wok-6.x rev 9619
Up: py3k to 3.2. Added CVE-2011-1521 security fix. Also added pyconfig.h to py3k so python3 works. Nothing depends on this package yet so updating it will not cause any problems.
author | Christopher Rogers <slaxemulator@gmail.com> |
---|---|
date | Mon Apr 18 15:39:33 2011 +0000 (2011-04-18) |
parents | 3946902dd99c |
children | b29f64cae621 |
files | py3k-dev/receipt py3k/receipt py3k/stuff/CVE-2011-1521.patch |
line diff
1.1 --- a/py3k-dev/receipt Sun Apr 17 20:36:34 2011 +0000 1.2 +++ b/py3k-dev/receipt Mon Apr 18 15:39:33 2011 +0000 1.3 @@ -1,10 +1,11 @@ 1.4 # SliTaz package receipt. 1.5 1.6 PACKAGE="py3k-dev" 1.7 -VERSION="3.1.3" 1.8 +VERSION="3.2" 1.9 CATEGORY="development" 1.10 SHORT_DESC="The Python programming language devel files." 1.11 MAINTAINER="pankso@slitaz.org" 1.12 +DEPENDS="py3k" 1.13 WANTED="py3k" 1.14 SOURCE="Python" 1.15 WEB_SITE="http://www.python.org/" 1.16 @@ -16,5 +17,8 @@ 1.17 cp -a $_pkg/usr/include $fs/usr 1.18 cp -a $_pkg/usr/bin/*-config $fs/usr/bin 1.19 chmod 755 $fs/usr/bin/*-config 1.20 + # in py3k package now 1.21 + python_version=${VERSION:0:3} 1.22 + rm $fs/usr/include/python${python_version}m/pyconfig.h 1.23 } 1.24
2.1 --- a/py3k/receipt Sun Apr 17 20:36:34 2011 +0000 2.2 +++ b/py3k/receipt Mon Apr 18 15:39:33 2011 +0000 2.3 @@ -1,23 +1,22 @@ 2.4 # SliTaz package receipt. 2.5 2.6 PACKAGE="py3k" 2.7 -VERSION="3.1.3" 2.8 +VERSION="3.2" 2.9 CATEGORY="development" 2.10 SHORT_DESC="The Python 3000 programming language." 2.11 MAINTAINER="pascal.bellard@slitaz.org" 2.12 SOURCE="Python" 2.13 -DEPENDS="openssl ncurses bzlib readline sqlite zlib xorg-libXss ncursesw gdbm \ 2.14 +DEPENDS="openssl bzlib readline sqlite zlib xorg-libXss ncursesw gdbm \ 2.15 tk xorg-libXext" 2.16 -BUILD_DEPENDS="readline-dev openssl openssl-dev ncurses ncurses-dev 2.17 - gdbm-dev" 2.18 TARBALL="$SOURCE-$VERSION.tar.bz2" 2.19 -WEB_SITE="http://www.python.org/download/releases/3.0/" 2.20 +WEB_SITE="http://www.python.org/download/releases/3.2/" 2.21 WGET_URL="http://www.python.org/ftp/python/$VERSION/$TARBALL" 2.22 2.23 # Rules to configure and make the package. 2.24 compile_rules() 2.25 { 2.26 cd $src 2.27 + patch -Np1 -i $stuff/CVE-2011-1521.patch 2.28 ./configure --enable-shared --with-ncurses \ 2.29 --prefix=/usr --infodir=/usr/share/info \ 2.30 --mandir=/usr/share/man $CONFIGURE_ARGS && 2.31 @@ -28,9 +27,13 @@ 2.32 # Rules to gen a SliTaz package suitable for Tazpkg. 2.33 genpkg_rules() 2.34 { 2.35 - mkdir -p $fs/usr 2.36 + python_version=${VERSION:0:3} 2.37 + mkdir -p $fs/usr/include/python${python_version}m 2.38 cp -a $_pkg/usr/bin $fs/usr 2.39 cp -a $_pkg/usr/lib $fs/usr 2.40 + # needed for python3 to work 2.41 + cp -a $_pkg/usr/include/python${python_version}m/pyconfig.h \ 2.42 + $fs/usr/include/python${python_version}m 2.43 rm -f $fs/usr/bin/*-config 2.44 } 2.45
