[racket-dev] [plt] Push #27862: master branch updated
There is an important change in this commit. Since we've created the
release branch for 6.0, I think we should stop automatically
installing and executing arbitrary code when people open files in
DrRacket. Currently the error message suggests using "raco planet" but
I think we need a bit of a GUI shim for other users.
On Wed, Nov 27, 2013 at 3:40 PM, <jay at racket-lang.org> wrote:
> jay has updated `master' from 033065f632 to 60ae164d05.
> http://git.racket-lang.org/plt/033065f632..60ae164d05
>
> =====[ 6 Commits ]======================================================
> Directory summary:
> 57.6% pkgs/plt-services/meta/pkg-index/official/static/
> 17.6% pkgs/plt-services/meta/pkg-index/official/
> 22.0% racket/collects/planet/private/
>
> ~~~~~~~~~~
>
> 2413278 Jay McCarthy <jay at racket-lang.org> 2013-11-27 14:51
> :
> | moving delete button
> :
> M .../meta/pkg-index/official/static/index.html | 2 ++
> M .../meta/pkg-index/official/static/index.js | 16 +++++++++-------
> M .../meta/pkg-index/official/static/style.css | 4 ++++
>
> ~~~~~~~~~~
>
> 113696c Jay McCarthy <jay at racket-lang.org> 2013-11-27 14:54
> :
> | edit on lose focus
> :
> M pkgs/plt-services/meta/pkg-index/official/static/index.js | 4 +++-
>
> ~~~~~~~~~~
>
> cf1755f Jay McCarthy <jay at racket-lang.org> 2013-11-27 15:19
> :
> | Remove arbitrary code execution exploit from Racket and DrRacket
> |
> | This is particularly bad with DrRacket's online syntax checking, which
> | causes opening a file to download and executed aribtrary code.
> :
> M racket/collects/planet/private/resolver.rkt | 8 ++++----
>
> ~~~~~~~~~~
>
> 98df30c Jay McCarthy <jay at racket-lang.org> 2013-11-27 15:30
> :
> | deleting static s3 content properly
> :
> M pkgs/plt-services/meta/pkg-index/official/static.rkt | 11 ++++++++++-
>
> ~~~~~~~~~~
>
> 7b7a5ad Jay McCarthy <jay at racket-lang.org> 2013-11-27 15:33
> :
> | increase pkg test timeout
> :
> M pkgs/plt-services/meta/props | 2 +-
>
> ~~~~~~~~~~
>
> 60ae164 Jay McCarthy <jay at racket-lang.org> 2013-11-27 15:39
> :
> | Removing add tag button when not logged in re mflatt
> :
> M pkgs/plt-services/meta/pkg-index/official/static/index.js | 11 +++++++++--
> M .../plt-services/meta/pkg-index/official/static/index.html | 2 +-
>
> =====[ Overall Diff ]===================================================
>
> pkgs/plt-services/meta/pkg-index/official/static.rkt
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> --- OLD/pkgs/plt-services/meta/pkg-index/official/static.rkt
> +++ NEW/pkgs/plt-services/meta/pkg-index/official/static.rkt
> @@ -304,7 +304,16 @@
> (cache "/pkgs" "pkgs")
> (cache "/pkgs-all" "pkgs-all")
> (for ([p (in-list pkg-list)])
> - (cache (format "/pkg/~a" p) (format "pkg/~a" p))))
> + (cache (format "/pkg/~a" p) (format "pkg/~a" p)))
> +
> + (let ()
> + (define pkg-path (build-path static-path "pkg"))
> + (for ([f (in-list (directory-list pkg-path))]
> + #:unless (regexp-match #"json$" (path->string f))
> + #:unless (member (path->string f) pkg-list))
> + (with-handlers ([exn:fail:filesystem? void])
> + (delete-file (build-path pkg-path f))
> + (delete-file (build-path pkg-path (path-add-suffix f #".json")))))))
>
> (module+ main
> (require racket/cmdline)
>
> pkgs/plt-services/meta/pkg-index/official/static/index.html
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> --- OLD/pkgs/plt-services/meta/pkg-index/official/static/index.html
> +++ NEW/pkgs/plt-services/meta/pkg-index/official/static/index.html
> @@ -54,12 +54,14 @@
> <tr><td>Last Edit:</td><td><span id="pi_last_edit"></span></td></tr>
