pkgsrc-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[pkgsrc/trunk]: pkgsrc/lang apply the security fix from



details:   https://anonhg.NetBSD.org/pkgsrc/rev/cacbc987fa4c
branches:  trunk
changeset: 488582:cacbc987fa4c
user:      drochner <drochner%pkgsrc.org@localhost>
date:      Fri Feb 04 15:39:04 2005 +0000

description:
apply the security fix from
http://www.python.org/security/PSF-2005-001/
This disables hierarchical object lookups in SimpleXMLRPCServer.
Unfortunately, this breaks some applications (eg kenosis). Don't
shoot me for this.
bump PKGREVISION

diffstat:

 lang/python22/Makefile         |   4 +-
 lang/python22/distinfo         |   3 +-
 lang/python22/patches/patch-an |  70 +++++++++++++++++++++++++++++++++++
 lang/python23-nth/Makefile     |   4 +-
 lang/python23/Makefile         |   4 +-
 lang/python23/distinfo         |   3 +-
 lang/python23/patches/patch-an |  82 ++++++++++++++++++++++++++++++++++++++++++
 lang/python24/Makefile         |   4 +-
 lang/python24/distinfo         |   3 +-
 lang/python24/patches/patch-an |  82 ++++++++++++++++++++++++++++++++++++++++++
 10 files changed, 248 insertions(+), 11 deletions(-)

diffs (truncated from 351 to 300 lines):

diff -r bdeaca9808f9 -r cacbc987fa4c lang/python22/Makefile
--- a/lang/python22/Makefile    Fri Feb 04 15:33:43 2005 +0000
+++ b/lang/python22/Makefile    Fri Feb 04 15:39:04 2005 +0000
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.25 2005/01/30 12:44:39 jmmv Exp $
+# $NetBSD: Makefile,v 1.26 2005/02/04 15:39:04 drochner Exp $
 #
 
 DISTNAME=      Python-2.2.3
 PKGNAME=       python22-2.2.3
-PKGREVISION=   4
+PKGREVISION=   5
 CATEGORIES=    lang python
 MASTER_SITES=  ftp://ftp.python.org/pub/python/2.2.3/
 EXTRACT_SUFX=  .tgz
diff -r bdeaca9808f9 -r cacbc987fa4c lang/python22/distinfo
--- a/lang/python22/distinfo    Fri Feb 04 15:33:43 2005 +0000
+++ b/lang/python22/distinfo    Fri Feb 04 15:39:04 2005 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.13 2005/01/24 21:43:40 tv Exp $
+$NetBSD: distinfo,v 1.14 2005/02/04 15:39:04 drochner Exp $
 
