Merge with 0.7.5

7ece8c26 · Jason R. Coombs · 72495bf9 · b99749aa · 7ece8c26 · 7ece8c26
Commit 7ece8c26 authored Jun 29, 2013 by Jason R. Coombs
Hide whitespace changes
Inline Side-by-side

Showing with 43 additions and 0 deletions

.hgtags .hgtags +1 -0

CHANGES.txt CHANGES.txt +12 -0

pkg_resources.py pkg_resources.py +26 -0

setup.py setup.py +4 -0

No files found.
--- a/.hgtags
+++ b/.hgtags
@@ -65,3 +65,4 @@ d04c05f035e3a5636006fc34f4be7e6c77035d17 0.7.2
 d212e48e0cef689acba57ed017289c027660b23c 0.7.3
 74c6c12268059986f9cc0b535399594f1d131201 0.8b1
 85640475dda0621f20e11db0995fa07f51744a98 0.7.4
+dd5bbc116c53d3732d22f983e7ca6d8cfabd3b08 0.7.5
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -14,6 +14,10 @@ CHANGES
 -----
 * Issue #21: Restore Python 2.4 compatibility in ``test_easy_install``.
+* Distribute #375: Merged additional warning from Distribute 0.6.46.
+* Now honor the environment variable
+  ``SETUPTOOLS_DISABLE_VERSIONED_EASY_INSTALL_SCRIPT`` in addition to the now
+  deprecated ``DISTRIBUTE_DISABLE_VERSIONED_EASY_INSTALL_SCRIPT``.
 -----
 0.7.4
@@ -65,6 +69,14 @@ Added several features that were slated for setuptools 0.6c12:
 * Issue #3: Fixed NameError in SSL support.
+------
+0.6.46
+------
+* Issue #375: Issue a warning if the PYTHON_EGG_CACHE or otherwise
+  customized egg cache location specifies a directory that's group- or
+  world-writable.
 ------
 0.6.45
 ------

--- a/pkg_resources.py
+++ b/pkg_resources.py
@@ -14,6 +14,8 @@ method.
 """
 import sys, os, time, re, imp, types, zipfile, zipimport
+import warnings
+import stat
 try:
    from urlparse import urlparse, urlunparse
 except ImportError:
@@ -1016,6 +1018,7 @@ variable to point to an accessible directory.
        extract, as it tracks the generated names for possible cleanup later.
        """
        extract_path = self.extraction_path or get_default_cache()
+        self._warn_unsafe_extraction(extract_path)
        target_path = os.path.join(extract_path, archive_name+'-tmp', *names)
        try:
            _bypass_ensure_directory(target_path)
@@ -1025,6 +1028,29 @@ variable to point to an accessible directory.
        self.cached_files[target_path] = 1
        return target_path
+    @staticmethod
+    def warn_unsafe_extraction_path(path):
+        """
+        If the default extraction path is overridden and set to an insecure
+        location, such as /tmp, it opens up an opportunity for an attacker to
+        replace an extracted file with an unauthorized payload. Warn the user
+        if a known insecure location is used.
+        See Distribute #375 for more details.
+        """
+        if os.name == 'nt' and not path.startswith(os.environ['windir']):
+            # On Windows, permissions are generally restrictive by default
+            #  and temp directories are not writable by other users, so
+            #  bypass the warning.
+            return
+        mode = os.stat(path).st_mode
+        if mode & stat.S_IWOTH or mode & stat.S_IWGRP:
+            msg = ("%s is writable by group/others and vulnerable to attack "
+                "when "
+                "used with get_resource_filename. Consider a more secure "
+                "location (set with .set_extraction_path or the "
+                "PYTHON_EGG_CACHE environment variable)." % path)
+            warnings.warn(msg, UserWarning)

--- a/setup.py
+++ b/setup.py
@@ -56,6 +56,10 @@ from setuptools.command.test import test as _test
 scripts = []
 console_scripts = ["easy_install = setuptools.command.easy_install:main"]
+# Gentoo distributions manage the python-version-specific scripts themselves,
+# so they define an environment variable to suppress the creation of the
+# version-specific scripts.
 if os.environ.get("SETUPTOOLS_DISABLE_VERSIONED_EASY_INSTALL_SCRIPT") in (None, "", "0") and \
    os.environ.get("DISTRIBUTE_DISABLE_VERSIONED_EASY_INSTALL_SCRIPT") in (None, "", "0"):
    console_scripts.append("easy_install-%s = setuptools.command.easy_install:main" % sys.version[:3])