Hello community,

here is the log from the commit of package openstack-cinder for 
openSUSE:Factory checked in at 2013-02-23 08:09:11
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openstack-cinder (Old)
 and      /work/SRC/openSUSE:Factory/.openstack-cinder.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "openstack-cinder", Maintainer is ""

Changes:
--------
--- /work/SRC/openSUSE:Factory/openstack-cinder/openstack-cinder.changes        
2013-02-08 07:12:31.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.openstack-cinder.new/openstack-cinder.changes   
2013-02-23 08:09:12.000000000 +0100
@@ -1,0 +2,13 @@
+Fri Feb 22 10:08:07 UTC 2013 - cloud-de...@suse.de
+
+- Update to version 2012.2.4+git.1361527687.68de70d:
+  + Add a safe_minidom_parse_string function. (CVE-2013-1664)
+
+-------------------------------------------------------------------
+Thu Feb  7 18:29:05 UTC 2013 - dmuel...@suse.com
+
+- Set auth_strategy to keystone for a good out-of-the-box experience
+- Add cinder-config-update.diff: move configuration changes to a
+  patch, instead of using sed.
+
+--------------------------------------------------------------------

New:
----
  cinder-config-update.diff

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ openstack-cinder-doc.spec ++++++
--- /var/tmp/diff_new_pack.UsR3GF/_old  2013-02-23 08:09:14.000000000 +0100
+++ /var/tmp/diff_new_pack.UsR3GF/_new  2013-02-23 08:09:14.000000000 +0100
@@ -19,7 +19,7 @@
 %define component cinder
 
 Name:           openstack-%{component}-doc
-Version:        2012.2.4+git.1360133755.a8caa79
+Version:        2012.2.4+git.1361527687.68de70d
 Release:        1
 License:        Apache-2.0
 Summary:        OpenStack Block Storage (Cinder) - Documentation

++++++ openstack-cinder.spec ++++++
--- /var/tmp/diff_new_pack.UsR3GF/_old  2013-02-23 08:09:14.000000000 +0100
+++ /var/tmp/diff_new_pack.UsR3GF/_new  2013-02-23 08:09:14.000000000 +0100
@@ -21,7 +21,7 @@
 %define username openstack-%{component}
 
 Name:           openstack-%{component}
-Version:        2012.2.4+git.1360133755.a8caa79
+Version:        2012.2.4+git.1361527687.68de70d
 Release:        1
 License:        Apache-2.0
 Summary:        OpenStack Block Storage (Cinder)
@@ -32,6 +32,8 @@
 Source2:        %{name}.logrotate
 # PATCH-FIX-UPSTREAM: sasc...@suse.de - Backport of 
https://review.openstack.org/17347
 Patch0:         cinder-include-migratecfg.patch
+# PATCH-SUSE: dmuel...@suse.de - Set sane defaults for SUSE
+Patch1:         cinder-config-update.diff
 BuildRequires:  fdupes
 BuildRequires:  openstack-macros
 BuildRequires:  python-base
@@ -145,14 +147,12 @@
 %prep
 %setup -q -n cinder-2012.2.4
 %patch0 -p1
+%patch1
 %openstack_cleanup_prep
 # FIXME: Fix path to test/policy.json due to our special test setup
 #        maybe the code in cinder/utils.py#find_config could be fixed, too:
 # ConfigNotFound: Could not find config at 
/usr/lib64/python2.6/site-packages/cinder/tests/cinder/tests/policy.json
 sed -i "s|cinder\/tests\/policy.json|policy.json|" ./cinder/tests/fake_flags.py
-# NOTE(saschpe): Adjust some config paths:
-sed -i -e "s|# rootwrap_config=.*|rootwrap_config=/etc/cinder/rootwrap.conf|" \
-       -e "s|# state_path=.*|state_path=/var/lib/cinder|" 
etc/cinder/cinder.conf.sample
 
 %build
 python setup.py build

++++++ cinder-config-update.diff ++++++
--- etc/cinder/cinder.conf.sample
+++ etc/cinder/cinder.conf.sample
@@ -65,7 +65,7 @@
 # bindir=$pybasedir/bin
 #### (StrOpt) Directory where cinder binaries are installed
 
-# state_path=$pybasedir
+state_path=/var/lib/cinder
 #### (StrOpt) Top-level directory for maintaining cinder's state
 
 # my_ip=10.0.0.1
@@ -148,7 +148,7 @@
 # root_helper=sudo
 #### (StrOpt) Deprecated: command to use for running commands as root
 
-# rootwrap_config=<None>
+rootwrap_config=/etc/cinder/rootwrap.conf
 #### (StrOpt) Path to the rootwrap configuration file to use for running
 ####          commands as root
 
@@ -167,7 +167,7 @@
 # volume_api_class=cinder.volume.api.API
 #### (StrOpt) The full class name of the volume API class to use
 
-# auth_strategy=noauth
+auth_strategy=keystone
 #### (StrOpt) The strategy to use for auth. Supports noauth, keystone, and
 ####          deprecated.
 
++++++ cinder-stable-folsom.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/cinder-2012.2.4/ChangeLog 
new/cinder-2012.2.4/ChangeLog
--- old/cinder-2012.2.4/ChangeLog       2013-02-04 15:48:43.000000000 +0100
+++ new/cinder-2012.2.4/ChangeLog       2013-02-20 01:51:09.000000000 +0100
@@ -1,3 +1,36 @@
+commit 68de70dd98911d44fc0825cfd9408ddbc7e978a4
+Merge: a8caa79 fcf249d
+Author: Jenkins <jenk...@review.openstack.org>
+Date:   Wed Feb 20 00:25:38 2013 +0000
+
+    Merge "Add a safe_minidom_parse_string function." into stable/folsom
+
+commit fcf249d1f06938280d841cb13b61556971a58e0c
+Author: Dan Prince <dpri...@redhat.com>
+Date:   Sun Feb 3 22:25:12 2013 -0500
+
+    Add a safe_minidom_parse_string function.
+    
+    Adds a new utils.safe_minidom_parse_string function and
+    updates external API facing Cinder modules to use it.
+    This ensures we have safe defaults on our incoming API XML parsing.
+    
+    Internally safe_minidom_parse_string uses a ProtectedExpatParser
+    class to disable DTDs and entities from being parsed when using
+    minidom.
+    
+    Fixes LP Bug #1100282 for Folsom.
+    
+    Change-Id: Ie8ae7a6e12fbf51de406d10ca21072140374abf5
+
+ cinder/api/openstack/common.py                     |    9 ++--
+ .../api/openstack/volume/contrib/volume_actions.py |    4 +-
+ cinder/api/openstack/volume/volumes.py             |    3 +-
+ cinder/api/openstack/wsgi.py                       |    5 ++-
+ cinder/tests/test_utils.py                         |   33 +++++++++++++++
+ cinder/utils.py                                    |   44 ++++++++++++++++++++
+ 6 files changed, 88 insertions(+), 10 deletions(-)
+
 commit a8caa79fd93e9837055660904494141251572413
 Author: Ollie Leahy <oliver.le...@hp.com>
 Date:   Tue Jan 29 11:25:27 2013 +0000
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/cinder-2012.2.4/cinder/api/openstack/common.py 
new/cinder-2012.2.4/cinder/api/openstack/common.py
--- old/cinder-2012.2.4/cinder/api/openstack/common.py  2013-02-04 
15:45:39.000000000 +0100
+++ new/cinder-2012.2.4/cinder/api/openstack/common.py  2013-02-20 
01:47:59.000000000 +0100
@@ -25,6 +25,7 @@
 from cinder.api.openstack import wsgi
 from cinder.api.openstack import xmlutil
 from cinder.openstack.common import log as logging
+from cinder import utils
 
 
 LOG = logging.getLogger(__name__)
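Review bot: `from xml.dom import minidom` stays in common.py while the four `minidom.parseString` calls in the hunks below are switched to `utils.safe_minidom_parse_string`; volume_actions.py and volumes.py in the same change drop that import. If nothing else in common.py still references `minidom` (the rest of the file is not visible here), the import is now dead and should be removed alongside the added `from cinder import utils`.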
@@ -247,7 +248,7 @@
 
 class MetadataDeserializer(wsgi.MetadataXMLDeserializer):
     def deserialize(self, text):
-        dom = minidom.parseString(text)
+        dom = utils.safe_minidom_parse_string(text)
         metadata_node = self.find_first_child_named(dom, "metadata")
         metadata = self.extract_metadata(metadata_node)
         return {'body': {'metadata': metadata}}
@@ -255,7 +256,7 @@
 
 class MetaItemDeserializer(wsgi.MetadataXMLDeserializer):
     def deserialize(self, text):
-        dom = minidom.parseString(text)
+        dom = utils.safe_minidom_parse_string(text)
         metadata_item = self.extract_metadata(dom)
         return {'body': {'meta': metadata_item}}
 
@@ -273,7 +274,7 @@
         return metadata
 
     def _extract_metadata_container(self, datastring):
-        dom = minidom.parseString(datastring)
+        dom = utils.safe_minidom_parse_string(datastring)
         metadata_node = self.find_first_child_named(dom, "metadata")
         metadata = self.extract_metadata(metadata_node)
         return {'body': {'metadata': metadata}}
@@ -285,7 +286,7 @@
         return self._extract_metadata_container(datastring)
 
     def update(self, datastring):
-        dom = minidom.parseString(datastring)
+        dom = utils.safe_minidom_parse_string(datastring)
         metadata_item = self.extract_metadata(dom)
         return {'body': {'meta': metadata_item}}
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/cinder-2012.2.4/cinder/api/openstack/volume/contrib/volume_actions.py 
new/cinder-2012.2.4/cinder/api/openstack/volume/contrib/volume_actions.py
--- old/cinder-2012.2.4/cinder/api/openstack/volume/contrib/volume_actions.py   
2013-02-04 15:45:39.000000000 +0100
+++ new/cinder-2012.2.4/cinder/api/openstack/volume/contrib/volume_actions.py   
2013-02-20 01:47:59.000000000 +0100
@@ -13,7 +13,6 @@
 #   under the License.
 
 import webob
-from xml.dom import minidom
 
 from cinder.api.openstack import extensions
 from cinder.api.openstack import wsgi
@@ -23,6 +22,7 @@
 from cinder import flags
 from cinder.openstack.common import log as logging
 from cinder.openstack.common.rpc import common as rpc_common
+from cinder import utils
 
 
 FLAGS = flags.FLAGS
@@ -54,7 +54,7 @@
 class VolumeToImageDeserializer(wsgi.XMLDeserializer):
     """Deserializer to handle xml-formatted requests"""
     def default(self, string):
-        dom = minidom.parseString(string)
+        dom = utils.safe_minidom_parse_string(string)
         action_node = dom.childNodes[0]
         action_name = action_node.tagName
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/cinder-2012.2.4/cinder/api/openstack/volume/volumes.py 
new/cinder-2012.2.4/cinder/api/openstack/volume/volumes.py
--- old/cinder-2012.2.4/cinder/api/openstack/volume/volumes.py  2013-02-04 
15:45:39.000000000 +0100
+++ new/cinder-2012.2.4/cinder/api/openstack/volume/volumes.py  2013-02-20 
01:47:59.000000000 +0100
@@ -17,7 +17,6 @@
 
 from webob import exc
 import webob
-from xml.dom import minidom
 
 from cinder.api.openstack import common
 from cinder.api.openstack import wsgi
@@ -194,7 +193,7 @@
 
     def default(self, string):
         """Deserialize an xml-formatted volume create request."""
-        dom = minidom.parseString(string)
+        dom = utils.safe_minidom_parse_string(string)
         volume = self._extract_volume(dom)
         return {'body': {'volume': volume}}
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/cinder-2012.2.4/cinder/api/openstack/wsgi.py 
new/cinder-2012.2.4/cinder/api/openstack/wsgi.py
--- old/cinder-2012.2.4/cinder/api/openstack/wsgi.py    2013-02-04 
15:45:39.000000000 +0100
+++ new/cinder-2012.2.4/cinder/api/openstack/wsgi.py    2013-02-20 
01:47:59.000000000 +0100
@@ -24,6 +24,7 @@
 from cinder import wsgi
 from cinder.openstack.common import log as logging
 from cinder.openstack.common import jsonutils
+from cinder import utils
 
 from lxml import etree
 from xml.dom import minidom
@@ -151,7 +152,7 @@
         plurals = set(self.metadata.get('plurals', {}))
 
         try:
-            node = minidom.parseString(datastring).childNodes[0]
+            node = utils.safe_minidom_parse_string(datastring).childNodes[0]
             return {node.nodeName: self._from_xml_node(node, plurals)}
         except expat.ExpatError:
             msg = _("cannot understand XML")
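Review bot: The `except expat.ExpatError:` following the new call does not cover the `ValueError` that `safe_minidom_parse_string` raises when the body carries an inline DTD or `<!ENTITY>` declaration (ProtectedExpatParser raises ValueError, and the utils hunk maps only SAXParseException to ExpatError; the new test asserts ValueError for exactly that input), so such a request escapes this handler as an unhandled exception instead of the "cannot understand XML" response. Catching both keeps the rejection uniform: `except (expat.ExpatError, ValueError):`. The same applies to `action_peek_xml` in the next hunk and to the callers in common.py, volume_actions.py and volumes.py, none of which show a handler in their hunks. The enclosing method starts outside the hunk.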
@@ -548,7 +549,7 @@
 def action_peek_xml(body):
     """Determine action to invoke."""
 
-    dom = minidom.parseString(body)
+    dom = utils.safe_minidom_parse_string(body)
     action_node = dom.childNodes[0]
 
     return action_node.tagName
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/cinder-2012.2.4/cinder/tests/test_utils.py 
new/cinder-2012.2.4/cinder/tests/test_utils.py
--- old/cinder-2012.2.4/cinder/tests/test_utils.py      2013-02-04 
15:45:39.000000000 +0100
+++ new/cinder-2012.2.4/cinder/tests/test_utils.py      2013-02-20 
01:47:59.000000000 +0100
@@ -423,6 +423,39 @@
         result = utils.service_is_up(service)
         self.assertFalse(result)
 
+    def test_safe_parse_xml(self):
+
+        normal_body = ("""
+                 <?xml version="1.0" ?><foo>
+                    <bar>
+                        <v1>hey</v1>
+                        <v2>there</v2>
+                    </bar>
+                </foo>""").strip()
+
+        def killer_body():
+            return (("""<!DOCTYPE x [
+                    <!ENTITY a "%(a)s">
+                    <!ENTITY b "%(b)s">
+                    <!ENTITY c "%(c)s">]>
+                <foo>
+                    <bar>
+                        <v1>%(d)s</v1>
+                    </bar>
+                </foo>""") % {
+                'a': 'A' * 10,
+                'b': '&a;' * 10,
+                'c': '&b;' * 10,
+                'd': '&c;' * 9999,
+            }).strip()
+
+        dom = utils.safe_minidom_parse_string(normal_body)
+        self.assertEqual(normal_body, str(dom.toxml()))
+
+        self.assertRaises(ValueError,
+                          utils.safe_minidom_parse_string,
+                          killer_body())
+
     def test_xhtml_escape(self):
         self.assertEqual('&quot;foo&quot;', utils.xhtml_escape('"foo"'))
         self.assertEqual('&apos;foo&apos;', utils.xhtml_escape("'foo'"))
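Review bot: `test_safe_parse_xml` exercises only the well-formed body and the entity-expansion body; the `SAXParseException` to `ExpatError` translation in `safe_minidom_parse_string` has no test, so a regression that let `SAXParseException` escape would still pass. One more assertion pins it: `self.assertRaises(expat.ExpatError, utils.safe_minidom_parse_string, '<foo><bar></foo>')`, with `from xml.parsers import expat` added to the test module if it is not already imported there. A plain `<!DOCTYPE x>` without any entity would also be a useful case, since it checks that the doctype handler alone rejects the document.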
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/cinder-2012.2.4/cinder/utils.py 
new/cinder-2012.2.4/cinder/utils.py
--- old/cinder-2012.2.4/cinder/utils.py 2013-02-04 15:45:39.000000000 +0100
+++ new/cinder-2012.2.4/cinder/utils.py 2013-02-20 01:47:59.000000000 +0100
@@ -42,6 +42,10 @@
 import types
 import uuid
 import warnings
+from xml.dom import minidom
+from xml.parsers import expat
+from xml import sax
+from xml.sax import expatreader
 from xml.sax import saxutils
 
 from eventlet import event
@@ -542,6 +546,46 @@
         return self.done.wait()
 
 
+class ProtectedExpatParser(expatreader.ExpatParser):
+    """An expat parser which disables DTD's and entities by default."""
+
+    def __init__(self, forbid_dtd=True, forbid_entities=True,
+                 *args, **kwargs):
+        # Python 2.x old style class
+        expatreader.ExpatParser.__init__(self, *args, **kwargs)
+        self.forbid_dtd = forbid_dtd
+        self.forbid_entities = forbid_entities
+
+    def start_doctype_decl(self, name, sysid, pubid, has_internal_subset):
+        raise ValueError("Inline DTD forbidden")
+
+    def entity_decl(self, entityName, is_parameter_entity, value, base,
+                    systemId, publicId, notationName):
+        raise ValueError("<!ENTITY> forbidden")
+
+    def unparsed_entity_decl(self, name, base, sysid, pubid, notation_name):
+        # expat 1.2
+        raise ValueError("<!ENTITY> forbidden")
+
+    def reset(self):
+        expatreader.ExpatParser.reset(self)
+        if self.forbid_dtd:
+            self._parser.StartDoctypeDeclHandler = self.start_doctype_decl
+        if self.forbid_entities:
+            self._parser.EntityDeclHandler = self.entity_decl
+            self._parser.UnparsedEntityDeclHandler = self.unparsed_entity_decl
+
+
+def safe_minidom_parse_string(xml_string):
+    """Parse an XML string using minidom safely.
+
+    """
+    try:
+        return minidom.parseString(xml_string, parser=ProtectedExpatParser())
+    except sax.SAXParseException as se:
+        raise expat.ExpatError()
+
+
 def xhtml_escape(value):
     """Escapes a string so it is valid within XML or XHTML.
 
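Review bot: `safe_minidom_parse_string` discards the parse error it catches: `except sax.SAXParseException as se:` binds `se` and then raises a bare `expat.ExpatError()`, so the reason and position of the failed parse never reach callers or logs; `raise expat.ExpatError(str(se))` keeps them. The docstring should also state both failure modes the code has, since they differ: `ValueError` for an inline DTD or `<!ENTITY>` declaration (raised by ProtectedExpatParser's handlers) and `ExpatError` for otherwise malformed input, so that callers catching only `ExpatError` know what they miss. As a point of style, `ProtectedExpatParser.__init__` puts `forbid_dtd` and `forbid_entities` ahead of `*args`, so a positional argument meant for `ExpatParser` would be consumed as `forbid_dtd`; pulling them from `kwargs` with `kwargs.pop('forbid_dtd', True)` avoids that.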
