update to 2.9.1

2021-07-30 16:01:23 +08:00 · 2021-07-30 16:01:23 +08:00 · bd986e443e
commit bd986e443e
parent 010a784eab
5 changed files with 9 additions and 193 deletions
--- a/Babel-2.9.1.tar.gz
+++ b/Babel-2.9.1.tar.gz
--- a/babel-2.3.4-remove-pytz-version.patch
+++ b/babel-2.3.4-remove-pytz-version.patch
@ -1,15 +0,0 @@
 diff -up Babel-2.3.4/setup.py.orig Babel-2.3.4/setup.py
 --- Babel-2.3.4/setup.py.orig	2016-04-11 11:58:25.000000000 +0200
 +++ Babel-2.3.4/setup.py	2016-04-25 13:35:54.458765892 +0200
@@ -59,7 +59,10 @@ setup(
         # This version identifier is currently necessary as
         # pytz otherwise does not install on pip 1.4 or
         # higher.
 -        'pytz>=2015.7',
 +        ### But the version confuses setuptools 8 and higher so remove it in the
 +        ### system package
 +        #'pytz>=2015.7',
 +        'pytz',
     ],
     cmdclass={'import_cldr': import_cldr},
--- a/babel.spec
+++ b/babel.spec
@ -1,15 +1,11 @@
 Name: babel
-Version: 2.9.0
+Version: 2.9.1
-Release: 2
+Release: 1
 Summary: Tools for internationalizing and localizing Python applications
 License: BSD
 URL: http://babel.pocoo.org/
 Source0: https://files.pythonhosted.org/packages/source/B/Babel/Babel-%{version}.tar.gz
 Patch0: babel-2.3.4-remove-pytz-version.patch
 Patch1: backport-0001-CVE-2021-20095-Run-locale-identifiers-through-os.path.basename.patch
 Patch2: backport-0002-CVE-2021-20095-Disallow-special-filenames-on-Windows.patch
 BuildArch: noarch
 BuildRequires: gcc git make
@ -60,7 +56,7 @@ rm -f "$BUILDDIR/html/.buildinfo"
 %py3_install
 %check
-export TZ=Asia/Shanghai
+export TZ=UTC
 %{__python3} -m pytest
 %pre
@ -84,6 +80,12 @@ export TZ=Asia/Shanghai
 %doc built-docs/html/*
 %changelog
 * Fri Jul 30 2021 panxiaohe <panxiaohe@huawei.com> - 2.9.1-1
 - Type:enhancement
 - ID:NA
 - SUG:NA
 - DESC:update to 2.9.1
 * Tue May 11 2021 yangzhuangzhuang <yangzhuangzhuang1@huawei.com> - 2.9.0-2
 - Type:bugfix
 - ID:NA
--- a/backport-0001-CVE-2021-20095-Run-locale-identifiers-through-os.path.basename.patch
+++ b/backport-0001-CVE-2021-20095-Run-locale-identifiers-through-os.path.basename.patch
@ -1,79 +0,0 @@
 From 3a700b5b8b53606fd98ef8294a56f9510f7290f8 Mon Sep 17 00:00:00 2001
 From: Aarni Koskela <akx@iki.fi>
 Date: Wed, 28 Apr 2021 10:33:40 +0300
 Subject: [PATCH] Run locale identifiers through `os.path.basename()`
 ---
 babel/localedata.py      |  2 ++
 tests/test_localedata.py | 30 +++++++++++++++++++++++++++++-
 2 files changed, 31 insertions(+), 1 deletion(-)
 diff --git a/babel/localedata.py b/babel/localedata.py
 index f4771d1f..11085490 100644
 --- a/babel/localedata.py
 +++ b/babel/localedata.py
@@ -47,6 +47,7 @@ def exists(name):
     """
     if not name or not isinstance(name, string_types):
         return False
 +    name = os.path.basename(name)
     if name in _cache:
         return True
     file_found = os.path.exists(os.path.join(_dirname, '%s.dat' % name))
@@ -102,6 +103,7 @@ def load(name, merge_inherited=True):
     :raise `IOError`: if no locale data file is found for the given locale
                       identifer, or one of the locales it inherits from
     """
 +    name = os.path.basename(name)
     _cache_lock.acquire()
     try:
         data = _cache.get(name)
 diff --git a/tests/test_localedata.py b/tests/test_localedata.py
 index 83cd6699..9cb4282e 100644
 --- a/tests/test_localedata.py
 +++ b/tests/test_localedata.py
@@ -11,11 +11,17 @@
 # individuals. For the exact contribution history, see the revision
 # history and logs, available at http://babel.edgewall.org/log/.
 +import os
 +import pickle
 +import sys
 +import tempfile
 import unittest
 import random
 from operator import methodcaller
 -from babel import localedata
 +import pytest
 +
 +from babel import localedata, Locale, UnknownLocaleError
 class MergeResolveTestCase(unittest.TestCase):
@@ -131,3 +137,25 @@ def listdir_spy(*args):
     localedata.locale_identifiers.cache = None
     assert localedata.locale_identifiers()
     assert len(listdir_calls) == 2
 +
 +
 +def test_locale_name_cleanup():
 +    """
 +    Test that locale identifiers are cleaned up to avoid directory traversal.
