author | he <he@pkgsrc.org> | 2014-07-04 11:37:13 +0000 |
committer | he <he@pkgsrc.org> | 2014-07-04 11:37:13 +0000 |
commit | d4c95036d41b11d461c4ec6c7f41d7db51c29ce8 (patch) | |
tree | 9800320704e89a4602f63b8f2e5a88e08b13a14b /lang | |
parent | 57dba58d38510117377910c9d7cb5110a63ca40f (diff) | |
Apply fix for directory traversal vulnerability, ref.
http://bugs.python.org/issue21766
Bump PKGREVISION.
Diffstat (limited to 'lang')
-rw-r--r-- | lang/python34/Makefile | 3 | ||||
-rw-r--r-- | lang/python34/distinfo | 5 | ||||
-rw-r--r-- | lang/python34/patches/patch-Lib_http_server.py | 16 | ||||
-rw-r--r-- | lang/python34/patches/patch-Lib_test_test__httpservers.py | 19 | ||||
-rw-r--r-- | lang/python34/patches/patch-Misc_NEWS | 17 |
5 files changed, 58 insertions, 2 deletions
diff --git a/lang/python34/Makefile b/lang/python34/Makefile
index eb1984b4b5f..3cee30441d9 100644
--- a/lang/python34/Makefile
+++ b/lang/python34/Makefile
@@ -1,8 +1,9 @@
-# $NetBSD: Makefile,v 1.5 2014/05/20 09:13:37 wiz Exp $
+# $NetBSD: Makefile,v 1.6 2014/07/04 11:37:13 he Exp $
 
 .include "dist.mk"
 
 PKGNAME= python34-${PY_DISTVERSION}
+PKGREVISION= 1
 CATEGORIES= lang python
 
 MAINTAINER= pkgsrc-users@NetBSD.org
diff --git a/lang/python34/distinfo b/lang/python34/distinfo
index 99b54e3a2a3..96705eb02e2 100644
--- a/lang/python34/distinfo
+++ b/lang/python34/distinfo
@@ -1,9 +1,12 @@
-$NetBSD: distinfo,v 1.12 2014/06/01 13:48:42 wiz Exp $
+$NetBSD: distinfo,v 1.13 2014/07/04 11:37:13 he Exp $
 
 SHA1 (Python-3.4.1.tar.xz) = 143e098efe7ee7bec8a4904ec4b322f28a067a03
 RMD160 (Python-3.4.1.tar.xz) = 276fda8bd4ef515da83645ddd5f01eb0f68522a5
 Size (Python-3.4.1.tar.xz) = 14125788 bytes
 SHA1 (patch-Lib_distutils_unixccompiler.py) = 39cb8d1e1e3e76e2b6b5dbc1a6b5e0815300b2ce
+SHA1 (patch-Lib_http_server.py) = 152f8059224baae8f5b3beb11fc5c7a541f1a462
+SHA1 (patch-Lib_test_test__httpservers.py) = 80ff2a699bbfd22853a216383b8c5bf4f0ba4800
+SHA1 (patch-Misc_NEWS) = 1e215b3e681f69410ebfd29bd8cc2ef7a4c03c2b
 SHA1 (patch-Modules___multiprocessing_multiprocessing.c) = 1aa9efb2ed4357451969eb3a2c9a9780d86110d9
 SHA1 (patch-aa) = 14359f8d0527eff08073c0aea60dfe8961d9255d
 SHA1 (patch-ah) = b3a1363f6d210f855f3769650e3891b0df5c531d
diff --git a/lang/python34/patches/patch-Lib_http_server.py b/lang/python34/patches/patch-Lib_http_server.py
new file mode 100644
index 00000000000..1fc056d172d
--- /dev/null
+++ b/lang/python34/patches/patch-Lib_http_server.py
@@ -0,0 +1,16 @@
+$NetBSD: patch-Lib_http_server.py,v 1.1 2014/07/04 11:37:13 he Exp $
+
+Apply fix for directory traversal vulnerability, ref.
+http://bugs.python.org/issue21766
+
+--- Lib/http/server.py.orig 2014-05-19 05:19:38.000000000 +0000
++++ Lib/http/server.py
+@@ -977,7 +977,7 @@ class CGIHTTPRequestHandler(SimpleHTTPRe
+ (and the next character is a '/' or the end of the string).
+ 
+ """
+- collapsed_path = _url_collapse_path(self.path)
++ collapsed_path = _url_collapse_path(urllib.parse.unquote(self.path))
+ dir_sep = collapsed_path.find('/', 1)
+ head, tail = collapsed_path[:dir_sep], collapsed_path[dir_sep+1:]
+ if head in self.cgi_directories:
diff --git a/lang/python34/patches/patch-Lib_test_test__httpservers.py b/lang/python34/patches/patch-Lib_test_test__httpservers.py
new file mode 100644
index 00000000000..27a4bfda2f6
--- /dev/null
+++ b/lang/python34/patches/patch-Lib_test_test__httpservers.py
@@ -0,0 +1,19 @@
+$NetBSD: patch-Lib_test_test__httpservers.py,v 1.1 2014/07/04 11:37:13 he Exp $
+
+Add test case for directory traversal vulnerability fix, ref.
+http://bugs.python.org/issue21766
+
+--- Lib/test/test_httpservers.py.orig 2014-05-19 05:19:38.000000000 +0000
++++ Lib/test/test_httpservers.py
+@@ -485,6 +485,11 @@ class CGIHTTPServerTestCase(BaseTestCase
+ (res.read(), res.getheader('Content-type'), res.status))
+ self.assertEqual(os.environ['SERVER_SOFTWARE'], signature)
+ 
++ def test_urlquote_decoding_in_cgi_check(self):
++ res = self.request('/cgi-bin%2ffile1.py')
++ self.assertEqual((b'Hello World\n', 'text/html', 200),
++ (res.read(), res.getheader('Content-type'), res.status))
++
+ 
+ class SocketlessRequestHandler(SimpleHTTPRequestHandler):
+ def __init__(self):
diff --git a/lang/python34/patches/patch-Misc_NEWS b/lang/python34/patches/patch-Misc_NEWS
new file mode 100644
index 00000000000..ffacc163a58
--- /dev/null
+++ b/lang/python34/patches/patch-Misc_NEWS
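Review bot: The new line decodes the whole request target, `urllib.parse.unquote(self.path)`, before `_url_collapse_path` gets to separate the query string, so an encoded `%3F` inside the path component becomes a literal `?` and the string that is collapsed and compared against `cgi_directories` is re-split at that point rather than at the request's real query boundary. If `_url_collapse_path` partitions on `?` before collapsing (as I believe the stdlib helper does), the more robust shape is to leave this call as `_url_collapse_path(self.path)` and perform the unquote inside the helper on the path part only, immediately after the partition, so the decoded and the checked path are always the same string. The added line also carries no comment saying why decoding must precede the directory check; `# decode %XX escapes first so the CGI-directory test sees the same path the handler will act on` would keep the intent visible across future rebases of this patch. The enclosing method's signature and the start of its docstring lie above the hunk and its body continues below it.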
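Review bot: `test_urlquote_decoding_in_cgi_check` asserts only the outcome `(b'Hello World\n', 'text/html', 200)` and neither its name nor a docstring records which behaviour it guards, so when it fails a reader is not told that the CGI-script check used to run on the still-encoded path (the NEWS entry in this commit). A docstring such as `"""A percent-encoded '/' before the script name must still be recognised as a CGI path and executed."""` gives that failure its context. Only the lower-case `%2f` spelling is exercised; a second request `res = self.request('/cgi-bin%2Ffile1.py')` with the same assertion would also cover the upper-case escape that `unquote` accepts. The enclosing test class continues outside the hunk.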
@@ -0,0 +1,17 @@
+$NetBSD: patch-Misc_NEWS,v 1.1 2014/07/04 11:37:13 he Exp $
+
+Note we have fix for directory traversal vulnerability, ref.
+http://bugs.python.org/issue21766
+
+--- Misc/NEWS.orig 2014-05-19 05:19:39.000000000 +0000
++++ Misc/NEWS
+@@ -93,6 +93,9 @@ Core and Builtins
+ Library
+ -------
+ 
++- Issue #21766: Prevent a security hole in CGIHTTPServer by URL unquoting paths
++ before checking for a CGI script at that path.
++
+ - Issue #21088: Bugfix for curses.window.addch() regression in 3.4.0.
+ In porting to Argument Clinic, the first two arguments were reversed.
+ 
|