Apply fix for directory traversal vulnerability, ref. http://bugs.python.org/issue21766 Bump PKGREVISION.

diff -r1.5 -r1.6 pkgsrc/lang/python34/Makefile
(he)
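--- a/pkgsrc/lang/python34/Makefile
+++ b/pkgsrc/lang/python34/Makefile
@@ -1,18 +1,19 @@
-# $NetBSD: Makefile,v 1.5 2014/05/20 09:13:37 wiz Exp $
+# $NetBSD: Makefile,v 1.6 2014/07/04 11:37:13 he Exp $
 
 .include "dist.mk"
 
 PKGNAME= python34-${PY_DISTVERSION}
+PKGREVISION= 1
 CATEGORIES= lang python
 
 MAINTAINER= pkgsrc-users@NetBSD.org
 HOMEPAGE= http://www.python.org/
 COMMENT= Interpreted, interactive, object-oriented programming language
 LICENSE= python-software-foundation
 
 CONFLICTS+= python-[0-9]*
 
 PLIST_AWK+= -f ${PKGSRCDIR}/lang/python/plist-python.awk
 PLIST_AWK_ENV+= PYTHON_SOABI="cpython-34"
 PRINT_PLIST_AWK+= /^[^@]/ && /[^\/]+\.py[co]$$/ {
 PRINT_PLIST_AWK+= gsub(/__pycache__\//, "")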
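--- a/pkgsrc/lang/python34/distinfo
+++ b/pkgsrc/lang/python34/distinfo
@@ -1,16 +1,19 @@
-$NetBSD: distinfo,v 1.12 2014/06/01 13:48:42 wiz Exp $
+$NetBSD: distinfo,v 1.13 2014/07/04 11:37:13 he Exp $
 
 SHA1 (Python-3.4.1.tar.xz) = 143e098efe7ee7bec8a4904ec4b322f28a067a03
 RMD160 (Python-3.4.1.tar.xz) = 276fda8bd4ef515da83645ddd5f01eb0f68522a5
 Size (Python-3.4.1.tar.xz) = 14125788 bytes
 SHA1 (patch-Lib_distutils_unixccompiler.py) = 39cb8d1e1e3e76e2b6b5dbc1a6b5e0815300b2ce
+SHA1 (patch-Lib_http_server.py) = 152f8059224baae8f5b3beb11fc5c7a541f1a462
+SHA1 (patch-Lib_test_test__httpservers.py) = 80ff2a699bbfd22853a216383b8c5bf4f0ba4800
+SHA1 (patch-Misc_NEWS) = 1e215b3e681f69410ebfd29bd8cc2ef7a4c03c2b
 SHA1 (patch-Modules___multiprocessing_multiprocessing.c) = 1aa9efb2ed4357451969eb3a2c9a9780d86110d9
 SHA1 (patch-aa) = 14359f8d0527eff08073c0aea60dfe8961d9255d
 SHA1 (patch-ah) = b3a1363f6d210f855f3769650e3891b0df5c531d
 SHA1 (patch-al) = 1867e7145d8ab008338461ee6c662d653479443d
 SHA1 (patch-am) = 1752a06fec7626af57e85b6cbd9b6cc38b99272f
 SHA1 (patch-an) = c9b571eb54fdf0b1e93524a6de6780e8c4119221
 SHA1 (patch-au) = 6e10e6fc484317447bdeaa833db5df073df98c5b
 SHA1 (patch-av) = 9b44f339f65f029b7f17dbc654739a7ae3c12780
 SHA1 (patch-aw) = bd290417c265846e238660180e60e76c0f5f696a
 SHA1 (patch-xa) = fb81eaa604b4ed7c1b64c3f4731d58a8aee257be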
$NetBSD: patch-Lib_http_server.py,v 1.1 2014/07/04 11:37:13 he Exp $
Apply fix for directory traversal vulnerability, ref.
http://bugs.python.org/issue21766
--- Lib/http/server.py.orig 2014-05-19 05:19:38.000000000 +0000
+++ Lib/http/server.py
@@ -977,7 +977,7 @@ class CGIHTTPRequestHandler(SimpleHTTPRe
(and the next character is a '/' or the end of the string).
"""
- collapsed_path = _url_collapse_path(self.path)
+ collapsed_path = _url_collapse_path(urllib.parse.unquote(self.path))
dir_sep = collapsed_path.find('/', 1)
head, tail = collapsed_path[:dir_sep], collapsed_path[dir_sep+1:]
if head in self.cgi_directories:
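Review bot: The unquote on the added line is applied to all of `self.path`, which is presumably the raw request target with any `?query` suffix still attached, so a percent-encoded `/` or `?` inside the query string becomes a literal separator before the path is collapsed and before `find('/', 1)` on the following line picks the directory boundary. Unless `_url_collapse_path` (not in this hunk) already splits the query off before it looks at separators, decode only the path component: `path, sep, query = self.path.partition('?')` followed by `collapsed_path = _url_collapse_path(urllib.parse.unquote(path) + sep + query)`. A second consequence worth checking is that `head` and `tail` are now already decoded, so any later code that unquotes `tail` again (PATH_INFO construction, presumably) will decode twice and turn a literal `%25` into a second round of decoding. is_cgi starts above this hunk and ends below it.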
$NetBSD: patch-Lib_test_test__httpservers.py,v 1.1 2014/07/04 11:37:13 he Exp $
Add test case for directory traversal vulnerability fix, ref.
http://bugs.python.org/issue21766
--- Lib/test/test_httpservers.py.orig 2014-05-19 05:19:38.000000000 +0000
+++ Lib/test/test_httpservers.py
@@ -485,6 +485,11 @@ class CGIHTTPServerTestCase(BaseTestCase
(res.read(), res.getheader('Content-type'), res.status))
self.assertEqual(os.environ['SERVER_SOFTWARE'], signature)
+ def test_urlquote_decoding_in_cgi_check(self):
+ res = self.request('/cgi-bin%2ffile1.py')
+ self.assertEqual((b'Hello World\n', 'text/html', 200),
+ (res.read(), res.getheader('Content-type'), res.status))
+
class SocketlessRequestHandler(SimpleHTTPRequestHandler):
def __init__(self):
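Review bot: The new `test_urlquote_decoding_in_cgi_check` only covers the positive case, that an encoded `/` still resolves to a script under cgi-bin; it never asserts that an encoded `..` is collapsed and the escaping path rejected, so the traversal the fix is for stays untested and a regression in the collapse itself would pass. Add a negative request using an encoded dot-dot that leaves cgi-bin after decoding, e.g. `res = self.request('/cgi-bin/%2e%2e/nonexistent.py')` followed by `self.assertEqual(res.status, 404)`, assuming the fixture's document root holds no such file; if this class already has an invalid-URI test, match the status it expects. The enclosing test class starts above this hunk.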
$NetBSD: patch-Misc_NEWS,v 1.1 2014/07/04 11:37:13 he Exp $
Note we have fix for directory traversal vulnerability, ref.
http://bugs.python.org/issue21766
--- Misc/NEWS.orig 2014-05-19 05:19:39.000000000 +0000
+++ Misc/NEWS
@@ -93,6 +93,9 @@ Core and Builtins
Library
-------
+- Issue #21766: Prevent a security hole in CGIHTTPServer by URL unquoting paths
+ before checking for a CGI script at that path.
+
- Issue #21088: Bugfix for curses.window.addch() regression in 3.4.0.
In porting to Argument Clinic, the first two arguments were reversed.