diff options
author | Daniel Gryniewicz <dang@gentoo.org> | 2005-10-03 16:09:38 +0000 |
---|---|---|
committer | Daniel Gryniewicz <dang@gentoo.org> | 2005-10-03 16:09:38 +0000 |
commit | 5509ae9807515aa7227a8f4e4a0cca200ada48b5 (patch) | |
tree | 00aca966c80b0570dbf1adb6a2b45bfd86d96718 /app-office/dia/files | |
parent | Fixed #106032, #94899, #96202. (diff) | |
download | historical-5509ae9807515aa7227a8f4e4a0cca200ada48b5.tar.gz historical-5509ae9807515aa7227a8f4e4a0cca200ada48b5.tar.bz2 historical-5509ae9807515aa7227a8f4e4a0cca200ada48b5.zip |
Fix insecure python eval. Bug #107916
Package-Manager: portage-2.0.52-r1
Diffstat (limited to 'app-office/dia/files')
-rw-r--r-- | app-office/dia/files/dia-0.94-secure-eval.patch | 52 | ||||
-rw-r--r-- | app-office/dia/files/digest-dia-0.94-r3 | 1 |
2 files changed, 53 insertions, 0 deletions
diff --git a/app-office/dia/files/dia-0.94-secure-eval.patch b/app-office/dia/files/dia-0.94-secure-eval.patch new file mode 100644 index 000000000000..7126dc78838c --- /dev/null +++ b/app-office/dia/files/dia-0.94-secure-eval.patch @@ -0,0 +1,52 @@ +Index: plug-ins/python/diasvg_import.py +=================================================================== +--- plug-ins/python/diasvg_import.py (revision 7) ++++ plug-ins/python/diasvg_import.py (working copy) +@@ -54,6 +54,10 @@ + return (int(m.group(1)) / 255.0, int(m.group(2)) / 255.0, int(m.group(2)) / 255.0) + # any more ugly color definitions not compatible with pango_color_parse() ? + return string.strip(s) ++ ++def eval_secure(s): ++ return string.translate(s, string.maketrans("\"()", "___")) ++ + class Object : + def __init__(self) : + self.props = {"x" : 0, "y" : 0, "stroke" : "none"} +@@ -65,7 +69,8 @@ + sp2 = string.split(string.strip(s1), ":") + if len(sp2) == 2 : + try : +- eval("self." + string.replace(sp2[0], "-", "_") + "(\"" + string.strip(sp2[1]) + "\")") ++ eval("self." + eval_secure(string.replace(sp2[0], "-", "_")) + ++ "(\"" + eval_secure(string.strip(sp2[1])) + "\")") + except AttributeError : + self.props[sp2[0]] = string.strip(sp2[1]) + def x(self, s) : +@@ -282,7 +287,7 @@ + def CopyProps(self, dest) : + # to be used to inherit group props to childs _before_ they get their own + for p in self.props.keys() : +- sf = "dest." + string.replace(p, "-", "_") + "(\"" + str(self.props[p]) + "\")" ++ sf = "dest." + eval_secure(string.replace(p, "-", "_")) + "(\"" + eval_secure(str(self.props[p])) + "\")" + try : # accessor first + eval(sf) + except : +@@ -561,7 +566,7 @@ + o = Group() + stack.append(o) + else : +- s = string.capitalize(name) + "()" ++ s = eval_secure(string.capitalize(name)) + "()" + try : + o = eval(s) + except : +@@ -575,7 +580,7 @@ + ma = string.replace(a, "-", "_") + # e.g. xlink:href -> xlink__href + ma = string.replace(ma, ":", "__") +- s = "o." + ma + "(\"" + attrs[a] + "\")" ++ s = "o." + eval_secure(ma) + "(\"" + eval_secure(attrs[a]) + "\")" + try : + eval(s) + except AttributeError, msg : diff --git a/app-office/dia/files/digest-dia-0.94-r3 b/app-office/dia/files/digest-dia-0.94-r3 new file mode 100644 index 000000000000..a4366b0c6a35 --- /dev/null +++ b/app-office/dia/files/digest-dia-0.94-r3 @@ -0,0 +1 @@ +MD5 63584224912dab49fed8d2cf87ea2d85 dia-0.94.tar.bz2 3348869 |