CVE-2019-19118

Advisory

Python-clu 0.5.1 removes an unsafe requirement (Django==2.2.5).

Affected package

Affected versions

Fixed versions

Vulnerability changelog

Add

* Added baseline environment-variable-access function API ... also differentiated the testing of the “old-style” Flat and Nested classes, versus the new shit. [Alexander Böhn]

* Added a “FrozenNested.mapwalk()” method, delegates to “mapwalk(…)” [Alexander Böhn]

* Added namespaced “KeyMap.pop(…)” and “KeyMap.clear(…)” [Alexander Böhn]

* Added a test illustrating “try_items(…)” particular behavior ... w/r/t DefaultDict factories and “getitem(…)” [Alexander Böhn]

Other

* Bump version: 0.5.0 → 0.5.1. [Alexander Böhn]

* Actual inline tests for inline and friends. [Alexander Böhn]

* More inane dev-ish comments. [Alexander Böhn]

* Const-correct Craving. [Alexander Böhn]

* Developer-facing comments about what the fuck is going on. [Alexander Böhn]

* Fixed time reporting for one-off execution of inline tests. [Alexander Böhn]

* Killed a lot of dead code. [Alexander Böhn]

* Integrated ‘dbx-stopwatch’ with the inline test framework ... including a custom report-formatting function, as theirs is awful (and not like this one is much better but the need is there, and it’s something, OK?) ... inline tests auto-collect and run via local-variable mapping hook ”inline.test(«vars», [runcount])” ... a number of inline test suites were converted over to the new auto-collection API ... tweaked the requirements accordingly (N.B. this still needs some winnowing) [Alexander Böhn]

* Reorganized the “clu.config” testsuite ... moved all KeyMap-related tests to their own test class. [Alexander Böhn]

* Enabling last inline test. [Alexander Böhn]

* Nitpickery. [Alexander Böhn]

* Killed dead code. [Alexander Böhn]

* Docstrings and miscellany. [Alexander Böhn]

* Pure, unfiltered minutiae. [Alexander Böhn]

* Total minutiae. [Alexander Böhn]

* Being explicit about the class we’re using in the KeyMap env tests. [Alexander Böhn]

* Initial tests with new KeyMap-based environment access are GO. [Alexander Böhn]

* Simplifying some internal string-only comparisons. [Alexander Böhn]

* The very first of passing test runs WITH the new KeyMaps installed! ... getting to green on this involved finding and fixing a big-ish bug in the “compare_ns(…)” helper, which we use in implementing “Nested.__contains__(…)” and “Nested.__getitem__(…)” – dropping in “itertools.zip_longest(…)” therein in leu of a “zip(…)” call was the fortunately simple fix, once the flaw was discovered. ... We are using the new KeyMap classes in “clu.config.filebase” and all of the format definition modules e.g. ‘tomlfile’ &c. ... We were able to explicitly swap KeyMap ancestors in on at least one test – ‘test_nested_and_flat(¬)’ – wholesale with no issues (after squashing the big-ish bug of course). ... So yeah, here’s to many more! 🥂 [Alexander Böhn]

* Updated the REPL scripts for the new “clu.config” hot shit. [Alexander Böhn]

* Allowing keyword updates in “Flat” and “Nested” constructors. [Alexander Böhn]

* Gratuitous recursion added to “KeyMap.update(…)” [Alexander Böhn]

* One less import is one more fuck-yes in the pot ... you know, the fuck-yes pot. We all have one, somewhere. [Alexander Böhn]

* Another slight name disambiguation. [Alexander Böhn]

* Rewrote it again with a set comprehension. [Alexander Böhn]

* Rewrote “FrozenKeyMap.namespaces()” to suck a lot less. [Alexander Böhn]

* Faster still for the logic of “get_ns(…)” [Alexander Böhn]

* Another gratuitous function rename. [Alexander Böhn]

* Like I said. [Alexander Böhn]

* Since we aren’t worried about interstitial sequences anymore… ... we won’t need to expand iterable keys during namespace packing, like duh. [Alexander Böhn]

* Got rid of any naming ambiguity regarding keys, nskeys, and such. [Alexander Böhn]

* Minor simplification in “get_ns(…)” logic. [Alexander Böhn]

* Simplified the logic behind “FrozenNested.namespaces()” [Alexander Böhn]

* Same slight simplification in “FrozenKeyMap.submap(…)” logic. [Alexander Böhn]

* Slight simplification of the “KeyMap.clear(…)” logic. [Alexander Böhn]

* Simplified “KeyMap.pop(…)” logic. [Alexander Böhn]

* Moving disabled code. [Alexander Böhn]

* Disabling (for now) sequence expansion in nested trees. [Alexander Böhn]

* More professionalism. [Alexander Böhn]

* Making “FrozenNested.mapwalk()” look professional. [Alexander Böhn]

* Un-abstracting the “KeyMap.__reversed__(…)” method. [Alexander Böhn]

* “__contains__(…)” and “__iter__(…)” are abstract methods of “KeyMapViewBase” [Alexander Böhn]

* More flat/nested conversion test coverage. [Alexander Böhn]

* Testing roundtrip flatten-to-nestify and nestify-to-flatten. [Alexander Böhn]

* Removed sequence literals from nested sample data. [Alexander Böhn]

* The “mapwalk(…)” function includes sequence indexes. [Alexander Böhn]

* Compatibility stuff across the board for the new KeyMap API. [Alexander Böhn]