 SHA1 (Python-2.2.3.tgz) = 177d587e77e0eaa14131ab0d0d0b470777de4400
 Size (Python-2.2.3.tgz) = 6709556 bytes
@@ -8,5 +8,6 @@
 SHA1 (patch-af) = a2b23859941766319f638e40c49b5af3f504ef52
 SHA1 (patch-ai) = 02f530a08fd8b61a696ae43ddabd7e86e4af7727
 SHA1 (patch-al) = e114392656703cfda734d3a9ae0072a9fbcc8123
+SHA1 (patch-an) = 8e5b93bc65bb6d271e8e111949f715f7234f4371
 SHA1 (patch-bb) = 389c439e8031257ca997455e10c8bd327b14638a
 SHA1 (patch-bc) = 9fbe77ff35519a290ef1f70fcaa72a60009a36a1
diff -r bdeaca9808f9 -r cacbc987fa4c lang/python22/patches/patch-an
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python22/patches/patch-an    Fri Feb 04 15:39:04 2005 +0000
@@ -0,0 +1,70 @@
+$NetBSD: patch-an,v 1.1 2005/02/04 15:39:04 drochner Exp $
+
+--- Lib/SimpleXMLRPCServer.py.orig     2001-09-29 06:54:33.000000000 +0200
++++ Lib/SimpleXMLRPCServer.py
+@@ -161,7 +161,8 @@ class SimpleXMLRPCRequestHandler(BaseHTT
+                     try:
+                         func = _resolve_dotted_attribute(
+                             self.server.instance,
+-                            method
++                            method,
++                            self.allow_dotted_names
+                             )
+                     except AttributeError:
+                         pass
+@@ -178,11 +179,20 @@ class SimpleXMLRPCRequestHandler(BaseHTT
+             BaseHTTPServer.BaseHTTPRequestHandler.log_request(self, code, size)
+ 
+ 
+-def _resolve_dotted_attribute(obj, attr):
++def _resolve_dotted_attribute(obj, attr, allow_dotted_names=True):
+     """Resolves a dotted attribute name to an object.  Raises
+     an AttributeError if any attribute in the chain starts with a '_'.
++
++    If the optional allow_dotted_names argument is false, dots are not
++    supported and this function operates similar to getattr(obj, attr).
+     """
+-    for i in attr.split('.'):
++
++    if allow_dotted_names:
++        attrs = attr.split('.')
++    else:
++        attrs = [attr]
++
++    for i in attrs:
+         if i.startswith('_'):
+             raise AttributeError(
+                 'attempt to access private attribute "%s"' % i
+@@ -206,7 +216,7 @@ class SimpleXMLRPCServer(SocketServer.TC
+         self.instance = None
+         SocketServer.TCPServer.__init__(self, addr, requestHandler)
+ 
+-    def register_instance(self, instance):
++    def register_instance(self, instance, allow_dotted_names=False):
+         """Registers an instance to respond to XML-RPC requests.
+ 
+         Only one instance can be installed at a time.
+@@ -225,9 +235,23 @@ class SimpleXMLRPCServer(SocketServer.TC
+ 
+         If a registered function matches a XML-RPC request, then it
+         will be called instead of the registered instance.
++
++        If the optional allow_dotted_names argument is true and the
++        instance does not have a _dispatch method, method names
++        containing dots are supported and resolved, as long as none of
++        the name segments start with an '_'.
++
++            *** SECURITY WARNING: ***
++
++            Enabling the allow_dotted_names options allows intruders
++            to access your module's global variables and may allow
++            intruders to execute arbitrary code on your machine.  Only
++            use this option on a secure, closed network.
++
+         """
+ 
+         self.instance = instance
++        self.allow_dotted_names = allow_dotted_names
+ 
+     def register_function(self, function, name = None):
+         """Registers a function to respond to XML-RPC requests.
diff -r bdeaca9808f9 -r cacbc987fa4c lang/python23-nth/Makefile
--- a/lang/python23-nth/Makefile        Fri Feb 04 15:33:43 2005 +0000
+++ b/lang/python23-nth/Makefile        Fri Feb 04 15:39:04 2005 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.2 2005/01/30 12:44:40 jmmv Exp $
+# $NetBSD: Makefile,v 1.3 2005/02/04 15:39:04 drochner Exp $
 #
 
 PKGNAME=       python23-nth-2.3.4
-PKGREVISION=   1
+PKGREVISION=   2
 
 CONFLICTS+=    python-[0-9]*
 
diff -r bdeaca9808f9 -r cacbc987fa4c lang/python23/Makefile
--- a/lang/python23/Makefile    Fri Feb 04 15:33:43 2005 +0000
+++ b/lang/python23/Makefile    Fri Feb 04 15:39:04 2005 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.25 2005/01/30 12:44:40 jmmv Exp $
+# $NetBSD: Makefile,v 1.26 2005/02/04 15:39:04 drochner Exp $
 #
 
 PKGNAME=       python23-2.3.4
-PKGREVISION=   6
+PKGREVISION=   7
 
 CONFLICTS+=    python-[0-9]*
 
diff -r bdeaca9808f9 -r cacbc987fa4c lang/python23/distinfo
--- a/lang/python23/distinfo    Fri Feb 04 15:33:43 2005 +0000
+++ b/lang/python23/distinfo    Fri Feb 04 15:39:04 2005 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.24 2005/01/19 17:45:34 tv Exp $
+$NetBSD: distinfo,v 1.25 2005/02/04 15:39:04 drochner Exp $
 
