authorroot <root@rshg047.dnsready.net>2011-04-16 13:48:38 +0000
committerroot <root@rshg047.dnsready.net>2011-04-16 13:48:38 +0000
commitec549f64c923643d4b13dd7d364e080840ae3e29 (patch)
treecb680711dd6875847036bbd555f4c2539e433690 /extra/python2
parent5d3c3e85c503dae5753d1b7e92b7cdc3b3a2b34b (diff)
Sat Apr 16 13:48:38 UTC 2011
Diffstat (limited to 'extra/python2')
-rw-r--r--extra/python2/CVE-2011-1521.patch98
-rw-r--r--extra/python2/PKGBUILD22
-rw-r--r--extra/python2/python-2.7-db51.patch42
3 files changed, 154 insertions, 8 deletions
diff --git a/extra/python2/CVE-2011-1521.patch b/extra/python2/CVE-2011-1521.patch
new file mode 100644
index 000000000..d68ec3323
--- /dev/null
+++ b/extra/python2/CVE-2011-1521.patch
@@ -0,0 +1,98 @@
+diff -Naur Python-2.7.1.ori/Lib/test/test_urllib2.py Python-2.7.1/Lib/test/test_urllib2.py
+--- Python-2.7.1.ori/Lib/test/test_urllib2.py 2010-11-21 21:04:33.000000000 -0800
++++ Python-2.7.1/Lib/test/test_urllib2.py 2011-04-15 05:02:13.278853672 -0700
+@@ -969,6 +969,27 @@
+ self.assertEqual(count,
+ urllib2.HTTPRedirectHandler.max_redirections)
+
++ def test_invalid_redirect(self):
++ from_url = "http://example.com/a.html"
++ valid_schemes = ['http', 'https', 'ftp']
++ invalid_schemes = ['file', 'imap', 'ldap']
++ schemeless_url = "example.com/b.html"
++ h = urllib2.HTTPRedirectHandler()
++ o = h.parent = MockOpener()
++ req = Request(from_url)
++
++ for scheme in invalid_schemes:
++ invalid_url = scheme + '://' + schemeless_url
++ self.assertRaises(urllib2.HTTPError, h.http_error_302,
++ req, MockFile(), 302, "Security Loophole",
++ MockHeaders({"location": invalid_url}))
++
++ for scheme in valid_schemes:
++ valid_url = scheme + '://' + schemeless_url
++ h.http_error_302(req, MockFile(), 302, "That's fine",
++ MockHeaders({"location": valid_url}))
++ self.assertEqual(o.req.get_full_url(), valid_url)
++
+ def test_cookie_redirect(self):
+ # cookies shouldn't leak into redirected requests
+ from cookielib import CookieJar
+diff -Naur Python-2.7.1.ori/Lib/test/test_urllib.py Python-2.7.1/Lib/test/test_urllib.py
+--- Python-2.7.1.ori/Lib/test/test_urllib.py 2010-11-21 05:34:58.000000000 -0800
++++ Python-2.7.1/Lib/test/test_urllib.py 2011-04-15 05:02:13.278853672 -0700
+@@ -161,6 +161,20 @@
+ finally:
+ self.unfakehttp()
+
++ def test_invalid_redirect(self):
++ # urlopen() should raise IOError for many error codes.
++ self.fakehttp("""HTTP/1.1 302 Found
++Date: Wed, 02 Jan 2008 03:03:54 GMT
++Server: Apache/1.3.33 (Debian GNU/Linux) mod_ssl/2.8.22 OpenSSL/0.9.7e
++Location: file:README
++Connection: close
++Content-Type: text/html; charset=iso-8859-1
++""")
++ try:
++ self.assertRaises(IOError, urllib.urlopen, "http://python.org/")
++ finally:
++ self.unfakehttp()
++
+ def test_empty_socket(self):
+ # urlopen() raises IOError if the underlying socket does not send any
+ # data. (#1680230)
+diff -Naur Python-2.7.1.ori/Lib/urllib2.py Python-2.7.1/Lib/urllib2.py
+--- Python-2.7.1.ori/Lib/urllib2.py 2010-11-20 03:24:08.000000000 -0800
++++ Python-2.7.1/Lib/urllib2.py 2011-04-15 05:02:13.278853672 -0700
+@@ -579,6 +579,17 @@
+
+ newurl = urlparse.urljoin(req.get_full_url(), newurl)
+
++ # For security reasons we do not allow redirects to protocols
++ # other than HTTP, HTTPS or FTP.
++ newurl_lower = newurl.lower()
++ if not (newurl_lower.startswith('http://') or
++ newurl_lower.startswith('https://') or
++ newurl_lower.startswith('ftp://')):
++ raise HTTPError(newurl, code,
++ msg + " - Redirection to url '%s' is not allowed" %
++ newurl,
++ headers, fp)
++
+ # XXX Probably want to forget about the state of the current
+ # request, although that might interact poorly with other
+ # handlers that also use handler-specific request attributes
+diff -Naur Python-2.7.1.ori/Lib/urllib.py Python-2.7.1/Lib/urllib.py
+--- Python-2.7.1.ori/Lib/urllib.py 2010-11-21 21:04:33.000000000 -0800
++++ Python-2.7.1/Lib/urllib.py 2011-04-15 05:02:13.278853672 -0700
+@@ -644,6 +644,18 @@
+ fp.close()
+ # In case the server sent a relative URL, join with original:
+ newurl = basejoin(self.type + ":" + url, newurl)
++
++ # For security reasons we do not allow redirects to protocols
++ # other than HTTP, HTTPS or FTP.
++ newurl_lower = newurl.lower()
++ if not (newurl_lower.startswith('http://') or
++ newurl_lower.startswith('https://') or
++ newurl_lower.startswith('ftp://')):
++ raise IOError('redirect error', errcode,
++ errmsg + " - Redirection to url '%s' is not allowed" %
++ newurl,
++ headers)
++
+ return self.open(newurl)
+
+ def http_error_301(self, url, fp, errcode, errmsg, headers, data=None):
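Review bot: The patch file has no descriptive header, so a maintainer later has only the `diff -Naur` lines and the file name to judge a security backport by; a few lines at the top naming CVE-2011-1521 and the upstream announcement already linked from the PKGBUILD (http://blog.python.org/2011/04/urllib-security-vulnerability-fixed.html) would let it be compared against the upstream change. The scheme allowlist is implemented twice, in the urllib2.py hunk (inside http_error_302) and again in the urllib.py hunk, and the two copies must stay in step if the allowed set is ever changed; note that the test_urllib case only covers the rejected `file:` path for urllib.py, whereas test_urllib2 also checks the accepted schemes. As rendered here the added Python lines appear to have lost their leading indentation, so this view cannot confirm that the patch applies cleanly — the sha1sum recorded in the PKGBUILD is the real guard against a corrupted copy. The functions modified in urllib2.py and urllib.py both begin and end outside their hunks.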
diff --git a/extra/python2/PKGBUILD b/extra/python2/PKGBUILD
index 2dadb1ec3..af34f960a 100644
--- a/extra/python2/PKGBUILD
+++ b/extra/python2/PKGBUILD
@@ -1,11 +1,11 @@
-# $Id: PKGBUILD 119684 2011-04-13 16:35:24Z stephane $
+# $Id: PKGBUILD 119810 2011-04-15 12:17:53Z stephane $
# Maintainer: Allan McRae <allan@archlinux.org>
# Contributer: Stéphane Gaudreault <stephane@archlinux.org>
# Contributer: Jason Chu <jason@archlinux.org>
pkgname=python2
pkgver=2.7.1
-pkgrel=8
+pkgrel=9
_pybasever=2.7
pkgdesc="A high-level scripting language"
arch=('i686' 'x86_64')
@@ -17,16 +17,22 @@ optdepends=('tk: for IDLE')
conflicts=('python<3')
options=('!makeflags')
source=(http://www.python.org/ftp/python/${pkgver}/Python-${pkgver}.tar.bz2
- python-2.7-db51.diff
- python-2.7.1-fix-decimal-in-turkish-locale.patch)
-md5sums=('aa27bc25725137ba155910bd8e5ddc4f'
- 'd9b8161568ce17a305c1b71e61ccd4b5'
- '5032449f1ff2abfe18d14cc674165b23')
+ CVE-2011-1521.patch
+ python-2.7.1-fix-decimal-in-turkish-locale.patch
+ python-2.7-db51.patch)
+sha1sums=('fbe1894322ff91b80726e269c97454f4129fc2a3'
+ '31cdc76092d0f598289aaeb18e492874c981904d'
+ 'baf470682ae7d2b55caaa173696d08d3f468a569'
+ '9667a2a2f8594902b352793e649f78696a77bd13')
build() {
cd "${srcdir}/Python-${pkgver}"
- patch -Np1 -i ../python-2.7-db51.diff
+ patch -Np1 -i ../python-2.7-db51.patch
+
+ # Fix urllib Security Vulnerability
+ # http://blog.python.org/2011/04/urllib-security-vulnerability-fixed.html
+ patch -Np1 -i ../CVE-2011-1521.patch
# Fix "import decimal" in the Turkish locale
# cf : https://bugzilla.redhat.com/show_bug.cgi?id=694928
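Review bot: The comment above `patch -Np1 -i ../CVE-2011-1521.patch` says only "Fix urllib Security Vulnerability"; since the patch changes observable behaviour (urllib and urllib2 now refuse HTTP redirects to any scheme other than http, https or ftp, raising IOError/HTTPError), the comment should say so, e.g. `# CVE-2011-1521: urllib/urllib2 refuse redirects to schemes other than http/https/ftp`, so a packager triaging a later bug report can connect it to this change. The switch from md5sums to sha1sums in the same hunk also replaces the tarball's checksum; the diff cannot show whether the new value was computed from a fresh upstream download rather than a local copy, so that is worth confirming independently. build() continues past the end of the hunk.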
diff --git a/extra/python2/python-2.7-db51.patch b/extra/python2/python-2.7-db51.patch
new file mode 100644
index 000000000..2da95c375
--- /dev/null
+++ b/extra/python2/python-2.7-db51.patch
@@ -0,0 +1,42 @@
+diff -Naur Python-2.7-orig//Modules/_bsddb.c Python-2.7/Modules/_bsddb.c
+--- Python-2.7-orig//Modules/_bsddb.c 2010-05-10 00:46:46.000000000 +1000
++++ Python-2.7/Modules/_bsddb.c 2010-10-20 13:19:26.436669911 +1000
+@@ -9765,8 +9765,11 @@
+
+ ADD_INT(d, DB_REP_PERMANENT);
+
+-#if (DBVER >= 44)
++#if (DBVER >= 44) && (DBVER <= 48)
+ ADD_INT(d, DB_REP_CONF_NOAUTOINIT);
++#endif
++
++#if (DBVER >= 44)
+ ADD_INT(d, DB_REP_CONF_DELAYCLIENT);
+ ADD_INT(d, DB_REP_CONF_BULK);
+ ADD_INT(d, DB_REP_CONF_NOWAIT);
+diff -Naur Python-2.7-orig//setup.py Python-2.7/setup.py
+--- Python-2.7-orig//setup.py 2010-06-27 22:36:16.000000000 +1000
++++ Python-2.7/setup.py 2010-10-20 13:10:48.256670026 +1000
+@@ -765,7 +765,7 @@
+ # a release. Most open source OSes come with one or more
+ # versions of BerkeleyDB already installed.
+
+- max_db_ver = (4, 8)
++ max_db_ver = (5, 1)
+ min_db_ver = (4, 1)
+ db_setup_debug = False # verbose debug prints from this script?
+
+@@ -787,8 +787,12 @@
+ return True
+
+ def gen_db_minor_ver_nums(major):
+- if major == 4:
++ if major == 5:
+ for x in range(max_db_ver[1]+1):
++ if allow_db_ver((5, x)):
++ yield x
++ if major == 4:
++ for x in range(9):
+ if allow_db_ver((4, x)):
+ yield x
+ elif major == 3: