kpriv/pkgsrc
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge the patch for http://secunia.com/advisories/43463/ from the

Browse source 
copy in python26.
This commit is contained in:
dholland 2011-03-06 03:24:11 +00:00
parent 7a007d5dc5
commit afabde83fa
3 changed files with 90 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
lang/python25/Makefile
View file

@ -1,9 +1,9 @@
# $NetBSD: Makefile,v 1.29 2011/02/28 14:52:54 wiz Exp $
# $NetBSD: Makefile,v 1.30 2011/03/06 03:24:11 dholland Exp $
.include "dist.mk"
PKGNAME= python25-${PY_DISTVERSION}
PKGREVISION= 1
PKGREVISION= 2
CATEGORIES= lang python
MAINTAINER= pkgsrc-users@NetBSD.org

3
lang/python25/distinfo
View file

@ -1,8 +1,9 @@
$NetBSD: distinfo,v 1.13 2010/04/07 14:57:49 gdt Exp $
$NetBSD: distinfo,v 1.14 2011/03/06 03:24:11 dholland Exp $
SHA1 (Python-2.5.5.tar.bz2) = dcf1abd94a1ab4155dcd3668cca42c5bfc81159f
RMD160 (Python-2.5.5.tar.bz2) = 4754238d415142466778560d989582464385654c
Size (Python-2.5.5.tar.bz2) = 9822917 bytes
SHA1 (patch-SA43463) = df776e171f1794bae52b6e98bc71ae63734b7693
SHA1 (patch-aa) = d44e67645dc86ff14f5daf5705de02c6f330cc48
SHA1 (patch-ab) = d35025df83e70d129f9fbcd277652b0eea83b026
SHA1 (patch-ac) = 4de5b8dc20b41dc3bb4acd38011ef59570318d3f

86
lang/python25/patches/patch-SA43463 Normal file
View file

@ -0,0 +1,86 @@
$NetBSD: patch-SA43463,v 1.1 2011/03/06 03:24:11 dholland Exp $
Fix information disclosure vulnerability reported in SA43463.
Original patch taken from the Python SVN repository:
http://svn.python.org/view?view=revision&revision=71303
and backported to the python25 version.
--- Lib/CGIHTTPServer.py.orig 2007-04-25 06:42:41.000000000 +0000
+++ Lib/CGIHTTPServer.py
@@ -76,20 +76,15 @@ class CGIHTTPRequestHandler(SimpleHTTPSe
CGI script, None if not. Note that rest begins with a
slash if it is not empty.
- The default implementation tests whether the path
- begins with one of the strings in the list
- self.cgi_directories (and the next character is a '/'
- or the end of the string).
-
+ The default implementation tests whether the normalized url
+ path begins with one of the strings in self.cgi_directories
+ (and the next character is a '/' or the end of the string).
"""
- path = self.path
-
- for x in self.cgi_directories:
- i = len(x)
- if path[:i] == x and (not path[i:] or path[i] == '/'):
- self.cgi_info = path[:i], path[i+1:]
- return True
+ splitpath = _url_collapse_path_split(self.path)
+ if splitpath[0] in self.cgi_directories:
+ self.cgi_info = splitpath
+ return True
return False
cgi_directories = ['/cgi-bin', '/htbin']
@@ -326,6 +321,46 @@ class CGIHTTPRequestHandler(SimpleHTTPSe
self.log_message("CGI script exited OK")
+# TODO(gregory.p.smith): Move this into an appropriate library.
+def _url_collapse_path_split(path):
+ """
+ Given a URL path, remove extra '/'s and '.' path elements and collapse
+ any '..' references.
+
+ Implements something akin to RFC-2396 5.2 step 6 to parse relative paths.
+
+ Returns: A tuple of (head, tail) where tail is everything after the final /
+ and head is everything before it. Head will always start with a '/' and,
+ if it contains anything else, never have a trailing '/'.
+
+ Raises: IndexError if too many '..' occur within the path.
+ """
+ # Similar to os.path.split(os.path.normpath(path)) but specific to URL
+ # path semantics rather than local operating system semantics.
+ path_parts = []
+ for part in path.split('/'):
+ if part == '.':
+ path_parts.append('')
+ else:
+ path_parts.append(part)
+ # Filter out blank non trailing parts before consuming the '..'.
+ path_parts = [part for part in path_parts[:-1] if part] + path_parts[-1:]
+ if path_parts:
+ tail_part = path_parts.pop()
+ else:
+ tail_part = ''
+ head_parts = []
+ for part in path_parts:
+ if part == '..':
+ head_parts.pop()
+ else:
+ head_parts.append(part)
+ if tail_part and tail_part == '..':
+ head_parts.pop()
+ tail_part = ''
+ return ('/' + '/'.join(head_parts), tail_part)
+
+
nobody = None
def nobody_uid():