From 94adbefba8336b4f08db6cb2ee881fd8da20ec91 Mon Sep 17 00:00:00 2001
From: Marius Brehler
Date: Thu, 17 Sep 2015 17:09:17 +0200
Subject: dev-python/notebook: Fix security issue

http://seclists.org/oss-sec/2015/q3/558
https://bugs.gentoo.org/show_bug.cgi?id=560708

Package-Manager: portage-2.2.20.1
---
 dev-python/notebook/ChangeLog | 11 +++
 ...k-4.0.4-Don-t-redirect-from-edit-to-files.patch | 55 +++++++++++++
 ...nly-redirect-to-editor-for-text-documents.patch | 38 +++++++++
 .../notebook-4.0.4-set-mime-type-on-files.patch | 35 ++++++++
 ...et-model-mimetype-even-when-content-False.patch | 64 +++++++++++++
 dev-python/notebook/notebook-4.0.4-r2.ebuild | 1 -
 dev-python/notebook/notebook-4.0.4-r3.ebuild | 92 ++++++++++++++++++++++
 7 files changed, 295 insertions(+), 1 deletion(-)
 create mode 100644 dev-python/notebook/files/notebook-4.0.4-Don-t-redirect-from-edit-to-files.patch
 create mode 100644 dev-python/notebook/files/notebook-4.0.4-only-redirect-to-editor-for-text-documents.patch
 create mode 100644 dev-python/notebook/files/notebook-4.0.4-set-mime-type-on-files.patch
 create mode 100644 dev-python/notebook/files/notebook-4.0.4-set-model-mimetype-even-when-content-False.patch
 delete mode 120000 dev-python/notebook/notebook-4.0.4-r2.ebuild
 create mode 100644 dev-python/notebook/notebook-4.0.4-r3.ebuild
(limited to 'dev-python')
diff --git a/dev-python/notebook/ChangeLog b/dev-python/notebook/ChangeLog
index fdbc96cfe..367ccf303 100644
--- a/dev-python/notebook/ChangeLog
+++ b/dev-python/notebook/ChangeLog
@@ -2,6 +2,17 @@
 # Copyright 1999-2015 Gentoo Foundation; Distributed under the GPL v2
 # $Id$
 
+*notebook-4.0.4-r3 (17 Sep 2015)
+
+ 17 Sep 2015; Marius Brehler
+ +files/notebook-4.0.4-Don-t-redirect-from-edit-to-files.patch,
+ +files/notebook-4.0.4-only-redirect-to-editor-for-text-documents.patch,
+ +files/notebook-4.0.4-set-mime-type-on-files.patch,
+ +files/notebook-4.0.4-set-model-mimetype-even-when-content-False.patch,
+ +notebook-4.0.4-r3.ebuild, -notebook-4.0.4-r2.ebuild, notebook-9999.ebuild:
+ dev-python/notebook: Security fixes http://seclists.org/oss-sec/2015/q3/558
+ https://bugs.gentoo.org/show_bug.cgi?id=560708
+
  07 Sep 2015; Marius Brehler notebook-9999.ebuild:
  dev-python/notebook: Fix deps, >=mathjax-2.4 required
 
diff --git a/dev-python/notebook/files/notebook-4.0.4-Don-t-redirect-from-edit-to-files.patch b/dev-python/notebook/files/notebook-4.0.4-Don-t-redirect-from-edit-to-files.patch
new file mode 100644
index 000000000..76d0e61e4
--- /dev/null
+++ b/dev-python/notebook/files/notebook-4.0.4-Don-t-redirect-from-edit-to-files.patch
@@ -0,0 +1,55 @@
+Upstream patch to fix
+"Maliciously crafted text files in IPython/Jupyter editor".
+
+http://seclists.org/oss-sec/2015/q3/558
+https://bugs.gentoo.org/show_bug.cgi?id=560708
+
+
+From 23162fd2895ad7445fdbe095b8fc8633d95ec6e6 Mon Sep 17 00:00:00 2001
+From: Min RK
+Date: Mon, 20 Jul 2015 12:11:23 -0700
+Subject: [PATCH 4/4] Don't redirect from /edit/ to /files/
+
+show failure to decode, instead
+---
+ notebook/static/edit/js/editor.js | 15 +++------------
+ 1 file changed, 3 insertions(+), 12 deletions(-)
+
+diff --git a/notebook/static/edit/js/editor.js b/notebook/static/edit/js/editor.js
+index ddbc2de..421fa57 100644
+--- a/notebook/static/edit/js/editor.js
++++ b/notebook/static/edit/js/editor.js
+@@ -90,19 +90,10 @@ function($,
+ }).catch(
+ function(error) {
+ that.events.trigger("file_load_failed.Editor", error);
+- if (((error.xhr||{}).responseJSON||{}).reason === 'bad format') {
+- window.location = utils.url_path_join(
+- that.base_url,
+- 'files',
+- that.file_path
+- );
+- } else {
+- console.warn('Error while loading: the error was:')
+- console.warn(error)
+- }
++ console.warn('Error loading: ', error);
+ cm.setValue("Error! " + error.message +
+ "\nSaving disabled.\nSee Console for more details.");
+- cm.setOption('readOnly','nocursor')
++ cm.setOption('readOnly','nocursor');
+ that.save_enabled = false;
+ }
+ );
+@@ -186,7 +177,7 @@ function($,
+ Editor.prototype._clean_state = function(){
+ var clean = this.codemirror.isClean(this.generation);
+ if (clean === this.clean){
+- return
+ return;
+ } else {
+ this.clean = clean;
+ }
+--
+2.4.6
+
diff --git a/dev-python/notebook/files/notebook-4.0.4-only-redirect-to-editor-for-text-documents.patch b/dev-python/notebook/files/notebook-4.0.4-only-redirect-to-editor-for-text-documents.patch
new file mode 100644
index 000000000..899cd3165
--- /dev/null
+++ b/dev-python/notebook/files/notebook-4.0.4-only-redirect-to-editor-for-text-documents.patch
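Review bot: Nothing in the new catch block records why the `bad format` redirect to `/files/` was dropped, and because the reason is a security fix rather than cleanup, a later maintainer could reintroduce it as a usability improvement; a comment such as `// deliberately no redirect to /files/ on decode failure (see oss-sec 2015/q3/558); the error is shown in the editor instead` next to the new `console.warn` would pin that down. Presumably the redirect was a problem because the raw `/files/` viewer serves the content in the notebook's own origin, but the hunk itself does not say so. In the second hunk the added `return;` line is shown with a single `+` where a nested patch needs `++`, which makes that inner hunk's `-7,+7` counts not add up; this is probably a transcription artifact of this page rather than of the file under `files/`, but it is worth confirming the patch applies cleanly. The enclosing `load` callback and `_clean_state` both start and end outside the hunk.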
@@ -0,0 +1,38 @@
+Upstream patch to fix
+"Maliciously crafted text files in IPython/Jupyter editor".
+
+http://seclists.org/oss-sec/2015/q3/558
+https://bugs.gentoo.org/show_bug.cgi?id=560708
+
+
+From 4f0b3b8c10811d460efc67cf61e9f4df83d2a0a7 Mon Sep 17 00:00:00 2001
+From: Min RK
+Date: Mon, 20 Jul 2015 12:11:04 -0700
+Subject: [PATCH 3/4] only redirect to editor for text documents
+
+treat unidentified mime-types as text
+---
+ notebook/static/tree/js/notebooklist.js | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/notebook/static/tree/js/notebooklist.js b/notebook/static/tree/js/notebooklist.js
+index 6308d7f..0b71f42 100644
+--- a/notebook/static/tree/js/notebooklist.js
++++ b/notebook/static/tree/js/notebooklist.js
+@@ -536,6 +536,13 @@ define([
+ icon = 'running_' + icon;
+ }
+ var uri_prefix = NotebookList.uri_prefixes[model.type];
++ if (model.type === 'file' &&
++ model.mimetype && model.mimetype.substr(0,5) !== 'text/'
++ ) {
++ // send text/unidentified files to editor, others go to raw viewer
++ uri_prefix = 'files';
++ }
++
+ item.find(".item_icon").addClass(icon).addClass('icon-fixed-width');
+ var link = item.find("a.item_link")
+ .attr('href',
+--
+2.4.6
+
diff --git a/dev-python/notebook/files/notebook-4.0.4-set-mime-type-on-files.patch b/dev-python/notebook/files/notebook-4.0.4-set-mime-type-on-files.patch
new file mode 100644
index 000000000..055685f8e
--- /dev/null
+++ b/dev-python/notebook/files/notebook-4.0.4-set-mime-type-on-files.patch
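Review bot: The prefix test `model.mimetype.substr(0,5) !== 'text/'` routes every file with a known non-`text/*` mimetype to the raw `/files/` viewer, which presumably includes editable formats such as `application/json` or `application/javascript` that the editor handled before; if that is not intended, this branch needs a small allow-list of text-like `application/*` types in addition to the prefix check. The comment inside the new branch describes the case the branch does not handle; `// only text/* or unidentified files open in the editor; anything else goes to the raw /files/ viewer` placed above the `if` would read correctly. `substr` is a non-standard method; `model.mimetype.indexOf('text/') !== 0` expresses the same check. The enclosing function starts and ends outside the hunk.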
@@ -0,0 +1,35 @@
+Upstream patch to fix
+"Maliciously crafted text files in IPython/Jupyter editor".
+
+http://seclists.org/oss-sec/2015/q3/558
+https://bugs.gentoo.org/show_bug.cgi?id=560708
+
+
+From 6ec427b5234bfc6c97065f130f762aee8ee67df4 Mon Sep 17 00:00:00 2001
+From: Min RK
+Date: Mon, 20 Jul 2015 12:10:10 -0700
+Subject: [PATCH 1/4] set mime-type on /files/
+
+---
+ notebook/files/handlers.py | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/notebook/files/handlers.py b/notebook/files/handlers.py
+index def3ec6..9d27261 100644
+--- a/notebook/files/handlers.py
++++ b/notebook/files/handlers.py
+@@ -40,6 +40,11 @@ class FilesHandler(IPythonHandler):
+ cur_mime = mimetypes.guess_type(name)[0]
+ if cur_mime is not None:
+ self.set_header('Content-Type', cur_mime)
++ else:
++ if model['format'] == 'base64':
++ self.set_header('Content-Type', 'application/octet-stream')
++ else:
++ self.set_header('Content-Type', 'text/plain')
+
+ if model['format'] == 'base64':
+ b64_bytes = model['content'].encode('ascii')
+--
+2.4.6
+
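Review bot: The fallback sets a bare `text/plain` with no `charset`, and nothing in this hunk sets `X-Content-Type-Options`, so a browser may still sniff the body of an unrecognised file served from the notebook's own origin; adding `self.set_header('X-Content-Type-Options', 'nosniff')` alongside the Content-Type header (and `'text/plain; charset=utf-8'` for the text case, if the content is decoded as UTF-8 upstream) closes that gap. The override only applies when `mimetypes.guess_type` returns None, so a file whose extension maps to `text/html` or `image/svg+xml` is still served with that type; that may be intentional but is worth a comment, e.g. `# only files with no guessable type are forced to a safe default`. The nested `if`/`else` can be flattened to `elif model['format'] == 'base64':` for readability. The enclosing `get` method starts and ends outside the hunk.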
@@ -0,0 +1,64 @@
+Upstream patch to fix
+"Maliciously crafted text files in IPython/Jupyter editor".
+
+http://seclists.org/oss-sec/2015/q3/558
+https://bugs.gentoo.org/show_bug.cgi?id=560708
+
+
+From f64aa490e3574ee2c2b504d0e0b39641c709a34f Mon Sep 17 00:00:00 2001
+From: Min RK
+Date: Mon, 20 Jul 2015 12:10:25 -0700
+Subject: [PATCH 2/4] set model mimetype, even when content=False
+
+---
+ notebook/services/contents/filemanager.py | 12 +++++++-----
+ notebook/services/contents/handlers.py | 3 ---
+ 2 files changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/notebook/services/contents/filemanager.py b/notebook/services/contents/filemanager.py
+index ff8ac7d..637ff52 100644
+--- a/notebook/services/contents/filemanager.py
++++ b/notebook/services/contents/filemanager.py
+@@ -278,18 +278,20 @@ class FileContentsManager(FileManagerMixin, ContentsManager):
+ model['type'] = 'file'
+
+ os_path = self._get_os_path(path)
++ model['mimetype'] = mimetypes.guess_type(os_path)[0]
+
+ if content:
+ content, format = self._read_file(os_path, format)
+- default_mime = {
+- 'text': 'text/plain',
+- 'base64': 'application/octet-stream'
+- }[format]
++ if model['mimetype'] is None:
++ default_mime = {
++ 'text': 'text/plain',
++ 'base64': 'application/octet-stream'
++ }[format]
++ model['mimetype'] = default_mime
+
+ model.update(
+ content=content,
+ format=format,
+- mimetype=mimetypes.guess_type(os_path)[0] or default_mime,
+ )
+
+ return model
+diff --git a/notebook/services/contents/handlers.py b/notebook/services/contents/handlers.py
+index 2a0a4cc..521aae5 100644
+--- a/notebook/services/contents/handlers.py
++++ b/notebook/services/contents/handlers.py
+@@ -55,9 +55,6 @@ def validate_model(model, expect_content):
+ )
+
+ maybe_none_keys = ['content', 'format']
+- if model['type'] == 'file':
+- # mimetype should be populated only for file models
+- maybe_none_keys.append('mimetype')
+ if expect_content:
+ errors = [key for key in maybe_none_keys if model[key] is None]
+ if errors:
+--
+2.4.6
+
diff --git a/dev-python/notebook/notebook-4.0.4-r2.ebuild b/dev-python/notebook/notebook-4.0.4-r2.ebuild
deleted file mode 120000
index 1a1451df1..000000000
--- a/dev-python/notebook/notebook-4.0.4-r2.ebuild
+++ /dev/null
@@ -1 +0,0 @@
-notebook-9999.ebuild
\ No newline at end of file
diff --git a/dev-python/notebook/notebook-4.0.4-r3.ebuild b/dev-python/notebook/notebook-4.0.4-r3.ebuild
new file mode 100644
index 000000000..810d19466
--- /dev/null
+++ b/dev-python/notebook/notebook-4.0.4-r3.ebuild
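Review bot: Dropping `mimetype` from `maybe_none_keys` in `validate_model` removes the only server-side check that a file model returned with content carries a mimetype; `FileContentsManager` now always fills it in, but any other `ContentsManager` backend is no longer held to that contract. Presumably the key had to go because the non-content branch of `validate_model` (outside the hunk) rejects populated `maybe_none_keys`, which a mimetype set even when `content=False` would now trip; if so, `if expect_content and model['type'] == 'file': maybe_none_keys.append('mimetype')` keeps the content-side check without affecting that branch. In `_file_model`, `model['mimetype']` stays None for an unknown extension when `content` is False, which the tree listing patch in this series treats as text; a one-line comment at the new assignment stating that None is a legitimate value would save the next reader the cross-reference. Both `_file_model` and `validate_model` continue outside the hunk.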
@@ -0,0 +1,92 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+PYTHON_COMPAT=( python2_7 python{3_3,3_4} )
+
+inherit distutils-r1
+
+DESCRIPTION="Jupyter Interactive Notebook"
+HOMEPAGE="http://jupyter.org"
+SRC_URI="mirror://pypi/${PN:0:1}/${PN}/${P}.tar.gz"
+KEYWORDS="~amd64"
+
+LICENSE="BSD"
+SLOT="0"
+IUSE="doc test"
+RDEPEND="
+ >=dev-libs/mathjax-2.4
+ dev-python/jinja[${PYTHON_USEDEP}]
+ >=dev-python/terminado-0.3.3[${PYTHON_USEDEP}]
+ >=www-servers/tornado-4.0[${PYTHON_USEDEP}]
+ dev-python/ipython_genutils[${PYTHON_USEDEP}]
+ dev-python/traitlets[${PYTHON_USEDEP}]
+ dev-python/jupyter_core[${PYTHON_USEDEP}]
+ dev-python/jupyter_client[${PYTHON_USEDEP}]
+ dev-python/nbformat[${PYTHON_USEDEP}]
+ dev-python/nbconvert[${PYTHON_USEDEP}]
+ dev-python/ipykernel[${PYTHON_USEDEP}]
+ "
+DEPEND="${RDEPEND}
+ dev-python/setuptools[${PYTHON_USEDEP}]
+ test? (
+ $(python_gen_cond_dep 'dev-python/mock[${PYTHON_USEDEP}]' python2_7)
+ >=dev-python/nose-0.10.1[${PYTHON_USEDEP}]
+ dev-python/requests[${PYTHON_USEDEP}]
+ dev-python/coverage[${PYTHON_USEDEP}]
+ )
+ doc? (
+ app-text/pandoc
+ >=dev-python/ipython-4.0.0[${PYTHON_USEDEP}]
+ >=dev-python/sphinx-1.1[${PYTHON_USEDEP}]
+ )
+ "
+
+PATCHES=(
+ "${FILESDIR}/${P}"-set-mime-type-on-files.patch
+ "${FILESDIR}/${P}"-set-model-mimetype-even-when-content-False.patch
+ "${FILESDIR}/${P}"-only-redirect-to-editor-for-text-documents.patch
+ "${FILESDIR}/${P}"-Don-t-redirect-from-edit-to-files.patch
+)
+
+python_prepare_all() {
+ sed \
+ -e "/import setup/s:$:\nimport setuptools:g" \
+ -i setup.py || die
+
+ # disable bundled mathjax
+ sed -i 's/^.*MathJax.*$//' bower.json || die
+ sed -i 's/mj(/#mj(/' setupbase.py || die
+
+ # Prevent un-needed download during build
+ if use doc; then
+ sed -e "/^ 'sphinx.ext.intersphinx',/d" -i docs/source/conf.py || die
+ fi
+
+ distutils-r1_python_prepare_all
+}
+
+python_compile_all() {
+ use doc && emake -C docs html
+}
+
+python_test() {
+ nosetests --with-coverage --cover-package=notebook notebook || die
+}
+
+python_install() {
+ distutils-r1_python_install
+
+ ln -sf "${EPREFIX}/usr/share/mathjax" "${D}$(python_get_sitedir)/notebook/static/components/MathJax" || die
+}
+
+python_install_all() {
+ use doc && HTML_DOCS=( docs/build/html/. )
+ distutils-r1_python_install_all
+}
+
+pkg_preinst() {
+ # remove old mathjax folder if present
+ rm -rf "${EROOT}"/usr/lib*/python*/site-packages/notebook/static/components/MathJax
+}
-- cgit v1.2.3-65-gdbad
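Review bot: `pkg_preinst` removes `${EROOT}/usr/lib*/python*/site-packages/notebook/static/components/MathJax` through an unanchored glob, which deletes that path under every installed Python implementation, including ones outside `PYTHON_COMPAT`, and does so behind the package manager's back rather than through the normal unmerge of the previous revision; if the only goal is to make room for the `MathJax` symlink that `python_install` creates, the comment should say so and the removal should be limited to the implementations being installed, e.g. `# an earlier revision installed a real MathJax directory here; a directory would block the symlink created in python_install from being merged`. The `PATCHES` array carries no reference to what the four backports fix; a line such as `# security fixes, see https://bugs.gentoo.org/show_bug.cgi?id=560708` above it would tie them to the bug and to the upstream 1/4–4/4 ordering they must keep. `sed -i 's/^.*MathJax.*$//' bower.json` blanks whole lines in a JSON file, which presumably leaves a dangling comma for the build's bower step to tolerate; a comment noting that this is accepted would stop a reviewer from flagging it again.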