author | salo <salo@pkgsrc.org> | 2005-02-16 14:00:08 +0000 |
---|---|---|
committer | salo <salo@pkgsrc.org> | 2005-02-16 14:00:08 +0000 |
commit | 4fbc06192846bfb627708f1a350ab3999bd15cd4 (patch) | |
tree | cf92f7987ce7683b49c2136c1f9305b2d395b7eb | |
parent | c2e263525b52c640854bf3e968b2c4396f545756 (diff) | |
Pullup ticket 289 - requested by Matthias Drochner
security fix for python
Patches hand-rolled, based on the following commit:
Module Name: pkgsrc
Committed By: drochner
Date: Fri Feb 4 15:39:04 UTC 2005
Modified Files:
pkgsrc/lang/python22: Makefile distinfo
pkgsrc/lang/python23: Makefile distinfo
pkgsrc/lang/python23-nth: Makefile
pkgsrc/lang/python24: Makefile distinfo
Added Files:
pkgsrc/lang/python22/patches: patch-an
pkgsrc/lang/python23/patches: patch-an
pkgsrc/lang/python24/patches: patch-an
Log Message:
apply the security fix from
http://www.python.org/security/PSF-2005-001/
This disables hierarchical object lookups in SimpleXMLRPCServer.
Unfortunately, this breaks some applications (eg kenosis). Don't
shoot me for this.
bump PKGREVISION
-rw-r--r-- | lang/python22-pth/Makefile | 4 | ||||
-rw-r--r-- | lang/python22-pth/distinfo | 3 | ||||
-rw-r--r-- | lang/python22-pth/patches/patch-an | 70 | ||||
-rw-r--r-- | lang/python22/Makefile | 4 | ||||
-rw-r--r-- | lang/python22/distinfo | 3 | ||||
-rw-r--r-- | lang/python22/patches/patch-an | 70 | ||||
-rw-r--r-- | lang/python23-pth/distinfo | 3 | ||||
-rw-r--r-- | lang/python23-pth/patches/patch-an | 82 | ||||
-rw-r--r-- | lang/python23/Makefile.common | 4 | ||||
-rw-r--r-- | lang/python23/distinfo | 3 | ||||
-rw-r--r-- | lang/python23/patches/patch-an | 82 | ||||
-rw-r--r-- | lang/python24-pth/Makefile | 3 | ||||
-rw-r--r-- | lang/python24-pth/distinfo | 3 | ||||
-rw-r--r-- | lang/python24-pth/patches/patch-an | 82 | ||||
-rw-r--r-- | lang/python24/Makefile | 3 | ||||
-rw-r--r-- | lang/python24/distinfo | 3 | ||||
-rw-r--r-- | lang/python24/patches/patch-an | 82 |
17 files changed, 490 insertions, 14 deletions
diff --git a/lang/python22-pth/Makefile b/lang/python22-pth/Makefile index 009527bcdd7..f2858bf9b6c 100644 --- a/lang/python22-pth/Makefile +++ b/lang/python22-pth/Makefile @@ -1,8 +1,8 @@ -# $NetBSD: Makefile,v 1.14 2004/08/29 10:44:19 recht Exp $ +# $NetBSD: Makefile,v 1.14.4.1 2005/02/16 14:00:08 salo Exp $ # PKGNAME= python22-pth-2.2.3 -PKGREVISION= 3 +PKGREVISION= 5 PTHREAD_OPTS= require .include "../../mk/pthread.buildlink3.mk" diff --git a/lang/python22-pth/distinfo b/lang/python22-pth/distinfo index 58d7cb6588d..bf546cb068a 100644 --- a/lang/python22-pth/distinfo +++ b/lang/python22-pth/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.6 2004/08/29 10:44:19 recht Exp $ +$NetBSD: distinfo,v 1.6.4.1 2005/02/16 14:00:08 salo Exp $ SHA1 (Python-2.2.3.tgz) = 177d587e77e0eaa14131ab0d0d0b470777de4400 Size (Python-2.2.3.tgz) = 6709556 bytes @@ -10,6 +10,7 @@ SHA1 (patch-ag) = 46ce7c0e3dfdeb971a253bdcbbdd19b10a78c6c2 SHA1 (patch-ah) = b1ef2e68cc8037f38e46007c6c65389e91a429fd SHA1 (patch-ai) = ae1d8a7886604f9e973f4430f9c673a575452170 SHA1 (patch-aj) = ccf82a79c38f848d31f5193b561be5a44481fedc +SHA1 (patch-an) = 8e5b93bc65bb6d271e8e111949f715f7234f4371 SHA1 (patch-ba) = 5e47b2e75ea40682216e42fbf8b971432836afdc SHA1 (patch-bb) = 389c439e8031257ca997455e10c8bd327b14638a SHA1 (patch-bc) = 9fbe77ff35519a290ef1f70fcaa72a60009a36a1 diff --git a/lang/python22-pth/patches/patch-an b/lang/python22-pth/patches/patch-an new file mode 100644 index 00000000000..7bf11030471 --- /dev/null +++ b/lang/python22-pth/patches/patch-an 
@@ -0,0 +1,70 @@
+$NetBSD: patch-an,v 1.1.2.1 2005/02/16 14:00:08 salo Exp $
+
+--- Lib/SimpleXMLRPCServer.py.orig 2001-09-29 06:54:33.000000000 +0200
++++ Lib/SimpleXMLRPCServer.py
+@@ -161,7 +161,8 @@ class SimpleXMLRPCRequestHandler(BaseHTT
+ try:
+ func = _resolve_dotted_attribute(
+ self.server.instance,
+- method
++ method,
++ self.allow_dotted_names
+ )
+ except AttributeError:
+ pass
+@@ -178,11 +179,20 @@ class SimpleXMLRPCRequestHandler(BaseHTT
+ BaseHTTPServer.BaseHTTPRequestHandler.log_request(self, code, size)
+
+
+-def _resolve_dotted_attribute(obj, attr):
++def _resolve_dotted_attribute(obj, attr, allow_dotted_names=True):
+ """Resolves a dotted attribute name to an object. Raises
+ an AttributeError if any attribute in the chain starts with a '_'.
++
++ If the optional allow_dotted_names argument is false, dots are not
++ supported and this function operates similar to getattr(obj, attr).
+ """
+- for i in attr.split('.'):
++
++ if allow_dotted_names:
++ attrs = attr.split('.')
++ else:
++ attrs = [attr]
++
++ for i in attrs:
+ if i.startswith('_'):
+ raise AttributeError(
+ 'attempt to access private attribute "%s"' % i
+@@ -206,7 +216,7 @@ class SimpleXMLRPCServer(SocketServer.TC
+ self.instance = None
+ SocketServer.TCPServer.__init__(self, addr, requestHandler)
+
+- def register_instance(self, instance):
++ def register_instance(self, instance, allow_dotted_names=False):
+ """Registers an instance to respond to XML-RPC requests.
+
+ Only one instance can be installed at a time.
+@@ -225,9 +235,23 @@ class SimpleXMLRPCServer(SocketServer.TC
+
+ If a registered function matches a XML-RPC request, then it
+ will be called instead of the registered instance.
++
++ If the optional allow_dotted_names argument is true and the
++ instance does not have a _dispatch method, method names
++ containing dots are supported and resolved, as long as none of
++ the name segments start with an '_'.
++ ++ *** SECURITY WARNING: *** ++ ++ Enabling the allow_dotted_names options allows intruders ++ to access your module's global variables and may allow ++ intruders to execute arbitrary code on your machine. Only ++ use this option on a secure, closed network. ++ + """ + + self.instance = instance ++ self.allow_dotted_names = allow_dotted_names + + def register_function(self, function, name = None): + """Registers a function to respond to XML-RPC requests. diff --git a/lang/python22/Makefile b/lang/python22/Makefile index 678e1ffe4a4..3e33b01a4a9 100644 --- a/lang/python22/Makefile +++ b/lang/python22/Makefile @@ -1,8 +1,8 @@ -# $NetBSD: Makefile,v 1.22 2004/08/29 10:44:19 recht Exp $ +# $NetBSD: Makefile,v 1.22.4.1 2005/02/16 14:00:08 salo Exp $ # PKGNAME= python22-2.2.3 -PKGREVISION= 2 +PKGREVISION= 5 CONFIGURE_ARGS+= --without-threads diff --git a/lang/python22/distinfo b/lang/python22/distinfo index 7cbee90ecec..adbb6a71a59 100644 --- a/lang/python22/distinfo +++ b/lang/python22/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.12 2004/08/29 10:44:19 recht Exp $ +$NetBSD: distinfo,v 1.12.4.1 2005/02/16 14:00:08 salo Exp $ SHA1 (Python-2.2.3.tgz) = 177d587e77e0eaa14131ab0d0d0b470777de4400 Size (Python-2.2.3.tgz) = 6709556 bytes @@ -7,5 +7,6 @@ SHA1 (patch-ab) = aa06824d9f595a24aaddc96c83f31646f522ab09 SHA1 (patch-ae) = aefeec78e25631a6e9e2aa047dce12c9c522715e SHA1 (patch-af) = a2b23859941766319f638e40c49b5af3f504ef52 SHA1 (patch-ai) = 02f530a08fd8b61a696ae43ddabd7e86e4af7727 +SHA1 (patch-an) = 8e5b93bc65bb6d271e8e111949f715f7234f4371 SHA1 (patch-bb) = 389c439e8031257ca997455e10c8bd327b14638a SHA1 (patch-bc) = 9fbe77ff35519a290ef1f70fcaa72a60009a36a1 diff --git a/lang/python22/patches/patch-an b/lang/python22/patches/patch-an new file mode 100644 index 00000000000..3b29882050a --- /dev/null +++ b/lang/python22/patches/patch-an 
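Review bot: In the first inner hunk of lang/python22-pth/patches/patch-an (`@@ -161,7 +161,8 @@ class SimpleXMLRPCRequestHandler`) the new argument is read as `self.allow_dotted_names`, but `self` there is the request handler (the line above it passes `self.server.instance`), while the flag is stored on the server by `register_instance` (`self.allow_dotted_names = allow_dotted_names` in the last inner hunk). Unless the handler class gets that attribute somewhere outside the visible hunks, the lookup raises AttributeError, which the surrounding `except AttributeError: pass` swallows, so every call dispatched to a registered instance would be rejected, not only the dotted ones. The argument should read `self.server.allow_dotted_names`. lang/python22/patches/patch-an carries the same line; the enclosing method starts and ends outside the hunk.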
@@ -0,0 +1,70 @@
+$NetBSD: patch-an,v 1.1.2.2 2005/02/16 14:00:08 salo Exp $
+
+--- Lib/SimpleXMLRPCServer.py.orig 2001-09-29 06:54:33.000000000 +0200
++++ Lib/SimpleXMLRPCServer.py
+@@ -161,7 +161,8 @@ class SimpleXMLRPCRequestHandler(BaseHTT
+ try:
+ func = _resolve_dotted_attribute(
+ self.server.instance,
+- method
++ method,
++ self.allow_dotted_names
+ )
+ except AttributeError:
+ pass
+@@ -178,11 +179,20 @@ class SimpleXMLRPCRequestHandler(BaseHTT
+ BaseHTTPServer.BaseHTTPRequestHandler.log_request(self, code, size)
+
+
+-def _resolve_dotted_attribute(obj, attr):
++def _resolve_dotted_attribute(obj, attr, allow_dotted_names=True):
+ """Resolves a dotted attribute name to an object. Raises
+ an AttributeError if any attribute in the chain starts with a '_'.
++
++ If the optional allow_dotted_names argument is false, dots are not
++ supported and this function operates similar to getattr(obj, attr).
+ """
+- for i in attr.split('.'):
++
++ if allow_dotted_names:
++ attrs = attr.split('.')
++ else:
++ attrs = [attr]
++
++ for i in attrs:
+ if i.startswith('_'):
+ raise AttributeError(
+ 'attempt to access private attribute "%s"' % i
+@@ -206,7 +216,7 @@ class SimpleXMLRPCServer(SocketServer.TC
+ self.instance = None
+ SocketServer.TCPServer.__init__(self, addr, requestHandler)
+
+- def register_instance(self, instance):
++ def register_instance(self, instance, allow_dotted_names=False):
+ """Registers an instance to respond to XML-RPC requests.
+
+ Only one instance can be installed at a time.
+@@ -225,9 +235,23 @@ class SimpleXMLRPCServer(SocketServer.TC
+
+ If a registered function matches a XML-RPC request, then it
+ will be called instead of the registered instance.
++
++ If the optional allow_dotted_names argument is true and the
++ instance does not have a _dispatch method, method names
++ containing dots are supported and resolved, as long as none of
++ the name segments start with an '_'.
++ ++ *** SECURITY WARNING: *** ++ ++ Enabling the allow_dotted_names options allows intruders ++ to access your module's global variables and may allow ++ intruders to execute arbitrary code on your machine. Only ++ use this option on a secure, closed network. ++ + """ + + self.instance = instance ++ self.allow_dotted_names = allow_dotted_names + + def register_function(self, function, name = None): + """Registers a function to respond to XML-RPC requests. diff --git a/lang/python23-pth/distinfo b/lang/python23-pth/distinfo index 0265ae66477..2297f7aec9e 100644 --- a/lang/python23-pth/distinfo +++ b/lang/python23-pth/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.19 2004/11/28 13:33:20 recht Exp $ +$NetBSD: distinfo,v 1.19.2.1 2005/02/16 14:00:08 salo Exp $ SHA1 (Python-2.3.4.tgz) = 7d47431febec704e766b57f12a1a5030bb2d03c3 Size (Python-2.3.4.tgz) = 8502738 bytes @@ -10,6 +10,7 @@ SHA1 (patch-af) = d23d42d5d5fc31aeaf1fca89448873cc4179ccf6 SHA1 (patch-ah) = f9a46bfe82acec594cf44afd43f359a5248edadb SHA1 (patch-al) = 72c155d28675c10e30a0b13f33f6d1a52457ee47 SHA1 (patch-am) = eda4c6161b4237e1281cc6b82b26c5195444dcff +SHA1 (patch-an) = dea3d89818a937ad47a72d6a21b806d258a973c2 SHA1 (patch-ba) = dd8f89952d7f40c9a979e362758775f093e047bc SHA1 (patch-bb) = 7c6fe21b6328dddce2a079b0a1c7ae0bee817bae SHA1 (patch-ca) = 95f5a515fe3dafd75d077e0591e88a34447152ff diff --git a/lang/python23-pth/patches/patch-an b/lang/python23-pth/patches/patch-an new file mode 100644 index 00000000000..b0c29a81d64 --- /dev/null +++ b/lang/python23-pth/patches/patch-an 
@@ -0,0 +1,82 @@
+$NetBSD: patch-an,v 1.2.6.1 2005/02/16 14:00:08 salo Exp $
+
+--- Lib/SimpleXMLRPCServer.py.orig 2003-06-29 06:19:37.000000000 +0200
++++ Lib/SimpleXMLRPCServer.py
+@@ -107,14 +107,22 @@ import sys
+ import types
+ import os
+
+-def resolve_dotted_attribute(obj, attr):
++def resolve_dotted_attribute(obj, attr, allow_dotted_names=True):
+ """resolve_dotted_attribute(a, 'b.c.d') => a.b.c.d
+
+ Resolves a dotted attribute name to an object. Raises
+ an AttributeError if any attribute in the chain starts with a '_'.
++
++ If the optional allow_dotted_names argument is false, dots are not
++ supported and this function operates similar to getattr(obj, attr).
+ """
+
+- for i in attr.split('.'):
++ if allow_dotted_names:
++ attrs = attr.split('.')
++ else:
++ attrs = [attr]
++
++ for i in attrs:
+ if i.startswith('_'):
+ raise AttributeError(
+ 'attempt to access private attribute "%s"' % i
+@@ -156,7 +164,7 @@ class SimpleXMLRPCDispatcher:
+ self.funcs = {}
+ self.instance = None
+
+- def register_instance(self, instance):
++ def register_instance(self, instance, allow_dotted_names=False):
+ """Registers an instance to respond to XML-RPC requests.
+
+ Only one instance can be installed at a time.
+@@ -174,9 +182,23 @@ class SimpleXMLRPCDispatcher:
+
+ If a registered function matches a XML-RPC request, then it
+ will be called instead of the registered instance.
++
++ If the optional allow_dotted_names argument is true and the
++ instance does not have a _dispatch method, method names
++ containing dots are supported and resolved, as long as none of
++ the name segments start with an '_'.
++
++ *** SECURITY WARNING: ***
++
++ Enabling the allow_dotted_names options allows intruders
++ to access your module's global variables and may allow
++ intruders to execute arbitrary code on your machine. Only
++ use this option on a secure, closed network.
++ + """ + + self.instance = instance ++ self.allow_dotted_names = allow_dotted_names + + def register_function(self, function, name = None): + """Registers a function to respond to XML-RPC requests. +@@ -295,7 +317,8 @@ class SimpleXMLRPCDispatcher: + try: + method = resolve_dotted_attribute( + self.instance, +- method_name ++ method_name, ++ self.allow_dotted_names + ) + except AttributeError: + pass +@@ -374,7 +397,8 @@ class SimpleXMLRPCDispatcher: + try: + func = resolve_dotted_attribute( + self.instance, +- method ++ method, ++ self.allow_dotted_names + ) + except AttributeError: + pass diff --git a/lang/python23/Makefile.common b/lang/python23/Makefile.common index c1c979ea9bf..3c88a267bf4 100644 --- a/lang/python23/Makefile.common +++ b/lang/python23/Makefile.common @@ -1,8 +1,8 @@ -# $NetBSD: Makefile.common,v 1.22 2004/12/19 05:34:07 grant Exp $ +# $NetBSD: Makefile.common,v 1.22.2.1 2005/02/16 14:00:08 salo Exp $ # DISTNAME= Python-2.3.4 -PKGREVISION= 3 +PKGREVISION= 7 CATEGORIES= lang python MASTER_SITES= ftp://ftp.python.org/pub/python/2.3.4/ EXTRACT_SUFX= .tgz diff --git a/lang/python23/distinfo b/lang/python23/distinfo index 4f99222d71d..a476146a232 100644 --- a/lang/python23/distinfo +++ b/lang/python23/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.21 2004/11/28 13:33:19 recht Exp $ +$NetBSD: distinfo,v 1.21.2.1 2005/02/16 14:00:08 salo Exp $ SHA1 (Python-2.3.4.tgz) = 7d47431febec704e766b57f12a1a5030bb2d03c3 Size (Python-2.3.4.tgz) = 8502738 bytes @@ -10,6 +10,7 @@ SHA1 (patch-af) = d23d42d5d5fc31aeaf1fca89448873cc4179ccf6 SHA1 (patch-ah) = f9a46bfe82acec594cf44afd43f359a5248edadb SHA1 (patch-al) = af2c7c23a7aec7e305edb0ef41456c5247b87405 SHA1 (patch-am) = df5c858b32a9a5aa118c84f6742f9d3547c0c7f3 +SHA1 (patch-an) = dea3d89818a937ad47a72d6a21b806d258a973c2 SHA1 (patch-bb) = 7c6fe21b6328dddce2a079b0a1c7ae0bee817bae SHA1 (patch-ca) = 95f5a515fe3dafd75d077e0591e88a34447152ff SHA1 (patch-cb) = 301205b29db1ca60f06b2dc0423f5f911eabcd18 
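Review bot: The hardening in lang/python23-pth/patches/patch-an rests on each caller passing the flag: `resolve_dotted_attribute` keeps `allow_dotted_names=True` as its default, so only the two `SimpleXMLRPCDispatcher` call sites changed in the last two inner hunks are restricted, and any other caller of this module-level helper still walks dotted names. A comment on the signature would make that explicit, for example `# default True kept for compatibility; pass allow_dotted_names=False for names taken from a request`. Separately, `self.allow_dotted_names` is assigned only in `register_instance`, not beside `self.instance = None` in that hunk's context lines; if an instance can be installed any other way, the lookup raises AttributeError, which `except AttributeError: pass` hides as a missing method, so `self.allow_dotted_names = False` next to `self.instance = None` would be safer. The patch-an files under lang/python23, lang/python24-pth and lang/python24 carry the same code, and the enclosing functions extend outside the hunks.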
diff --git a/lang/python23/patches/patch-an b/lang/python23/patches/patch-an
new file mode 100644
index 00000000000..b0c29a81d64
--- /dev/null
+++ b/lang/python23/patches/patch-an
@@ -0,0 +1,82 @@
+$NetBSD: patch-an,v 1.2.6.1 2005/02/16 14:00:08 salo Exp $
+
+--- Lib/SimpleXMLRPCServer.py.orig 2003-06-29 06:19:37.000000000 +0200
++++ Lib/SimpleXMLRPCServer.py
+@@ -107,14 +107,22 @@ import sys
+ import types
+ import os
+
+-def resolve_dotted_attribute(obj, attr):
++def resolve_dotted_attribute(obj, attr, allow_dotted_names=True):
+ """resolve_dotted_attribute(a, 'b.c.d') => a.b.c.d
+
+ Resolves a dotted attribute name to an object. Raises
+ an AttributeError if any attribute in the chain starts with a '_'.
++
++ If the optional allow_dotted_names argument is false, dots are not
++ supported and this function operates similar to getattr(obj, attr).
+ """
+
+- for i in attr.split('.'):
++ if allow_dotted_names:
++ attrs = attr.split('.')
++ else:
++ attrs = [attr]
++
++ for i in attrs:
+ if i.startswith('_'):
+ raise AttributeError(
+ 'attempt to access private attribute "%s"' % i
+@@ -156,7 +164,7 @@ class SimpleXMLRPCDispatcher:
+ self.funcs = {}
+ self.instance = None
+
+- def register_instance(self, instance):
++ def register_instance(self, instance, allow_dotted_names=False):
+ """Registers an instance to respond to XML-RPC requests.
+
+ Only one instance can be installed at a time.
+@@ -174,9 +182,23 @@ class SimpleXMLRPCDispatcher:
+
+ If a registered function matches a XML-RPC request, then it
+ will be called instead of the registered instance.
++
++ If the optional allow_dotted_names argument is true and the
++ instance does not have a _dispatch method, method names
++ containing dots are supported and resolved, as long as none of
++ the name segments start with an '_'.
++
++ *** SECURITY WARNING: ***
++
++ Enabling the allow_dotted_names options allows intruders
++ to access your module's global variables and may allow
++ intruders to execute arbitrary code on your machine. Only
++ use this option on a secure, closed network.
++ + """ + + self.instance = instance ++ self.allow_dotted_names = allow_dotted_names + + def register_function(self, function, name = None): + """Registers a function to respond to XML-RPC requests. +@@ -295,7 +317,8 @@ class SimpleXMLRPCDispatcher: + try: + method = resolve_dotted_attribute( + self.instance, +- method_name ++ method_name, ++ self.allow_dotted_names + ) + except AttributeError: + pass +@@ -374,7 +397,8 @@ class SimpleXMLRPCDispatcher: + try: + func = resolve_dotted_attribute( + self.instance, +- method ++ method, ++ self.allow_dotted_names + ) + except AttributeError: + pass diff --git a/lang/python24-pth/Makefile b/lang/python24-pth/Makefile index d28f4f3f165..0191817e992 100644 --- a/lang/python24-pth/Makefile +++ b/lang/python24-pth/Makefile @@ -1,7 +1,8 @@ -# $NetBSD: Makefile,v 1.1.1.1 2004/12/05 23:28:53 recht Exp $ +# $NetBSD: Makefile,v 1.1.1.1.2.1 2005/02/16 14:00:09 salo Exp $ # PKGNAME= python24-pth-2.4 +PKGREVISION= 4 PTHREAD_OPTS= require .include "../../mk/pthread.buildlink3.mk" diff --git a/lang/python24-pth/distinfo b/lang/python24-pth/distinfo index 2179bc3ebb5..af53559dfe3 100644 --- a/lang/python24-pth/distinfo +++ b/lang/python24-pth/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.1.1.1 2004/12/05 23:28:53 recht Exp $ +$NetBSD: distinfo,v 1.1.1.1.2.1 2005/02/16 14:00:09 salo Exp $ SHA1 (Python-2.4.tar.bz2) = 80c06f491a4b2a629e868540150faf22c5d0e41e Size (Python-2.4.tar.bz2) = 7840762 bytes @@ -15,4 +15,5 @@ SHA1 (patch-aj) = e471737ade95423039661b475f2dd0fc27aa9dac SHA1 (patch-ak) = f2e1d4087a94490bd3589a8c829ec72e04f31f72 SHA1 (patch-al) = ebf8e77f67e69f6aec0b6da254e0169198f0ae8f SHA1 (patch-am) = ecb78cf1097531447af7b7fd60166b84b8aef1b4 +SHA1 (patch-an) = 02222a16fb6b5eac69098e8c310f62bb75fa559b SHA1 (patch-ba) = d0f9d225bd3de0a7af098fef05d5b09f8319ce7f diff --git a/lang/python24-pth/patches/patch-an b/lang/python24-pth/patches/patch-an new file mode 100644 index 00000000000..5cc69ea8398 --- /dev/null 
+++ b/lang/python24-pth/patches/patch-an 
@@ -0,0 +1,82 @@
+$NetBSD: patch-an,v 1.1.2.1 2005/02/16 14:00:09 salo Exp $
+
+--- Lib/SimpleXMLRPCServer.py.orig 2004-10-04 01:21:44.000000000 +0200
++++ Lib/SimpleXMLRPCServer.py
+@@ -106,14 +106,22 @@ import BaseHTTPServer
+ import sys
+ import os
+
+-def resolve_dotted_attribute(obj, attr):
++def resolve_dotted_attribute(obj, attr, allow_dotted_names=True):
+ """resolve_dotted_attribute(a, 'b.c.d') => a.b.c.d
+
+ Resolves a dotted attribute name to an object. Raises
+ an AttributeError if any attribute in the chain starts with a '_'.
++
++ If the optional allow_dotted_names argument is false, dots are not
++ supported and this function operates similar to getattr(obj, attr).
+ """
+
+- for i in attr.split('.'):
++ if allow_dotted_names:
++ attrs = attr.split('.')
++ else:
++ attrs = [attr]
++
++ for i in attrs:
+ if i.startswith('_'):
+ raise AttributeError(
+ 'attempt to access private attribute "%s"' % i
+@@ -155,7 +163,7 @@ class SimpleXMLRPCDispatcher:
+ self.funcs = {}
+ self.instance = None
+
+- def register_instance(self, instance):
++ def register_instance(self, instance, allow_dotted_names=False):
+ """Registers an instance to respond to XML-RPC requests.
+
+ Only one instance can be installed at a time.
+@@ -173,9 +181,23 @@ class SimpleXMLRPCDispatcher:
+
+ If a registered function matches a XML-RPC request, then it
+ will be called instead of the registered instance.
++
++ If the optional allow_dotted_names argument is true and the
++ instance does not have a _dispatch method, method names
++ containing dots are supported and resolved, as long as none of
++ the name segments start with an '_'.
++
++ *** SECURITY WARNING: ***
++
++ Enabling the allow_dotted_names options allows intruders
++ to access your module's global variables and may allow
++ intruders to execute arbitrary code on your machine. Only
++ use this option on a secure, closed network.
++ + """ + + self.instance = instance ++ self.allow_dotted_names = allow_dotted_names + + def register_function(self, function, name = None): + """Registers a function to respond to XML-RPC requests. +@@ -294,7 +316,8 @@ class SimpleXMLRPCDispatcher: + try: + method = resolve_dotted_attribute( + self.instance, +- method_name ++ method_name, ++ self.allow_dotted_names + ) + except AttributeError: + pass +@@ -373,7 +396,8 @@ class SimpleXMLRPCDispatcher: + try: + func = resolve_dotted_attribute( + self.instance, +- method ++ method, ++ self.allow_dotted_names + ) + except AttributeError: + pass diff --git a/lang/python24/Makefile b/lang/python24/Makefile index 8861edead69..048bcd7aacb 100644 --- a/lang/python24/Makefile +++ b/lang/python24/Makefile @@ -1,7 +1,8 @@ -# $NetBSD: Makefile,v 1.1.1.1 2004/12/05 23:27:49 recht Exp $ +# $NetBSD: Makefile,v 1.1.1.1.2.1 2005/02/16 14:00:09 salo Exp $ # PKGNAME= python24-2.4 +PKGREVISION= 4 CONFIGURE_ARGS+= --without-threads diff --git a/lang/python24/distinfo b/lang/python24/distinfo index eda9c92b571..5d79538c9b7 100644 --- a/lang/python24/distinfo +++ b/lang/python24/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.3 2004/12/19 05:45:39 grant Exp $ +$NetBSD: distinfo,v 1.3.2.1 2005/02/16 14:00:09 salo Exp $ SHA1 (Python-2.4.tar.bz2) = 80c06f491a4b2a629e868540150faf22c5d0e41e Size (Python-2.4.tar.bz2) = 7840762 bytes @@ -15,3 +15,4 @@ SHA1 (patch-aj) = e471737ade95423039661b475f2dd0fc27aa9dac SHA1 (patch-ak) = f2e1d4087a94490bd3589a8c829ec72e04f31f72 SHA1 (patch-al) = 789a62b0efa9044ea412d6e1ef47c62d9ea0ec1a SHA1 (patch-am) = aa71ec2f9cc8f434ff38b19df23b5dd433e13e5a +SHA1 (patch-an) = 02222a16fb6b5eac69098e8c310f62bb75fa559b diff --git a/lang/python24/patches/patch-an b/lang/python24/patches/patch-an new file mode 100644 index 00000000000..8c12c019d45 --- /dev/null +++ b/lang/python24/patches/patch-an 
@@ -0,0 +1,82 @@
+$NetBSD: patch-an,v 1.1.2.2 2005/02/16 14:00:09 salo Exp $
+
+--- Lib/SimpleXMLRPCServer.py.orig 2004-10-04 01:21:44.000000000 +0200
++++ Lib/SimpleXMLRPCServer.py
+@@ -106,14 +106,22 @@ import BaseHTTPServer
+ import sys
+ import os
+
+-def resolve_dotted_attribute(obj, attr):
++def resolve_dotted_attribute(obj, attr, allow_dotted_names=True):
+ """resolve_dotted_attribute(a, 'b.c.d') => a.b.c.d
+
+ Resolves a dotted attribute name to an object. Raises
+ an AttributeError if any attribute in the chain starts with a '_'.
++
++ If the optional allow_dotted_names argument is false, dots are not
++ supported and this function operates similar to getattr(obj, attr).
+ """
+
+- for i in attr.split('.'):
++ if allow_dotted_names:
++ attrs = attr.split('.')
++ else:
++ attrs = [attr]
++
++ for i in attrs:
+ if i.startswith('_'):
+ raise AttributeError(
+ 'attempt to access private attribute "%s"' % i
+@@ -155,7 +163,7 @@ class SimpleXMLRPCDispatcher:
+ self.funcs = {}
+ self.instance = None
+
+- def register_instance(self, instance):
++ def register_instance(self, instance, allow_dotted_names=False):
+ """Registers an instance to respond to XML-RPC requests.
+
+ Only one instance can be installed at a time.
+@@ -173,9 +181,23 @@ class SimpleXMLRPCDispatcher:
+
+ If a registered function matches a XML-RPC request, then it
+ will be called instead of the registered instance.
++
++ If the optional allow_dotted_names argument is true and the
++ instance does not have a _dispatch method, method names
++ containing dots are supported and resolved, as long as none of
++ the name segments start with an '_'.
++
++ *** SECURITY WARNING: ***
++
++ Enabling the allow_dotted_names options allows intruders
++ to access your module's global variables and may allow
++ intruders to execute arbitrary code on your machine. Only
++ use this option on a secure, closed network.
++ """
+
+ self.instance = instance
++ self.allow_dotted_names = allow_dotted_names
+
+ def register_function(self, function, name = None):
+ """Registers a function to respond to XML-RPC requests.
+@@ -294,7 +316,8 @@ class SimpleXMLRPCDispatcher:
+ try:
+ method = resolve_dotted_attribute(
+ self.instance,
+- method_name
++ method_name,
++ self.allow_dotted_names
+ )
+ except AttributeError:
+ pass
+@@ -373,7 +396,8 @@ class SimpleXMLRPCDispatcher:
+ try:
+ func = resolve_dotted_attribute(
+ self.instance,
+- method
++ method,
++ self.allow_dotted_names
+ )
+ except AttributeError:
+ pass |