30cb3d784c
Fix CVE-2023-45158: An OS command injection vulnerability exists in web2py 2.24.1 and earlier. When the product is configured to use notifySendHandler for logging (not the default configuration), a crafted web request may execute an arbitrary OS command on the web server using the product. https://jvn.jp/en/jp/JVN80476432 https://github.com/web2py/web2py/compare/v2.24.1...v2.26.1 Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
################################################################################
#
# python-web2py
#
################################################################################
# Upstream release to build. 2.26.1 is past the "2.24.1 and earlier" range
# affected by CVE-2023-45158 (OS command injection reachable when
# notifySendHandler is configured for logging).
PYTHON_WEB2PY_VERSION = 2.26.1

# The source archive is fetched from the web2py/web2py GitHub project at the
# tag named v<version>.
# NOTE(review): no checksum is visible in this file; confirm the package's
# hash file was refreshed for this version so the download stays pinned.
PYTHON_WEB2PY_SITE = $(call github,web2py,web2py,v$(PYTHON_WEB2PY_VERSION))

PYTHON_WEB2PY_LICENSE = LGPL-3.0
PYTHON_WEB2PY_LICENSE_FILES = LICENSE

# CPE vendor/product pair. Presumably consumed by CVE-matching tooling, so it
# has to stay aligned with how the upstream project is named in CVE data.
PYTHON_WEB2PY_CPE_ID_VENDOR = web2py
PYTHON_WEB2PY_CPE_ID_PRODUCT = web2py

# Packages that have to be built before this one; the host-* entries are
# build-machine tools, python3 is the target interpreter.
PYTHON_WEB2PY_DEPENDENCIES = \
	host-python3 \
	python3 \
	host-python-pydal \
	host-python-yatl
# Paths of the upstream tree that are not copied to the target. Each entry is
# handed to rsync as --exclude=<entry> by PYTHON_WEB2PY_INSTALL_TARGET_CMDS.
# Keeping them off the image also keeps code the deployment does not need out
# of /var/www/web2py.
# NOTE(review): entries without a slash (docs, scripts, Makefile, ...) are
# unanchored rsync patterns, so they presumably also drop same-named files or
# directories nested deeper in the tree, e.g. inside a shipped application.
# Prefix an entry with "/" if only the top-level path is meant.

# Welcome/examples application content (going by the names).
PYTHON_WEB2PY_EXCLUSIONS = welcome.w2p applications/examples applications/welcome

# Auxiliary directories.
PYTHON_WEB2PY_EXCLUSIONS += deposit docs examples extras handlers scripts

# Top-level project files.
PYTHON_WEB2PY_EXCLUSIONS += \
	ABOUT anyserver.py CHANGELOG Makefile MANIFEST.in README.markdown \
	setup.py tox.ini
# Post-build hook: with the host Python, change into the package build
# directory and call web2py's own gluon.main.save_password() with the
# configured admin password and port 8000.
#
# NOTE(review): the BR2 config value is pasted verbatim into the Python
# source, which itself sits inside a single-quoted shell argument. It is
# therefore parsed as code rather than data: a single quote in the password
# ends the shell string early, and the quoting of the value is whatever the
# config system emitted. Only build with a trusted .config.
# NOTE(review): the password literal is part of the command line, so it
# presumably appears in the echoed build output and in the process arguments
# while the hook runs. Handing it over through the environment would avoid
# both, but changes how the value is quoted, so it is left as is here.
define PYTHON_WEB2PY_GENERATE_PASSWORD
	$(HOST_DIR)/bin/python -c 'import os; os.chdir("$(@D)"); \
		from gluon.main import save_password; \
		save_password($(BR2_PACKAGE_PYTHON_WEB2PY_PASSWORD),8000)'
endef
# The admin application is opt-in. Unless the option is set to "y" it is added
# to the exclusion list and never reaches the target; when it is selected, the
# password-generation hook is registered to run after the build step.
ifneq ($(BR2_PACKAGE_PYTHON_WEB2PY_INSTALL_ADMIN),y)
PYTHON_WEB2PY_EXCLUSIONS += applications/admin
else
PYTHON_WEB2PY_POST_BUILD_HOOKS += PYTHON_WEB2PY_GENERATE_PASSWORD
endif
# Target install: create /var/www/web2py in the target tree and mirror the
# build directory into it, skipping every PYTHON_WEB2PY_EXCLUSIONS entry.
# rsync -a keeps the modes found in the build tree; final ownership and mode
# come from PYTHON_WEB2PY_PERMISSIONS.
# NOTE(review): anything a post-build hook wrote into the build directory is
# copied as well unless it is excluded; confirm that is intended for the
# output of the password hook.
define PYTHON_WEB2PY_INSTALL_TARGET_CMDS
	mkdir -p $(TARGET_DIR)/var/www/web2py
	rsync -a $(addprefix --exclude=,$(PYTHON_WEB2PY_EXCLUSIONS)) \
		$(@D)/ $(TARGET_DIR)/var/www/web2py/
endef
# SysV init: install the packaged S51web2py start script as
# /etc/init.d/S51web2py on the target, mode 0755 (-D creates missing parent
# directories).
# NOTE(review): the account the script starts web2py under is decided inside
# S51web2py, which is not visible here; confirm it matches the uid/gid 33
# ownership set in PYTHON_WEB2PY_PERMISSIONS.
define PYTHON_WEB2PY_INSTALL_INIT_SYSV
	$(INSTALL) -D -m 0755 package/python-web2py/S51web2py \
		$(TARGET_DIR)/etc/init.d/S51web2py
endef
# systemd: install the packaged unit file as
# /usr/lib/systemd/system/web2py.service on the target, mode 0644 (readable by
# all, not executable; -D creates missing parent directories).
# NOTE(review): the user the service runs as and any sandboxing directives
# live in web2py.service, which is not visible here; confirm they match the
# uid/gid 33 ownership set in PYTHON_WEB2PY_PERMISSIONS.
define PYTHON_WEB2PY_INSTALL_INIT_SYSTEMD
	$(INSTALL) -m 0644 -D package/python-web2py/web2py.service \
		$(TARGET_DIR)/usr/lib/systemd/system/web2py.service
endef
# web2py uses the www-data user and group. Buildroot's skeleton already
# provides both (see system/skeleton/etc/passwd):
#   username:  www-data  uid: 33
#   groupname: www-data  gid: 33
# so they are not redefined here; only the ownership of the directories used
# by web2py has to be set.
#
# The entry below applies mode 750 with uid 33 / gid 33 recursively ("r") to
# /var/www/web2py, i.e. no access at all for other accounts.
# NOTE(review): this makes the whole tree, application code included, writable
# by uid 33. If the service runs as that account, a compromised web process
# can rewrite the code it executes; consider limiting write access to the
# directories web2py has to write at run time.
define PYTHON_WEB2PY_PERMISSIONS
	/var/www/web2py r 750 33 33 - - - - -
endef
# Evaluate the expansion of generic-package (defined outside this file).
# Presumably this is what turns the PYTHON_WEB2PY_* variables, hooks and
# command blocks above into the package's build rules, so it stays last.
$(eval $(generic-package))