author | dholland <dholland@pkgsrc.org> | 2011-03-06 03:24:11 +0000 |
committer | dholland <dholland@pkgsrc.org> | 2011-03-06 03:24:11 +0000 |
commit | afabde83fa45301144c90954cb4aeede9dc9b178 (patch) | |
tree | 96ed27e4ed80476908f2a9921c476d56a432f0d6 /lang/python25 | |
parent | 7a007d5dc55b44c7624ebcfe3b9121b9912aa20a (diff) | |
download | pkgsrc-afabde83fa45301144c90954cb4aeede9dc9b178.tar.gz |
Merge the patch for http://secunia.com/advisories/43463/ from the
copy in python26.
Diffstat (limited to 'lang/python25')
-rw-r--r-- | lang/python25/Makefile | 4 | ||||
-rw-r--r-- | lang/python25/distinfo | 3 | ||||
-rw-r--r-- | lang/python25/patches/patch-SA43463 | 86 |
3 files changed, 90 insertions, 3 deletions
diff --git a/lang/python25/Makefile b/lang/python25/Makefile
index 06e19b17381..3180cd52704 100644
--- a/lang/python25/Makefile
+++ b/lang/python25/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.29 2011/02/28 14:52:54 wiz Exp $
+# $NetBSD: Makefile,v 1.30 2011/03/06 03:24:11 dholland Exp $
 
 .include "dist.mk"
 
 PKGNAME= python25-${PY_DISTVERSION}
-PKGREVISION= 1
+PKGREVISION= 2
 CATEGORIES= lang python
 
 MAINTAINER= pkgsrc-users@NetBSD.org
diff --git a/lang/python25/distinfo b/lang/python25/distinfo
index f98caa303ca..301c75648b1 100644
--- a/lang/python25/distinfo
+++ b/lang/python25/distinfo
@@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.13 2010/04/07 14:57:49 gdt Exp $
+$NetBSD: distinfo,v 1.14 2011/03/06 03:24:11 dholland Exp $
 
 SHA1 (Python-2.5.5.tar.bz2) = dcf1abd94a1ab4155dcd3668cca42c5bfc81159f
 RMD160 (Python-2.5.5.tar.bz2) = 4754238d415142466778560d989582464385654c
 Size (Python-2.5.5.tar.bz2) = 9822917 bytes
+SHA1 (patch-SA43463) = df776e171f1794bae52b6e98bc71ae63734b7693
 SHA1 (patch-aa) = d44e67645dc86ff14f5daf5705de02c6f330cc48
 SHA1 (patch-ab) = d35025df83e70d129f9fbcd277652b0eea83b026
 SHA1 (patch-ac) = 4de5b8dc20b41dc3bb4acd38011ef59570318d3f
diff --git a/lang/python25/patches/patch-SA43463 b/lang/python25/patches/patch-SA43463
new file mode 100644
index 00000000000..103083a069d
--- /dev/null
+++ b/lang/python25/patches/patch-SA43463
@@ -0,0 +1,86 @@
+$NetBSD: patch-SA43463,v 1.1 2011/03/06 03:24:11 dholland Exp $
+
+Fix information disclosure vulnerability reported in SA43463.
+Original patch taken from the Python SVN repository:
+
+http://svn.python.org/view?view=revision&revision=71303
+
+and backported to the python25 version.
+
+--- Lib/CGIHTTPServer.py.orig 2007-04-25 06:42:41.000000000 +0000
++++ Lib/CGIHTTPServer.py
+@@ -76,20 +76,15 @@ class CGIHTTPRequestHandler(SimpleHTTPSe
+ CGI script, None if not. Note that rest begins with a
+ slash if it is not empty.
+
+- The default implementation tests whether the path
+- begins with one of the strings in the list
+- self.cgi_directories (and the next character is a '/'
+- or the end of the string).
+-
++ The default implementation tests whether the normalized url
++ path begins with one of the strings in self.cgi_directories
++ (and the next character is a '/' or the end of the string).
+ """
+
+- path = self.path
+-
+- for x in self.cgi_directories:
+- i = len(x)
+- if path[:i] == x and (not path[i:] or path[i] == '/'):
+- self.cgi_info = path[:i], path[i+1:]
+- return True
++ splitpath = _url_collapse_path_split(self.path)
++ if splitpath[0] in self.cgi_directories:
++ self.cgi_info = splitpath
++ return True
+ return False
+
+ cgi_directories = ['/cgi-bin', '/htbin']
+@@ -326,6 +321,46 @@ class CGIHTTPRequestHandler(SimpleHTTPSe
+ self.log_message("CGI script exited OK")
+
+
++# TODO(gregory.p.smith): Move this into an appropriate library.
++def _url_collapse_path_split(path):
++ """
++ Given a URL path, remove extra '/'s and '.' path elements and collapse
++ any '..' references.
++
++ Implements something akin to RFC-2396 5.2 step 6 to parse relative paths.
++
++ Returns: A tuple of (head, tail) where tail is everything after the final /
++ and head is everything before it. Head will always start with a '/' and,
++ if it contains anything else, never have a trailing '/'.
++
++ Raises: IndexError if too many '..' occur within the path.
++ """
++ # Similar to os.path.split(os.path.normpath(path)) but specific to URL
++ # path semantics rather than local operating system semantics.
++ path_parts = []
++ for part in path.split('/'):
++ if part == '.':
++ path_parts.append('')
++ else:
++ path_parts.append(part)
++ # Filter out blank non trailing parts before consuming the '..'.
++ path_parts = [part for part in path_parts[:-1] if part] + path_parts[-1:]
++ if path_parts:
++ tail_part = path_parts.pop()
++ else:
++ tail_part = ''
++ head_parts = []
++ for part in path_parts:
++ if part == '..':
++ head_parts.pop()
++ else:
++ head_parts.append(part)
++ if tail_part and tail_part == '..':
++ head_parts.pop()
++ tail_part = ''
++ return ('/' + '/'.join(head_parts), tail_part)
++
++
+ nobody = None
+
+ def nobody_uid():
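Review bot: The new `is_cgi` body calls `_url_collapse_path_split(self.path)` without catching the IndexError that the helper's own docstring documents for paths with more '..' elements than preceding components (`head_parts.pop()` on an empty list), so such a request path now aborts the handler instead of reaching `return False`. Guard the call in `is_cgi`: `try: splitpath = _url_collapse_path_split(self.path)` followed by `except IndexError: return False`, which hands the path to the non-CGI handling as before. Separately, `self.cgi_info = splitpath` keeps only the last component as the script name, so a script one level below a `cgi_directories` entry (head would be `/cgi-bin/sub`) presumably no longer matches the way the old prefix test did; if that narrowing is intended, a sentence in the patch header saying so would help the next update. `is_cgi` begins before this inner hunk, so the enclosing function is not fully visible here.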