[tryton-debian-vcs] tryton-server branch debian-jessie-2.8 updated. debian/2.8.10-1-2-g9f5250e
Mathias Behrle
tryton-debian-vcs at alioth.debian.org
Tue Sep 30 10:54:16 UTC 2014
The following commit has been merged in the debian-jessie-2.8 branch:
https://alioth.debian.org/plugins/scmgit/cgi-bin/gitweb.cgi/?p=tryton/tryton-server.git;a=commitdiff;h=debian/2.8.10-1-2-g9f5250e
commit 9f5250e1509f6a048c814ade6b8d0f2d37a1a09a
Author: Mathias Behrle <mathiasb at m9s.biz>
Date: Tue Sep 30 12:16:18 2014 +0200
Releasing debian version 2.8.11-1.
Signed-off-by: Mathias Behrle <mathiasb at m9s.biz>
diff --git a/debian/changelog b/debian/changelog
index 0411602..c4281de 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+tryton-server (2.8.11-1) unstable; urgency=high
+
+ * Merging upstream version 2.8.11.
+ * Contains fixes for CVE-2014-6633. This patch introduces fixes to not
+ allow double underscores in safe_eval and uses literal_eval wherever
+ possible. S.a https://bugs.tryton.org/issue4155.
+
+ -- Mathias Behrle <mathiasb at m9s.biz> Tue, 30 Sep 2014 12:16:17 +0200
+
tryton-server (2.8.10-1) unstable; urgency=medium
* Merging upstream version 2.8.10.
commit 49523541a641a75f814096a05539d9c8a8ed2087
Author: Mathias Behrle <mathiasb at m9s.biz>
Date: Tue Sep 30 12:16:15 2014 +0200
Merging upstream version 2.8.11.
diff --git a/CHANGELOG b/CHANGELOG
index ad7c4f9..213becf 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,8 @@
+Version 2.8.11 - 2014-09-29
+* Bug fixes (see mercurial logs for details)
+* Use literal_eval instead of safe_eval (CVE-2014-6633)
+* Prevent double underscore in safe_eval (CVE-2014-6633)
+
Version 2.8.10 - 2014-08-03
* Bug fixes (see mercurial logs for details)
diff --git a/PKG-INFO b/PKG-INFO
index 3576221..18cf148 100644
--- a/PKG-INFO
+++ b/PKG-INFO
@@ -1,6 +1,6 @@
Metadata-Version: 1.1
Name: trytond
-Version: 2.8.10
+Version: 2.8.11
Summary: Tryton server
Home-page: http://www.tryton.org/
Author: Tryton
diff --git a/trytond.egg-info/PKG-INFO b/trytond.egg-info/PKG-INFO
index 3576221..18cf148 100644
--- a/trytond.egg-info/PKG-INFO
+++ b/trytond.egg-info/PKG-INFO
@@ -1,6 +1,6 @@
Metadata-Version: 1.1
Name: trytond
-Version: 2.8.10
+Version: 2.8.11
Summary: Tryton server
Home-page: http://www.tryton.org/
Author: Tryton
diff --git a/trytond/ir/cron.py b/trytond/ir/cron.py
index 320b9c1..7c18bb3 100644
--- a/trytond/ir/cron.py
+++ b/trytond/ir/cron.py
@@ -6,9 +6,9 @@ from dateutil.relativedelta import relativedelta
import traceback
import sys
import logging
+from ast import literal_eval
from ..model import ModelView, ModelSQL, fields
-from ..tools import safe_eval
from ..transaction import Transaction
from ..pool import Pool
from ..backend import TableHandler
@@ -149,7 +149,7 @@ class Cron(ModelSQL, ModelView):
pool = Pool()
Config = pool.get('ir.configuration')
try:
- args = (cron.args or []) and safe_eval(cron.args)
+ args = (cron.args or []) and literal_eval(cron.args)
Model = pool.get(cron.model)
with Transaction().set_user(cron.user.id):
getattr(Model, cron.function)(*args)
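Review bot: A stored `args` value that parses to a non-sequence literal (for example `5` or `'x'`) passes `literal_eval` on the changed line and then fails at `*args` on the `getattr` call, and `literal_eval` itself raises `ValueError`/`SyntaxError` for anything that is not a literal; both presumably land in the `except` clause below the hunk, indistinguishable from a failure of the cron function itself. Add a type guard after the changed line: `if not isinstance(args, (list, tuple)): raise ValueError('cron args must be a list or tuple literal')`. Separately, `getattr(Model, cron.function)` still dispatches on a name taken from the record with no restriction to intended entry points, which is worth a check if cron records are editable by non-administrators. The `try` block's handler and the rest of the method are outside the hunk.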
diff --git a/trytond/ir/lang.py b/trytond/ir/lang.py
index b8bf92d..169e02f 100644
--- a/trytond/ir/lang.py
+++ b/trytond/ir/lang.py
@@ -2,10 +2,11 @@
#this repository contains the full copyright notices and license terms.
import datetime
import warnings
+from ast import literal_eval
from ..model import ModelView, ModelSQL, fields
from ..cache import Cache
-from ..tools import safe_eval, datetime_strftime
+from ..tools import datetime_strftime
from ..transaction import Transaction
from ..pool import Pool
from .time_locale import TIME_LOCALE
@@ -132,7 +133,7 @@ class Lang(ModelSQL, ModelView):
'''
for lang in langs:
try:
- grouping = safe_eval(lang.grouping)
+ grouping = literal_eval(lang.grouping)
for i in grouping:
if not isinstance(i, int):
raise
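Review bot: The loop after the changed line validates each element but not the container, so a dict or set literal (`{3: 3}` or `{3}` iterates over ints) is accepted as a grouping although the formatting code expects a sequence; add `if not isinstance(grouping, (list, tuple)): raise ValueError('grouping must be a list of ints')` before the `for`. The bare `raise` at the end of the hunk runs with no active exception and so produces a `TypeError` about `NoneType` rather than a descriptive error; raising `ValueError` explicitly would document the intent and keep the handler below the hunk (not visible here) from relying on that accident. The enclosing method starts and ends outside the hunk.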
@@ -245,10 +246,10 @@ class Lang(ModelSQL, ModelView):
if monetary:
thousands_sep = monetary.mon_thousands_sep
- grouping = safe_eval(monetary.mon_grouping)
+ grouping = literal_eval(monetary.mon_grouping)
else:
thousands_sep = lang.thousands_sep
- grouping = safe_eval(lang.grouping)
+ grouping = literal_eval(lang.grouping)
if not grouping:
return (s, 0)
if s[-1] == ' ':
diff --git a/trytond/res/user.py b/trytond/res/user.py
index 516f833..a300d49 100644
--- a/trytond/res/user.py
+++ b/trytond/res/user.py
@@ -9,10 +9,10 @@ import time
import datetime
from itertools import groupby, ifilter
from operator import attrgetter
+from ast import literal_eval
from ..model import ModelView, ModelSQL, fields
from ..wizard import Wizard, StateView, Button, StateTransition
-from ..tools import safe_eval
from ..backend import TableHandler
from ..transaction import Transaction
from ..cache import Cache
@@ -328,7 +328,7 @@ class User(ModelSQL, ModelView):
date = date.replace(i, j)
res['locale'] = {
'date': date,
- 'grouping': safe_eval(user.language.grouping),
+ 'grouping': literal_eval(user.language.grouping),
'decimal_point': user.language.decimal_point,
'thousands_sep': user.language.thousands_sep,
}
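Review bot: `literal_eval(user.language.grouping)` on the changed line is unguarded, so a stored grouping that is not a valid Python literal raises `SyntaxError`/`ValueError` out of this preferences method, and a literal that is not a list (which `literal_eval` accepts) is sent to the client as-is. If this relies on the validation done in `ir.lang`, say so on the line: `# grouping is validated as a list of ints when the language is saved`; otherwise wrap the value with `grouping = literal_eval(...)` followed by `if not isinstance(grouping, list): grouping = []`. The enclosing method starts and ends outside the hunk.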
diff --git a/trytond/tests/test_tools.py b/trytond/tests/test_tools.py
index 3a04553..dc54c96 100644
--- a/trytond/tests/test_tools.py
+++ b/trytond/tests/test_tools.py
@@ -78,10 +78,8 @@ class ToolsTestCase(unittest.TestCase):
self.assertRaises(Exception, safe_eval, "open('test.txt', 'w')")
def test0061safe_eval_getattr(self):
- '''
- Attempt to get arround direct attr access.
- '''
- self.assertRaises(Exception, safe_eval, "getattr(int, '__abs__')")
+ 'Attempt to get arround direct attr access'
+ self.assertRaises(NameError, safe_eval, "getattr(int, 'real')")
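Review bot: The rewritten `test0061safe_eval_getattr` no longer exercises the dunder path at all: `getattr(int, 'real')` fails on the missing `getattr` builtin (`NameError`), which says nothing about the double-underscore rejection this release adds, so the CVE-2014-6633 fix ships without a regression test. Add a case that hits the new check directly, `self.assertRaises(ValueError, safe_eval, "().__class__")`, and one documenting that the check is on the source text and so also rejects string data such as `self.assertRaises(ValueError, safe_eval, "'a__b'")`. The docstring typo `arround` should read `around`. The next test method begins on the last line of the hunk and continues outside it.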
def test0062safe_eval_func_globals(self):
'''
diff --git a/trytond/tools/misc.py b/trytond/tools/misc.py
index a632f7c..b6246b7 100644
--- a/trytond/tools/misc.py
+++ b/trytond/tools/misc.py
@@ -403,8 +403,8 @@ def _compile_source(source):
def safe_eval(source, data=None):
- if '__subclasses__' in source:
- raise ValueError('__subclasses__ not allowed')
+ if '__' in source:
+ raise ValueError('Double underscores not allowed')
comp = _compile_source(source)
return eval(comp, {'__builtins__': {
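Review bot: The `'__' in source` test on the changed lines is a substring denylist on the source text, not a check on what the expression does: it rejects harmless string data containing `__`, and it does not see an identifier spelled with escapes inside a string literal (`'\x5f\x5fclass\x5f\x5f'`), which matters wherever a string can be turned into an attribute lookup, e.g. `str.format` field syntax `'{0.\x5f\x5fclass\x5f\x5f}'.format(x)` on any object in `data`. The precise form is a walk over the parsed AST rejecting `ast.Attribute`/`ast.Name` nodes whose identifier starts with `_` and treating `.format` like the already-absent `getattr`; this needs `import ast` in misc.py, which is outside the hunk. Since `eval` of the compiled code remains (the call continues past the hunk), callers that only need data should keep moving to `literal_eval` as this commit does in the other files.
```python
def safe_eval(source, data=None):
    if '__' in source:
        raise ValueError('Double underscores not allowed')
    # Check the AST as well: identifiers must not be private, and str.format
    # is rejected because its field syntax performs attribute lookup.
    for node in ast.walk(ast.parse(source, mode='eval')):
        if isinstance(node, ast.Attribute) and (
                node.attr.startswith('_') or node.attr == 'format'):
            raise ValueError('Attribute %s not allowed' % node.attr)
        if isinstance(node, ast.Name) and node.id.startswith('_'):
            raise ValueError('Name %s not allowed' % node.id)
    comp = _compile_source(source)
    # … unchanged: eval(comp, {'__builtins__': {...}}, data) …
```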
diff --git a/trytond/version.py b/trytond/version.py
index 3b3cc4a..1a7efe7 100644
--- a/trytond/version.py
+++ b/trytond/version.py
@@ -1,6 +1,6 @@
#This file is part of Tryton. The COPYRIGHT file at the top level of
#this repository contains the full copyright notices and license terms.
PACKAGE = "trytond"
-VERSION = "2.8.10"
+VERSION = "2.8.11"
LICENSE = "GPL-3"
WEBSITE = "http://www.tryton.org/"
diff --git a/trytond/webdav/webdav.py b/trytond/webdav/webdav.py
index 258955a..c52c662 100644
--- a/trytond/webdav/webdav.py
+++ b/trytond/webdav/webdav.py
@@ -8,9 +8,11 @@ import socket
import encodings
import uuid
import datetime
+from ast import literal_eval
+
from dateutil.relativedelta import relativedelta
from trytond.model import ModelView, ModelSQL, fields
-from trytond.tools import reduce_ids, safe_eval
+from trytond.tools import reduce_ids
from trytond.transaction import Transaction
from trytond.pool import Pool
from trytond.config import CONFIG
@@ -299,7 +301,7 @@ class Collection(ModelSQL, ModelView):
if not Model:
return res
models = Model.search(
- safe_eval(collection.domain or "[]"))
+ literal_eval(collection.domain))
for child in models:
if '/' in child.rec_name:
continue
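Review bot: The changed line drops the `or "[]"` fallback the old call had, so a collection whose `domain` is empty or NULL now makes `literal_eval` raise (`SyntaxError` for `''`, `ValueError` for `None`) instead of searching with an empty domain; unless `domain` is a required field with a default (not visible here), restore it as `literal_eval(collection.domain or '[]')`. `literal_eval` also accepts any literal, so a stored domain such as `'x'` would be handed straight to `Model.search`; assigning the result to a local and checking `if not isinstance(domain, list): raise ValueError('domain must be a list')` covers that. The enclosing method starts and ends outside the hunk.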
@@ -753,7 +755,7 @@ class Attachment(ModelSQL, ModelView):
model_name = collection.model.model
Model = pool.get(model_name)
ids = list(resources[model_name])
- domain = safe_eval(collection.domain or '[]')
+ domain = literal_eval(collection.domain)
domain = [domain, ('id', 'in', ids)]
records = Model.search(domain)
for record in records:
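Review bot: The changed line loses the `or '[]'` default of the old `safe_eval` call, so an attachment lookup on a collection with an empty or NULL `domain` now raises from `literal_eval` rather than falling back to an unrestricted search; unless the field is guaranteed non-empty (not visible here), use `domain = literal_eval(collection.domain or '[]')`. The next line wraps the result as `[domain, ('id', 'in', ids)]`, which only makes sense when `domain` is a list, so a `if not isinstance(domain, list): raise ValueError('domain must be a list')` guard between the two lines would turn a malformed record into a clear error. The enclosing method starts and ends outside the hunk.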