* Aaaaand BUNCHA DOCSTRINGS ... say it like Eddie Izzard saying “BUNCHA FLOWERS” in that bit that he did. [Alexander Böhn]

* Reworded that nota-benne. [Alexander Böhn]

* Bespoke namespace iterator function for “Nested” [Alexander Böhn]

* OK so the immutable namespacey rewrite of “clu.config.Nested” works. [Alexander Böhn]

* Logic notes for new REPL script. [Alexander Böhn]

* Inline test is the inliniest, testiest ever before seen. [Alexander Böhn]

* I give up, the KeyMap class tower is now ‘clu.abstract.Slotted’ ... like if this is a problem down the line doggie just stick in a ‘__dict__’ slot somewhere and everything’ll be A-OK, guaranteed. [Alexander Böhn]

* Moved “namespaces(…)” method up into ‘FrozenKeyMap’ [Alexander Böhn]

* I got your module exports, right over here within my pants. [Alexander Böhn]

* Well fuck – that actually worked pretty much the first time ... happy birthday to me, I guess, rite?? For reals dogg December the Fifth is my real actual birthday, so thank you, me, for conforming to the Me Coding Guidelines. [Alexander Böhn]

* And so commenceth the Great Re-Naming Of The Things. [Alexander Böhn]

* Trimmed disabled unprefixed-key-related code alternatives. [Alexander Böhn]

* Keyword API accomodations for retrieving views of unprefixed keys. [Alexander Böhn]

* Re-enabling “Flat.nestify(…)” [Alexander Böhn]

* Map-Walker™ [Alexander Böhn]

* Redoing the foundations of “clu.config.abc.NamespacedMutableMapping” [Alexander Böhn]

* Also made “clu.config.fieldtypes.__getattr__(…)” quiet down. [Alexander Böhn]

* The “qualified_name(…)” and “qualified_import(…)” fns are quieter ... they were, like, unnecessarily chatty there for a long while. [Alexander Böhn]

* Remove insecure Django requirement. [Alexander Böhn]

* Further fleshing out REPL script. [Alexander Böhn]

* Getting started on new REPL environment script. [Alexander Böhn]

* Tweaked a method name in “clu.dicts.ChainMap” ... specifically it is now “mapcontaining” instead of “mapcontains” [Alexander Böhn]

* Whitespace. [Alexander Böhn]

* One other spot where our ChainMaps and their ChainMaps may meet. [Alexander Böhn]

* Our ChainMap will take our ChainMaps and their ChainMaps too. [Alexander Böhn]

* Made “clu.naming.qualified_import(…)” work with just module names ... versus qualified-thing-names, which was what specifically it was expecting previously. [Alexander Böhn]

* I like “delattr(…)” more than “del «…»” [Alexander Böhn]

* WHOOOOPS. [Alexander Böhn]

* Setting importlib-metadata requirement in stone. [Alexander Böhn]

* Minor bpython REPL script update. [Alexander Böhn]

* HAAAAAACK ... until I summon the werewithall to do some kind of stem/leaf type of analysis or property or whatever the fuck – this total hackjob bullshit will do (and it actually is kind of totally effective for like the near-forseeable future actually, yeah) [Alexander Böhn]

* Iterchaining those “dir(…)” lists ahead-of-time ... Minimum waaaaaaaaaaage »¡HIYAAA!« [SFX: whip-crack] [Alexander Böhn]

* True paranoia ... I just remembered I read somewhere that “__init__(…)” methods are not guaranteed to run only once, and might run a couple of times just for shits ‘n’ giggles. [Alexander Böhn]

* Plugging yet another microsecond-in-diameter hole. [Alexander Böhn]

* Storing “__dir__(…)” results for ProxyModule’s “__dir__(…)” impl ... Also, I like ‘delattr(…)’ more than ‘del «thing»’ – the latter of which looks way too nondeterministic by association and also more problematically loosey-goosey like in general. [Alexander Böhn]

* Explicit, I am told, brings more general joy than (say) implicit ... I dunno whether premature optimization is better or more joyful or nicer or what-have-you than other kinds of optimization but you are getting those in this diff too whether you like it or not, doggie, OK? OK. [Alexander Böhn]

* Fixed possible race condition in “ProxyModule.__getattr__(…)” ... “ProxyModule._executed” could be True for like one or maybe two frames of interpreter execution during which the initialization mapping list “ProxyModule.target_dicts” still existed, which could short-circuit attribute-access for like half a frame more after calling for the deletion of the list – this is probably minute enough to qualify this diff as “premature optimization” – or “obsessive-compulsive flow control”, either-or – but I do not care as it is far more satisfying to have unfucked it than it’d be to leave it sitting there all fucked and such. [Alexander Böhn]

* Culling ‘sys.modules’ on “clu.importing.Registry.unregister(…)” ... fucking finally. [Alexander Böhn]

* Got rid of the ‘SubModule(…)’ class-module context-manager – ... it was waaaay more trouble than it was worth ... also stopped merging proxied modules’ exporters into the proxy module’s exporter – this was wreaking havoc with “nameof(…)” and “moduleof(…)” search-component mechanisms; ... INSTEAD we are simply leaving proxy-module exporters to work as they would normally – like e.g. on stuff explicitly defined therein – and using an overridden “ProxyModule.__dir__(…)” to get the job done. [Alexander Böhn]

* Module-importing “clu.constants.consts” instead of cherry-picking. [Alexander Böhn]

Resources

• https://pypi.org/project/python-clu
• https://pyup.io/changelogs/python-clu/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19118