Accepting request 895422 from home:gladiac:mailman3

- Create static files as part of the build process - Fixed CVE-2021-25322 OBS-URL: https://build.opensuse.org/request/show/895422 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:mailman/python-HyperKitty?expand=0&rev=38
2021-05-26 12:00:41 +00:00
parent ce68ddfe22
commit 732d2c9a52
3 changed files with 59 additions and 37 deletions
--- a/hyperkitty-permissions.sh
+++ b/hyperkitty-permissions.sh
@@ -2,41 +2,29 @@
 LOG_DIR="/var/log/hyperkitty"
 LIB_DIR="/var/lib/hyperkitty"
 DATA_DIR="${LIB_DIR}/data"
-WEBAPPS_DIR="/srv/www/webapps/mailman/hyperkitty"
-CACHE_DIR="${WEBAPPS_DIR}/static/CACHE"
-
-setfacl -R    --no-mask -m u:hyperkitty-admin:rwX  ${DATA_DIR}
-setfacl -R -d --no-mask -m u:hyperkitty-admin:rwX  ${DATA_DIR}

 chown   hyperkitty-admin:hyperkitty-admin          ${LIB_DIR}
 chmod   u=rwX,g=rwX,o=                             ${LIB_DIR}

-chown   -R hyperkitty:hyperkitty                   ${DATA_DIR}
-chmod   -R u=rwX,g=rwX,o=                          ${DATA_DIR}
+chown   hyperkitty:hyperkitty                      ${DATA_DIR}
+chmod   u=rwX,g=rwX,o=                             ${DATA_DIR}

 chown   hyperkitty:hyperkitty                      ${DATA_DIR}/hyperkitty.db 2>/dev/null
 chmod   u=rwX,g=rwX,o=                             ${DATA_DIR}/hyperkitty.db 2>/dev/null

-setfacl -R    --no-mask -m u:hyperkitty:rwX        ${DATA_DIR}
-setfacl -R -d --no-mask -m u:hyperkitty:rwX        ${DATA_DIR}
-setfacl -R    --no-mask -m u:hyperkitty-admin:rwX  ${DATA_DIR}
-setfacl -R -d --no-mask -m u:hyperkitty-admin:rwX  ${DATA_DIR}
+setfacl    --no-mask -m u:hyperkitty:rwX           ${DATA_DIR}
+setfacl -d --no-mask -m u:hyperkitty:rwX           ${DATA_DIR}
+setfacl    --no-mask -m u:hyperkitty-admin:rwX     ${DATA_DIR}
+setfacl -d --no-mask -m u:hyperkitty-admin:rwX     ${DATA_DIR}
+setfacl    --no-mask -m u:hyperkitty-admin:rwX     ${DATA_DIR}/hyperkitty.db 2>/dev/null

 chown   hyperkitty-admin:hyperkitty-admin          ${LOG_DIR}
 chmod   u=rwX,g=rwX,o=                             ${LOG_DIR}
 chown   hyperkitty-admin:hyperkitty-admin          ${LOG_DIR}/hyperkitty.log 2>/dev/null
 chmod   u=rwX,g=rwX,o=                             ${LOG_DIR}/hyperkitty.log 2>/dev/null

-setfacl -R    --no-mask -m u:hyperkitty:rwX        ${LOG_DIR}
-setfacl -R -d --no-mask -m u:hyperkitty:rwX        ${LOG_DIR}
-setfacl -R    --no-mask -m u:hyperkitty-admin:rwX  ${LOG_DIR}
-setfacl -R -d --no-mask -m u:hyperkitty-admin:rwX  ${LOG_DIR}
-
-# The wsgi needs to write to static/CACHE
-chown   -R hyperkitty:hyperkitty                   ${CACHE_DIR}
-chmod   -R u=rwX,g=rwX,o=rX                        ${CACHE_DIR}
-
-setfacl -R    --no-mask -m u:hyperkitty:rwX        ${CACHE_DIR}
-setfacl -R -d --no-mask -m u:hyperkitty:rwX        ${CACHE_DIR}
-setfacl -R    --no-mask -m u:hyperkitty-admin:rwX  ${CACHE_DIR}
-setfacl -R -d --no-mask -m u:hyperkitty-admin:rwX  ${CACHE_DIR}
+setfacl    --no-mask -m u:hyperkitty:rwX           ${LOG_DIR}
+setfacl -d --no-mask -m u:hyperkitty:rwX           ${LOG_DIR}
+setfacl    --no-mask -m u:hyperkitty:rwX           ${LOG_DIR}/hyperkitty.log 2>/dev/null
+setfacl    --no-mask -m u:hyperkitty-admin:rwX     ${LOG_DIR}
+setfacl -d --no-mask -m u:hyperkitty-admin:rwX     ${LOG_DIR}
--- a/python-HyperKitty.changes
+++ b/python-HyperKitty.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue May 25 18:55:19 UTC 2021 - Andreas Schneider <asn@cryptomilk.org>
+
+- Create static files as part of the build process
+- Fixed CVE-2021-25322
+
 -------------------------------------------------------------------
 Tue May  4 09:31:59 UTC 2021 - Ben Greiner <code@bnavigator.de>

--- a/python-HyperKitty.spec
+++ b/python-HyperKitty.spec
@@ -64,6 +64,7 @@ BuildRequires:  acl
 BuildRequires:  fdupes
 BuildRequires:  openssl
 BuildRequires:  python-rpm-macros
+BuildRequires:  rsync
 BuildRequires:  sudo
 Requires:       python-Django >= 1.11
 Requires:       python-django-compressor >= 1.3
@@ -138,20 +139,27 @@ A web user interface for GNU Mailman.
 This package holds the uwsgi configuration.

