Update the patch

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python312?expand=0&rev=79
2024-11-02 00:55:18 +00:00 · 2024-11-02 00:55:18 +00:00 · 803cb95998
commit 803cb95998
parent cd88adc808
1 changed files with 37 additions and 68 deletions
--- a/CVE-2024-9287-venv_path_unquoted.patch
+++ b/CVE-2024-9287-venv_path_unquoted.patch
@ -1,4 +1,4 @@
-From 4072b983d36ceccefec931ba614eeffa1a3a4536 Mon Sep 17 00:00:00 2001
+From 1408cc9bf9e8b19968761548c30b78d37074c21c Mon Sep 17 00:00:00 2001
 From: Y5 <124019959+y5c4l3@users.noreply.github.com>
 Date: Tue, 22 Oct 2024 04:48:04 +0800
 Subject: [PATCH] gh-124651: Quote template strings in `venv` activation
@ -10,13 +10,13 @@ scripts. This mitigates potential command injection.
 (cherry picked from commit d48cc82ed25e26b02eb97c6263d95dcaa1e9111b)
 ---
 Lib/test/test_venv.py                                                   |   81 ++++++++++
- Lib/venv/__init__.py                                                    |   64 ++++++-
+ Lib/venv/__init__.py                                                    |   42 ++++-
- Lib/venv/scripts/common/activate                                        |   27 ++-
+ Lib/venv/scripts/common/activate                                        |   10 -
 Lib/venv/scripts/nt/activate.bat                                        |    6 
 Lib/venv/scripts/posix/activate.csh                                     |    8 
- Lib/venv/scripts/posix/activate.fish                                    |    7 
+ Lib/venv/scripts/posix/activate.fish                                    |    8 
 Misc/NEWS.d/next/Library/2024-09-28-02-03-04.gh-issue-124651.bLBGtH.rst |    1 
- 7 files changed, 159 insertions(+), 35 deletions(-)
+ 7 files changed, 135 insertions(+), 21 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Library/2024-09-28-02-03-04.gh-issue-124651.bLBGtH.rst
 --- a/Lib/test/test_venv.py
@ -180,83 +180,46 @@ scripts. This mitigates potential command injection.
         return text
     def install_scripts(self, context, path):
-@@ -465,16 +496,19 @@ class EnvBuilder:
+@@ -466,6 +497,7 @@ class EnvBuilder:
                 dstfile = os.path.join(dstdir, f)
                 with open(srcfile, 'rb') as f:
                     data = f.read()
-                if not srcfile.endswith(('.exe', '.pdb')):
+                 if not srcfile.endswith(('.exe', '.pdb')):
 -                    try:
 -                        data = data.decode('utf-8')
 -                        data = self.replace_variables(data, context)
 -                        data = data.encode('utf-8')
 -                    except UnicodeError as e:
 -                        data = None
 -                        logger.warning('unable to copy script %r, '
 -                                       'may be binary: %s', srcfile, e)
 -                if data is not None:
 +                try:
 +                    context.script_path = srcfile
-+                    new_data = (
+                     try:
-+                        self.replace_variables(data.decode('utf-8'), context)
+                         data = data.decode('utf-8')
-+                            .encode('utf-8')
+                         data = self.replace_variables(data, context)
 +                    )
 +                except UnicodeError as e:
 +                    logger.warning('unable to copy script %r, '
 +                                   'may be binary: %s', srcfile, e)
 +                    continue
 +                if new_data == data:
 +                    shutil.copy2(srcfile, dstfile)
 +                else:
                     with open(dstfile, 'wb') as f:
                         f.write(data)
                     shutil.copymode(srcfile, dstfile)
 --- a/Lib/venv/scripts/common/activate
 +++ b/Lib/venv/scripts/common/activate
-@@ -36,19 +36,26 @@ deactivate () {
+@@ -39,14 +39,14 @@ deactivate nondestructive
- deactivate nondestructive
+ if [ "${OSTYPE:-}" = "cygwin" ] || [ "${OSTYPE:-}" = "msys" ] ; then
- 
