File 0001-Fixed-a-security-issue-with-temporary-files-on-the-f.patch of Package python-Jinja2
From d4a5f480a6125389a831aa609192891024bfb2dc Mon Sep 17 00:00:00 2001
From: Armin Ronacher <armin.ronacher@active-4.com>
Date: Fri, 10 Jan 2014 10:40:51 +0000
Subject: [PATCH] Fixed a security issue with temporary files on the filesystem
cache on UNIX.
https://bugzilla.novell.com/show_bug.cgi?id=858239 CVE-2014-1402
cherry-picked-from: acb672b6a179567632e032f547582f30fa2f4aa7
---
CHANGES | 8 ++++++++
jinja2/bccache.py | 29 +++++++++++++++++++++++++++--
2 files changed, 35 insertions(+), 2 deletions(-)
diff --git a/CHANGES b/CHANGES
index ae07828..5cbad91 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,14 @@
Jinja2 Changelog
================
+Version 2.6+
+-------------
+- Security issue: Changed the default folder for the filesystem cache to be
+ user specific and read and write protected on UNIX systems. See `Debian bug
+ 734747`_ for more information.
+
+.. _Debian bug 734747: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734747
+
Version 2.6
-----------
(codename Convolution, released on July 24th 2011)
diff --git a/jinja2/bccache.py b/jinja2/bccache.py
index 0b0ccad..28e3542 100644
--- a/jinja2/bccache.py
+++ b/jinja2/bccache.py
@@ -15,7 +15,9 @@
:license: BSD.
"""
from os import path, listdir
+import os
import sys
+import errno
import marshal
import tempfile
import cPickle as pickle
@@ -194,7 +196,9 @@ class FileSystemBytecodeCache(BytecodeCache):
two arguments: The directory where the cache items are stored and a
pattern string that is used to build the filename.
- If no directory is specified the system temporary items folder is used.
+ If no directory is specified a default cache directory is selected. On
+ Windows the user's temp directory is used, on UNIX systems a directory
+ is created for the user in the system temp directory.
The pattern can be used to have multiple separate caches operate on the
same directory. The default pattern is ``'__jinja2_%s.cache'``. ``%s``
@@ -207,10 +211,31 @@ class FileSystemBytecodeCache(BytecodeCache):
def __init__(self, directory=None, pattern='__jinja2_%s.cache'):
if directory is None:
- directory = tempfile.gettempdir()
+ directory = self._get_default_cache_dir()
self.directory = directory
self.pattern = pattern
+ def _get_default_cache_dir(self):
+ tmpdir = tempfile.gettempdir()
+
+ # On windows the temporary directory is used specific unless
+ # explicitly forced otherwise. We can just use that.
+ if os.name == 'n':
+ return tmpdir
+ if not hasattr(os, 'getuid'):
+ raise RuntimeError('Cannot determine safe temp directory. You '
+ 'need to explicitly provide one.')
+
+ dirname = '_jinja2-cache-%d' % os.getuid()
+ actual_dir = os.path.join(tmpdir, dirname)
+ try:
+ os.mkdir(actual_dir, 0700)
+ except OSError as e:
+ if e.errno != errno.EEXIST:
+ raise
+
+ return actual_dir
+
def _get_cache_filename(self, bucket):
return path.join(self.directory, self.pattern % bucket.key)
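Review bot: The platform check `if os.name == 'n':` never matches, because `os.name` is `'nt'` on Windows, so Windows callers fall through to the `hasattr(os, 'getuid')` test and hit the RuntimeError instead of getting their temp directory; it should read `if os.name == 'nt':` (unless the `'n'` is an artifact of how this patch is rendered). Separately, the `EEXIST` branch accepts whatever already exists at `actual_dir` without looking at it, so the 0700 mode is only guaranteed when this process created the directory; in a shared system temp directory the pre-existing entry may not be a directory this user owns. After the mkdir/EEXIST block, `lstat` the path and refuse it unless it is a real directory owned by `os.getuid()` with mode 0700, which also rejects a symlink at that name; this needs `import stat` next to the new `errno` import. `_get_default_cache_dir` is complete within the hunk.
```python
        try:
            os.mkdir(actual_dir, 0700)
        except OSError as e:
            if e.errno != errno.EEXIST:
                raise

        # Whatever sits at actual_dir now must be our own private directory:
        # a real directory (lstat, so a symlink is rejected), owned by this
        # uid, and not readable or writable by anyone else.
        st = os.lstat(actual_dir)
        if not stat.S_ISDIR(st.st_mode) or st.st_uid != os.getuid() \
                or stat.S_IMODE(st.st_mode) != 0700:
            raise RuntimeError('Temporary directory %s is not safe to use. '
                               'You need to explicitly provide one.'
                               % actual_dir)

        return actual_dir
```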
--
1.8.1.4