Hello community,
here is the log from the commit of package python-whitenoise for
openSUSE:Factory checked in at 2019-07-22 17:19:20
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-whitenoise (Old)
and /work/SRC/openSUSE:Factory/.python-whitenoise.new.4126 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-whitenoise"
Mon Jul 22 17:19:20 2019 rev:3 rq:717554 version:4.1.3
Changes:
--------
--- /work/SRC/openSUSE:Factory/python-whitenoise/python-whitenoise.changes
2019-07-08 16:40:05.960881134 +0200
+++
/work/SRC/openSUSE:Factory/.python-whitenoise.new.4126/python-whitenoise.changes
2019-07-22 17:19:21.573912169 +0200
@@ -1,0 +2,7 @@
+Mon Jul 22 11:38:51 UTC 2019 - Tomáš Chvátal <[email protected]>
+
+- Update to 4.1.3:
+ * Fix handling of zero-valued mtimes which can occur when running on some
filesystems
+ * Fix potential path traversal attack while running in autorefresh mode on
Windows
+
+-------------------------------------------------------------------
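Review bot: the "Fix potential path traversal attack" item in the new entry carries no bug or CVE reference, so the security fix cannot be tracked from the package changelog. If a tracker entry exists for it, add its identifier to that line.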
Old:
----
whitenoise-4.1.2.tar.gz
New:
----
whitenoise-4.1.3.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-whitenoise.spec ++++++
--- /var/tmp/diff_new_pack.ghM0Ol/_old 2019-07-22 17:19:22.169911694 +0200
+++ /var/tmp/diff_new_pack.ghM0Ol/_new 2019-07-22 17:19:22.173911691 +0200
@@ -18,14 +18,13 @@
%{?!python_module:%define python_module() python-%{**} python3-%{**}}
Name: python-whitenoise
-Version: 4.1.2
+Version: 4.1.3
Release: 0
Summary: Static file serving for WSGI applications
License: MIT
Group: Development/Languages/Python
-Url: http://whitenoise.evans.io
+Url: https://github.com/evansd/whitenoise
Source:
https://files.pythonhosted.org/packages/source/w/whitenoise/whitenoise-%{version}.tar.gz
-BuildRequires: %{python_module devel}
BuildRequires: %{python_module setuptools}
BuildRequires: fdupes
BuildRequires: python-rpm-macros
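Review bot: dropping `BuildRequires: %{python_module devel}` and switching `Url:` to the GitHub page are packaging changes that the .changes entry for this revision does not mention; it lists only the upstream 4.1.3 items. Add a line for each so the spec changes are traceable.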
++++++ whitenoise-4.1.2.tar.gz -> whitenoise-4.1.3.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/whitenoise-4.1.2/PKG-INFO
new/whitenoise-4.1.3/PKG-INFO
--- old/whitenoise-4.1.2/PKG-INFO 2018-11-19 23:10:21.000000000 +0100
+++ new/whitenoise-4.1.3/PKG-INFO 2019-07-13 13:35:30.000000000 +0200
@@ -1,6 +1,6 @@
Metadata-Version: 2.1
Name: whitenoise
-Version: 4.1.2
+Version: 4.1.3
Summary: Radically simplified static file serving for WSGI applications
Home-page: http://whitenoise.evans.io
Author: David Evans
@@ -21,6 +21,10 @@
:target: https://pypi.python.org/pypi/whitenoise
:alt: Latest PyPI version
+ .. image:: https://img.shields.io/pypi/dm/whitenoise.svg
+ :target: https://pypistats.org/packages/whitenoise
+ :alt: Monthly PyPI downloads
+
.. image::
https://img.shields.io/github/stars/evansd/whitenoise.svg?style=social&label=Star
:target: https://github.com/evansd/whitenoise
:alt: GitHub project
@@ -63,6 +67,7 @@
Classifier: Framework :: Django :: 1.11
Classifier: Framework :: Django :: 2.0
Classifier: Framework :: Django :: 2.1
+Classifier: Framework :: Django :: 2.2
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: MIT License
Classifier: Operating System :: OS Independent
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/whitenoise-4.1.2/README.rst
new/whitenoise-4.1.3/README.rst
--- old/whitenoise-4.1.2/README.rst 2017-09-23 19:16:53.000000000 +0200
+++ new/whitenoise-4.1.3/README.rst 2019-02-09 21:29:32.000000000 +0100
@@ -13,6 +13,10 @@
:target: https://pypi.python.org/pypi/whitenoise
:alt: Latest PyPI version
+.. image:: https://img.shields.io/pypi/dm/whitenoise.svg
+ :target: https://pypistats.org/packages/whitenoise
+ :alt: Monthly PyPI downloads
+
.. image::
https://img.shields.io/github/stars/evansd/whitenoise.svg?style=social&label=Star
:target: https://github.com/evansd/whitenoise
:alt: GitHub project
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/whitenoise-4.1.2/docs/changelog.rst
new/whitenoise-4.1.3/docs/changelog.rst
--- old/whitenoise-4.1.2/docs/changelog.rst 2018-11-19 23:09:10.000000000
+0100
+++ new/whitenoise-4.1.3/docs/changelog.rst 2019-07-13 13:19:46.000000000
+0200
@@ -5,6 +5,18 @@
<br />
+v4.1.3
+------
+
+ * Fix handling of zero-valued mtimes which can occur when running on some
+ filesystems (thanks `@twosigmajab <https://github.com/twosigmajab>`_ for
+ reporting).
+ * Fix potential path traversal attack while running in autorefresh mode on
+ Windows (thanks `@phith0n <https://github.com/phith0n>`_ for reporting).
+ This is a good time to reiterate that autofresh mode is never intended for
+ production use.
+
+
v4.1.2
------
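Review bot: the added sentence says "autofresh mode" where the item above it says "autorefresh mode". This is a typo in the new changelog text and worth reporting upstream, since this sentence is the warning that the mode is not for production.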
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/whitenoise-4.1.2/docs/flask.rst
new/whitenoise-4.1.3/docs/flask.rst
--- old/whitenoise-4.1.2/docs/flask.rst 2017-11-20 19:02:49.000000000 +0100
+++ new/whitenoise-4.1.3/docs/flask.rst 2019-07-13 13:14:13.000000000 +0200
@@ -87,4 +87,4 @@
for static in my_static_folders:
app.wsgi_app.add_files(static)
-See the ``WhiteNoise.add_file`` documentation for further customization.
+See the ``WhiteNoise.add_files`` documentation for further customization.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/whitenoise-4.1.2/docs/index.rst
new/whitenoise-4.1.3/docs/index.rst
--- old/whitenoise-4.1.2/docs/index.rst 2018-08-10 13:28:47.000000000 +0200
+++ new/whitenoise-4.1.3/docs/index.rst 2019-02-09 21:30:06.000000000 +0100
@@ -13,6 +13,10 @@
:target: https://pypi.python.org/pypi/whitenoise
:alt: Latest PyPI version
+.. image:: https://img.shields.io/pypi/dm/whitenoise.svg
+ :target: https://pypistats.org/packages/whitenoise
+ :alt: Monthly PyPI downloads
+
.. image::
https://img.shields.io/github/stars/evansd/whitenoise.svg?style=social&label=Star
:target: https://github.com/evansd/whitenoise
:alt: GitHub project
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/whitenoise-4.1.2/setup.py
new/whitenoise-4.1.3/setup.py
--- old/whitenoise-4.1.2/setup.py 2018-09-11 22:48:45.000000000 +0200
+++ new/whitenoise-4.1.3/setup.py 2019-06-14 17:13:55.000000000 +0200
@@ -39,6 +39,7 @@
'Framework :: Django :: 1.11',
'Framework :: Django :: 2.0',
'Framework :: Django :: 2.1',
+ 'Framework :: Django :: 2.2',
'Intended Audience :: Developers',
'License :: OSI Approved :: MIT License',
'Operating System :: OS Independent',
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/whitenoise-4.1.2/whitenoise/__init__.py
new/whitenoise-4.1.3/whitenoise/__init__.py
--- old/whitenoise-4.1.2/whitenoise/__init__.py 2018-11-19 23:09:10.000000000
+0100
+++ new/whitenoise-4.1.3/whitenoise/__init__.py 2019-07-13 13:19:46.000000000
+0200
@@ -1,5 +1,5 @@
from .base import WhiteNoise
-__version__ = '4.1.2'
+__version__ = '4.1.3'
__all__ = ['WhiteNoise']
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/whitenoise-4.1.2/whitenoise/base.py
new/whitenoise-4.1.3/whitenoise/base.py
--- old/whitenoise-4.1.2/whitenoise/base.py 2018-11-12 22:52:29.000000000
+0100
+++ new/whitenoise-4.1.3/whitenoise/base.py 2018-12-24 16:09:12.000000000
+0100
@@ -89,6 +89,7 @@
def add_files(self, root, prefix=None):
root = decode_if_byte_string(root, force_text=True)
+ root = os.path.abspath(root)
root = root.rstrip(os.path.sep) + os.path.sep
prefix = decode_if_byte_string(prefix)
prefix = ensure_leading_trailing_slash(prefix)
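Review bot: the new `root = os.path.abspath(root)` line in `add_files` has no comment saying why it is needed, although the prefix comparison added to `candidate_paths_for_url` depends on the root being absolute and normalised. A one-line comment tying the two together would keep a later cleanup from removing it. Note also that `abspath` is purely lexical and does not resolve symlinks, so the containment check covers the path string only.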
@@ -140,7 +141,9 @@
def candidate_paths_for_url(self, url):
for root, prefix in self.directories:
if url.startswith(prefix):
- yield os.path.join(root, url[len(prefix):])
+ path = os.path.join(root, url[len(prefix):])
+ if os.path.commonprefix((root, path)) == root:
+ yield path
def find_file_at_path(self, path, url):
if self.is_compressed_variant(path):
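Review bot: in `candidate_paths_for_url` the containment check `os.path.commonprefix((root, path)) == root` runs on the raw result of `os.path.join`, which is never normalised, and `commonprefix` compares character by character rather than by path component. The check therefore only detects a join that discarded `root`, and relies on `url_is_canonical` having already rejected traversal elements. Normalising `path` (for example with `os.path.abspath`) before the comparison would make the check hold on its own, and a test for a rejected path would document the intent.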
@@ -168,8 +171,8 @@
@staticmethod
def url_is_canonical(url):
"""
- Check that the URL path does not contain any elements which might be
- used in a path traversal attack
+ Check that the URL path is in canonical format i.e. has normalised
+ slashes and no path traversal elements
"""
if '\\' in url:
return False
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/whitenoise-4.1.2/whitenoise/middleware.py
new/whitenoise-4.1.3/whitenoise/middleware.py
--- old/whitenoise-4.1.2/whitenoise/middleware.py 2018-11-19
23:09:01.000000000 +0100
+++ new/whitenoise-4.1.3/whitenoise/middleware.py 2019-06-14
17:13:55.000000000 +0200
@@ -7,7 +7,10 @@
from django.contrib.staticfiles.storage import staticfiles_storage
from django.contrib.staticfiles import finders
from django.http import FileResponse
-from django.utils.six.moves.urllib.parse import urlparse
+try:
+ from urllib.parse import urlparse # PY3
+except ImportError:
+ from urlparse import urlparse # PY2
from .base import WhiteNoise
from .string_utils import decode_if_byte_string, ensure_leading_trailing_slash
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/whitenoise-4.1.2/whitenoise/responders.py
new/whitenoise-4.1.3/whitenoise/responders.py
--- old/whitenoise-4.1.2/whitenoise/responders.py 2018-11-12
22:53:41.000000000 +0100
+++ new/whitenoise-4.1.3/whitenoise/responders.py 2019-07-13
13:14:13.000000000 +0200
@@ -8,6 +8,7 @@
import os
import re
import stat
+from time import mktime
try:
from urllib.parse import quote
except ImportError:
@@ -133,10 +134,16 @@
headers['Vary'] = 'Accept-Encoding'
if 'Last-Modified' not in headers:
mtime = main_file.stat.st_mtime
- headers['Last-Modified'] = formatdate(mtime, usegmt=True)
+ # Not all filesystems report mtimes, and sometimes they report an
+ # mtime of 0 which we know is incorrect
+ if mtime:
+ headers['Last-Modified'] = formatdate(mtime, usegmt=True)
if 'ETag' not in headers:
- headers['ETag'] = '"{:x}-{:x}"'.format(
- int(main_file.stat.st_mtime), main_file.stat.st_size)
+ last_modified = parsedate(headers['Last-Modified'])
+ if last_modified:
+ timestamp = int(mktime(last_modified))
+ headers['ETag'] = '"{:x}-{:x}"'.format(
+ timestamp, main_file.stat.st_size)
return headers
@staticmethod
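Review bot: in the ETag branch, `int(mktime(last_modified))` interprets the parsed tuple as local time, while the header it was parsed from was produced with `formatdate(mtime, usegmt=True)`. The ETag timestamp therefore depends on the server's timezone and no longer equals `int(st_mtime)` as before; `calendar.timegm` is the UTC inverse. The same branch reads `headers['Last-Modified']` even when the `if mtime:` guard above skipped setting it, which is only safe if the headers object returns None for a missing key and `parsedate` accepts None. Use an explicit guard, and note that no ETag is emitted at all in that case.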
@@ -170,6 +177,8 @@
previous_etag = request_headers.get('HTTP_IF_NONE_MATCH')
if previous_etag is not None:
return previous_etag == self.etag
+ if self.last_modified is None:
+ return False
try:
last_requested = request_headers['HTTP_IF_MODIFIED_SINCE']
except KeyError:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/whitenoise-4.1.2/whitenoise.egg-info/PKG-INFO
new/whitenoise-4.1.3/whitenoise.egg-info/PKG-INFO
--- old/whitenoise-4.1.2/whitenoise.egg-info/PKG-INFO 2018-11-19
23:10:21.000000000 +0100
+++ new/whitenoise-4.1.3/whitenoise.egg-info/PKG-INFO 2019-07-13
13:35:30.000000000 +0200
@@ -1,6 +1,6 @@
Metadata-Version: 2.1
Name: whitenoise
-Version: 4.1.2
+Version: 4.1.3
Summary: Radically simplified static file serving for WSGI applications
Home-page: http://whitenoise.evans.io
Author: David Evans
@@ -21,6 +21,10 @@
:target: https://pypi.python.org/pypi/whitenoise
:alt: Latest PyPI version
+ .. image:: https://img.shields.io/pypi/dm/whitenoise.svg
+ :target: https://pypistats.org/packages/whitenoise
+ :alt: Monthly PyPI downloads
+
.. image::
https://img.shields.io/github/stars/evansd/whitenoise.svg?style=social&label=Star
:target: https://github.com/evansd/whitenoise
:alt: GitHub project
@@ -63,6 +67,7 @@
Classifier: Framework :: Django :: 1.11
Classifier: Framework :: Django :: 2.0
Classifier: Framework :: Django :: 2.1
+Classifier: Framework :: Django :: 2.2
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: MIT License
Classifier: Operating System :: OS Independent