Blame 0001-Fix-CVE-2022-24785-and-CVE-2022-31129.patch

ad55774
From c100e97e9c60aee8585b135834c6cd6166b3ea69 Mon Sep 17 00:00:00 2001
32547e5
From: rpm-build <rpm-build>
ad55774
Date: Wed, 10 Aug 2022 11:56:56 +0200
32547e5
Subject: [PATCH] Fix CVE-2022-24785 and CVE-2022-31129
32547e5
32547e5
https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5
32547e5
https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3
32547e5
32547e5
Patches applied to:
32547e5
32547e5
    notebook/static/components/moment/moment.js
32547e5
    notebook/static/components/moment/min/moment-with-locales.js
32547e5
32547e5
Manually updated:
32547e5
32547e5
    notebook/static/components/moment/min/moment.min.js
32547e5
    notebook/static/components/moment/min/moment-with-locales.min.js
32547e5
32547e5
For easier review:
32547e5
32547e5
    $ diff -u <(fold -s -w 80 moment.min.js) <(fold -s -w 80 moment.min.js_patched)
32547e5
    --- /dev/fd/63	2022-07-13 11:45:08.437165199 +0200
32547e5
    +++ /dev/fd/62	2022-07-13 11:45:08.434165181 +0200
32547e5
    @@ -127,10 +127,11 @@
32547e5
     this.hours()%12||12}function ne(e,t){P(e,0,0,function(){return
32547e5
     this.localeData().meridiem(this.hours(),this.minutes(),t)})}function
32547e5
     se(e,t){return t._meridiemParse}function ie(e){return
32547e5
    -e?e.toLowerCase().replace("_","-"):e}function re(e){var
32547e5
    +e?e.toLowerCase().replace("_","-"):e}function isLocaleNameSane(name){return
32547e5
    +name.match("^[^/\\\\]*$")!=null}function re(e){var
32547e5
     t=null;if(!Xt[e]&&"undefined"!=typeof
32547e5
    -module&&module&&module.exports)try{t=Jt._abbr;require("./locale/"+e),ae(t)}catch
32547e5
    -(e){}return Xt[e]}function ae(e,t){var n;return
32547e5
    +module&&module&&module.exports&&isLocaleNameSane(e))try{t=Jt._abbr;require("./lo
32547e5
    +cale/"+e),ae(t)}catch(e){}return Xt[e]}function ae(e,t){var n;return
32547e5
     e&&(n=s(t)?ue(e):oe(e,t))&&(Jt=n),Jt._abbr}function oe(e,t){if(null!==t){var
32547e5
     n=Qt;if(t.abbr=e,null!=Xt[e])M("defineLocaleOverride","use
32547e5
     moment.updateLocale(localeName, config) to change an existing locale.
32547e5
    @@ -187,7 +188,7 @@
32547e5
     t=parseInt(e,10);{if(t<=49)return 2e3+t;if(t<=999)return 1900+t}return
32547e5
     t}(e),Vt.indexOf(t),parseInt(n,10),parseInt(s,10),parseInt(i,10)];return
32547e5
     r&&a.push(parseInt(r,10)),a}function me(e){var t=on.exec(function(e){return
32547e5
    -e.replace(/\([^)]*\)|[\n\t]/g," ").replace(/(\s\s+)/g,"
32547e5
    +e.replace(/\([^()]*\)|[\n\t]/g," ").replace(/(\s\s+)/g,"
32547e5
     ").trim()}(e._i));if(t){var
32547e5
     n=fe(t[4],t[3],t[2],t[5],t[6],t[7]);if(!function(e,t,n){if(e&&At.indexOf(e)!==ne
32547e5
     w Date(t[0],t[1],t[2]).getDay())return
32547e5
32547e5
    $ diff -u <(fold -s -w 80 moment-with-locales.min.js) <(fold -s -w 80 moment-with-locales.min.js_patched)
32547e5
    --- /dev/fd/63	2022-07-13 11:45:23.280254917 +0200
32547e5
    +++ /dev/fd/62	2022-07-13 11:45:23.281254922 +0200
32547e5
    @@ -127,10 +127,12 @@
32547e5
     this.hours()%12||12}function te(e,a){j(e,0,0,function(){return
32547e5
     this.localeData().meridiem(this.hours(),this.minutes(),a)})}function
32547e5
     se(e,a){return a._meridiemParse}function ne(e){return
32547e5
    -e?e.toLowerCase().replace("_","-"):e}function re(e){var
32547e5
    +e?e.toLowerCase().replace("_","-"):e}function isLocaleNameSane(name){return
32547e5
    +name.match("^[^/\\\\]*$")!=null}function re(e){var
32547e5
     a=null;if(!At[e]&&"undefined"!=typeof
32547e5
    -module&&module&&module.exports)try{a=Ot._abbr;require("./locale/"+e),de(a)}catch
32547e5
    -(e){}return At[e]}function de(e,a){var t;return
32547e5
    +module&&module&&module.exports&&isLocaleNameSane(e))try{a=Ot._abbr;require("./lo
32547e5
    +cale/"+e),de(a)}catch(e){}return At[e]}
32547e5
    +function de(e,a){var t;return
32547e5
     e&&(t=s(a)?ie(e):_e(e,a))&&(Ot=t),Ot._abbr}function _e(e,a){if(null!==a){var
32547e5
     t=Et;if(a.abbr=e,null!=At[e])k("defineLocaleOverride","use
32547e5
     moment.updateLocale(localeName, config) to change an existing locale.
32547e5
    @@ -187,7 +189,7 @@
32547e5
     a=parseInt(e,10);{if(a<=49)return 2e3+a;if(a<=999)return 1900+a}return
32547e5
     a}(e),gt.indexOf(a),parseInt(t,10),parseInt(s,10),parseInt(n,10)];return
32547e5
     r&&d.push(parseInt(r,10)),d}function he(e){var a=Gt.exec(function(e){return
32547e5
    -e.replace(/\([^)]*\)|[\n\t]/g," ").replace(/(\s\s+)/g,"
32547e5
    +e.replace(/\([^()]*\)|[\n\t]/g," ").replace(/(\s\s+)/g,"
32547e5
     ").trim()}(e._i));if(a){var
32547e5
     t=Me(a[4],a[3],a[2],a[5],a[6],a[7]);if(!function(e,a,t){if(e&&Ht.indexOf(e)!==ne
32547e5
     w Date(a[0],a[1],a[2]).getDay())return
32547e5
32547e5
Run:
32547e5
32547e5
    $ npm install
32547e5
    $ python3 setup.py js --force
32547e5
32547e5
Added .gitattributes to force treating files with extremely long lines
32547e5
as if they were binary.
32547e5
That way, the patch is not readable by a human,
32547e5
but at least does not contain two full copies of everything.
32547e5
---
32547e5
 .gitattributes                                |   3 +++
32547e5
 .../moment/min/moment-with-locales.js         |   9 +++++++--
32547e5
 .../moment/min/moment-with-locales.min.js     | Bin 307839 -> 307933 bytes
32547e5
 .../components/moment/min/moment.min.js       | Bin 51190 -> 51283 bytes
32547e5
 notebook/static/components/moment/moment.js   |   9 +++++++--
32547e5
 notebook/static/edit/js/main.min.js           |   9 +++++++--
32547e5
 notebook/static/edit/js/main.min.js.map       | Bin 1740150 -> 1740372 bytes
32547e5
 notebook/static/notebook/js/main.min.js       |   9 +++++++--
ad55774
 notebook/static/notebook/js/main.min.js.map   | Bin 3469851 -> 3470078 bytes
32547e5
 notebook/static/terminal/js/main.min.js       |   9 +++++++--
32547e5
 notebook/static/terminal/js/main.min.js.map   | Bin 1510544 -> 1510766 bytes
32547e5
 notebook/static/tree/js/main.min.js           |   9 +++++++--
32547e5
 notebook/static/tree/js/main.min.js.map       | Bin 1495621 -> 1495843 bytes
32547e5
 13 files changed, 45 insertions(+), 12 deletions(-)
32547e5
 create mode 100644 .gitattributes
32547e5
32547e5
diff --git a/.gitattributes b/.gitattributes
32547e5
new file mode 100644
32547e5
index 0000000..68fdeb6
32547e5
--- /dev/null
32547e5
+++ b/.gitattributes
32547e5
@@ -0,0 +1,3 @@
32547e5
+moment.min.js binary
32547e5
+moment-with-locales.min.js binary
32547e5
+*.js.map binary
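Review bot: Marking `moment.min.js`, `moment-with-locales.min.js` and `*.js.map` as `binary` stores this and every later change to those files as an opaque delta, so a reader of the patch cannot confirm that the minified bundles contain only the two fixes. The file carries no comment saying why the attribute is set; I would add one above the patterns, such as `# single-line minified bundles and source maps: kept binary to keep patches small; verify changes with a folded diff`. The patterns have no directory part, so they apply to any file with those names in the tree, which looks intended but is worth confirming.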
32547e5
diff --git a/notebook/static/components/moment/min/moment-with-locales.js b/notebook/static/components/moment/min/moment-with-locales.js
32547e5
index 574b770..bbcf913 100644
32547e5
--- a/notebook/static/components/moment/min/moment-with-locales.js
32547e5
+++ b/notebook/static/components/moment/min/moment-with-locales.js
32547e5
@@ -1828,11 +1828,16 @@ function chooseLocale(names) {
32547e5
     return null;
32547e5
 }
32547e5
 
32547e5
+function isLocaleNameSane(name) {
32547e5
+    // Prevent names that look like filesystem paths, i.e contain '/' or '\'
32547e5
+    return name.match('^[^/\\\\]*$') != null;
32547e5
+}
32547e5
+
32547e5
 function loadLocale(name) {
32547e5
     var oldLocale = null;
32547e5
     // TODO: Find a better way to register and load all the locales in Node
32547e5
     if (!locales[name] && (typeof module !== 'undefined') &&
32547e5
-            module && module.exports) {
32547e5
+            module && module.exports && isLocaleNameSane(name)) {
32547e5
         try {
32547e5
             oldLocale = globalLocale._abbr;
32547e5
             var aliasedRequire = require;
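Review bot: `isLocaleNameSane(name)` calls `name.match(...)` without first checking that `name` is a string, and the call sits in the `if` condition of `loadLocale`, before the `try {` that follows, so a `null`, `undefined` or other non-string name would raise a TypeError there instead of simply failing the check. Whether callers can pass such a value is not visible in this hunk, but when `module` is defined `!locales[name]` is true for any unregistered key, so the helper is reached. A guard such as `return typeof name === 'string' && name.match('^[^/\\\\]*$') != null;` keeps the path-separator rejection and makes the helper safe for any input. The same hunk is repeated in the moment.js section and in the edit, notebook, terminal and tree `main.min.js` sections, and `loadLocale` continues past the end of the hunk.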
32547e5
@@ -2269,7 +2274,7 @@ function untruncateYear(yearStr) {
32547e5
 
32547e5
 function preprocessRFC2822(s) {
32547e5
     // Remove comments and folding whitespace and replace multiple-spaces with a single space
32547e5
-    return s.replace(/\([^)]*\)|[\n\t]/g, ' ').replace(/(\s\s+)/g, ' ').trim();
32547e5
+    return s.replace(/\([^()]*\)|[\n\t]/g, ' ').replace(/(\s\s+)/g, ' ').trim();
32547e5
 }
32547e5
 
32547e5
 function checkWeekday(weekdayStr, parsedInput, config) {
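Review bot: The reason `(` is now excluded from the comment body in `preprocessRFC2822` is not recorded next to the regex, so a later cleanup could revert `[^()]*` to `[^)]*` and bring back the slow matching on inputs with many unmatched `(` that CVE-2022-31129 covers. I would add a comment above the `return`, for example `// [^()] rather than [^)]: keeps matching linear when the input has many unmatched '(' (CVE-2022-31129)`. It is also worth stating there that, in this single pass, only the innermost pair of a nested comment is stripped, which differs from what the old pattern removed. The same hunk appears in the moment.js section and in the edit, notebook, terminal and tree `main.min.js` sections.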
32547e5
diff --git a/notebook/static/components/moment/min/moment-with-locales.min.js b/notebook/static/components/moment/min/moment-with-locales.min.js
32547e5
index fef7c85fd429dc88f3c7195dd890bba655c400a7..9cb3030a8c459eafb769271e00349936b318bfc9 100644
32547e5
GIT binary patch
32547e5
delta 131
32547e5
zcmezWMCk5Qp$&HxY%_~}@{<#DQvDKhQ-c%pQZ@2`49)7I)RNMoJOvO(FE_CyIYUD!
32547e5
zE;>#>1_)xcRFpIoZSzWVawcC^h!9m%!!RRNbF#Lg3nSO&e8nC
32547e5
Nh?%$l)@NyH0ss&(F%AF#
32547e5
32547e5
delta 43
32547e5
wcmccnROtT`p$&HxCaWm=O>S3o*?dN^hp#!(pgq!n5r~<9n0b4o0ZU600H{L{;s5{u
32547e5
32547e5
diff --git a/notebook/static/components/moment/min/moment.min.js b/notebook/static/components/moment/min/moment.min.js
32547e5
index a049687679c3d43895039554cfe5f477cd92a51d..a9231146c9e8912bb1ce3700c7db33d3b346c4bf 100644
32547e5
GIT binary patch
32547e5
delta 109
32547e5
zcmey?&wP0T^M<<$wwc8~`N@enseXyMslkbPsTz4ehGun9YDsBPo&t!Ymz!9UoS~r<
32547e5
u7agY`0|c>JDoUD)wt1yFIg>9dM2M=XVVIGsxmjEB0w1Hs=HL3irvm`%tti6)
32547e5
32547e5
delta 23
32547e5
fcmcaSf%#iM^M<<$lT{S`Hn%HY;M*Kw@OwG{f}aY=
32547e5
32547e5
diff --git a/notebook/static/components/moment/moment.js b/notebook/static/components/moment/moment.js
32547e5
index f10d709..b71107c 100644
32547e5
--- a/notebook/static/components/moment/moment.js
32547e5
+++ b/notebook/static/components/moment/moment.js
32547e5
@@ -1834,11 +1834,16 @@ function chooseLocale(names) {
32547e5
     return null;
32547e5
 }
32547e5
 
32547e5
+function isLocaleNameSane(name) {
32547e5
+    // Prevent names that look like filesystem paths, i.e contain '/' or '\'
32547e5
+    return name.match('^[^/\\\\]*$') != null;
32547e5
+}
32547e5
+
32547e5
 function loadLocale(name) {
32547e5
     var oldLocale = null;
32547e5
     // TODO: Find a better way to register and load all the locales in Node
32547e5
     if (!locales[name] && (typeof module !== 'undefined') &&
32547e5
-            module && module.exports) {
32547e5
+            module && module.exports && isLocaleNameSane(name)) {
32547e5
         try {
32547e5
             oldLocale = globalLocale._abbr;
32547e5
             var aliasedRequire = require;
32547e5
@@ -2275,7 +2280,7 @@ function untruncateYear(yearStr) {
32547e5
 
32547e5
 function preprocessRFC2822(s) {
32547e5
     // Remove comments and folding whitespace and replace multiple-spaces with a single space
32547e5
-    return s.replace(/\([^)]*\)|[\n\t]/g, ' ').replace(/(\s\s+)/g, ' ').trim();
32547e5
+    return s.replace(/\([^()]*\)|[\n\t]/g, ' ').replace(/(\s\s+)/g, ' ').trim();
32547e5
 }
32547e5
 
32547e5
 function checkWeekday(weekdayStr, parsedInput, config) {
32547e5
diff --git a/notebook/static/edit/js/main.min.js b/notebook/static/edit/js/main.min.js
ad55774
index 6add39b..b7bd4dd 100644
32547e5
--- a/notebook/static/edit/js/main.min.js
32547e5
+++ b/notebook/static/edit/js/main.min.js
32547e5
@@ -11694,11 +11694,16 @@ function chooseLocale(names) {
32547e5
     return null;
32547e5
 }
32547e5
 
32547e5
+function isLocaleNameSane(name) {
32547e5
+    // Prevent names that look like filesystem paths, i.e contain '/' or '\'
32547e5
+    return name.match('^[^/\\\\]*$') != null;
32547e5
+}
32547e5
+
32547e5
 function loadLocale(name) {
32547e5
     var oldLocale = null;
32547e5
     // TODO: Find a better way to register and load all the locales in Node
32547e5
     if (!locales[name] && (typeof module !== 'undefined') &&
32547e5
-            module && module.exports) {
32547e5
+            module && module.exports && isLocaleNameSane(name)) {
32547e5
         try {
32547e5
             oldLocale = globalLocale._abbr;
32547e5
             var aliasedRequire = require;
32547e5
@@ -12135,7 +12140,7 @@ function untruncateYear(yearStr) {
32547e5
 
32547e5
 function preprocessRFC2822(s) {
32547e5
     // Remove comments and folding whitespace and replace multiple-spaces with a single space
32547e5
-    return s.replace(/\([^)]*\)|[\n\t]/g, ' ').replace(/(\s\s+)/g, ' ').trim();
32547e5
+    return s.replace(/\([^()]*\)|[\n\t]/g, ' ').replace(/(\s\s+)/g, ' ').trim();
32547e5
 }
32547e5
 
32547e5
 function checkWeekday(weekdayStr, parsedInput, config) {
32547e5
diff --git a/notebook/static/edit/js/main.min.js.map b/notebook/static/edit/js/main.min.js.map
ad55774
index ddc673d1a87b773d078c87d7f2d13456e5e19b2b..9363090e719fcda7e2260b01b6226ddec4fbf1c4 100644
32547e5
GIT binary patch
32547e5
delta 331
32547e5
zcmex1E9=UftcER&sy8Mluu8J&I651aBu$>kD&OvPgAs_CfS4JGS%8=oh}nRc9f&!A
32547e5
zm~*?=4X%xC)9=0FX0K26OUz9TPRvWy$OAGo6{=(M6o5cqUm>6
32547e5
zSfY@VpP#LelbM~Wkd~Q~T3lINlA5bfkXVvYtfP>rm#UDQpI4HYnWvzxuda|^q@W%X
32547e5
zqYg2yD7B=tC=YCuUT$JZa)yR_Ty&g%OblNP7{qF+sB0=H+D;Et;uf3!JC6IFtb&@F
32547e5
zLT0f~esW?Cnj3+RoGwtsCB6N7JU5#qqelDR8Qeh31H`;Q%m>8$Kr8^nf
32547e5
V0>q*~EC$5lKrFHS?+nSxF8~|ffYks1
32547e5
32547e5
delta 146
32547e5
zcmcaIC+pj+tcER&syEnl9G#0wk|s}Nm2XeJ!3e}mK+FupEI`Z(#B4y!4#XTl%(*@J
32547e5
z2G_>6>HFfj?=fpCR8L=^A|<{3N&+{VW&7=!+(66&#JoVv2gLk9EC9rUKr95r!aytn
32547e5
U#G*hf2E^h(EV2FeOv%bG0KJYx2mk;8
32547e5
32547e5
diff --git a/notebook/static/notebook/js/main.min.js b/notebook/static/notebook/js/main.min.js
ad55774
index 8e3003e..8f1dff8 100644
32547e5
--- a/notebook/static/notebook/js/main.min.js
32547e5
+++ b/notebook/static/notebook/js/main.min.js
32547e5
@@ -11700,11 +11700,16 @@ function chooseLocale(names) {
32547e5
     return null;
32547e5
 }
32547e5
 
32547e5
+function isLocaleNameSane(name) {
32547e5
+    // Prevent names that look like filesystem paths, i.e contain '/' or '\'
32547e5
+    return name.match('^[^/\\\\]*$') != null;
32547e5
+}
32547e5
+
32547e5
 function loadLocale(name) {
32547e5
     var oldLocale = null;
32547e5
     // TODO: Find a better way to register and load all the locales in Node
32547e5
     if (!locales[name] && (typeof module !== 'undefined') &&
32547e5
-            module && module.exports) {
32547e5
+            module && module.exports && isLocaleNameSane(name)) {
32547e5
         try {
32547e5
             oldLocale = globalLocale._abbr;
32547e5
             var aliasedRequire = require;
32547e5
@@ -12141,7 +12146,7 @@ function untruncateYear(yearStr) {
32547e5
 
32547e5
 function preprocessRFC2822(s) {
32547e5
     // Remove comments and folding whitespace and replace multiple-spaces with a single space
32547e5
-    return s.replace(/\([^)]*\)|[\n\t]/g, ' ').replace(/(\s\s+)/g, ' ').trim();
32547e5
+    return s.replace(/\([^()]*\)|[\n\t]/g, ' ').replace(/(\s\s+)/g, ' ').trim();
32547e5
 }
32547e5
 
32547e5
 function checkWeekday(weekdayStr, parsedInput, config) {
32547e5
diff --git a/notebook/static/notebook/js/main.min.js.map b/notebook/static/notebook/js/main.min.js.map
ad55774
index f4050efb6ed33485fcc8f7439934cfcebbc66a28..70316ab5f0cec243d52d9ff806f4572f7c585efe 100644
32547e5
GIT binary patch
ad55774
delta 477
ad55774
zcmZwBOG^S_6b4`>(=L|T#Vj>DnK@eKWS2#Y7VQEfx-EjHY?3b=(wT5RgJ@AZH$t?U
ad55774
zpnuRpgd!JhqJI$X+gQJ#*3moVvI7sC_Z&E!+xNQg{ZSV#AB4|0lQ!%DTaq8%zlJtj
ad55774
zOR0tcEnovH+ra^C&<-8Y2~Oy$r5fFt>kHLb)iX+tttol7rD!awp^4GCtPx6*XuZHr
ad55774
zna0VQ8^p5;r<|@IQ%*f*bfo5(ab|FqrxS%|jX0?ZMj2h>imH()iKG`ulx6YnT!Hao
ad55774
zLHj+G$SXXPje5lW-F-=J*4|`TjM3PVdBa^_K8i%>|M$#v+8?al6
ad55774
z=!HJ$hXL@^s+GZ&N4p%_W;^EdlgDSenRlU?mtP{o<^l6MZPwOGr84uv5Lmqr{1AW<
ad55774
o2*M~3j6n#-Aq*1`0TH4QgGrczI7~wVB$$CD%)(r)%;vAkKk4PR4gdfE
32547e5
ad55774
delta 297
ad55774
zcmWN=Jxc;{9Kdm|uKJgCoz{6hX=y%HXJrpaOB61;1qw9>-YNw-IkX)~*c3m=cTj^%
ad55774
z^nW2X>te4!TBGj=K7T)bqdV#wkDtbPV0xFO`@kL=oZuu)PH~zuRGj4;L!8(4a6!My
ad55774
z-Geodk5)7!-FDj1Pfg1_3pzcEi?kVLgiBneqdUE5`AfdvJzFk{O382CJ(cP>6P9z|
ad55774
zbyT%hxyfJGZ>8{-bL6V1%%I`BT;VF$xXum680RLpm|&9IOfk(2v&?aayWFG4JokCP
ad55774
PLl$_%W8LsiUY`E}4C!?O
32547e5
32547e5
diff --git a/notebook/static/terminal/js/main.min.js b/notebook/static/terminal/js/main.min.js
ad55774
index 13e4a7d..bc3023b 100644
32547e5
--- a/notebook/static/terminal/js/main.min.js
32547e5
+++ b/notebook/static/terminal/js/main.min.js
32547e5
@@ -11610,11 +11610,16 @@ function chooseLocale(names) {
32547e5
     return null;
32547e5
 }
32547e5
 
32547e5
+function isLocaleNameSane(name) {
32547e5
+    // Prevent names that look like filesystem paths, i.e contain '/' or '\'
32547e5
+    return name.match('^[^/\\\\]*$') != null;
32547e5
+}
32547e5
+
32547e5
 function loadLocale(name) {
32547e5
     var oldLocale = null;
32547e5
     // TODO: Find a better way to register and load all the locales in Node
32547e5
     if (!locales[name] && (typeof module !== 'undefined') &&
32547e5
-            module && module.exports) {
32547e5
+            module && module.exports && isLocaleNameSane(name)) {
32547e5
         try {
32547e5
             oldLocale = globalLocale._abbr;
32547e5
             var aliasedRequire = require;
32547e5
@@ -12051,7 +12056,7 @@ function untruncateYear(yearStr) {
32547e5
 
32547e5
 function preprocessRFC2822(s) {
32547e5
     // Remove comments and folding whitespace and replace multiple-spaces with a single space
32547e5
-    return s.replace(/\([^)]*\)|[\n\t]/g, ' ').replace(/(\s\s+)/g, ' ').trim();
32547e5
+    return s.replace(/\([^()]*\)|[\n\t]/g, ' ').replace(/(\s\s+)/g, ' ').trim();
32547e5
 }
32547e5
 
32547e5
 function checkWeekday(weekdayStr, parsedInput, config) {
32547e5
diff --git a/notebook/static/terminal/js/main.min.js.map b/notebook/static/terminal/js/main.min.js.map
ad55774
index 106191b03e9371a50830db08104d1341f3516fee..25ad449a1a59978f9c1aad8202ec9a7645d63b56 100644
32547e5
GIT binary patch
32547e5
delta 314
32547e5
zcmbO*Gv?i_n1(Hk6E06KV3K6hadb8;Nt#}GnNg{I$7Mz!W&&bnAZ7t#Rv=~rVs;?r
32547e5
z0AkMVJ1%p5Q>o7^_Q_99%t`f2%uNkW%uChC12Qxfs$=pLfIwegA)qL=EH$r00VH0m
32547e5
zP?C{YqL7oHpRJISnVqVTmYI`UTv=R_nyXNdSdvk!qmZeWs*s$YSCW{Sr=YH{u8?1(
32547e5
zpdJ&W4l%AMwWPEt4{VfPZemGthK8tmTy&g%3>3s_si
32547e5
zx7#74uzk%>E*48hjrI*j+(66&#JoVv2gLk9EC9rUKr95r!aytn#G>0b7>PZ&2>=Nr
32547e5
Bc31!a
32547e5
32547e5
delta 130
32547e5
zcmaDiD`vvXn1(Hk6E3sqI64=VBu!q(B;S7SG9wT(0WmWWvj8zG5VHX>I}mdKG3WMk
32547e5
zm$`nbOfUS&b#J=NP9cTuoxiwPEZh5xxq+Amh
32547e5
J8H+u*2>`4=Ie-8F
32547e5
32547e5
diff --git a/notebook/static/tree/js/main.min.js b/notebook/static/tree/js/main.min.js
ad55774
index 9775015..d3641ec 100644
32547e5
--- a/notebook/static/tree/js/main.min.js
32547e5
+++ b/notebook/static/tree/js/main.min.js
32547e5
@@ -13330,11 +13330,16 @@ function chooseLocale(names) {
32547e5
     return null;
32547e5
 }
32547e5
 
32547e5
+function isLocaleNameSane(name) {
32547e5
+    // Prevent names that look like filesystem paths, i.e contain '/' or '\'
32547e5
+    return name.match('^[^/\\\\]*$') != null;
32547e5
+}
32547e5
+
32547e5
 function loadLocale(name) {
32547e5
     var oldLocale = null;
32547e5
     // TODO: Find a better way to register and load all the locales in Node
32547e5
     if (!locales[name] && (typeof module !== 'undefined') &&
32547e5
-            module && module.exports) {
32547e5
+            module && module.exports && isLocaleNameSane(name)) {
32547e5
         try {
32547e5
             oldLocale = globalLocale._abbr;
32547e5
             var aliasedRequire = require;
32547e5
@@ -13771,7 +13776,7 @@ function untruncateYear(yearStr) {
32547e5
 
32547e5
 function preprocessRFC2822(s) {
32547e5
     // Remove comments and folding whitespace and replace multiple-spaces with a single space
32547e5
-    return s.replace(/\([^)]*\)|[\n\t]/g, ' ').replace(/(\s\s+)/g, ' ').trim();
32547e5
+    return s.replace(/\([^()]*\)|[\n\t]/g, ' ').replace(/(\s\s+)/g, ' ').trim();
32547e5
 }
32547e5
 
32547e5
 function checkWeekday(weekdayStr, parsedInput, config) {
32547e5
diff --git a/notebook/static/tree/js/main.min.js.map b/notebook/static/tree/js/main.min.js.map
ad55774
index e334a06e00b8bc700135b95328fbd9f7ab9e86a7..e6862e8f1b1409c65000d38a3c004138926213c7 100644
32547e5
GIT binary patch
32547e5
delta 322
32547e5
zcmX@QBzp0(=!Pwf8^29rkz~_xbT%wWn*5MizWv%aMj&PaVrC#_0b*7lW&>h&Am#vK
32547e5
zP9Wyme(f8#^Q8LBVxRov#GF*W#N5>2#Jp6EJRn0;p*ki{0SNT<6#|M<%Tn`76hPv|
32547e5
z3MCndB?>wD`Pm9Nnc1ldX_+~x#g)Y+sksUTi6t4uItrP3sS3&Yc_oRNc?#<K>I(Tq
32547e5
z3hFU2>Ja0KQcFsU^1w#v<tCOSXK0A3$3@5K$3Q`>mWsNjf}-v8d><aM>5`p1_v97S
32547e5
z)D*D05$wq6jDjN4+r_(hSS%Se+NBTk05LBR^8qnG5DNgYAP@@yu`m#e0I}$H>BC}L
32547e5
F`~YDycVhqm
32547e5
32547e5
delta 135
32547e5
zcmZ3yEc)n@=!Pwf8^5vXI64=VBu#$EEZ_eA8zT@i0WmWWvj8zG5VHX>I}mdKF((jn
32547e5
zZGZob+j-LTJDoiDrq7P&=AJ%nIk)KcFI_w=mhC?e^8hg~5c2^sKM)H5u^
32547e5
OivY3c_MeBvwD
32547e5
32547e5
-- 
ad55774
2.37.1
32547e5