Merge the patch for http://secunia.com/advisories/43463/ from the

copy in python26.

3 files changed, 90 insertions, 3 deletions

diff --git a/lang/python25/Makefile b/lang/python25/Makefile
index 06e19b17381..3180cd52704 100644
--- a/lang/python25/Makefile
+++ b/lang/python25/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.29 2011/02/28 14:52:54 wiz Exp $
+# $NetBSD: Makefile,v 1.30 2011/03/06 03:24:11 dholland Exp $
 
 .include "dist.mk"
 
 PKGNAME=	python25-${PY_DISTVERSION}
-PKGREVISION=	1
+PKGREVISION=	2
 CATEGORIES=	lang python
 
 MAINTAINER=	pkgsrc-users@NetBSD.org
diff --git a/lang/python25/distinfo b/lang/python25/distinfo
index f98caa303ca..301c75648b1 100644
--- a/lang/python25/distinfo
+++ b/lang/python25/distinfo
@@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.13 2010/04/07 14:57:49 gdt Exp $
+$NetBSD: distinfo,v 1.14 2011/03/06 03:24:11 dholland Exp $
 
 SHA1 (Python-2.5.5.tar.bz2) = dcf1abd94a1ab4155dcd3668cca42c5bfc81159f
 RMD160 (Python-2.5.5.tar.bz2) = 4754238d415142466778560d989582464385654c
 Size (Python-2.5.5.tar.bz2) = 9822917 bytes
+SHA1 (patch-SA43463) = df776e171f1794bae52b6e98bc71ae63734b7693
 SHA1 (patch-aa) = d44e67645dc86ff14f5daf5705de02c6f330cc48
 SHA1 (patch-ab) = d35025df83e70d129f9fbcd277652b0eea83b026
 SHA1 (patch-ac) = 4de5b8dc20b41dc3bb4acd38011ef59570318d3f
diff --git a/lang/python25/patches/patch-SA43463 b/lang/python25/patches/patch-SA43463
new file mode 100644
index 00000000000..103083a069d
--- /dev/null
+++ b/lang/python25/patches/patch-SA43463
@@ -0,0 +1,86 @@
+$NetBSD: patch-SA43463,v 1.1 2011/03/06 03:24:11 dholland Exp $
+
+Fix information disclosure vulnerability reported in SA43463.
+Original patch taken from the Python SVN repository:
+
+http://svn.python.org/view?view=revision&revision=71303
+
+and backported to the python25 version.
+
+--- Lib/CGIHTTPServer.py.orig	2007-04-25 06:42:41.000000000 +0000
++++ Lib/CGIHTTPServer.py
+@@ -76,20 +76,15 @@ class CGIHTTPRequestHandler(SimpleHTTPSe
+         CGI script, None if not.  Note that rest begins with a
+         slash if it is not empty.
+ 
+-        The default implementation tests whether the path
+-        begins with one of the strings in the list
+-        self.cgi_directories (and the next character is a '/'
+-        or the end of the string).
+-
++        The default implementation tests whether the normalized url
++        path begins with one of the strings in self.cgi_directories
++        (and the next character is a '/' or the end of the string).
+         """
+ 
+-        path = self.path
+-
+-        for x in self.cgi_directories:
+-            i = len(x)
+-            if path[:i] == x and (not path[i:] or path[i] == '/'):
+-                self.cgi_info = path[:i], path[i+1:]
+-                return True
++        splitpath = _url_collapse_path_split(self.path)
++        if splitpath[0] in self.cgi_directories:
++            self.cgi_info = splitpath
++            return True
+         return False
+ 
+     cgi_directories = ['/cgi-bin', '/htbin']
+@@ -326,6 +321,46 @@ class CGIHTTPRequestHandler(SimpleHTTPSe
+                 self.log_message("CGI script exited OK")
+ 
+ 
++# TODO(gregory.p.smith): Move this into an appropriate library.
++def _url_collapse_path_split(path):
++    """
++    Given a URL path, remove extra '/'s and '.' path elements and collapse
++    any '..' references.
++
++    Implements something akin to RFC-2396 5.2 step 6 to parse relative paths.
++
++    Returns: A tuple of (head, tail) where tail is everything after the final /
++    and head is everything before it.  Head will always start with a '/' and,
++    if it contains anything else, never have a trailing '/'.
++
++    Raises: IndexError if too many '..' occur within the path.
++    """
++    # Similar to os.path.split(os.path.normpath(path)) but specific to URL
++    # path semantics rather than local operating system semantics.
++    path_parts = []
++    for part in path.split('/'):
++        if part == '.':
++            path_parts.append('')
++        else:
++            path_parts.append(part)
++    # Filter out blank non trailing parts before consuming the '..'.
++    path_parts = [part for part in path_parts[:-1] if part] + path_parts[-1:]
++    if path_parts:
++        tail_part = path_parts.pop()
++    else:
++        tail_part = ''
++    head_parts = []
++    for part in path_parts:
++        if part == '..':
++            head_parts.pop()
++        else:
++            head_parts.append(part)
++    if tail_part and tail_part == '..':
++        head_parts.pop()
++        tail_part = ''
++    return ('/' + '/'.join(head_parts), tail_part)
++
++
+ nobody = None
+ 
+ def nobody_uid():