update flexget to resolve security issues (#4571)

* update flexget - update flexget to fix security issues * workaround to avoid double log entries * fix service_postinst for DSM5 - avoid use of install command that is not available on DSM<6
SynoCommunity · Apr 23, 2021 · 50b3ca2 · 50b3ca2
1 parent bcfa582
commit 50b3ca2
Show file tree

Hide file tree

Showing 3 changed files with 68 additions and 52 deletions.
diff --git a/spk/flexget/Makefile b/spk/flexget/Makefile
@@ -1,6 +1,6 @@
 SPK_NAME = flexget
-SPK_VERS = 3.1.79
-SPK_REV = 7
+SPK_VERS = 3.1.110
+SPK_REV = 8
 SPK_ICON = src/${SPK_NAME}.png
 
 BUILD_DEPENDS = cross/python3 cross/setuptools cross/pip cross/wheel
@@ -10,8 +10,7 @@ SPK_DEPENDS = "python3>=3.7.7"
 MAINTAINER = manowark
 DESCRIPTION = FlexGet is a multipurpose automation tool for content like torrents, nzbs, podcasts, comics, series, movies, etc. It can use different kinds of sources like RSS-feeds, html pages, csv files, search engines and there are even plugins for sites that do not provide any kind of useful feeds.
 DISPLAY_NAME = FlexGet
-CHANGELOG = "Update FlexGet to version 3.1.79 which now runs on Python 3."
-RELOAD_UI = yes
+CHANGELOG = "Update FlexGet to version 3.1.110. Includes security update for CVE-2019-20477 and CVE-2020-28493."
 STARTABLE = yes
 
 HOMEPAGE = https://flexget.com/

diff --git a/spk/flexget/src/requirements.txt b/spk/flexget/src/requirements.txt
@@ -1,55 +1,65 @@
-# This file is a copy of the https://github.com/Flexget/Flexget/blob/v3.1.80/requirements.txt file.
+# This file is a copy of the https://raw.githubusercontent.com/Flexget/Flexget/v3.1.110/requirements.txt file
+# including the https://raw.githubusercontent.com/Flexget/Flexget/v3.1.110/requirements.in
 # Additionally added the flexget and the transmissionrpc packages.
-aniso8601==1.2.1
-apscheduler==3.5.0
+# plumbum and rpyc packages are adjusted as the proposed versions are not accepted.
+aniso8601==9.0.1
+apscheduler==3.7.0
+attrs==20.3.0
 babelfish==0.5.5
-beautifulsoup4==4.8.2
-certifi==2017.4.17
-chardet==3.0.3
-cheroot==8.2.1
-cherrypy==18.4.0
-click==6.7
-colorama==0.4.4
+beautifulsoup4==4.9.3
+brotli==1.0.9
+certifi==2020.12.5
+chardet==4.0.0
+cheroot==8.5.2
+cherrypy==18.6.0
+click==7.1.2
 colorclass==2.2.0
-feedparser==5.2.1
-flask==1.0.2
-flask-compress==1.4.0
-flask-cors==3.0.2
-flask-login==0.4.0
-flask-restful==0.3.6
+feedparser==6.0.2
+flask==1.1.2
+flask-compress==1.9.0
+flask-cors==3.0.10
+flask-login==0.5.0
+flask-restful==0.3.8
 flask-restx==0.2.0
-flexget==3.1.80
-guessit==3.1.0
-html5lib==0.999999999
-idna==2.8
-itsdangerous==0.24
-jaraco.functools==2.0
-jinja2==2.10.1
-jsonschema==2.6.0
+flexget==3.1.110
+guessit==3.2.0
+html5lib==1.1
+idna==2.10
+itsdangerous==1.1.0
+jaraco.classes==3.2.1
+jaraco.collections==3.2.0
+jaraco.functools==3.2.1
+jaraco.text==3.5.0
+jinja2==2.11.3
+jsonschema==3.2.0
 loguru==0.5.3
 markupsafe==1.1.1
-more-itertools==7.2.0
-plumbum==1.6.3
-portend==2.6
+more-itertools==8.7.0
+#plumbum==1.7.0
+plumbum==1.6.9
+portend==2.7.1
 progressbar==2.5
 pynzb==0.1.0
 pyparsing==2.4.7
+pyrsistent==0.17.3
 pyrss2gen==1.1
-python-dateutil==2.6.1
-pytz==2017.2
-pyyaml==5.1.2
-rebulk==2.0.0
-requests==2.24.0
-rpyc==4.0.1
-six==1.13.0
-soupsieve==1.9.5
-sqlalchemy==1.3.11
-tempora==1.8
+python-dateutil==2.8.1
+pytz==2021.1
+pyyaml==5.4.1
+rebulk==3.0.1
+requests==2.25.1
+#rpyc==4.1.5
+rpyc==4.1.2
+sgmllib3k==1.0.0
+six==1.15.0
+soupsieve==2.2
+sqlalchemy==1.3.23
+tempora==4.0.1
 terminaltables==3.1.0
 transmissionrpc==0.11
-tzlocal==1.4
-urllib3==1.25.11
+tzlocal==2.1
+urllib3==1.26.3
 webencodings==0.5.1
-werkzeug==0.15.6
+werkzeug==1.0.1
 zc.lockfile==2.0
-zxcvbn-python==4.4.15
+zxcvbn-python==4.4.24
diff --git a/spk/flexget/src/service-setup.sh b/spk/flexget/src/service-setup.sh
@@ -2,13 +2,20 @@ PYTHON_DIR="/var/packages/python3/target/bin"
 VIRTUALENV="${PYTHON_DIR}/python3 -m venv"
 PATH="${SYNOPKG_PKGDEST}/env/bin:${SYNOPKG_PKGDEST}/bin:${PYTHON_DIR}:${PATH}"
 