 SHA1 (Python-2.3.4.tgz) = 7d47431febec704e766b57f12a1a5030bb2d03c3
 Size (Python-2.3.4.tgz) = 8502738 bytes
@@ -10,6 +10,7 @@
 SHA1 (patch-ah) = 21d64c6f6a9f0ccf13b5439859b05e193b0338b0
 SHA1 (patch-al) = d9b35c19e31edea1442b742aeeaa1b37f64d0d67
 SHA1 (patch-am) = df5c858b32a9a5aa118c84f6742f9d3547c0c7f3
+SHA1 (patch-an) = dea3d89818a937ad47a72d6a21b806d258a973c2
 SHA1 (patch-bb) = 7c6fe21b6328dddce2a079b0a1c7ae0bee817bae
 SHA1 (patch-ca) = 95f5a515fe3dafd75d077e0591e88a34447152ff
 SHA1 (patch-cb) = 301205b29db1ca60f06b2dc0423f5f911eabcd18
diff -r bdeaca9808f9 -r cacbc987fa4c lang/python23/patches/patch-an
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python23/patches/patch-an    Fri Feb 04 15:39:04 2005 +0000
@@ -0,0 +1,82 @@
+$NetBSD: patch-an,v 1.3 2005/02/04 15:39:04 drochner Exp $
+
+--- Lib/SimpleXMLRPCServer.py.orig     2003-06-29 06:19:37.000000000 +0200
++++ Lib/SimpleXMLRPCServer.py
+@@ -107,14 +107,22 @@ import sys
+ import types
+ import os
+ 
+-def resolve_dotted_attribute(obj, attr):
++def resolve_dotted_attribute(obj, attr, allow_dotted_names=True):
+     """resolve_dotted_attribute(a, 'b.c.d') => a.b.c.d
+ 
+     Resolves a dotted attribute name to an object.  Raises
+     an AttributeError if any attribute in the chain starts with a '_'.
++
++    If the optional allow_dotted_names argument is false, dots are not
++    supported and this function operates similar to getattr(obj, attr).
+     """
+ 
+-    for i in attr.split('.'):
++    if allow_dotted_names:
++        attrs = attr.split('.')
++    else:
++        attrs = [attr]
++
++    for i in attrs:
+         if i.startswith('_'):
+             raise AttributeError(
+                 'attempt to access private attribute "%s"' % i
+@@ -156,7 +164,7 @@ class SimpleXMLRPCDispatcher:
+         self.funcs = {}
+         self.instance = None
+ 
+-    def register_instance(self, instance):
++    def register_instance(self, instance, allow_dotted_names=False):
+         """Registers an instance to respond to XML-RPC requests.
+ 
+         Only one instance can be installed at a time.
+@@ -174,9 +182,23 @@ class SimpleXMLRPCDispatcher:
+ 
+         If a registered function matches a XML-RPC request, then it
+         will be called instead of the registered instance.
++
++        If the optional allow_dotted_names argument is true and the
++        instance does not have a _dispatch method, method names
++        containing dots are supported and resolved, as long as none of
++        the name segments start with an '_'.
++
++            *** SECURITY WARNING: ***
++
++            Enabling the allow_dotted_names options allows intruders
++            to access your module's global variables and may allow
++            intruders to execute arbitrary code on your machine.  Only
++            use this option on a secure, closed network.
++
+         """
+ 
+         self.instance = instance
++        self.allow_dotted_names = allow_dotted_names
+ 
+     def register_function(self, function, name = None):
+         """Registers a function to respond to XML-RPC requests.
+@@ -295,7 +317,8 @@ class SimpleXMLRPCDispatcher:
+                 try:
+                     method = resolve_dotted_attribute(
+                                 self.instance,
+-                                method_name
++                                method_name,
++                                self.allow_dotted_names
+                                 )
+                 except AttributeError:
+                     pass
+@@ -374,7 +397,8 @@ class SimpleXMLRPCDispatcher:
+                     try:
+                         func = resolve_dotted_attribute(
+                             self.instance,
+-                            method
++                            method,
++                            self.allow_dotted_names
+                             )
+                     except AttributeError:
+                         pass
diff -r bdeaca9808f9 -r cacbc987fa4c lang/python24/Makefile
--- a/lang/python24/Makefile    Fri Feb 04 15:33:43 2005 +0000
+++ b/lang/python24/Makefile    Fri Feb 04 15:39:04 2005 +0000
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.3 2005/01/30 12:44:40 jmmv Exp $
+# $NetBSD: Makefile,v 1.4 2005/02/04 15:39:04 drochner Exp $
 #
 
