From 0bd80b2412af7bd1143f9bb9a3426ebdfab5c333 Mon Sep 17 00:00:00 2001
From: Justin Lecher
Date: Fri, 30 Oct 2015 12:14:00 +0100
Subject: dev-python/pygments: Backport fix for shell injection
Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=564478
Package-Manager: portage-2.2.23
Signed-off-by: Justin Lecher
---
.../files/2.0.2-shell-injection-backport.patch | 29 +++++++++++
.../files/2.0.2-shell-injection-backport2.patch | 56 +++++++++++++++++++++
dev-python/pygments/metadata.xml | 2 +-
dev-python/pygments/pygments-2.0.2-r1.ebuild | 57 ++++++++++++++++++++++
4 files changed, 143 insertions(+), 1 deletion(-)
create mode 100644 dev-python/pygments/files/2.0.2-shell-injection-backport.patch
create mode 100644 dev-python/pygments/files/2.0.2-shell-injection-backport2.patch
create mode 100644 dev-python/pygments/pygments-2.0.2-r1.ebuild
diff --git a/dev-python/pygments/files/2.0.2-shell-injection-backport.patch b/dev-python/pygments/files/2.0.2-shell-injection-backport.patch
new file mode 100644
index 000000000000..0a23adce330d
--- /dev/null
+++ b/dev-python/pygments/files/2.0.2-shell-injection-backport.patch
@@ -0,0 +1,29 @@
+# HG changeset patch
+# User Javantea
+# Date 1443460403 25200
+# Node ID 6b4baae517b6aaff7142e66f1dbadf7b9b871f61
+# Parent 655dbebddc23943b8047b3c139c51c22ef18fd91
+Fix Shell Injection in FontManager._get_nix_font_path
+
+diff --git a/pygments/formatters/img.py b/pygments/formatters/img.py
+--- a/pygments/formatters/img.py
++++ b/pygments/formatters/img.py
+@@ -10,6 +10,7 @@
+ """
+
+ import sys
++import shlex
+
+ from pygments.formatter import Formatter
+ from pygments.util import get_bool_opt, get_int_opt, get_list_opt, \
+@@ -79,8 +80,8 @@
+ from commands import getstatusoutput
+ except ImportError:
+ from subprocess import getstatusoutput
+- exit, out = getstatusoutput('fc-list "%s:style=%s" file' %
+- (name, style))
++ exit, out = getstatusoutput('fc-list %s file' %
++ shlex.quote("%s:style=%s" % (name, style)))
+ if not exit:
+ lines = out.splitlines()
+ if lines:
diff --git a/dev-python/pygments/files/2.0.2-shell-injection-backport2.patch b/dev-python/pygments/files/2.0.2-shell-injection-backport2.patch
new file mode 100644
index 000000000000..78bf4478ecd7
--- /dev/null
+++ b/dev-python/pygments/files/2.0.2-shell-injection-backport2.patch
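Review bot: `shlex.quote` in the added `getstatusoutput` call of 2.0.2-shell-injection-backport.patch exists only on Python 3.3 and later, so with this patch alone the font lookup would raise AttributeError on python2_7 (and presumably pypy), both listed in the ebuild's PYTHON_COMPAT. The second backport in this commit removes the call again, so the installed code should not hit this, but it makes this file only a stepping stone that lets backport2 apply. I would either fold both changesets into one patch against 2.0.2 or say so at the top of the file, for example `# Intermediate step; superseded by 2.0.2-shell-injection-backport2.patch, do not apply alone`. The enclosing `_get_nix_font_path` starts and ends outside the inner hunk.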
@@ -0,0 +1,56 @@
+# HG changeset patch
+# User Tim Hatch
+# Date 1445007300 25200
+# Node ID 0036ab1c99e256298094505e5e92fdacdfc5b0a8
+# Parent c0c0d4049a7c325cd69b764c6ceb7747d319212d
+Avoid the shell entirely when finding fonts.
+
+Manually tested on OS X.
+
+diff --git a/pygments/formatters/img.py b/pygments/formatters/img.py
+--- a/pygments/formatters/img.py
++++ b/pygments/formatters/img.py
+@@ -10,12 +10,13 @@
+ """
+
+ import sys
+-import shlex
+
+ from pygments.formatter import Formatter
+ from pygments.util import get_bool_opt, get_int_opt, get_list_opt, \
+ get_choice_opt, xrange
+
++import subprocess
++
+ # Import this carefully
+ try:
+ from PIL import Image, ImageDraw, ImageFont
+@@ -76,14 +77,11 @@
+ self._create_nix()
+
+ def _get_nix_font_path(self, name, style):
+- try:
+- from commands import getstatusoutput
+- except ImportError:
+- from subprocess import getstatusoutput
+- exit, out = getstatusoutput('fc-list %s file' %
+- shlex.quote("%s:style=%s" % (name, style)))
+- if not exit:
+- lines = out.splitlines()
++ proc = subprocess.Popen(['fc-list', "%s:style=%s" % (name, style), 'file'],
++ stdout=subprocess.PIPE, stderr=None)
++ stdout, _ = proc.communicate()
++ if proc.returncode == 0:
++ lines = stdout.splitlines()
+ if lines:
+ path = lines[0].strip().strip(':')
+ return path
+@@ -198,7 +196,7 @@
+ bold and italic fonts will be generated. This really should be a
+ monospace font to look sane.
+
+- Default: "Bitstream Vera Sans Mono"
++ Default: "Bitstream Vera Sans Mono" on Windows, Courier New on *nix
+
+ `font_size`
+ The font size in points to be used.
diff --git a/dev-python/pygments/metadata.xml b/dev-python/pygments/metadata.xml
index 10b24d26e8c2..f91efd2fd030 100644
--- a/dev-python/pygments/metadata.xml
+++ b/dev-python/pygments/metadata.xml
@@ -1,4 +1,4 @@ - + python
diff --git a/dev-python/pygments/pygments-2.0.2-r1.ebuild b/dev-python/pygments/pygments-2.0.2-r1.ebuild
new file mode 100644
index 000000000000..3ee352b08972
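Review bot: In 2.0.2-shell-injection-backport2.patch, `proc.communicate()` returns bytes on the Python 3 targets, so the unchanged `path = lines[0].strip().strip(':')` under the new lines would raise TypeError (bytes stripped with a str argument) where the old `getstatusoutput` gave a str. Adding `universal_newlines=True` to the `subprocess.Popen(...)` call keeps `stdout` text on both Python 2 and 3. `Popen` also raises OSError when `fc-list` is not installed, whereas the shell call only returned a non-zero status, so a `try`/`except OSError` around it would keep the previous fall-through. The list form does remove the shell, but a font name that begins with `-` is presumably still parsed by fc-list as an option; placing `'--'` before the pattern argument is worth checking.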
--- /dev/null
+++ b/dev-python/pygments/pygments-2.0.2-r1.ebuild
@@ -0,0 +1,57 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+PYTHON_COMPAT=( python2_7 python3_{3,4,5} pypy pypy3 )
+
+inherit distutils-r1 bash-completion-r1 vcs-snapshot
+
+MY_PN="Pygments"
+MY_P="${MY_PN}-${PV}"
+
+DESCRIPTION="Pygments is a syntax highlighting package written in Python"
+HOMEPAGE="http://pygments.org/ https://pypi.python.org/pypi/Pygments"
+SRC_URI="mirror://pypi/${MY_PN:0:1}/${MY_PN}/${MY_P}.tar.gz"
+
+LICENSE="BSD"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~x86-interix ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE="doc test"
+
+RDEPEND="dev-python/setuptools[${PYTHON_USEDEP}]"
+DEPEND="${RDEPEND}
+ doc? ( dev-python/sphinx[${PYTHON_USEDEP}] )
+ test? (
+ dev-python/nose[${PYTHON_USEDEP}]
+ virtual/ttf-fonts )"
+# dev-texlive/texlive-latexrecommended
+# Removing / commenting out this dep. I can find no mention of it in tests other than
+# importing pygment's own tex module. If it's there and I missed it just uncomment and re-add
+# Tests pass without it
+
+S="${WORKDIR}/${MY_P}"
+
+PATCHES=(
+ "${FILESDIR}"/${PV}-shell-injection-backport.patch
+ "${FILESDIR}"/${PV}-shell-injection-backport2.patch
+)
+
+python_compile_all() {
+ use doc && emake -C doc html
+}
+
+python_test() {
+ cp -r -l tests "${BUILD_DIR}"/ || die
+ # With pypy3 there is 1 error out of 1556 tests when run as is and
+ # (SKIP=8, errors=1, failures=1) when run with 2to3; meh
+ nosetests -w "${BUILD_DIR}"/tests || die "Tests fail with ${EPYTHON}"
+}
+
+python_install_all() {
+ use doc && local HTML_DOCS=( doc/_build/html/. )
+
+ distutils-r1_python_install_all
+ newbashcomp external/pygments.bashcomp pygmentize
+}
-- cgit v1.2.3-65-gdbad
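Review bot: The `PATCHES` array in pygments-2.0.2-r1.ebuild carries no comment saying where the two files come from or that their order matters; backport2 removes the `import shlex` line that the first patch adds, so it only applies after it. A comment above the array such as `# Bug #564478: upstream hg 6b4baae517b6 then 0036ab1c99e2, order matters` would keep that visible to whoever next bumps the package. It would also help to note there that the patches can be dropped once a release containing both changesets is packaged.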