-CONFIG_FILE="${SYNOPKG_PKGDEST}/var/config.yml"
+CONFIG_FILE="${SYNOPKG_PKGVAR}/config.yml"
 
-SERVICE_COMMAND="${SYNOPKG_PKGDEST}/env/bin/flexget -c ${CONFIG_FILE} --logfile ${LOG_FILE} daemon start"
+# flexget always writes the logfile flexget.log in the folder of the config file.
+# this is the same file as defined by the variable LOG_FILE.
+# if the parameter --logfile is not used or specifies the same logfile, then
+# all log file entries are doubled (seems to be an old bug in flexget daemon mode).
+# with "--logfile ${SYNOPKG_PKGVAR}/daemon.log", logs are written once to both files (flexget.log and daemon.log).
+# we could use "--logfile /dev/null" to avoid double log entries, but with this we might loose 
+# logs that are only written to the file specified with --logfile.
+SERVICE_COMMAND="${SYNOPKG_PKGDEST}/env/bin/flexget -c ${CONFIG_FILE} --logfile ${SYNOPKG_PKGVAR}/daemon.log daemon start"
 SVC_BACKGROUND=y
 SVC_WRITE_PID=y
-SVC_CWD="${SYNOPKG_PKGDEST}/var/"
-HOME="${SYNOPKG_PKGDEST}/var/"
+SVC_CWD="${SYNOPKG_PKGVAR}/"
+HOME="${SYNOPKG_PKGVAR}/"
 
 service_postinst ()
 {
@@ -19,8 +26,8 @@ service_postinst ()
     wheelhouse=${SYNOPKG_PKGDEST}/share/wheelhouse
     ${SYNOPKG_PKGDEST}/env/bin/pip install --no-deps --no-index --force-reinstall --find-links ${wheelhouse} ${wheelhouse}/*.whl
 
-    # Copying "config.yml" file to the "var/" folder
-    install -m 755 -d ${SYNOPKG_PKGDEST}/var
-    install -m 644 ${SYNOPKG_PKGDEST}/share/config.yml ${SYNOPKG_PKGDEST}/var
+    # Copy "config.yml" file to the "var/" folder
+    mkdir -p ${SYNOPKG_PKGVAR}
+    cp -f ${SYNOPKG_PKGDEST}/share/config.yml ${SYNOPKG_PKGVAR}/
 }