Hello community,

here is the log from the commit of package python-SQLAlchemy-Utils for 
openSUSE:Factory checked in at 2018-03-26 13:13:14
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-SQLAlchemy-Utils (Old)
 and      /work/SRC/openSUSE:Factory/.python-SQLAlchemy-Utils.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python-SQLAlchemy-Utils"

Mon Mar 26 13:13:14 2018 rev:9 rq:590818 version:0.33.1

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/python-SQLAlchemy-Utils/python-SQLAlchemy-Utils.changes
  2018-02-20 17:55:52.476737512 +0100
+++ 
/work/SRC/openSUSE:Factory/.python-SQLAlchemy-Utils.new/python-SQLAlchemy-Utils.changes
     2018-03-26 13:13:19.539208875 +0200
@@ -1,0 +2,7 @@
+Sat Mar 24 00:02:42 UTC 2018 - [email protected]
+
+- update to version 0.33.1:
+  * Fixed EncryptedType for Oracle padding attack (#316, pull request
+    courtesy of manishahluwalia)
+
+-------------------------------------------------------------------

Old:
----
  SQLAlchemy-Utils-0.33.0.tar.gz

New:
----
  SQLAlchemy-Utils-0.33.1.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python-SQLAlchemy-Utils.spec ++++++
--- /var/tmp/diff_new_pack.MBUcSQ/_old  2018-03-26 13:13:21.131151627 +0200
+++ /var/tmp/diff_new_pack.MBUcSQ/_new  2018-03-26 13:13:21.139151340 +0200
@@ -18,7 +18,7 @@
 
 %{?!python_module:%define python_module() python-%{**} python3-%{**}}
 Name:           python-SQLAlchemy-Utils
-Version:        0.33.0
+Version:        0.33.1
 Release:        0
 Summary:        Various utility functions for SQLAlchemy
 License:        BSD-3-Clause

++++++ SQLAlchemy-Utils-0.33.0.tar.gz -> SQLAlchemy-Utils-0.33.1.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/SQLAlchemy-Utils-0.33.0/CHANGES.rst 
new/SQLAlchemy-Utils-0.33.1/CHANGES.rst
--- old/SQLAlchemy-Utils-0.33.0/CHANGES.rst     2018-02-18 15:42:06.000000000 
+0100
+++ new/SQLAlchemy-Utils-0.33.1/CHANGES.rst     2018-03-19 15:50:26.000000000 
+0100
@@ -4,6 +4,12 @@
 Here you can see the full list of changes between each SQLAlchemy-Utils 
release.
 
 
+0.33.1 (2018-03-19)
+^^^^^^^^^^^^^^^^^^^
+
+- Fixed EncryptedType for Oracle padding attack (#316, pull request courtesy 
of manishahluwalia)
+
+
 0.33.0 (2018-02-18)
 ^^^^^^^^^^^^^^^^^^^
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/SQLAlchemy-Utils-0.33.0/PKG-INFO 
new/SQLAlchemy-Utils-0.33.1/PKG-INFO
--- old/SQLAlchemy-Utils-0.33.0/PKG-INFO        2018-02-18 15:47:12.000000000 
+0100
+++ new/SQLAlchemy-Utils-0.33.1/PKG-INFO        2018-03-19 15:54:38.000000000 
+0100
@@ -1,6 +1,6 @@
 Metadata-Version: 1.1
 Name: SQLAlchemy-Utils
-Version: 0.33.0
+Version: 0.33.1
 Summary: Various utility functions for SQLAlchemy.
 Home-page: https://github.com/kvesteri/sqlalchemy-utils
 Author: Konsta Vesterinen, Ryan Leckey, Janne Vanhala, Vesa Uimonen
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/SQLAlchemy-Utils-0.33.0/SQLAlchemy_Utils.egg-info/PKG-INFO 
new/SQLAlchemy-Utils-0.33.1/SQLAlchemy_Utils.egg-info/PKG-INFO
--- old/SQLAlchemy-Utils-0.33.0/SQLAlchemy_Utils.egg-info/PKG-INFO      
2018-02-18 15:47:12.000000000 +0100
+++ new/SQLAlchemy-Utils-0.33.1/SQLAlchemy_Utils.egg-info/PKG-INFO      
2018-03-19 15:54:38.000000000 +0100
@@ -1,6 +1,6 @@
 Metadata-Version: 1.1
 Name: SQLAlchemy-Utils
-Version: 0.33.0
+Version: 0.33.1
 Summary: Various utility functions for SQLAlchemy.
 Home-page: https://github.com/kvesteri/sqlalchemy-utils
 Author: Konsta Vesterinen, Ryan Leckey, Janne Vanhala, Vesa Uimonen
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/SQLAlchemy-Utils-0.33.0/SQLAlchemy_Utils.egg-info/SOURCES.txt 
new/SQLAlchemy-Utils-0.33.1/SQLAlchemy_Utils.egg-info/SOURCES.txt
--- old/SQLAlchemy-Utils-0.33.0/SQLAlchemy_Utils.egg-info/SOURCES.txt   
2018-02-18 15:47:12.000000000 +0100
+++ new/SQLAlchemy-Utils-0.33.1/SQLAlchemy_Utils.egg-info/SOURCES.txt   
2018-03-19 15:54:38.000000000 +0100
@@ -195,4 +195,5 @@
 tests/types/test_tsvector.py
 tests/types/test_url.py
 tests/types/test_uuid.py
-tests/types/test_weekdays.py
\ No newline at end of file
+tests/types/test_weekdays.py
+tests/types/encrypted/test_padding.py
\ No newline at end of file
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/SQLAlchemy-Utils-0.33.0/sqlalchemy_utils/__init__.py 
new/SQLAlchemy-Utils-0.33.1/sqlalchemy_utils/__init__.py
--- old/SQLAlchemy-Utils-0.33.0/sqlalchemy_utils/__init__.py    2018-02-18 
15:42:27.000000000 +0100
+++ new/SQLAlchemy-Utils-0.33.1/sqlalchemy_utils/__init__.py    2018-03-19 
15:50:31.000000000 +0100
@@ -99,4 +99,4 @@
     WeekDaysType
 )
 
-__version__ = '0.33.0'
+__version__ = '0.33.1'
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/SQLAlchemy-Utils-0.33.0/sqlalchemy_utils/types/encrypted/padding.py 
new/SQLAlchemy-Utils-0.33.1/sqlalchemy_utils/types/encrypted/padding.py
--- old/SQLAlchemy-Utils-0.33.0/sqlalchemy_utils/types/encrypted/padding.py     
2018-02-18 15:38:57.000000000 +0100
+++ new/SQLAlchemy-Utils-0.33.1/sqlalchemy_utils/types/encrypted/padding.py     
2018-03-19 15:48:30.000000000 +0100
@@ -1,6 +1,10 @@
 import six
 
 
+class InvalidPaddingError(Exception):
+    pass
+
+
 class Padding(object):
     """Base class for padding and unpadding."""
 
@@ -27,10 +31,27 @@
         return value_with_padding
 
     def unpad(self, value):
+        # Perform some input validations.
+        # In case of error, we throw a generic InvalidPaddingError()
+        if not value or len(value) < self.block_size:
+            # PKCS5 padded output will always be at least 1 block size
+            raise InvalidPaddingError()
+        if len(value) % self.block_size != 0:
+            # PKCS5 padded output will be a multiple of the block size
+            raise InvalidPaddingError()
         if isinstance(value, six.binary_type):
             padding_length = value[-1]
         if isinstance(value, six.string_types):
             padding_length = ord(value[-1])
+        if padding_length == 0 or padding_length > self.block_size:
+            raise InvalidPaddingError()
+
+        def convert_byte_or_char_to_number(x):
+            return ord(x) if isinstance(x, six.string_types) else x
+        if any([padding_length != convert_byte_or_char_to_number(x)
+               for x in value[-padding_length:]]):
+            raise InvalidPaddingError()
+
         value_without_padding = value[0:-padding_length]
 
         return value_without_padding
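Review bot: `padding_length` is only assigned inside the two `isinstance` branches, so for a value that is neither `six.binary_type` nor `six.string_types` (a `bytearray`, say) the new check `if padding_length == 0 or padding_length > self.block_size:` raises `UnboundLocalError` rather than the generic `InvalidPaddingError` this hunk introduces; a type guard next to the other up-front validations, `if not isinstance(value, (six.binary_type, six.string_types)): raise InvalidPaddingError()`, closes that gap. The trailing-byte check `any([... for x in value[-padding_length:]])` also builds a throwaway list; `any(padding_length != convert_byte_or_char_to_number(x) for x in value[-padding_length:])` short-circuits the same way without it. That short-circuit means the time spent before raising still depends on how many trailing bytes match, so one exception type removes the distinguishable error class but not every side channel; authenticating the ciphertext (a MAC or an AEAD mode) before it reaches `unpad` is the robust mitigation, and I cannot tell from this hunk whether EncryptedType does that. `self.block_size` is presumably set in `Padding.__init__`, which lies outside the hunk.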
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/SQLAlchemy-Utils-0.33.0/tests/types/encrypted/test_padding.py 
new/SQLAlchemy-Utils-0.33.1/tests/types/encrypted/test_padding.py
--- old/SQLAlchemy-Utils-0.33.0/tests/types/encrypted/test_padding.py   
1970-01-01 01:00:00.000000000 +0100
+++ new/SQLAlchemy-Utils-0.33.1/tests/types/encrypted/test_padding.py   
2018-03-19 15:48:30.000000000 +0100
@@ -0,0 +1,48 @@
+import pytest
+
+from sqlalchemy_utils.types.encrypted.padding import (
+    InvalidPaddingError,
+    PKCS5Padding
+)
+
+
+class TestPkcs5Padding(object):
+    def setup_method(self):
+        self.BLOCK_SIZE = 8
+        self.padder = PKCS5Padding(self.BLOCK_SIZE)
+
+    def test_various_lengths_roundtrip(self):
+        for l in range(0, 3 * self.BLOCK_SIZE):
+            val = b'*' * l
+            padded = self.padder.pad(val)
+            unpadded = self.padder.unpad(padded)
+            assert val == unpadded, 'Round trip error for length %d' % l
+
+    def test_invalid_unpad(self):
+        with pytest.raises(InvalidPaddingError):
+            self.padder.unpad(None)
+        with pytest.raises(InvalidPaddingError):
+            self.padder.unpad(b'')
+        with pytest.raises(InvalidPaddingError):
+            self.padder.unpad(b'\01')
+        with pytest.raises(InvalidPaddingError):
+            self.padder.unpad((b'*' * (self.BLOCK_SIZE - 1)) + b'\00')
+        with pytest.raises(InvalidPaddingError):
+            self.padder.unpad((b'*' * self.BLOCK_SIZE) + b'\01')
+
+    def test_pad_longer_than_block(self):
+        with pytest.raises(InvalidPaddingError):
+            self.padder.unpad(
+                'x' * (self.BLOCK_SIZE - 1) +
+                chr(self.BLOCK_SIZE + 1) * (self.BLOCK_SIZE + 1)
+            )
+
+    def test_incorrect_padding(self):
+        # Hard-coded for blocksize of 8
+        assert self.padder.unpad(b'1234\04\04\04\04') == b'1234'
+        with pytest.raises(InvalidPaddingError):
+            self.padder.unpad(b'1234\02\04\04\04')
+        with pytest.raises(InvalidPaddingError):
+            self.padder.unpad(b'1234\04\02\04\04')
+        with pytest.raises(InvalidPaddingError):
+            self.padder.unpad(b'1234\04\04\02\04')
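Review bot: The loop variable `l` in `test_various_lengths_roundtrip` is the single-letter name PEP 8 (E741) flags as ambiguous; `for length in range(0, 3 * self.BLOCK_SIZE):` with `b'*' * length` and `% length` reads the same and lints clean. The invalid-input cases in `test_invalid_unpad` and `test_incorrect_padding` are all `bytes`, and only `test_pad_longer_than_block` passes a `str`, so the `ord(value[-1])` path and its per-byte comparison are exercised by a single case; a `str` twin of the `b'1234\04\02\04\04'` case, and a case passing a `bytearray` to pin which exception non-`bytes`/non-`str` input raises, would cover the branches the new validation added.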

