Hello community, here is the log from the commit of package python3-tornado for openSUSE:Factory checked in at 2015-08-01 11:35:05 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python3-tornado (Old) and /work/SRC/openSUSE:Factory/.python3-tornado.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python3-tornado"
Changes:
--------
--- /work/SRC/openSUSE:Factory/python3-tornado/python3-tornado.changes 2015-06-01 09:51:39.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.python3-tornado.new/python3-tornado.changes 2015-08-01 11:35:07.000000000 +0200
@@ -1,0 +2,9 @@
+Sat Jul 18 21:15:38 UTC 2015 - a...@gmx.de
+
+- update to version 4.2.1:
+  * This release fixes a path traversal vulnerability in
+    StaticFileHandler, in which files whose names started with the
+    static_path directory but were not actually in that directory
+    could be accessed.
+
+-------------------------------------------------------------------
Old:
----
  tornado-4.2.tar.gz
New:
----
  tornado-4.2.1.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python3-tornado.spec ++++++
--- /var/tmp/diff_new_pack.ezsdJn/_old 2015-08-01 11:35:08.000000000 +0200
+++ /var/tmp/diff_new_pack.ezsdJn/_new 2015-08-01 11:35:08.000000000 +0200
@@ -17,7 +17,7 @@
 Name: python3-tornado
-Version: 4.2
+Version: 4.2.1
 Release: 0
 Url: http://www.tornadoweb.org
 Summary: Open source version of scalable, non-blocking web server that power FriendFeed
++++++ tornado-4.2.tar.gz -> tornado-4.2.1.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tornado-4.2/MANIFEST.in new/tornado-4.2.1/MANIFEST.in
--- old/tornado-4.2/MANIFEST.in 2015-05-10 03:35:55.000000000 +0200
+++ new/tornado-4.2.1/MANIFEST.in 2015-07-17 17:31:34.000000000 +0200
@@ -9,6 +9,7 @@
 include tornado/test/options_test.cfg
 include tornado/test/static/robots.txt
 include tornado/test/static/dir/index.html
+include tornado/test/static_foo.txt
 include tornado/test/templates/utf8.html
 include tornado/test/test.crt
 include tornado/test/test.key
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tornado-4.2/PKG-INFO new/tornado-4.2.1/PKG-INFO
--- old/tornado-4.2/PKG-INFO 2015-05-27 03:49:14.000000000 +0200
+++ new/tornado-4.2.1/PKG-INFO 2015-07-17 17:50:27.000000000 +0200
@@ -1,6 +1,6 @@
 Metadata-Version: 1.1
 Name: tornado
-Version: 4.2
+Version: 4.2.1
 Summary: Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.
 Home-page: http://www.tornadoweb.org/
 Author: Facebook
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tornado-4.2/docs/releases/v4.2.1.rst new/tornado-4.2.1/docs/releases/v4.2.1.rst
--- old/tornado-4.2/docs/releases/v4.2.1.rst 1970-01-01 01:00:00.000000000 +0100
+++ new/tornado-4.2.1/docs/releases/v4.2.1.rst 2015-07-17 17:46:10.000000000 +0200
@@ -0,0 +1,12 @@
+What's new in Tornado 4.2.1
+===========================
+
+Jul 17, 2015
+------------
+
+Security fix
+~~~~~~~~~~~~
+
+* This release fixes a path traversal vulnerability in `.StaticFileHandler`,
+  in which files whose names *started with* the ``static_path`` directory
+  but were not actually *in* that directory could be accessed.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tornado-4.2/docs/releases.rst new/tornado-4.2.1/docs/releases.rst
--- old/tornado-4.2/docs/releases.rst 2015-05-10 19:08:03.000000000 +0200
+++ new/tornado-4.2.1/docs/releases.rst 2015-07-17 17:39:36.000000000 +0200
@@ -4,6 +4,7 @@
 .. toctree::
    :maxdepth: 2
 
+   releases/v4.2.1
    releases/v4.2.0
    releases/v4.1.0
    releases/v4.0.2
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tornado-4.2/setup.cfg new/tornado-4.2.1/setup.cfg
--- old/tornado-4.2/setup.cfg 2015-05-27 03:49:14.000000000 +0200
+++ new/tornado-4.2.1/setup.cfg 2015-07-17 17:50:27.000000000 +0200
@@ -1,5 +1,5 @@
 [egg_info]
-tag_svn_revision = 0
 tag_date = 0
 tag_build = 
+tag_svn_revision = 0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tornado-4.2/setup.py new/tornado-4.2.1/setup.py
--- old/tornado-4.2/setup.py 2015-05-27 03:44:57.000000000 +0200
+++ new/tornado-4.2.1/setup.py 2015-07-17 17:39:13.000000000 +0200
@@ -99,7 +99,7 @@
 kwargs = {}
-version = "4.2"
+version = "4.2.1"
 with open('README.rst') as f:
     kwargs['long_description'] = f.read()
@@ -147,6 +147,7 @@
             "options_test.cfg",
             "static/robots.txt",
             "static/dir/index.html",
+            "static_foo.txt",
             "templates/utf8.html",
             "test.crt",
             "test.key",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tornado-4.2/tornado/__init__.py new/tornado-4.2.1/tornado/__init__.py
--- old/tornado-4.2/tornado/__init__.py 2015-05-27 03:44:57.000000000 +0200
+++ new/tornado-4.2.1/tornado/__init__.py 2015-07-17 17:39:26.000000000 +0200
@@ -25,5 +25,5 @@
 # is zero for an official release, positive for a development branch,
 # or negative for a release candidate or beta (after the base version
 # number has been incremented)
-version = "4.2"
-version_info = (4, 2, 0, 0)
+version = "4.2.1"
+version_info = (4, 2, 1, 0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tornado-4.2/tornado/test/static_foo.txt new/tornado-4.2.1/tornado/test/static_foo.txt
--- old/tornado-4.2/tornado/test/static_foo.txt 1970-01-01 01:00:00.000000000 +0100
+++ new/tornado-4.2.1/tornado/test/static_foo.txt 2015-07-17 17:31:34.000000000 +0200
@@ -0,0 +1,2 @@
+This file should not be served by StaticFileHandler even though
+its name starts with "static".
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tornado-4.2/tornado/test/web_test.py new/tornado-4.2.1/tornado/test/web_test.py
--- old/tornado-4.2/tornado/test/web_test.py 2015-05-25 18:40:32.000000000 +0200
+++ new/tornado-4.2.1/tornado/test/web_test.py 2015-07-17 17:36:47.000000000 +0200
@@ -1181,6 +1181,15 @@
         response = self.get_and_head('/static/blarg')
         self.assertEqual(response.code, 404)
 
+    def test_path_traversal_protection(self):
+        with ExpectLog(gen_log, ".*not in root static directory"):
+            response = self.get_and_head('/static/../static_foo.txt')
+            # Attempted path traversal should result in 403, not 200
+            # (which means the check failed and the file was served)
+            # or 404 (which means that the file didn't exist and
+            # is probably a packaging error).
+            self.assertEqual(response.code, 403)
+
 
 @wsgi_safe
 class StaticDefaultFilenameTest(WebTestCase):
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tornado-4.2/tornado/web.py new/tornado-4.2.1/tornado/web.py
--- old/tornado-4.2/tornado/web.py 2015-05-10 03:53:54.000000000 +0200
+++ new/tornado-4.2.1/tornado/web.py 2015-07-17 17:31:34.000000000 +0200
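Review bot: test_path_traversal_protection depends on the test client transmitting the `..` segment of `/static/../static_foo.txt` verbatim; if the suite is ever run with the curl-based client, libcurl's default dot-segment squashing may rewrite the request path before it is sent, so the server sees `/static_foo.txt`, answers 404 and the regression test silently stops exercising the root check. A short comment above the `get_and_head` call, such as `# relies on the test client sending '..' unnormalized`, would record that assumption. The `ExpectLog` pattern is what ties the 403 to the root check in web.py rather than to some other handler, so the two strings need to be kept in step if either is reworded. The enclosing test class starts before this hunk.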
@@ -2376,9 +2376,13 @@
         .. versionadded:: 3.1
         """
 
-        root = os.path.abspath(root)
-        # os.path.abspath strips a trailing /
-        # it needs to be temporarily added back for requests to root/
+        # os.path.abspath strips a trailing /.
+        # We must add it back to `root` so that we only match files
+        # in a directory named `root` instead of files starting with
+        # that prefix.
+        root = os.path.abspath(root) + os.path.sep
+        # The trailing slash also needs to be temporarily added back
+        # the requested path so a request to root/ will match.
         if not (absolute_path + os.path.sep).startswith(root):
             raise HTTPError(403, "%s is not in root static directory",
                             self.path)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tornado-4.2/tornado.egg-info/PKG-INFO new/tornado-4.2.1/tornado.egg-info/PKG-INFO
--- old/tornado-4.2/tornado.egg-info/PKG-INFO 2015-05-27 03:49:08.000000000 +0200
+++ new/tornado-4.2.1/tornado.egg-info/PKG-INFO 2015-07-17 17:50:19.000000000 +0200
@@ -1,6 +1,6 @@
 Metadata-Version: 1.1
 Name: tornado
-Version: 4.2
+Version: 4.2.1
 Summary: Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.
 Home-page: http://www.tornadoweb.org/
 Author: Facebook
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tornado-4.2/tornado.egg-info/SOURCES.txt new/tornado-4.2.1/tornado.egg-info/SOURCES.txt
--- old/tornado-4.2/tornado.egg-info/SOURCES.txt 2015-05-27 03:49:13.000000000 +0200
+++ new/tornado-4.2.1/tornado.egg-info/SOURCES.txt 2015-07-17 17:50:26.000000000 +0200
@@ -131,6 +131,7 @@
 docs/releases/v4.0.2.rst
 docs/releases/v4.1.0.rst
 docs/releases/v4.2.0.rst
+docs/releases/v4.2.1.rst
 tornado/__init__.py
 tornado/auth.py
 tornado/autoreload.py
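Review bot: `root = os.path.abspath(root) + os.path.sep` yields a doubled separator when the static root resolves to the filesystem root, because `os.path.abspath` keeps the trailing separator in that one case; no absolute path starts with `//`, so every request would then be rejected with 403. Appending only when needed avoids that: `root = os.path.abspath(root)` / `if not root.endswith(os.path.sep):` / `    root += os.path.sep`. The new comment `temporarily added back the requested path` is missing a word; `temporarily added back to the requested path` reads correctly. Since `abspath` does not resolve symlinks, this remains a textual prefix check on the normalized path, and a symlink inside the root that points outside it is still followed; the docstring should say so if that is the intended contract. validate_absolute_path starts before this hunk and continues after it.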
@@ -204,6 +205,7 @@
 tornado/test/runtests.py
 tornado/test/simple_httpclient_test.py
 tornado/test/stack_context_test.py
+tornado/test/static_foo.txt
 tornado/test/tcpclient_test.py
 tornado/test/tcpserver_test.py
 tornado/test/template_test.py