summaryrefslogtreecommitdiff
path: root/lang/python23
diff options
context:
space:
mode:
authordrochner <drochner>2005-02-04 15:39:04 +0000
committerdrochner <drochner>2005-02-04 15:39:04 +0000
commitb67460318fe4f08f848e8ab2e2b91975200573ef (patch)
treebb81caac418a09c508af5743525a8ab16d197547 /lang/python23
parentbc156edaf5bf3d3ab6cdb1a4c07f281d41d46b4a (diff)
downloadpkgsrc-b67460318fe4f08f848e8ab2e2b91975200573ef.tar.gz
apply the security fix from
http://www.python.org/security/PSF-2005-001/ This disables hierarchical object lookups in SimpleXMLRPCServer. Unfortunately, this breaks some applications (eg kenosis). Don't shoot me for this. bump PKGREVISION
Diffstat (limited to 'lang/python23')
-rw-r--r--lang/python23/Makefile4
-rw-r--r--lang/python23/distinfo3
-rw-r--r--lang/python23/patches/patch-an82
3 files changed, 86 insertions, 3 deletions
diff --git a/lang/python23/Makefile b/lang/python23/Makefile
index 2359bb926eb..d4df1c8ac4e 100644
--- a/lang/python23/Makefile
+++ b/lang/python23/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.25 2005/01/30 12:44:40 jmmv Exp $
+# $NetBSD: Makefile,v 1.26 2005/02/04 15:39:04 drochner Exp $
#
PKGNAME= python23-2.3.4
-PKGREVISION= 6
+PKGREVISION= 7
CONFLICTS+= python-[0-9]*
diff --git a/lang/python23/distinfo b/lang/python23/distinfo
index 3dc3e64a915..d08841cf599 100644
--- a/lang/python23/distinfo
+++ b/lang/python23/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.24 2005/01/19 17:45:34 tv Exp $
+$NetBSD: distinfo,v 1.25 2005/02/04 15:39:04 drochner Exp $
SHA1 (Python-2.3.4.tgz) = 7d47431febec704e766b57f12a1a5030bb2d03c3
Size (Python-2.3.4.tgz) = 8502738 bytes
@@ -10,6 +10,7 @@ SHA1 (patch-af) = d23d42d5d5fc31aeaf1fca89448873cc4179ccf6
SHA1 (patch-ah) = 21d64c6f6a9f0ccf13b5439859b05e193b0338b0
SHA1 (patch-al) = d9b35c19e31edea1442b742aeeaa1b37f64d0d67
SHA1 (patch-am) = df5c858b32a9a5aa118c84f6742f9d3547c0c7f3
+SHA1 (patch-an) = dea3d89818a937ad47a72d6a21b806d258a973c2
SHA1 (patch-bb) = 7c6fe21b6328dddce2a079b0a1c7ae0bee817bae
SHA1 (patch-ca) = 95f5a515fe3dafd75d077e0591e88a34447152ff
SHA1 (patch-cb) = 301205b29db1ca60f06b2dc0423f5f911eabcd18
diff --git a/lang/python23/patches/patch-an b/lang/python23/patches/patch-an
new file mode 100644
index 00000000000..a0822ac0372
--- /dev/null
+++ b/lang/python23/patches/patch-an
@@ -0,0 +1,82 @@
+$NetBSD: patch-an,v 1.3 2005/02/04 15:39:04 drochner Exp $
+
+--- Lib/SimpleXMLRPCServer.py.orig 2003-06-29 06:19:37.000000000 +0200
++++ Lib/SimpleXMLRPCServer.py
+@@ -107,14 +107,22 @@ import sys
+ import types
+ import os
+
+-def resolve_dotted_attribute(obj, attr):
++def resolve_dotted_attribute(obj, attr, allow_dotted_names=True):
+ """resolve_dotted_attribute(a, 'b.c.d') => a.b.c.d
+
+ Resolves a dotted attribute name to an object. Raises
+ an AttributeError if any attribute in the chain starts with a '_'.
++
++ If the optional allow_dotted_names argument is false, dots are not
++ supported and this function operates similar to getattr(obj, attr).
+ """
+
+- for i in attr.split('.'):
++ if allow_dotted_names:
++ attrs = attr.split('.')
++ else:
++ attrs = [attr]
++
++ for i in attrs:
+ if i.startswith('_'):
+ raise AttributeError(
+ 'attempt to access private attribute "%s"' % i
+@@ -156,7 +164,7 @@ class SimpleXMLRPCDispatcher:
+ self.funcs = {}
+ self.instance = None
+
+- def register_instance(self, instance):
++ def register_instance(self, instance, allow_dotted_names=False):
+ """Registers an instance to respond to XML-RPC requests.
+
+ Only one instance can be installed at a time.
+@@ -174,9 +182,23 @@ class SimpleXMLRPCDispatcher:
+
+ If a registered function matches a XML-RPC request, then it
+ will be called instead of the registered instance.
++
++ If the optional allow_dotted_names argument is true and the
++ instance does not have a _dispatch method, method names
++ containing dots are supported and resolved, as long as none of
++ the name segments start with an '_'.
++
++ *** SECURITY WARNING: ***
++
++ Enabling the allow_dotted_names options allows intruders
++ to access your module's global variables and may allow
++ intruders to execute arbitrary code on your machine. Only
++ use this option on a secure, closed network.
++
+ """
+
+ self.instance = instance
++ self.allow_dotted_names = allow_dotted_names
+
+ def register_function(self, function, name = None):
+ """Registers a function to respond to XML-RPC requests.
+@@ -295,7 +317,8 @@ class SimpleXMLRPCDispatcher:
+ try:
+ method = resolve_dotted_attribute(
+ self.instance,
+- method_name
++ method_name,
++ self.allow_dotted_names
+ )
+ except AttributeError:
+ pass
+@@ -374,7 +397,8 @@ class SimpleXMLRPCDispatcher:
+ try:
+ func = resolve_dotted_attribute(
+ self.instance,
+- method
++ method,
++ self.allow_dotted_names
+ )
+ except AttributeError:
+ pass