pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/pkgsrc-2004Q4]: pkgsrc/lang Pullup ticket 289 - requested by Matthias...
details: https://anonhg.NetBSD.org/pkgsrc/rev/ac882c08d541
branches: pkgsrc-2004Q4
changeset: 485904:ac882c08d541
user: salo <salo%pkgsrc.org@localhost>
date: Wed Feb 16 14:00:08 2005 +0000
description:
Pullup ticket 289 - requested by Matthias Drochner
security fix for python
Patches hand-rolled, based on the following commit:
Module Name: pkgsrc
Committed By: drochner
Date: Fri Feb 4 15:39:04 UTC 2005
Modified Files:
pkgsrc/lang/python22: Makefile distinfo
pkgsrc/lang/python23: Makefile distinfo
pkgsrc/lang/python23-nth: Makefile
pkgsrc/lang/python24: Makefile distinfo
Added Files:
pkgsrc/lang/python22/patches: patch-an
pkgsrc/lang/python23/patches: patch-an
pkgsrc/lang/python24/patches: patch-an
Log Message:
apply the security fix from
http://www.python.org/security/PSF-2005-001/
This disables hierarchical object lookups in SimpleXMLRPCServer.
Unfortunately, this breaks some applications (eg kenosis). Don't
shoot me for this.
bump PKGREVISION
diffstat:
lang/python22-pth/Makefile | 4 +-
lang/python22-pth/distinfo | 3 +-
lang/python22-pth/patches/patch-an | 70 ++++++++++++++++++++++++++++++++
lang/python22/Makefile | 4 +-
lang/python22/distinfo | 3 +-
lang/python22/patches/patch-an | 70 ++++++++++++++++++++++++++++++++
lang/python23-pth/distinfo | 3 +-
lang/python23-pth/patches/patch-an | 82 ++++++++++++++++++++++++++++++++++++++
lang/python23/Makefile.common | 4 +-
lang/python23/distinfo | 3 +-
lang/python23/patches/patch-an | 82 ++++++++++++++++++++++++++++++++++++++
lang/python24-pth/Makefile | 3 +-
lang/python24-pth/distinfo | 3 +-
lang/python24-pth/patches/patch-an | 82 ++++++++++++++++++++++++++++++++++++++
lang/python24/Makefile | 3 +-
lang/python24/distinfo | 3 +-
lang/python24/patches/patch-an | 82 ++++++++++++++++++++++++++++++++++++++
17 files changed, 490 insertions(+), 14 deletions(-)
diffs (truncated from 656 to 300 lines):
diff -r 7f4fe6996508 -r ac882c08d541 lang/python22-pth/Makefile
--- a/lang/python22-pth/Makefile Tue Feb 15 23:06:16 2005 +0000
+++ b/lang/python22-pth/Makefile Wed Feb 16 14:00:08 2005 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.14 2004/08/29 10:44:19 recht Exp $
+# $NetBSD: Makefile,v 1.14.4.1 2005/02/16 14:00:08 salo Exp $
#
PKGNAME= python22-pth-2.2.3
-PKGREVISION= 3
+PKGREVISION= 5
PTHREAD_OPTS= require
.include "../../mk/pthread.buildlink3.mk"
diff -r 7f4fe6996508 -r ac882c08d541 lang/python22-pth/distinfo
--- a/lang/python22-pth/distinfo Tue Feb 15 23:06:16 2005 +0000
+++ b/lang/python22-pth/distinfo Wed Feb 16 14:00:08 2005 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.6 2004/08/29 10:44:19 recht Exp $
+$NetBSD: distinfo,v 1.6.4.1 2005/02/16 14:00:08 salo Exp $
SHA1 (Python-2.2.3.tgz) = 177d587e77e0eaa14131ab0d0d0b470777de4400
Size (Python-2.2.3.tgz) = 6709556 bytes
@@ -10,6 +10,7 @@
SHA1 (patch-ah) = b1ef2e68cc8037f38e46007c6c65389e91a429fd
