authorBenedikt Boehm <hollow@gentoo.org>2008-04-03 10:42:56 +0000
committerBenedikt Boehm <hollow@gentoo.org>2008-04-03 10:42:56 +0000
commitf378045579c1f2e3121c5863d709be76a6ae9b42 (patch)
tree9216cc45d1d3c11f420b34c6f312623e0949a6bb /www-apps/roundup/files
parentversion bump wrt security #214212 (diff)
downloadhistorical-f378045579c1f2e3121c5863d709be76a6ae9b42.tar.gz
historical-f378045579c1f2e3121c5863d709be76a6ae9b42.tar.bz2
historical-f378045579c1f2e3121c5863d709be76a6ae9b42.zip
fix security #214666; remove old versions
Package-Manager: portage-2.1.4.4
Diffstat (limited to 'www-apps/roundup/files')
-rw-r--r--www-apps/roundup/files/roundup-1.4.4-CVE-2008-1475.patch215
1 files changed, 215 insertions, 0 deletions
diff --git a/www-apps/roundup/files/roundup-1.4.4-CVE-2008-1475.patch b/www-apps/roundup/files/roundup-1.4.4-CVE-2008-1475.patch
new file mode 100644
index 000000000000..8cf9c2ae0f39
--- /dev/null
+++ b/www-apps/roundup/files/roundup-1.4.4-CVE-2008-1475.patch
@@ -0,0 +1,215 @@
+Index: roundup/xmlrpc.py
+===================================================================
+RCS file: /cvsroot/roundup/roundup/roundup/xmlrpc.py,v
+retrieving revision 1.5
+diff -u -r1.5 xmlrpc.py
+--- roundup/xmlrpc.py 3 Nov 2007 00:50:37 -0000 1.5
++++ roundup/xmlrpc.py 4 Mar 2008 18:13:49 -0000
+@@ -63,13 +63,10 @@
+ def close(self):
+ """Close the database, after committing any changes, if needed."""
+
+- if getattr(self, 'db'):
+- try:
+- if self.db.transactions:
+- self.db.commit()
+- finally:
+- self.db.close()
+-
++ try:
++ self.db.commit()
++ finally:
++ self.db.close()
+
+ def get_class(self, classname):
+ """Return the class for the given classname."""
+@@ -115,51 +112,52 @@
+
+ def list(self, username, password, classname, propname=None):
+ r = RoundupRequest(self.tracker, username, password)
+- cl = r.get_class(classname)
+- if not propname:
+- propname = cl.labelprop()
+- def has_perm(itemid):
+- return True
+- r.db.security.hasPermission('View', r.userid, classname,
+- itemid=itemid, property=propname)
+- result = [cl.get(id, propname) for id in cl.list()
+- if has_perm(id)]
+- r.close()
++ try:
++ cl = r.get_class(classname)
++ if not propname:
++ propname = cl.labelprop()
++ result = [ cl.get(itemid, propname) for itemid in cl.list()
++ if r.db.security.hasPermission \
++ ('View', r.userid, classname, propname, itemid)
++ ]
++ finally:
++ r.close()
+ return result
+
+ def display(self, username, password, designator, *properties):
+ r = RoundupRequest(self.tracker, username, password)
+- classname, itemid = hyperdb.splitDesignator(designator)
+-
+- if not r.db.security.hasPermission('View', r.userid, classname,
+- itemid=itemid):
+- raise Unauthorised('Permission to view %s denied'%designator)
+-
+- cl = r.get_class(classname)
+- props = properties and list(properties) or cl.properties.keys()
+- props.sort()
+- result = [(property, cl.get(itemid, property)) for property in props]
+- r.close()
++ try:
++ classname, itemid = hyperdb.splitDesignator(designator)
++ cl = r.get_class(classname)
++ props = properties and list(properties) or cl.properties.keys()
++ props.sort()
++ for p in props:
++ if not r.db.security.hasPermission \
++ ('View', r.userid, classname, p, itemid):
++ raise Unauthorised \
++ ('Permission to view %s of %s denied' % (p, designator))
++ result = [(prop, cl.get(itemid, prop)) for prop in props]
++ finally:
++ r.close()
+ return dict(result)
+
+ def create(self, username, password, classname, *args):
+ r = RoundupRequest(self.tracker, username, password)
++ try:
++ if not r.db.security.hasPermission('Create', r.userid, classname):
++ raise Unauthorised('Permission to create %s denied'%classname)
+
+- if not r.db.security.hasPermission('Create', r.userid, classname):
+- raise Unauthorised('Permission to create %s denied'%classname)
+-
+- cl = r.get_class(classname)
++ cl = r.get_class(classname)
+
+- # convert types
+- props = r.props_from_args(cl, args)
++ # convert types
++ props = r.props_from_args(cl, args)
+
+- # check for the key property
+- key = cl.getkey()
+- if key and not props.has_key(key):
+- raise UsageError, 'you must provide the "%s" property.'%key
++ # check for the key property
++ key = cl.getkey()
++ if key and not props.has_key(key):
++ raise UsageError, 'you must provide the "%s" property.'%key
+
+- # do the actual create
+- try:
++ # do the actual create
+ try:
+ result = cl.create(**props)
+ except (TypeError, IndexError, ValueError), message:
+@@ -170,19 +168,17 @@
+
+ def set(self, username, password, designator, *args):
+ r = RoundupRequest(self.tracker, username, password)
+- classname, itemid = hyperdb.splitDesignator(designator)
+-
+- if not r.db.security.hasPermission('Edit', r.userid, classname,
+- itemid=itemid):
+- raise Unauthorised('Permission to edit %s denied'%designator)
+-
+- cl = r.get_class(classname)
+-
+- # convert types
+- props = r.props_from_args(cl, args)
+ try:
++ classname, itemid = hyperdb.splitDesignator(designator)
++ cl = r.get_class(classname)
++ props = r.props_from_args(cl, args) # convert types
++ for p in props.iterkeys ():
++ if not r.db.security.hasPermission \
++ ('Edit', r.userid, classname, p, itemid):
++ raise Unauthorised\
++ ('Permission to edit %s of %s denied'%(p, designator))
+ try:
+- cl.set(itemid, **props)
++ return cl.set(itemid, **props)
+ except (TypeError, IndexError, ValueError), message:
+ raise UsageError, message
+ finally:
+Index: test/db_test_base.py
+===================================================================
+RCS file: /cvsroot/roundup/roundup/test/db_test_base.py,v
+retrieving revision 1.96
+diff -u -r1.96 db_test_base.py
+--- test/db_test_base.py 7 Feb 2008 03:28:34 -0000 1.96
++++ test/db_test_base.py 4 Mar 2008 18:13:50 -0000
+@@ -62,6 +62,7 @@
+ tracker = instance.open(dirname)
+ if tracker.exists():
+ tracker.nuke()
++ init.write_select_db(dirname, backend)
+ tracker.init(password.Password('sekrit'))
+ return tracker
+
+@@ -293,7 +294,7 @@
+ l = [u1,u2]; l.sort()
+ m = self.db.issue.get(nid, "nosy"); m.sort()
+ self.assertEqual(l, m)
+-
++
+
+ # XXX one day, maybe...
+ # def testMultilinkOrdering(self):
+Index: test/test_xmlrpc.py
+===================================================================
+RCS file: /cvsroot/roundup/roundup/test/test_xmlrpc.py,v
+retrieving revision 1.4
+diff -u -r1.4 test_xmlrpc.py
+--- test/test_xmlrpc.py 3 Nov 2007 00:50:38 -0000 1.4
++++ test/test_xmlrpc.py 4 Mar 2008 18:13:50 -0000
+@@ -9,23 +9,26 @@
+ from roundup.cgi.exceptions import *
+ from roundup import init, instance, password, hyperdb, date
+ from roundup.xmlrpc import RoundupServer
++from roundup.backends import list_backends
+
+ import db_test_base
+
+ NEEDS_INSTANCE = 1
+
+ class TestCase(unittest.TestCase):
++
++ backend = None
++
+ def setUp(self):
+ self.dirname = '_test_xmlrpc'
+ # set up and open a tracker
+- self.instance = db_test_base.setupTracker(self.dirname)
++ self.instance = db_test_base.setupTracker(self.dirname, self.backend)
+
+ # open the database
+ self.db = self.instance.open('admin')
+ self.joeid = 'user' + self.db.user.create(username='joe',
+ password=password.Password('random'), address='random@home.org',
+ realname='Joe Random', roles='User')
+-
+ self.db.commit()
+ self.db.close()
+
+@@ -89,10 +92,12 @@
+
+ def test_suite():
+ suite = unittest.TestSuite()
+- suite.addTest(unittest.makeSuite(TestCase))
++ for l in list_backends() :
++ dct = dict(backend = l)
++ subcls = type(TestCase)('TestCase_%s' % l, (TestCase,), dct)
++ suite.addTest(unittest.makeSuite(subcls))
+ return suite
+
+ if __name__ == '__main__':
+ runner = unittest.TextTestRunner()
+ unittest.main(testRunner=runner)
+-
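Review bot: The patched create() still checks only a class-level permission at `if not r.db.security.hasPermission('Create', r.userid, classname):`, whereas the patched set() and display() now check every property the caller names; if the tracker's security model grants property-scoped Create permissions, properties supplied to create are not individually enforced, which is worth confirming since the commit is a permission fix. The new positional calls `('View', r.userid, classname, propname, itemid)` replace the original keyword form `itemid=itemid, property=propname`, and the hasPermission argument order is not visible in this hunk, so the positional order should be verified against the definition. In set(), `return cl.set(itemid, **props)` replaces a bare call, so the XML-RPC method now returns whatever cl.set() returns; if that can be None the server marshaller rejects it unless allow_none is enabled, and a comment such as `# return value of cl.set() is exposed over XML-RPC and must be marshallable` would record that dependency. The bodies of create() and set() both continue past the hunk, so their trailing error handling and return paths could not be reviewed here. The `props.iterkeys ()` spacing and the backslash-continued `hasPermission \` calls are style nits; parenthesising the argument list avoids the continuations.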