| |
@@ -0,0 +1,85 @@
|
| |
+ From 34c73a5bb956bbe8a985fe3ac40fd36f255157b8 Mon Sep 17 00:00:00 2001
|
| |
+ From: Matthias Bussonnier <bussonniermatthias@gmail.com>
|
| |
+ Date: Sat, 15 Jan 2022 19:43:14 +0100
|
| |
+ Subject: [PATCH] FIX CVE-2022-21699
|
| |
+
|
| |
+ See https://github.com/ipython/ipython/security/advisories/GHSA-pq7m-3gw7-gq5x
|
| |
+
|
| |
+ (cherry picked from commit c306d208946604b1cfc7bcfdc5fb51daf7b8ceae)
|
| |
+ ---
|
| |
+ IPython/__init__.py | 4 ++++
|
| |
+ IPython/core/application.py | 2 +-
|
| |
+ IPython/core/profileapp.py | 6 +++---
|
| |
+ IPython/core/profiledir.py | 4 ++--
|
| |
+ 4 files changed, 10 insertions(+), 6 deletions(-)
|
| |
+
|
| |
+ diff --git a/IPython/__init__.py b/IPython/__init__.py
|
| |
+ index 69750f21b..f477c1f41 100644
|
| |
+ --- a/IPython/__init__.py
|
| |
+ +++ b/IPython/__init__.py
|
| |
+ @@ -59,6 +59,10 @@
|
| |
+ __license__ = release.license
|
| |
+ __version__ = release.version
|
| |
+ version_info = release.version_info
|
| |
+ +# list of CVEs that should have been patched in this release.
|
| |
+ +# this is informational and should not be relied upon.
|
| |
+ +__patched_cves__ = {"CVE-2022-21699"}
|
| |
+ +
|
| |
+
|
| |
+ def embed_kernel(module=None, local_ns=None, **kwargs):
|
| |
+ """Embed and start an IPython kernel in a given scope.
|
| |
+ diff --git a/IPython/core/application.py b/IPython/core/application.py
|
| |
+ index 9741baac7..76b62796b 100644
|
| |
+ --- a/IPython/core/application.py
|
| |
+ +++ b/IPython/core/application.py
|
| |
+ @@ -92,7 +92,7 @@ def _config_file_name_changed(self, name, old, new):
|
| |
+
|
| |
+ config_file_paths = List(Unicode)
|
| |
+ def _config_file_paths_default(self):
|
| |
+ - return [py3compat.getcwd()]
|
| |
+ + return []
|
| |
+
|
| |
+ extra_config_file = Unicode(config=True,
|
| |
+ help="""Path to an extra config file to load.
|
| |
+ diff --git a/IPython/core/profileapp.py b/IPython/core/profileapp.py
|
| |
+ index b5b2fdce6..a65b092ee 100644
|
| |
+ --- a/IPython/core/profileapp.py
|
| |
+ +++ b/IPython/core/profileapp.py
|
| |
+ @@ -184,9 +184,9 @@ def list_profile_dirs(self):
|
| |
+ profiles = list_profiles_in(py3compat.getcwd())
|
| |
+ if profiles:
|
| |
+ print()
|
| |
+ - print("Available profiles in current directory (%s):" % py3compat.getcwd())
|
| |
+ - self._print_profiles(profiles)
|
| |
+ -
|
| |
+ + print(
|
| |
+ + "Profiles from CWD have been removed for security reason, see CVE-2022-21699:"
|
| |
+ + )
|
| |
+ print()
|
| |
+ print("To use any of the above profiles, start IPython with:")
|
| |
+ print(" ipython --profile=<name>")
|
| |
+ diff --git a/IPython/core/profiledir.py b/IPython/core/profiledir.py
|
| |
+ index bff81e22e..baa42628d 100644
|
| |
+ --- a/IPython/core/profiledir.py
|
| |
+ +++ b/IPython/core/profiledir.py
|
| |
+ @@ -211,7 +211,7 @@ def find_profile_dir_by_name(cls, ipython_dir, name=u'default', config=None):
|
| |
+ is not found, a :class:`ProfileDirError` exception will be raised.
|
| |
+
|
| |
+ The search path algorithm is:
|
| |
+ - 1. ``py3compat.getcwd()``
|
| |
+ + 1. ``os.getcwd()`` # removed for security reason.
|
| |
+ 2. ``ipython_dir``
|
| |
+
|
| |
+ Parameters
|
| |
+ @@ -223,7 +223,7 @@ def find_profile_dir_by_name(cls, ipython_dir, name=u'default', config=None):
|
| |
+ will be "profile_<profile>".
|
| |
+ """
|
| |
+ dirname = u'profile_' + name
|
| |
+ - paths = [py3compat.getcwd(), ipython_dir]
|
| |
+ + paths = [ipython_dir]
|
| |
+ for p in paths:
|
| |
+ profile_dir = os.path.join(p, dirname)
|
| |
+ if os.path.isdir(profile_dir):
|
| |
+ --
|
| |
+ 2.38.1
|
| |
+
|
| |
carlwgeorge
commented 2 years ago
Resolves rhbz#2135164.