SHA1 (patch-ai) = ae1d8a7886604f9e973f4430f9c673a575452170
SHA1 (patch-aj) = ccf82a79c38f848d31f5193b561be5a44481fedc
+SHA1 (patch-an) = 8e5b93bc65bb6d271e8e111949f715f7234f4371
SHA1 (patch-ba) = 5e47b2e75ea40682216e42fbf8b971432836afdc
SHA1 (patch-bb) = 389c439e8031257ca997455e10c8bd327b14638a
SHA1 (patch-bc) = 9fbe77ff35519a290ef1f70fcaa72a60009a36a1
diff -r 7f4fe6996508 -r ac882c08d541 lang/python22-pth/patches/patch-an
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python22-pth/patches/patch-an Wed Feb 16 14:00:08 2005 +0000
@@ -0,0 +1,70 @@
+$NetBSD: patch-an,v 1.1.2.1 2005/02/16 14:00:08 salo Exp $
+
+--- Lib/SimpleXMLRPCServer.py.orig 2001-09-29 06:54:33.000000000 +0200
++++ Lib/SimpleXMLRPCServer.py
+@@ -161,7 +161,8 @@ class SimpleXMLRPCRequestHandler(BaseHTT
+ try:
+ func = _resolve_dotted_attribute(
+ self.server.instance,
+- method
++ method,
++ self.allow_dotted_names
+ )
+ except AttributeError:
+ pass
+@@ -178,11 +179,20 @@ class SimpleXMLRPCRequestHandler(BaseHTT
+ BaseHTTPServer.BaseHTTPRequestHandler.log_request(self, code, size)
+
+
+-def _resolve_dotted_attribute(obj, attr):
++def _resolve_dotted_attribute(obj, attr, allow_dotted_names=True):
+ """Resolves a dotted attribute name to an object. Raises
+ an AttributeError if any attribute in the chain starts with a '_'.
++
++ If the optional allow_dotted_names argument is false, dots are not
++ supported and this function operates similar to getattr(obj, attr).
+ """
+- for i in attr.split('.'):
++
++ if allow_dotted_names:
++ attrs = attr.split('.')
++ else:
++ attrs = [attr]
++
++ for i in attrs:
+ if i.startswith('_'):
+ raise AttributeError(
+ 'attempt to access private attribute "%s"' % i
+@@ -206,7 +216,7 @@ class SimpleXMLRPCServer(SocketServer.TC
+ self.instance = None
+ SocketServer.TCPServer.__init__(self, addr, requestHandler)
+
+- def register_instance(self, instance):
++ def register_instance(self, instance, allow_dotted_names=False):
+ """Registers an instance to respond to XML-RPC requests.
+
+ Only one instance can be installed at a time.
+@@ -225,9 +235,23 @@ class SimpleXMLRPCServer(SocketServer.TC
+
+ If a registered function matches a XML-RPC request, then it
+ will be called instead of the registered instance.
++
++ If the optional allow_dotted_names argument is true and the
++ instance does not have a _dispatch method, method names
++ containing dots are supported and resolved, as long as none of
++ the name segments start with an '_'.
++
++ *** SECURITY WARNING: ***
++
++ Enabling the allow_dotted_names options allows intruders
++ to access your module's global variables and may allow
++ intruders to execute arbitrary code on your machine. Only
++ use this option on a secure, closed network.
++
+ """
+
+ self.instance = instance
++ self.allow_dotted_names = allow_dotted_names
+
+ def register_function(self, function, name = None):
+ """Registers a function to respond to XML-RPC requests.
