From 732d2c9a52a3b4aa7310b96e3ae8a874024c038a090d302ebe11130926c28576 Mon Sep 17 00:00:00 2001
From: Matej Cepl
Date: Wed, 26 May 2021 12:00:41 +0000
Subject: [PATCH] Accepting request 895422 from home:gladiac:mailman3

- Create static files as part of the build process
- Fixed CVE-2021-25322

OBS-URL: https://build.opensuse.org/request/show/895422
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:mailman/python-HyperKitty?expand=0&rev=38
---
 hyperkitty-permissions.sh | 36 +++++++++----------------
 python-HyperKitty.changes | 6 +++++
 python-HyperKitty.spec | 54 +++++++++++++++++++++++++++++----------
 3 files changed, 59 insertions(+), 37 deletions(-)

diff --git a/hyperkitty-permissions.sh b/hyperkitty-permissions.sh
index 3c626d3..01b5656 100644
--- a/hyperkitty-permissions.sh
+++ b/hyperkitty-permissions.sh
@@ -2,41 +2,29 @@
 LOG_DIR="/var/log/hyperkitty"
 LIB_DIR="/var/lib/hyperkitty"
 DATA_DIR="${LIB_DIR}/data"
-WEBAPPS_DIR="/srv/www/webapps/mailman/hyperkitty"
-CACHE_DIR="${WEBAPPS_DIR}/static/CACHE"
-
-setfacl -R --no-mask -m u:hyperkitty-admin:rwX ${DATA_DIR}
-setfacl -R -d --no-mask -m u:hyperkitty-admin:rwX ${DATA_DIR}
 chown hyperkitty-admin:hyperkitty-admin ${LIB_DIR}
 chmod u=rwX,g=rwX,o= ${LIB_DIR}
-chown -R hyperkitty:hyperkitty ${DATA_DIR}
-chmod -R u=rwX,g=rwX,o= ${DATA_DIR}
+chown hyperkitty:hyperkitty ${DATA_DIR}
+chmod u=rwX,g=rwX,o= ${DATA_DIR}
 chown hyperkitty:hyperkitty ${DATA_DIR}/hyperkitty.db 2>/dev/null
 chmod u=rwX,g=rwX,o= ${DATA_DIR}/hyperkitty.db 2>/dev/null
-setfacl -R --no-mask -m u:hyperkitty:rwX ${DATA_DIR}
-setfacl -R -d --no-mask -m u:hyperkitty:rwX ${DATA_DIR}
-setfacl -R --no-mask -m u:hyperkitty-admin:rwX ${DATA_DIR}
-setfacl -R -d --no-mask -m u:hyperkitty-admin:rwX ${DATA_DIR}
+setfacl --no-mask -m u:hyperkitty:rwX ${DATA_DIR}
+setfacl -d --no-mask -m u:hyperkitty:rwX ${DATA_DIR}
+setfacl --no-mask -m u:hyperkitty-admin:rwX ${DATA_DIR}
+setfacl -d --no-mask -m u:hyperkitty-admin:rwX ${DATA_DIR}
+setfacl --no-mask -m u:hyperkitty-admin:rwX ${DATA_DIR}/hyperkitty.db 2>/dev/null
 chown hyperkitty-admin:hyperkitty-admin ${LOG_DIR}
 chmod u=rwX,g=rwX,o= ${LOG_DIR}
 chown hyperkitty-admin:hyperkitty-admin ${LOG_DIR}/hyperkitty.log 2>/dev/null
 chmod u=rwX,g=rwX,o= ${LOG_DIR}/hyperkitty.log 2>/dev/null
-setfacl -R --no-mask -m u:hyperkitty:rwX ${LOG_DIR}
-setfacl -R -d --no-mask -m u:hyperkitty:rwX ${LOG_DIR}
-setfacl -R --no-mask -m u:hyperkitty-admin:rwX ${LOG_DIR}
-setfacl -R -d --no-mask -m u:hyperkitty-admin:rwX ${LOG_DIR}
-
-# The wsgi needs to write to static/CACHE
-chown -R hyperkitty:hyperkitty ${CACHE_DIR}
-chmod -R u=rwX,g=rwX,o=rX ${CACHE_DIR}
-
-setfacl -R --no-mask -m u:hyperkitty:rwX ${CACHE_DIR}
-setfacl -R -d --no-mask -m u:hyperkitty:rwX ${CACHE_DIR}
-setfacl -R --no-mask -m u:hyperkitty-admin:rwX ${CACHE_DIR}
-setfacl -R -d --no-mask -m u:hyperkitty-admin:rwX ${CACHE_DIR}
+setfacl --no-mask -m u:hyperkitty:rwX ${LOG_DIR}
+setfacl -d --no-mask -m u:hyperkitty:rwX ${LOG_DIR}
+setfacl --no-mask -m u:hyperkitty:rwX ${LOG_DIR}/hyperkitty.log 2>/dev/null
+setfacl --no-mask -m u:hyperkitty-admin:rwX ${LOG_DIR}
+setfacl -d --no-mask -m u:hyperkitty-admin:rwX ${LOG_DIR}
diff --git a/python-HyperKitty.changes b/python-HyperKitty.changes
index ca560bd..a701893 100644
--- a/python-HyperKitty.changes
+++ b/python-HyperKitty.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue May 25 18:55:19 UTC 2021 - Andreas Schneider
+
+- Create static files as part of the build process
+- Fixed CVE-2021-25322
+
 -------------------------------------------------------------------
 Tue May 4 09:31:59 UTC 2021 - Ben Greiner
diff --git a/python-HyperKitty.spec b/python-HyperKitty.spec
index 93c0e69..48e9beb 100644
--- a/python-HyperKitty.spec
+++ b/python-HyperKitty.spec
@@ -64,6 +64,7 @@ BuildRequires: acl
 BuildRequires: fdupes
 BuildRequires: openssl
 BuildRequires: python-rpm-macros
+BuildRequires: rsync
 BuildRequires: sudo
 Requires: python-Django >= 1.11
 Requires: python-django-compressor >= 1.3
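Review bot: The per-file `chown`, `chmod` and `setfacl` calls on `${DATA_DIR}/hyperkitty.db` and `${LOG_DIR}/hyperkitty.log` still dereference symbolic links, and both parent directories are writable by the service users this root-run script is meant to constrain (`chown hyperkitty:hyperkitty ${DATA_DIR}`, ACL `u:hyperkitty:rwX` on `${LOG_DIR}`), so dropping `-R` narrows but does not fully close the window in which a privileged permission fix acts on a path the service user controls. Guarding each file operation, e.g. `[ -f "${DATA_DIR}/hyperkitty.db" ] && [ ! -L "${DATA_DIR}/hyperkitty.db" ] && chown hyperkitty:hyperkitty "${DATA_DIR}/hyperkitty.db"`, restricts the fix to regular files (a check-then-act race remains, so this reduces rather than removes the exposure). The `2>/dev/null` suffixes also discard the errors that would reveal a wrong or replaced path; letting them reach the caller's log is cheaper than silent misconfiguration. Every expansion in the hunk is unquoted; `"${DATA_DIR}"` style quoting should be applied consistently. The script header (line 1) is outside the hunk.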
@@ -138,20 +139,27 @@ A web user interface for GNU Mailman.
 This package holds the uwsgi configuration.
 %prep
-%autosetup -p1 -n HyperKitty-%{version}
+%setup -n HyperKitty-%{version}
 cp %{SOURCE30} .
 touch settings_local.py
+# Copy exmaple_project to just build the static files
+rsync -a example_project/* build_static_files
+
+%autopatch -p1
+
 %build
 sed -i 's|^#!/usr/bin/env.*|#!%{_bindir}/python3|' \
 example_project/manage.py
 %python_build
-%install
-%python_install
-%python_expand %fdupes %{buildroot}%{$python_sitelib}
+# Build static files
+export PYTHONPATH=$(pwd)
+%python_exec build_static_files/manage.py collectstatic --clear --noinput
+%python_exec build_static_files/manage.py compress --force
+%install
 install -d -m 0750 \
 %{buildroot}%{hyperkitty_etcdir} \
 %{buildroot}%{hyperkitty_libdir} \
@@ -166,7 +174,15 @@ install -d -m 0755 \
 %{buildroot}%{hyperkitty_staticdir}/CACHE \
 %{buildroot}%{_unitdir}
-cp -a example_project/* %{buildroot}%{hyperkitty_basedir}
+%python_install
+%python_expand %fdupes %{buildroot}%{$python_sitelib}
+
+# Copy static files
+rsync -a build_static_files/static %{buildroot}%{hyperkitty_basedir}
+# Remove the directory
+rm -rf %{buildroot}%{python_sitelib}/build_static_files
+
+rsync -a example_project/* %{buildroot}%{hyperkitty_basedir}
 chmod -x %{buildroot}%{hyperkitty_basedir}/wsgi.py
 for f in \
@@ -235,7 +251,7 @@ done
 %check
 export DJANGO_SETTINGS_MODULE="hyperkitty.tests.settings_test"
-export PYTHONPATH='.'
+export PYTHONPATH=$(pwd)
 %python_exec example_project/manage.py test
 %pre -n %{hyperkitty_pkgname}-web
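Review bot: `rsync -a example_project/* build_static_files` in `%prep` runs before `%autopatch -p1`, so the copy that `collectstatic` and `compress` operate on in `%build` is the unpatched example project, while the tree later installed from `example_project/*` is the patched one; if any patch touches `example_project/settings.py`, the shipped `static/CACHE` output is generated from settings that differ from the runtime configuration. If that ordering is deliberate, the comment should say so rather than just "to just build the static files" (e.g. that the static build intentionally uses the upstream settings); otherwise move the `rsync` below `%autopatch -p1`. The same comment misspells `exmaple_project`. A one-line note that `%setup` replaced `%autosetup -p1` precisely so the copy can happen before patching would spare the next maintainer the archaeology.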
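Review bot: `rm -rf %{buildroot}%{python_sitelib}/build_static_files` uses the single-flavour `%{python_sitelib}` macro while the `%fdupes` line directly above it is wrapped in `%python_expand` with `%{$python_sitelib}`; if this spec is ever built for more than one Python flavour, only the default flavour's stray copy is removed. `%python_expand rm -rf %{buildroot}%{$python_sitelib}/build_static_files` mirrors the existing line and covers every flavour. The need for the `rm` at all suggests `%python_install` picks up the scratch directory because it sits inside the source tree; the comment `# Remove the directory` should say why it ends up in `sitelib` in the first place so the workaround is not mistaken for dead code. The enclosing `install -d -m 0755` statement begins outside the hunk.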
@@ -254,10 +270,6 @@ if ! grep -q "^SECRET_KEY.*" %{hyperkitty_etcdir}/settings_local.py; then
 echo "SECRET_KEY='$(openssl rand -base64 48)'" >> %{hyperkitty_etcdir}/settings_local.py
 fi
 %{_sbindir}/hyperkitty-manage migrate --pythonpath /srv/www/webapps/mailman/hyperkitty/ --settings settings
-%{_sbindir}/hyperkitty-manage collectstatic --pythonpath /srv/www/webapps/mailman/hyperkitty/ --settings settings --clear --noinput
-%{_sbindir}/hyperkitty-manage compress --pythonpath /srv/www/webapps/mailman/hyperkitty/ --settings settings --force
-# Run hyperkitty-fix-permissions again for cache dir permissions
-%{_sbindir}/hyperkitty-fix-permissions
 %service_add_post %{hyperkitty_services}
@@ -294,10 +306,26 @@ fi
 %{hyperkitty_basedir}/urls.py
 %{hyperkitty_basedir}/wsgi.py
-%dir %{hyperkitty_localedir}
+%dir %{hyperkitty_basedir}/static
+%{hyperkitty_basedir}/static/admin
+%{hyperkitty_basedir}/static/debug_toolbar
+%{hyperkitty_basedir}/static/django-mailman3
+%{hyperkitty_basedir}/static/django_extensions
+%{hyperkitty_basedir}/static/facebook
+%{hyperkitty_basedir}/static/hyperkitty
+%{hyperkitty_basedir}/static/rest_framework
-%dir %{hyperkitty_staticdir}
-%dir %{hyperkitty_staticdir}/CACHE
+# The wsgi needs to write to static/CACHE
+%attr(755,hyperkitty,hyperkitty) %dir %{hyperkitty_basedir}/static/CACHE
+%attr(644,hyperkitty,hyperkitty) %{hyperkitty_basedir}/static/CACHE/manifest.json
+
+%attr(755,hyperkitty,hyperkitty) %dir %{hyperkitty_basedir}/static/CACHE/css
+%attr(644,hyperkitty,hyperkitty) %{hyperkitty_basedir}/static/CACHE/css/output.*.css
+
+%attr(755,hyperkitty,hyperkitty) %dir %{hyperkitty_basedir}/static/CACHE/js
+%attr(644,hyperkitty,hyperkitty) %{hyperkitty_basedir}/static/CACHE/js/output.*.js
+
+%dir %{hyperkitty_localedir}
 %attr(750,hyperkitty-admin,hyperkitty) %dir %{hyperkitty_etcdir}
 %attr(640,hyperkitty-admin,hyperkitty) %config(noreplace) %{hyperkitty_etcdir}/settings_local.py
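Review bot: The `%attr(755,hyperkitty,hyperkitty)` and `%attr(644,hyperkitty,hyperkitty)` entries hand the whole `static/CACHE` tree, including the served `output.*.css` and `output.*.js`, to the web service user, so the process that serves these assets can also rewrite them; since `compress --force` now runs at build time in `%build`, the premise of `# The wsgi needs to write to static/CACHE` deserves a re-check — if this deployment can run django-compressor in offline mode (`COMPRESS_OFFLINE`), the tree can stay root-owned and read-only, which takes a persistence point away from a compromised web worker. The new file entries also spell the path as `%{hyperkitty_basedir}/static` while `%install` still creates `%{buildroot}%{hyperkitty_staticdir}/CACHE`; if the two macros resolve to the same directory, using `%{hyperkitty_staticdir}` here keeps one source of truth, and if they do not, the `install -d` now creates a directory nothing owns. The `%dir %{hyperkitty_localedir}` line is only relocated.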