From 89649c26a70cf788be10bb7803523d286b61224b Mon Sep 17 00:00:00 2001
From: drochner
Date: Mon, 28 Mar 2011 16:00:06 +0000
Subject: fix a security issue, using patches from upstream: stricter redirect handling in urllib, to prevent redirects to eg "file://" URLs (CVE-2011-1521) bump PKGREV
---
 lang/python26/patches/patch-cb | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 lang/python26/patches/patch-cb
(limited to 'lang/python26/patches/patch-cb')
diff --git a/lang/python26/patches/patch-cb b/lang/python26/patches/patch-cb
new file mode 100644
index 00000000000..1af34378a99
--- /dev/null
+++ b/lang/python26/patches/patch-cb
@@ -0,0 +1,21 @@
+$NetBSD: patch-cb,v 1.1 2011/03/28 16:00:07 drochner Exp $
+
+Issue #11662 (CVE-2011-1521)
+
+--- Lib/urllib2.py.orig 2011-03-28 15:17:02.000000000 +0000
++++ Lib/urllib2.py
+@@ -578,6 +578,14 @@ class HTTPRedirectHandler(BaseHandler):
+ 
+         newurl = urlparse.urljoin(req.get_full_url(), newurl)
+ 
++        # For security reasons we do not allow redirects to protocols
++        # other than HTTP, HTTPS or FTP.
++        newurl_lower = newurl.lower()
++        if not (newurl_lower.startswith('http://') or
++                newurl_lower.startswith('https://') or
++                newurl_lower.startswith('ftp://')):
++            return
++
+         # XXX Probably want to forget about the state of the current
+         # request, although that might interact poorly with other
+         # handlers that also use handler-specific request attributes
-- 
cgit v1.2.3
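Review bot: The bare `return` in the new scheme guard declines the redirect silently, so a caller following a Location to `file://` or `javascript:` gets whatever the default error handler raises for the unhandled 302 and nothing that says the target was refused on security grounds; `http_error_302` has `code`, `msg`, `headers` and `fp` in scope, so raising `HTTPError(newurl, code, "%s - Redirection to url '%s' is not allowed" % (msg, newurl), headers, fp)` in place of the `return` would make the refusal explicit and greppable in logs (later upstream releases appear to do exactly this, though I can't confirm from here). The guard itself is sound: it runs after `urljoin`, so a relative or protocol-relative Location is resolved before the prefix check, and `.lower()` is applied only to the copy used for comparison, so an upper-case `FILE://` does not slip through while the original `newurl` is preserved. Note the commit message also says "urllib", but this view is limited to `patch-cb`, which only touches `Lib/urllib2.py`; if no sibling patch in the same commit covers `FancyURLopener.redirect_internal` in `Lib/urllib.py`, the plain-`urllib` side of CVE-2011-1521 remains open. The enclosing `http_error_302` begins and ends outside the hunk.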