Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
Please login to access the resource
SUSE:SLE-12:Update
python-reportlab
CVE-2020-28463_fix_ssrf.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2020-28463_fix_ssrf.patch of Package python-reportlab
# HG changeset patch # User robin # Date 1603974725 0 # Node ID 7f2231703dc7ba8d0758550936d1366fb91a64d3 # Parent e1390a6dfd33ae5f296153bc63df0256cd7e8fd9 added trustedHosts & trustedSchemes settings; version --> 3.5.55 Index: reportlab-2.7/docs/userguide/ch1_intro.py =================================================================== --- reportlab-2.7.orig/docs/userguide/ch1_intro.py +++ reportlab-2.7/docs/userguide/ch1_intro.py @@ -296,8 +296,13 @@ or want to draw attention to an issue, p heading2("Site Configuration") disc("""There are a number of options which most likely need to be configured globally for a site. -The python script module $reportlab/rl_config.py$ may be edited to change the values of several -important sitewide properties.""") +The python script module $reportlab/rl_config.py$ aggregates the various settings files. You may want inspect the file $reportlab/$rl_settings.py$ which +contains defaults for the currently used variables. There are several overrides for $rl_settings" +modules $reportlab.local_rl_settings$, $reportlab_settings$ (a script file anywhere on the python path) +and finally the file $~/.reportlab_settings$ (note no .py). Temporary changes can be made using evironment variables which +are the variables from $rl_settings.py" prefixed with $RL_$ eg $RL_verbose=1$. +""") +heading3("Useful rl_config variables") bullet("""verbose: set to integer values to control diagnostic output.""") bullet("""shapeChecking: set this to zero to turn off a lot of error checking in the graphics modules""") bullet("""defaultEncoding: set this to WinAnsiEncoding or MacRomanEncoding.""") @@ -313,9 +318,16 @@ bullet("""CMapSearchPath: this is a pyth may be queried for information on font code maps.""") bullet("""showBoundary: set to non-zero to get boundary lines drawn.""") bullet("""ZLIB_WARNINGS: set to non-zero to get warnings if the Python compression extension is not found.""") -bullet("""pageComression: set to non-zero to try and get compressed PDF.""") +bullet("""pageCompression: set to non-zero to try and get compressed PDF.""") bullet("""allowtableBoundsErrors: set to 0 to force an error on very large Platypus table elements""") bullet("""emptyTableAction: Controls behaviour for empty tables, can be 'error' (default), 'indicate' or 'ignore'.""") +bullet("""trustedHosts: if not $None$ a list of glob patterns of trusted hosts; these may be used in places like <img> tags in paragraph texts.""") +bullet("""trustedSchemes: a list of allowed $URL$ schemes used with $trustedHosts$""") +disc("""For the full list of variables see the file $reportlab/rl_settings.py$.""") +heading3("Other modifications") +disc("""More complex modifications to the reportlab toolkit environment may be made using one +of the modules $rep[ortlab.local_rl_mods$ (.py script in reportlab folder), +$reportlab_mods$ (.py file on the python path) or $~/.reportlab_mods$ (note no .py).""") heading2("Learning More About Python") Index: reportlab-2.7/docs/userguide/ch2a_fonts.py =================================================================== --- reportlab-2.7.orig/docs/userguide/ch2a_fonts.py +++ reportlab-2.7/docs/userguide/ch2a_fonts.py @@ -216,7 +216,7 @@ for Type-1 fonts. disc(""" Unfortunately, there is no reliable standard yet for such locations (not even on the same platform) and, hence, you might -have to edit the file $reportlab/rl_config.py$ to modify the +have to edit one of the files $reportlab_settings.py$ or $~/.reportlab_settings$ to modify the value of the $T1SearchPath$ identifier to contain additional directories. Our own recommendation is to use the ^reportlab/fonts^ folder in development; and to have any needed fonts as packaged parts of Index: reportlab-2.7/docs/userguide/ch5_paragraphs.py =================================================================== --- reportlab-2.7.orig/docs/userguide/ch5_paragraphs.py +++ reportlab-2.7/docs/userguide/ch5_paragraphs.py @@ -294,6 +294,9 @@ This <img/> <img src="../images/te This <img/> <img src="../images/testimg.gif" valign="+4"/> is aligned <b>+4</b>.<br/><br/> This <img/> <img src="../images/testimg.gif" width="10"/> has width <b>10</b>.