author | drochner <drochner@pkgsrc.org> | 2005-02-04 15:39:04 +0000 |
---|---|---|
committer | drochner <drochner@pkgsrc.org> | 2005-02-04 15:39:04 +0000 |
commit | 2cefade65dfa20af03311fa62c7573af7e7b57ed (patch) | |
tree | bb81caac418a09c508af5743525a8ab16d197547 /lang/python23 | |
parent | 409fbf659392d95538bcfa6ea686d43ee8aee92c (diff) | |
apply the security fix from
http://www.python.org/security/PSF-2005-001/
This disables hierarchical object lookups in SimpleXMLRPCServer.
Unfortunately, this breaks some applications (eg kenosis). Don't
shoot me for this.
bump PKGREVISION
Diffstat (limited to 'lang/python23')
-rw-r--r-- | lang/python23/Makefile | 4 | ||||
-rw-r--r-- | lang/python23/distinfo | 3 | ||||
-rw-r--r-- | lang/python23/patches/patch-an | 82 |
3 files changed, 86 insertions, 3 deletions
diff --git a/lang/python23/Makefile b/lang/python23/Makefile
index 2359bb926eb..d4df1c8ac4e 100644
--- a/lang/python23/Makefile
+++ b/lang/python23/Makefile
@@ -1,8 +1,8 @@ -# $NetBSD: Makefile,v 1.25 2005/01/30 12:44:40 jmmv Exp $ +# $NetBSD: Makefile,v 1.26 2005/02/04 15:39:04 drochner Exp $ # PKGNAME= python23-2.3.4 -PKGREVISION= 6 +PKGREVISION= 7 CONFLICTS+= python-[0-9]*
diff --git a/lang/python23/distinfo b/lang/python23/distinfo
index 3dc3e64a915..d08841cf599 100644
--- a/lang/python23/distinfo
+++ b/lang/python23/distinfo
@@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.24 2005/01/19 17:45:34 tv Exp $ +$NetBSD: distinfo,v 1.25 2005/02/04 15:39:04 drochner Exp $ SHA1 (Python-2.3.4.tgz) = 7d47431febec704e766b57f12a1a5030bb2d03c3 Size (Python-2.3.4.tgz) = 8502738 bytes
@@ -10,6 +10,7 @@ SHA1 (patch-af) = d23d42d5d5fc31aeaf1fca89448873cc4179ccf6 SHA1 (patch-ah) = 21d64c6f6a9f0ccf13b5439859b05e193b0338b0 SHA1 (patch-al) = d9b35c19e31edea1442b742aeeaa1b37f64d0d67 SHA1 (patch-am) = df5c858b32a9a5aa118c84f6742f9d3547c0c7f3 +SHA1 (patch-an) = dea3d89818a937ad47a72d6a21b806d258a973c2 SHA1 (patch-bb) = 7c6fe21b6328dddce2a079b0a1c7ae0bee817bae SHA1 (patch-ca) = 95f5a515fe3dafd75d077e0591e88a34447152ff SHA1 (patch-cb) = 301205b29db1ca60f06b2dc0423f5f911eabcd18
diff --git a/lang/python23/patches/patch-an b/lang/python23/patches/patch-an
new file mode 100644
index 00000000000..a0822ac0372
--- /dev/null
+++ b/lang/python23/patches/patch-an
@@ -0,0 +1,82 @@ +$NetBSD: patch-an,v 1.3 2005/02/04 15:39:04 drochner Exp $ + +--- Lib/SimpleXMLRPCServer.py.orig 2003-06-29 06:19:37.000000000 +0200 ++++ Lib/SimpleXMLRPCServer.py +@@ -107,14 +107,22 @@ import sys + import types + import os + +-def resolve_dotted_attribute(obj, attr): ++def resolve_dotted_attribute(obj, attr, allow_dotted_names=True): + """resolve_dotted_attribute(a, 'b.c.d') => a.b.c.d + + Resolves a dotted attribute name to an object. Raises + an AttributeError if any attribute in the chain starts with a '_'. ++ ++ If the optional allow_dotted_names argument is false, dots are not ++ supported and this function operates similar to getattr(obj, attr). + """ + +- for i in attr.split('.'): ++ if allow_dotted_names: ++ attrs = attr.split('.') ++ else: ++ attrs = [attr] ++ ++ for i in attrs: + if i.startswith('_'): + raise AttributeError( + 'attempt to access private attribute "%s"' % i +@@ -156,7 +164,7 @@ class SimpleXMLRPCDispatcher: + self.funcs = {} + self.instance = None + +- def register_instance(self, instance): ++ def register_instance(self, instance, allow_dotted_names=False): + """Registers an instance to respond to XML-RPC requests. + + Only one instance can be installed at a time. +@@ -174,9 +182,23 @@ class SimpleXMLRPCDispatcher: + + If a registered function matches a XML-RPC request, then it + will be called instead of the registered instance. ++ ++ If the optional allow_dotted_names argument is true and the ++ instance does not have a _dispatch method, method names ++ containing dots are supported and resolved, as long as none of ++ the name segments start with an '_'. ++ ++ *** SECURITY WARNING: *** ++ ++ Enabling the allow_dotted_names options allows intruders ++ to access your module's global variables and may allow ++ intruders to execute arbitrary code on your machine. Only ++ use this option on a secure, closed network. 
++ + """ + + self.instance = instance ++ self.allow_dotted_names = allow_dotted_names + + def register_function(self, function, name = None): + """Registers a function to respond to XML-RPC requests. +@@ -295,7 +317,8 @@ class SimpleXMLRPCDispatcher: + try: + method = resolve_dotted_attribute( + self.instance, +- method_name ++ method_name, ++ self.allow_dotted_names + ) + except AttributeError: + pass +@@ -374,7 +397,8 @@ class SimpleXMLRPCDispatcher: + try: + func = resolve_dotted_attribute( + self.instance, +- method ++ method, ++ self.allow_dotted_names + ) + except AttributeError: + pass |
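Review bot: `self.allow_dotted_names` is assigned only inside `register_instance`, while the constructor context shown in the @@ -156 hunk (`self.funcs = {}`, `self.instance = None`) never initializes it, so any code path that sets `self.instance` without going through `register_instance` (a subclass, for example) would hit an AttributeError at the two call sites in the @@ -295 and @@ -374 hunks — and because both sit inside `try: ... except AttributeError: pass`, that error is swallowed and indistinguishable from an unresolved method. Adding `self.allow_dotted_names = False` next to `self.instance = None` in the constructor makes the safe default explicit and keeps it from being masked by the surrounding except. Note also that the two defaults are deliberately opposite: `register_instance` now defaults to False, but the module-level `resolve_dotted_attribute` keeps `allow_dotted_names=True`, so any other caller of that helper retains the old dotted lookup unless it passes False explicitly; a one-line comment at the helper's signature saying so would save the next reader a trip to the dispatcher. The dispatch methods containing the two call sites start and end outside the hunk.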