 DISTNAME=      Python-2.4
 PKGNAME=       python24-2.4
-PKGREVISION=   3
+PKGREVISION=   4
 CATEGORIES=    lang python
 MASTER_SITES=  ftp://ftp.python.org/pub/python/2.4/
 EXTRACT_SUFX=  .tar.bz2
diff -r bdeaca9808f9 -r cacbc987fa4c lang/python24/distinfo
--- a/lang/python24/distinfo    Fri Feb 04 15:33:43 2005 +0000
+++ b/lang/python24/distinfo    Fri Feb 04 15:39:04 2005 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.5 2005/01/24 21:46:33 tv Exp $
+$NetBSD: distinfo,v 1.6 2005/02/04 15:39:04 drochner Exp $
 
 SHA1 (Python-2.4.tar.bz2) = 80c06f491a4b2a629e868540150faf22c5d0e41e
 Size (Python-2.4.tar.bz2) = 7840762 bytes
@@ -15,3 +15,4 @@
 SHA1 (patch-ak) = f2e1d4087a94490bd3589a8c829ec72e04f31f72
 SHA1 (patch-al) = 2cd3088f1d8b4e827c89fa75c2f7663f842451af
 SHA1 (patch-am) = aa71ec2f9cc8f434ff38b19df23b5dd433e13e5a
+SHA1 (patch-an) = 02222a16fb6b5eac69098e8c310f62bb75fa559b
diff -r bdeaca9808f9 -r cacbc987fa4c lang/python24/patches/patch-an
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python24/patches/patch-an    Fri Feb 04 15:39:04 2005 +0000
@@ -0,0 +1,82 @@
+$NetBSD: patch-an,v 1.1 2005/02/04 15:39:04 drochner Exp $
+
+--- Lib/SimpleXMLRPCServer.py.orig     2004-10-04 01:21:44.000000000 +0200
++++ Lib/SimpleXMLRPCServer.py
+@@ -106,14 +106,22 @@ import BaseHTTPServer
+ import sys
+ import os
+ 
+-def resolve_dotted_attribute(obj, attr):
++def resolve_dotted_attribute(obj, attr, allow_dotted_names=True):
+     """resolve_dotted_attribute(a, 'b.c.d') => a.b.c.d
+ 
+     Resolves a dotted attribute name to an object.  Raises
+     an AttributeError if any attribute in the chain starts with a '_'.
++
++    If the optional allow_dotted_names argument is false, dots are not
++    supported and this function operates similar to getattr(obj, attr).
+     """
+ 
+-    for i in attr.split('.'):
++    if allow_dotted_names:
++        attrs = attr.split('.')
++    else:
++        attrs = [attr]
++
++    for i in attrs:
+         if i.startswith('_'):
+             raise AttributeError(
+                 'attempt to access private attribute "%s"' % i
+@@ -155,7 +163,7 @@ class SimpleXMLRPCDispatcher:
+         self.funcs = {}



Home | Main Index | Thread Index | Old Index