jlec 15/06/22 09:45:52 Added: ipython-2.2.0-login-backport.patch Log: Backport vulnerability fix, bug #552816; drop vulnerable versions; create mathjax symlink USE dependent, bug #481726 (Portage version: 2.2.20/cvs/Linux x86_64, signed Manifest commit with key E9402A79B03529A2!)
Revision Changes Path 1.1 dev-python/ipython/files/ipython-2.2.0-login-backport.patch file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-python/ipython/files/ipython-2.2.0-login-backport.patch?rev=1.1&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-python/ipython/files/ipython-2.2.0-login-backport.patch?rev=1.1&content-type=text/plain Index: ipython-2.2.0-login-backport.patch =================================================================== >From 5d6ce3671318c8d32bab770ece841590bbec358d Mon Sep 17 00:00:00 2001 From: Matthias Bussonnier <bussonniermatth...@gmail.com> Date: Fri, 17 Apr 2015 13:08:32 -0700 Subject: [PATCH] Set secure cookie by default if login handler is hit. backport of https://github.com/jupyter/jupyter_notebook/pull/22 b8e99bc > There is few chances that logged-in people do not use https connexion, > but I guess it can happened if the server is ran in front of a proxy > that does the https termination, so leave it configurable. > > closes ipython/ipython#8325 --- IPython/html/auth/login.py | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/IPython/html/auth/login.py b/IPython/html/auth/login.py index 1ad4673..1a340c8 100644 --- a/IPython/html/auth/login.py +++ b/IPython/html/auth/login.py @@ -46,7 +46,13 @@ class LoginHandler(IPythonHandler): pwd = self.get_argument('password', default=u'') if self.login_available: if passwd_check(self.password, pwd): - self.set_secure_cookie(self.cookie_name, str(uuid.uuid4())) + # tornado <4.2 have a bug that consider secure==True as soon as + # 'secure' kwarg is passed to set_secure_cookie + if self.settings.get('secure_cookie', self.request.protocol == 'https'): + kwargs = {'secure':True} + else: + kwargs = {} + self.set_secure_cookie(self.cookie_name, str(uuid.uuid4()), **kwargs) else: self._render(message={'error': 'Invalid password'}) return