[tryton-debian-vcs] tryton-server branch upstream-3.0 updated. upstream/3.0.6-1-g09e34e6

Mathias Behrle tryton-debian-vcs at alioth.debian.org
Tue Sep 30 14:16:28 UTC 2014


The following commit has been merged in the upstream-3.0 branch:
https://alioth.debian.org/plugins/scmgit/cgi-bin/gitweb.cgi/?p=tryton/tryton-server.git;a=commitdiff;h=upstream/3.0.6-1-g09e34e6

commit 09e34e6d6c7067b32aebf21281b2e54f2f58c433
Author: Mathias Behrle <mathiasb at m9s.biz>
Date:   Tue Sep 30 12:19:59 2014 +0200

    Adding upstream version 3.0.7.
    
    Signed-off-by: Mathias Behrle <mathiasb at m9s.biz>

diff --git a/CHANGELOG b/CHANGELOG
index 0662f72..67b1862 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,8 @@
+Version 3.0.7 - 2014-09-29
+* Bug fixes (see mercurial logs for details)
+* Use literal_eval instead of safe_eval (CVE-2014-6633)
+* Prevent double underscore in safe_eval (CVE-2014-6633)
+
 Version 3.0.6 - 2014-08-03
 * Bug fixes (see mercurial logs for details)
 
diff --git a/PKG-INFO b/PKG-INFO
index dc47e60..998ae66 100644
--- a/PKG-INFO
+++ b/PKG-INFO
@@ -1,6 +1,6 @@
 Metadata-Version: 1.1
 Name: trytond
-Version: 3.0.6
+Version: 3.0.7
 Summary: Tryton server
 Home-page: http://www.tryton.org/
 Author: Tryton
diff --git a/trytond.egg-info/PKG-INFO b/trytond.egg-info/PKG-INFO
index dc47e60..998ae66 100644
--- a/trytond.egg-info/PKG-INFO
+++ b/trytond.egg-info/PKG-INFO
@@ -1,6 +1,6 @@
 Metadata-Version: 1.1
 Name: trytond
-Version: 3.0.6
+Version: 3.0.7
 Summary: Tryton server
 Home-page: http://www.tryton.org/
 Author: Tryton
diff --git a/trytond/ir/cron.py b/trytond/ir/cron.py
index 904a2fd..c50fb1d 100644
--- a/trytond/ir/cron.py
+++ b/trytond/ir/cron.py
@@ -8,9 +8,10 @@ import sys
 import logging
 from email.mime.text import MIMEText
 from email.header import Header
+from ast import literal_eval
 
 from ..model import ModelView, ModelSQL, fields
-from ..tools import safe_eval, get_smtp_server
+from ..tools import get_smtp_server
 from ..transaction import Transaction
 from ..pool import Pool
 from .. import backend
@@ -157,7 +158,7 @@ class Cron(ModelSQL, ModelView):
         pool = Pool()
         Config = pool.get('ir.configuration')
         try:
-            args = (cron.args or []) and safe_eval(cron.args)
+            args = (cron.args or []) and literal_eval(cron.args)
             Model = pool.get(cron.model)
             with Transaction().set_user(cron.user.id):
                 getattr(Model, cron.function)(*args)
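Review bot: The new line `args = (cron.args or []) and literal_eval(cron.args)` accepts any Python literal, but the call `getattr(Model, cron.function)(*args)` two lines below requires a sequence, so a stored value such as `'1'` or `'{}'` would parse fine and then fail at the star-unpacking with a TypeError rather than a clear message. Since `literal_eval` can also raise ValueError or SyntaxError on a malformed string, both presumably land in the `try:` on the preceding line, whose `except` clause is outside the hunk. I would make the expectation explicit: `args = literal_eval(cron.args) if cron.args else []` followed by `if not isinstance(args, (list, tuple)): raise ValueError('cron args must be a list or tuple')`. The enclosing method starts and ends outside the hunk.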
diff --git a/trytond/ir/lang.py b/trytond/ir/lang.py
index d2270b9..6bda1f6 100644
--- a/trytond/ir/lang.py
+++ b/trytond/ir/lang.py
@@ -2,10 +2,11 @@
 #this repository contains the full copyright notices and license terms.
 import datetime
 import warnings
+from ast import literal_eval
 
 from ..model import ModelView, ModelSQL, fields
 from ..cache import Cache
-from ..tools import safe_eval, datetime_strftime
+from ..tools import datetime_strftime
 from ..transaction import Transaction
 from ..pool import Pool
 from .time_locale import TIME_LOCALE
@@ -132,7 +133,7 @@ class Lang(ModelSQL, ModelView):
         '''
         for lang in langs:
             try:
-                grouping = safe_eval(lang.grouping)
+                grouping = literal_eval(lang.grouping)
                 for i in grouping:
                     if not isinstance(i, int):
                         raise
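Review bot: The validation that follows the new `grouping = literal_eval(lang.grouping)` line ends in a bare `raise` with no exception active, which in CPython surfaces as a RuntimeError ("No active exception to reraise") rather than a validation error; the `except` that presumably catches it is outside the hunk, so whether the message reaching the user is meaningful cannot be confirmed here. Now that the parsed value comes from `literal_eval`, a clearer contract would be `raise ValueError('grouping must be a list of integers')`, and a leading `isinstance(grouping, (list, tuple))` check would also reject a non-sequence literal (for example `'1'`) before the loop. The second hunk in this file applies `literal_eval` to `monetary.mon_grouping` as well; whether that field passes through this same validation is not visible in the diff. The enclosing method starts and ends outside the hunk.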
@@ -254,10 +255,10 @@ class Lang(ModelSQL, ModelView):
 
         if monetary:
             thousands_sep = monetary.mon_thousands_sep
-            grouping = safe_eval(monetary.mon_grouping)
+            grouping = literal_eval(monetary.mon_grouping)
         else:
             thousands_sep = lang.thousands_sep
-            grouping = safe_eval(lang.grouping)
+            grouping = literal_eval(lang.grouping)
         if not grouping:
             return (s, 0)
         if s[-1] == ' ':
diff --git a/trytond/res/user.py b/trytond/res/user.py
index e50c8fd..d3f7d94 100644
--- a/trytond/res/user.py
+++ b/trytond/res/user.py
@@ -9,12 +9,13 @@ import time
 import datetime
 from itertools import groupby, ifilter
 from operator import attrgetter
+from ast import literal_eval
+
 from sql import Literal
 from sql.aggregate import Count
 
 from ..model import ModelView, ModelSQL, fields
 from ..wizard import Wizard, StateView, Button, StateTransition
-from ..tools import safe_eval
 from .. import backend
 from ..transaction import Transaction
 from ..cache import Cache
@@ -331,7 +332,7 @@ class User(ModelSQL, ModelView):
                 date = date.replace(i, j)
             res['locale'] = {
                 'date': date,
-                'grouping': safe_eval(user.language.grouping),
+                'grouping': literal_eval(user.language.grouping),
                 'decimal_point': user.language.decimal_point,
                 'thousands_sep': user.language.thousands_sep,
             }
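Review bot: The call `'grouping': literal_eval(user.language.grouping)` has no exception handling in view, unlike the ir.cron change in this same commit which sits inside a `try:`; a stored value that is not a valid Python literal would raise ValueError or SyntaxError out of this method. The ir.lang hunk in this release validates `grouping` as a literal list of integers at save time, which appears to be what this line relies on, and that reliance is worth stating next to the call: `# grouping is validated as a literal list of ints by ir.lang, so literal_eval is expected to succeed here`. The enclosing method starts and ends outside the hunk.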
diff --git a/trytond/tests/test_tools.py b/trytond/tests/test_tools.py
index 86881af..a0f4d4f 100644
--- a/trytond/tests/test_tools.py
+++ b/trytond/tests/test_tools.py
@@ -82,10 +82,8 @@ class ToolsTestCase(unittest.TestCase):
         self.assertRaises(Exception, safe_eval, "open('test.txt', 'w')")
 
     def test0061safe_eval_getattr(self):
-        '''
-        Attempt to get arround direct attr access.
-        '''
-        self.assertRaises(Exception, safe_eval, "getattr(int, '__abs__')")
+        'Attempt to get arround direct attr access'
+        self.assertRaises(NameError, safe_eval, "getattr(int, 'real')")
 
     def test0062safe_eval_func_globals(self):
         '''
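Review bot: The rewritten test no longer exercises the guard that this same commit adds to `safe_eval`: the old probe `getattr(int, '__abs__')` would now be refused by the new `'__' in source` check with ValueError before compilation, while the replacement `getattr(int, 'real')` only shows that `getattr` is absent from the restricted builtins (NameError). Add a case that pins the new rejection, e.g. `self.assertRaises(ValueError, safe_eval, "getattr(int, '__abs__')")`, and one documenting that the check is deliberately coarse and also refuses string literals containing a dunder, e.g. `self.assertRaises(ValueError, safe_eval, "'a__b'")`. While the docstring line is being touched, `arround` should read `around`. The ToolsTestCase class continues outside the hunk.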
diff --git a/trytond/tools/misc.py b/trytond/tools/misc.py
index f6df849..80caf52 100644
--- a/trytond/tools/misc.py
+++ b/trytond/tools/misc.py
@@ -396,8 +396,8 @@ def _compile_source(source):
 
 
 def safe_eval(source, data=None):
-    if '__subclasses__' in source:
-        raise ValueError('__subclasses__ not allowed')
+    if '__' in source:
+        raise ValueError('Double underscores not allowed')
 
     comp = _compile_source(source)
     return eval(comp, {'__builtins__': {
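Review bot: The new guard `if '__' in source:` is a substring denylist, and the function should say so, because its behaviour is coarse in two directions: it rejects any source containing a double underscore, including inside an ordinary string literal, and it does not by itself make the `eval` on the following line safe for untrusted input — the restricted `__builtins__` dict is a mitigation, not an isolation boundary. I would add a comment above the check: `# Deliberately coarse: refuse any dunder anywhere in the source (even in string literals) before compiling. This is a hardening measure, not a sandbox; callers that only need to parse stored data should use ast.literal_eval instead (as ir.cron, ir.lang, res.user and webdav now do).` The body of `safe_eval` continues beyond the hunk.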
diff --git a/trytond/version.py b/trytond/version.py
index 4f845a5..ac4c04c 100644
--- a/trytond/version.py
+++ b/trytond/version.py
@@ -1,6 +1,6 @@
 #This file is part of Tryton.  The COPYRIGHT file at the top level of
 #this repository contains the full copyright notices and license terms.
 PACKAGE = "trytond"
-VERSION = "3.0.6"
+VERSION = "3.0.7"
 LICENSE = "GPL-3"
 WEBSITE = "http://www.tryton.org/"
diff --git a/trytond/webdav/webdav.py b/trytond/webdav/webdav.py
index d62179d..265faee 100644
--- a/trytond/webdav/webdav.py
+++ b/trytond/webdav/webdav.py
@@ -8,12 +8,14 @@ import socket
 import encodings
 import uuid
 import datetime
+from ast import literal_eval
+
 from dateutil.relativedelta import relativedelta
 from sql.functions import Extract
 from sql.conditionals import Coalesce
 
 from trytond.model import ModelView, ModelSQL, fields
-from trytond.tools import reduce_ids, safe_eval
+from trytond.tools import reduce_ids
 from trytond.transaction import Transaction
 from trytond.pool import Pool
 from trytond.config import CONFIG
@@ -306,7 +308,7 @@ class Collection(ModelSQL, ModelView):
                 if not Model:
                     return res
                 models = Model.search(
-                        safe_eval(collection.domain or "[]"))
+                    literal_eval(collection.domain))
                 for child in models:
                     if '/' in child.rec_name:
                         continue
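Review bot: The new line `literal_eval(collection.domain)` drops the `or "[]"` fallback that the removed line had, and `ast.literal_eval` raises ValueError when given `None` or an empty string; if `collection.domain` is not a required field, a collection with no domain now fails here where it previously searched with an empty domain. The same fallback is dropped at the second hunk in this file (`domain = literal_eval(collection.domain)`). Unless the field is known to be required, keep the fallback: `literal_eval(collection.domain or '[]')` in both places. The enclosing method starts and ends outside the hunk.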
@@ -760,7 +762,7 @@ class Attachment(ModelSQL, ModelView):
             model_name = collection.model.model
             Model = pool.get(model_name)
             ids = list(resources[model_name])
-            domain = safe_eval(collection.domain or '[]')
+            domain = literal_eval(collection.domain)
             domain = [domain, ('id', 'in', ids)]
             records = Model.search(domain)
             for record in records: