[Apt-listbugs-commits] [apt-listbugs] 01/02: drop HtmlTempfile, use standard Tempfile instead
Francesco Poli
frx-guest at moszumanska.debian.org
Wed Dec 4 20:32:41 UTC 2013
This is an automated email from the git hooks/post-receive script.
frx-guest pushed a commit to branch wheezy-update
in repository apt-listbugs.
commit cfd2b40812e48305ca134d29f01554801204294e
Author: Francesco Poli (wintermute) <invernomuto at paranoici.org>
Date: Thu Aug 8 14:16:19 2013 +0200
drop HtmlTempfile, use standard Tempfile instead
(cherry picked from commit 3adfaa8a912158820552a5e1e1dc0ff78d6fc8b7
with some readaptations)
---
apt-listbugs | 8 --
debian/changelog | 7 ++
lib/apt-listbugs/logic.rb | 3 +-
lib/debian/mytempfile.rb | 187 ----------------------------------------------
4 files changed, 9 insertions(+), 196 deletions(-)
diff --git a/apt-listbugs b/apt-listbugs
index afcce6d..05d2651 100755
--- a/apt-listbugs
+++ b/apt-listbugs
@@ -278,14 +278,6 @@ include GetText
GetText::bindtextdomain("apt-listbugs")
-# ad-hoc
-require 'debian/mytempfile'
-class HtmlTempfile < MyTempfile
- def _tmpname(basename,tmpdir,n)
- sprintf('%s/%s%d.%d.html', tmpdir, basename, $$, n)
- end
-end
-
## main from here
# Drop out as early as possible if this env var is set.
diff --git a/debian/changelog b/debian/changelog
index c3bba6f..d3c386e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+apt-listbugs (0.1.8+deb7u1) stable; urgency=low
+
+ * adopted standard Ruby library Tempfile for HTML bug lists too, thus
+ dropping the ad-hoc HtmlTempfile (CVE-2013-6049)
+
+ -- Francesco Poli (wintermute) <invernomuto at paranoici.org> Mon, 11 Nov 2013 23:00:16 +0100
+
apt-listbugs (0.1.8) unstable; urgency=low
* improved internationalization
diff --git a/lib/apt-listbugs/logic.rb b/lib/apt-listbugs/logic.rb
index 64a223d..357e59a 100644
--- a/lib/apt-listbugs/logic.rb
+++ b/lib/apt-listbugs/logic.rb
@@ -610,7 +610,8 @@ class Viewer
bug_exist = 0
displayed_pkgs = []
- tmp = HtmlTempfile.new("apt-listbugs")
+ tmp = Tempfile.new(["apt-listbugs", ".html"])
+ tmp.chmod(0644)
tmp.puts "<html><head><title>" + _("Critical bugs for your upgrade") + "</title><meta http-equiv=\"Content-Type\" content=\"text/html; charset=#{Locale.charset}\"></head><body>"
tmp.puts "<h1 align=\"center\">" + _("Critical bugs for your upgrade") + "</h1>"
tmp.puts "<p align=\"right\">" + _("by apt-listbugs") + "</p><hr>"
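Review bot: `tmp.chmod(0644)` widens the 0600 mode that Tempfile gives the file, and nothing at the call site says why, so a later reader may take it for a regression of the CVE-2013-6049 fix or remove it. The call is made on the open handle rather than on the path, so it adds no name race. The file does become world-readable in the temporary directory, presumably so a browser running under another account can open it. I would put a comment above the call, for example `# Tempfile creates 0600; widen to 0644 so the browser process can read the page (contents are public bug data only)`, reworded to match the real reason. The rest of the method is outside this hunk, so whether `tmp` is flushed before the browser starts and when it is unlinked cannot be checked from here.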
diff --git a/lib/debian/mytempfile.rb b/lib/debian/mytempfile.rb
deleted file mode 100644
index 4e9cefa..0000000
--- a/lib/debian/mytempfile.rb
+++ /dev/null
@@ -1,187 +0,0 @@
-#
-# tempfile - manipulates temporary files
-# used only in generating HTML for browsing.
-#
-
-require 'delegate'
-require 'tmpdir'
-
-# A class for managing temporary files. This library is written to be
-# thread safe.
-class MyTempfile < DelegateClass(File)
- MAX_TRY = 10
- @@cleanlist = []
-
- # Creates a temporary file of mode 0600 in the temporary directory
- # whose name is basename.pid.n and opens with mode "w+". A Tempfile
- # object works just like a File object.
- #
- # If tmpdir is omitted, the temporary directory is determined by
- # Dir::tmpdir provided by 'tmpdir.rb'.
- # When $SAFE > 0 and the given tmpdir is tainted, it uses
- # /tmp. (Note that ENV values are tainted by default)
- def initialize(basename, tmpdir=Dir::tmpdir)
- if $SAFE > 0 and tmpdir.tainted?
- tmpdir = '/tmp'
- end
-
- lock = nil
- n = failure = 0
-
- begin
- Thread.critical = true
-
- begin
- tmpname = _tmpname(basename,tmpdir,n)
- lock = tmpname + '.lock'
- n += 1
- end while @@cleanlist.include?(tmpname) or
- File.exist?(lock) or File.exist?(tmpname)
-
- Dir.mkdir(lock)
- rescue
- failure += 1
- retry if failure < MAX_TRY
- raise "cannot generate tempfile `%s'" % tmpname
- ensure
- Thread.critical = false
- end
-
- @data = [tmpname]
- @clean_proc = MyTempfile.callback(@data)
- ObjectSpace.define_finalizer(self, @clean_proc)
-
- @tmpfile = File.open(tmpname, File::RDWR|File::CREAT|File::EXCL, 0644)
- @tmpname = tmpname
- @@cleanlist << @tmpname
- @data[1] = @tmpfile
- @data[2] = @@cleanlist
-
- super(@tmpfile)
-
- # Now we have all the File/IO methods defined, you must not
- # carelessly put bare puts(), etc. after this.
-
- Dir.rmdir(lock)
- end
-
- # Creates a temporary filename candidate
- def _tmpname(basename,tmpdir,n)
- sprintf('%s/%s%d.%d', tmpdir, basename, $$, n)
- end
- protected :_tmpname
-
- # Opens or reopens the file with mode "r+".
- def open
- @tmpfile.close if @tmpfile
- @tmpfile = File.open(@tmpname, 'r+')
- @data[1] = @tmpfile
- __setobj__(@tmpfile)
- end
-
- def _close # :nodoc:
- @tmpfile.close if @tmpfile
- @data[1] = @tmpfile = nil
- end
- protected :_close
-
- # Closes the file. If the optional flag is true, unlinks the file
- # after closing.
- #
- # If you don't explicitly unlink the temporary file, the removal
- # will be delayed until the object is finalized.
- def close(unlink_now=false)
- if unlink_now
- close!
- else
- _close
- end
- end
-
- # Closes and unlinks the file.
- def close!
- _close
- @clean_proc.call
- ObjectSpace.undefine_finalizer(self)
- end
-
- # Unlinks the file. On UNIX-like systems, it is often a good idea
- # to unlink a temporary file immediately after creating and opening
- # it, because it leaves other programs zero chance to access the
- # file.
- def unlink
- # keep this order for thread safeness
- File.unlink(@tmpname) if File.exist?(@tmpname)
- @@cleanlist.delete(@tmpname) if @@cleanlist
- end
- alias delete unlink
-
- # Returns the full path name of the temporary file.
- def path
- @tmpname
- end
-
- # Returns the size of the temporary file. As a side effect, the IO
- # buffer is flushed before determining the size.
- def size
- if @tmpfile
- @tmpfile.flush
- @tmpfile.stat.size
- else
- 0
- end
- end
- alias length size
-
- class << self
- def callback(data) # :nodoc:
- pid = $$
- lambda{
- if pid == $$
- path, tmpfile, cleanlist = *data
-
- print "removing ", path, "..." if $DEBUG
-
- tmpfile.close if tmpfile
-
- # keep this order for thread safeness
- File.unlink(path) if File.exist?(path)
- cleanlist.delete(path) if cleanlist
-
- print "done\n" if $DEBUG
- end
- }
- end
-
- # If no block is given, this is a synonym for new().
- #
- # If a block is given, it will be passed tempfile as an argument,
- # and the tempfile will automatically be closed when the block
- # terminates. In this case, open() returns nil.
- def open(*args)
- tempfile = new(*args)
-
- if block_given?
- begin
- yield(tempfile)
- ensure
- tempfile.close
- end
-
- nil
- else
- tempfile
- end
- end
- end
-end
-
-if __FILE__ == $0
-# $DEBUG = true
- f = MyTempfile.new("foo")
- f.print("foo\n")
- f.close
- f.open
- p f.gets # => "foo\n"
- f.close!
-end
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/apt-listbugs/apt-listbugs.git