 +    """
 +    no_exist_name = os.path.join(tempfile.gettempdir(), "babel%d.dat" % random.randint(1, 99999))
 +    with open(no_exist_name, "wb") as f:
 +        pickle.dump({}, f)
 +
 +    try:
 +        name = os.path.splitext(os.path.relpath(no_exist_name, localedata._dirname))[0]
 +    except ValueError:
 +        if sys.platform == "win32":
 +            pytest.skip("unable to form relpath")
 +        raise
 +
 +    assert not localedata.exists(name)
 +    with pytest.raises(IOError):
 +        localedata.load(name)
 +    with pytest.raises(UnknownLocaleError):
 +        Locale(name)
--- a/backport-0002-CVE-2021-20095-Disallow-special-filenames-on-Windows.patch
+++ b/backport-0002-CVE-2021-20095-Disallow-special-filenames-on-Windows.patch
@ -1,92 +0,0 @@
 From 5caf717ceca4bd235552362b4fbff88983c75d8c Mon Sep 17 00:00:00 2001
 From: Aarni Koskela <akx@iki.fi>
 Date: Wed, 28 Apr 2021 11:47:42 +0300
 Subject: [PATCH] Disallow special filenames on Windows
 ---
 babel/localedata.py      | 24 +++++++++++++++++++++---
 tests/test_localedata.py |  9 +++++++++
 2 files changed, 30 insertions(+), 3 deletions(-)
 diff --git a/babel/localedata.py b/babel/localedata.py
 index 11085490..782b7afa 100644
 --- a/babel/localedata.py
 +++ b/babel/localedata.py
@@ -13,6 +13,8 @@
 """
 import os
 +import re
 +import sys
 import threading
 from itertools import chain
@@ -22,6 +24,7 @@
 _cache = {}
 _cache_lock = threading.RLock()
 _dirname = os.path.join(os.path.dirname(__file__), 'locale-data')
 +_windows_reserved_name_re = re.compile("^(con|prn|aux|nul|com[0-9]|lpt[0-9])$", re.I)
 def normalize_locale(name):
@@ -38,6 +41,22 @@ def normalize_locale(name):
             return locale_id
 +def resolve_locale_filename(name):
 +    """
 +    Resolve a locale identifier to a `.dat` path on disk.
 +    """
 +
 +    # Clean up any possible relative paths.
 +    name = os.path.basename(name)
 +
 +    # Ensure we're not left with one of the Windows reserved names.
 +    if sys.platform == "win32" and _windows_reserved_name_re.match(os.path.splitext(name)[0]):
 +        raise ValueError("Name %s is invalid on Windows" % name)
 +
 +    # Build the path.
 +    return os.path.join(_dirname, '%s.dat' % name)
 +
 +
 def exists(name):
     """Check whether locale data is available for the given locale.
@@ -47,10 +66,9 @@ def exists(name):
     """
     if not name or not isinstance(name, string_types):
         return False
 -    name = os.path.basename(name)
     if name in _cache:
         return True
 -    file_found = os.path.exists(os.path.join(_dirname, '%s.dat' % name))
 +    file_found = os.path.exists(resolve_locale_filename(name))
     return True if file_found else bool(normalize_locale(name))
@@ -121,7 +139,7 @@ def load(name, merge_inherited=True):
                     else:
                         parent = '_'.join(parts[:-1])
                 data = load(parent).copy()
 -            filename = os.path.join(_dirname, '%s.dat' % name)
 +            filename = resolve_locale_filename(name)
             with open(filename, 'rb') as fileobj:
                 if name != 'root' and merge_inherited:
                     merge(data, pickle.load(fileobj))
 diff --git a/tests/test_localedata.py b/tests/test_localedata.py
 index 9cb4282e..c852c1b6 100644
 --- a/tests/test_localedata.py
 +++ b/tests/test_localedata.py
@@ -159,3 +159,12 @@ def test_locale_name_cleanup():
         localedata.load(name)
     with pytest.raises(UnknownLocaleError):
         Locale(name)
 +
 +
 +@pytest.mark.skipif(sys.platform != "win32", reason="windows-only test")
 +def test_reserved_locale_names():
 +    for name in ("con", "aux", "nul", "prn", "com8", "lpt5"):
 +        with pytest.raises(ValueError):
 +            localedata.load(name)
 +        with pytest.raises(ValueError):
 +            Locale(name)