From de31865cd904108d36595c43e44515624f83341c Mon Sep 17 00:00:00 2001
From: sbd
Date: Tue, 1 Mar 2011 10:04:22 +0000
Subject: Pullup ticket #3369 - requested by tron
Security patch for "python26" package
Revisions pulled up:
- lang/python26/Makefile 1.34
- lang/python26/distinfo 1.32
- lang/python26/patches/patch-SA43463 1.1
---
Module Name: pkgsrc
Module Name: pkgsrc
Committed By: tron
Date: Mon Feb 28 22:35:53 UTC 2011
Modified Files:
pkgsrc/lang/python26: Makefile distinfo
Added Files:
pkgsrc/lang/python26/patches: patch-SA43463
Log Message:
Add fix for the information disclosure vulnerability reported in SA43463 taken from the Python SVN repository.
---
lang/python26/Makefile | 4 +-
lang/python26/distinfo | 3 +-
lang/python26/patches/patch-SA43463 | 96 +++++++++++++++++++++++++++++++++++++
3 files changed, 100 insertions(+), 3 deletions(-)
create mode 100644 lang/python26/patches/patch-SA43463
diff --git a/lang/python26/Makefile b/lang/python26/Makefile
index 7464c3c00c6..ada9f1dc0b2 100644
--- a/lang/python26/Makefile
+++ b/lang/python26/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.33 2011/01/03 12:13:21 adam Exp $
+# $NetBSD: Makefile,v 1.33.2.1 2011/03/01 10:04:22 sbd Exp $
 
 .include "dist.mk"
 
 PKGNAME= python26-${PY_DISTVERSION}
-PKGREVISION= 5
+PKGREVISION= 6
 CATEGORIES= lang python
 
 MAINTAINER= pkgsrc-users@NetBSD.org
diff --git a/lang/python26/distinfo b/lang/python26/distinfo
index 7d390728938..3d37710b24f 100644
--- a/lang/python26/distinfo
+++ b/lang/python26/distinfo
@@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.30 2010/12/25 05:45:15 obache Exp $
+$NetBSD: distinfo,v 1.30.2.1 2011/03/01 10:04:22 sbd Exp $
 
 SHA1 (Python-2.6.6.tar.bz2) = a1daf2c2c7cffe0939c015260447572fe75c7e50
 RMD160 (Python-2.6.6.tar.bz2) = 2d63f4f0ad3c124a8e62215ca94bd0231350e912
 Size (Python-2.6.6.tar.bz2) = 11080872 bytes
+SHA1 (patch-SA43463) = a0285ce9eb1d994bb05cd54812f3fc9cb678fe7f
 SHA1 (patch-aa) = 0528fc5da76d5f1d19586ea3dda1acd09a4b0113
 SHA1 (patch-ab) = b47aa9d18a7c1a99ac8cc8b29c64867443f303e5
 SHA1 (patch-ac) = 57c88d47f82630e67bcd27ab61bf4362035da2f2
diff --git a/lang/python26/patches/patch-SA43463 b/lang/python26/patches/patch-SA43463
new file mode 100644
index 00000000000..d926fcf10bb
--- /dev/null
+++ b/lang/python26/patches/patch-SA43463
@@ -0,0 +1,96 @@
+$NetBSD: patch-SA43463,v 1.1.2.2 2011/03/01 10:04:22 sbd Exp $
+
+Fix information disclosure vulnerability reported in SA43463.
+Patch taken from the Python SVN repository:
+
+http://svn.python.org/view?view=revision&revision=71303
+
+--- Lib/CGIHTTPServer.py.orig 2009-11-11 17:24:53.000000000 +0000
++++ Lib/CGIHTTPServer.py 2011-02-28 22:16:27.000000000 +0000
+@@ -70,27 +70,20 @@
+ return SimpleHTTPServer.SimpleHTTPRequestHandler.send_head(self)
+
+ def is_cgi(self):
+- """Test whether self.path corresponds to a CGI script,
+- and return a boolean.
++ """Test whether self.path corresponds to a CGI script.
+
+- This function sets self.cgi_info to a tuple (dir, rest)
+- when it returns True, where dir is the directory part before
+- the CGI script name. Note that rest begins with a
+- slash if it is not empty.
+-
+- The default implementation tests whether the path
+- begins with one of the strings in the list
+- self.cgi_directories (and the next character is a '/'
+- or the end of the string).
++ Returns True and updates the cgi_info attribute to the tuple
++ (dir, rest) if self.path requires running a CGI script.
++ Returns False otherwise.
++
++ The default implementation tests whether the normalized url
++ path begins with one of the strings in self.cgi_directories
++ (and the next character is a '/' or the end of the string).
+ """
+-
+- path = self.path
+-
+- for x in self.cgi_directories:
+- i = len(x)
+- if path[:i] == x and (not path[i:] or path[i] == '/'):
+- self.cgi_info = path[:i], path[i+1:]
+- return True
++ splitpath = _url_collapse_path_split(self.path)
++ if splitpath[0] in self.cgi_directories:
++ self.cgi_info = splitpath
++ return True
+ return False
+
+ cgi_directories = ['/cgi-bin', '/htbin']
+@@ -299,6 +292,46 @@
+ self.log_message("CGI script exited OK")
+
+
++# TODO(gregory.p.smith): Move this into an appropriate library.
++def _url_collapse_path_split(path):
++ """
++ Given a URL path, remove extra '/'s and '.' path elements and collapse
++ any '..' references.
++
++ Implements something akin to RFC-2396 5.2 step 6 to parse relative paths.
++
++ Returns: A tuple of (head, tail) where tail is everything after the final /
++ and head is everything before it. Head will always start with a '/' and,
++ if it contains anything else, never have a trailing '/'.
++
++ Raises: IndexError if too many '..' occur within the path.
++ """
++ # Similar to os.path.split(os.path.normpath(path)) but specific to URL
++ # path semantics rather than local operating system semantics.
++ path_parts = []
++ for part in path.split('/'):
++ if part == '.':
++ path_parts.append('')
++ else:
++ path_parts.append(part)
++ # Filter out blank non trailing parts before consuming the '..'.
++ path_parts = [part for part in path_parts[:-1] if part] + path_parts[-1:]
++ if path_parts:
++ tail_part = path_parts.pop()
++ else:
++ tail_part = ''
++ head_parts = []
++ for part in path_parts:
++ if part == '..':
++ head_parts.pop()
++ else:
++ head_parts.append(part)
++ if tail_part and tail_part == '..':
++ head_parts.pop()
++ tail_part = ''
++ return ('/' + '/'.join(head_parts), tail_part)
++
++
+ nobody = None
+
+ def nobody_uid():
--
cgit v1.2.3
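Review bot: The new test in `is_cgi`, `if splitpath[0] in self.cgi_directories:`, only accepts a collapsed head that is exactly one of the configured directories, while the removed prefix check also accepted paths below them; a request for `/cgi-bin/sub/x.cgi` now yields head `/cgi-bin/sub`, is no longer treated as CGI, and falls through to the `SimpleHTTPRequestHandler.send_head` call in the context lines, which presumably serves the script file as static content rather than executing it. Binding `head, tail = splitpath` and testing `if any(head == d or head.startswith(d + '/') for d in self.cgi_directories):` keeps the normalisation but preserves scripts in subdirectories, provided `run_cgi` (outside this hunk) handles a multi-segment head as the old tuple layout apparently did. The rewritten `is_cgi` docstring still says "(and the next character is a '/' or the end of the string)", which no longer describes the exact-match test and should be reworded to "the normalized path's directory part is one of the entries in self.cgi_directories". `_url_collapse_path_split` raises IndexError when a path has more `..` segments than it can consume (its docstring says so, via the unguarded `head_parts.pop()`), and `is_cgi` lets that escape, so such a request ends in a server-side traceback instead of a clean 4xx; wrapping the call in `try: ... except IndexError: return False` or answering with `self.send_error(400)` in the caller is the cleaner outcome. Also, `self.path` may still carry a `?query`, which the helper splits on `/` like any other segment, so separating the query before collapsing and re-attaching it to the tail (e.g. `path, sep, query = self.path.partition('?')`) would keep `cgi_info` in the shape the rest of the handler expects.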