gentoo-ebuilds/dev-python/js2py/files/js2py-0.74-CVE-2024-28397.patch
Aliaksei Urbanski 2a103afad6
dev-python/js2py: revbump to 0.74-r1
These changes:
  - fix CVE-2024-28397
  - fix ignoring of test failures
  - restrict the test feature since
    multiple tests are broken

Bug: https://bugs.gentoo.org/831356
Signed-off-by: Aliaksei Urbanski <aliaksei.urbanski@gmail.com>
Closes: https://github.com/gentoo/gentoo/pull/37285
Signed-off-by: Maciej Barć <xgqt@gentoo.org>
2024-06-25 01:01:45 +02:00


# https://nvd.nist.gov/vuln/detail/CVE-2024-28397
# https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape/blob/main/patch.txt
# https://github.com/PiotrDabkowski/Js2Py/pull/323
# https://github.com/Marven11/Js2Py/commit/56e244eb
Author: Marven11 <110723864+Marven11@users.noreply.github.com>
Date: Fri, 1 Mar 2024 12:53:58 +0800
diff --git a/js2py/constructors/jsobject.py b/js2py/constructors/jsobject.py
index c4e0ada3..b1806ea6 100644
--- a/js2py/constructors/jsobject.py
+++ b/js2py/constructors/jsobject.py
@@ -49,7 +49,7 @@ def getOwnPropertyNames(obj):
raise MakeError(
'TypeError',
'Object.getOwnPropertyDescriptor called on non-object')
- return obj.own.keys()
+ return list(obj.own.keys())
def create(obj):
if not (obj.is_object() or obj.is_null()):
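Review bot: The `+ return list(obj.own.keys())` line carries the whole CVE-2024-28397 fix but has no comment saying why the copy matters, so a later cleanup could revert it to `obj.own.keys()` as a redundant wrapper. In Python 3 `keys()` returns a live dict view object rather than a plain list, and the `list()` call is what stops that view from being returned to the caller. Suggest adding a one-line comment above the return naming the CVE and stating that a view object must not be returned from here, plus a regression test asserting the return type is `list`. Separately, the unchanged context above raises 'Object.getOwnPropertyDescriptor called on non-object' inside `getOwnPropertyNames`; the message names the wrong function and is worth correcting upstream.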