PyPI: python-clu

CVE-2019-19118

Transitive

Safety vulnerability ID: 37800


Created at Dec 02, 2019 Updated at Nov 07, 2023

Advisory

python-clu 0.5.1 removes an unsafe pinned requirement (Django==2.2.5). The vulnerability is transitive: python-clu is affected only because the pinned Django version is itself affected by CVE-2019-19118, and removing the pin drops the vulnerable dependency.

Affected package

python-clu

Latest version: 0.8.5

CLU - Common Lightweight Utilities, or Command-Line Utilities (your pick)

Affected versions

Fixed versions

Vulnerability changelog

Add

* Added baseline environment-variable-access function API ... also differentiated the testing of the “old-style” Flat and Nested classes, versus the new shit. [Alexander Böhn]

* Added a “FrozenNested.mapwalk()” method, delegates to “mapwalk(…)” [Alexander Böhn]

* Added namespaced “KeyMap.pop(…)” and “KeyMap.clear(…)” [Alexander Böhn]

* Added a test illustrating “try_items(…)” particular behavior ... w/r/t DefaultDict factories and “getitem(…)” [Alexander Böhn]

Other

* Bump version: 0.5.0 → 0.5.1. [Alexander Böhn]

* Actual inline tests for inline and friends. [Alexander Böhn]

* More inane dev-ish comments. [Alexander Böhn]

* Const-correct Craving. [Alexander Böhn]

* Developer-facing comments about what the fuck is going on. [Alexander Böhn]

* Fixed time reporting for one-off execution of inline tests. [Alexander Böhn]

* Killed a lot of dead code. [Alexander Böhn]

* Integrated ‘dbx-stopwatch’ with the inline test framework ... including a custom report-formatting function, as theirs is awful (and not like this one is much better but the need is there, and it’s something, OK?) ... inline tests auto-collect and run via local-variable mapping hook ”inline.test(«vars», [runcount])” ... a number of inline test suites were converted over to the new auto-collection API ... tweaked the requirements accordingly (N.B. this still needs some winnowing) [Alexander Böhn]

* Reorganized the “clu.config” testsuite ... moved all KeyMap-related tests to their own test class. [Alexander Böhn]

* Enabling last inline test. [Alexander Böhn]

* Nitpickery. [Alexander Böhn]

* Killed dead code. [Alexander Böhn]

* Docstrings and miscellany. [Alexander Böhn]

* Pure, unfiltered minutiae. [Alexander Böhn]

* Total minutiae. [Alexander Böhn]

* Being explicit about the class we’re using in the KeyMap env tests. [Alexander Böhn]

* Initial tests with new KeyMap-based environment access are GO. [Alexander Böhn]

* Simplifying some internal string-only comparisons. [Alexander Böhn]

* The very first of passing test runs WITH the new KeyMaps installed! ... getting to green on this involved finding and fixing a big-ish bug in the “compare_ns(…)” helper, which we use in implementing “Nested.__contains__(…)” and “Nested.__getitem__(…)” – dropping in “itertools.zip_longest(…)” therein in lieu of a “zip(…)” call was the fortunately simple fix, once the flaw was discovered. ... We are using the new KeyMap classes in “clu.config.filebase” and all of the format definition modules e.g. ‘tomlfile’ &c. ... We were able to explicitly swap KeyMap ancestors in on at least one test – ‘test_nested_and_flat(¬)’ – wholesale with no issues (after squashing the big-ish bug of course). ... So yeah, here’s to many more! 🥂 [Alexander Böhn]

* Updated the REPL scripts for the new “clu.config” hot shit. [Alexander Böhn]

* Allowing keyword updates in “Flat” and “Nested” constructors. [Alexander Böhn]

* Gratuitous recursion added to “KeyMap.update(…)” [Alexander Böhn]

* One less import is one more fuck-yes in the pot ... you know, the fuck-yes pot. We all have one, somewhere. [Alexander Böhn]

