author | drochner <drochner> | 2011-03-28 16:00:06 +0000 |
---|---|---|
committer | drochner <drochner> | 2011-03-28 16:00:06 +0000 |
commit | ee457b1008750ea9d70e84d9fe6e7c8e6475d1f9 (patch) | |
tree | 80b79a15340010793a3fb18455bb870d15c9fae0 /lang/python26/patches | |
parent | 444dab98c1ff51e18ca5197d62e526227dc80dca (diff) | |
download | pkgsrc-ee457b1008750ea9d70e84d9fe6e7c8e6475d1f9.tar.gz |
fix a security issue, using patches from upstream:
stricter redirect handling in urllib, to prevent redirects to e.g.
"file://" URLs (CVE-2011-1521)
bump PKGREV
Diffstat (limited to 'lang/python26/patches')
-rw-r--r-- | lang/python26/patches/patch-ca | 29 | ||||
-rw-r--r-- | lang/python26/patches/patch-cb | 21 |
2 files changed, 50 insertions, 0 deletions
diff --git a/lang/python26/patches/patch-ca b/lang/python26/patches/patch-ca
new file mode 100644
index 00000000000..457474d629a
--- /dev/null
+++ b/lang/python26/patches/patch-ca
@@ -0,0 +1,29 @@
+$NetBSD: patch-ca,v 1.1 2011/03/28 16:00:07 drochner Exp $
+
+Issue #11662 (CVE-2011-1521)
+
+--- Lib/urllib.py.orig 2007-03-14 08:27:57.000000000 +0000
++++ Lib/urllib.py
+@@ -638,10 +638,20 @@ class FancyURLopener(URLopener):
+ newurl = headers['uri']
+ else:
+ return
+- void = fp.read()
+- fp.close()
++
+ # In case the server sent a relative URL, join with original:
+ newurl = basejoin(self.type + ":" + url, newurl)
++
++ # For security reasons we do not allow redirects to protocols
++ # other than HTTP, HTTPS or FTP.
++ newurl_lower = newurl.lower()
++ if not (newurl_lower.startswith('http://') or
++ newurl_lower.startswith('https://') or
++ newurl_lower.startswith('ftp://')):
++ return
++
++ void = fp.read()
++ fp.close()
+ return self.open(newurl)
+
+ def http_error_301(self, url, fp, errcode, errmsg, headers, data=None):
diff --git a/lang/python26/patches/patch-cb b/lang/python26/patches/patch-cb
new file mode 100644
index 00000000000..1af34378a99
--- /dev/null
+++ b/lang/python26/patches/patch-cb
@@ -0,0 +1,21 @@
+$NetBSD: patch-cb,v 1.1 2011/03/28 16:00:07 drochner Exp $
+
+Issue #11662 (CVE-2011-1521)
+
+--- Lib/urllib2.py.orig 2011-03-28 15:17:02.000000000 +0000
++++ Lib/urllib2.py
+@@ -578,6 +578,14 @@ class HTTPRedirectHandler(BaseHandler):
+
+ newurl = urlparse.urljoin(req.get_full_url(), newurl)
+
++ # For security reasons we do not allow redirects to protocols
++ # other than HTTP, HTTPS or FTP.
++ newurl_lower = newurl.lower()
++ if not (newurl_lower.startswith('http://') or
++ newurl_lower.startswith('https://') or
++ newurl_lower.startswith('ftp://')):
++ return
++
+ # XXX Probably want to forget about the state of the current
+ # request, although that might interact poorly with other
+ # handlers that also use handler-specific request attributes |
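Review bot: The three chained `startswith` calls in the new scheme check of patch-ca (Lib/urllib.py, redirect_internal) read more clearly as a single call with a tuple of allowed prefixes, `if not newurl_lower.startswith(('http://', 'https://', 'ftp://')):` followed by `return`; the identical block in patch-cb (Lib/urllib2.py) would take the same form. Because `fp.read()` and `fp.close()` are now moved below the check, a rejected redirect returns with the response body unread and the file object still open; presumably the caller's default error path then hands that 30x response back to the user, but the comment should say so rather than leave it implied, e.g. `# A rejected redirect is not followed: fp is left open and the 30x response itself is returned to the caller.` The enclosing method redirect_internal starts before this hunk.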
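Review bot: The new comment in patch-cb (Lib/urllib2.py, HTTPRedirectHandler) explains why the scheme is restricted but not what the bare `return` does to the request; in a BaseHandler error method returning None presumably declines the redirect and leaves the 30x response to the remaining handlers, which callers will see as an error rather than a followed redirect. A one-line addition such as `# Returning None declines to follow the redirect; the 30x response is left to the other handlers.` would make the observable behaviour clear at the point where it is decided. The check is correctly applied to the joined absolute URL rather than the raw Location header, so relative redirects cannot bypass it. The enclosing method starts and ends outside this hunk.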