Accepting request 1220124 from devel:languages:python:Factory

- Update CVE-2024-9287-venv_path_unquoted.patch according to the upstream PR gh#python/cpython!126301. OBS-URL: https://build.opensuse.org/request/show/1220124 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python310?expand=0&rev=51
2024-11-03 06:16:58 +00:00 · 2024-11-03 06:16:58 +00:00 · c683cd8edc
commit c683cd8edc
parent dfc11afc70 2bd9540ae5
2 changed files with 70 additions and 36 deletions
--- a/CVE-2024-9287-venv_path_unquoted.patch
+++ b/CVE-2024-9287-venv_path_unquoted.patch
@ -1,32 +1,31 @@
-From b6a3bbd155c558cdcda482629073e492437db3d0 Mon Sep 17 00:00:00 2001
+From 21139b45039a72e8346bdc32d498345ef174ba92 Mon Sep 17 00:00:00 2001
-From: y5c4l3 <y5c4l3@proton.me>
+From: Victor Stinner <vstinner@python.org>
-Date: Sat, 28 Sep 2024 02:09:07 +0800
+Date: Fri, 1 Nov 2024 14:11:47 +0100
-Subject: [PATCH] Quote template strings in `venv` activation scripts
+Subject: [PATCH] [3.11] gh-124651: Quote template strings in `venv` activation
 scripts (GH-124712) (GH-126185) (#126269)
-This patch properly quotes template strings in `venv` activation
+(cherry picked from commit ae961ae94bf19c8f8c7fbea3d1c25cc55ce8ae97)
 scripts. This mitigates potential command injection.
 Signed-off-by: y5c4l3 <y5c4l3@proton.me>
 ---
 Lib/test/test_venv.py                                                   |   81 ++++++++++
 Lib/venv/__init__.py                                                    |   42 ++++-
- Lib/venv/scripts/common/activate                                        |    6 
+ Lib/venv/scripts/common/activate                                        |    8 
 Lib/venv/scripts/nt/activate.bat                                        |    6 
- Lib/venv/scripts/posix/activate.csh                                     |    6 
+ Lib/venv/scripts/posix/activate.csh                                     |    8 
 Lib/venv/scripts/posix/activate.fish                                    |    8 
 Misc/NEWS.d/next/Library/2024-09-28-02-03-04.gh-issue-124651.bLBGtH.rst |    1 
- 6 files changed, 128 insertions(+), 14 deletions(-)
+ 7 files changed, 134 insertions(+), 20 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Library/2024-09-28-02-03-04.gh-issue-124651.bLBGtH.rst
 --- a/Lib/test/test_venv.py
 +++ b/Lib/test/test_venv.py
-@@ -10,6 +10,7 @@ import ensurepip
+@@ -15,6 +15,7 @@ import struct
 import os
 import os.path
 import re
 +import shlex
 import shutil
 import struct
 import subprocess
 import sys
 import tempfile
 +import shlex
 from test.support import (captured_stdout, captured_stderr, requires_zlib,
                           skip_if_broken_multiprocessing_synchronize)
 from test.support.os_helper import (can_symlink, EnvironmentVarGuard, rmtree)
@@ -85,6 +86,10 @@ class BaseTest(unittest.TestCase):
             result = f.read()
         return result
@ -178,14 +177,14 @@ Signed-off-by: y5c4l3 <y5c4l3@proton.me>
         return text
     def install_scripts(self, context, path):
-@@ -409,6 +440,7 @@ class EnvBuilder:
+@@ -408,6 +439,7 @@ class EnvBuilder:
                 with open(srcfile, 'rb') as f:
                     data = f.read()
                 if not srcfile.endswith(('.exe', '.pdb')):
 +                    context.script_path = srcfile
                     try:
 +                        context.script_path = srcfile
                         data = data.decode('utf-8')
                         data = self.replace_variables(data, context)
                         data = data.encode('utf-8')
 --- a/Lib/venv/scripts/common/activate
 +++ b/Lib/venv/scripts/common/activate
@@ -38,11 +38,11 @@ deactivate () {
@ -202,15 +201,18 @@ Signed-off-by: y5c4l3 <y5c4l3@proton.me>
