File: 0034-Fix-2075128-Private-bug-https-bugs.launchpad.net-cal.patch

Package: calibre 6.13.0+repack-2+deb12u5
  • area: main
  • in suites: bookworm-proposed-updates
From: Kovid Goyal <kovid@kovidgoyal.net>
Date: Tue, 30 Jul 2024 13:51:33 +0530
Subject: Fix #2075128 [Private
 bug](https://bugs.launchpad.net/calibre/+bug/2075128)

Origin: backport, https://github.com/kovidgoyal/calibre/commit/38a1bf50d8cd22052ae59c513816706c6445d5e9.patch
Forwarded: not-needed
Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-6782
---
 src/calibre/db/cli/cmd_list.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/calibre/db/cli/cmd_list.py b/src/calibre/db/cli/cmd_list.py
index 9907b26..65935b5 100644
--- a/src/calibre/db/cli/cmd_list.py
+++ b/src/calibre/db/cli/cmd_list.py
@@ -36,6 +36,12 @@ def implementation(
     db, notify_changes, fields, sort_by, ascending, search_text, limit, template=None
 ):
     is_remote = notify_changes is not None
+    if is_remote:
+        # templates allow arbitrary code execution via python templates. We
+        # could possibly disallow only python templates but that is more work
+        # than I feel like doing for this, so simply ignore templates on remote
+        # connections.
+        template = None
     formatter = None
     with db.safe_read_lock:
         fm = db.field_metadata
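Review bot: the `template = None` assignment under `if is_remote:` discards the caller's template silently, so a remote caller that passed one gets output with no template column and no indication why; consider raising or at least logging here rather than dropping the value without a trace. This guard inside `implementation()` is the one that must hold, because it runs where `notify_changes` is set for remote connections, whereas the `do_list` check only covers the command-line path. The inline comment that explains why Python templates are not singled out is worth keeping, since it records the known trade-off of the blunter fix.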
@@ -164,6 +170,8 @@ def do_list(
 ):
     if sort_by is None:
         ascending = True
+    if dbctx.is_remote and (template or template_file or template_title):
+        raise SystemExit(_('The use of templates is disallowed when connecting to remote servers for security reasons'))
     if 'template' in (f.strip() for f in fields):
         if template_file:
             with open(template_file, 'rb') as f:
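Review bot: the `dbctx.is_remote` check fires on `template or template_file or template_title` before the `'template' in fields` test, so on a remote connection any `--template` argument now aborts with `SystemExit` even when "template" is not in the field list and the value would never have been evaluated; if that strictness is intended, the `--template` help text should say "not allowed" rather than "ignored". The condition also relies on truthiness, so an empty `--template ''` or `--template_file ''` slips past the check; that is harmless only because the `implementation()` guard still nulls the template, so the two checks should be kept together when either is changed.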
@@ -334,7 +342,8 @@ List the books available in the calibre database.
     parser.add_option(
         '--template',
         default=None,
-        help=_('The template to run if "{}" is in the field list. Default: None').format('template')
+        help=_('The template to run if "{}" is in the field list. Note that templates are ignored while connecting to a calibre server.'
+               ' Default: None').format('template')
     )
     parser.add_option(
         '--template_file',
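Review bot: the new `--template` help text says templates "are ignored while connecting to a calibre server", but the `do_list` check in this same patch raises `SystemExit` with "disallowed ... for security reasons", so the documentation and the behaviour disagree; suggest wording it as "Note that templates are not allowed when connecting to a calibre server." The `--template_file` option that begins at the end of this hunk (and `--template_title`, which the `do_list` check also rejects) carries no such note, so the same sentence should be added to their help strings.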