Add fix for the information disclosure vulnerability reported in SA43463

taken from the Python SVN repository.
2011-02-28 22:35:53 +00:00 · 2011-02-28 22:35:53 +00:00 · 23b0e69ff8
commit 23b0e69ff8
parent b1b44effe6
3 changed files with 100 additions and 3 deletions
--- a/lang/python26/Makefile
+++ b/lang/python26/Makefile
@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.33 2011/01/03 12:13:21 adam Exp $
+# $NetBSD: Makefile,v 1.34 2011/02/28 22:35:53 tron Exp $

 .include "dist.mk"

 PKGNAME=	python26-${PY_DISTVERSION}
-PKGREVISION=	5
+PKGREVISION=	6
 CATEGORIES=	lang python

 MAINTAINER=	pkgsrc-users@NetBSD.org
--- a/lang/python26/distinfo
+++ b/lang/python26/distinfo
@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.31 2011/02/05 09:34:04 hiramatsu Exp $
+$NetBSD: distinfo,v 1.32 2011/02/28 22:35:53 tron Exp $

 SHA1 (Python-2.6.6.tar.bz2) = a1daf2c2c7cffe0939c015260447572fe75c7e50
 RMD160 (Python-2.6.6.tar.bz2) = 2d63f4f0ad3c124a8e62215ca94bd0231350e912
 Size (Python-2.6.6.tar.bz2) = 11080872 bytes
+SHA1 (patch-SA43463) = a0285ce9eb1d994bb05cd54812f3fc9cb678fe7f
 SHA1 (patch-aa) = 0528fc5da76d5f1d19586ea3dda1acd09a4b0113
 SHA1 (patch-ab) = b47aa9d18a7c1a99ac8cc8b29c64867443f303e5
 SHA1 (patch-ac) = 57c88d47f82630e67bcd27ab61bf4362035da2f2
--- a/lang/python26/patches/patch-SA43463
+++ b/lang/python26/patches/patch-SA43463
@ -0,0 +1,96 @@
+$NetBSD: patch-SA43463,v 1.1 2011/02/28 22:35:53 tron Exp $
+
+Fix information disclosure vulnerability reported in SA43463.
+Patch taken from the Python SVN repository:
+
+http://svn.python.org/view?view=revision&revision=71303
+
+--- Lib/CGIHTTPServer.py.orig	2009-11-11 17:24:53.000000000 +0000
+++ Lib/CGIHTTPServer.py	2011-02-28 22:16:27.000000000 +0000
+@@ -70,27 +70,20 @@
+             return SimpleHTTPServer.SimpleHTTPRequestHandler.send_head(self)
+ 
+     def is_cgi(self):
+-        """Test whether self.path corresponds to a CGI script,
+-        and return a boolean.
+        """Test whether self.path corresponds to a CGI script.
+ 
+-        This function sets self.cgi_info to a tuple (dir, rest)
+-        when it returns True, where dir is the directory part before
+-        the CGI script name.  Note that rest begins with a
+-        slash if it is not empty.
+-
+-        The default implementation tests whether the path
+-        begins with one of the strings in the list
+-        self.cgi_directories (and the next character is a '/'
+-        or the end of the string).
+        Returns True and updates the cgi_info attribute to the tuple
+        (dir, rest) if self.path requires running a CGI script.
+        Returns False otherwise.
+
+        The default implementation tests whether the normalized url
+        path begins with one of the strings in self.cgi_directories
+        (and the next character is a '/' or the end of the string).
+         """
+-
+-        path = self.path
+-
+-        for x in self.cgi_directories:
+-            i = len(x)
+-            if path[:i] == x and (not path[i:] or path[i] == '/'):
+-                self.cgi_info = path[:i], path[i+1:]
+-                return True
+        splitpath = _url_collapse_path_split(self.path)
+        if splitpath[0] in self.cgi_directories:
+            self.cgi_info = splitpath
+            return True
+         return False
+ 
+     cgi_directories = ['/cgi-bin', '/htbin']
+@@ -299,6 +292,46 @@
+                 self.log_message("CGI script exited OK")
+ 
+ 
+# TODO(gregory.p.smith): Move this into an appropriate library.
+def _url_collapse_path_split(path):
+    """
+    Given a URL path, remove extra '/'s and '.' path elements and collapse
+    any '..' references.
+
+    Implements something akin to RFC-2396 5.2 step 6 to parse relative paths.
+
+    Returns: A tuple of (head, tail) where tail is everything after the final /
+    and head is everything before it.  Head will always start with a '/' and,
+    if it contains anything else, never have a trailing '/'.
+
+    Raises: IndexError if too many '..' occur within the path.
+    """
+    # Similar to os.path.split(os.path.normpath(path)) but specific to URL
+    # path semantics rather than local operating system semantics.
+    path_parts = []
+    for part in path.split('/'):
+        if part == '.':
+            path_parts.append('')
+        else:
+            path_parts.append(part)
+    # Filter out blank non trailing parts before consuming the '..'.
+    path_parts = [part for part in path_parts[:-1] if part] + path_parts[-1:]
+    if path_parts:
+        tail_part = path_parts.pop()
+    else:
+        tail_part = ''
+    head_parts = []
+    for part in path_parts:
+        if part == '..':
+            head_parts.pop()
+        else:
+            head_parts.append(part)
+    if tail_part and tail_part == '..':
+        head_parts.pop()
+        tail_part = ''
+    return ('/' + '/'.join(head_parts), tail_part)
+
+
+ nobody = None
+ 
+ def nobody_uid():