+     # transform D:\path\to\venv to /d/path/to/venv on MSYS
- # on Windows, a path can contain colons and backslashes and has to be converted:
+     # and to /cygdrive/d/path/to/venv on Cygwin
 -if [ "${OSTYPE:-}" = "cygwin" ] || [ "${OSTYPE:-}" = "msys" ] ; then
 -    # transform D:\path\to\venv to /d/path/to/venv on MSYS
 -    # and to /cygdrive/d/path/to/venv on Cygwin
 -    export VIRTUAL_ENV=$(cygpath "__VENV_DIR__")
-else
+    export VIRTUAL_ENV=$(cygpath __VENV_DIR__)
-    # use the path as-is
+ else
     # use the path as-is
 -    export VIRTUAL_ENV="__VENV_DIR__"
-fi
+    export VIRTUAL_ENV=__VENV_DIR__
-+case "$(uname)" in
+ fi
 +    CYGWIN*|MSYS*|MINGW*)
 +        # transform D:\path\to\venv to /d/path/to/venv on MSYS and MINGW
 +        # and to /cygdrive/d/path/to/venv on Cygwin
 +        VIRTUAL_ENV=$(cygpath __VENV_DIR__)
 +        export VIRTUAL_ENV
 +        ;;
 +    *)
 +        # use the path as-is
 +        export VIRTUAL_ENV=__VENV_DIR__
 +        ;;
 +esac
 _OLD_VIRTUAL_PATH="$PATH"
 -PATH="$VIRTUAL_ENV/__VENV_BIN_NAME__:$PATH"
 +PATH="$VIRTUAL_ENV/"__VENV_BIN_NAME__":$PATH"
 export PATH
 +VIRTUAL_ENV_PROMPT=__VENV_PROMPT__
 +export VIRTUAL_ENV_PROMPT
 +
 # unset PYTHONHOME if set
- # this will fail if PYTHONHOME is set to the empty string (which is bad anyway)
+@@ -59,9 +59,9 @@ fi
 # could use `if (set -u; : $PYTHONHOME) ;` in bash
@@ -59,7 +66,7 @@ fi
 if [ -z "${VIRTUAL_ENV_DISABLE_PROMPT:-}" ] ; then
     _OLD_VIRTUAL_PS1="${PS1:-}"
 -    PS1="__VENV_PROMPT__${PS1:-}"
-+    PS1="("__VENV_PROMPT__") ${PS1:-}"
+    PS1=__VENV_PROMPT__"${PS1:-}"
     export PS1
-     VIRTUAL_ENV_PROMPT="__VENV_PROMPT__"
+-    VIRTUAL_ENV_PROMPT="__VENV_PROMPT__"
 +    VIRTUAL_ENV_PROMPT=__VENV_PROMPT__
     export VIRTUAL_ENV_PROMPT
 fi
 --- a/Lib/venv/scripts/nt/activate.bat
 +++ b/Lib/venv/scripts/nt/activate.bat
@@ -8,7 +8,7 @@ if defined _OLD_CODEPAGE (
@ -291,7 +254,6 @@ scripts. This mitigates potential command injection.
 set _OLD_VIRTUAL_PATH="$PATH"
 -setenv PATH "$VIRTUAL_ENV/__VENV_BIN_NAME__:$PATH"
 +setenv PATH "$VIRTUAL_ENV/"__VENV_BIN_NAME__":$PATH"
 +setenv VIRTUAL_ENV_PROMPT __VENV_PROMPT__
 set _OLD_VIRTUAL_PROMPT="$prompt"
@ -299,13 +261,14 @@ scripts. This mitigates potential command injection.
 if (! "$?VIRTUAL_ENV_DISABLE_PROMPT") then
 -    set prompt = "__VENV_PROMPT__$prompt"
 -    setenv VIRTUAL_ENV_PROMPT "__VENV_PROMPT__"
-+    set prompt = "("__VENV_PROMPT__") $prompt:q"
+    set prompt = __VENV_PROMPT__"$prompt"
 +    setenv VIRTUAL_ENV_PROMPT __VENV_PROMPT__
 endif
 alias pydoc python -m pydoc
 --- a/Lib/venv/scripts/posix/activate.fish
 +++ b/Lib/venv/scripts/posix/activate.fish
-@@ -33,10 +33,11 @@ end
+@@ -33,10 +33,10 @@ end
 # Unset irrelevant variables.
 deactivate nondestructive
@ -315,19 +278,25 @@ scripts. This mitigates potential command injection.
 set -gx _OLD_VIRTUAL_PATH $PATH
 -set -gx PATH "$VIRTUAL_ENV/__VENV_BIN_NAME__" $PATH
 +set -gx PATH "$VIRTUAL_ENV/"__VENV_BIN_NAME__ $PATH
 +set -gx VIRTUAL_ENV_PROMPT __VENV_PROMPT__
 # Unset PYTHONHOME if set.
 if set -q PYTHONHOME
-@@ -56,7 +57,7 @@ if test -z "$VIRTUAL_ENV_DISABLE_PROMPT"
+@@ -56,7 +56,7 @@ if test -z "$VIRTUAL_ENV_DISABLE_PROMPT"
         set -l old_status $status
         # Output the venv prompt; color taken from the blue of the Python logo.
 -        printf "%s%s%s" (set_color 4B8BBE) "__VENV_PROMPT__" (set_color normal)
-+        printf "%s(%s)%s " (set_color 4B8BBE) __VENV_PROMPT__ (set_color normal)
+        printf "%s%s%s" (set_color 4B8BBE) __VENV_PROMPT__ (set_color normal)
         # Restore the return status of the previous command.
         echo "exit $old_status" | .
@@ -65,5 +65,5 @@ if test -z "$VIRTUAL_ENV_DISABLE_PROMPT"
     end
     set -gx _OLD_FISH_PROMPT_OVERRIDE "$VIRTUAL_ENV"
 -    set -gx VIRTUAL_ENV_PROMPT "__VENV_PROMPT__"
 +    set -gx VIRTUAL_ENV_PROMPT __VENV_PROMPT__
 end
 --- /dev/null
 +++ b/Misc/NEWS.d/next/Library/2024-09-28-02-03-04.gh-issue-124651.bLBGtH.rst
@@ -0,0 +1 @@