[gentoo-commits] gentoo-x86 commit in dev-python/ipython/files: ipython-2.2.0-login-backport.patch

Mon, 22 Jun 2015 02:47:03 -0700 

jlec        15/06/22 09:45:52

  Added:                ipython-2.2.0-login-backport.patch
  Log:
  Backport vulnerability fix, bug #552816; drop vulnerable versions; create 
mathjax symlink USE dependent, bug #481726
  
  (Portage version: 2.2.20/cvs/Linux x86_64, signed Manifest commit with key 
E9402A79B03529A2!)

Revision  Changes    Path
1.1                  dev-python/ipython/files/ipython-2.2.0-login-backport.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-python/ipython/files/ipython-2.2.0-login-backport.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-python/ipython/files/ipython-2.2.0-login-backport.patch?rev=1.1&content-type=text/plain

Index: ipython-2.2.0-login-backport.patch
===================================================================
>From 5d6ce3671318c8d32bab770ece841590bbec358d Mon Sep 17 00:00:00 2001
From: Matthias Bussonnier <bussonniermatth...@gmail.com>
Date: Fri, 17 Apr 2015 13:08:32 -0700
Subject: [PATCH] Set secure cookie by default if login handler is hit.

    backport of https://github.com/jupyter/jupyter_notebook/pull/22 b8e99bc

>   There is few chances that logged-in people do not use https connexion,
>   but I guess it can happened if the server is ran in front of a proxy
>   that does the https termination, so leave it configurable.
>
>   closes ipython/ipython#8325
---
 IPython/html/auth/login.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/IPython/html/auth/login.py b/IPython/html/auth/login.py
index 1ad4673..1a340c8 100644
--- a/IPython/html/auth/login.py
+++ b/IPython/html/auth/login.py
@@ -46,7 +46,13 @@ class LoginHandler(IPythonHandler):
         pwd = self.get_argument('password', default=u'')
         if self.login_available:
             if passwd_check(self.password, pwd):
-                self.set_secure_cookie(self.cookie_name, str(uuid.uuid4()))
+                # tornado <4.2 have a bug that consider secure==True as soon as
+                # 'secure' kwarg is passed to set_secure_cookie
+                if self.settings.get('secure_cookie', self.request.protocol == 
'https'):
+                    kwargs = {'secure':True}
+                else:
+                    kwargs = {}
+                self.set_secure_cookie(self.cookie_name, str(uuid.uuid4()), 
**kwargs)
             else:
                 self._render(message={'error': 'Invalid password'})
                 return

Reply via email to