Hello community,

here is the log from the commit of package webyast-base for openSUSE:Factory 
checked in at 2011-12-30 08:46:44
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/webyast-base (Old)
 and      /work/SRC/openSUSE:Factory/.webyast-base.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "webyast-base", Maintainer is ""

Changes:
--------
--- /work/SRC/openSUSE:Factory/webyast-base/webyast-base.changes        
2011-11-29 15:07:45.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.webyast-base.new/webyast-base.changes   
2011-12-30 08:46:48.000000000 +0100
@@ -1,0 +2,7 @@
+Thu Dec  1 08:46:09 UTC 2011 - [email protected]
+
+- updated polkit permission granting to work well during appliance
+  build
+- 0.3.1
+
+-------------------------------------------------------------------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ webyast-base.spec ++++++
--- /var/tmp/diff_new_pack.0CawQQ/_old  2011-12-30 08:46:50.000000000 +0100
+++ /var/tmp/diff_new_pack.0CawQQ/_new  2011-12-30 08:46:50.000000000 +0100
@@ -1,14 +1,22 @@
 #
-# spec file for package webyast-base (Version 0.1.19)
+# spec file for package webyast-base
 #
-# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
-# This file and all modifications and additions to the pristine
-# package are under the same license as the package itself.
+# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
 
 
+
 Name:           webyast-base
 Provides:       webyast-language-ws = 0.1.0
 Obsoletes:      webyast-language-ws <= 0.1.0
@@ -52,9 +60,9 @@
 PreReq:         yast2-runlevel
 License:       LGPL-2.0
 Group:          Productivity/Networking/Web/Utilities
-URL:            http://en.opensuse.org/Portal:WebYaST
-Autoreqprov:    on
-Version:        0.3.0
+Url:            http://en.opensuse.org/Portal:WebYaST
+AutoReqProv:    on
+Version:        0.3.1
 Release:        0
 Summary:        WebYaST - base components
 Source:         www.tar.bz2
@@ -71,23 +79,23 @@
 Source13:      control_panel.yml
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
-BuildRequires:  ruby, pkg-config, rubygem-mocha, rubygem-static_record_cache
+BuildRequires:  pkg-config ruby rubygem-mocha rubygem-static_record_cache
 # if we run the tests during build, we need most of Requires here too,
 # except for deployment specific stuff
-BuildRequires:  rubygem-webyast-rake-tasks, rubygem-restility
-BuildRequires:  yast2-core, yast2-dbus-server, sqlite, dbus-1
+BuildRequires:  rubygem-restility rubygem-webyast-rake-tasks
+BuildRequires:  dbus-1 sqlite yast2-core yast2-dbus-server
 %if 0%{?suse_version} == 0 || %suse_version <= 1130
 BuildRequires:  ruby-dbus
 %else
 BuildRequires:  rubygem-ruby-dbus
 %endif
-BuildRequires:  polkit, PackageKit, rubygem-sqlite3
+BuildRequires:  PackageKit polkit rubygem-sqlite3
 BuildRequires:  rubygem-rails-2_3 >= 2.3.8
-BuildRequires:  rubygem-rpam, rubygem-polkit1
+BuildRequires:  rubygem-polkit1 rubygem-rpam
 # the testsuite is run during build
-BuildRequires:  rubygem-test-unit rubygem-mocha
-BuildRequires:  tidy, rubygem-haml, rubygem-nokogiri
-BuildRequires:  nginx >= 1.0, rubygem-passenger-nginx
+BuildRequires:  rubygem-mocha rubygem-test-unit
+BuildRequires:  rubygem-haml rubygem-nokogiri tidy
+BuildRequires:  nginx >= 1.0 rubygem-passenger-nginx
 
 %if 0%{?suse_version} != 1140
 # since 12*, sass conflicts with haml, but SLES11 has already the new sass
@@ -130,7 +138,6 @@
 %define pkg_home /var/lib/%{webyast_user}
 #
 
-
 %description
 WebYaST - Core components for UI and REST based interface to system 
manipulation.
 Authors:
@@ -171,6 +178,7 @@
 RAILS_ENV=test $RPM_BUILD_ROOT%{webyast_dir}/test/dbus-launch-simple rake test
 
 #---------------------------------------------------------------
+
 %install
 
 #
@@ -255,10 +263,12 @@
 touch %buildroot/var/adm/update-scripts/%name-%version-%release-1
 
 #---------------------------------------------------------------
+
 %clean
 rm -rf $RPM_BUILD_ROOT
 
 #---------------------------------------------------------------
+
 %pre
 
 #
@@ -304,6 +314,7 @@
 exit 0
 
 #---------------------------------------------------------------
+
 %post
 %fillup_and_insserv %{webyast_service}
 #
@@ -336,20 +347,24 @@
 dbus-send --print-reply --system --dest=org.freedesktop.DBus / 
org.freedesktop.DBus.ReloadConfig >/dev/null ||:
 
 #---------------------------------------------------------------
+
 %preun
 %stop_on_removal %{webyast_service}
 
 #---------------------------------------------------------------
+
 %postun
 %restart_on_update %{webyast_service}
 %{insserv_cleanup}
 
 #---------------------------------------------------------------
 # restart webyast on nginx update (bnc#559534)
+
 %triggerin -- nginx
 %restart_on_update %{webyast_service}
 
 #---------------------------------------------------------------
+
 %files
 %defattr(-,root,root)
 #this /etc/webyast is for nginx conf for webyast
@@ -437,4 +452,5 @@
 %{webyast_dir}/public/images
 
 #---------------------------------------------------------------
+
 %changelog

++++++ grantwebyastrights ++++++
--- /var/tmp/diff_new_pack.0CawQQ/_old  2011-12-30 08:46:50.000000000 +0100
+++ /var/tmp/diff_new_pack.0CawQQ/_new  2011-12-30 08:46:50.000000000 +0100
@@ -90,7 +90,9 @@
 end
 
 def webyast_perms
-  perms = `pkaction`
+  # this is a reimplementation of `pkaction`, because it relies on d-bus and 
does not work
+  # while building an appliane image
+  perms = `grep 'action id' /usr/share/polkit-1/actions/* |sed 's/^.*action 
id="\\(.*\\)".*$/\\1/'`
   perms = perms.split "\n"
   perms.reject! { |perm| not webyast_perm?(perm) }
   return perms
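Review bot: The `pkaction` replacement in `webyast_perms` extracts the id with a greedy `\(.*\)`, so an `<action id="…">` element that carries a second quoted attribute on the same line yields `id" attr="value` instead of the id, and the `actions/*` glob also reads any non-`.policy` file dropped into that directory. Parsing the files in Ruby is narrower and needs no shell at all: replace the backtick line and the following `perms = perms.split "\n"` with `perms = Dir.glob('/usr/share/polkit-1/actions/*.policy').map { |f| File.read(f).scan(/<action id="([^"]+)"/) }.flatten`. The `webyast_perm?` filter on the next line is unchanged and still decides what is granted, so this is about robustness of the id list rather than a new grant.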
@@ -103,9 +105,10 @@
       STDOUT.puts "granting: #{single_policy}"
       PolKit1::polkit1_write(POLKIT_SECTION, single_policy, true, user)
     else
-      granted = granted_perms user
-      non_granted = webyast_perms.reject{ |perm| granted.include? perm }
-      non_granted.each do |policy|
+      # go through all webyast perms, checking granted permissions does not 
work
+      # well during build
+      # polkit1_write makes sure not to grant a permission multiple times 
itself
+      webyast_perms.each do |policy|
         STDOUT.puts "granting: #{policy}"
         PolKit1::polkit1_write(POLKIT_SECTION, policy, true, user)
       end
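Review bot: The new else branch grants every WebYaST permission on each run and relies on `PolKit1::polkit1_write` being idempotent, a property the hunk asserts only in a comment; if the library appends an authority entry per call, each `grantwebyastrights` run would accumulate duplicate grants. Unless that is confirmed in rubygem-polkit1, state the dependency where a maintainer will see it, e.g. `# assumes PolKit1::polkit1_write skips an already-granted policy (rubygem-polkit1) — verify before changing that gem`, or keep a cheap local check against whatever store polkit1_write writes to, which does not need D-Bus. The `granting:` line is now printed for already-granted policies too, which will make build logs look as if grants are repeated.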


++++++ rcwebyast ++++++
--- /var/tmp/diff_new_pack.0CawQQ/_old  2011-12-30 08:46:50.000000000 +0100
+++ /var/tmp/diff_new_pack.0CawQQ/_new  2011-12-30 08:46:50.000000000 +0100
@@ -34,9 +34,9 @@
 ### BEGIN INIT INFO
 # Provides:          webyast
 # Required-Start:    $syslog $remote_fs
-# Should-Start: $time ypbind sendmail collectd shellinabox
+# Should-Start: $time ypbind sendmail
 # Required-Stop:     $syslog $remote_fs
-# Should-Stop: $time ypbind sendmail collectd shellinabox
+# Should-Stop: $time ypbind sendmail
 # Default-Start:     3 5
 # Default-Stop:      0 1 2 6
 # Short-Description: webyast

++++++ webyastPermissionsService.rb ++++++
--- /var/tmp/diff_new_pack.0CawQQ/_old  2011-12-30 08:46:50.000000000 +0100
+++ /var/tmp/diff_new_pack.0CawQQ/_new  2011-12-30 08:46:50.000000000 +0100
@@ -76,7 +76,7 @@
     permissions.each do |p|
       #whitespace check for valid permission string to avoid attack
       unless p.match(/^[a-zA-Z][a-zA-Z0-9.-]*$/)
-        result << "perm #{p} is INVALID" # XXX tom: better don't include 
invalif perms here, we do not know what the calling function is doing with it, 
like displaying it via the browser, passing it to the shell etc.
+        result << "permissions have a wrong format"
       else
         case command
           when :grant:
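Review bot: The validation whose failure message is changed here, `p.match(/^[a-zA-Z][a-zA-Z0-9.-]*$/)`, anchors with `^`/`$`, which in Ruby match at line boundaries, so a permission string such as `"org.valid.id\n<anything>"` passes and its second line reaches whatever the `:grant` branch does with `p`. Anchor the whole string instead: `unless p.match(/\A[a-zA-Z][a-zA-Z0-9.-]*\z/)`. Not echoing the rejected value in the result is the right call; log it through the service's own logger (not the returned result) so a mistyped permission can still be diagnosed. The loop and the enclosing method continue outside the hunk.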

++++++ www.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/www/app/controllers/application_controller.rb 
new/www/app/controllers/application_controller.rb
--- old/www/app/controllers/application_controller.rb   2011-10-19 
14:37:27.000000000 +0200
+++ new/www/app/controllers/application_controller.rb   2011-12-01 
09:22:04.000000000 +0100
@@ -60,7 +60,8 @@
   rescue_from NoPermissionException do |exception|
     logger.info "No permission: #{exception.permission} for #{exception.user}"
     if request.xhr? || request.format.html?
-      flash[:error] = _("Operation is forbidden. If you have to do it, please 
contact system administrator")+
+      # RORSCAN_INL: There is not any user input
+      flash[:error] = _("Operation is forbidden. If you have to do it, please 
contact system administrator") +
                           details(exception.message) #already localized from 
error constructor
       if request.xhr?
         render :text => "<div>#{flash[:error]}</div>", :status => 403
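Review bot: The added `RORSCAN_INL: There is not any user input` comment is stronger than the hunk supports: the `<div>#{flash[:error]}</div>` rendered on the last line is built from `details(exception.message)`, and whether that message contains attacker-influenced text (the permission id or user name logged two lines above) or is HTML-escaped by `details` is not visible here. Unless `details` escapes, render the escaped string, `render :text => "<div>#{ERB::Util.html_escape(flash[:error])}</div>", :status => 403`; if it does escape, make the comment say so, e.g. `# RORSCAN_INL: exception.message is HTML-escaped by details()`. The `rescue_from` block continues past the hunk.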
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/www/app/controllers/onlinehelp_controller.rb 
new/www/app/controllers/onlinehelp_controller.rb
--- old/www/app/controllers/onlinehelp_controller.rb    2011-10-19 
14:37:27.000000000 +0200
+++ new/www/app/controllers/onlinehelp_controller.rb    2011-12-01 
09:30:46.000000000 +0100
@@ -1,9 +1,28 @@
+#--
+# Webyast Webclient framework
+#
+# Copyright (C) 2011 Novell, Inc. 
+#   This library is free software; you can redistribute it and/or modify
+# it only under the terms of version 2.1 of the GNU Lesser General Public
+# License as published by the Free Software Foundation. 
+#
+#   This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more 
+# details. 
+#
+#   You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software 
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+#++
+
 require "online_help.rb"
 
 class OnlinehelpController < ApplicationController
   layout nil
    
   def show
+    # RORSCAN_INL: Help does not need any permission
     @help = OnlineHelp.find(params[:id])
     render :nothing=>true, :text=>@help and return
   end
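Review bot: `show` hands `params[:id]` to `OnlineHelp.find` unvalidated, and the added comment covers only authorization ("does not need any permission"), not the shape of the id; what `find` does with it lives in online_help.rb, which this commit also touches and which requires open-uri, so the value may well end up in an `open` call. Whitelist the id before the lookup, `return render(:nothing => true, :status => 404) unless params[:id].to_s =~ /\A[\w.-]+\z/`, so a value containing `/`, `..`, a URL scheme or a leading `|` never reaches the opener. That `find` opens the id as a resource is inferred from the require, not shown in this hunk.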
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/www/app/controllers/resources_controller.rb 
new/www/app/controllers/resources_controller.rb
--- old/www/app/controllers/resources_controller.rb     2011-10-19 
14:37:27.000000000 +0200
+++ new/www/app/controllers/resources_controller.rb     2011-12-01 
09:22:04.000000000 +0100
@@ -33,7 +33,8 @@
 
   def show
     logger.info params.inspect
-    @resource = Resource.find(params[:id].tr('-','.')) #FIXME check if :id is 
passed
+    # RORSCAN_INL: everyone have read access to the resources    
+    @resource = Resource.find(params[:id].tr('-','.'))
     unless @resource then
       render :file => "#{RAILS_ROOT}/public/404.html", :status => 404 and 
return 
     end
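Review bot: The removed `#FIXME check if :id is passed` was replaced by the scanner comment but not resolved: if the route can be reached without an id, `params[:id].tr('-','.')` raises NoMethodError on nil and the request ends in a 500 instead of the 404 the next lines return for an unknown resource. A guard before the lookup settles it: `return render(:file => "#{RAILS_ROOT}/public/404.html", :status => 404) if params[:id].blank?`. `logger.info params.inspect` above it logs every request parameter at info level; fine for resource ids, but worth a comment if this action ever receives anything sensitive. The method ends after the hunk.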
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/www/app/controllers/sessions_controller.rb 
new/www/app/controllers/sessions_controller.rb
--- old/www/app/controllers/sessions_controller.rb      2011-10-19 
14:37:27.000000000 +0200
+++ new/www/app/controllers/sessions_controller.rb      2011-12-01 
09:22:04.000000000 +0100
@@ -29,6 +29,9 @@
 # and implements a 'session' resource
 #
 #
+
+require 'shellwords'
+
 class SessionsController < ApplicationController
   layout 'main'
 
@@ -74,7 +77,8 @@
         redirect_to :action => "new"
       elsif params[:password].blank?
         flash[:warning] = _("No password specified")
-        redirect_to :action => "new", :login => params[:login]
+        # RORSCAN_INL:login will be escaped
+        redirect_to :action => "new", :login => 
Shellwords.escape(params[:login])
       end
     end
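Review bot: `Shellwords.escape` is the wrong escaping for this redirect: the value becomes a URL query parameter through `redirect_to`, which already URL-encodes it, so the backslashes the escaper inserts survive into the login shown back on the form (`jane doe` arrives as `jane\ doe`) while adding no protection against the open-redirect or XSS class the scanner flags. Drop the escaping and the new `require 'shellwords'` and pass the value through, `redirect_to :action => "new", :login => params[:login]`, or, if the aim is to limit what is echoed, check it against the login character set with a regex rather than shell-quoting it. The rest of the `create` action is outside the hunk.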
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/www/app/models/account.rb 
new/www/app/models/account.rb
--- old/www/app/models/account.rb       2011-10-19 14:37:27.000000000 +0200
+++ new/www/app/models/account.rb       2011-12-01 09:22:04.000000000 +0100
@@ -24,6 +24,7 @@
 require 'static_record_cache'
 require "rpam"
 require 'digest/sha1'
+require 'shellwords'
 
 class Account < ActiveRecord::Base
   acts_as_static_record :key => :remember_token
@@ -46,6 +47,8 @@
   # Authenticates a user by their login name and unencrypted password with 
unix2_chkpwd
   def self.unix2_chkpwd(login, passwd)
      return false if login.match("'") || login.match(/\\$/) #don't allow ' or 
\ in login to prevent security issues
+     # RORSCAN_INL: This is not a CWE-184: Incomplete Blacklist
+     login = Shellwords.escape(login) #just to be sure
      cmd = "/sbin/unix2_chkpwd rpam '#{login}'"
      se = Session.new
      result, err = se.execute cmd, :stdin => passwd #password needn't to be 
escaped as it is on stdin # RORSCAN_ITL
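Review bot: `Shellwords.escape(login)` is then wrapped in single quotes in `cmd`, and the two escapings conflict: inside `'…'` a backslash is literal, so a login such as `jane doe` reaches `unix2_chkpwd` as `jane\ doe` and cannot authenticate, while the existing `'` and `\` blacklist above is what actually keeps the single-quoted string intact. Both mechanisms exist only because the command is a single string that `Session#execute` hands to a shell (session.rb does `exec(*cmd)`); passing an argv removes the shell and the need for either, e.g. `cmd = ['/sbin/unix2_chkpwd', 'rpam', login]`, provided `execute` accepts an Array, which this hunk does not show. Until then keep one mechanism, the quotes or the escaper, not both.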
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/www/app/models/online_help.rb 
new/www/app/models/online_help.rb
--- old/www/app/models/online_help.rb   2011-10-19 14:37:27.000000000 +0200
+++ new/www/app/models/online_help.rb   2011-12-01 09:22:04.000000000 +0100
@@ -18,6 +18,7 @@
 
 require 'rubygems'
 require 'nokogiri'
+# RORSCAN_INL: do not know whats wrong here....
 require 'open-uri'
 
 class OnlineHelp
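Review bot: The `do not know whats wrong here` comment marks the scanner finding without resolving it: `require 'open-uri'` redefines `Kernel#open` so a string starting with a URL scheme is fetched over the network, and plain `Kernel#open` already spawns a command when the string starts with `|`. If `OnlineHelp.find` (below this hunk) calls `open` with a path derived from a request parameter, both behaviours are reachable; use `File.open` for local help files or `URI.parse(url).open` for remote ones, and replace the comment with the reason, e.g. `# open-uri is needed for remote help pages; local files must go through File.open`. Whether `find` does this is not visible here.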
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/www/app/models/permission.rb 
new/www/app/models/permission.rb
--- old/www/app/models/permission.rb    2011-10-19 14:37:27.000000000 +0200
+++ new/www/app/models/permission.rb    2011-12-01 09:22:04.000000000 +0100
@@ -21,6 +21,7 @@
 # Permission class
 #
 require 'exceptions'
+require 'shellwords'
 
 class Permission
 #list of hash { :name => id, :granted => boolean, :description => string 
(optional)}
@@ -147,7 +148,10 @@
   end
 
   def get_description (action)
-    desc = `/usr/bin/pkaction --action-id #{action} | grep description: |  sed 
's/description://g'`
+    # RORSCAN_INL: This is not a CWE-184: Incomplete Blacklist
+    action = Shellwords.escape(action)
+    # RORSCAN_INL: "action" will be checked
+    desc = `/usr/bin/pkaction --action-id '#{action}' --verbose | grep 
description: |  sed 's/description://g'`
     desc.strip!
     desc
   end
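Review bot: `get_description` single-quotes the value returned by `Shellwords.escape`, so every character the escaper backslashes is passed to `pkaction` as a literal backslash sequence; that is harmless for dotted action ids but means the new escaping never contributes anything, and the `RORSCAN_INL: "action" will be checked` comment points to a check that is not in this method. Either avoid the shell, `desc = IO.popen(['/usr/bin/pkaction', '--action-id', action, '--verbose']) { |io| io.read }` with the `description:` filtering done in Ruby, or validate `action` against the pattern webyastPermissionsService.rb uses, `/\A[a-zA-Z][a-zA-Z0-9.-]*\z/`, and keep the quotes. The array form of `IO.popen` needs Ruby 1.9; which Ruby this ships on is not visible here.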
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/www/app/models/resource.rb 
new/www/app/models/resource.rb
--- old/www/app/models/resource.rb      2011-10-19 14:37:27.000000000 +0200
+++ new/www/app/models/resource.rb      2011-12-01 09:22:04.000000000 +0100
@@ -33,7 +33,8 @@
     @cache_enabled = impl_hash[:cache_enabled]
     @cache_priority = impl_hash[:cache_priority]
     @cache_reload_after = impl_hash[:cache_reload_after]
-    @cache_arguments = eval(impl_hash[:cache_arguments]) #this is save cause 
it is defined in a configuration file
+    # RORSCAN_INL:this is save cause it is defined in a configuration file
+    @cache_arguments = eval(impl_hash[:cache_arguments]) 
   end
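Review bot: `eval(impl_hash[:cache_arguments])` runs whatever the configuration file contains, so the "this is save cause it is defined in a configuration file" justification holds only while that file is writable by root alone and not by the webyast service user or anything in the appliance build; the comment should state that precondition rather than assert safety, e.g. `# eval of cache_arguments is acceptable only because the config file is root-owned and not writable by webyast; do not relax its permissions`. If the arguments are plain literals, parsing them with `YAML.load` would remove the code-execution path entirely. Who owns and can write the config file is not shown in this hunk.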
 
   def self.find(what)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/www/lib/session.rb new/www/lib/session.rb
--- old/www/lib/session.rb      2011-10-19 14:37:27.000000000 +0200
+++ new/www/lib/session.rb      2011-12-01 09:22:04.000000000 +0100
@@ -272,7 +272,7 @@
           pe[0].close
           STDERR.reopen(pe[1])
           pe[1].close
-
+          # RORSCAN_INL session will be used by account only which checks the 
params
           exec(*cmd)
         }
 
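Review bot: The comment added before `exec(*cmd)` justifies a generic `Session` helper by one caller's blacklist in account.rb, which is brittle: `exec` bypasses the shell only when `cmd` is an argv Array, while a single String with shell metacharacters is handed to `/bin/sh`. State the contract at the helper instead, e.g. `# cmd: pass an argv Array to avoid /bin/sh; a String containing shell metacharacters is interpreted by the shell`, so future callers know which form is safe. The enclosing method starts and ends outside the hunk.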
@@ -715,6 +715,7 @@
         epath = tmpfifo
 
         cmd = "#{ command } < #{ ipath } 1> #{ opath } 2> #{ epath } &"
+        # RORSCAN_INL session will be used by account only which checks the 
params
         system cmd 
 
         i = open ipath, 'w'
@@ -732,6 +733,7 @@
           v = $VERBOSE
           begin
             $VERBOSE = nil
+            # RORSCAN_INL session will be used by account only which checks 
the params
             system "mkfifo #{ tpath }"
           ensure
             $VERBOSE = v 
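Review bot: `system "mkfifo #{ tpath }"` goes through the shell for a single argument, so the added comment is needed only because the path is interpolated; the multi-argument form avoids the shell and the comment at once: `system('mkfifo', tpath)`. That also behaves correctly for a temp directory containing spaces or quotes, which the interpolated form does not. The `$VERBOSE` juggling around it is untouched; the method continues outside the hunk.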
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/www/public/javascripts/webyast-terminal.js 
new/www/public/javascripts/webyast-terminal.js
--- old/www/public/javascripts/webyast-terminal.js      2011-10-19 
14:37:27.000000000 +0200
+++ new/www/public/javascripts/webyast-terminal.js      1970-01-01 
01:00:00.000000000 +0100
@@ -1,36 +0,0 @@
-/*
-#--
-# Webyast framework
-#
-# Copyright (C) 2009, 2010 Novell, Inc.
-#   This library is free software; you can redistribute it and/or modify
-# it only under the terms of version 2.1 of the GNU Lesser General Public
-# License as published by the Free Software Foundation.
-#
-#   This library is distributed in the hope that it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
-# FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
-# details.
-#
-#   You should have received a copy of the GNU Lesser General Public
-# License along with this library; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
-#++
-*/
-
-$(document).ready(function(){
-  $("#iframe").attr("src", "http://localhost:4200";);
-
-  $("#fullscreen").click(function(){
-    $(".webyast_fieldset").css("position", "static");
-    $("#frameBorder").addClass("fullscreen");
-    $("#closeFullscreen").show();
-  });
-
-  $("#closeFullscreen").click(function(){
-    $(".webyast_fieldset").css("position", "relative");
-    $("#frameBorder").removeClass("fullscreen");
-    $("#closeFullscreen").hide();
-  });
-});
-
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/www/vendor/plugins/delayed_job/lib/delayed/job.rb 
new/www/vendor/plugins/delayed_job/lib/delayed/job.rb
--- old/www/vendor/plugins/delayed_job/lib/delayed/job.rb       2011-10-19 
14:37:27.000000000 +0200
+++ new/www/vendor/plugins/delayed_job/lib/delayed/job.rb       2011-12-01 
09:22:04.000000000 +0100
@@ -42,6 +42,7 @@
     alias_method :failed, :failed?
 
     def payload_object
+      # RORSCAN_INL: Will be used by yast-cache only where the params are fix
       @payload_object ||= deserialize(self['handler'])
     end
 
@@ -266,6 +267,7 @@
     end
 
     def perform
+      # RORSCAN_INL: Will be used by yast-cache only where the params are fix
       eval(@job)
     end
   end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/www/vendor/plugins/delayed_job/spec/database.rb 
new/www/vendor/plugins/delayed_job/spec/database.rb
--- old/www/vendor/plugins/delayed_job/spec/database.rb 2011-10-19 
14:37:27.000000000 +0200
+++ new/www/vendor/plugins/delayed_job/spec/database.rb 2011-12-01 
09:22:04.000000000 +0100
@@ -7,8 +7,10 @@
 
 require File.dirname(__FILE__) + '/../init'
 require 'spec'
-  
+
+# RORSCAN_INL: It is just while creating the database. 
 ActiveRecord::Base.logger = Logger.new('/tmp/dj.log')
+# RORSCAN_INL: It is just while creating the database. 
 ActiveRecord::Base.establish_connection(:adapter => 'sqlite3', :database => 
'/tmp/jobs.sqlite')
 ActiveRecord::Migration.verbose = false
 ActiveRecord::Base.default_timezone = :utc if Time.zone.nil?
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/www/vendor/plugins/delayed_job/spec/job_spec.rb 
new/www/vendor/plugins/delayed_job/spec/job_spec.rb
--- old/www/vendor/plugins/delayed_job/spec/job_spec.rb 2011-10-19 
14:37:27.000000000 +0200
+++ new/www/vendor/plugins/delayed_job/spec/job_spec.rb 2011-12-01 
09:22:04.000000000 +0100
@@ -70,7 +70,7 @@
     SimpleJob.runs.should == 1
   end
                      
-                     
+  # RORSCAN_INL: It is in the spec file only. No eval will be executed
   it "should work with eval jobs" do
     $eval_job_ran = false
 
