path: root/lang/python26/patches/patch-cb
authordrochner <drochner@pkgsrc.org>2011-03-28 16:00:06 +0000
committerdrochner <drochner@pkgsrc.org>2011-03-28 16:00:06 +0000
commit89649c26a70cf788be10bb7803523d286b61224b (patch)
tree80b79a15340010793a3fb18455bb870d15c9fae0 /lang/python26/patches/patch-cb
parent0f2ea06e1a2092cf4453b384c7a75cfa967eb9eb (diff)
fix a security issue, using patches from upstream:
stricter redirect handling in urllib, to prevent redirects to e.g. "file://" URLs (CVE-2011-1521); bump PKGREV
Diffstat (limited to 'lang/python26/patches/patch-cb')
-rw-r--r--lang/python26/patches/patch-cb21
1 files changed, 21 insertions, 0 deletions
diff --git a/lang/python26/patches/patch-cb b/lang/python26/patches/patch-cb
new file mode 100644
index 00000000000..1af34378a99
--- /dev/null
+++ b/lang/python26/patches/patch-cb
@@ -0,0 +1,21 @@
+$NetBSD: patch-cb,v 1.1 2011/03/28 16:00:07 drochner Exp $
+
+Issue #11662 (CVE-2011-1521)
+
+--- Lib/urllib2.py.orig 2011-03-28 15:17:02.000000000 +0000
++++ Lib/urllib2.py
+@@ -578,6 +578,14 @@ class HTTPRedirectHandler(BaseHandler):
+
+ newurl = urlparse.urljoin(req.get_full_url(), newurl)
+
++ # For security reasons we do not allow redirects to protocols
++ # other than HTTP, HTTPS or FTP.
++ newurl_lower = newurl.lower()
++ if not (newurl_lower.startswith('http://') or
++ newurl_lower.startswith('https://') or
++ newurl_lower.startswith('ftp://')):
++ return
++
+ # XXX Probably want to forget about the state of the current
+ # request, although that might interact poorly with other
+ # handlers that also use handler-specific request attributes
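Review bot: The bare `return` in the new scheme check leaves the 3xx response unhandled by this handler, so the caller gets whatever the rest of the handler chain produces for the redirect status and nothing tells them the redirect was refused because of its scheme; the final upstream fix for issue 11662, as I recall, raises instead of returning. Replace the `return` with `raise HTTPError(newurl, code, msg + " - Redirection to url '%s' is not allowed" % newurl, headers, fp)`, assuming the enclosing handler has urllib2's usual `(self, req, fp, code, msg, headers)` signature — the method starts outside the hunk, so confirm the parameter names before applying. Lower-casing the joined URL before the `startswith` tests is the right call, since `HTTP://` and `FILE://` are otherwise accepted by the opener. This patch only touches urllib2; the `urllib.FancyURLopener` redirect path needs the equivalent check, presumably in a sibling patch not shown here.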