diff -r 7f4fe6996508 -r ac882c08d541 lang/python22/Makefile
--- a/lang/python22/Makefile Tue Feb 15 23:06:16 2005 +0000
+++ b/lang/python22/Makefile Wed Feb 16 14:00:08 2005 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.22 2004/08/29 10:44:19 recht Exp $
+# $NetBSD: Makefile,v 1.22.4.1 2005/02/16 14:00:08 salo Exp $
#
PKGNAME= python22-2.2.3
-PKGREVISION= 2
+PKGREVISION= 5
CONFIGURE_ARGS+= --without-threads
diff -r 7f4fe6996508 -r ac882c08d541 lang/python22/distinfo
--- a/lang/python22/distinfo Tue Feb 15 23:06:16 2005 +0000
+++ b/lang/python22/distinfo Wed Feb 16 14:00:08 2005 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.12 2004/08/29 10:44:19 recht Exp $
+$NetBSD: distinfo,v 1.12.4.1 2005/02/16 14:00:08 salo Exp $
SHA1 (Python-2.2.3.tgz) = 177d587e77e0eaa14131ab0d0d0b470777de4400
Size (Python-2.2.3.tgz) = 6709556 bytes
@@ -7,5 +7,6 @@
SHA1 (patch-ae) = aefeec78e25631a6e9e2aa047dce12c9c522715e
SHA1 (patch-af) = a2b23859941766319f638e40c49b5af3f504ef52
SHA1 (patch-ai) = 02f530a08fd8b61a696ae43ddabd7e86e4af7727
+SHA1 (patch-an) = 8e5b93bc65bb6d271e8e111949f715f7234f4371
SHA1 (patch-bb) = 389c439e8031257ca997455e10c8bd327b14638a
SHA1 (patch-bc) = 9fbe77ff35519a290ef1f70fcaa72a60009a36a1
diff -r 7f4fe6996508 -r ac882c08d541 lang/python22/patches/patch-an
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python22/patches/patch-an Wed Feb 16 14:00:08 2005 +0000
@@ -0,0 +1,70 @@
+$NetBSD: patch-an,v 1.1.2.2 2005/02/16 14:00:08 salo Exp $
+
+--- Lib/SimpleXMLRPCServer.py.orig 2001-09-29 06:54:33.000000000 +0200
++++ Lib/SimpleXMLRPCServer.py
+@@ -161,7 +161,8 @@ class SimpleXMLRPCRequestHandler(BaseHTT
+ try:
+ func = _resolve_dotted_attribute(
+ self.server.instance,
+- method
++ method,
++ self.allow_dotted_names
+ )
+ except AttributeError:
+ pass
+@@ -178,11 +179,20 @@ class SimpleXMLRPCRequestHandler(BaseHTT
+ BaseHTTPServer.BaseHTTPRequestHandler.log_request(self, code, size)
+
+
+-def _resolve_dotted_attribute(obj, attr):
++def _resolve_dotted_attribute(obj, attr, allow_dotted_names=True):
+ """Resolves a dotted attribute name to an object. Raises
+ an AttributeError if any attribute in the chain starts with a '_'.
++
++ If the optional allow_dotted_names argument is false, dots are not
++ supported and this function operates similar to getattr(obj, attr).
+ """
+- for i in attr.split('.'):
++
++ if allow_dotted_names:
++ attrs = attr.split('.')
++ else:
++ attrs = [attr]
++
++ for i in attrs:
+ if i.startswith('_'):
+ raise AttributeError(
+ 'attempt to access private attribute "%s"' % i
+@@ -206,7 +216,7 @@ class SimpleXMLRPCServer(SocketServer.TC
+ self.instance = None
+ SocketServer.TCPServer.__init__(self, addr, requestHandler)
+
+- def register_instance(self, instance):
++ def register_instance(self, instance, allow_dotted_names=False):
+ """Registers an instance to respond to XML-RPC requests.
+
+ Only one instance can be installed at a time.
+@@ -225,9 +235,23 @@ class SimpleXMLRPCServer(SocketServer.TC
+
+ If a registered function matches a XML-RPC request, then it
+ will be called instead of the registered instance.
++
++ If the optional allow_dotted_names argument is true and the
++ instance does not have a _dispatch method, method names
++ containing dots are supported and resolved, as long as none of
++ the name segments start with an '_'.
++
++ *** SECURITY WARNING: ***
++
++ Enabling the allow_dotted_names options allows intruders
++ to access your module's global variables and may allow
++ intruders to execute arbitrary code on your machine. Only
++ use this option on a secure, closed network.
