author | he <he@pkgsrc.org> | 2014-07-02 08:22:02 +0000 |
---|---|---|
committer | he <he@pkgsrc.org> | 2014-07-02 08:22:02 +0000 |
commit | fcb008f88809a54cf4043fb21ef45dcab5bfe5fb (patch) | |
tree | de24905e84b0cc8cacbb771ab6c5efeadcc857c0 /lang/python27 | |
parent | 62325cde4365633561d06456815ae3f8de2d4c49 (diff) | |
Apply a fix for a directory-traversal vulnerability, ref.
http://bugs.python.org/issue21766
Bump PKGREVISION.
Diffstat (limited to 'lang/python27')
-rw-r--r-- | lang/python27/distinfo | 6 | ||||
-rw-r--r-- | lang/python27/patches/patch-Lib_CGIHTTPServer.py | 16 | ||||
-rw-r--r-- | lang/python27/patches/patch-Lib_test_test__httpservers.py | 19 | ||||
-rw-r--r-- | lang/python27/patches/patch-Misc_NEWS | 21 |
4 files changed, 54 insertions, 8 deletions
diff --git a/lang/python27/distinfo b/lang/python27/distinfo
index 5cc8f1c3f47..8fee3aa256b 100644
--- a/lang/python27/distinfo
+++ b/lang/python27/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.42 2014/06/11 05:55:58 richard Exp $
+$NetBSD: distinfo,v 1.43 2014/07/02 08:22:02 he Exp $
 SHA1 (Python-2.7.7.tar.xz) = 5f82557cac5abf18d1df6f8bb2029aa335b321f4
 RMD160 (Python-2.7.7.tar.xz) = 988da9490e8d66a2456accdce5dbe9ba875d5a18
@@ -6,12 +6,14 @@ Size (Python-2.7.7.tar.xz) = 10496500 bytes
 SHA1 (patch-Include_node.h) = 673d148b625711ac47e4bfeb0f5b0d5b31f94d7e
 SHA1 (patch-Include_pyerrors.h) = 3eba043c83b1d1df4918524f7b53047a6ed372ae
 SHA1 (patch-Include_pyport.h) = 3f21c910cf7f002184d2b054a1a362e4a98a218f
+SHA1 (patch-Lib_CGIHTTPServer.py) = 533ab07f23b5bcbb13c9bc8e49b056f0a95768a4
 SHA1 (patch-Lib_distutils_unixccompiler.py) = 39b967dc2ae648143d5841f22602a21063b4d5ea
 SHA1 (patch-Lib_poplib.py) = 5d7f64b028abd2fd43651f27a7f2ce7efe5b0859
 SHA1 (patch-Lib_smtplib.py) = f1118bbc53b4e292eb9a28ef3ef10eb4aa553bc3
+SHA1 (patch-Lib_test_test__httpservers.py) = b3c85c74bdd42b736882a92f807392abf3bb4fbd
 SHA1 (patch-Lib_test_test__poplib.py) = 1bdef76b687d042272e35c08521d4244d2c7fbe1
 SHA1 (patch-Lib_test_test_smtplib.py) = 9e8a7f826c7d0f493746718b49fc27ac97c2cbb1
-SHA1 (patch-Misc_NEWS) = 773d71d171a4d4e915297f723a37f5c5e5ef2bd4
+SHA1 (patch-Misc_NEWS) = c9171e10227567750db8e11881aca305cd8c3a42
 SHA1 (patch-Modules___ssl.c) = aaddaea5bcd6c84d3d896c7c37f710933b8228bc
 SHA1 (patch-Modules_getpath.c) = f68b38eb90f974b67ceab3922ce7f92eb77f25c3
 SHA1 (patch-aa) = 990e4025bb6a37715e1f5df1831499f0ab08acfa
diff --git a/lang/python27/patches/patch-Lib_CGIHTTPServer.py b/lang/python27/patches/patch-Lib_CGIHTTPServer.py
new file mode 100644
index 00000000000..ba26695ea1b
--- /dev/null
+++ b/lang/python27/patches/patch-Lib_CGIHTTPServer.py
@@ -0,0 +1,16 @@
+$NetBSD: patch-Lib_CGIHTTPServer.py,v 1.1 2014/07/02 08:22:02 he Exp $
+
+Fix for directory-traversal vulnerability, ref.
+http://bugs.python.org/issue21766
+
+--- Lib/CGIHTTPServer.py.orig 2014-06-09 11:29:36.000000000 +0000
++++ Lib/CGIHTTPServer.py
+@@ -84,7 +84,7 @@ class CGIHTTPRequestHandler(SimpleHTTPSe
+ path begins with one of the strings in self.cgi_directories
+ (and the next character is a '/' or the end of the string).
+ """
+- collapsed_path = _url_collapse_path(self.path)
++ collapsed_path = _url_collapse_path(urllib.unquote(self.path))
+ dir_sep = collapsed_path.find('/', 1)
+ head, tail = collapsed_path[:dir_sep], collapsed_path[dir_sep+1:]
+ if head in self.cgi_directories:
diff --git a/lang/python27/patches/patch-Lib_test_test__httpservers.py b/lang/python27/patches/patch-Lib_test_test__httpservers.py
new file mode 100644
index 00000000000..125ba711de0
--- /dev/null
+++ b/lang/python27/patches/patch-Lib_test_test__httpservers.py
@@ -0,0 +1,19 @@
+$NetBSD: patch-Lib_test_test__httpservers.py,v 1.1 2014/07/02 08:22:02 he Exp $
+
+Test case for directory traversal vulnerability, ref.
+http://bugs.python.org/issue21766
+
+--- Lib/test/test_httpservers.py.orig 2014-06-09 11:29:38.000000000 +0000
++++ Lib/test/test_httpservers.py
+@@ -510,6 +510,11 @@ class CGIHTTPServerTestCase(BaseTestCase
+ (res.read(), res.getheader('Content-type'), res.status))
+ self.assertEqual(os.environ['SERVER_SOFTWARE'], signature)
+
++ def test_urlquote_decoding_in_cgi_check(self):
++ res = self.request('/cgi-bin%2ffile1.py')
++ self.assertEqual((b'Hello World\n', 'text/html', 200),
++ (res.read(), res.getheader('Content-type'), res.status))
++
+
+ class SimpleHTTPRequestHandlerTestCase(unittest.TestCase):
+ """ Test url parsing """
diff --git a/lang/python27/patches/patch-Misc_NEWS b/lang/python27/patches/patch-Misc_NEWS
index 4e738c28153..ceeaeb19672 100644
--- a/lang/python27/patches/patch-Misc_NEWS
+++ b/lang/python27/patches/patch-Misc_NEWS
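Review bot: The is_cgi docstring visible in the hunk still describes the check purely in terms of the raw request path, while the new line now decodes it first, so the contract should say so; add to the docstring `The path is URL-unquoted before it is collapsed, so percent-encoded separators are seen by the cgi_directories check.` The decode-then-collapse order on the `_url_collapse_path(urllib.unquote(self.path))` line is the whole point of the fix — collapsing first would leave encoded `..` and `/` components untouched — so a short why-comment on that line, `# unquote first: encoded separators must not bypass the cgi_directories check (issue21766)`, would keep a future refactor from swapping the two calls. Note that `head, tail` (and presumably the `self.cgi_info` assignment below the hunk that run_cgi consumes) are now derived from the decoded path, so the decoding is visible downstream as well. is_cgi's body continues outside the hunk, and whether `urllib` is already imported in Lib/CGIHTTPServer.py cannot be confirmed from this patch alone.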
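Review bot: The new test pins only the positive case — an encoded separator inside `/cgi-bin` is decoded and the script is executed — and carries no comment tying it to the bug it guards; a one-line comment above `def test_urlquote_decoding_in_cgi_check(self):`, `# Issue #21766: percent-encoded separators must be decoded before the cgi_directories check.`, would make the intent clear to whoever next touches it. The test relies on a `cgi-bin/file1.py` fixture that is presumably created elsewhere in CGIHTTPServerTestCase; that setup is outside this hunk, as is the rest of the class.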
@@ -1,11 +1,20 @@
-$NetBSD: patch-Misc_NEWS,v 1.3 2014/06/09 17:58:31 he Exp $
+$NetBSD: patch-Misc_NEWS,v 1.4 2014/07/02 08:22:02 he Exp $
-Apply a fix for CVE-2013-1752 for the SMTP and Pop parts.
-From http://bugs.python.org/issue16042 and issue16041.
-
---- Misc/NEWS.orig 2014-06-09 11:29:34.000000000 +0000
+Note added fixes.
+
+--- Misc/NEWS.orig 2014-05-31 18:58:39.000000000 +0000
 +++ Misc/NEWS
-@@ -585,6 +585,13 @@ Library
+@@ -63,6 +63,9 @@ Core and Builtins
+ Library
+ -------
+
++- Issue #21766: Prevent a security hole in CGIHTTPServer by URL unquoting paths
++ before checking for a CGI script at that path.
++
+ - Issue #10744: Fix PEP 3118 format strings on ctypes objects with a nontrivial
+ shape.
+
+@@ -585,6 +588,13 @@ Library
 prevent readline() calls from consuming too much memory. Patch by Jyrki Pulliainen. |