diff options
author | tron <tron@pkgsrc.org> | 2011-02-28 22:35:53 +0000 |
---|---|---|
committer | tron <tron@pkgsrc.org> | 2011-02-28 22:35:53 +0000 |
commit | 23b0e69ff8c5c978ea0fe239e6bead05222dedc3 (patch) | |
tree | b9b80d484ca95b16536b5a9780e571c4860d899c /lang/python26 | |
parent | b1b44effe61dff34ea5e1267a9f84e7edfa37cef (diff) | |
download | pkgsrc-23b0e69ff8c5c978ea0fe239e6bead05222dedc3.tar.gz |
Add fix for the information disclosure vulnerability reported in SA43463
taken from the Python SVN repository.
Diffstat (limited to 'lang/python26')
-rw-r--r-- | lang/python26/Makefile | 4 | ||||
-rw-r--r-- | lang/python26/distinfo | 3 | ||||
-rw-r--r-- | lang/python26/patches/patch-SA43463 | 96 |
3 files changed, 100 insertions, 3 deletions
diff --git a/lang/python26/Makefile b/lang/python26/Makefile index 7464c3c00c6..327823b1267 100644 --- a/lang/python26/Makefile +++ b/lang/python26/Makefile @@ -1,9 +1,9 @@ -# $NetBSD: Makefile,v 1.33 2011/01/03 12:13:21 adam Exp $ +# $NetBSD: Makefile,v 1.34 2011/02/28 22:35:53 tron Exp $ .include "dist.mk" PKGNAME= python26-${PY_DISTVERSION} -PKGREVISION= 5 +PKGREVISION= 6 CATEGORIES= lang python MAINTAINER= pkgsrc-users@NetBSD.org diff --git a/lang/python26/distinfo b/lang/python26/distinfo index 63bacce4f5b..d569112c756 100644 --- a/lang/python26/distinfo +++ b/lang/python26/distinfo @@ -1,8 +1,9 @@ -$NetBSD: distinfo,v 1.31 2011/02/05 09:34:04 hiramatsu Exp $ +$NetBSD: distinfo,v 1.32 2011/02/28 22:35:53 tron Exp $ SHA1 (Python-2.6.6.tar.bz2) = a1daf2c2c7cffe0939c015260447572fe75c7e50 RMD160 (Python-2.6.6.tar.bz2) = 2d63f4f0ad3c124a8e62215ca94bd0231350e912 Size (Python-2.6.6.tar.bz2) = 11080872 bytes +SHA1 (patch-SA43463) = a0285ce9eb1d994bb05cd54812f3fc9cb678fe7f SHA1 (patch-aa) = 0528fc5da76d5f1d19586ea3dda1acd09a4b0113 SHA1 (patch-ab) = b47aa9d18a7c1a99ac8cc8b29c64867443f303e5 SHA1 (patch-ac) = 57c88d47f82630e67bcd27ab61bf4362035da2f2 diff --git a/lang/python26/patches/patch-SA43463 b/lang/python26/patches/patch-SA43463 new file mode 100644 index 00000000000..05d22171035 --- /dev/null +++ b/lang/python26/patches/patch-SA43463 @@ -0,0 +1,96 @@ +$NetBSD: patch-SA43463,v 1.1 2011/02/28 22:35:53 tron Exp $ + +Fix information disclosure vulnerability reported in SA43463. +Patch taken from the Python SVN repository: + +http://svn.python.org/view?view=revision&revision=71303 + +--- Lib/CGIHTTPServer.py.orig 2009-11-11 17:24:53.000000000 +0000 ++++ Lib/CGIHTTPServer.py 2011-02-28 22:16:27.000000000 +0000 +@@ -70,27 +70,20 @@ + return SimpleHTTPServer.SimpleHTTPRequestHandler.send_head(self) + + def is_cgi(self): +- """Test whether self.path corresponds to a CGI script, +- and return a boolean. ++ """Test whether self.path corresponds to a CGI script. + +- This function sets self.cgi_info to a tuple (dir, rest) +- when it returns True, where dir is the directory part before +- the CGI script name. Note that rest begins with a +- slash if it is not empty. +- +- The default implementation tests whether the path +- begins with one of the strings in the list +- self.cgi_directories (and the next character is a '/' +- or the end of the string). ++ Returns True and updates the cgi_info attribute to the tuple ++ (dir, rest) if self.path requires running a CGI script. ++ Returns False otherwise. ++ ++ The default implementation tests whether the normalized url ++ path begins with one of the strings in self.cgi_directories ++ (and the next character is a '/' or the end of the string). + """ +- +- path = self.path +- +- for x in self.cgi_directories: +- i = len(x) +- if path[:i] == x and (not path[i:] or path[i] == '/'): +- self.cgi_info = path[:i], path[i+1:] +- return True ++ splitpath = _url_collapse_path_split(self.path) ++ if splitpath[0] in self.cgi_directories: ++ self.cgi_info = splitpath ++ return True + return False + + cgi_directories = ['/cgi-bin', '/htbin'] +@@ -299,6 +292,46 @@ + self.log_message("CGI script exited OK") + + ++# TODO(gregory.p.smith): Move this into an appropriate library. ++def _url_collapse_path_split(path): ++ """ ++ Given a URL path, remove extra '/'s and '.' path elements and collapse ++ any '..' references. ++ ++ Implements something akin to RFC-2396 5.2 step 6 to parse relative paths. ++ ++ Returns: A tuple of (head, tail) where tail is everything after the final / ++ and head is everything before it. Head will always start with a '/' and, ++ if it contains anything else, never have a trailing '/'. ++ ++ Raises: IndexError if too many '..' occur within the path. ++ """ ++ # Similar to os.path.split(os.path.normpath(path)) but specific to URL ++ # path semantics rather than local operating system semantics. ++ path_parts = [] ++ for part in path.split('/'): ++ if part == '.': ++ path_parts.append('') ++ else: ++ path_parts.append(part) ++ # Filter out blank non trailing parts before consuming the '..'. ++ path_parts = [part for part in path_parts[:-1] if part] + path_parts[-1:] ++ if path_parts: ++ tail_part = path_parts.pop() ++ else: ++ tail_part = '' ++ head_parts = [] ++ for part in path_parts: ++ if part == '..': ++ head_parts.pop() ++ else: ++ head_parts.append(part) ++ if tail_part and tail_part == '..': ++ head_parts.pop() ++ tail_part = '' ++ return ('/' + '/'.join(head_parts), tail_part) ++ ++ + nobody = None + + def nobody_uid(): |