From be8320718ce02583374df5312502490f0bd7e8a7 Mon Sep 17 00:00:00 2001
From: "Jason R. Coombs"
Date: Fri, 21 Jun 2013 23:11:41 -0400
Subject: Issue a UserWarning when the egg cache directory is likely to be vulnerable to security issues per #375.
--HG--
branch : distribute
---
pkg_resources.py | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
diff --git a/pkg_resources.py b/pkg_resources.py
index f8de449e..50e4ce9b 100644
--- a/pkg_resources.py
+++ b/pkg_resources.py
@@ -14,6 +14,8 @@ method.
"""
import sys, os, zipimport, time, re, imp, types
+import warnings
+import stat
from urlparse import urlparse, urlunparse
try:
@@ -987,6 +989,7 @@ variable to point to an accessible directory.
extract, as it tracks the generated names for possible cleanup later.
"""
extract_path = self.extraction_path or get_default_cache()
+ self._warn_unsafe_extraction(extract_path)
target_path = os.path.join(extract_path, archive_name+'-tmp', *names)
try:
_bypass_ensure_directory(target_path)
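Review bot: The added call `self._warn_unsafe_extraction(extract_path)` does not match the name of the method the next hunk defines, `warn_unsafe_extraction_path`, so get_cache_path would raise AttributeError on its first use; the call and the definition need one spelling, e.g. `self._warn_unsafe_extraction_path(extract_path)` with the staticmethod renamed to match (the follow-up commit "Also protect against group-writable files" keeps the mismatch). The call is also placed before `_bypass_ensure_directory(target_path)`, so on a first run against a cache directory that does not exist yet the `os.stat(path)` inside the helper would presumably fail with OSError instead of warning; moving the call after the try block that creates the directory avoids that. get_cache_path continues outside the hunk.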
@@ -996,6 +999,28 @@ variable to point to an accessible directory.
self.cached_files[target_path] = 1
return target_path
+ @staticmethod
+ def warn_unsafe_extraction_path(path):
+ """
+ If the default extraction path is overridden and set to an insecure
+ location, such as /tmp, it opens up an opportunity for an attacker to
+ replace an extracted file with an unauthorized payload. Warn the user
+ if a known insecure location is used.
+
+ See Distribute #375 for more details.
+ """
+ if os.name == 'nt' and not path.startswith(os.environ['windir']):
+ # On Windows, permissions are generally restrictive by default
+ # and temp directories are not writable by other users, so
+ # bypass the warning.
+ return
+ mode = os.stat(path).st_mode
+ if mode & stat.S_IWOTH:
+ msg = ("%s is writable by others and vulnerable to attack when "
+ "used with get_resource_filename. Consider a more secure "
+ "location (set with .set_extraction_path or the "
+ "PYTHON_EGG_CACHE environment variable)." % path)
+ warnings.warn(msg, UserWarning)
-- cgit v1.2.3
From 7e8c32eeda9db5eab02e30ee4528c8c8674e57c5 Mon Sep 17 00:00:00 2001
From: "Jason R. Coombs"
Date: Mon, 24 Jun 2013 05:18:05 -0400
Subject: Also protect against group-writable files
--HG--
branch : distribute
---
pkg_resources.py | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/pkg_resources.py b/pkg_resources.py
index 50e4ce9b..69e53ebd 100644
--- a/pkg_resources.py
+++ b/pkg_resources.py
@@ -1015,8 +1015,9 @@ variable to point to an accessible directory.
# bypass the warning.
return
mode = os.stat(path).st_mode
- if mode & stat.S_IWOTH:
- msg = ("%s is writable by others and vulnerable to attack when "
+ if mode & stat.S_IWOTH or mode & stat.S_IWGRP:
+ msg = ("%s is writable by group/others and vulnerable to attack "
+ "when "
"used with get_resource_filename. Consider a more secure "
"location (set with .set_extraction_path or the "
"PYTHON_EGG_CACHE environment variable)." % path)
-- cgit v1.2.3
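Review bot: `os.environ['windir']` in the Windows branch of warn_unsafe_extraction_path raises KeyError when that variable is absent, which turns a best-effort warning into a hard failure on the extraction path; the comparison is also case-sensitive although Windows paths are not, so `C:\Windows` and `c:\windows` would be judged differently. A safer shape is `windir = os.environ.get('windir')` followed by `if os.name == 'nt' and (windir is None or not os.path.normcase(path).startswith(os.path.normcase(windir))):` and `return`, which keeps the documented "bypass on Windows" behaviour when the variable is missing. Separately, the check inspects only the mode bits of the leaf directory; it does not look at ownership or at parent components, so a parent that is writable by others would presumably allow the same substitution without triggering the warning — worth a sentence in the docstring so readers do not take the check as complete.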
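Review bot: The new condition `if mode & stat.S_IWOTH or mode & stat.S_IWGRP:` reads more directly as one mask test, `if mode & (stat.S_IWOTH | stat.S_IWGRP):`, and the lone `"when "` fragment the message split leaves on its own line would be clearer folded back into the preceding literal so the implicit concatenation stays one clause per line. The message text itself ("writable by group/others") matches the widened check, so only the shape of the code is at issue here.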
From 1ba56e8ddabe69b7837307f260a6b5e2f1c0b7c2 Mon Sep 17 00:00:00 2001
From: "Jason R. Coombs"
Date: Sat, 29 Jun 2013 10:06:53 -0400
Subject: Update changelog
--HG--
branch : distribute
---
CHANGES.txt | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/CHANGES.txt b/CHANGES.txt
index 377dc8a5..42a5c3af 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -2,6 +2,14 @@ CHANGES
=======
+------
+0.6.46
+------
+
+* Issue #375: Issue a warning if the PYTHON_EGG_CACHE or otherwise
+ customized egg cache location specifies a directory that's group- or
+ world-writable.
+
------
0.6.39
------
-- cgit v1.2.3
From 6d6dddc57e58e2387930040dfb56dd270408cb24 Mon Sep 17 00:00:00 2001
From: Arfrever Frehtes Taifersar Arahesis
Date: Thu, 20 Jun 2013 10:03:23 +0200
Subject: Add support for SETUPTOOLS_DISABLE_VERSIONED_EASY_INSTALL_SCRIPT variable. Support for old DISTRIBUTE_DISABLE_VERSIONED_EASY_INSTALL_SCRIPT variable is kept temporarily for backward compatibility.
--HG--
extra : source : eb58c3fe7c0881cbb28de1c523f083ad8e7f427d
---
setup.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/setup.py b/setup.py
index 8986e949..fcf61e75 100755
--- a/setup.py
+++ b/setup.py
@@ -55,7 +55,8 @@ from setuptools.command.test import test as _test
scripts = []
console_scripts = ["easy_install = setuptools.command.easy_install:main"]
-if os.environ.get("DISTRIBUTE_DISABLE_VERSIONED_EASY_INSTALL_SCRIPT") is None:
+if os.environ.get("SETUPTOOLS_DISABLE_VERSIONED_EASY_INSTALL_SCRIPT") in (None, "", "0") and \
+ os.environ.get("DISTRIBUTE_DISABLE_VERSIONED_EASY_INSTALL_SCRIPT") in (None, "", "0"):
console_scripts.append("easy_install-%s = setuptools.command.easy_install:main" % sys.version[:3])
# specific command that is used to generate windows .exe files
-- cgit v1.2.3
From d259c91f17d0bf9a0ac91d61d0ea0c0b5e7f618f Mon Sep 17 00:00:00 2001
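Review bot: The replacement test in setup.py quietly changes what the old variable means: the removed line treated any set value, including an empty string, as "disable" (`is None`), whereas the new `in (None, "", "0")` test treats `DISTRIBUTE_DISABLE_VERSIONED_EASY_INSTALL_SCRIPT=""` as not set, so an existing user who exported it empty now gets the versioned script back. If that is intended it deserves a mention in the commit message; if not, the old variable should keep its `is None` semantics. The two near-identical lookups would also read better as one expression, `_DISABLE_VARS = ("SETUPTOOLS_DISABLE_VERSIONED_EASY_INSTALL_SCRIPT", "DISTRIBUTE_DISABLE_VERSIONED_EASY_INSTALL_SCRIPT")` followed by `if all(os.environ.get(v) in (None, "", "0") for v in _DISABLE_VARS):`, which also removes the backslash continuation.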
From: "Jason R. Coombs"
Date: Sat, 29 Jun 2013 10:40:04 -0400
Subject: update changelog
---
CHANGES.txt | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/CHANGES.txt b/CHANGES.txt
index 4036e949..e4fcc37e 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -7,6 +7,10 @@ CHANGES
-----
* Issue #21: Restore Python 2.4 compatibility in ``test_easy_install``.
+* Distribute #375: Merged additional warning from Distribute 0.6.46.
+* Now honor the environment variable
+ ``SETUPTOOLS_DISABLE_VERSIONED_EASY_INSTALL_SCRIPT`` in addition to the now
+ deprecated ``DISTRIBUTE_DISABLE_VERSIONED_EASY_INSTALL_SCRIPT``.
-----
0.7.4
-- cgit v1.2.3
From f5a609f696a9fdc85cefd09f97865282fa341631 Mon Sep 17 00:00:00 2001
From: "Jason R. Coombs"
Date: Sat, 29 Jun 2013 10:47:03 -0400
Subject: Add comment to capture the purpose of the environment variable
---
setup.py | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/setup.py b/setup.py
index fcf61e75..cb0ce012 100755
--- a/setup.py
+++ b/setup.py
@@ -55,6 +55,10 @@ from setuptools.command.test import test as _test
scripts = []
console_scripts = ["easy_install = setuptools.command.easy_install:main"]
+
+# Gentoo distributions manage the python-version-specific scripts themselves,
+# so they define an environment variable to suppress the creation of the
+# version-specific scripts.
if os.environ.get("SETUPTOOLS_DISABLE_VERSIONED_EASY_INSTALL_SCRIPT") in (None, "", "0") and \
os.environ.get("DISTRIBUTE_DISABLE_VERSIONED_EASY_INSTALL_SCRIPT") in (None, "", "0"):
console_scripts.append("easy_install-%s = setuptools.command.easy_install:main" % sys.version[:3])
-- cgit v1.2.3
From 0c7de199c1a686ba1577ceb5bfce8ac43667faf7 Mon Sep 17 00:00:00 2001
From: "Jason R. Coombs"
Date: Sat, 29 Jun 2013 10:53:50 -0400
Subject: Added tag 0.7.5 for changeset dd5bbc116c53
---
.hgtags | 1 +
1 file changed, 1 insertion(+)
diff --git a/.hgtags b/.hgtags
index 1cc2fd48..f67224cd 100644
--- a/.hgtags
+++ b/.hgtags
@@ -64,3 +64,4 @@ ddca71ae5ceb9b14512dc60ea83802c10e224cf0 0.6.45
d04c05f035e3a5636006fc34f4be7e6c77035d17 0.7.2
d212e48e0cef689acba57ed017289c027660b23c 0.7.3
85640475dda0621f20e11db0995fa07f51744a98 0.7.4
+dd5bbc116c53d3732d22f983e7ca6d8cfabd3b08 0.7.5
-- cgit v1.2.3
From b99749aa06cc7c235cb456a81ad50187d701fc4c Mon Sep 17 00:00:00 2001
From: "Jason R. Coombs"
Date: Sat, 29 Jun 2013 10:54:10 -0400
Subject: Bumped to 0.7.6 in preparation for next release.
---
README.txt | 8 ++++----
docs/conf.py | 4 ++--
ez_setup.py | 2 +-
release.py | 2 +-
setup.py | 2 +-
setuptools/__init__.py | 2 +-
6 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/README.txt b/README.txt
index e0329345..bb57ea76 100755
--- a/README.txt
+++ b/README.txt
@@ -29,7 +29,7 @@ The recommended way to install setuptools on Windows is to download `ez_setup.py`_ and run it. The script will download the appropriate .egg file and install it for you.
-.. _ez_setup.py: https://bitbucket.org/pypa/setuptools/raw/0.7.5/ez_setup.py
+.. _ez_setup.py: https://bitbucket.org/pypa/setuptools/raw/0.7.6/ez_setup.py
For best results, uninstall previous versions FIRST (see `Uninstalling`_).
@@ -45,7 +45,7 @@ Unix-based Systems including Mac OS X Download `ez_setup.py`_ and run it using the target Python version. The script will download the appropriate version and install it for you::
- > wget https://bitbucket.org/pypa/setuptools/raw/0.7.5/ez_setup.py -O - | python
+ > wget https://bitbucket.org/pypa/setuptools/raw/0.7.6/ez_setup.py -O - | python
Note that you will may need to invoke the command with superuser privileges to install to the system Python.
@@ -53,7 +53,7 @@ install to the system Python. Alternatively, on Python 2.6 and later, Setuptools may be installed to a user-local path::
- > wget https://bitbucket.org/pypa/setuptools/raw/0.7.5/ez_setup.py
+ > wget https://bitbucket.org/pypa/setuptools/raw/0.7.6/ez_setup.py
> python ez_setup.py --user
@@ -66,7 +66,7 @@ tarball from `Setuptools on PyPI `_ and run setup.py with any supported distutils and Setuptools options. For example::
- setuptools-0.7.5$ python setup.py --prefix=/opt/setuptools
+ setuptools-0.7.6$ python setup.py --prefix=/opt/setuptools
Use ``--help`` to get a full options list, but we recommend consulting the `EasyInstall manual`_ for detailed instructions, especially `the section
diff --git a/docs/conf.py b/docs/conf.py
index 88d9540d..0cae1621 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -48,9 +48,9 @@ copyright = u'2009-2013, The fellowship of the packaging'
# built documents.
#
# The short X.Y version.
-version = '0.7.5'
+version = '0.7.6'
# The full version, including alpha/beta/rc tags.
-release = '0.7.5'
+release = '0.7.6'
# The language for content autogenerated by Sphinx. Refer to documentation
# for a list of supported languages.
diff --git a/ez_setup.py b/ez_setup.py
index a0aa1299..f68388f1 100644
--- a/ez_setup.py
+++ b/ez_setup.py
@@ -28,7 +28,7 @@ try:
except ImportError:
USER_SITE = None
-DEFAULT_VERSION = "0.7.5"
+DEFAULT_VERSION = "0.7.6"
DEFAULT_URL = "https://pypi.python.org/packages/source/s/setuptools/"
def _python_cmd(*args):
diff --git a/release.py b/release.py
index 8d2f0bc7..46f32bbc 100644
--- a/release.py
+++ b/release.py
@@ -22,7 +22,7 @@ try:
except Exception:
pass
-VERSION = '0.7.5'
+VERSION = '0.7.6'
PACKAGE_INDEX = 'https://pypi.python.org/pypi'
def set_versions():
diff --git a/setup.py b/setup.py
index cb0ce012..f2bd1fd5 100755
--- a/setup.py
+++ b/setup.py
@@ -46,7 +46,7 @@ exec(init_file.read(), d)
init_file.close()
SETUP_COMMANDS = d['__all__']
-VERSION = "0.7.5"
+VERSION = "0.7.6"
from setuptools import setup, find_packages
from setuptools.command.build_py import build_py as _build_py
diff --git a/setuptools/__init__.py b/setuptools/__init__.py
index 6be7006a..5920170b 100644
--- a/setuptools/__init__.py
+++ b/setuptools/__init__.py
@@ -8,7 +8,7 @@ from distutils.util import convert_path
import os
import sys
-__version__ = '0.7.5'
+__version__ = '0.7.6'
__all__ = [
'setup', 'Distribution', 'Feature', 'Command', 'Extension', 'Require',
'find_packages'
-- cgit v1.2.3