++
+ """
+
+ self.instance = instance
++ self.allow_dotted_names = allow_dotted_names
+
+ def register_function(self, function, name = None):
+ """Registers a function to respond to XML-RPC requests.
diff -r 7f4fe6996508 -r ac882c08d541 lang/python23-pth/distinfo
--- a/lang/python23-pth/distinfo Tue Feb 15 23:06:16 2005 +0000
+++ b/lang/python23-pth/distinfo Wed Feb 16 14:00:08 2005 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.19 2004/11/28 13:33:20 recht Exp $
+$NetBSD: distinfo,v 1.19.2.1 2005/02/16 14:00:08 salo Exp $
SHA1 (Python-2.3.4.tgz) = 7d47431febec704e766b57f12a1a5030bb2d03c3
Size (Python-2.3.4.tgz) = 8502738 bytes
@@ -10,6 +10,7 @@
SHA1 (patch-ah) = f9a46bfe82acec594cf44afd43f359a5248edadb
SHA1 (patch-al) = 72c155d28675c10e30a0b13f33f6d1a52457ee47
SHA1 (patch-am) = eda4c6161b4237e1281cc6b82b26c5195444dcff
+SHA1 (patch-an) = dea3d89818a937ad47a72d6a21b806d258a973c2
SHA1 (patch-ba) = dd8f89952d7f40c9a979e362758775f093e047bc
SHA1 (patch-bb) = 7c6fe21b6328dddce2a079b0a1c7ae0bee817bae
SHA1 (patch-ca) = 95f5a515fe3dafd75d077e0591e88a34447152ff
diff -r 7f4fe6996508 -r ac882c08d541 lang/python23-pth/patches/patch-an
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python23-pth/patches/patch-an Wed Feb 16 14:00:08 2005 +0000
@@ -0,0 +1,82 @@
+$NetBSD: patch-an,v 1.2.6.1 2005/02/16 14:00:08 salo Exp $
+
+--- Lib/SimpleXMLRPCServer.py.orig 2003-06-29 06:19:37.000000000 +0200
++++ Lib/SimpleXMLRPCServer.py
+@@ -107,14 +107,22 @@ import sys
+ import types
+ import os
+
+-def resolve_dotted_attribute(obj, attr):
++def resolve_dotted_attribute(obj, attr, allow_dotted_names=True):
+ """resolve_dotted_attribute(a, 'b.c.d') => a.b.c.d
+
+ Resolves a dotted attribute name to an object. Raises
+ an AttributeError if any attribute in the chain starts with a '_'.
++
++ If the optional allow_dotted_names argument is false, dots are not
++ supported and this function operates similar to getattr(obj, attr).
+ """
+
+- for i in attr.split('.'):
++ if allow_dotted_names:
++ attrs = attr.split('.')
++ else:
++ attrs = [attr]
++
++ for i in attrs:
+ if i.startswith('_'):
+ raise AttributeError(
+ 'attempt to access private attribute "%s"' % i
+@@ -156,7 +164,7 @@ class SimpleXMLRPCDispatcher:
+ self.funcs = {}
+ self.instance = None
+
+- def register_instance(self, instance):
++ def register_instance(self, instance, allow_dotted_names=False):
+ """Registers an instance to respond to XML-RPC requests.
+
+ Only one instance can be installed at a time.
+@@ -174,9 +182,23 @@ class SimpleXMLRPCDispatcher:
+
+ If a registered function matches a XML-RPC request, then it
+ will be called instead of the registered instance.
++
++ If the optional allow_dotted_names argument is true and the
++ instance does not have a _dispatch method, method names
++ containing dots are supported and resolved, as long as none of
++ the name segments start with an '_'.
++
++ *** SECURITY WARNING: ***
++
++ Enabling the allow_dotted_names options allows intruders
++ to access your module's global variables and may allow
++ intruders to execute arbitrary code on your machine. Only
++ use this option on a secure, closed network.
++
+ """
+
+ self.instance = instance
++ self.allow_dotted_names = allow_dotted_names
+
+ def register_function(self, function, name = None):
+ """Registers a function to respond to XML-RPC requests.
+@@ -295,7 +317,8 @@ class SimpleXMLRPCDispatcher:
+ try:
+ method = resolve_dotted_attribute(
+ self.instance,
+- method_name
++ method_name,
++ self.allow_dotted_names
+ )
Home |
Main Index |
Thread Index |
Old Index