Hello community, here is the log from the commit of package openstack-cinder for openSUSE:Factory checked in at 2013-02-23 08:09:11 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openstack-cinder (Old) and /work/SRC/openSUSE:Factory/.openstack-cinder.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openstack-cinder", Maintainer is ""
Changes:
--------
--- /work/SRC/openSUSE:Factory/openstack-cinder/openstack-cinder.changes 2013-02-08 07:12:31.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.openstack-cinder.new/openstack-cinder.changes 2013-02-23 08:09:12.000000000 +0100
@@ -1,0 +2,13 @@
+Fri Feb 22 10:08:07 UTC 2013 - cloud-de...@suse.de
+
+- Update to version 2012.2.4+git.1361527687.68de70d:
+ + Add a safe_minidom_parse_string function. (CVE-2013-1664)
+
+-------------------------------------------------------------------
+Thu Feb 7 18:29:05 UTC 2013 - dmuel...@suse.com
+
+- Set auth_strategy to keystone for a good out-of-the-box experience
+- Add cinder-config-update.diff: move configuration changes to a
+ patch, instead of using sed.
+
+--------------------------------------------------------------------
New:
----
cinder-config-update.diff
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openstack-cinder-doc.spec ++++++
--- /var/tmp/diff_new_pack.UsR3GF/_old 2013-02-23 08:09:14.000000000 +0100
+++ /var/tmp/diff_new_pack.UsR3GF/_new 2013-02-23 08:09:14.000000000 +0100
@@ -19,7 +19,7 @@
 %define component cinder
 Name: openstack-%{component}-doc
-Version: 2012.2.4+git.1360133755.a8caa79
+Version: 2012.2.4+git.1361527687.68de70d
 Release: 1
 License: Apache-2.0
 Summary: OpenStack Block Storage (Cinder) - Documentation
++++++ openstack-cinder.spec ++++++
--- /var/tmp/diff_new_pack.UsR3GF/_old 2013-02-23 08:09:14.000000000 +0100
+++ /var/tmp/diff_new_pack.UsR3GF/_new 2013-02-23 08:09:14.000000000 +0100
@@ -21,7 +21,7 @@
 %define username openstack-%{component}
 Name: openstack-%{component}
-Version: 2012.2.4+git.1360133755.a8caa79
+Version: 2012.2.4+git.1361527687.68de70d
 Release: 1
 License: Apache-2.0
 Summary: OpenStack Block Storage (Cinder)
@@ -32,6 +32,8 @@
 Source2: %{name}.logrotate
 # PATCH-FIX-UPSTREAM: sasc...@suse.de - Backport of https://review.openstack.org/17347
 Patch0: cinder-include-migratecfg.patch
+# PATCH-SUSE: dmuel...@suse.de - Set sane defaults for SUSE
+Patch1: cinder-config-update.diff
 BuildRequires: fdupes
 BuildRequires: openstack-macros
 BuildRequires: python-base
@@ -145,14 +147,12 @@
 %prep
 %setup -q -n cinder-2012.2.4
 %patch0 -p1
+%patch1
 %openstack_cleanup_prep
 # FIXME: Fix path to test/policy.json due to our special test setup
 # maybe the code in cinder/utils.py#find_config could be fixed, too:
 # ConfigNotFound: Could not find config at /usr/lib64/python2.6/site-packages/cinder/tests/cinder/tests/policy.json
 sed -i "s|cinder\/tests\/policy.json|policy.json|" ./cinder/tests/fake_flags.py
-# NOTE(saschpe): Adjust some config paths:
-sed -i -e "s|# rootwrap_config=.*|rootwrap_config=/etc/cinder/rootwrap.conf|" \
- -e "s|# state_path=.*|state_path=/var/lib/cinder|" etc/cinder/cinder.conf.sample
 %build
 python setup.py build
++++++ cinder-config-update.diff ++++++
--- etc/cinder/cinder.conf.sample
+++ etc/cinder/cinder.conf.sample
@@ -65,7 +65,7 @@
 # bindir=$pybasedir/bin
 #### (StrOpt) Directory where cinder binaries are installed
-# state_path=$pybasedir
+state_path=/var/lib/cinder
 #### (StrOpt) Top-level directory for maintaining cinder's state
 # my_ip=10.0.0.1
@@ -148,7 +148,7 @@
 # root_helper=sudo
 #### (StrOpt) Deprecated: command to use for running commands as root
-# rootwrap_config=<None>
+rootwrap_config=/etc/cinder/rootwrap.conf
 #### (StrOpt) Path to the rootwrap configuration file to use for running
 #### commands as root
@@ -167,7 +167,7 @@
 # volume_api_class=cinder.volume.api.API
 #### (StrOpt) The full class name of the volume API class to use
-# auth_strategy=noauth
+auth_strategy=keystone
 #### (StrOpt) The strategy to use for auth. Supports noauth, keystone, and
 #### deprecated.
++++++ cinder-stable-folsom.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cinder-2012.2.4/ChangeLog new/cinder-2012.2.4/ChangeLog
--- old/cinder-2012.2.4/ChangeLog 2013-02-04 15:48:43.000000000 +0100
+++ new/cinder-2012.2.4/ChangeLog 2013-02-20 01:51:09.000000000 +0100
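Review bot: Flipping the shipped default from `noauth` to `keystone` is the right hardening (as far as I recall, noauth accepts whatever identity the request asserts), but this patch only touches cinder.conf.sample; the keystone strategy presumably also depends on the api-paste pipeline's authtoken filter and its identity-service credentials, which are not part of this diff, so confirm the packaged api-paste.ini matches or a fresh install may fail to start or reject every request. The `.changes` entry only cites the "out-of-the-box experience"; I would record the security motivation next to the option so nobody flips it back, e.g. `#### NOTE: noauth trusts client-asserted identity; development use only`. The sample file continues outside this hunk.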
@@ -1,3 +1,36 @@
+commit 68de70dd98911d44fc0825cfd9408ddbc7e978a4
+Merge: a8caa79 fcf249d
+Author: Jenkins <jenk...@review.openstack.org>
+Date: Wed Feb 20 00:25:38 2013 +0000
+
+ Merge "Add a safe_minidom_parse_string function." into stable/folsom
+
+commit fcf249d1f06938280d841cb13b61556971a58e0c
+Author: Dan Prince <dpri...@redhat.com>
+Date: Sun Feb 3 22:25:12 2013 -0500
+
+ Add a safe_minidom_parse_string function.
+
+ Adds a new utils.safe_minidom_parse_string function and
+ updates external API facing Cinder modules to use it.
+ This ensures we have safe defaults on our incoming API XML parsing.
+
+ Internally safe_minidom_parse_string uses a ProtectedExpatParser
+ class to disable DTDs and entities from being parsed when using
+ minidom.
+
+ Fixes LP Bug #1100282 for Folsom.
+
+ Change-Id: Ie8ae7a6e12fbf51de406d10ca21072140374abf5
+
+ cinder/api/openstack/common.py | 9 ++--
+ .../api/openstack/volume/contrib/volume_actions.py | 4 +-
+ cinder/api/openstack/volume/volumes.py | 3 +-
+ cinder/api/openstack/wsgi.py | 5 ++-
+ cinder/tests/test_utils.py | 33 +++++++++++++++
+ cinder/utils.py | 44 ++++++++++++++++++++
+ 6 files changed, 88 insertions(+), 10 deletions(-)
+
 commit a8caa79fd93e9837055660904494141251572413
 Author: Ollie Leahy <oliver.le...@hp.com>
 Date: Tue Jan 29 11:25:27 2013 +0000
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cinder-2012.2.4/cinder/api/openstack/common.py new/cinder-2012.2.4/cinder/api/openstack/common.py
--- old/cinder-2012.2.4/cinder/api/openstack/common.py 2013-02-04 15:45:39.000000000 +0100
+++ new/cinder-2012.2.4/cinder/api/openstack/common.py 2013-02-20 01:47:59.000000000 +0100
@@ -25,6 +25,7 @@
 from cinder.api.openstack import wsgi
 from cinder.api.openstack import xmlutil
 from cinder.openstack.common import log as logging
+from cinder import utils
 LOG = logging.getLogger(__name__)
@@ -247,7 +248,7 @@
 class MetadataDeserializer(wsgi.MetadataXMLDeserializer):
 def deserialize(self, text):
- dom = minidom.parseString(text)
+ dom = utils.safe_minidom_parse_string(text)
 metadata_node = self.find_first_child_named(dom, "metadata")
 metadata = self.extract_metadata(metadata_node)
 return {'body': {'metadata': metadata}}
@@ -255,7 +256,7 @@
 class MetaItemDeserializer(wsgi.MetadataXMLDeserializer):
 def deserialize(self, text):
- dom = minidom.parseString(text)
+ dom = utils.safe_minidom_parse_string(text)
 metadata_item = self.extract_metadata(dom)
 return {'body': {'meta': metadata_item}}
@@ -273,7 +274,7 @@
 return metadata
 def _extract_metadata_container(self, datastring):
- dom = minidom.parseString(datastring)
+ dom = utils.safe_minidom_parse_string(datastring)
 metadata_node = self.find_first_child_named(dom, "metadata")
 metadata = self.extract_metadata(metadata_node)
 return {'body': {'metadata': metadata}}
@@ -285,7 +286,7 @@
 return self._extract_metadata_container(datastring)
 def update(self, datastring):
- dom = minidom.parseString(datastring)
+ dom = utils.safe_minidom_parse_string(datastring)
 metadata_item = self.extract_metadata(dom)
 return {'body': {'meta': metadata_item}}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cinder-2012.2.4/cinder/api/openstack/volume/contrib/volume_actions.py new/cinder-2012.2.4/cinder/api/openstack/volume/contrib/volume_actions.py
--- old/cinder-2012.2.4/cinder/api/openstack/volume/contrib/volume_actions.py 2013-02-04 15:45:39.000000000 +0100
+++ new/cinder-2012.2.4/cinder/api/openstack/volume/contrib/volume_actions.py 2013-02-20 01:47:59.000000000 +0100
@@ -13,7 +13,6 @@
 # under the License.
 import webob
-from xml.dom import minidom
 from cinder.api.openstack import extensions
 from cinder.api.openstack import wsgi
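Review bot: None of the four overrides in these hunks (`MetadataDeserializer.deserialize`, `MetaItemDeserializer.deserialize`, `_extract_metadata_container`, `update`) guards the new `utils.safe_minidom_parse_string` call, and that helper rejects a DOCTYPE or `<!ENTITY>` with `ValueError` (the test added in this commit asserts exactly that) rather than the `expat.ExpatError` the wsgi-level XML path catches, so the very payloads CVE-2013-1664 is about now surface here as an unhandled exception instead of a client error. Because these classes override `deserialize` directly, they presumably also bypass whatever ExpatError mapping `wsgi.XMLDeserializer` performs — confirm. Wrapping each parse with `except (expat.ExpatError, ValueError): raise exc.HTTPBadRequest(explanation=_("cannot understand XML"))`, using the bad-request exception and `expat` import common.py has in scope (or adding them), closes the gap consistently. The enclosing classes start outside these hunks.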
@@ -23,6 +22,7 @@
 from cinder import flags
 from cinder.openstack.common import log as logging
 from cinder.openstack.common.rpc import common as rpc_common
+from cinder import utils
 FLAGS = flags.FLAGS
@@ -54,7 +54,7 @@
 class VolumeToImageDeserializer(wsgi.XMLDeserializer):
 """Deserializer to handle xml-formatted requests"""
 def default(self, string):
- dom = minidom.parseString(string)
+ dom = utils.safe_minidom_parse_string(string)
 action_node = dom.childNodes[0]
 action_name = action_node.tagName
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cinder-2012.2.4/cinder/api/openstack/volume/volumes.py new/cinder-2012.2.4/cinder/api/openstack/volume/volumes.py
--- old/cinder-2012.2.4/cinder/api/openstack/volume/volumes.py 2013-02-04 15:45:39.000000000 +0100
+++ new/cinder-2012.2.4/cinder/api/openstack/volume/volumes.py 2013-02-20 01:47:59.000000000 +0100
@@ -17,7 +17,6 @@
 from webob import exc
 import webob
-from xml.dom import minidom
 from cinder.api.openstack import common
 from cinder.api.openstack import wsgi
@@ -194,7 +193,7 @@
 def default(self, string):
 """Deserialize an xml-formatted volume create request."""
- dom = minidom.parseString(string)
+ dom = utils.safe_minidom_parse_string(string)
 volume = self._extract_volume(dom)
 return {'body': {'volume': volume}}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cinder-2012.2.4/cinder/api/openstack/wsgi.py new/cinder-2012.2.4/cinder/api/openstack/wsgi.py
--- old/cinder-2012.2.4/cinder/api/openstack/wsgi.py 2013-02-04 15:45:39.000000000 +0100
+++ new/cinder-2012.2.4/cinder/api/openstack/wsgi.py 2013-02-20 01:47:59.000000000 +0100
@@ -24,6 +24,7 @@
 from cinder import wsgi
 from cinder.openstack.common import log as logging
 from cinder.openstack.common import jsonutils
+from cinder import utils
 from lxml import etree
 from xml.dom import minidom
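Review bot: The volumes.py hunk switches `default` to `utils.safe_minidom_parse_string` but, unlike the volume_actions.py hunk above it, adds no `from cinder import utils`; the diffstat (3 lines, one insertion) implies the module already imports `utils`, which is worth confirming because a NameError here would only appear at request time when an XML create body arrives and the commit adds no test for this module. Both `default` methods also let the new `ValueError` for DTD/entity input propagate, just as they never caught `expat.ExpatError`, so a rejected body becomes an unhandled exception rather than a client error; a `except (expat.ExpatError, ValueError): raise exc.HTTPBadRequest(explanation=_("cannot understand XML"))` around the parse (volumes.py visibly imports `exc`; `expat` would need importing) would close that. The enclosing classes start outside these hunks.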
@@ -151,7 +152,7 @@
 plurals = set(self.metadata.get('plurals', {}))
 try:
- node = minidom.parseString(datastring).childNodes[0]
+ node = utils.safe_minidom_parse_string(datastring).childNodes[0]
 return {node.nodeName: self._from_xml_node(node, plurals)}
 except expat.ExpatError:
 msg = _("cannot understand XML")
@@ -548,7 +549,7 @@
 def action_peek_xml(body):
 """Determine action to invoke."""
- dom = minidom.parseString(body)
+ dom = utils.safe_minidom_parse_string(body)
 action_node = dom.childNodes[0]
 return action_node.tagName
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cinder-2012.2.4/cinder/tests/test_utils.py new/cinder-2012.2.4/cinder/tests/test_utils.py
--- old/cinder-2012.2.4/cinder/tests/test_utils.py 2013-02-04 15:45:39.000000000 +0100
+++ new/cinder-2012.2.4/cinder/tests/test_utils.py 2013-02-20 01:47:59.000000000 +0100
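Review bot: The handler in the first hunk still catches only `expat.ExpatError`, but the protected parser it now calls raises `ValueError` for a DOCTYPE or `<!ENTITY>` (the test added in this commit asserts exactly that), so the CVE-2013-1664 payloads this change is meant to reject escape the `cannot understand XML` mapping and surface as an unhandled exception instead of a 400; change it to `except (expat.ExpatError, ValueError):`. `action_peek_xml` in the second hunk has no handling at all and is presumably run before deserialization to pick the action, so it needs the same treatment or its caller must catch both types. The method enclosing the first hunk begins and ends outside it.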
@@ -423,6 +423,39 @@
 result = utils.service_is_up(service)
 self.assertFalse(result)
+ def test_safe_parse_xml(self):
+
+ normal_body = ("""
+ <?xml version="1.0" ?><foo>
+ <bar>
+ <v1>hey</v1>
+ <v2>there</v2>
+ </bar>
+ </foo>""").strip()
+
+ def killer_body():
+ return (("""<!DOCTYPE x [
+ <!ENTITY a "%(a)s">
+ <!ENTITY b "%(b)s">
+ <!ENTITY c "%(c)s">]>
+ <foo>
+ <bar>
+ <v1>%(d)s</v1>
+ </bar>
+ </foo>""") % {
+ 'a': 'A' * 10,
+ 'b': '&a;' * 10,
+ 'c': '&b;' * 10,
+ 'd': '&c;' * 9999,
+ }).strip()
+
+ dom = utils.safe_minidom_parse_string(normal_body)
+ self.assertEqual(normal_body, str(dom.toxml()))
+
+ self.assertRaises(ValueError,
+ utils.safe_minidom_parse_string,
+ killer_body())
+
 def test_xhtml_escape(self):
 self.assertEqual('"foo"', utils.xhtml_escape('"foo"'))
 self.assertEqual(''foo'', utils.xhtml_escape("'foo'"))
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cinder-2012.2.4/cinder/utils.py new/cinder-2012.2.4/cinder/utils.py
--- old/cinder-2012.2.4/cinder/utils.py 2013-02-04 15:45:39.000000000 +0100
+++ new/cinder-2012.2.4/cinder/utils.py 2013-02-20 01:47:59.000000000 +0100
@@ -42,6 +42,10 @@
 import types
 import uuid
 import warnings
+from xml.dom import minidom
+from xml.parsers import expat
+from xml import sax
+from xml.sax import expatreader
 from xml.sax import saxutils
 from eventlet import event
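Review bot: The new test pins only the inline-DTD entity-expansion case and one well-formed body, leaving the helper's other contracts unlocked. I would add `self.assertRaises(ValueError, utils.safe_minidom_parse_string, '<!DOCTYPE x SYSTEM "http://127.0.0.1/x.dtd"><x/>')` for an external DTD reference, a parse of `killer_body()` through `minidom.parseString(..., parser=utils.ProtectedExpatParser(forbid_dtd=False))` so the `entity_decl` path is exercised on its own rather than shadowed by the DOCTYPE check, and `self.assertRaises(expat.ExpatError, utils.safe_minidom_parse_string, '<foo><bar></foo>')` to lock in the SAXParseException-to-ExpatError translation (this needs `from xml.parsers import expat` in the test module unless it is already there). Note the asymmetry the test documents: forbidden constructs raise `ValueError` while malformed XML raises `ExpatError`, so a caller catching only the latter does not handle the former.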
@@ -542,6 +546,46 @@
 return self.done.wait()
+class ProtectedExpatParser(expatreader.ExpatParser):
+ """An expat parser which disables DTD's and entities by default."""
+
+ def __init__(self, forbid_dtd=True, forbid_entities=True,
+ *args, **kwargs):
+ # Python 2.x old style class
+ expatreader.ExpatParser.__init__(self, *args, **kwargs)
+ self.forbid_dtd = forbid_dtd
+ self.forbid_entities = forbid_entities
+
+ def start_doctype_decl(self, name, sysid, pubid, has_internal_subset):
+ raise ValueError("Inline DTD forbidden")
+
+ def entity_decl(self, entityName, is_parameter_entity, value, base,
+ systemId, publicId, notationName):
+ raise ValueError("<!ENTITY> forbidden")
+
+ def unparsed_entity_decl(self, name, base, sysid, pubid, notation_name):
+ # expat 1.2
+ raise ValueError("<!ENTITY> forbidden")
+
+ def reset(self):
+ expatreader.ExpatParser.reset(self)
+ if self.forbid_dtd:
+ self._parser.StartDoctypeDeclHandler = self.start_doctype_decl
+ if self.forbid_entities:
+ self._parser.EntityDeclHandler = self.entity_decl
+ self._parser.UnparsedEntityDeclHandler = self.unparsed_entity_decl
+
+
+def safe_minidom_parse_string(xml_string):
+ """Parse an XML string using minidom safely.
+
+ """
+ try:
+ return minidom.parseString(xml_string, parser=ProtectedExpatParser())
+ except sax.SAXParseException as se:
+ raise expat.ExpatError()
+
+
 def xhtml_escape(value):
 """Escapes a string so it is valid within XML or XHTML.
-- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
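Review bot: `safe_minidom_parse_string` binds the caught `SAXParseException` as `se` and then discards it, re-raising a bare `expat.ExpatError()` with no message, so callers and logs lose the line, column and reason for the failure; `raise expat.ExpatError(str(se))` keeps the diagnostic at no cost. The docstring should also spell out the contract callers must handle, roughly: parses with DTDs and entity declarations disabled, raises `ValueError` when the document contains a DOCTYPE or `<!ENTITY>` declaration, and `expat.ExpatError` for otherwise malformed XML. In `ProtectedExpatParser.__init__`, placing `forbid_dtd`/`forbid_entities` ahead of `*args` means a positional `ProtectedExpatParser(1)` silently sets `forbid_dtd` instead of the base class's first parameter (presumably its namespace-handling flag); a comment stating they are meant to be passed by keyword, or forwarding the base arguments explicitly, would prevent that surprise. `xhtml_escape` continues outside the hunk.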