<br/><br/> </para>""","Inline images") +disc("""The $src$ attribute can refer to a remote location eg $src="https://www.reportlab.com/images/logo.gif"$. By default we set $rl_config.trustedShemes$ to $['https','http', 'file', 'data', 'ftp']$ and +$rl_config.trustedHosts=None$ the latter meaning no-restriction. You can modify these variables using one of the override files eg $reportlab_settings.py$ or $~/.reportlab_settings$. Or as comma seprated strings in the +environment variables $RL_trustedSchemes$ & $RL_trustedHosts$. Note that the $trustedHosts$ values may contain <b>glob</b> wild cars so <i>*.reportlab.com</i> will match the obvious domains.""") heading3("Numbering Paragraphs and Lists") disc("""The $<seq>$ tag provides comprehensive support Index: reportlab-2.7/src/reportlab/lib/utils.py =================================================================== --- reportlab-2.7.orig/src/reportlab/lib/utils.py +++ reportlab-2.7/src/reportlab/lib/utils.py @@ -443,12 +443,26 @@ def open_for_read_by_name(name,mode='b') import urllib2 def open_for_read(name,mode='b', urlopen=urllib2.urlopen): + from reportlab.rl_config import trustedHosts, trustedSchemes + if trustedHosts: + import re, fnmatch + def xre(s): + s = fnmatch.translate(s) + return s[4:-3] if s.startswith('(?s:') else s[:-7] + trustedHosts = re.compile(''.join(('^(?:', + '|'.join(map(xre,trustedHosts)), + ')\\Z'))) '''attempt to open a file or URL for reading''' if hasattr(name,'read'): return name try: return open_for_read_by_name(name,mode) except: try: + if trustedHosts is not None: + from urlparse import urlparse + purl = urlparse(name) + if purl[0] and not ((purl[0] in ('data','file') or trustedHosts.match(purl[1])) and (purl[0] in trustedSchemes)): + raise ValueError('Attempted untrusted host access') return getStringIO(urlopen(name).read()) except: raise IOError('Cannot open resource "%s"' % name) Index: reportlab-2.7/src/reportlab/rl_config.py =================================================================== --- reportlab-2.7.orig/src/reportlab/rl_config.py +++ reportlab-2.7/src/reportlab/rl_config.py @@ -46,6 +46,11 @@ paraFontSizeHeightOffset= 1 canvas_baseColor= None #initialize the canvas fill and stroke colors if this is set ignoreContainerActions= 1 #if true then action flowables in flowable _Containers will be ignored ttfAsciiReadable= 1 #smaller subsets when set to 0 +trustedHosts=None #set to a list of trusted for access hosts None means + #all are trusted glob patterns eg *.reportlab.com are + #allowed. In environment use a comma separated string. +trustedSchemes=['file', 'rml', 'data', 'https', #these url schemes are trusted + 'http', 'ftp'] # places to look for T1Font information T1SearchPath = ( @@ -177,7 +182,9 @@ imageReaderFlags paraFontSizeHeightOffset canvas_baseColor ignoreContainerActions -ttfAsciiReadable'''.split() +ttfAsciiReadable +trustedHosts +trustedSchemes'''.split() import os, sys global sys_version, _unset_ sys_version = sys.version.split()[0] #strip off the other garbage @@ -209,8 +216,12 @@ ttfAsciiReadable'''.split() for k in V[3:]: v = _SAVED[k] - if isinstance(v,(int,float)): conv = type(v) - elif k=='defaultPageSize': conv = lambda v,M=pagesizes: getattr(M,v) + if isinstance(v,(int,float)): + conv = type(v) + elif k=='defaultPageSize': + conv = lambda v,M=pagesizes: getattr(M,v) + elif k in ('trustedHosts','trustedSchemes'): + conv = lambda v: None if v is None else [y for y in [x.strip() for x in v.split(',')] if y] if isinstance(v,str) else v else: conv = None _setOpt(k,v,conv) Index: reportlab-2.7/tests/runAll.py =================================================================== --- reportlab-2.7.orig/tests/runAll.py +++ reportlab-2.7/tests/runAll.py @@ -11,6 +11,7 @@ import os, glob, sys, string, traceback, #directory and run this directly if __name__=='__main__': P=[] + os.environ['RL_trustedHosts'] = '*.reportlab.com' try: from reportlab.lib.testutils import setOutDir except ImportError: Index: reportlab-2.7/tests/test_lib_rl_safe_eval.py =================================================================== --- reportlab-2.7.orig/tests/test_lib_rl_safe_eval.py +++ reportlab-2.7/tests/test_lib_rl_safe_eval.py @@ -107,7 +107,7 @@ class SafeEvalTestSequenceMeta(type): tfmt = 'test_ExpectedTo%s_%%02d' % kind.capitalize() for i, expr in enumerate(_data): if expr is None: - test = genTest('skip','') + continue #test = genTest('skip','') else: expr, kwds = expr if isinstance(expr,tuple) else (expr,{}) test = genTest(kind, expr,**kwds)
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