> <tr><td>Description:</td><td><span id="pi_description"></span></td></tr>
> <tr><td>Tags:</td><td><span id="pi_tags"></span></td></tr>
> - <tr><td></td><td><input type="text" id="pi_add_tag_text" class="text ui-widget-content ui-corner-all" /><button id="pi_add_tag_button">Add Tag</button></td></tr>
> + <tr id="pi_add_tag_row"><td></td><td><input type="text" id="pi_add_tag_text" class="text ui-widget-content ui-corner-all" /><button id="pi_add_tag_button">Add Tag</button></td></tr>
> <tr id="pi_versions_row"><td>Versions Exceptions</td><td><table id="pi_versions"></table></td></tr>
> <tr id="pi_add_version_row"><td></td><td><label>Version:</label> <input type="text" id="pi_add_version_text" class="text ui-widget-content ui-corner-all" /><br /><label>Source:</label> <input type="text" id="pi_add_version_source_text" class="text ui-widget-content ui-corner-all" /><button id="pi_add_version_button">Add Version Exception</button></td></tr>
> <tr id="pi_dependencies_row"><td>Dependencies</td><td><span id="pi_dependencies"></span></td></tr>
> <tr id="pi_conflicts_row"><td>Conflicts</td><td><span id="pi_conflicts"></span></td></tr>
> <tr><td>Modules</td><td><span id="pi_modules"></span></td></tr>
> + <tr id="pi_delete_row"><td colspan="2"><button id="pi_delete_button">Delete
> + Package</button><br />(there is no undo!)</td></tr>
> </table>
>
> <div id="pi_install" class="install">Install this package with:<br><br><tt>raco pkg install <span id="pi_name_inst"></span></tt><br><br>or, with the 'File|Install Package...' menu option in DrRacket.</div>
>
> pkgs/plt-services/meta/pkg-index/official/static/index.js
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> --- OLD/pkgs/plt-services/meta/pkg-index/official/static/index.js
> +++ NEW/pkgs/plt-services/meta/pkg-index/official/static/index.js
> @@ -8,6 +8,8 @@ function me () {
> return localStorage['email']; }
>
> $( document ).ready(function() {
> + var logged_in = false;
> +
> function jslink ( texts, clickf) {
> return $('<a>', { href: "javascript:void(0)",
> click: clickf } ).html(texts); }
> @@ -43,7 +45,7 @@ $( document ).ready(function() {
> update_package_on_list ( pkgi );
> // console.log( pkgi );
> change_hash( "[" + pkgi['name'] + "]" );
> -
> +
> var mypkg_p = ($.inArray(me(), pkgi['authors'] ) != -1);
>
> function make_editbutton ( spot, initv, fun ) {
> @@ -56,17 +58,20 @@ $( document ).ready(function() {
> var it = $( "#" + spot + "_text" );
> it.keypress( function (e) {
> if (e.which == 13) { fun (it.val()); } } );
> + it.focusout( function (e) {
> + fun (it.val()); } );
> it.val(initv).focus(); } ) ); } }
>
> $( "#pi_name" ).text( pkgi['name'] );
> make_editbutton ( "pi_name", pkgi['name'], submit_mod_name );
> if ( mypkg_p ) {
> - $( "#pi_name" ).append( $('<button>')
> - .button({ icons: { primary: "ui-icon-trash" } })
> - .click( function (e) {
> - dynamic_pkgsend( "/jsonp/package/del", { } );
> - $(pkgi['dom_obj']).remove();
> - $("#package_info").dialog("close"); } ) ); }
> + $( "#pi_delete_button" ).click( function (e) {
> + dynamic_pkgsend( "/jsonp/package/del", { } );
> + $(pkgi['dom_obj']).remove();
> + $("#package_info").dialog("close"); } );
> + $( "#pi_delete_row" ).show(); }
> + else {
> + $( "#pi_delete_row" ).hide(); }
>
> $( "#pi_name_inst" ).text( pkgi['name'] );
> $( "#pi_ring" ).text( pkgi['ring'] );
> @@ -104,6 +109,10 @@ $( document ).ready(function() {
> " "]; }
> else {
> return [tag, " "]; } } ) ));
> + if ( logged_in ) {
> + $( "#pi_add_tag_row" ).show(); }
> + else {
> + $( "#pi_add_tag_row" ).hide(); }
>