* Another slight name disambiguation. [Alexander Böhn]

* Rewrote it again with a set comprehension. [Alexander Böhn]

* Rewrote “FrozenKeyMap.namespaces()” to suck a lot less. [Alexander Böhn]

* Faster still for the logic of “get_ns(…)” [Alexander Böhn]

* Another gratuitous function rename. [Alexander Böhn]

* Like I said. [Alexander Böhn]

* Since we aren’t worried about interstitial sequences anymore… ... we won’t need to expand iterable keys during namespace packing, like duh. [Alexander Böhn]

* Got rid of any naming ambiguity regarding keys, nskeys, and such. [Alexander Böhn]

* Minor simplification in “get_ns(…)” logic. [Alexander Böhn]

* Simplified the logic behind “FrozenNested.namespaces()” [Alexander Böhn]

* Same slight simplification in “FrozenKeyMap.submap(…)” logic. [Alexander Böhn]

* Slight simplification of the “KeyMap.clear(…)” logic. [Alexander Böhn]

* Simplified “KeyMap.pop(…)” logic. [Alexander Böhn]

* Moving disabled code. [Alexander Böhn]

* Disabling (for now) sequence expansion in nested trees. [Alexander Böhn]

* More professionalism. [Alexander Böhn]

* Making “FrozenNested.mapwalk()” look professional. [Alexander Böhn]

* Un-abstracting the “KeyMap.__reversed__(…)” method. [Alexander Böhn]

* “__contains__(…)” and “__iter__(…)” are abstract methods of “KeyMapViewBase” [Alexander Böhn]

* More flat/nested conversion test coverage. [Alexander Böhn]

* Testing roundtrip flatten-to-nestify and nestify-to-flatten. [Alexander Böhn]

* Removed sequence literals from nested sample data. [Alexander Böhn]

* The “mapwalk(…)” function includes sequence indexes. [Alexander Böhn]

* Compatibility stuff across the board for the new KeyMap API. [Alexander Böhn]

* Aaaaand BUNCHA DOCSTRINGS ... say it like Eddie Izzard saying “BUNCHA FLOWERS” in that bit that he did. [Alexander Böhn]

* Reworded that nota bene. [Alexander Böhn]

* Bespoke namespace iterator function for “Nested” [Alexander Böhn]

* OK so the immutable namespacey rewrite of “clu.config.Nested” works. [Alexander Böhn]

* Logic notes for new REPL script. [Alexander Böhn]

* Inline test is the inliniest, testiest ever before seen. [Alexander Böhn]

* I give up, the KeyMap class tower is now ‘clu.abstract.Slotted’ ... like if this is a problem down the line doggie just stick in a ‘__dict__’ slot somewhere and everything’ll be A-OK, guaranteed. [Alexander Böhn]

* Moved “namespaces(…)” method up into ‘FrozenKeyMap’ [Alexander Böhn]

* I got your module exports, right over here within my pants. [Alexander Böhn]

* Well fuck – that actually worked pretty much the first time ... happy birthday to me, I guess, rite?? For reals dogg December the Fifth is my real actual birthday, so thank you, me, for conforming to the Me Coding Guidelines. [Alexander Böhn]

* And so commenceth the Great Re-Naming Of The Things. [Alexander Böhn]

* Trimmed disabled unprefixed-key-related code alternatives. [Alexander Böhn]

* Keyword API accommodations for retrieving views of unprefixed keys. [Alexander Böhn]

* Re-enabling “Flat.nestify(…)” [Alexander Böhn]

* Map-Walker™ [Alexander Böhn]

* Redoing the foundations of “clu.config.abc.NamespacedMutableMapping” [Alexander Böhn]

* Also made “clu.config.fieldtypes.__getattr__(…)” quiet down. [Alexander Böhn]

* The “qualified_name(…)” and “qualified_import(…)” fns are quieter ... they were, like, unnecessarily chatty there for a long while. [Alexander Böhn]

