Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python-pyramid for openSUSE:Factory checked in at 2024-01-03 12:30:53 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-pyramid (Old) and /work/SRC/openSUSE:Factory/.python-pyramid.new.28375 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-pyramid"

Wed Jan 3 12:30:53 2024 rev:22 rq:1136288 version:2.0.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/python-pyramid/python-pyramid.changes 2023-06-12 15:26:25.695043770 +0200
+++ /work/SRC/openSUSE:Factory/.python-pyramid.new.28375/python-pyramid.changes 2024-01-03 12:31:34.405912580 +0100
@@ -1,0 +2,9 @@
+Tue Jan 2 21:17:44 UTC 2024 - Dirk Müller <[email protected]>
+
+- update to 2.0.2:
+  * Removed support for null-bytes in the path when making a
+    request for a file
+  * Backward Incompatibilities - Requests to a static_view are no
+    longer allowed to contain a null-byte in any
+
+-------------------------------------------------------------------

Old:
----
  pyramid-2.0.1.tar.gz

New:
----
  pyramid-2.0.2.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python-pyramid.spec ++++++
--- /var/tmp/diff_new_pack.eWYnYk/_old 2024-01-03 12:31:35.041935841 +0100
+++ /var/tmp/diff_new_pack.eWYnYk/_new 2024-01-03 12:31:35.045935987 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package python-pyramid
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 # Copyright (c) 2014-2017 LISA GmbH, Bingen, Germany.
 #
 # All modifications and additions to the file contributed by third parties
@@ -19,7 +19,7 @@
 %{?sle15_python_module_pythons}
 Name: python-pyramid
-Version: 2.0.1
+Version: 2.0.2
 Release: 0
 Summary: The Pyramid web application development framework
 License: BSD-4-Clause AND ZPL-2.1 AND MIT
@@ -68,6 +68,8 @@ + + # NOTE: The documentation in the docs/ directory is under a # non-free license (CC-BY-NC-SA-3.0). Do not package it. ++++++ pyramid-2.0.1.tar.gz -> pyramid-2.0.2.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyramid-2.0.1/.readthedocs.yaml new/pyramid-2.0.2/.readthedocs.yaml --- old/pyramid-2.0.1/.readthedocs.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/pyramid-2.0.2/.readthedocs.yaml 2023-08-25 08:25:16.000000000 +0200 @@ -0,0 +1,17 @@ +# https://docs.readthedocs.io/en/stable/config-file/v2.html +version: 2 +build: + os: ubuntu-22.04 + tools: + python: '3.11' +sphinx: + configuration: docs/conf.py +formats: + - pdf + - epub +python: + install: + - method: pip + path: . + extra_requirements: + - docs diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyramid-2.0.1/CHANGES.rst new/pyramid-2.0.2/CHANGES.rst --- old/pyramid-2.0.1/CHANGES.rst 2023-01-30 02:05:46.000000000 +0100 +++ new/pyramid-2.0.2/CHANGES.rst 2023-08-25 08:31:24.000000000 +0200 
@@ -1,3 +1,28 @@ +.. _changes_2.0.2: + +2.0.2 (2023-08-25) +================== + +Bug Fixes +--------- + +- Removed support for null-bytes in the path when making a request for a file + against a static_view. Whille null-bytes are allowed by the HTTP + specification, due to the handling of null-bytes potentially leading to + security vulnerabilities it is no longer supported. + + This fixes a security vulnerability that is present due to a bug in Python + 3.11.0 through 3.11.4, thereby allowing the unintended disclosure of an + ``index.html`` one directory up from the static views path. + + Thanks to Masashi Yamane of LAC Co., Ltd for reporting this issue. + +Backward Incompatibilities +-------------------------- + +- Requests to a static_view are no longer allowed to contain a null-byte in any + part of the path segment. + .. _changes_2.0.1: 2.0.1 (2023-01-29) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyramid-2.0.1/MANIFEST.in new/pyramid-2.0.2/MANIFEST.in --- old/pyramid-2.0.1/MANIFEST.in 2023-01-30 00:43:14.000000000 +0100 +++ new/pyramid-2.0.2/MANIFEST.in 2023-08-25 08:25:16.000000000 +0200 @@ -8,7 +8,7 @@ include CONTRIBUTORS.txt LICENSE.txt COPYRIGHT.txt include .coveragerc .flake8 setup.cfg pyproject.toml -include tox.ini rtd.txt +include tox.ini .readthedocs.yaml include contributing.md RELEASING.txt HACKING.txt TODO.txt graft .github diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyramid-2.0.1/PKG-INFO new/pyramid-2.0.2/PKG-INFO --- old/pyramid-2.0.1/PKG-INFO 2023-01-30 02:10:36.268694200 +0100 +++ new/pyramid-2.0.2/PKG-INFO 2023-08-25 08:32:29.172607200 +0200 @@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: pyramid -Version: 2.0.1 +Version: 2.0.2 Summary: The Pyramid Web Framework, a Pylons project Home-page: https://trypyramid.com Author: Chris McDonough, Agendaless Consulting 
@@ -100,6 +100,31 @@ <https://github.com/Pylons/pyramid/graphs/contributors>`_. +.. _changes_2.0.2: + +2.0.2 (2023-08-25) +================== + +Bug Fixes +--------- + +- Removed support for null-bytes in the path when making a request for a file + against a static_view. Whille null-bytes are allowed by the HTTP + specification, due to the handling of null-bytes potentially leading to + security vulnerabilities it is no longer supported. + + This fixes a security vulnerability that is present due to a bug in Python + 3.11.0 through 3.11.4, thereby allowing the unintended disclosure of an + ``index.html`` one directory up from the static views path. + + Thanks to Masashi Yamane of LAC Co., Ltd for reporting this issue. + +Backward Incompatibilities +-------------------------- + +- Requests to a static_view are no longer allowed to contain a null-byte in any + part of the path segment. + .. _changes_2.0.1: 2.0.1 (2023-01-29) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyramid-2.0.1/docs/conf.py new/pyramid-2.0.2/docs/conf.py --- old/pyramid-2.0.1/docs/conf.py 2023-01-30 02:05:27.000000000 +0100 +++ new/pyramid-2.0.2/docs/conf.py 2023-08-25 08:25:16.000000000 +0200 
@@ -63,22 +63,22 @@
 # Looks for objects in external projects
 intersphinx_mapping = {
     'colander': ('https://docs.pylonsproject.org/projects/colander/en/latest/', None),
-    'cookbook': ('https://docs.pylonsproject.org/projects/pyramid-cookbook/en/latest/', None),
+    'cookbook': ('https://docs.pylonsproject.org/projects/pyramid_cookbook/en/latest/', None),
     'deform': ('https://docs.pylonsproject.org/projects/deform/en/latest/', None),
-    'jinja2': ('https://docs.pylonsproject.org/projects/pyramid-jinja2/en/latest/', None),
+    'jinja2': ('https://docs.pylonsproject.org/projects/pyramid_jinja2/en/latest/', None),
     'pylonswebframework': ('https://docs.pylonsproject.org/projects/pylons-webframework/en/latest/', None),
     'python': ('https://docs.python.org/3/', None),
     'pytest': ('https://docs.pytest.org/en/latest/', None),
     'sqla': ('https://docs.sqlalchemy.org/en/latest/', None),
-    'tm': ('https://docs.pylonsproject.org/projects/pyramid-tm/en/latest/', None),
-    'toolbar': ('https://docs.pylonsproject.org/projects/pyramid-debugtoolbar/en/latest/', None),
+    'tm': ('https://docs.pylonsproject.org/projects/pyramid_tm/en/latest/', None),
+    'toolbar': ('https://docs.pylonsproject.org/projects/pyramid_debugtoolbar/en/latest/', None),
     'transaction': ('https://transaction.readthedocs.io/en/latest/', None),
-    'tutorials': ('https://docs.pylonsproject.org/projects/pyramid-tutorials/en/latest/', None),
+    'tutorials': ('https://docs.pylonsproject.org/projects/pyramid_tutorials/en/latest/', None),
     'venusian': ('https://docs.pylonsproject.org/projects/venusian/en/latest/', None),
     'webtest': ('https://docs.pylonsproject.org/projects/webtest/en/latest/', None),
     'webob': ('https://docs.pylonsproject.org/projects/webob/en/latest/', None),
     'zcml': (
-        'https://docs.pylonsproject.org/projects/pyramid-zcml/en/latest/', None),
+        'https://docs.pylonsproject.org/projects/pyramid_zcml/en/latest/', None),
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore'
old/pyramid-2.0.1/docs/whatsnew-2.0.rst new/pyramid-2.0.2/docs/whatsnew-2.0.rst
--- old/pyramid-2.0.1/docs/whatsnew-2.0.rst 2023-01-30 02:05:29.000000000 +0100
+++ new/pyramid-2.0.2/docs/whatsnew-2.0.rst 2023-08-25 08:25:16.000000000 +0200
@@ -16,6 +16,7 @@
 The following bug fix releases were made since then. Bug fix releases also include documentation improvements and other minor feature changes.

 - :ref:`changes_2.0.1`
+- :ref:`changes_2.0.2`

 Feature Additions
 -----------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyramid-2.0.1/rtd.txt new/pyramid-2.0.2/rtd.txt
--- old/pyramid-2.0.1/rtd.txt 2016-02-28 20:27:29.000000000 +0100
+++ new/pyramid-2.0.2/rtd.txt 1970-01-01 01:00:00.000000000 +0100
@@ -1 +0,0 @@
--e .[docs]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyramid-2.0.1/setup.py new/pyramid-2.0.2/setup.py
--- old/pyramid-2.0.1/setup.py 2023-01-30 02:05:28.000000000 +0100
+++ new/pyramid-2.0.2/setup.py 2023-08-25 08:25:16.000000000 +0200
@@ -22,7 +22,7 @@
 README = readfile('README.rst')
 CHANGES = readfile('CHANGES.rst')

-VERSION = '2.0.1'
+VERSION = '2.0.2'

 install_requires = [
     'hupper >= 1.5', # ignore_files support
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyramid-2.0.1/src/pyramid/static.py new/pyramid-2.0.2/src/pyramid/static.py
--- old/pyramid-2.0.1/src/pyramid/static.py 2023-01-30 02:05:28.000000000 +0100
+++ new/pyramid-2.0.2/src/pyramid/static.py 2023-08-25 07:49:50.000000000 +0200
@@ -138,11 +138,11 @@
         # normalize asset spec or fs path into resource_path
         if self.package_name:
             # package resource
-            resource_path = '%s/%s' % (self.docroot.rstrip('/'), path)
+            resource_path = '{}/{}'.format(self.docroot.rstrip('/'), path)
             if resource_isdir(self.package_name, resource_path):
                 if not request.path_url.endswith('/'):
                     raise self.add_slash_redirect(request)
-                resource_path = '%s/%s' % (
+                resource_path = '{}/{}'.format(
                     resource_path.rstrip('/'),
                     self.index,
                 )
@@ -260,12 +260,12 @@
         response.vary = vary


-_seps = {'/', os.sep}
+_invalid_element_chars = {'/', os.sep, '\x00'}


-def _contains_slash(item):
-    for sep in _seps:
-        if sep in item:
+def _contains_invalid_element_char(item):
+    for invalid_element_char in _invalid_element_chars:
+        if invalid_element_char in item:
             return True


@@ -279,7 +279,7 @@
         # unless someone screws up the traversal_path code
         # (request.subpath is computed via traversal_path too)
         return None
-    if any([_contains_slash(item) for item in path_tuple]):
+    if any([_contains_invalid_element_char(item) for item in path_tuple]):
         return None
     encoded = '/'.join(path_tuple) # will be unicode
     return encoded
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyramid-2.0.1/src/pyramid.egg-info/PKG-INFO new/pyramid-2.0.2/src/pyramid.egg-info/PKG-INFO
--- old/pyramid-2.0.1/src/pyramid.egg-info/PKG-INFO 2023-01-30 02:10:35.000000000 +0100
+++ new/pyramid-2.0.2/src/pyramid.egg-info/PKG-INFO 2023-08-25 08:32:28.000000000 +0200
@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: pyramid
-Version: 2.0.1
+Version: 2.0.2
 Summary: The Pyramid Web Framework, a Pylons project
 Home-page: https://trypyramid.com
 Author: Chris McDonough, Agendaless Consulting
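Review bot: `_contains_invalid_element_char` still falls off the end of its loop and returns None rather than False when nothing matches, and nothing beside `_invalid_element_chars` records why `'\x00'` was added, which is the whole point of this release. I would put the changelog's rationale on the constant, e.g. `# NUL is rejected: on Python 3.11.0-3.11.4 a segment such as '..\x00' could resolve one directory above the static view's docroot (see CHANGES 2.0.2).` — the changelog does not name the interpreter bug, so confirm and cite it if it is the normpath truncation issue. The helper body can then be `return any(ch in item for ch in _invalid_element_chars)`, which returns a real bool and needs no loop. Rejecting NUL at this layer is right, since `_secure_path` returns None for such a segment before any path is joined.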
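Review bot: `any([_contains_invalid_element_char(item) for item in path_tuple])` materialises the whole list before `any` inspects it, so a NUL in the first segment still scans every remaining one; `if any(_contains_invalid_element_char(item) for item in path_tuple):` short-circuits and reads the same. `_secure_path` starts above this hunk, so the `..` handling the comment alludes to is not visible here — I infer it from the comment only, please verify it is present. A docstring on `_secure_path` listing its rejection rules (a `..` segment, a segment containing a separator, a segment containing NUL) would make the security contract reviewable in one place.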
@@ -100,6 +100,31 @@ <https://github.com/Pylons/pyramid/graphs/contributors>`_. +.. _changes_2.0.2: + +2.0.2 (2023-08-25) +================== + +Bug Fixes +--------- + +- Removed support for null-bytes in the path when making a request for a file + against a static_view. Whille null-bytes are allowed by the HTTP + specification, due to the handling of null-bytes potentially leading to + security vulnerabilities it is no longer supported. + + This fixes a security vulnerability that is present due to a bug in Python + 3.11.0 through 3.11.4, thereby allowing the unintended disclosure of an + ``index.html`` one directory up from the static views path. + + Thanks to Masashi Yamane of LAC Co., Ltd for reporting this issue. + +Backward Incompatibilities +-------------------------- + +- Requests to a static_view are no longer allowed to contain a null-byte in any + part of the path segment. + .. _changes_2.0.1: 2.0.1 (2023-01-29) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyramid-2.0.1/src/pyramid.egg-info/SOURCES.txt new/pyramid-2.0.2/src/pyramid.egg-info/SOURCES.txt --- old/pyramid-2.0.1/src/pyramid.egg-info/SOURCES.txt 2023-01-30 02:10:35.000000000 +0100 +++ new/pyramid-2.0.2/src/pyramid.egg-info/SOURCES.txt 2023-08-25 08:32:28.000000000 +0200 @@ -1,5 +1,6 @@ .coveragerc .flake8 +.readthedocs.yaml BFG_HISTORY.rst CHANGES.rst CONTRIBUTORS.txt @@ -13,7 +14,6 @@ TODO.txt contributing.md pyproject.toml -rtd.txt setup.cfg setup.py tox.ini @@ -1043,6 +1043,7 @@ tests/test_viewderivers.py tests/test_wsgi.py tests/fixtures/dummy.ini +tests/fixtures/index.html tests/fixtures/manifest.json tests/fixtures/manifest2.json tests/fixtures/minimal.jpg 
@@ -1108,7 +1109,9 @@
 tests/pkgs/restbugapp/views.py
 tests/pkgs/securityapp/__init__.py
 tests/pkgs/static_abspath/__init__.py
+tests/pkgs/static_abspath_nulbyte/__init__.py
 tests/pkgs/static_assetspec/__init__.py
+tests/pkgs/static_assetspec_nulbyte/__init__.py
 tests/pkgs/static_encodings/__init__.py
 tests/pkgs/static_routeprefix/__init__.py
 tests/pkgs/staticpermapp/__init__.py
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyramid-2.0.1/tests/fixtures/index.html new/pyramid-2.0.2/tests/fixtures/index.html
--- old/pyramid-2.0.1/tests/fixtures/index.html 1970-01-01 01:00:00.000000000 +0100
+++ new/pyramid-2.0.2/tests/fixtures/index.html 2023-08-25 07:49:50.000000000 +0200
@@ -0,0 +1 @@
+<h1>DON'T GO HERE</h1>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyramid-2.0.1/tests/pkgs/static_abspath_nulbyte/__init__.py new/pyramid-2.0.2/tests/pkgs/static_abspath_nulbyte/__init__.py
--- old/pyramid-2.0.1/tests/pkgs/static_abspath_nulbyte/__init__.py 1970-01-01 01:00:00.000000000 +0100
+++ new/pyramid-2.0.2/tests/pkgs/static_abspath_nulbyte/__init__.py 2023-08-25 07:49:50.000000000 +0200
@@ -0,0 +1,9 @@
+import os
+
+
+def includeme(config):
+    here = here = os.path.dirname(__file__)
+    static = os.path.normpath(
+        os.path.join(here, '..', '..', 'fixtures', 'static')
+    )
+    config.add_static_view('/', static)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyramid-2.0.1/tests/pkgs/static_assetspec_nulbyte/__init__.py new/pyramid-2.0.2/tests/pkgs/static_assetspec_nulbyte/__init__.py
--- old/pyramid-2.0.1/tests/pkgs/static_assetspec_nulbyte/__init__.py 1970-01-01 01:00:00.000000000 +0100
+++ new/pyramid-2.0.2/tests/pkgs/static_assetspec_nulbyte/__init__.py 2023-08-25 07:49:50.000000000 +0200
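Review bot: `here = here = os.path.dirname(__file__)` in the new `includeme` is a doubled assignment; it runs, but it reads like a paste slip, so make it `here = os.path.dirname(__file__)`. A one-line docstring saying this fixture mounts `tests/fixtures/static` at `/` by absolute filesystem path, as the counterpart to the asset-spec package added alongside it, would tell the next reader why the two packages exist.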
@@ -0,0 +1,6 @@
+def includeme(config):
+    config.add_static_view('/', 'tests:fixtures/static')
+    config.add_static_view('/sub', 'tests:fixtures/static/subdir')
+    config.override_asset(
+        'tests:fixtures/static/subdir', 'tests:fixtures/static'
+    )
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyramid-2.0.1/tests/test_integration.py new/pyramid-2.0.2/tests/test_integration.py
--- old/pyramid-2.0.1/tests/test_integration.py 2023-01-30 02:05:28.000000000 +0100
+++ new/pyramid-2.0.2/tests/test_integration.py 2023-08-25 08:25:16.000000000 +0200
@@ -225,6 +225,26 @@
     package = 'tests.pkgs.static_assetspec'


+class TestStaticAppUsingAbsPathNulByte(IntegrationBase, unittest.TestCase):
+    package = 'tests.pkgs.static_abspath_nulbyte'
+
+    def test_nulbyte_chroot(self):
+        super_w_null = '..\x00/'
+        self.testapp.get(f'/{super_w_null}', status=404)
+
+
+class TestStaticAppUsingAssetSpecNulByte(IntegrationBase, unittest.TestCase):
+    package = 'tests.pkgs.static_assetspec_nulbyte'
+
+    def test_nulbyte_chroot(self):
+        super_w_null = '..\x00/'
+        self.testapp.get(f'/{super_w_null}', status=404)
+
+    def test_nulbyte_chroot_assetspec_override(self):
+        super_w_null = '..\x00/'
+        self.testapp.get(f'/sub/{super_w_null}', status=404)
+
+
 class TestStaticAppWithEncodings(IntegrationBase, unittest.TestCase):
     package = 'tests.pkgs.static_encodings'

diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyramid-2.0.1/tests/test_static.py new/pyramid-2.0.2/tests/test_static.py
--- old/pyramid-2.0.1/tests/test_static.py 2023-01-30 02:05:28.000000000 +0100
+++ new/pyramid-2.0.2/tests/test_static.py 2023-08-25 08:25:16.000000000 +0200
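Review bot: the three new tests only assert a 404 for `..\x00/` as the first segment, which also passes if the view is misconfigured and 404s everything, so they never show that the NUL is what gets rejected. Add a positive control that a known file under `tests/fixtures/static` returns 200 (I cannot see that directory's listing from here to name one), a case with the NUL in a later segment such as `self.testapp.get('/subdir/..\x00/', status=404)` for the asset-spec app, which mounts `static/subdir`, and a NUL inside a filename such as `'/index\x00.html'`. Since the commit adds `tests/fixtures/index.html` ("DON'T GO HERE") as the file one level up, asserting that text never appears in any 200 body would pin the actual disclosure rather than the status code alone.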
@@ -104,6 +104,17 @@
         self.assertRaises(HTTPNotFound, inst, context, request)

+    def test_oob_nul_char(self):
+        import os
+
+        inst = self._makeOne(f'{os.getcwd()}/tests/fixtures/static')
+        super_w_null = '..\x00/'
+        request = self._makeRequest({'PATH_INFO': f'/{super_w_null}'})
+        context = DummyContext()
+        from pyramid.httpexceptions import HTTPNotFound
+
+        self.assertRaises(HTTPNotFound, inst, context, request)
+
     def test_resource_doesnt_exist(self):
         inst = self._makeOne('tests:fixtures/static')
         request = self._makeRequest({'PATH_INFO': '/notthere'})