> $( "#pi_versions" ).html("").append( $.map( Object.keys(pkgi['versions']).sort(), function ( v, vi ) {
> var vo = pkgi['versions'][v];
> @@ -494,8 +503,10 @@ $( document ).ready(function() {
> $( "#login_code_row" ).hide();
>
> function menu_logout () {
> + logged_in = false;
> $("#logout").html( jslink( "login", function () { $( "#login" ).dialog( "open" ); } ) ); }
> function menu_loggedin ( curate_p ) {
> + logged_in = true;
> $("#logout").html("")
> .append( me(),
> ( curate_p ? [ " (", jslink( "curator", function () {
>
> pkgs/plt-services/meta/pkg-index/official/static/style.css
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> --- OLD/pkgs/plt-services/meta/pkg-index/official/static/style.css
> +++ NEW/pkgs/plt-services/meta/pkg-index/official/static/style.css
> @@ -150,3 +150,7 @@ a.possible {
> text-align: center;
> color: red;
> }
> +
> +tr#pi_delete_row td {
> + text-align: center;
> +}
>
> pkgs/plt-services/meta/props
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> --- OLD/pkgs/plt-services/meta/props
> +++ NEW/pkgs/plt-services/meta/props
> @@ -1289,7 +1289,7 @@ path/s is either such a string or a list of them.
> "pkgs/racket-pkgs/racket-test/tests/openssl/basic.rkt" drdr:random #t
> "pkgs/racket-pkgs/racket-test/tests/pkg" responsible (jay) drdr:command-line (mzc *)
> "pkgs/racket-pkgs/racket-test/tests/pkg/test-pkgs" drdr:command-line #f
> -"pkgs/racket-pkgs/racket-test/tests/pkg/test.rkt" drdr:command-line (raco "test" *) drdr:timeout 600
> +"pkgs/racket-pkgs/racket-test/tests/pkg/test.rkt" drdr:command-line (raco "test" *) drdr:timeout 2400
> "pkgs/racket-pkgs/racket-test/tests/racket" responsible (mflatt)
> "pkgs/racket-pkgs/racket-test/tests/racket/all.rktl" drdr:command-line #f
> "pkgs/racket-pkgs/racket-test/tests/racket/basic.rktl" drdr:command-line #f
>
> racket/collects/planet/private/resolver.rkt
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> --- OLD/racket/collects/planet/private/resolver.rkt
> +++ NEW/racket/collects/planet/private/resolver.rkt
> @@ -219,9 +219,9 @@ See the scribble documentation on the planet/resolver module.
> (struct-out exn:fail:planet))
>
> ;; if #f, will not install packages and instead raise a exn:fail:install? error
> -(define install? (make-parameter #t))
> +(define install? (make-parameter #f))
> ;; if #f, will not download packages and instead raise a exn:fail:install? error
> -(define download? (make-parameter #t))
> +(define download? (make-parameter #f))
> (define-struct (exn:fail:planet exn:fail) ())
>
> ;; update doc index only once for a set of installs:
> @@ -541,7 +541,7 @@ See the scribble documentation on the planet/resolver module.
> (unless (download?)
> (raise (make-exn:fail:planet
> (format
> - "PLaneT error: cannot download package ~s since the download? parameter is set to #f"
> + "PLaneT error: cannot download package ~s without permission. Give permission with download? parameter or use 'raco planet install'"
> (list (car (pkg-spec-path pkg)) (pkg-spec-name pkg)))
> (current-continuation-marks))))
> ((if (USE-HTTP-DOWNLOADS?) download-package/http download-package/planet)
> @@ -577,7 +577,7 @@ See the scribble documentation on the planet/resolver module.
> (unless (install?)
> (raise (make-exn:fail:planet
> (format
> - "PLaneT error: cannot install package ~s since the install? parameter is set to #f"
> + "PLaneT error: cannot install package ~s without permission. Give permission with download? parameter or use 'raco planet install'"
> (list (car pkg-path) pkg-name maj min))
> (current-continuation-marks))))
> (define owner (car pkg-path))
![[logo]](/logo.png){kind=logo}