Hello community, here is the log from the commit of package webyast-base-ws for openSUSE:Factory checked in at Fri Feb 11 01:27:44 CET 2011.
--------
--- webyast-base-ws/webyast-base-ws.changes 2011-01-06 14:29:03.000000000 +0100
+++ /mounts/work_src_done/STABLE/webyast-base-ws/webyast-base-ws.changes 2011-02-08 16:44:07.000000000 +0100
@@ -1,0 +2,7 @@
+Tue Feb 8 15:41:51 UTC 2011 - schubi@novell.com
+
+- rm webyast-base-ws-rpmlintrc
+- added security flas
+- 0.2.11
+
+-------------------------------------------------------------------
calling whatdependson for head-i586
Old:
----
webyast-base-ws-rpmlintrc
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ webyast-base-ws.spec ++++++
--- /var/tmp/diff_new_pack.5W4E3K/_old 2011-02-11 01:27:33.000000000 +0100
+++ /var/tmp/diff_new_pack.5W4E3K/_new 2011-02-11 01:27:33.000000000 +0100
@@ -56,7 +56,7 @@
 Group: Productivity/Networking/Web/Utilities
 Url: http://en.opensuse.org/Portal:WebYaST
 AutoReqProv: on
-Version: 0.2.10
+Version: 0.2.11
 Release: 1
 Summary: WebYaST - base components for rest service
 Source: www.tar.bz2
++++++ webyastPermissionsService.rb ++++++
--- /var/tmp/diff_new_pack.5W4E3K/_old 2011-02-11 01:27:34.000000000 +0100
+++ /var/tmp/diff_new_pack.5W4E3K/_new 2011-02-11 01:27:34.000000000 +0100
@@ -69,9 +69,9 @@
 permissions.each do |p|
 #whitespace check for valid permission string to avoid attack
 if p.match(/^[a-zA-Z][a-zA-Z0-9.-]*$/)
- result << `polkit-auth --user '#{user}' --#{command} '#{p}' 2>&1`
+ result << `polkit-auth --user '#{user}' --#{command} '#{p}' 2>&1` # RORSCAN_ITL
 else
- result << "perm #{p} is INVALID"
+ result << "perm #{p} is INVALID" # XXX tom: better don't include invalif perms here, we do not know what the calling function is doing with it, like displaying it via the browser, passing it to the shell etc.
 end
 end
 return result
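Review bot: The allow-list check on the line above the changed backtick call uses `^` and `$`, which in Ruby match at line boundaries, so a value containing a newline can satisfy `p.match(...)` while the rest of the string is still interpolated into the shell command; anchor the whole string instead, `if p.match(/\A[a-zA-Z][a-zA-Z0-9.-]*\z/)`. `user` and `command` are interpolated into the same command with no check visible in this hunk; if the caller does not constrain them, the same allow-list should apply to `user` and `command` should be restricted to a fixed set of option names. The enclosing method begins before this hunk and its closing `end` is outside it.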
@@ -89,7 +89,7 @@
 end
 def invalid_user_name? user
- active_directory_enabled = `/usr/sbin/pam-config -q --winbind 2>/dev/null | wc -w`.to_i > 0
+ active_directory_enabled = `/usr/sbin/pam-config -q --winbind 2>/dev/null | wc -w`.to_i > 0 # RORSCAN_ITL
 return false if user.match(USER_REGEX)
 return false if active_directory_enabled && user.match(USER_WITH_DOMAIN_REGEX)
 return true
++++++ www.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/www/app/controllers/application_controller.rb new/www/app/controllers/application_controller.rb
--- old/www/app/controllers/application_controller.rb 2010-10-26 15:06:16.000000000 +0200
+++ new/www/app/controllers/application_controller.rb 2011-02-01 10:49:25.000000000 +0100
@@ -68,7 +68,7 @@
 # See ActionController::Base for details
 # Uncomment this to filter the contents of submitted sensitive data parameters
 # from your application log (in this case, all fields with names like "password").
- filter_parameter_logging :password
+ filter_parameter_logging :password # RORSCAN_ITL
 private
 def report_backend_exception(exception)
@@ -124,13 +124,15 @@
 logger.info "Loading textdomain #{domainname} from #{locale_path}"
 ActionController::Base.init_gettext(domainname, options)
 end
- languages = Dir[ File.join(locale_path, '*') ].collect{|v| File.basename(v)}
- I18n.supported_locales = languages
- logger.info "Supported languages: #{languages.inspect}"
- unless languages.empty?
- language = (preferred_languages & languages).first unless (preferred_languages & languages).blank?
- logger.info "Set language to #{language}"
- set_locale language
+ unless locale_path.blank?
+ languages = Dir[ File.join(locale_path, '*') ].collect{|v| File.basename(v)}
+ I18n.supported_locales = languages
+ logger.info "Supported languages: #{languages.inspect}"
+ unless languages.empty?
+ language = (preferred_languages & languages).first unless (preferred_languages & languages).blank?
+ logger.info "Set language to #{language}"
+ set_locale language
+ end
 end
 end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/www/app/controllers/sessions_controller.rb new/www/app/controllers/sessions_controller.rb
--- old/www/app/controllers/sessions_controller.rb 2010-10-26 15:06:16.000000000 +0200
+++ new/www/app/controllers/sessions_controller.rb 2011-02-01 10:49:25.000000000 +0100
@@ -48,6 +48,7 @@
 #FIXME proper document this security sensitive part
 #FIXME better structuralize this method
 #FIXME document all possible parameters
+ #FIXME XXX tom: also reset_session here to fix possible session fixation attack etc.
 if params["hash"].is_a? Hash #FIXME report that "hash" value is not hash #checking if the session description is hosted in a own Hash
 params["hash"].each do |name,value|
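Review bot: Inside the new `unless locale_path.blank?` block the `language =` line evaluates `(preferred_languages & languages)` twice; bind it once, `common = preferred_languages & languages` followed by `language = common.first unless common.blank?`. In the same block `collect{|v| File.basename(v)}` reads more idiomatically as `map { |v| File.basename(v) }`. The enclosing method begins before this hunk.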
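Review bot: The added FIXME in sessions_controller.rb records the need for `reset_session` on login but leaves the session id unchanged across authentication; the `destroy` action further down in the same file already calls `reset_session`, so the corresponding one-line call placed before any account data is written to the session on the successful-login path would close the gap the comment describes. If the change is deferred, the comment should state the current behaviour plainly, e.g. `#FIXME the pre-login session id is kept after a successful login; call reset_session before storing the account`. The method body continues outside the hunk, so the exact insertion point is not visible here.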
@@ -79,7 +80,7 @@
 def destroy
 self.current_account.forget_me if logged_in?
 cookies.delete :auth_token
- reset_session
+ reset_session # RORSCAN_ITL
 @cmd_ret = Hash.new
 @cmd_ret["logout"] = "Goodbye!"
 end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/www/app/models/account.rb new/www/app/models/account.rb
--- old/www/app/models/account.rb 2010-10-26 15:06:16.000000000 +0200
+++ new/www/app/models/account.rb 2011-02-01 10:49:25.000000000 +0100
@@ -46,7 +46,7 @@
 return false if login.match("'") || login.match(/\\$/) #don't allow ' or \ in login to prevent security issues
 cmd = "/sbin/unix2_chkpwd rpam '#{login}'"
 se = Session.new
- result, err = se.execute cmd, :stdin => passwd #password needn't to be escaped as it is on stdin
+ result, err = se.execute cmd, :stdin => passwd #password needn't to be escaped as it is on stdin # RORSCAN_ITL
 ret = se.get_status.zero?
 # close the running shell
 se.close
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/www/app/models/permission.rb new/www/app/models/permission.rb
--- old/www/app/models/permission.rb 2010-10-26 15:06:16.000000000 +0200
+++ new/www/app/models/permission.rb 2011-02-01 10:49:25.000000000 +0100
@@ -107,7 +107,7 @@
 public
 def self.all_actions
- `/usr/bin/polkit-action`
+ `/usr/bin/polkit-action` # RORSCAN_ITL
 end
 SUSE_STRING = "org.opensuse.yast"
@@ -119,7 +119,7 @@
 end
 def self.dbus_obj
- bus = DBus.system_bus
+ bus = DBus.system_bus # RORSCAN_ITL
 ruby_service = bus.service("webyast.permissions.service")
 obj = ruby_service.object("/webyast/permissions/Interface")
 obj.introspect
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/www/config/boot.rb new/www/config/boot.rb
--- old/www/config/boot.rb 2010-10-26 15:06:16.000000000 +0200
+++ new/www/config/boot.rb 2011-02-01 10:49:25.000000000 +0100
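Review bot: In the account.rb hunk the guard on the first context line rejects a backslash only when it is the last character (`/\\$/`), which is narrower than the comment "don't allow ' or \ in login" on the same line, while `login` is then interpolated into `cmd` and handed to `se.execute`. A substring test matches the stated intent, `return false if login.include?("'") || login.include?("\\")`; an allow-list of permitted login characters would be stronger still. The enclosing method begins and ends outside this hunk.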
@@ -63,7 +63,7 @@
 gem 'rails'
 end
 rescue Gem::LoadError => load_error
- $stderr.puts %(Missing the Rails #{version} gem. Please `gem install -v=#{version} rails`, update your RAILS_GEM_VERSION setting in config/environment.rb for the Rails version you do have installed, or comment out RAILS_GEM_VERSION to use the latest version installed.)
+ $stderr.puts %(Missing the Rails #{version} gem. Please `gem install -v=#{version} rails`, update your RAILS_GEM_VERSION setting in config/environment.rb for the Rails version you do have installed, or comment out RAILS_GEM_VERSION to use the latest version installed.) # RORSCAN_ITL
 exit 1
 end
@@ -86,7 +86,7 @@
 require 'rubygems'
 min_version = '1.2.0'
 unless rubygems_version >= min_version
- $stderr.puts %Q(Rails requires RubyGems >= #{min_version} (you have #{rubygems_version}). Please `gem update --system` and try again.)
+ $stderr.puts %Q(Rails requires RubyGems >= #{min_version} (you have #{rubygems_version}). Please `gem update --system` and try again.) # RORSCAN_ITL
 exit 1
 end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/www/config/environment.rb new/www/config/environment.rb
--- old/www/config/environment.rb 2010-10-26 15:06:16.000000000 +0200
+++ new/www/config/environment.rb 2011-02-01 10:49:25.000000000 +0100
@@ -76,7 +76,7 @@
 # no regular words or you'll be exposed to dictionary attacks.
 config.action_controller.session = {
 :key => '_yast-api_session',
- # It is overwritten during install time (bnc#550635), do not change key
+ # It is overwritten during install time (bnc#550635), do not change key # RORSCAN_INL
 :secret => '9d11bfc98abcf9799082d9c34ec94dc1cc926f0f1bf4bea8c440b497d96b14c1f712c8784d0303ee7dd69e382c3e5e4d38d4c56d1b619eae7acaa6516cd733b1'
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/www/doc/check-setup.rb new/www/doc/check-setup.rb
--- old/www/doc/check-setup.rb 2010-10-26 15:06:16.000000000 +0200
+++ new/www/doc/check-setup.rb 2011-02-01 10:49:25.000000000 +0100
@@ -65,7 +65,7 @@
 # else version string
 #
 def test_package severity, package
- v = `rpm -q #{package}`
+ v = `rpm -q #{package}` # RORSCAN_ITL
 return nil if v =~ /is not installed/
 nvr = v.split("-") # split name-version-release
 escape(severity, "can't extract version from #{v}", "check your installation") unless nvr.size > 2
@@ -141,7 +141,7 @@
 test_module :development, 'tidy', 'rubygem-tidy'
 test_version :development, 'tidy'
-test_policy "org.opensuse.yast.system.status.read", Etc.getlogin
+test_policy "org.opensuse.yast.system.status.read", Etc.getlogin # RORSCAN_ITL
 # reqd for Users mgmt
 test_policy "org.opensuse.yast.modules.yapi.users.groupsget", Etc.getlogin
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/www/lib/authenticated_system.rb new/www/lib/authenticated_system.rb
--- old/www/lib/authenticated_system.rb 2010-10-26 15:06:16.000000000 +0200
+++ new/www/lib/authenticated_system.rb 2011-02-01 10:49:25.000000000 +0100
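Review bot: The `:secret` value on the line after the changed comment in environment.rb is a fixed session secret shipped inside the tarball; the comment relies on an install-time step replacing it, but nothing in this hunk detects the case where that step did not run, and the new `RORSCAN_INL` marker suppresses the scanner finding that would otherwise point at it. A boot-time check that raises when the shipped literal is still configured would turn a silent misconfiguration into a visible failure. At minimum the comment should say what the literal means for a deployment that still carries it, e.g. `# Replaced at install time (bnc#550635); an install still using this literal shares its session secret with every other unmodified install`.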
@@ -27,7 +27,7 @@
 # Accesses the current account from the session.
 # Future calls avoid the database because nil is not equal to false.
 def current_account
- @current_account ||= (login_from_session || login_from_basic_auth || login_from_cookie) unless @current_account == false
+ @current_account ||= (login_from_session || login_from_basic_auth || login_from_cookie) unless @current_account == false # RORSCAN_ITL
 end
 # Store the given account id in the session.
@@ -79,7 +79,7 @@
 # to access the requested action. For example, a popup window might
 # simply close itself.
 def access_denied
- request_http_basic_authentication 'YaST-Webservice Login'
+ request_http_basic_authentication 'YaST-Webservice Login' # RORSCAN_ITL
 end
 # Store the URI of the current request in the session.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/www/lib/exceptions.rb new/www/lib/exceptions.rb
--- old/www/lib/exceptions.rb 2010-10-26 15:06:16.000000000 +0200
+++ new/www/lib/exceptions.rb 2011-02-01 10:49:25.000000000 +0100
@@ -137,7 +137,7 @@
 class CorruptedFileException < BackendException
 def initialize(file)
 @file = file
- super "Target system is not consistent: Missing or corrupted file #{@file}"
+ super "Target system is not consistent: Missing or corrupted file #{@file}" # RORSCAN_ITL
 end
 def to_xml(options={})
@@ -179,7 +179,7 @@
 end
 def to_xml(options={})
- no_arg_to_xml(options,"EULA_NOT_ACCEPTED", "Functionality of the target system was required, but its EULA was not accepted yet.")
+ no_arg_to_xml(options,"EULA_NOT_ACCEPTED", "Functionality of the target system was required, but its EULA was not accepted yet.") # RORSCAN_ITL
 end
 end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/www/lib/yast_service.rb new/www/lib/yast_service.rb
--- old/www/lib/yast_service.rb 2010-10-26 15:06:16.000000000 +0200
+++ new/www/lib/yast_service.rb 2011-02-01 10:49:25.000000000 +0100
@@ -33,10 +33,10 @@
 def YastService.Call(function, *arguments)
 # connect to the system bus
- system_bus = DBus::SystemBus.instance
+ system_bus = DBus::SystemBus.instance # RORSCAN_ITL
 # get the Yast namespace service
- yast = system_bus.service('org.opensuse.YaST.modules')
+ yast = system_bus.service('org.opensuse.YaST.modules') # RORSCAN_ITL
 # parse the function name
 parts = function.split('::')
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org