
|
||||||
|
showerror("Error Saving Chart", f"Unable to open file: {filename!r}\n{e}")
|
||||||
|
|
||||||
|
def load_chart_dialog(self, *args):
|
||||||
|
+ showerror("Security Error",
|
||||||
|
+ "Due to gh#nltk/nltk#3266, deserializing from " +
|
||||||
|
+ "a pickle is forbidden.")
|
||||||
|
+ return
|
||||||
|
filename = askopenfilename(
|
||||||
|
filetypes=self.CHART_FILE_TYPES, defaultextension=".pickle"
|
||||||
|
)
|
||||||
|
@@ -811,6 +815,8 @@ class ChartComparer:
|
||||||
|
showerror("Error Loading Chart", f"Unable to open file: {filename!r}\n{e}")
|
||||||
|
|
||||||
|
def load_chart(self, filename):
|
||||||
|
+ raise RuntimeError("Due to gh#nltk/nltk#3266, deserializing from " +
|
||||||
|
+ "a pickle is forbidden.")
|
||||||
|
with open(filename, "rb") as infile:
|
||||||
|
chart = pickle.load(infile)
|
||||||
|
name = os.path.basename(filename)
|
||||||
|
@@ -2268,6 +2274,10 @@ class ChartParserApp:
|
||||||
|
if not filename:
|
||||||
|
return
|
||||||
|
try:
|
||||||
|
+ showerror("Security Error",
|
||||||
|
+ "Due to gh#nltk/nltk#3266, deserializing from " +
|
||||||
|
+ "a pickle is forbidden.")
|
||||||
|
+ return
|
||||||
|
with open(filename, "rb") as infile:
|
||||||
|
chart = pickle.load(infile)
|
||||||
|
self._chart = chart
|
||||||
|
@@ -2306,6 +2316,9 @@ class ChartParserApp:
|
||||||
|
return
|
||||||
|
try:
|
||||||
|
if filename.endswith(".pickle"):
|
||||||
|
+ showerror("Due to gh#nltk/nltk#3266, deserializing from " +
|
||||||
|
+ "a pickle is forbidden.")
|
||||||
|
+ return
|
||||||
|
with open(filename, "rb") as infile:
|
||||||
|
grammar = pickle.load(infile)
|
||||||
|
else:
|
||||||
|
--- a/nltk/corpus/reader/util.py
|
||||||
|
+++ b/nltk/corpus/reader/util.py
|
||||||
|
@@ -521,6 +521,8 @@ class PickleCorpusView(StreamBackedCorpu
|
||||||
|
|
||||||
|
def read_block(self, stream):
|
||||||
|
result = []
|
||||||
|
+ raise RuntimeError("Due to gh#nltk/nltk#3266, deserializing from " +
|
||||||
|
+ "a pickle is forbidden.")
|
||||||
|
for i in range(self.BLOCK_SIZE):
|
||||||
|
try:
|
||||||
|
result.append(pickle.load(stream))
|
||||||
|
--- a/nltk/data.py
|
||||||
|
+++ b/nltk/data.py
|
||||||
|
@@ -752,6 +752,8 @@ def load(
|
||||||
|
if format == "raw":
|
||||||
|
resource_val = opened_resource.read()
|
||||||
|
elif format == "pickle":
|
||||||
|
+ raise RuntimeError("Due to gh#nltk/nltk#3266, deserializing from " +
|
||||||
|
+ "a pickle is forbidden.")
|
||||||
|
resource_val = pickle.load(opened_resource)
|
||||||
|
elif format == "json":
|
||||||
|
import json
|
||||||
|
--- a/nltk/parse/transitionparser.py
|
||||||
|
+++ b/nltk/parse/transitionparser.py
|
||||||
|
@@ -553,6 +553,8 @@ class TransitionParser(ParserI):
|
||||||
|
"""
|
||||||
|
result = []
|
||||||
|
# First load the model
|
||||||
|
+ raise RuntimeError("Due to gh#nltk/nltk#3266, deserializing from " +
|
||||||
|
+ "a pickle is forbidden.")
|
||||||
|
model = pickle.load(open(modelFile, "rb"))
|
||||||
|
operation = Transition(self._algorithm)
|
||||||
|
|
||||||
|
--- a/nltk/tbl/demo.py
|
||||||
|
+++ b/nltk/tbl/demo.py
|
||||||
|
@@ -253,6 +253,8 @@ def postag(
|
||||||
|
)
|
||||||
|
)
|
||||||
|
with open(cache_baseline_tagger) as print_rules:
|
||||||
|
+ raise RuntimeError("Due to gh#nltk/nltk#3266, deserializing from " +
|
||||||
|
+ "a pickle is forbidden.")
|
||||||
|
baseline_tagger = pickle.load(print_rules)
|
||||||
|
print(f"Reloaded pickled tagger from {cache_baseline_tagger}")
|
||||||
|
else:
|
||||||
|
@@ -327,7 +329,7 @@ def postag(
|
||||||
|
with open(serialize_output) as print_rules:
|
||||||
|
brill_tagger_reloaded = pickle.load(print_rules)
|
||||||
|
print(f"Reloaded pickled tagger from {serialize_output}")
|
||||||
|
- taggedtest_reloaded = brill_tagger.tag_sents(testing_data)
|
||||||
|
+ taggedtest_reloaded = brill_tagger_reloaded.tag_sents(testing_data)
|
||||||
|
if taggedtest == taggedtest_reloaded:
|
||||||
|
print("Reloaded tagger tried on test set, results identical")
|
||||||
|
else:
|
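Review bot: The second `nltk/tbl/demo.py` hunk (`@@ -327,7 +329,7 @@ def postag(`) still reaches `brill_tagger_reloaded = pickle.load(print_rules)` on `serialize_output`, because the patch only corrects the variable name on the following line; it is the one visible `pickle.load` left without the guard. If the intent is to forbid every deserialization path, put the same `raise RuntimeError("Due to gh#nltk/nltk#3266, deserializing from " + "a pickle is forbidden.")` before that load, or add a comment stating why that file is trusted. Separately, in the `@@ -2306,6 +2316,9 @@ class ChartParserApp:` hunk `showerror(...)` receives a single string, unlike the two other added calls that pass `"Security Error"` first. Assuming this is `tkinter.messagebox.showerror`, the text would land in the window title with an empty message body, so pass `"Security Error"` as the first argument there too. All of these functions continue outside their hunks, so any callers that catch the new `RuntimeError` cannot be checked from here.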