 export PATH
 # unset PYTHONHOME if set
-@@ -55,7 +55,7 @@ fi
+@@ -55,9 +55,9 @@ fi
 if [ -z "${VIRTUAL_ENV_DISABLE_PROMPT:-}" ] ; then
     _OLD_VIRTUAL_PS1="${PS1:-}"
 -    PS1="__VENV_PROMPT__${PS1:-}"
 +    PS1=__VENV_PROMPT__"${PS1:-}"
     export PS1
-     VIRTUAL_ENV_PROMPT="__VENV_PROMPT__"
+-    VIRTUAL_ENV_PROMPT="__VENV_PROMPT__"
 +    VIRTUAL_ENV_PROMPT=__VENV_PROMPT__
     export VIRTUAL_ENV_PROMPT
 fi
 --- a/Lib/venv/scripts/nt/activate.bat
 +++ b/Lib/venv/scripts/nt/activate.bat
@@ -8,7 +8,7 @@ if defined _OLD_CODEPAGE (
@ -222,27 +224,20 @@ Signed-off-by: y5c4l3 <y5c4l3@proton.me>
 if not defined PROMPT set PROMPT=$P$G
-@@ -16,7 +16,7 @@ if defined _OLD_VIRTUAL_PROMPT set PROMP
+@@ -24,8 +24,8 @@ set PYTHONHOME=
 if defined _OLD_VIRTUAL_PYTHONHOME set PYTHONHOME=%_OLD_VIRTUAL_PYTHONHOME%
 set _OLD_VIRTUAL_PROMPT=%PROMPT%
 -set PROMPT=__VENV_PROMPT__%PROMPT%
 +set "PROMPT=__VENV_PROMPT__%PROMPT%"
 if defined PYTHONHOME set _OLD_VIRTUAL_PYTHONHOME=%PYTHONHOME%
 set PYTHONHOME=
@@ -24,7 +24,7 @@ set PYTHONHOME=
 if defined _OLD_VIRTUAL_PATH set PATH=%_OLD_VIRTUAL_PATH%
 if not defined _OLD_VIRTUAL_PATH set _OLD_VIRTUAL_PATH=%PATH%
 -set PATH=%VIRTUAL_ENV%\__VENV_BIN_NAME__;%PATH%
 -set VIRTUAL_ENV_PROMPT=__VENV_PROMPT__
 +set "PATH=%VIRTUAL_ENV%\__VENV_BIN_NAME__;%PATH%"
- set VIRTUAL_ENV_PROMPT=__VENV_PROMPT__
+set "VIRTUAL_ENV_PROMPT=__VENV_PROMPT__"
 :END
 if defined _OLD_CODEPAGE (
 --- a/Lib/venv/scripts/posix/activate.csh
 +++ b/Lib/venv/scripts/posix/activate.csh
-@@ -8,16 +8,16 @@ alias deactivate 'test $?_OLD_VIRTUAL_PA
+@@ -8,17 +8,17 @@ alias deactivate 'test $?_OLD_VIRTUAL_PA
 # Unset irrelevant variables.
 deactivate nondestructive
@ -258,10 +253,43 @@ Signed-off-by: y5c4l3 <y5c4l3@proton.me>
 if (! "$?VIRTUAL_ENV_DISABLE_PROMPT") then
 -    set prompt = "__VENV_PROMPT__$prompt"
 -    setenv VIRTUAL_ENV_PROMPT "__VENV_PROMPT__"
 +    set prompt = __VENV_PROMPT__"$prompt"
-     setenv VIRTUAL_ENV_PROMPT "__VENV_PROMPT__"
+    setenv VIRTUAL_ENV_PROMPT __VENV_PROMPT__
 endif
 alias pydoc python -m pydoc
 --- a/Lib/venv/scripts/posix/activate.fish
 +++ b/Lib/venv/scripts/posix/activate.fish
@@ -33,10 +33,10 @@ end
 # Unset irrelevant variables.
 deactivate nondestructive
 -set -gx VIRTUAL_ENV "__VENV_DIR__"
 +set -gx VIRTUAL_ENV __VENV_DIR__
 set -gx _OLD_VIRTUAL_PATH $PATH
 -set -gx PATH "$VIRTUAL_ENV/__VENV_BIN_NAME__" $PATH
 +set -gx PATH "$VIRTUAL_ENV/"__VENV_BIN_NAME__ $PATH
 # Unset PYTHONHOME if set.
 if set -q PYTHONHOME
@@ -56,7 +56,7 @@ if test -z "$VIRTUAL_ENV_DISABLE_PROMPT"
         set -l old_status $status
         # Output the venv prompt; color taken from the blue of the Python logo.
 -        printf "%s%s%s" (set_color 4B8BBE) "__VENV_PROMPT__" (set_color normal)
 +        printf "%s%s%s" (set_color 4B8BBE) __VENV_PROMPT__ (set_color normal)
         # Restore the return status of the previous command.
         echo "exit $old_status" | .
@@ -65,5 +65,5 @@ if test -z "$VIRTUAL_ENV_DISABLE_PROMPT"
     end
     set -gx _OLD_FISH_PROMPT_OVERRIDE "$VIRTUAL_ENV"
 -    set -gx VIRTUAL_ENV_PROMPT "__VENV_PROMPT__"
 +    set -gx VIRTUAL_ENV_PROMPT __VENV_PROMPT__
 end
 --- /dev/null
 +++ b/Misc/NEWS.d/next/Library/2024-09-28-02-03-04.gh-issue-124651.bLBGtH.rst
@@ -0,0 +1 @@
--- a/python310.changes
+++ b/python310.changes
@ -1,3 +1,9 @@
 -------------------------------------------------------------------
 Fri Nov  1 21:38:45 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
 - Update CVE-2024-9287-venv_path_unquoted.patch according to the
  upstream PR gh#python/cpython!126301.
 -------------------------------------------------------------------
 Thu Oct 24 16:09:00 UTC 2024 - Matej Cepl <mcepl@cepl.eu>