 %prep
-%autosetup -p1 -n HyperKitty-%{version}
+%setup -n HyperKitty-%{version}
 cp %{SOURCE30} .
 touch settings_local.py

+# Copy exmaple_project to just build the static files
+rsync -a example_project/* build_static_files
+
+%autopatch -p1
+
 %build
 sed -i 's|^#!/usr/bin/env.*|#!%{_bindir}/python3|' \
    example_project/manage.py

 %python_build

-%install
-%python_install
-%python_expand %fdupes %{buildroot}%{$python_sitelib}
+# Build static files
+export PYTHONPATH=$(pwd)
+%python_exec build_static_files/manage.py collectstatic --clear --noinput
+%python_exec build_static_files/manage.py compress --force

+%install
 install -d -m 0750 \
    %{buildroot}%{hyperkitty_etcdir} \
    %{buildroot}%{hyperkitty_libdir} \
@@ -166,7 +174,15 @@ install -d -m 0755 \
    %{buildroot}%{hyperkitty_staticdir}/CACHE \
    %{buildroot}%{_unitdir}

-cp -a example_project/* %{buildroot}%{hyperkitty_basedir}
+%python_install
+%python_expand %fdupes %{buildroot}%{$python_sitelib}
+
+# Copy static files
+rsync -a build_static_files/static %{buildroot}%{hyperkitty_basedir}
+# Remove the directory
+rm -rf %{buildroot}%{python_sitelib}/build_static_files
+
+rsync -a example_project/* %{buildroot}%{hyperkitty_basedir}
 chmod -x %{buildroot}%{hyperkitty_basedir}/wsgi.py

 for f in \
@@ -235,7 +251,7 @@ done

 %check
 export DJANGO_SETTINGS_MODULE="hyperkitty.tests.settings_test"
-export PYTHONPATH='.'
+export PYTHONPATH=$(pwd)
 %python_exec example_project/manage.py test

 %pre -n %{hyperkitty_pkgname}-web
@@ -254,10 +270,6 @@ if ! grep -q "^SECRET_KEY.*" %{hyperkitty_etcdir}/settings_local.py; then
    echo "SECRET_KEY='$(openssl rand -base64 48)'" >> %{hyperkitty_etcdir}/settings_local.py
 fi
 %{_sbindir}/hyperkitty-manage migrate --pythonpath /srv/www/webapps/mailman/hyperkitty/ --settings settings
-%{_sbindir}/hyperkitty-manage collectstatic --pythonpath /srv/www/webapps/mailman/hyperkitty/ --settings settings --clear --noinput
-%{_sbindir}/hyperkitty-manage compress --pythonpath /srv/www/webapps/mailman/hyperkitty/ --settings settings --force
-# Run hyperkitty-fix-permissions again for cache dir permissions
-%{_sbindir}/hyperkitty-fix-permissions

 %service_add_post %{hyperkitty_services}

@@ -294,10 +306,26 @@ fi
 %{hyperkitty_basedir}/urls.py
 %{hyperkitty_basedir}/wsgi.py

-%dir %{hyperkitty_localedir}
+%dir %{hyperkitty_basedir}/static
+%{hyperkitty_basedir}/static/admin
+%{hyperkitty_basedir}/static/debug_toolbar
+%{hyperkitty_basedir}/static/django-mailman3
+%{hyperkitty_basedir}/static/django_extensions
+%{hyperkitty_basedir}/static/facebook
+%{hyperkitty_basedir}/static/hyperkitty
+%{hyperkitty_basedir}/static/rest_framework

-%dir %{hyperkitty_staticdir}
-%dir %{hyperkitty_staticdir}/CACHE
+# The wsgi needs to write to static/CACHE
+%attr(755,hyperkitty,hyperkitty) %dir %{hyperkitty_basedir}/static/CACHE
+%attr(644,hyperkitty,hyperkitty) %{hyperkitty_basedir}/static/CACHE/manifest.json
+
+%attr(755,hyperkitty,hyperkitty) %dir %{hyperkitty_basedir}/static/CACHE/css
+%attr(644,hyperkitty,hyperkitty) %{hyperkitty_basedir}/static/CACHE/css/output.*.css
+
+%attr(755,hyperkitty,hyperkitty) %dir %{hyperkitty_basedir}/static/CACHE/js
+%attr(644,hyperkitty,hyperkitty) %{hyperkitty_basedir}/static/CACHE/js/output.*.js
+
+%dir %{hyperkitty_localedir}

 %attr(750,hyperkitty-admin,hyperkitty) %dir %{hyperkitty_etcdir}
 %attr(640,hyperkitty-admin,hyperkitty) %config(noreplace) %{hyperkitty_etcdir}/settings_local.py