Hello community, here is the log from the commit of package python-whitenoise for openSUSE:Factory checked in at 2019-07-22 17:19:20 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-whitenoise (Old) and /work/SRC/openSUSE:Factory/.python-whitenoise.new.4126 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-whitenoise" Mon Jul 22 17:19:20 2019 rev:3 rq:717554 version:4.1.3 Changes: -------- --- /work/SRC/openSUSE:Factory/python-whitenoise/python-whitenoise.changes 2019-07-08 16:40:05.960881134 +0200 +++ /work/SRC/openSUSE:Factory/.python-whitenoise.new.4126/python-whitenoise.changes 2019-07-22 17:19:21.573912169 +0200 @@ -1,0 +2,7 @@ +Mon Jul 22 11:38:51 UTC 2019 - Tomáš Chvátal <tchva...@suse.com> + +- Update to 4.1.3: + * Fix handling of zero-valued mtimes which can occur when running on some filesystems + * Fix potential path traversal attack while running in autorefresh mode on Windows + +------------------------------------------------------------------- Old: ---- whitenoise-4.1.2.tar.gz New: ---- whitenoise-4.1.3.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-whitenoise.spec ++++++ --- /var/tmp/diff_new_pack.ghM0Ol/_old 2019-07-22 17:19:22.169911694 +0200 +++ /var/tmp/diff_new_pack.ghM0Ol/_new 2019-07-22 17:19:22.173911691 +0200 @@ -18,14 +18,13 @@ %{?!python_module:%define python_module() python-%{**} python3-%{**}} Name: python-whitenoise -Version: 4.1.2 +Version: 4.1.3 Release: 0 Summary: Static file serving for WSGI applications License: MIT Group: Development/Languages/Python -Url: http://whitenoise.evans.io +Url: https://github.com/evansd/whitenoise Source: https://files.pythonhosted.org/packages/source/w/whitenoise/whitenoise-%{version}.tar.gz -BuildRequires: %{python_module devel} BuildRequires: %{python_module setuptools} BuildRequires: fdupes BuildRequires: python-rpm-macros ++++++ whitenoise-4.1.2.tar.gz -> whitenoise-4.1.3.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/whitenoise-4.1.2/PKG-INFO new/whitenoise-4.1.3/PKG-INFO --- old/whitenoise-4.1.2/PKG-INFO 2018-11-19 23:10:21.000000000 +0100 +++ new/whitenoise-4.1.3/PKG-INFO 2019-07-13 13:35:30.000000000 +0200 
@@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: whitenoise -Version: 4.1.2 +Version: 4.1.3 Summary: Radically simplified static file serving for WSGI applications Home-page: http://whitenoise.evans.io Author: David Evans @@ -21,6 +21,10 @@ :target: https://pypi.python.org/pypi/whitenoise :alt: Latest PyPI version + .. image:: https://img.shields.io/pypi/dm/whitenoise.svg + :target: https://pypistats.org/packages/whitenoise + :alt: Monthly PyPI downloads + .. image:: https://img.shields.io/github/stars/evansd/whitenoise.svg?style=social&label=Star :target: https://github.com/evansd/whitenoise :alt: GitHub project @@ -63,6 +67,7 @@ Classifier: Framework :: Django :: 1.11 Classifier: Framework :: Django :: 2.0 Classifier: Framework :: Django :: 2.1 +Classifier: Framework :: Django :: 2.2 Classifier: Intended Audience :: Developers Classifier: License :: OSI Approved :: MIT License Classifier: Operating System :: OS Independent diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/whitenoise-4.1.2/README.rst new/whitenoise-4.1.3/README.rst --- old/whitenoise-4.1.2/README.rst 2017-09-23 19:16:53.000000000 +0200 +++ new/whitenoise-4.1.3/README.rst 2019-02-09 21:29:32.000000000 +0100 @@ -13,6 +13,10 @@ :target: https://pypi.python.org/pypi/whitenoise :alt: Latest PyPI version +.. image:: https://img.shields.io/pypi/dm/whitenoise.svg + :target: https://pypistats.org/packages/whitenoise + :alt: Monthly PyPI downloads + .. image:: https://img.shields.io/github/stars/evansd/whitenoise.svg?style=social&label=Star :target: https://github.com/evansd/whitenoise :alt: GitHub project diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/whitenoise-4.1.2/docs/changelog.rst new/whitenoise-4.1.3/docs/changelog.rst --- old/whitenoise-4.1.2/docs/changelog.rst 2018-11-19 23:09:10.000000000 +0100 +++ new/whitenoise-4.1.3/docs/changelog.rst 2019-07-13 13:19:46.000000000 +0200 
@@ -5,6 +5,18 @@ <br /> +v4.1.3 +------ + + * Fix handling of zero-valued mtimes which can occur when running on some + filesystems (thanks `@twosigmajab <https://github.com/twosigmajab>`_ for + reporting). + * Fix potential path traversal attack while running in autorefresh mode on + Windows (thanks `@phith0n <https://github.com/phith0n>`_ for reporting). + This is a good time to reiterate that autofresh mode is never intended for + production use. + + v4.1.2 ------ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/whitenoise-4.1.2/docs/flask.rst new/whitenoise-4.1.3/docs/flask.rst --- old/whitenoise-4.1.2/docs/flask.rst 2017-11-20 19:02:49.000000000 +0100 +++ new/whitenoise-4.1.3/docs/flask.rst 2019-07-13 13:14:13.000000000 +0200 @@ -87,4 +87,4 @@ for static in my_static_folders: app.wsgi_app.add_files(static) -See the ``WhiteNoise.add_file`` documentation for further customization. +See the ``WhiteNoise.add_files`` documentation for further customization. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/whitenoise-4.1.2/docs/index.rst new/whitenoise-4.1.3/docs/index.rst --- old/whitenoise-4.1.2/docs/index.rst 2018-08-10 13:28:47.000000000 +0200 +++ new/whitenoise-4.1.3/docs/index.rst 2019-02-09 21:30:06.000000000 +0100 
@@ -13,6 +13,10 @@ :target: https://pypi.python.org/pypi/whitenoise :alt: Latest PyPI version +.. image:: https://img.shields.io/pypi/dm/whitenoise.svg + :target: https://pypistats.org/packages/whitenoise + :alt: Monthly PyPI downloads + .. image:: https://img.shields.io/github/stars/evansd/whitenoise.svg?style=social&label=Star :target: https://github.com/evansd/whitenoise :alt: GitHub project diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/whitenoise-4.1.2/setup.py new/whitenoise-4.1.3/setup.py --- old/whitenoise-4.1.2/setup.py 2018-09-11 22:48:45.000000000 +0200 +++ new/whitenoise-4.1.3/setup.py 2019-06-14 17:13:55.000000000 +0200 @@ -39,6 +39,7 @@ 'Framework :: Django :: 1.11', 'Framework :: Django :: 2.0', 'Framework :: Django :: 2.1', + 'Framework :: Django :: 2.2', 'Intended Audience :: Developers', 'License :: OSI Approved :: MIT License', 'Operating System :: OS Independent', diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/whitenoise-4.1.2/whitenoise/__init__.py new/whitenoise-4.1.3/whitenoise/__init__.py --- old/whitenoise-4.1.2/whitenoise/__init__.py 2018-11-19 23:09:10.000000000 +0100 +++ new/whitenoise-4.1.3/whitenoise/__init__.py 2019-07-13 13:19:46.000000000 +0200 @@ -1,5 +1,5 @@ from .base import WhiteNoise -__version__ = '4.1.2' +__version__ = '4.1.3' __all__ = ['WhiteNoise'] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/whitenoise-4.1.2/whitenoise/base.py new/whitenoise-4.1.3/whitenoise/base.py --- old/whitenoise-4.1.2/whitenoise/base.py 2018-11-12 22:52:29.000000000 +0100 +++ new/whitenoise-4.1.3/whitenoise/base.py 2018-12-24 16:09:12.000000000 +0100 
@@ -89,6 +89,7 @@ def add_files(self, root, prefix=None): root = decode_if_byte_string(root, force_text=True) + root = os.path.abspath(root) root = root.rstrip(os.path.sep) + os.path.sep prefix = decode_if_byte_string(prefix) prefix = ensure_leading_trailing_slash(prefix) @@ -140,7 +141,9 @@ def candidate_paths_for_url(self, url): for root, prefix in self.directories: if url.startswith(prefix): - yield os.path.join(root, url[len(prefix):]) + path = os.path.join(root, url[len(prefix):]) + if os.path.commonprefix((root, path)) == root: + yield path def find_file_at_path(self, path, url): if self.is_compressed_variant(path): @@ -168,8 +171,8 @@ @staticmethod def url_is_canonical(url): """ - Check that the URL path does not contain any elements which might be - used in a path traversal attack + Check that the URL path is in canonical format i.e. has normalised + slashes and no path traversal elements """ if '\\' in url: return False diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/whitenoise-4.1.2/whitenoise/middleware.py new/whitenoise-4.1.3/whitenoise/middleware.py --- old/whitenoise-4.1.2/whitenoise/middleware.py 2018-11-19 23:09:01.000000000 +0100 +++ new/whitenoise-4.1.3/whitenoise/middleware.py 2019-06-14 17:13:55.000000000 +0200 
@@ -7,7 +7,10 @@ from django.contrib.staticfiles.storage import staticfiles_storage from django.contrib.staticfiles import finders from django.http import FileResponse -from django.utils.six.moves.urllib.parse import urlparse +try: + from urllib.parse import urlparse # PY3 +except ImportError: + from urlparse import urlparse # PY2 from .base import WhiteNoise from .string_utils import decode_if_byte_string, ensure_leading_trailing_slash diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/whitenoise-4.1.2/whitenoise/responders.py new/whitenoise-4.1.3/whitenoise/responders.py --- old/whitenoise-4.1.2/whitenoise/responders.py 2018-11-12 22:53:41.000000000 +0100 +++ new/whitenoise-4.1.3/whitenoise/responders.py 2019-07-13 13:14:13.000000000 +0200 @@ -8,6 +8,7 @@ import os import re import stat +from time import mktime try: from urllib.parse import quote except ImportError: @@ -133,10 +134,16 @@ headers['Vary'] = 'Accept-Encoding' if 'Last-Modified' not in headers: mtime = main_file.stat.st_mtime - headers['Last-Modified'] = formatdate(mtime, usegmt=True) + # Not all filesystems report mtimes, and sometimes they report an + # mtime of 0 which we know is incorrect + if mtime: + headers['Last-Modified'] = formatdate(mtime, usegmt=True) if 'ETag' not in headers: - headers['ETag'] = '"{:x}-{:x}"'.format( - int(main_file.stat.st_mtime), main_file.stat.st_size) + last_modified = parsedate(headers['Last-Modified']) + if last_modified: + timestamp = int(mktime(last_modified)) + headers['ETag'] = '"{:x}-{:x}"'.format( + timestamp, main_file.stat.st_size) return headers @staticmethod 
@@ -170,6 +177,8 @@ previous_etag = request_headers.get('HTTP_IF_NONE_MATCH') if previous_etag is not None: return previous_etag == self.etag + if self.last_modified is None: + return False try: last_requested = request_headers['HTTP_IF_MODIFIED_SINCE'] except KeyError: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/whitenoise-4.1.2/whitenoise.egg-info/PKG-INFO new/whitenoise-4.1.3/whitenoise.egg-info/PKG-INFO --- old/whitenoise-4.1.2/whitenoise.egg-info/PKG-INFO 2018-11-19 23:10:21.000000000 +0100 +++ new/whitenoise-4.1.3/whitenoise.egg-info/PKG-INFO 2019-07-13 13:35:30.000000000 +0200 @@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: whitenoise -Version: 4.1.2 +Version: 4.1.3 Summary: Radically simplified static file serving for WSGI applications Home-page: http://whitenoise.evans.io Author: David Evans @@ -21,6 +21,10 @@ :target: https://pypi.python.org/pypi/whitenoise :alt: Latest PyPI version + .. image:: https://img.shields.io/pypi/dm/whitenoise.svg + :target: https://pypistats.org/packages/whitenoise + :alt: Monthly PyPI downloads + .. image:: https://img.shields.io/github/stars/evansd/whitenoise.svg?style=social&label=Star :target: https://github.com/evansd/whitenoise :alt: GitHub project @@ -63,6 +67,7 @@ Classifier: Framework :: Django :: 1.11 Classifier: Framework :: Django :: 2.0 Classifier: Framework :: Django :: 2.1 +Classifier: Framework :: Django :: 2.2 Classifier: Intended Audience :: Developers Classifier: License :: OSI Approved :: MIT License Classifier: Operating System :: OS Independent
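Review bot: the python-whitenoise.spec hunk drops `BuildRequires: %{python_module devel}` and moves `Url:` from http://whitenoise.evans.io to the GitHub repository, but the python-whitenoise.changes entry above records only the upstream 4.1.3 fixes; add a line such as `- Drop unneeded devel BuildRequires, point Url at upstream repository` so the packaging history explains the change. Dropping the devel dependency looks reasonable for a package whose classifiers declare `Operating System :: OS Independent` and whose build needs only setuptools, but the reason belongs in the changes file.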
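Review bot: the docs/changelog.rst hunk has a typo in the v4.1.3 entry: `autofresh mode` should read `autorefresh mode`, matching the wording of the preceding sentence. The entry also leaves out two user-visible changes that appear elsewhere in this diff: the replacement of `django.utils.six.moves.urllib.parse.urlparse` in whitenoise/middleware.py with a direct `urllib.parse`/`urlparse` import, and the new `Framework :: Django :: 2.2` classifier in setup.py; a short line for each would help packagers reading the changelog.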
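Review bot: in the `add_files` hunk of whitenoise/base.py, `os.path.abspath(root)` makes `root` absolute and normalised (including slash direction on Windows), which the later string comparison in `candidate_paths_for_url` needs, but it does not resolve symlinks, so a static root that is itself a symlink is still compared by its link path rather than its target; that is fine if intended, otherwise `os.path.realpath` is the call. Note that `abspath` already strips a trailing separator, so the following `root.rstrip(os.path.sep) + os.path.sep` now only re-adds it; keep that line, because the prefix check downstream is only sound when `root` ends in a separator (otherwise a sibling such as `<root>-old` would share the prefix).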
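Review bot: the `candidate_paths_for_url` hunk compares `os.path.commonprefix((root, path)) == root` on the raw joined string without normalising `path`, so a `..` component that survived in `url` would still pass (`/srv/static/../etc` has `/srv/static/` as a character prefix); the guard therefore depends on `url_is_canonical` having rejected traversal elements first rather than standing on its own. Applying `os.path.normpath(path)` before the comparison makes the check self-sufficient at no real cost. What the check does catch on its own is the Windows case where the remainder of `url` carries a drive designator such as `D:foo`: the `'\\' in url` test shown in the next hunk does not reject it, `os.path.join` then discards `root` in favour of the other drive, and the resulting path no longer starts with `root`. A comment saying so would make the purpose of the new branch clear to the next reader. Also worth noting in a comment: `commonprefix` is character-wise, not component-wise, so the check is correct only because `add_files` guarantees the trailing `os.path.sep` on `root`.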
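Review bot: in the first whitenoise/responders.py hunk, `int(mktime(last_modified))` interprets the tuple from `parsedate` as local time, while `formatdate(mtime, usegmt=True)` emitted it as GMT, so on any server whose local timezone is not UTC the ETag timestamp is shifted by the UTC offset and no longer equals the `int(main_file.stat.st_mtime)` that 4.1.2 used; every cached ETag is invalidated once on upgrade, and two servers in different timezones serving the same file would disagree on its ETag. `calendar.timegm(last_modified)` yields the UTC epoch and reproduces the previous value (seconds truncated). Separately, `parsedate(headers['Last-Modified'])` is reached exactly in the case where the header was just skipped for a zero mtime, so it relies on `headers` returning None for a missing key instead of raising; `headers.get('Last-Modified')` states that intent explicitly and also survives a plain-dict `headers`.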