authordrochner <drochner>2011-03-28 16:00:06 +0000
committerdrochner <drochner>2011-03-28 16:00:06 +0000
commitee457b1008750ea9d70e84d9fe6e7c8e6475d1f9 (patch)
tree80b79a15340010793a3fb18455bb870d15c9fae0 /lang/python27
parent444dab98c1ff51e18ca5197d62e526227dc80dca (diff)
downloadpkgsrc-ee457b1008750ea9d70e84d9fe6e7c8e6475d1f9.tar.gz
fix a security issue, using patches from upstream:
stricter redirect handling in urllib, to prevent redirects to e.g. "file://" URLs (CVE-2011-1521); bump PKGREV
Diffstat (limited to 'lang/python27')
-rw-r--r--lang/python27/Makefile3
-rw-r--r--lang/python27/distinfo4
-rw-r--r--lang/python27/patches/patch-ca29
-rw-r--r--lang/python27/patches/patch-cb21
4 files changed, 55 insertions, 2 deletions
diff --git a/lang/python27/Makefile b/lang/python27/Makefile
index 501afbb517f..8850863e1d6 100644
--- a/lang/python27/Makefile
+++ b/lang/python27/Makefile
@@ -1,8 +1,9 @@
-# $NetBSD: Makefile,v 1.1.1.1 2011/02/22 08:51:58 obache Exp $
+# $NetBSD: Makefile,v 1.2 2011/03/28 16:00:07 drochner Exp $
.include "dist.mk"
PKGNAME= python27-${PY_DISTVERSION}
+PKGREVISION= 1
CATEGORIES= lang python
MAINTAINER= pkgsrc-users@NetBSD.org
diff --git a/lang/python27/distinfo b/lang/python27/distinfo
index 389bd9588bb..61781de4f68 100644
--- a/lang/python27/distinfo
+++ b/lang/python27/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.2 2011/02/22 10:50:37 adam Exp $
+$NetBSD: distinfo,v 1.3 2011/03/28 16:00:07 drochner Exp $
SHA1 (Python-2.7.1.tar.bz2) = fbe1894322ff91b80726e269c97454f4129fc2a3
RMD160 (Python-2.7.1.tar.bz2) = 3ce59305f6cd3fb320a53771d0ea01ec0687005f
@@ -16,3 +16,5 @@ SHA1 (patch-au) = 700dc128833af755f3ea08c4db79c127453b12e6
SHA1 (patch-av) = a14eaf4d5db6fc3b79ed896fbfcc34ca98051af2
SHA1 (patch-aw) = 15652e241f371a22c7300f46771825ea74514fa0
SHA1 (patch-ax) = b3a69107d3abbc8476ce79fb05aa8c9f293896a2
+SHA1 (patch-ca) = aa0ad5a9dff1cd7c1c456aa6371733727ac1425b
+SHA1 (patch-cb) = f8fa30bb9aae0ef02c187d1d6db176bac731381e
diff --git a/lang/python27/patches/patch-ca b/lang/python27/patches/patch-ca
new file mode 100644
index 00000000000..457474d629a
--- /dev/null
+++ b/lang/python27/patches/patch-ca
@@ -0,0 +1,29 @@
+$NetBSD: patch-ca,v 1.1 2011/03/28 16:00:07 drochner Exp $
+
+Issue #11662 (CVE-2011-1521)
+
+--- Lib/urllib.py.orig 2007-03-14 08:27:57.000000000 +0000
++++ Lib/urllib.py
+@@ -638,10 +638,20 @@ class FancyURLopener(URLopener):
+ newurl = headers['uri']
+ else:
+ return
+- void = fp.read()
+- fp.close()
++
+ # In case the server sent a relative URL, join with original:
+ newurl = basejoin(self.type + ":" + url, newurl)
++
++ # For security reasons we do not allow redirects to protocols
++ # other than HTTP, HTTPS or FTP.
++ newurl_lower = newurl.lower()
++ if not (newurl_lower.startswith('http://') or
++ newurl_lower.startswith('https://') or
++ newurl_lower.startswith('ftp://')):
++ return
++
++ void = fp.read()
++ fp.close()
+ return self.open(newurl)
+
+ def http_error_301(self, url, fp, errcode, errmsg, headers, data=None):
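Review bot: When the new scheme test in the `if not (newurl_lower.startswith('http://') or ...` block rejects a redirect, http_error_302 returns None with no indication of why, and in FancyURLopener that (as far as I recall from URLopener.http_error, which is outside this hunk) falls through to http_error_default, so the caller receives the 3xx response as an ordinary result rather than an error; a comment on that `return`, such as `# Disallowed scheme: decline the redirect and let the default handler hand the 3xx response back to the caller`, would make the fallback deliberate for the next maintainer. The same three-prefix test is duplicated verbatim in patch-cb for urllib2's HTTPRedirectHandler; in both files it could read `if not newurl_lower.startswith(('http://', 'https://', 'ftp://')):`, which 2.7's str.startswith supports and keeps the allowlist on one line per copy. The signature of http_error_302 and the Location/URI header lookup begin before this hunk.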
diff --git a/lang/python27/patches/patch-cb b/lang/python27/patches/patch-cb
new file mode 100644
index 00000000000..1af34378a99
--- /dev/null
+++ b/lang/python27/patches/patch-cb
@@ -0,0 +1,21 @@
+$NetBSD: patch-cb,v 1.1 2011/03/28 16:00:07 drochner Exp $
+
+Issue #11662 (CVE-2011-1521)
+
+--- Lib/urllib2.py.orig 2011-03-28 15:17:02.000000000 +0000
++++ Lib/urllib2.py
+@@ -578,6 +578,14 @@ class HTTPRedirectHandler(BaseHandler):
+
+ newurl = urlparse.urljoin(req.get_full_url(), newurl)
+
++ # For security reasons we do not allow redirects to protocols
++ # other than HTTP, HTTPS or FTP.
++ newurl_lower = newurl.lower()
++ if not (newurl_lower.startswith('http://') or
++ newurl_lower.startswith('https://') or
++ newurl_lower.startswith('ftp://')):
++ return
++
+ # XXX Probably want to forget about the state of the current
+ # request, although that might interact poorly with other
+ # handlers that also use handler-specific request attributes