From c100e97e9c60aee8585b135834c6cd6166b3ea69 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 10 Aug 2022 11:56:56 +0200
Subject: [PATCH] Fix CVE-2022-24785 and CVE-2022-31129

https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5
https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3

Patches applied to:

    notebook/static/components/moment/moment.js
    notebook/static/components/moment/min/moment-with-locales.js

Manually updated:

    notebook/static/components/moment/min/moment.min.js
    notebook/static/components/moment/min/moment-with-locales.min.js

For easier review:

    $ diff -u <(fold -s -w 80 moment.min.js) <(fold -s -w 80 moment.min.js_patched)
    --- /dev/fd/63	2022-07-13 11:45:08.437165199 +0200
    +++ /dev/fd/62	2022-07-13 11:45:08.434165181 +0200
    @@ -127,10 +127,11 @@
     this.hours()%12||12}function ne(e,t){P(e,0,0,function(){return
     this.localeData().meridiem(this.hours(),this.minutes(),t)})}function
     se(e,t){return t._meridiemParse}function ie(e){return
    -e?e.toLowerCase().replace("_","-"):e}function re(e){var
    +e?e.toLowerCase().replace("_","-"):e}function isLocaleNameSane(name){return
    +name.match("^[^/\\\\]*$")!=null}function re(e){var
     t=null;if(!Xt[e]&&"undefined"!=typeof
    -module&&module&&module.exports)try{t=Jt._abbr;require("./locale/"+e),ae(t)}catch
    -(e){}return Xt[e]}function ae(e,t){var n;return
    +module&&module&&module.exports&&isLocaleNameSane(e))try{t=Jt._abbr;require("./lo
    +cale/"+e),ae(t)}catch(e){}return Xt[e]}function ae(e,t){var n;return
     e&&(n=s(t)?ue(e):oe(e,t))&&(Jt=n),Jt._abbr}function oe(e,t){if(null!==t){var
     n=Qt;if(t.abbr=e,null!=Xt[e])M("defineLocaleOverride","use
     moment.updateLocale(localeName, config) to change an existing locale.
    @@ -187,7 +188,7 @@
     t=parseInt(e,10);{if(t<=49)return 2e3+t;if(t<=999)return 1900+t}return
     t}(e),Vt.indexOf(t),parseInt(n,10),parseInt(s,10),parseInt(i,10)];return
     r&&a.push(parseInt(r,10)),a}function me(e){var t=on.exec(function(e){return
    -e.replace(/\([^)]*\)|[\n\t]/g," ").replace(/(\s\s+)/g,"
    +e.replace(/\([^()]*\)|[\n\t]/g," ").replace(/(\s\s+)/g,"
     ").trim()}(e._i));if(t){var
     n=fe(t[4],t[3],t[2],t[5],t[6],t[7]);if(!function(e,t,n){if(e&&At.indexOf(e)!==ne
     w Date(t[0],t[1],t[2]).getDay())return

    $ diff -u <(fold -s -w 80 moment-with-locales.min.js) <(fold -s -w 80 moment-with-locales.min.js_patched)
    --- /dev/fd/63	2022-07-13 11:45:23.280254917 +0200
    +++ /dev/fd/62	2022-07-13 11:45:23.281254922 +0200
    @@ -127,10 +127,12 @@
     this.hours()%12||12}function te(e,a){j(e,0,0,function(){return
     this.localeData().meridiem(this.hours(),this.minutes(),a)})}function
     se(e,a){return a._meridiemParse}function ne(e){return
    -e?e.toLowerCase().replace("_","-"):e}function re(e){var
    +e?e.toLowerCase().replace("_","-"):e}function isLocaleNameSane(name){return
    +name.match("^[^/\\\\]*$")!=null}function re(e){var
     a=null;if(!At[e]&&"undefined"!=typeof
    -module&&module&&module.exports)try{a=Ot._abbr;require("./locale/"+e),de(a)}catch
    -(e){}return At[e]}function de(e,a){var t;return
    +module&&module&&module.exports&&isLocaleNameSane(e))try{a=Ot._abbr;require("./lo
    +cale/"+e),de(a)}catch(e){}return At[e]}
    +function de(e,a){var t;return
     e&&(t=s(a)?ie(e):_e(e,a))&&(Ot=t),Ot._abbr}function _e(e,a){if(null!==a){var
     t=Et;if(a.abbr=e,null!=At[e])k("defineLocaleOverride","use
     moment.updateLocale(localeName, config) to change an existing locale.
    @@ -187,7 +189,7 @@
     a=parseInt(e,10);{if(a<=49)return 2e3+a;if(a<=999)return 1900+a}return
     a}(e),gt.indexOf(a),parseInt(t,10),parseInt(s,10),parseInt(n,10)];return
     r&&d.push(parseInt(r,10)),d}function he(e){var a=Gt.exec(function(e){return
    -e.replace(/\([^)]*\)|[\n\t]/g," ").replace(/(\s\s+)/g,"
    +e.replace(/\([^()]*\)|[\n\t]/g," ").replace(/(\s\s+)/g,"
     ").trim()}(e._i));if(a){var
     t=Me(a[4],a[3],a[2],a[5],a[6],a[7]);if(!function(e,a,t){if(e&&Ht.indexOf(e)!==ne
     w Date(a[0],a[1],a[2]).getDay())return

Run:

    $ npm install
    $ python3 setup.py js --force

Added .gitattributes to force treating files with extremely long lines
as if they were binary.
That way, the patch is not readable by a human,
but at least does not contain two full copies of everything.
---
 .gitattributes                                |   3 +++
 .../moment/min/moment-with-locales.js         |   9 +++++++--
 .../moment/min/moment-with-locales.min.js     | Bin 307839 -> 307933 bytes
 .../components/moment/min/moment.min.js       | Bin 51190 -> 51283 bytes
 notebook/static/components/moment/moment.js   |   9 +++++++--
 notebook/static/edit/js/main.min.js           |   9 +++++++--
 notebook/static/edit/js/main.min.js.map       | Bin 1740150 -> 1740372 bytes
 notebook/static/notebook/js/main.min.js       |   9 +++++++--
 notebook/static/notebook/js/main.min.js.map   | Bin 3469851 -> 3470078 bytes
 notebook/static/terminal/js/main.min.js       |   9 +++++++--
 notebook/static/terminal/js/main.min.js.map   | Bin 1510544 -> 1510766 bytes
 notebook/static/tree/js/main.min.js           |   9 +++++++--
 notebook/static/tree/js/main.min.js.map       | Bin 1495621 -> 1495843 bytes
 13 files changed, 45 insertions(+), 12 deletions(-)
 create mode 100644 .gitattributes

diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..68fdeb6
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,3 @@
+moment.min.js binary
+moment-with-locales.min.js binary
+*.js.map binary
diff --git a/notebook/static/components/moment/min/moment-with-locales.js b/notebook/static/components/moment/min/moment-with-locales.js
index 574b770..bbcf913 100644
--- a/notebook/static/components/moment/min/moment-with-locales.js
+++ b/notebook/static/components/moment/min/moment-with-locales.js
@@ -1828,11 +1828,16 @@ function chooseLocale(names) {
     return null;
 }
 
+function isLocaleNameSane(name) {
+    // Prevent names that look like filesystem paths, i.e contain '/' or '\'
+    return name.match('^[^/\\\\]*$') != null;
+}
+
 function loadLocale(name) {
     var oldLocale = null;
     // TODO: Find a better way to register and load all the locales in Node
     if (!locales[name] && (typeof module !== 'undefined') &&
-            module && module.exports) {
+            module && module.exports && isLocaleNameSane(name)) {
         try {
             oldLocale = globalLocale._abbr;
             var aliasedRequire = require;
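Review bot: The new `isLocaleNameSane` builds its RegExp from a double-escaped string literal on every call, and `name.match(...)` would throw instead of returning false if `name` is ever not a string (loadLocale's callers are outside this hunk, so I cannot confirm it always is). A regex literal with `.test()` reads unambiguously and drops the escaping: `return typeof name === 'string' && /^[^/\\]*$/.test(name);`. The comment also needs a period: `// Prevent names that look like filesystem paths, i.e. contain '/' or '\'`. The same hunk appears identically in notebook/static/components/moment/moment.js and in the regenerated main.min.js bundles; loadLocale's body continues past the end of the hunk.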
@@ -2269,7 +2274,7 @@ function untruncateYear(yearStr) {
 
 function preprocessRFC2822(s) {
     // Remove comments and folding whitespace and replace multiple-spaces with a single space
-    return s.replace(/\([^)]*\)|[\n\t]/g, ' ').replace(/(\s\s+)/g, ' ').trim();
+    return s.replace(/\([^()]*\)|[\n\t]/g, ' ').replace(/(\s\s+)/g, ' ').trim();
 }
 
 function checkWeekday(weekdayStr, parsedInput, config) {
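Review bot: The character-class change on the `return` line of `preprocessRFC2822` carries no explanation, so nothing stops a later cleanup from restoring the shorter `[^)]*`. Under the old pattern `[^)]*` could also consume `(`, so on a long run of `(` with no closing `)` every candidate start scanned to the end of the string, which is the quadratic case behind CVE-2022-31129; `[^()]*` stops at the next `(` and keeps the pass linear. I would add above the return: `// [^()]* rather than [^)]*: a comment match must not run past a nested '(' — keeps the scan linear on unbalanced input (CVE-2022-31129)`. The identical hunk in notebook/static/components/moment/moment.js should carry the same comment; the main.min.js bundles are regenerated from it.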
diff --git a/notebook/static/components/moment/min/moment-with-locales.min.js b/notebook/static/components/moment/min/moment-with-locales.min.js
index fef7c85fd429dc88f3c7195dd890bba655c400a7..9cb3030a8c459eafb769271e00349936b318bfc9 100644
GIT binary patch
delta 131
zcmezWMCk5Qp$&HxY%_~}@{<#DQvDKhQ-c%pQZ@2`49)7I)RNMoJOvO(FE_CyIYUD!
zE;>#>1_)xcRFpIoZSzWVawcC^h!9m%!!RRNbF#Lg3nSO&e8nC<Mvdm*`t85<8G)Dy
Nh?%$l)@NyH0ss&(F%AF#

delta 43
wcmccnROtT`p$&HxCaWm=O>S3o*?dN^hp#!(pgq!n5r~<9n0b4o0ZU600H{L{;s5{u

diff --git a/notebook/static/components/moment/min/moment.min.js b/notebook/static/components/moment/min/moment.min.js
index a049687679c3d43895039554cfe5f477cd92a51d..a9231146c9e8912bb1ce3700c7db33d3b346c4bf 100644
GIT binary patch
delta 109
zcmey?&wP0T^M<<$wwc8~`N@enseXyMslkbPsTz4ehGun9YDsBPo&t!Ymz!9UoS~r<
u7agY`0|c>JDoUD)wt1yFIg>9dM2M=XVVIGsxmjEB0w1Hs=HL3irvm`%tti6)

delta 23
fcmcaSf%#iM^M<<$lT{S`Hn%HY;M*Kw@OwG{f}aY=

diff --git a/notebook/static/components/moment/moment.js b/notebook/static/components/moment/moment.js
index f10d709..b71107c 100644
--- a/notebook/static/components/moment/moment.js
+++ b/notebook/static/components/moment/moment.js
@@ -1834,11 +1834,16 @@ function chooseLocale(names) {
     return null;
 }
 
+function isLocaleNameSane(name) {
+    // Prevent names that look like filesystem paths, i.e contain '/' or '\'
+    return name.match('^[^/\\\\]*$') != null;
+}
+
 function loadLocale(name) {
     var oldLocale = null;
     // TODO: Find a better way to register and load all the locales in Node
     if (!locales[name] && (typeof module !== 'undefined') &&
-            module && module.exports) {
+            module && module.exports && isLocaleNameSane(name)) {
         try {
             oldLocale = globalLocale._abbr;
             var aliasedRequire = require;
@@ -2275,7 +2280,7 @@ function untruncateYear(yearStr) {
 
 function preprocessRFC2822(s) {
     // Remove comments and folding whitespace and replace multiple-spaces with a single space
-    return s.replace(/\([^)]*\)|[\n\t]/g, ' ').replace(/(\s\s+)/g, ' ').trim();
+    return s.replace(/\([^()]*\)|[\n\t]/g, ' ').replace(/(\s\s+)/g, ' ').trim();
 }
 
 function checkWeekday(weekdayStr, parsedInput, config) {
diff --git a/notebook/static/edit/js/main.min.js b/notebook/static/edit/js/main.min.js
index 6add39b..b7bd4dd 100644
--- a/notebook/static/edit/js/main.min.js
+++ b/notebook/static/edit/js/main.min.js
@@ -11694,11 +11694,16 @@ function chooseLocale(names) {
     return null;
 }
 
+function isLocaleNameSane(name) {
+    // Prevent names that look like filesystem paths, i.e contain '/' or '\'
+    return name.match('^[^/\\\\]*$') != null;
+}
+
 function loadLocale(name) {
     var oldLocale = null;
     // TODO: Find a better way to register and load all the locales in Node
     if (!locales[name] && (typeof module !== 'undefined') &&
-            module && module.exports) {
+            module && module.exports && isLocaleNameSane(name)) {
         try {
             oldLocale = globalLocale._abbr;
             var aliasedRequire = require;
@@ -12135,7 +12140,7 @@ function untruncateYear(yearStr) {
 
 function preprocessRFC2822(s) {
     // Remove comments and folding whitespace and replace multiple-spaces with a single space
-    return s.replace(/\([^)]*\)|[\n\t]/g, ' ').replace(/(\s\s+)/g, ' ').trim();
+    return s.replace(/\([^()]*\)|[\n\t]/g, ' ').replace(/(\s\s+)/g, ' ').trim();
 }
 
 function checkWeekday(weekdayStr, parsedInput, config) {
diff --git a/notebook/static/edit/js/main.min.js.map b/notebook/static/edit/js/main.min.js.map
index ddc673d1a87b773d078c87d7f2d13456e5e19b2b..9363090e719fcda7e2260b01b6226ddec4fbf1c4 100644
GIT binary patch
delta 331
zcmex1E9=UftcER&sy8Mluu8J&I651aBu$>kD&OvPgAs_CfS4JGS%8=oh}nRc9f&!A
zm~*?=4X%xC)9=0FX0K26OUz9TPRvWy$OAGo6{=(M6o5cqUm>6<wJbHSL;)mTtWc7X
zSfY@VpP#LelbM~Wkd~Q~T3lINlA5bfkXVvYtfP>rm#UDQpI4HYnWvzxuda|^q@W%X
zqYg2yD7B=tC=YCuUT$JZa)yR_Ty&g%OblNP7{qF+sB0=H+D;Et;uf3!JC6IFtb&@F
zLT0f~esW?Cnj3+RoGwtsCB6N7JU5#qqelDR8Qeh31H`;Q%m>8$Kr8^nf<P<;#KJ%<
V0>q*~EC$5lKrFHS?+nSxF8~|ffYks1

delta 146
zcmcaIC+pj+tcER&syEnl9G#0wk|s}Nm2XeJ!3e}mK+FupEI`Z(#B4y!4#XTl%(*@J
z2G_>6>HFfj?=fpCR8L=^A|<{3N&+{VW&7=!+(66&#JoVv2gLk9EC9rUKr95r!aytn
U#G*hf2E^h(EV2FeOv%bG0KJYx2mk;8

diff --git a/notebook/static/notebook/js/main.min.js b/notebook/static/notebook/js/main.min.js
index 8e3003e..8f1dff8 100644
--- a/notebook/static/notebook/js/main.min.js
+++ b/notebook/static/notebook/js/main.min.js
@@ -11700,11 +11700,16 @@ function chooseLocale(names) {
     return null;
 }
 
+function isLocaleNameSane(name) {
+    // Prevent names that look like filesystem paths, i.e contain '/' or '\'
+    return name.match('^[^/\\\\]*$') != null;
+}
+
 function loadLocale(name) {
     var oldLocale = null;
     // TODO: Find a better way to register and load all the locales in Node
     if (!locales[name] && (typeof module !== 'undefined') &&
-            module && module.exports) {
+            module && module.exports && isLocaleNameSane(name)) {
         try {
             oldLocale = globalLocale._abbr;
             var aliasedRequire = require;
@@ -12141,7 +12146,7 @@ function untruncateYear(yearStr) {
 
 function preprocessRFC2822(s) {
     // Remove comments and folding whitespace and replace multiple-spaces with a single space
-    return s.replace(/\([^)]*\)|[\n\t]/g, ' ').replace(/(\s\s+)/g, ' ').trim();
+    return s.replace(/\([^()]*\)|[\n\t]/g, ' ').replace(/(\s\s+)/g, ' ').trim();
 }
 
 function checkWeekday(weekdayStr, parsedInput, config) {
diff --git a/notebook/static/notebook/js/main.min.js.map b/notebook/static/notebook/js/main.min.js.map
index f4050efb6ed33485fcc8f7439934cfcebbc66a28..70316ab5f0cec243d52d9ff806f4572f7c585efe 100644
GIT binary patch
delta 477
zcmZwBOG^S_6b4`>(=L|T#Vj>DnK@eKWS2#Y7VQEfx-EjHY?3b=(wT5RgJ@AZH$t?U
zpnuRpgd!JhqJI$X+gQJ#*3moVvI7sC_Z&E!+xNQg{ZSV#AB4|0lQ!%DTaq8%zlJtj
zOR0tcEnovH+ra^C&<-8Y2~Oy$r5fFt>kHLb)iX+tttol7rD!awp^4GCtPx6*XuZHr
zna0VQ8^p5;r<|@IQ%*f*bfo5(ab|FqrxS%|jX0?ZMj2h>imH()iKG`ulx6YnT!Hao
zLHj+G$SXXPje5lW-F-=J*4|`TjM3PVdBa^_K8i%>|M$#v+8?al6<v-+AzG?dT+jn<
z=!HJ$hXL@^s+GZ&N4p%_W;^EdlgDSenRlU?mtP{o<^l6MZPwOGr84uv5Lmqr{1AW<
o2*M~3j6n#-Aq*1`0TH4QgGrczI7~wVB$$CD%)(r)%;vAkKk4PR4gdfE

delta 297
zcmWN=Jxc;{9Kdm|uKJgCoz{6hX=y%HXJrpaOB61;1qw9>-YNw-IkX)~*c3m=cTj^%
z^nW2X>te4!TBGj=K7T)bqdV#wkDtbPV0xFO`@kL=oZuu)PH~zuRGj4;L!8(4a6!My
z-Geodk5)7!-FDj1Pfg1_3pzcEi?kVLgiBneqdUE5`AfdvJzFk{O382CJ(cP>6P9z|
zbyT%hxyfJGZ>8{-bL6V1%%I`BT;VF$xXum680RLpm|&9IOfk(2v&?aayWFG4JokCP
PLl$_%W8LsiUY`E}4C!?O

diff --git a/notebook/static/terminal/js/main.min.js b/notebook/static/terminal/js/main.min.js
index 13e4a7d..bc3023b 100644
--- a/notebook/static/terminal/js/main.min.js
+++ b/notebook/static/terminal/js/main.min.js
@@ -11610,11 +11610,16 @@ function chooseLocale(names) {
     return null;
 }
 
+function isLocaleNameSane(name) {
+    // Prevent names that look like filesystem paths, i.e contain '/' or '\'
+    return name.match('^[^/\\\\]*$') != null;
+}
+
 function loadLocale(name) {
     var oldLocale = null;
     // TODO: Find a better way to register and load all the locales in Node
     if (!locales[name] && (typeof module !== 'undefined') &&
-            module && module.exports) {
+            module && module.exports && isLocaleNameSane(name)) {
         try {
             oldLocale = globalLocale._abbr;
             var aliasedRequire = require;
@@ -12051,7 +12056,7 @@ function untruncateYear(yearStr) {
 
 function preprocessRFC2822(s) {
     // Remove comments and folding whitespace and replace multiple-spaces with a single space
-    return s.replace(/\([^)]*\)|[\n\t]/g, ' ').replace(/(\s\s+)/g, ' ').trim();
+    return s.replace(/\([^()]*\)|[\n\t]/g, ' ').replace(/(\s\s+)/g, ' ').trim();
 }
 
 function checkWeekday(weekdayStr, parsedInput, config) {
diff --git a/notebook/static/terminal/js/main.min.js.map b/notebook/static/terminal/js/main.min.js.map
index 106191b03e9371a50830db08104d1341f3516fee..25ad449a1a59978f9c1aad8202ec9a7645d63b56 100644
GIT binary patch
delta 314
zcmbO*Gv?i_n1(Hk6E06KV3K6hadb8;Nt#}GnNg{I$7Mz!W&&bnAZ7t#Rv=~rVs;?r
z0AkMVJ1%p5Q>o7^_Q_99%t`f2%uNkW%uChC12Qxfs$=pLfIwegA)qL=EH$r00VH0m
zP?C{YqL7oHpRJISnVqVTmYI`UTv=R_nyXNdSdvk!qmZeWs*s$YSCW{Sr=YH{u8?1(
zpdJ&W4l%AMwWPEt4{VfPZemGthK8tmTy&g%3>3s_si<ozDB4b+@q_D&l!BU?0(R$3
zx7#74uzk%>E*48hjrI*j+(66&#JoVv2gLk9EC9rUKr95r!aytn#G>0b7>PZ&2>=Nr
Bc31!a

delta 130
zcmaDiD`vvXn1(Hk6E3sqI64=VBu!q(B;S7SG9wT(0WmWWvj8zG5VHX>I}mdKG3WMk
zm$`nbOfUS&b#J=NP9cTuoxiwPEZh5xxq+Amh<SmS4~Y4JSOACxfmjHLg@ITEh()*e
J8H+u*2>`4=Ie-8F

diff --git a/notebook/static/tree/js/main.min.js b/notebook/static/tree/js/main.min.js
index 9775015..d3641ec 100644
--- a/notebook/static/tree/js/main.min.js
+++ b/notebook/static/tree/js/main.min.js
@@ -13330,11 +13330,16 @@ function chooseLocale(names) {
     return null;
 }
 
+function isLocaleNameSane(name) {
+    // Prevent names that look like filesystem paths, i.e contain '/' or '\'
+    return name.match('^[^/\\\\]*$') != null;
+}
+
 function loadLocale(name) {
     var oldLocale = null;
     // TODO: Find a better way to register and load all the locales in Node
     if (!locales[name] && (typeof module !== 'undefined') &&
-            module && module.exports) {
+            module && module.exports && isLocaleNameSane(name)) {
         try {
             oldLocale = globalLocale._abbr;
             var aliasedRequire = require;
@@ -13771,7 +13776,7 @@ function untruncateYear(yearStr) {
 
 function preprocessRFC2822(s) {
     // Remove comments and folding whitespace and replace multiple-spaces with a single space
-    return s.replace(/\([^)]*\)|[\n\t]/g, ' ').replace(/(\s\s+)/g, ' ').trim();
+    return s.replace(/\([^()]*\)|[\n\t]/g, ' ').replace(/(\s\s+)/g, ' ').trim();
 }
 
 function checkWeekday(weekdayStr, parsedInput, config) {
diff --git a/notebook/static/tree/js/main.min.js.map b/notebook/static/tree/js/main.min.js.map
index e334a06e00b8bc700135b95328fbd9f7ab9e86a7..e6862e8f1b1409c65000d38a3c004138926213c7 100644
GIT binary patch
delta 322
zcmX@QBzp0(=!Pwf8^29rkz~_xbT%wWn*5MizWv%aMj&PaVrC#_0b*7lW&>h&Am#vK
zP9Wyme(f8#^Q8LBVxRov#GF*W#N5>2#Jp6EJRn0;p*ki{0SNT<6#|M<%Tn`76hPv|
z3MCndB?>wD`Pm9Nnc1ldX_+~x#g)Y+sksUTi6t4uItrP3sS3&Yc_oRNc?#<K>I(Tq
z3hFU2>Ja0KQcFsU^1w#v<tCOSXK0A3$3@5K$3Q`>mWsNjf}-v8d><aM>5`p1_v97S
z)D*D05$wq6jDjN4+r_(hSS%Se+NBTk05LBR^8qnG5DNgYAP@@yu`m#e0I}$H>BC}L
F`~YDycVhqm

delta 135
zcmZ3yEc)n@=!Pwf8^5vXI64=VBu#$EEZ_eA8zT@i0WmWWvj8zG5VHX>I}mdKF((jn
zZGZob+j-LTJDoiDrq7P&=AJ%nIk)KcFI_w=mhC?e^8hg~5c2^sKM)H5u^<o&0kJR;
OivY3c_MeBvwD<u^5lF}Y

-- 
2.37.1