summaryrefslogtreecommitdiff
path: root/lang
diff options
context:
space:
mode:
authortron <tron@pkgsrc.org>2011-02-28 22:35:53 +0000
committertron <tron@pkgsrc.org>2011-02-28 22:35:53 +0000
commit23b0e69ff8c5c978ea0fe239e6bead05222dedc3 (patch)
treeb9b80d484ca95b16536b5a9780e571c4860d899c /lang
parentb1b44effe61dff34ea5e1267a9f84e7edfa37cef (diff)
downloadpkgsrc-23b0e69ff8c5c978ea0fe239e6bead05222dedc3.tar.gz
Add fix for the information disclosure vulnerability reported in SA43463
taken from the Python SVN repository.
Diffstat (limited to 'lang')
-rw-r--r--lang/python26/Makefile4
-rw-r--r--lang/python26/distinfo3
-rw-r--r--lang/python26/patches/patch-SA4346396
3 files changed, 100 insertions, 3 deletions
diff --git a/lang/python26/Makefile b/lang/python26/Makefile
index 7464c3c00c6..327823b1267 100644
--- a/lang/python26/Makefile
+++ b/lang/python26/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.33 2011/01/03 12:13:21 adam Exp $
+# $NetBSD: Makefile,v 1.34 2011/02/28 22:35:53 tron Exp $
.include "dist.mk"
PKGNAME= python26-${PY_DISTVERSION}
-PKGREVISION= 5
+PKGREVISION= 6
CATEGORIES= lang python
MAINTAINER= pkgsrc-users@NetBSD.org
diff --git a/lang/python26/distinfo b/lang/python26/distinfo
index 63bacce4f5b..d569112c756 100644
--- a/lang/python26/distinfo
+++ b/lang/python26/distinfo
@@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.31 2011/02/05 09:34:04 hiramatsu Exp $
+$NetBSD: distinfo,v 1.32 2011/02/28 22:35:53 tron Exp $
SHA1 (Python-2.6.6.tar.bz2) = a1daf2c2c7cffe0939c015260447572fe75c7e50
RMD160 (Python-2.6.6.tar.bz2) = 2d63f4f0ad3c124a8e62215ca94bd0231350e912
Size (Python-2.6.6.tar.bz2) = 11080872 bytes
+SHA1 (patch-SA43463) = a0285ce9eb1d994bb05cd54812f3fc9cb678fe7f
SHA1 (patch-aa) = 0528fc5da76d5f1d19586ea3dda1acd09a4b0113
SHA1 (patch-ab) = b47aa9d18a7c1a99ac8cc8b29c64867443f303e5
SHA1 (patch-ac) = 57c88d47f82630e67bcd27ab61bf4362035da2f2
diff --git a/lang/python26/patches/patch-SA43463 b/lang/python26/patches/patch-SA43463
new file mode 100644
index 00000000000..05d22171035
--- /dev/null
+++ b/lang/python26/patches/patch-SA43463
@@ -0,0 +1,96 @@
+$NetBSD: patch-SA43463,v 1.1 2011/02/28 22:35:53 tron Exp $
+
+Fix information disclosure vulnerability reported in SA43463.
+Patch taken from the Python SVN repository:
+
+http://svn.python.org/view?view=revision&revision=71303
+
+--- Lib/CGIHTTPServer.py.orig 2009-11-11 17:24:53.000000000 +0000
++++ Lib/CGIHTTPServer.py 2011-02-28 22:16:27.000000000 +0000
+@@ -70,27 +70,20 @@
+ return SimpleHTTPServer.SimpleHTTPRequestHandler.send_head(self)
+
+ def is_cgi(self):
+- """Test whether self.path corresponds to a CGI script,
+- and return a boolean.
++ """Test whether self.path corresponds to a CGI script.
+
+- This function sets self.cgi_info to a tuple (dir, rest)
+- when it returns True, where dir is the directory part before
+- the CGI script name. Note that rest begins with a
+- slash if it is not empty.
+-
+- The default implementation tests whether the path
+- begins with one of the strings in the list
+- self.cgi_directories (and the next character is a '/'
+- or the end of the string).
++ Returns True and updates the cgi_info attribute to the tuple
++ (dir, rest) if self.path requires running a CGI script.
++ Returns False otherwise.
++
++ The default implementation tests whether the normalized url
++ path begins with one of the strings in self.cgi_directories
++ (and the next character is a '/' or the end of the string).
+ """
+-
+- path = self.path
+-
+- for x in self.cgi_directories:
+- i = len(x)
+- if path[:i] == x and (not path[i:] or path[i] == '/'):
+- self.cgi_info = path[:i], path[i+1:]
+- return True
++ splitpath = _url_collapse_path_split(self.path)
++ if splitpath[0] in self.cgi_directories:
++ self.cgi_info = splitpath
++ return True
+ return False
+
+ cgi_directories = ['/cgi-bin', '/htbin']
+@@ -299,6 +292,46 @@
+ self.log_message("CGI script exited OK")
+
+
++# TODO(gregory.p.smith): Move this into an appropriate library.
++def _url_collapse_path_split(path):
++ """
++ Given a URL path, remove extra '/'s and '.' path elements and collapse
++ any '..' references.
++
++ Implements something akin to RFC-2396 5.2 step 6 to parse relative paths.
++
++ Returns: A tuple of (head, tail) where tail is everything after the final /
++ and head is everything before it. Head will always start with a '/' and,
++ if it contains anything else, never have a trailing '/'.
++
++ Raises: IndexError if too many '..' occur within the path.
++ """
++ # Similar to os.path.split(os.path.normpath(path)) but specific to URL
++ # path semantics rather than local operating system semantics.
++ path_parts = []
++ for part in path.split('/'):
++ if part == '.':
++ path_parts.append('')
++ else:
++ path_parts.append(part)
++ # Filter out blank non trailing parts before consuming the '..'.
++ path_parts = [part for part in path_parts[:-1] if part] + path_parts[-1:]
++ if path_parts:
++ tail_part = path_parts.pop()
++ else:
++ tail_part = ''
++ head_parts = []
++ for part in path_parts:
++ if part == '..':
++ head_parts.pop()
++ else:
++ head_parts.append(part)
++ if tail_part and tail_part == '..':
++ head_parts.pop()
++ tail_part = ''
++ return ('/' + '/'.join(head_parts), tail_part)
++
++
+ nobody = None
+
+ def nobody_uid():