From 3ba53655378cbe00245354bce159d720fb2cbbd6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A9gis=20Behmo?= Date: Tue, 25 Oct 2022 18:56:40 +0200 Subject: [PATCH 1/4] sec: fix xblock ajax handler vulnerability --- CHANGELOG.md | 3 ++- tutor/templates/build/openedx/Dockerfile | 3 +++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f5ecb6c..3d9fa1c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,7 +18,8 @@ Every user-facing change should have an entry in this changelog. Please respect ## Unreleased -- [Improvement] use caddy `encode gzip` directive to optimize transfer size (by @ghassanmas) +- [Security] Fix xblock ajax handler vulnerability. (by @regisb) +- [Improvement] Use web proxy gzip encoding to improve bandwidth. We observe a 75% size reduction on the LMS dashboard. (by @ghassanmas) ## v14.1.0 (2022-10-10) diff --git a/tutor/templates/build/openedx/Dockerfile b/tutor/templates/build/openedx/Dockerfile index 60e5ceb..a7e15ad 100644 --- a/tutor/templates/build/openedx/Dockerfile +++ b/tutor/templates/build/openedx/Dockerfile @@ -50,6 +50,9 @@ RUN git config --global user.email "tutor@overhang.io" \ # Fix broken "Pages" view in Studio # https://github.com/openedx/edx-platform/pull/30550 RUN curl -fsSL https://github.com/open-craft/edx-platform/commit/3d54f284f82b61e693ad652d8d6e46a226fcb36d.patch | git am +# Fix xblock ajax handler vulnerability +# https://github.com/overhangio/edx-platform/tree/overhangio/sec-xblock-ajax +RUN curl -fsSL https://github.com/overhangio/edx-platform/commit/3f0f9eed42.patch | git am {%- endif %} {# Example: RUN curl -fsSL https://github.com/openedx/edx-platform/commit/ | git am #} From 7eeccfb5f5176f31dc45bd583e3275f335aff782 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A9gis=20Behmo?= Date: Wed, 26 Oct 2022 11:24:51 +0200 Subject: [PATCH 2/4] chore: mark Python 3.6 as deprecated --- CHANGELOG.md | 1 + setup.py | 3 +-- 2 files changed, 2 insertions(+), 2 deletions(-) 
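Review bot: The new `RUN curl -fsSL https://github.com/overhangio/edx-platform/commit/3f0f9eed42.patch | git am` line pins a security patch by a 10-character abbreviated commit id, while the preceding line in the same block (`.../commit/3d54f284f82b61e693ad652d8d6e46a226fcb36d.patch`) uses the full 40-character SHA. An abbreviated id is not a stable identifier (it can become ambiguous as the fork grows) and the image build takes whatever GitHub serves for it at build time, so the content of a security-critical patch cannot be verified from the Dockerfile alone; use the full SHA, e.g. `RUN curl -fsSL https://github.com/overhangio/edx-platform/commit/<FULL_40_CHAR_SHA>.patch | git am`. A stronger option is to vendor the `.patch` file into the repository and `COPY` it before `git am`, which removes the build-time network fetch and makes the patch reviewable in-tree. Note also that the pipeline's exit status is `git am`'s, so a failed download is only caught if `git am` rejects the empty input it then receives — presumably it does, but that is worth confirming rather than relying on curl's `-f`.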
diff --git a/CHANGELOG.md b/CHANGELOG.md index 3d9fa1c..479686d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,7 @@ Every user-facing change should have an entry in this changelog. Please respect ## Unreleased +- [Deprecation] Tutor is no longer compatible with Python 3.6. (by @regisb) - [Security] Fix xblock ajax handler vulnerability. (by @regisb) - [Improvement] Use web proxy gzip encoding to improve bandwidth. We observe a 75% size reduction on the LMS dashboard. (by @ghassanmas) diff --git a/setup.py b/setup.py index c5ea762..ff7ee31 100644 --- a/setup.py +++ b/setup.py @@ -56,7 +56,7 @@ setup( long_description_content_type="text/x-rst", packages=find_packages(exclude=["tests*"]), include_package_data=True, - python_requires=">=3.6", + python_requires=">=3.7", install_requires=load_requirements("base.in"), extras_require={ "full": load_requirements("plugins.txt"), @@ -68,7 +68,6 @@ setup( "License :: OSI Approved :: GNU Affero General Public License v3", "Operating System :: OS Independent", "Programming Language :: Python", - "Programming Language :: Python :: 3.6", "Programming Language :: Python :: 3.7", "Programming Language :: Python :: 3.8", "Programming Language :: Python :: 3.9", From 1161f925a454482f4f5dd7fa04f17be5ce2435c6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A9gis=20Behmo?= Date: Wed, 26 Oct 2022 11:25:58 +0200 Subject: [PATCH 3/4] feat: add py.typed for typing extensions Extensions which use the tutor API need to know that the tutor package is typed. For that we add the py.typed file. Also, we fix the signature of get_typed. See: https://mypy.readthedocs.io/en/stable/installed_packages.html#installed-packages --- MANIFEST.in | 1 + tutor/py.typed | 0 tutor/types.py | 5 ++++- 3 files changed, 5 insertions(+), 1 deletion(-) create mode 100644 tutor/py.typed diff --git a/MANIFEST.in b/MANIFEST.in index 4b08bae..9b2c42c 100644 --- a/MANIFEST.in +++ b/MANIFEST.in 
@@ -1,3 +1,4 @@ include requirements/base.in include requirements/plugins.txt recursive-include tutor/templates * +include tutor/py.typed diff --git a/tutor/py.typed b/tutor/py.typed new file mode 100644 index 0000000..e69de29 diff --git a/tutor/types.py b/tutor/types.py index 973f580..e2a4469 100644 --- a/tutor/types.py +++ b/tutor/types.py @@ -35,7 +35,10 @@ T = t.TypeVar("T") def get_typed( - config: Config, key: str, expected_type: t.Type[T], default: t.Optional[T] = None + config: t.Dict[str, t.Any], + key: str, + expected_type: t.Type[T], + default: t.Optional[T] = None, ) -> T: value = config.get(key, default) if not isinstance(value, expected_type): From 7541433729027cfd5796f9500ac66ed2354bf3e9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A9gis=20Behmo?= Date: Tue, 25 Oct 2022 18:57:12 +0200 Subject: [PATCH 4/4] v14.1.1 (2022-10-25) - [Security] Fix xblock ajax handler vulnerability. (by @regisb) - [Improvement] Use web proxy gzip encoding to improve bandwidth. We observe a 75% size reduction on the LMS dashboard. (by @ghassanmas) --- CHANGELOG.md | 2 ++ tutor/__about__.py | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 479686d..3e8ca58 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,8 @@ Every user-facing change should have an entry in this changelog. Please respect ## Unreleased +## v14.1.1 (2022-10-25) + - [Deprecation] Tutor is no longer compatible with Python 3.6. (by @regisb) - [Security] Fix xblock ajax handler vulnerability. (by @regisb) - [Improvement] Use web proxy gzip encoding to improve bandwidth. We observe a 75% size reduction on the LMS dashboard. (by @ghassanmas) diff --git a/tutor/__about__.py b/tutor/__about__.py index 6ed2c39..58583af 100644 --- a/tutor/__about__.py +++ b/tutor/__about__.py 
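Review bot: The widened annotation `config: t.Dict[str, t.Any]` is stricter than the body needs: the only use visible in the hunk is `config.get(key, default)`, and `t.Dict` is invariant in its value type, so a caller holding e.g. a `Dict[str, str]` fails type checking even though the call is valid; `config: t.Mapping[str, t.Any],` accepts any read-only mapping and matches how the function uses it. Since this commit ships `py.typed`, `get_typed` becomes part of the typed contract that extensions check against, so it should also carry a docstring describing the lookup (`key` read from `config`, falling back to `default`) and what happens when the value is not an instance of `expected_type`; the branch after the visible `if not isinstance(value, expected_type):` lies outside the hunk, as does the rest of the function body. That docstring should also say explicitly that a missing key with `default=None` reaches the `isinstance` check with `None`, which presumably is the intended failure path rather than a silent `None` return.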
@@ -2,7 +2,7 @@ import os # Increment this version number to trigger a new release. See # docs/tutor.html#versioning for information on the versioning scheme. -__version__ = "14.1.0" +__version__ = "14.1.1" # The version suffix will be appended to the actual version, separated by a # dash. Use this suffix to differentiate between the actual released version and