debian/changelog

elixir (0.7.1-4build0.14.04.1) trusty-security; urgency=medium

  * fake sync from Debian

 -- Mike Salvatore  Mon, 14 Jan 2019 10:58:34 -0500

elixir (0.7.1-4) unstable; urgency=high

  * Team upload.

  [ Ondřej Nový ]
  * Fixed VCS URL (https)

  [ Piotr Ożarowski ]
  * Apply fix for CVE-2012-2146 from RedHat's bugzilla (closes: 670919)
    (https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2146)

 -- Ondřej Nový  Tue, 29 Mar 2016 21:29:24 +0200

elixir (0.7.1-3) unstable; urgency=medium

  * Team upload.

  [ Piotr Ożarowski ]
  * Remove myself from Uploaders

  [ Scott Kitterman ]
  * Rebuild for sqlalchemy 1.0
  * Update debian/watch to use pypi.debian.net redirector
  * Add python-crypto to build-depends for test execution

 -- Scott Kitterman  Sat, 01 Aug 2015 21:34:44 -0400

elixir (0.7.1-2) unstable; urgency=low

  [ Jakub Wilk ]
  * Use canonical URIs for Vcs-* fields.

  [ Piotr Ożarowski ]
  * Add sa_0.9_compatibility.patch (closes: 739476)
  * Convert package to dh_python2 and pybuild buildsystem
  * Remove debian/preinst and debian/pycompat files, no longer needed
  * Change debhelper compatibility level to 9
  * Source format changed to 3.0 (quilt)
  * Bump Standards-Version to 3.9.5 (no changes needed)

 -- Piotr Ożarowski  Sun, 02 Mar 2014 00:39:08 +0100

elixir (0.7.1-1) unstable; urgency=low

  * New upstream release
    - examples are no longer in the tarball
  * Convert package to dh sequencer
  * Bump Standards-Version to 3.8.4 (no changes needed)

 -- Piotr Ożarowski  Thu, 28 Jan 2010 19:58:27 +0100

elixir (0.7.0-1) unstable; urgency=low

  * New upstream release
  * Convert to python-support
    - add preinst file to remove old .pyc files
  * Bump Standards-Version to 3.8.3 (no changes needed)

 -- Piotr Ożarowski  Thu, 01 Oct 2009 20:49:56 +0200

elixir (0.6.1-2) unstable; urgency=low

  [ Sandro Tosi ]
  * debian/control
    - switch Vcs-Browser field to viewsvn

  [ Piotr Ożarowski ]
  * Add ${misc:Depends} to Depends
  * Change Debian packaging license to MIT (to match upstream)
  * Upload to unstable

 -- Piotr Ożarowski  Sun, 22 Feb 2009 22:37:23 +0100

elixir (0.6.1-1) experimental; urgency=low

  * New upstream release (upload to experimental due to Lenny freeze,
    python-turbogears recommends this package)

 -- Piotr Ożarowski  Tue, 19 Aug 2008 00:34:37 +0200

elixir (0.6.0-1) unstable; urgency=medium

  * New upstream release
  * python-sqlalchemy's required version bumped to 0.4.0
  * Bump Standards-Version to 3.8.0 (no changes needed)

 -- Piotr Ożarowski  Sun, 20 Jul 2008 23:34:01 +0200

elixir (0.5.2-1) unstable; urgency=low

  * New upstream release
  * debian/watch file updated (s/cheeseshop/pypi)

 -- Piotr Ożarowski  Fri, 28 Mar 2008 22:30:26 +0100

elixir (0.5.1-2) unstable; urgency=medium

  * No need to rename Egg dir name anymore as pycentral handles it now
    (Closes: #472036)
  * Move python-central to Build-Depends-Indep
  * Bumped python-central required version to 0.6 (new .py files location)
  * Strip the "-1" from setuptools' required build version (to ease backports)

 -- Piotr Ożarowski  Fri, 21 Mar 2008 21:10:19 +0100

elixir (0.5.1-1) unstable; urgency=low

  [ Sandro Tosi ]
  * debian/control
    - fix Vcs-Browser field

  [ Piotr Ożarowski ]
  * New upstream release

 -- Piotr Ożarowski  Thu, 07 Feb 2008 20:15:12 +0100

elixir (0.5.0-1) unstable; urgency=low

  * New upstream release
  * Remove dont_install_example_files_in_site-packages patch (applied upstream)
  * Add python-crypto to Recommends (elixir.ext.encrypted plugin)
  * Bump Standards-Version to 3.7.3 (no changes needed)

 -- Piotr Ożarowski  Sun, 16 Dec 2007 13:31:17 +0100

elixir (0.4.0-1) unstable; urgency=low

  * New upstream release
  * Add dont_install_example_files_in_site-packages patch
  * Bump python-sqlalchemy required version to 0.3.9
  * Homepage field added
  * Rename XS-Vcs-* fields to Vcs-* (dpkg supports them now)
  * Remove useless Provides field

 -- Piotr Ożarowski  Mon, 29 Oct 2007 21:09:13 +0100

elixir (0.3.0-1) unstable; urgency=low

  * New upstream release
  * Changed my address to piotr@debian.org

 -- Piotr Ożarowski  Tue, 10 Apr 2007 15:52:41 +0200

elixir (0.2.0-1) unstable; urgency=low

  * Initial release. (Closes: #412218)

 -- Piotr Ozarowski  Wed, 28 Feb 2007 15:07:30 +0100

debian/compat

9

debian/rules

#!/usr/bin/make -f
%:
	dh $@ --with python2 --buildsystem=pybuild

debian/patches/sa_0.9_compatibility.patch

From 2c43934c7dfba603a841a86989cd13ab7ded2e8b Mon Sep 17 00:00:00 2001 From: SVN-Git Migration Date: Thu, 8 Oct 2015 09:01:26 -0700 Subject: sa_0.9_compatibility Patch-Name: sa_0.9_compatibility.patch --- elixir/entity.py | 6 +++--- elixir/options.py | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/elixir/entity.py b/elixir/entity.py index 5057457..1f4e5fb 100644 --- a/elixir/entity.py +++ b/elixir/entity.py @@ -15,7 +15,7 @@ import sqlalchemy from sqlalchemy import Table, Column, Integer, desc, ForeignKey, and_, \ ForeignKeyConstraint from sqlalchemy.orm import MapperExtension, mapper, object_session, \ - EXT_CONTINUE, polymorphic_union, ScopedSession, \ + EXT_CONTINUE, polymorphic_union, scoped_session, \ ColumnProperty from sqlalchemy.sql import ColumnCollection 
@@ -452,13 +452,13 @@ class EntityDescriptor(object): # do the mapping if self.session is None: self.entity.mapper = mapper(self.entity, *args, **kwargs) - elif isinstance(self.session, ScopedSession): + elif isinstance(self.session, scoped_session): session_mapper = session_mapper_factory(self.session) self.entity.mapper = session_mapper(self.entity, *args, **kwargs) else: raise Exception("Failed to map entity '%s' with its table or " "selectable. You can only bind an Entity to a " - "ScopedSession object or None for manual session " + "scoped_session object or None for manual session " "management." % self.entity.__name__) diff --git a/elixir/options.py b/elixir/options.py index 9284b04..948b568 100644 --- a/elixir/options.py +++ b/elixir/options.py @@ -116,7 +116,7 @@ The list of supported arguments are as follows: | ``session`` | Specify a custom contextual session for this entity. | | | By default, entities uses the global | | | ``elixir.session``. | -| | This option takes a ``ScopedSession`` object or | +| | This option takes a ``scoped_session`` object or | | | ``None``. In the later case your entity will be | | | mapped using a non-contextual mapper which requires | | | manual session management, as seen in pure SQLAlchemy.|

debian/patches/series

sa_0.9_compatibility.patch
0002-CVE-2012-2146-aes-encryption-addition.patch

debian/patches/0002-CVE-2012-2146-aes-encryption-addition.patch

From 3a06ca56dc701e244c7e5240afc84f434aaa6b3d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Piotr=20O=C5=BCarowski?= Date: Fri, 18 Nov 2016 14:02:47 +0100 Subject: CVE-2012-2146: aes encryption addition --- elixir/ext/encrypted.py | 42 +++++++++++++++++++++++++++++++++++++----- 1 file changed, 37 insertions(+), 5 deletions(-) diff --git a/elixir/ext/encrypted.py b/elixir/ext/encrypted.py index 410855d..ec99fbf 100644 --- a/elixir/ext/encrypted.py 
+++ b/elixir/ext/encrypted.py @@ -32,7 +32,9 @@ that attribute will be crypted in the in-memory object in addition to the database row. ''' -from Crypto.Cipher import Blowfish +import sys +import os +from Crypto.Cipher import Blowfish, AES from elixir.statements import Statement from sqlalchemy.orm import MapperExtension, EXT_CONTINUE, EXT_STOP @@ -49,7 +51,9 @@ __doc_all__ = [] # # encryption and decryption functions # - +# WARNING!!! Blowfish encryption method is vulnerable to attacks +# because it doesn't properly use random seed. It is provided just for +# backward compatibility needed to migrate data. Use AES instead! def encrypt_value(value, secret): return Blowfish.new(secret, Blowfish.MODE_CFB) \ .encrypt(value).encode('string_escape') @@ -58,6 +62,24 @@ def decrypt_value(value, secret): return Blowfish.new(secret, Blowfish.MODE_CFB) \ .decrypt(value.decode('string_escape')) +# Crypto.Cipher.AES is AES128 +def encrypt_value_aes(value, secret): + iv = os.urandom(AES.block_size) + + pad_len = AES.block_size - len(value) % AES.block_size + padded_value = value + pad_len * chr(pad_len) + res = iv + AES.new(secret, AES.MODE_CBC, iv).encrypt(padded_value) + return res.encode('string_escape') + +def decrypt_value_aes(value, secret): + value = value.decode('string_escape') + iv = value[:AES.block_size] + encrypted = value[AES.block_size:] + + padded_value = AES.new(secret, AES.MODE_CBC, iv).decrypt(encrypted) + pad_len = ord(padded_value[-1]) + assert pad_len >= 1 and pad_len <= AES.block_size + return padded_value[:-pad_len] # # acts_as_encrypted statement 
@@ -65,7 +87,11 @@ def decrypt_value(value, secret): class ActsAsEncrypted(object): - def __init__(self, entity, for_fields=[], with_secret='abcdef'): + def __init__(self, entity, for_fields=[], with_secret='abcdef', with_aes=False): + if not with_aes: + sys.stderr.write("""******* WARNING!!! ******** +Blowfish encryption method is vulnerable to attacks. +Migrate your data and use with_aes=True\n""") def perform_encryption(instance, encrypt=True): encrypted = getattr(instance, '_elixir_encrypted', None) 
@@ -77,9 +103,15 @@ class ActsAsEncrypted(object): instance._elixir_encrypted = encrypt if encrypt: - func = encrypt_value + if with_aes: + func = encrypt_value_aes + else: + func = encrypt_value else: - func = decrypt_value + if with_aes: + func = decrypt_value_aes + else: + func = decrypt_value for column_name in for_fields: current_value = getattr(instance, column_name)

debian/control

Source: elixir
Section: python
Priority: optional
Maintainer: Debian Python Modules Team
Uploaders: Gustavo Noronha Silva
Build-Depends: debhelper (>= 9), dh-python,
 python-all (>= 2.3.5-11), python-setuptools (>= 0.6b3),
# tests:
 python-sqlalchemy, python-nose, python-crypto
Standards-Version: 3.9.5
Vcs-Git: https://anonscm.debian.org/git/python-modules/packages/elixir.git
Vcs-Browser: https://anonscm.debian.org/cgit/python-modules/packages/elixir.git
Homepage: http://elixir.ematia.de/
X-Python-Version: >= 2.4

Package: python-elixir
Architecture: all
Depends: ${python:Depends}, ${misc:Depends}
Recommends: python-crypto
Description: declarative mapper for SQLAlchemy
 A declarative layer on top of SQLAlchemy. It is a fairly thin wrapper, which
 provides the ability to define model objects following the Active Record
 design pattern, and using a DSL syntax similar to that of the Ruby on Rails
 ActiveRecord system.
 .
 Elixir does not intend to replace SQLAlchemy's core features, but instead
 focuses on providing a simpler syntax for defining model objects when you do
 not need the full expressiveness of SQLAlchemy's manual mapper definitions.
 .
 Elixir is intended to replace the ActiveMapper SQLAlchemy extension, and the
 TurboEntity project.
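Review bot: in the elixir/entity.py hunk of sa_0.9_compatibility.patch, `isinstance(self.session, scoped_session)` only holds on SQLAlchemy releases where `scoped_session` is itself a class, because isinstance() raises TypeError when its second argument is not a class. The import change in the first hunk is unconditional and python-sqlalchemy appears in debian/control without a version constraint, so add a minimum version to the dependency so the package cannot be installed against a release where the name is not a class.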
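Review bot: the warning comment added above encrypt_value in elixir/ext/encrypted.py says Blowfish "doesn't properly use random seed", which does not tell a maintainer what the defect is. The context lines show it: `Blowfish.new(secret, Blowfish.MODE_CFB)` is called with no IV argument, so no per-value random IV is ever used. Say that in the comment, since the missing IV is the problem being fixed and the change of cipher is secondary to it.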
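Review bot: decrypt_value_aes validates padding with `assert pad_len >= 1 and pad_len <= AES.block_size`, which is compiled out under `python -O` and inspects only the last byte rather than all pad_len bytes. Replace it with an explicit check that raises ValueError and verifies every padding byte. The stored value is also unauthenticated CBC, so a modified row is either accepted as garbage or surfaces as a distinguishable padding failure; adding an HMAC over iv plus ciphertext, checked before decryption, would close that. The comment "Crypto.Cipher.AES is AES128" should be corrected as well, because the key size follows the length of `secret`.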
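Review bot: `with_aes=False` in ActsAsEncrypted.__init__ keeps the Blowfish path as the default, and the default `with_secret='abcdef'` is six bytes, which AES.new() does not accept as a key (it takes 16, 24 or 32 bytes), so `with_aes=True` fails unless the caller also passes a secret. Drop the default secret or validate its length up front with a clear error, and raise the notice through warnings.warn so applications can filter or escalate it instead of writing to sys.stderr unconditionally.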
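Review bot: the `with_aes` branches in perform_encryption switch the encrypt and decrypt functions together, so rows already stored with Blowfish cannot be read once an entity is declared with `with_aes=True`, and nothing in the stored value records which scheme produced it. The stderr message tells users to migrate their data, so either prefix the stored value with a scheme tag and choose the decrypt function from it, or document the migration procedure in the module docstring.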
debian/source/format

3.0 (quilt)

debian/copyright

This package was debianized by Piotr Ożarowski on
Sat, 24 Feb 2007 17:37:38 +0100

It was originally downloaded from http://elixir.ematia.de/download.html

Upstream Authors: Jonathan LaCour, Daniel Haus, Gaetan de Menten

Copyright:

This is the MIT license: http://www.opensource.org/licenses/mit-license.php

Copyright (c) 2006, 2007, 2008 Jonathan LaCour, Daniel Haus, and Gaetan de Menten.
and contributors. SQLAlchemy is a trademark of Michael Bayer.

Permission is hereby granted, free of charge, to any person obtaining a copy of this
software and associated documentation files (the "Software"), to deal in the Software
without restriction, including without limitation the rights to use, copy, modify, merge,
publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons
to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or
substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE
FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
DEALINGS IN THE SOFTWARE.

The Debian packaging is © 2007-2009 Piotr Ożarowski and Gustavo Noronha Silva -
it is licensed under the MIT as well.
debian/.git-dpm

# see git-dpm(1) from git-dpm package
3a06ca56dc701e244c7e5240afc84f434aaa6b3d
3a06ca56dc701e244c7e5240afc84f434aaa6b3d
3dcd3abf09121451b9cc81cb1a7b4daad7a36f9f
3dcd3abf09121451b9cc81cb1a7b4daad7a36f9f
elixir_0.7.1.orig.tar.gz
22a1fbdc0163532b7cfbbd54c074a0a5ccf7d060
47110
debianTag="debian/%e%v"
patchedTag="patched/%e%v"
upstreamTag="upstream/%e%u"

debian/watch

version=3
http://pypi.debian.net/Elixir/Elixir-(.*)\.tar\.gz debian uupdate

debian/NEWS

elixir (0.7.0-1) unstable; urgency=low

  Elixir 0.6 -> 0.7 migration notes can be found on the wiki page:
  http://elixir.ematia.de/trac/wiki/Migrate06to07
  Upstream strongly advises to read them.

 -- Piotr Ożarowski  Thu, 01 Oct 2009 20:49:56 +0200

elixir (0.6.0-1) unstable; urgency=medium

  Elixir 0.5 -> 0.6 migration notes can be found on the wiki page:
  http://elixir.ematia.de/trac/wiki/Migrate05to06

 -- Piotr Ożarowski  Sun, 20 Jul 2008 23:34:01 +0200

elixir (0.5.0-1) unstable; urgency=low

  Elixir 0.4 -> 0.5 migration notes can be found on the wiki page:
  http://elixir.ematia.de/trac/wiki/Migrate04to05
  (Autosetup defaults to False!)

 -- Piotr Ożarowski  Sun, 16 Dec 2007 13:50:43 +0100

elixir (0.4.0-1) unstable; urgency=low

  Elixir 0.3 -> 0.4 migration notes can be found on the wiki page:
  http://elixir.ematia.de/trac/wiki/Migrate03to04

 -- Piotr Ożarowski  Mon, 29 Oct 2007 21:09:13 +0100