commit be1e1bb0034f94c09c1b00b63faf0cc1761d7182
Author: Xavier Lamien <laxathom(a)fedoraproject.org>
Date: Tue Mar 7 14:30:33 2017 +0100
Add hotfix on tgcaptcha2 to prevent code execution
files/hotfix/python-tgcaptcha2/model.py | 66 +++++++++++++++++++++++++++++++
roles/fas_server/tasks/main.yml | 9 ++++
2 files changed, 75 insertions(+), 0 deletions(-)
---
diff --git a/files/hotfix/python-tgcaptcha2/model.py
b/files/hotfix/python-tgcaptcha2/model.py
new file mode 100644
index 0000000..50b943a
--- /dev/null
+++ b/files/hotfix/python-tgcaptcha2/model.py
@@ -0,0 +1,66 @@
+from datetime import datetime
+import calendar
+import json
+import uuid
+
+
+class Captcha(object):
+ """Pertinent data about a Captcha.
+
+ Exposed properties are:
+ plaintext: (read/write) a string representing the text of the captcha
+ (i.e. what is it supposed to say)
+ created: (read only) the UTC date when the captcha was created. This
+ data is updated when the plaintext property is updated.
+
+ Exposed methods:
+ serialize(): returns a binary representation of the object
+ deseralize(obj): creates a Captcha object given the output of the
+ serialize() method. This is a classmethod.
+ """
+
+ _plaintext = None
+ _created = None # stored as UTC
+ _nonce = None
+
+ def __init__(self, plaintext=''):
+ super(Captcha, self).__init__()
+ self.plaintext = plaintext
+ self.label = None
+ self._nonce = uuid.uuid1().hex
+
+ def get_plaintext(self):
+ return self._plaintext
+
+ def set_plaintext(self, text):
+ self._plaintext = text
+ self._created = datetime.utcnow()
+
+ plaintext = property(get_plaintext, set_plaintext)
+ # def get_created(self):
+ # return self._created
+
+ c = lambda s: s._created
+
+ nonce = property(lambda s: s._nonce)
+ created = property(lambda s: s._created)
+
+ def serialize(self):
+ """Get a serialized binary representation of the
object."""
+ # Serializing to a tuple containing the data elements instead of
+ # just pickling the object is being done because the tuple
+ # pickle is much smaller than the pickled object itself.
+ secs = int(calendar.timegm(self.created.utctimetuple()))
+ t = (self.plaintext, secs, self.label, self.nonce)
+ return json.dumps(t)
+
+ def deserialize(cls, serialized_obj):
+ "Create a new Captcha object given output from the serialize method."
+ t = json.loads(serialized_obj)
+ scp = cls()
+ scp._plaintext = t[0]
+ scp._created = datetime.utcfromtimestamp(t[1])
+ scp.label = t[2]
+ scp._nonce = t[3]
+ return scp
+ deserialize = classmethod(deserialize)
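Review bot: `deserialize` indexes `t[0]` to `t[3]` and passes `t[1]` to `datetime.utcfromtimestamp()` straight after `json.loads(serialized_obj)`, with no check that the decoded value is a four-element list or that the timestamp is a number. Moving to JSON (presumably away from pickle, going by the commit title and the leftover comment) removes object construction from untrusted bytes, but a malformed payload can still raise TypeError, IndexError or ValueError here. Whether callers catch these, and whether the payload is authenticated before it reaches this method, is not visible in this file. A guard such as `if not isinstance(t, list) or len(t) != 4: raise ValueError("malformed captcha payload")`, plus a numeric check on `t[1]`, would make the failure mode explicit. The comment in `serialize()` still justifies the tuple by pickle size and the class docstring still says "binary representation"; both should state the format is JSON, e.g. `# Serialized as a JSON array; client-supplied data must never be unpickled.`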
diff --git a/roles/fas_server/tasks/main.yml b/roles/fas_server/tasks/main.yml
index f4499d4..ee04516 100644
--- a/roles/fas_server/tasks/main.yml
+++ b/roles/fas_server/tasks/main.yml
@@ -376,3 +376,12 @@
- fas
- hotfixfas
+- name: HOTFIX on tgcatpcha2's model to prevent code execution
+ copy: src={{ files}}/hotfix/python-tgcaptcha2/model.py
+ dest={{ pythonsitelib }}/tgcaptcha2/model.py
+ mode=644 owner=root group=root
+ when: master_fas_node = True
+ tags:
+ - fas
+ - hotfix-captcha2
+ - hostfix-fas
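Review bot: The condition `when: master_fas_node = True` uses a single `=`, which is not a comparison in a Jinja2 expression, so the task is likely to error or never apply the hotfix; `when: master_fas_node == True` or simply `when: master_fas_node` looks like what is meant. The last tag reads `hostfix-fas` while the preceding task is tagged `hotfixfas`, so a run limited to the existing tag would not select this task; `- hotfixfas` keeps them consistent. No `notify:` is visible on the task, so an already-running FAS process may keep the old model module loaded until it is restarted; it is worth confirming that a handler or restart follows. The two context lines at the top belong to a task that starts outside the hunk.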