* Remove insecure Django requirement. [Alexander Böhn]

* Further fleshing out REPL script. [Alexander Böhn]

* Getting started on new REPL environment script. [Alexander Böhn]

* Tweaked a method name in “clu.dicts.ChainMap” ... specifically it is now “mapcontaining” instead of “mapcontains” [Alexander Böhn]

* Whitespace. [Alexander Böhn]

* One other spot where our ChainMaps and their ChainMaps may meet. [Alexander Böhn]

* Our ChainMap will take our ChainMaps and their ChainMaps too. [Alexander Böhn]

* Made “clu.naming.qualified_import(…)” work with just module names ... versus qualified-thing-names, which was what specifically it was expecting previously. [Alexander Böhn]

* I like “delattr(…)” more than “del «…»” [Alexander Böhn]

* WHOOOOPS. [Alexander Böhn]

* Setting importlib-metadata requirement in stone. [Alexander Böhn]

* Minor bpython REPL script update. [Alexander Böhn]

* HAAAAAACK ... until I summon the wherewithal to do some kind of stem/leaf type of analysis or property or whatever the fuck – this total hackjob bullshit will do (and it actually is kind of totally effective for like the near-foreseeable future actually, yeah) [Alexander Böhn]

* Iterchaining those “dir(…)” lists ahead-of-time ... Minimum waaaaaaaaaaage »¡HIYAAA!« [SFX: whip-crack] [Alexander Böhn]

* True paranoia ... I just remembered I read somewhere that “__init__(…)” methods are not guaranteed to run only once, and might run a couple of times just for shits ‘n’ giggles. [Alexander Böhn]

* Plugging yet another microsecond-in-diameter hole. [Alexander Böhn]

* Storing “__dir__(…)” results for ProxyModule’s “__dir__(…)” impl ... Also, I like ‘delattr(…)’ more than ‘del «thing»’ – the latter of which looks way too nondeterministic by association and also more problematically loosey-goosey like in general. [Alexander Böhn]

* Explicit, I am told, brings more general joy than (say) implicit ... I dunno whether premature optimization is better or more joyful or nicer or what-have-you than other kinds of optimization but you are getting those in this diff too whether you like it or not, doggie, OK? OK. [Alexander Böhn]

* Fixed possible race condition in “ProxyModule.__getattr__(…)” ... “ProxyModule._executed” could be True for like one or maybe two frames of interpreter execution during which the initialization mapping list “ProxyModule.target_dicts” still existed, which could short-circuit attribute-access for like half a frame more after calling for the deletion of the list – this is probably minute enough to qualify this diff as “premature optimization” – or “obsessive-compulsive flow control”, either-or – but I do not care as it is far more satisfying to have unfucked it than it’d be to leave it sitting there all fucked and such. [Alexander Böhn]

* Culling ‘sys.modules’ on “clu.importing.Registry.unregister(…)” ... fucking finally. [Alexander Böhn]

* Got rid of the ‘SubModule(…)’ class-module context-manager – ... it was waaaay more trouble than it was worth ... also stopped merging proxied modules’ exporters into the proxy module’s exporter – this was wreaking havoc with “nameof(…)” and “moduleof(…)” search-component mechanisms; ... INSTEAD we are simply leaving proxy-module exporters to work as they would normally – like e.g. on stuff explicitly defined therein – and using an overridden “ProxyModule.__dir__(…)” to get the job done. [Alexander Böhn]

* Module-importing “clu.constants.consts” instead of cherry-picking. [Alexander Böhn]

Severity Details

CVSS Base Score: MEDIUM 6.5

CVSS v3 Details (MEDIUM 6.5)

Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): NONE
Integrity Impact (I): HIGH
Availability Impact (A): NONE

CVSS v2 Details (MEDIUM 4.0)

Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (Au): SINGLE
Confidentiality Impact (C): NONE
Integrity Impact (I): PARTIAL
Availability Impact (A): NONE