authorhe <he@pkgsrc.org>2014-07-04 11:37:13 +0000
committerhe <he@pkgsrc.org>2014-07-04 11:37:13 +0000
commitd2ec5e4d68b94c6f9e519d117933bcfbdf0c8b7b (patch)
tree9800320704e89a4602f63b8f2e5a88e08b13a14b /lang/python34
parentd2e2cd823a99f7a816f42ebb5cb9858d3a9e3960 (diff)
Apply the fix for the directory traversal vulnerability; ref.
http://bugs.python.org/issue21766. Bump PKGREVISION.
Diffstat (limited to 'lang/python34')
-rw-r--r--lang/python34/Makefile3
-rw-r--r--lang/python34/distinfo5
-rw-r--r--lang/python34/patches/patch-Lib_http_server.py16
-rw-r--r--lang/python34/patches/patch-Lib_test_test__httpservers.py19
-rw-r--r--lang/python34/patches/patch-Misc_NEWS17
5 files changed, 58 insertions, 2 deletions
diff --git a/lang/python34/Makefile b/lang/python34/Makefile
index eb1984b4b5f..3cee30441d9 100644
--- a/lang/python34/Makefile
+++ b/lang/python34/Makefile
@@ -1,8 +1,9 @@
-# $NetBSD: Makefile,v 1.5 2014/05/20 09:13:37 wiz Exp $
+# $NetBSD: Makefile,v 1.6 2014/07/04 11:37:13 he Exp $
.include "dist.mk"
PKGNAME= python34-${PY_DISTVERSION}
+PKGREVISION= 1
CATEGORIES= lang python
MAINTAINER= pkgsrc-users@NetBSD.org
diff --git a/lang/python34/distinfo b/lang/python34/distinfo
index 99b54e3a2a3..96705eb02e2 100644
--- a/lang/python34/distinfo
+++ b/lang/python34/distinfo
@@ -1,9 +1,12 @@
-$NetBSD: distinfo,v 1.12 2014/06/01 13:48:42 wiz Exp $
+$NetBSD: distinfo,v 1.13 2014/07/04 11:37:13 he Exp $
SHA1 (Python-3.4.1.tar.xz) = 143e098efe7ee7bec8a4904ec4b322f28a067a03
RMD160 (Python-3.4.1.tar.xz) = 276fda8bd4ef515da83645ddd5f01eb0f68522a5
Size (Python-3.4.1.tar.xz) = 14125788 bytes
SHA1 (patch-Lib_distutils_unixccompiler.py) = 39cb8d1e1e3e76e2b6b5dbc1a6b5e0815300b2ce
+SHA1 (patch-Lib_http_server.py) = 152f8059224baae8f5b3beb11fc5c7a541f1a462
+SHA1 (patch-Lib_test_test__httpservers.py) = 80ff2a699bbfd22853a216383b8c5bf4f0ba4800
+SHA1 (patch-Misc_NEWS) = 1e215b3e681f69410ebfd29bd8cc2ef7a4c03c2b
SHA1 (patch-Modules___multiprocessing_multiprocessing.c) = 1aa9efb2ed4357451969eb3a2c9a9780d86110d9
SHA1 (patch-aa) = 14359f8d0527eff08073c0aea60dfe8961d9255d
SHA1 (patch-ah) = b3a1363f6d210f855f3769650e3891b0df5c531d
diff --git a/lang/python34/patches/patch-Lib_http_server.py b/lang/python34/patches/patch-Lib_http_server.py
new file mode 100644
index 00000000000..1fc056d172d
--- /dev/null
+++ b/lang/python34/patches/patch-Lib_http_server.py
@@ -0,0 +1,16 @@
+$NetBSD: patch-Lib_http_server.py,v 1.1 2014/07/04 11:37:13 he Exp $
+
+Apply fix for directory traversal vulnerability, ref.
+http://bugs.python.org/issue21766
+
+--- Lib/http/server.py.orig 2014-05-19 05:19:38.000000000 +0000
++++ Lib/http/server.py
+@@ -977,7 +977,7 @@ class CGIHTTPRequestHandler(SimpleHTTPRe
+ (and the next character is a '/' or the end of the string).
+
+ """
+- collapsed_path = _url_collapse_path(self.path)
++ collapsed_path = _url_collapse_path(urllib.parse.unquote(self.path))
+ dir_sep = collapsed_path.find('/', 1)
+ head, tail = collapsed_path[:dir_sep], collapsed_path[dir_sep+1:]
+ if head in self.cgi_directories:
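Review bot: The added unquote is applied to the whole of `self.path`, which carries the request target including any query string, so a percent-encoded `/` or `?` inside the query is decoded before the two lines below it split on the first `/` and compare `head` against `self.cgi_directories`; unless `_url_collapse_path` strips the query first (its body is not visible here), an encoded separator in the query can shift where `head` ends. If the helper does not do that stripping, decode only the path component, e.g. `path, _, query = self.path.partition('?')` followed by `collapsed_path = _url_collapse_path(urllib.parse.unquote(path))`, and carry `query` through unchanged. The docstring above the change still describes the check on the raw path; a comment such as `# percent-decode first so an encoded '/' cannot bypass the cgi_directories check` on the changed line would record why the decode was added. `is_cgi` begins and ends outside this hunk, and the rest of the body that consumes `collapsed_path` is not visible.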
diff --git a/lang/python34/patches/patch-Lib_test_test__httpservers.py b/lang/python34/patches/patch-Lib_test_test__httpservers.py
new file mode 100644
index 00000000000..27a4bfda2f6
--- /dev/null
+++ b/lang/python34/patches/patch-Lib_test_test__httpservers.py
@@ -0,0 +1,19 @@
+$NetBSD: patch-Lib_test_test__httpservers.py,v 1.1 2014/07/04 11:37:13 he Exp $
+
+Add test case for directory traversal vulnerability fix, ref.
+http://bugs.python.org/issue21766
+
+--- Lib/test/test_httpservers.py.orig 2014-05-19 05:19:38.000000000 +0000
++++ Lib/test/test_httpservers.py
+@@ -485,6 +485,11 @@ class CGIHTTPServerTestCase(BaseTestCase
+ (res.read(), res.getheader('Content-type'), res.status))
+ self.assertEqual(os.environ['SERVER_SOFTWARE'], signature)
+
++ def test_urlquote_decoding_in_cgi_check(self):
++ res = self.request('/cgi-bin%2ffile1.py')
++ self.assertEqual((b'Hello World\n', 'text/html', 200),
++ (res.read(), res.getheader('Content-type'), res.status))
++
+
+ class SocketlessRequestHandler(SimpleHTTPRequestHandler):
+ def __init__(self):
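Review bot: The new test pins only the positive case, that a percent-encoded slash in the cgi-bin prefix is still served as CGI, and it has no docstring, so the link to the security fix lives only in the method name. Add as its first line `"""An encoded '/' in the cgi_directories prefix must still be treated as a CGI request (bugs.python.org/issue21766)."""`. A companion case requesting a path that, once decoded, does not start with a cgi_directories entry and asserting it is not served as CGI would cover the negative side of the same check; the expected status for such a request is not visible here, so it is not stated. The enclosing CGIHTTPServerTestCase class begins outside this hunk.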
diff --git a/lang/python34/patches/patch-Misc_NEWS b/lang/python34/patches/patch-Misc_NEWS
new file mode 100644
index 00000000000..ffacc163a58
--- /dev/null
+++ b/lang/python34/patches/patch-Misc_NEWS
@@ -0,0 +1,17 @@
+$NetBSD: patch-Misc_NEWS,v 1.1 2014/07/04 11:37:13 he Exp $
+
+Note we have fix for directory traversal vulnerability, ref.
+http://bugs.python.org/issue21766
+
+--- Misc/NEWS.orig 2014-05-19 05:19:39.000000000 +0000
++++ Misc/NEWS
+@@ -93,6 +93,9 @@ Core and Builtins
+ Library
+ -------
+
++- Issue #21766: Prevent a security hole in CGIHTTPServer by URL unquoting paths
++ before checking for a CGI script at that path.
++
+ - Issue #21088: Bugfix for curses.window.addch() regression in 3.4.0.
+ In porting to Argument Clinic, the first two arguments were reversed.
+