summaryrefslogtreecommitdiff
path: root/lang/python24
diff options
context:
space:
mode:
authordrochner <drochner@pkgsrc.org>2005-02-04 15:39:04 +0000
committerdrochner <drochner@pkgsrc.org>2005-02-04 15:39:04 +0000
commit2cefade65dfa20af03311fa62c7573af7e7b57ed (patch)
treebb81caac418a09c508af5743525a8ab16d197547 /lang/python24
parent409fbf659392d95538bcfa6ea686d43ee8aee92c (diff)
downloadpkgsrc-2cefade65dfa20af03311fa62c7573af7e7b57ed.tar.gz
apply the security fix from
http://www.python.org/security/PSF-2005-001/ This disables hierarchical object lookups in SimpleXMLRPCServer. Unfortunately, this breaks some applications (eg kenosis). Don't shoot me for this. bump PKGREVISION
Diffstat (limited to 'lang/python24')
-rw-r--r--lang/python24/Makefile4
-rw-r--r--lang/python24/distinfo3
-rw-r--r--lang/python24/patches/patch-an82
3 files changed, 86 insertions, 3 deletions
diff --git a/lang/python24/Makefile b/lang/python24/Makefile
index 6395b62fa5a..a795f1f23fe 100644
--- a/lang/python24/Makefile
+++ b/lang/python24/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.3 2005/01/30 12:44:40 jmmv Exp $
+# $NetBSD: Makefile,v 1.4 2005/02/04 15:39:04 drochner Exp $
#
DISTNAME= Python-2.4
PKGNAME= python24-2.4
-PKGREVISION= 3
+PKGREVISION= 4
CATEGORIES= lang python
MASTER_SITES= ftp://ftp.python.org/pub/python/2.4/
EXTRACT_SUFX= .tar.bz2
diff --git a/lang/python24/distinfo b/lang/python24/distinfo
index 635519ed2e9..f724663028e 100644
--- a/lang/python24/distinfo
+++ b/lang/python24/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.5 2005/01/24 21:46:33 tv Exp $
+$NetBSD: distinfo,v 1.6 2005/02/04 15:39:04 drochner Exp $
SHA1 (Python-2.4.tar.bz2) = 80c06f491a4b2a629e868540150faf22c5d0e41e
Size (Python-2.4.tar.bz2) = 7840762 bytes
@@ -15,3 +15,4 @@ SHA1 (patch-aj) = e471737ade95423039661b475f2dd0fc27aa9dac
SHA1 (patch-ak) = f2e1d4087a94490bd3589a8c829ec72e04f31f72
SHA1 (patch-al) = 2cd3088f1d8b4e827c89fa75c2f7663f842451af
SHA1 (patch-am) = aa71ec2f9cc8f434ff38b19df23b5dd433e13e5a
+SHA1 (patch-an) = 02222a16fb6b5eac69098e8c310f62bb75fa559b
diff --git a/lang/python24/patches/patch-an b/lang/python24/patches/patch-an
new file mode 100644
index 00000000000..00cf610e3ac
--- /dev/null
+++ b/lang/python24/patches/patch-an
@@ -0,0 +1,82 @@
+$NetBSD: patch-an,v 1.1 2005/02/04 15:39:04 drochner Exp $
+
+--- Lib/SimpleXMLRPCServer.py.orig 2004-10-04 01:21:44.000000000 +0200
++++ Lib/SimpleXMLRPCServer.py
+@@ -106,14 +106,22 @@ import BaseHTTPServer
+ import sys
+ import os
+
+-def resolve_dotted_attribute(obj, attr):
++def resolve_dotted_attribute(obj, attr, allow_dotted_names=True):
+ """resolve_dotted_attribute(a, 'b.c.d') => a.b.c.d
+
+ Resolves a dotted attribute name to an object. Raises
+ an AttributeError if any attribute in the chain starts with a '_'.
++
++ If the optional allow_dotted_names argument is false, dots are not
++ supported and this function operates similar to getattr(obj, attr).
+ """
+
+- for i in attr.split('.'):
++ if allow_dotted_names:
++ attrs = attr.split('.')
++ else:
++ attrs = [attr]
++
++ for i in attrs:
+ if i.startswith('_'):
+ raise AttributeError(
+ 'attempt to access private attribute "%s"' % i
+@@ -155,7 +163,7 @@ class SimpleXMLRPCDispatcher:
+ self.funcs = {}
+ self.instance = None
+
+- def register_instance(self, instance):
++ def register_instance(self, instance, allow_dotted_names=False):
+ """Registers an instance to respond to XML-RPC requests.
+
+ Only one instance can be installed at a time.
+@@ -173,9 +181,23 @@ class SimpleXMLRPCDispatcher:
+
+ If a registered function matches a XML-RPC request, then it
+ will be called instead of the registered instance.
++
++ If the optional allow_dotted_names argument is true and the
++ instance does not have a _dispatch method, method names
++ containing dots are supported and resolved, as long as none of
++ the name segments start with an '_'.
++
++ *** SECURITY WARNING: ***
++
++ Enabling the allow_dotted_names options allows intruders
++ to access your module's global variables and may allow
++ intruders to execute arbitrary code on your machine. Only
++ use this option on a secure, closed network.
++
+ """
+
+ self.instance = instance
++ self.allow_dotted_names = allow_dotted_names
+
+ def register_function(self, function, name = None):
+ """Registers a function to respond to XML-RPC requests.
+@@ -294,7 +316,8 @@ class SimpleXMLRPCDispatcher:
+ try:
+ method = resolve_dotted_attribute(
+ self.instance,
+- method_name
++ method_name,
++ self.allow_dotted_names
+ )
+ except AttributeError:
+ pass
+@@ -373,7 +396,8 @@ class SimpleXMLRPCDispatcher:
+ try:
+ func = resolve_dotted_attribute(
+ self.instance,
+- method
++ method,
++ self.allow_dotted_names
+ )
+ except AttributeError:
+ pass