Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Backports:SLE-15:Update
python-rope
CVE-2014-3539-disable-doa.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2014-3539-disable-doa.patch of Package python-rope
From 5cd16e47baf76f57b0dab0d9ab1684a8e02ea6a8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?= <mcepl@cepl.eu> Date: Wed, 11 Feb 2015 22:06:44 +0100 Subject: [PATCH 1/2] Simple hackish solution to CVE-2014-3539. This doesn't resolve the issue, but at least people using DOA should be intentional about it and aware of the security risks. It is also necessary explicitly switch on 'perform_doa' preference for tests that require it. Fixes #105 --- rope/base/default_config.py | 12 +++++++++++- ropetest/advanced_oi_test.py | 23 +++++++++++++++++++++++ 2 files changed, 34 insertions(+), 1 deletion(-) diff --git a/rope/base/default_config.py b/rope/base/default_config.py index 0ee9937..e46509f 100644 --- a/rope/base/default_config.py +++ b/rope/base/default_config.py @@ -46,7 +46,17 @@ def set_prefs(prefs): # If `False` when running modules or unit tests "dynamic object # analysis" is turned off. This makes them much faster. - prefs['perform_doa'] = True + # + # There is also a security risk involved with this (CVE-2014-3539), + # because during by this rope can be persuaded to open under some + # circumstances a network port for short moment of time, which can + # be used to push commands to the running process, so that such + # process could proceed some commands under the privilegis of the + # user running rope. Therefore this variable defaults to False, and + # anybody who would like to change its value to True is advised to + # make sure the computer is well firewalled against possible + # intruders. + prefs['perform_doa'] = False # Rope can check the validity of its object DB when running. prefs['validate_objectdb'] = True diff --git a/ropetest/advanced_oi_test.py b/ropetest/advanced_oi_test.py index 4130fae..e862307 100644 --- a/ropetest/advanced_oi_test.py +++ b/ropetest/advanced_oi_test.py @@ -17,6 +17,7 @@ def tearDown(self): super(DynamicOITest, self).tearDown() def test_simple_dti(self): + self.project.prefs['perform_doa'] = True mod = testutils.create_module(self.project, 'mod') code = 'def a_func(arg):\n return eval("arg")\n' \ 'a_var = a_func(a_func)\n' @@ -27,6 +28,7 @@ def test_simple_dti(self): pymod['a_var'].get_object()) def test_module_dti(self): + self.project.prefs['perform_doa'] = True mod1 = testutils.create_module(self.project, 'mod1') mod2 = testutils.create_module(self.project, 'mod2') code = 'import mod1\ndef a_func(arg):\n return eval("arg")\n' \ @@ -38,6 +40,7 @@ def test_module_dti(self): pymod2['a_var'].get_object()) def test_class_from_another_module_dti(self): + self.project.prefs['perform_doa'] = True mod1 = testutils.create_module(self.project, 'mod1') mod2 = testutils.create_module(self.project, 'mod2') code1 = 'class AClass(object):\n pass\n' @@ -54,6 +57,7 @@ def test_class_from_another_module_dti(self): def test_class_dti(self): mod = testutils.create_module(self.project, 'mod') + self.project.prefs['perform_doa'] = True code = 'class AClass(object):\n pass\n' \ '\ndef a_func(arg):\n return eval("arg")\n' \ 'a_var = a_func(AClass)\n' @@ -64,6 +68,7 @@ def test_class_dti(self): pymod['a_var'].get_object()) def test_instance_dti(self): + self.project.prefs['perform_doa'] = True mod = testutils.create_module(self.project, 'mod') code = 'class AClass(object):\n pass\n' \ '\ndef a_func(arg):\n return eval("arg()")\n' \ @@ -75,6 +80,7 @@ def test_instance_dti(self): pymod['a_var'].get_object().get_type()) def test_method_dti(self): + self.project.prefs['perform_doa'] = True mod = testutils.create_module(self.project, 'mod') code = 'class AClass(object):\n def a_method(self, arg):\n' \ ' return eval("arg()")\n' \ @@ -87,6 +93,7 @@ def test_method_dti(self): pymod['a_var'].get_object().get_type()) def test_function_argument_dti(self): + self.project.prefs['perform_doa'] = True mod = testutils.create_module(self.project, 'mod') code = 'def a_func(arg):\n pass\n' \ 'a_func(a_func)\n' @@ -97,6 +104,7 @@ def test_function_argument_dti(self): pyscope.get_scopes()[0]['arg'].get_object()) def test_classes_with_the_same_name(self): + self.project.prefs['perform_doa'] = True mod = testutils.create_module(self.project, 'mod') code = 'def a_func(arg):\n class AClass(object):\n' \ ' pass\n return eval("arg")\n' \ @@ -109,6 +117,7 @@ def test_classes_with_the_same_name(self): pymod['a_var'].get_object()) def test_nested_classes(self): + self.project.prefs['perform_doa'] = True mod = testutils.create_module(self.project, 'mod') code = 'def a_func():\n class AClass(object):\n' \ ' pass\n return AClass\n' \ @@ -121,6 +130,7 @@ def test_nested_classes(self): pyscope['a_var'].get_object()) def test_function_argument_dti2(self): + self.project.prefs['perform_doa'] = True mod = testutils.create_module(self.project, 'mod') code = 'def a_func(arg, a_builtin_type):\n pass\n' \ 'a_func(a_func, [])\n' @@ -131,6 +141,7 @@ def test_function_argument_dti2(self): pyscope.get_scopes()[0]['arg'].get_object()) def test_dti_and_concluded_data_invalidation(self): + self.project.prefs['perform_doa'] = True mod = testutils.create_module(self.project, 'mod') code = 'def a_func(arg):\n return eval("arg")\n' \ 'a_var = a_func(a_func)\n' @@ -142,6 +153,7 @@ def test_dti_and_concluded_data_invalidation(self): pymod['a_var'].get_object()) def test_list_objects_and_dynamicoi(self): + self.project.prefs['perform_doa'] = True mod = testutils.create_module(self.project, 'mod') code = 'class C(object):\n pass\n' \ 'def a_func(arg):\n return eval("arg")\n' \ @@ -154,6 +166,7 @@ def test_list_objects_and_dynamicoi(self): self.assertEquals(c_class, a_var.get_type()) def test_for_loops_and_dynamicoi(self): + self.project.prefs['perform_doa'] = True mod = testutils.create_module(self.project, 'mod') code = 'class C(object):\n pass\n' \ 'def a_func(arg):\n return eval("arg")\n' \ @@ -166,6 +179,7 @@ def test_for_loops_and_dynamicoi(self): self.assertEquals(c_class, a_var.get_type()) def test_dict_objects_and_dynamicoi(self): + self.project.prefs['perform_doa'] = True mod = testutils.create_module(self.project, 'mod') code = 'class C(object):\n pass\n' \ 'def a_func(arg):\n return eval("arg")\n' \ @@ -178,6 +192,7 @@ def test_dict_objects_and_dynamicoi(self): self.assertEquals(c_class, a_var.get_type()) def test_dict_keys_and_dynamicoi(self): + self.project.prefs['perform_doa'] = True mod = testutils.create_module(self.project, 'mod') if pycompat.PY3: code = 'class C(object):\n pass\n' \ @@ -190,6 +205,7 @@ def test_dict_keys_and_dynamicoi(self): self.assertEquals(c_class, a_var.get_type()) def test_dict_keys_and_dynamicoi2(self): + self.project.prefs['perform_doa'] = True mod = testutils.create_module(self.project, 'mod') code = 'class C1(object):\n pass\nclass C2(object):\n pass\n' \ 'def a_func(arg):\n return eval("arg")\n' \ @@ -205,6 +221,7 @@ def test_dict_keys_and_dynamicoi2(self): self.assertEquals(c2_class, b_var.get_type()) def test_strs_and_dynamicoi(self): + self.project.prefs['perform_doa'] = True mod = testutils.create_module(self.project, 'mod') code = 'def a_func(arg):\n return eval("arg")\n' \ 'a_var = a_func("hey")\n' @@ -239,6 +256,7 @@ def complex_to_textual(pyobject): def test_arguments_with_keywords(self): mod = testutils.create_module(self.project, 'mod') + self.project.prefs['perform_doa'] = True code = 'class C1(object):\n pass\nclass C2(object):\n pass\n' \ 'def a_func(arg):\n return eval("arg")\n' \ 'a = a_func(arg=C1())\nb = a_func(arg=C2())\n' @@ -254,6 +272,7 @@ def test_arguments_with_keywords(self): def test_a_function_with_different_returns(self): mod = testutils.create_module(self.project, 'mod') + self.project.prefs['perform_doa'] = True code = 'class C1(object):\n pass\nclass C2(object):\n pass\n' \ 'def a_func(arg):\n return eval("arg")\n' \ 'a = a_func(C1())\nb = a_func(C2())\n' @@ -269,6 +288,7 @@ def test_a_function_with_different_returns(self): def test_a_function_with_different_returns2(self): mod = testutils.create_module(self.project, 'mod') + self.project.prefs['perform_doa'] = True code = 'class C1(object):\n pass\nclass C2(object):\n pass\n' \ 'def a_func(p):\n if p == C1:\n return C1()\n' \ ' else:\n return C2()\n' \ @@ -284,6 +304,7 @@ def test_a_function_with_different_returns2(self): self.assertEquals(c2_class, b_var.get_type()) def test_ignoring_star_args(self): + self.project.prefs['perform_doa'] = True mod = testutils.create_module(self.project, 'mod') code = 'class C1(object):\n pass\nclass C2(object):\n pass\n' \ 'def a_func(p, *args):' \ @@ -301,6 +322,7 @@ def test_ignoring_star_args(self): self.assertEquals(c2_class, b_var.get_type()) def test_ignoring_double_star_args(self): + self.project.prefs['perform_doa'] = True mod = testutils.create_module(self.project, 'mod') code = 'class C1(object):\n pass\nclass C2(object):\n pass\n' \ 'def a_func(p, *kwds, **args):\n ' \ @@ -330,6 +352,7 @@ def test_invalidating_data_after_changing(self): pymod['a_var'].get_object()) def test_invalidating_data_after_moving(self): + self.project.prefs['perform_doa'] = True mod2 = testutils.create_module(self.project, 'mod2') mod2.write('class C(object):\n pass\n') mod = testutils.create_module(self.project, 'mod') From 8e9667d3318f2846362b8a3c350a9d27d7222818 Mon Sep 17 00:00:00 2001 From: Matej Cepl <mcepl@cepl.eu> Date: Thu, 12 Feb 2015 01:12:15 +0100 Subject: [PATCH 2/2] limit socket connections to localhost --- rope/base/oi/doa.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rope/base/oi/doa.py b/rope/base/oi/doa.py index 1b2a00f..74bb91b 100644 --- a/rope/base/oi/doa.py +++ b/rope/base/oi/doa.py @@ -113,7 +113,7 @@ def __init__(self): self.data_port = 3037 while self.data_port < 4000: try: - self.server_socket.bind(('', self.data_port)) + self.server_socket.bind(('127.0.0.1', self.data_port)) break except socket.error: self.data_port += 1
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor