security update

CHANGELOG.md

@@ -1,5 +1,9 @@
 # Change Log
 
+## [1.2.65] - 2021-05-04
+### Fixed
+- Important security vulnerability.
+
 ## [1.2.64] - 2021-05-04
 ### Added
 - The `popover trigger` feature.

docassemble_base/docassemble/base/functions.py

@@ -46,6 +46,7 @@
 from unicodedata import normalize
 from collections.abc import Iterable
 from jinja2.runtime import Undefined
+import warnings
 TypeType = type(type(None))
 locale.setlocale(locale.LC_ALL, '')
 contains_volatile = re.compile('^(x\.|x\[|.*\[[ijklmn]\])')
@@ -3341,9 +3342,18 @@ def qr_code(string, width=None, alt_text=None):
         else:
             return('[QR ' + string + ', ' + width + ', ' + str(alt_text) + ']')
 
+def pkg_resources_resource_filename(package_or_requirement, resource_name):
+    with warnings.catch_warnings(record=True) as w:
+        warnings.simplefilter("error")
+        try:
+            result = pkg_resources.resource_filename(package_or_requirement, resource_name)
+        except:
+            return None
+    return result
+
 def standard_template_filename(the_file):
     try:
-        return(pkg_resources.resource_filename(pkg_resources.Requirement.parse('docassemble.base'), "docassemble/base/data/templates/" + str(the_file)))
+        return(pkg_resources_resource_filename(pkg_resources.Requirement.parse('docassemble.base'), "docassemble/base/data/templates/" + str(the_file)))
     except:
         #logmessage("Error retrieving data file\n")
         return(None)
@@ -3366,14 +3376,13 @@ def package_template_filename(the_file, **kwargs):
         if not re.match(r'data/.*', parts[1]):
             parts[1] = 'data/templates/' + parts[1]
         try:
-            return(pkg_resources.resource_filename(pkg_resources.Requirement.parse(parts[0]), re.sub(r'\.', r'/', parts[0]) + '/' + parts[1]))
+            return(pkg_resources_resource_filename(pkg_resources.Requirement.parse(parts[0]), re.sub(r'\.', r'/', parts[0]) + '/' + parts[1]))
         except:
             return(None)
     return(None)
 
 def standard_question_filename(the_file):
-    return(pkg_resources.resource_filename(pkg_resources.Requirement.parse('docassemble.base'), "docassemble/base/data/questions/" + str(the_file)))
-    return(None)
+    return(pkg_resources_resource_filename(pkg_resources.Requirement.parse('docassemble.base'), "docassemble/base/data/questions/" + str(the_file)))
 
 def package_data_filename(the_file):
     #logmessage("package_data_filename with: " + str(the_file))
@@ -3401,7 +3410,7 @@ def package_data_filename(the_file):
                 return None
             return(abs_file.path)
         try:
-            result = pkg_resources.resource_filename(pkg_resources.Requirement.parse(parts[0]), re.sub(r'\.', r'/', parts[0]) + '/' + parts[1])
+            result = pkg_resources_resource_filename(pkg_resources.Requirement.parse(parts[0]), re.sub(r'\.', r'/', parts[0]) + '/' + parts[1])
         except:
             result = None
     #if result is None or not os.path.isfile(result):
@@ -3414,7 +3423,7 @@ def package_question_filename(the_file):
         if not re.match(r'data/.*', parts[1]):
             parts[1] = 'data/questions/' + parts[1]
         try:
-            return(pkg_resources.resource_filename(pkg_resources.Requirement.parse(parts[0]), re.sub(r'\.', r'/', parts[0]) + '/' + parts[1]))
+            return(pkg_resources_resource_filename(pkg_resources.Requirement.parse(parts[0]), re.sub(r'\.', r'/', parts[0]) + '/' + parts[1]))
         except:
             return(None)
     return(None)

docassemble_base/setup.py

@@ -152,7 +152,7 @@ def find_package_data(where='.', package='', exclude=standard_exclude, exclude_d
     "requests-oauthlib==1.3.0",
     "requests-toolbelt==0.9.1",
     "rfc3986==1.4.0",
-    "rsa==4.6",
+    "rsa==4.7",
     "ruamel.yaml==0.16.12",
     "ruamel.yaml.clib==0.2.2",
     "scipy==1.5.4",

docassemble_webapp/setup.py

@@ -186,7 +186,7 @@ def read(fname):
     "retry-decorator==1.1.1",
     "rfc3339==6.2",
     "rfc3986==1.4.0",
-    "rsa==4.6",
+    "rsa==4.7",
     "ruamel.yaml==0.16.12",
     "ruamel.yaml.clib==0.2.2",
     "s3transfer==0.3.3",