kumquat-buildroot/package/python-web2py/python-web2py.mk
Fabrice Fontaine 30cb3d784c package/python-web2py: security bump to version 2.26.1
Fix CVE-2023-45158: An OS command injection vulnerability exists in
web2py 2.24.1 and earlier. When the product is configured to use
notifySendHandler for logging (not the default configuration), a crafted
web request may execute an arbitrary OS command on the web server using
the product.

https://jvn.jp/en/jp/JVN80476432
https://github.com/web2py/web2py/compare/v2.24.1...v2.26.1

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-11-01 21:54:55 +01:00


################################################################################
#
# python-web2py
#
################################################################################
# Upstream release, fetched from GitHub by tag (v<version>). 2.26.1 is a
# security bump: per the commit message it picks up the fix for CVE-2023-45158,
# an OS command injection reachable when notifySendHandler is configured for
# logging in web2py 2.24.1 and earlier.
# NOTE(review): the package's .hash file is not visible here; confirm it was
# updated for the new tarball so the download is still integrity-checked.
PYTHON_WEB2PY_VERSION = 2.26.1
PYTHON_WEB2PY_SITE = $(call github,web2py,web2py,v$(PYTHON_WEB2PY_VERSION))
PYTHON_WEB2PY_LICENSE = LGPL-3.0
PYTHON_WEB2PY_LICENSE_FILES = LICENSE
# CPE vendor/product identify this package for CVE matching; keep them in step
# with the upstream CPE entry so a later advisory is not missed.
PYTHON_WEB2PY_CPE_ID_VENDOR = web2py
PYTHON_WEB2PY_CPE_ID_PRODUCT = web2py
# python3 is the target runtime. The host-side packages are presumably needed
# because PYTHON_WEB2PY_GENERATE_PASSWORD imports gluon with the host
# interpreter at build time -- TODO confirm.
PYTHON_WEB2PY_DEPENDENCIES = host-python3 python3 \
host-python-pydal host-python-yatl
# Paths left out of the copy to the target: each entry becomes an --exclude=
# option of the rsync in PYTHON_WEB2PY_INSTALL_TARGET_CMDS. Leaving out the
# example and welcome applications, the docs and the helper scripts keeps code
# that is not needed at runtime off the device.
# NOTE(review): the patterns have no leading '/', and rsync matches an
# unanchored pattern at any depth, so names such as 'examples', 'docs',
# 'scripts' or 'Makefile' are also dropped inside subdirectories. Confirm that
# is intended, or anchor the entries with a leading '/'.
PYTHON_WEB2PY_EXCLUSIONS = \
welcome.w2p \
applications/examples \
applications/welcome \
deposit \
docs \
examples \
extras \
handlers \
scripts \
ABOUT \
anyserver.py \
CHANGELOG \
Makefile \
MANIFEST.in \
README.markdown \
setup.py \
tox.ini
# Post-build hook, registered only when the admin application is installed.
# It runs the host Python with the web2py source tree $(@D) as working
# directory and calls gluon.main.save_password() with the configured password
# and the port number 8000.
# NOTE(review): presumably this stores the admin password (hashed) in a
# per-port parameters file inside $(@D), which the rsync then copies to the
# target. Confirm against gluon/main.py, and check that 8000 is the port used
# by S51web2py and web2py.service.
# NOTE(review): the Kconfig string is pasted as-is into Python source inside a
# single-quoted shell word. A password containing a single quote ends the shell
# quoting, and backslash sequences are interpreted by Python, so the command
# can break or the stored password can differ from the configured one. The
# expanded command, cleartext password included, is also likely echoed to the
# build log. Passing the value through the environment and reading it with
# os.environ in the Python snippet would avoid both.
define PYTHON_WEB2PY_GENERATE_PASSWORD
$(HOST_DIR)/bin/python -c 'import os; \
os.chdir("$(@D)"); \
from gluon.main import save_password; \
save_password($(BR2_PACKAGE_PYTHON_WEB2PY_PASSWORD),8000)'
endef
# The admin application is opt-in. When it is selected, the password hook runs
# after the build so the installed admin app has a password set. When it is
# not selected, applications/admin is added to the rsync exclusions and never
# reaches the target, which removes the administrative web interface from the
# device's attack surface.
ifeq ($(BR2_PACKAGE_PYTHON_WEB2PY_INSTALL_ADMIN),y)
PYTHON_WEB2PY_POST_BUILD_HOOKS += PYTHON_WEB2PY_GENERATE_PASSWORD
else
PYTHON_WEB2PY_EXCLUSIONS += applications/admin
endif
# Target install: create /var/www/web2py in the target tree and copy the whole
# source tree $(@D) into it with rsync -a, passing one --exclude= option per
# entry of PYTHON_WEB2PY_EXCLUSIONS. Anything not listed there is shipped,
# including files created in $(@D) by the post-build hooks.
define PYTHON_WEB2PY_INSTALL_TARGET_CMDS
mkdir -p $(TARGET_DIR)/var/www/web2py
rsync -a $(@D)/ $(TARGET_DIR)/var/www/web2py/ \
$(addprefix --exclude=,$(PYTHON_WEB2PY_EXCLUSIONS))
endef
# SysV init: install the package's S51web2py start script as an executable
# (mode 0755) file under /etc/init.d, creating the directory if needed (-D).
# NOTE(review): the script itself is not visible here; the account the server
# is started under and the address/port it binds to are decided there.
define PYTHON_WEB2PY_INSTALL_INIT_SYSV
$(INSTALL) -m 0755 -D package/python-web2py/S51web2py \
$(TARGET_DIR)/etc/init.d/S51web2py
endef
# systemd: install the package's web2py.service unit, non-executable (mode
# 0644), under /usr/lib/systemd/system, creating the directory if needed (-D).
# NOTE(review): the unit file is not visible here; check there which User= and
# which sandboxing options the service runs with.
define PYTHON_WEB2PY_INSTALL_INIT_SYSTEMD
$(INSTALL) -D -m 0644 package/python-web2py/web2py.service \
$(TARGET_DIR)/usr/lib/systemd/system/web2py.service
endef
# web2py uses the www-data user and group. Buildroot's skeleton already
# defines both, so they do not need to be declared again here.
# See system/skeleton/etc/passwd
# username: www-data uid: 33
# groupname: www-data gid: 33
#
# So we only need to give the directories used by web2py the right ownership.
# The entry below is a permission-table line: path, type 'r' (recursive),
# mode 750, uid 33, gid 33; the remaining device fields are unused ('-').
# Mode 750 leaves no access for other users.
# NOTE(review): because the entry is recursive, every installed file ends up
# owned by www-data and owner-writable, the framework code under gluon/
# included, so a compromise of the web process could rewrite the code it runs.
# Confirm whether only the application data directories need to be writable
# and the rest could stay owned by root.
define PYTHON_WEB2PY_PERMISSIONS
/var/www/web2py r 750 33 33 - - - - -
endef
# Hand the PYTHON_WEB2PY_* variables defined above to Buildroot's
# generic-package infrastructure, which generates the actual build rules.
# This must remain the last statement of the file.
$(eval $(generic-package))