diff --git a/numpy16.patch b/numpy16.patch
new file mode 100644
index 0000000..f8b0b95
--- /dev/null
+++ b/numpy16.patch
@@ -0,0 +1,57 @@
+From 0f1f647a8e2310a2291ea9ffab8c8336fc01f2c7 Mon Sep 17 00:00:00 2001
+From: Olivier Grisel
+Date: Wed, 29 May 2019 15:52:38 +0200
+Subject: [PATCH] DOC emphasize security sensitivity of joblib.load (#879)
+
+---
+ joblib/numpy_pickle.py | 4 ++++
+ joblib/numpy_pickle_compat.py | 14 +++++++++++---
+ 4 files changed, 44 insertions(+), 3 deletions(-)
+
+diff --git a/joblib/numpy_pickle.py b/joblib/numpy_pickle.py
+index bae0df31..bd807db2 100644
+--- a/joblib/numpy_pickle.py
++++ b/joblib/numpy_pickle.py
+@@ -550,6 +550,10 @@ def load(filename, mmap_mode=None):
+
+ Read more in the :ref:`User Guide `.
+
++ WARNING: joblib.load relies on the pickle module and can therefore
++ execute arbitrary Python code. It should therefore never be used
++ to load files from untrusted sources.
++
+ Parameters
+ -----------
+ filename: str, pathlib.Path, or file object.
+diff --git a/joblib/numpy_pickle_compat.py b/joblib/numpy_pickle_compat.py
+index ba8ab827..d1532415 100644
+--- a/joblib/numpy_pickle_compat.py
++++ b/joblib/numpy_pickle_compat.py
+@@ -3,6 +3,8 @@
+ import pickle
+ import os
+ import zlib
++import inspect
++
+ from io import BytesIO
+
+ from ._compat import PY3_OR_LATER
+@@ -96,9 +98,15 @@ def read(self, unpickler):
+ # use getattr instead of self.allow_mmap to ensure backward compat
+ # with NDArrayWrapper instances pickled with joblib < 0.9.0
+ allow_mmap = getattr(self, 'allow_mmap', True)
+- memmap_kwargs = ({} if not allow_mmap
+- else {'mmap_mode': unpickler.mmap_mode})
+- array = unpickler.np.load(filename, **memmap_kwargs)
++ kwargs = {}
++ if allow_mmap:
++ kwargs['mmap_mode'] = unpickler.mmap_mode
++ if "allow_pickle" in inspect.signature(unpickler.np.load).parameters:
++ # Required in numpy 1.16.3 and later to aknowledge the security
++ # risk.
++ kwargs["allow_pickle"] = True
++ array = unpickler.np.load(filename, **kwargs)
++
+ # Reconstruct subclasses. This does not work with old
+ # versions of numpy
+ if (hasattr(array, '__array_prepare__') and
diff --git a/python-joblib.changes b/python-joblib.changes
index cbd487c..43410e6 100644
--- a/python-joblib.changes
+++ b/python-joblib.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue May 28 10:34:57 UTC 2019 - Tomáš Chvátal
+
+- Switch to %pytest
+- Add patch to work well with new numpy:
+ * numpy16.patch
+
 -------------------------------------------------------------------
 Tue Mar 26 14:45:24 UTC 2019 - Tomáš Chvátal
diff --git a/python-joblib.spec b/python-joblib.spec
index 3c13af3..77bf470 100644
--- a/python-joblib.spec
+++ b/python-joblib.spec
@@ -25,6 +25,7 @@ License: BSD-3-Clause
 Group: Development/Languages/Python
 URL: https://github.com/joblib/joblib
 Source: https://files.pythonhosted.org/packages/source/j/joblib/joblib-%{version}.tar.gz
+Patch0: numpy16.patch
 BuildRequires: %{python_module lz4}
 BuildRequires: %{python_module numpy}
 BuildRequires: %{python_module psutil}
@@ -53,6 +54,7 @@ Joblib can handle large data and has specific optimizations for `numpy` arrays.
 %prep
 %setup -q -n joblib-%{version}
+%patch0 -p1
 %build
 %python_build
@@ -63,9 +65,7 @@ Joblib can handle large data and has specific optimizations for `numpy` arrays.
 %check
 export LANG=en_US.UTF-8
-%{python_expand export PYTHONPATH=%{buildroot}%{$python_sitelib}
-py.test-%{$python_bin_suffix} joblib
-}
+%pytest
 %files %{python_files}
 %license LICENSE.txt
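Review bot: In the embedded `read()` hunk for joblib/numpy_pickle_compat.py, `kwargs["allow_pickle"] = True` is set whenever numpy accepts the argument, and the comment above it says only that the flag is required, not what it permits. With the flag set, `np.load` will unpickle object arrays from the file named by `filename`, so that file carries the same trust requirement as the warning this patch adds to `joblib.load`; I would reword the comment to `# allow_pickle=True lets np.load unpickle object arrays from this file, so it must be as trusted as the pickle given to joblib.load (numpy >= 1.16.3 requires the explicit opt-in).` and fix the spelling of "aknowledge" upstream. Separately, the context line `from ._compat import PY3_OR_LATER` suggests this joblib version still supports Python 2, where `inspect.signature` is not available; if the package is built for Python 2 this lookup would presumably fail on the compat path, and a fallback such as `getattr(inspect, "signature", None)` should be considered. The body of `read()` starts and ends outside the hunk.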
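Review bot: `Patch0: numpy16.patch` in the first python-joblib.spec hunk is added without a comment recording where the patch comes from, and the patch's own header reports "4 files changed" while it carries only two file sections, so it appears to be a trimmed copy of the upstream commit. Because the patch turns on `allow_pickle=True` in the loader, its origin and the fact that it was cut down should be traceable from the spec itself. A line such as `# PATCH-FIX-UPSTREAM numpy16.patch gh#joblib/joblib#879 -- pass allow_pickle to np.load; trimmed to the two source files` directly above `Patch0:` would cover it, and the changes entry could name the upstream commit 0f1f647a8e2310a2291ea9ffab8c8336fc01f2c7 as well.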