3.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 3.2 +++ b/py3k/stuff/CVE-2011-1521.patch Mon Apr 18 15:39:33 2011 +0000 3.3 @@ -0,0 +1,134 @@ 3.4 +diff -Naur Python-3.2.ori/Doc/library/urllib.request.rst Python-3.2/Doc/library/urllib.request.rst 3.5 +--- Python-3.2.ori/Doc/library/urllib.request.rst 2011-02-11 03:25:47.000000000 -0800 3.6 ++++ Python-3.2/Doc/library/urllib.request.rst 2011-04-15 03:49:02.778745379 -0700 3.7 +@@ -650,6 +650,10 @@ 3.8 + is the case, :exc:`HTTPError` is raised. See :rfc:`2616` for details of the 3.9 + precise meanings of the various redirection codes. 3.10 + 3.11 ++ An :class:`HTTPError` exception raised as a security consideration if the 3.12 ++ HTTPRedirectHandler is presented with a redirected url which is not an HTTP, 3.13 ++ HTTPS or FTP url. 3.14 ++ 3.15 + 3.16 + .. method:: HTTPRedirectHandler.redirect_request(req, fp, code, msg, hdrs, newurl) 3.17 + 3.18 +diff -Naur Python-3.2.ori/Lib/test/test_urllib2.py Python-3.2/Lib/test/test_urllib2.py 3.19 +--- Python-3.2.ori/Lib/test/test_urllib2.py 2011-02-11 03:25:47.000000000 -0800 3.20 ++++ Python-3.2/Lib/test/test_urllib2.py 2011-04-15 03:50:29.705417290 -0700 3.21 +@@ -8,6 +8,7 @@ 3.22 + 3.23 + import urllib.request 3.24 + from urllib.request import Request, OpenerDirector 3.25 ++import urllib.error 3.26 + 3.27 + # XXX 3.28 + # Request 3.29 +@@ -1029,6 +1030,29 @@ 3.30 + self.assertEqual(count, 3.31 + urllib.request.HTTPRedirectHandler.max_redirections) 3.32 + 3.33 ++ 3.34 ++ def test_invalid_redirect(self): 3.35 ++ from_url = "http://example.com/a.html" 3.36 ++ valid_schemes = ['http','https','ftp'] 3.37 ++ invalid_schemes = ['file','imap','ldap'] 3.38 ++ schemeless_url = "example.com/b.html" 3.39 ++ h = urllib.request.HTTPRedirectHandler() 3.40 ++ o = h.parent = MockOpener() 3.41 ++ req = Request(from_url) 3.42 ++ req.timeout = socket._GLOBAL_DEFAULT_TIMEOUT 3.43 ++ 3.44 ++ for scheme in invalid_schemes: 3.45 ++ invalid_url = scheme + '://' + schemeless_url 3.46 ++ self.assertRaises(urllib.error.HTTPError, h.http_error_302, 3.47 ++ req, MockFile(), 302, "Security Loophole", 3.48 ++ MockHeaders({"location": invalid_url})) 3.49 ++ 3.50 ++ for scheme in valid_schemes: 3.51 ++ valid_url = scheme + '://' + schemeless_url 3.52 ++ h.http_error_302(req, MockFile(), 302, "That's fine", 3.53 ++ MockHeaders({"location": valid_url})) 3.54 ++ self.assertEqual(o.req.get_full_url(), valid_url) 3.55 ++ 3.56 + def test_cookie_redirect(self): 3.57 + # cookies shouldn't leak into redirected requests 3.58 + from http.cookiejar import CookieJar 3.59 +diff -Naur Python-3.2.ori/Lib/test/test_urllib.py Python-3.2/Lib/test/test_urllib.py 3.60 +--- Python-3.2.ori/Lib/test/test_urllib.py 2010-12-17 09:35:56.000000000 -0800 3.61 ++++ Python-3.2/Lib/test/test_urllib.py 2011-04-15 03:49:02.778745379 -0700 3.62 +@@ -2,6 +2,7 @@ 3.63 + 3.64 + import urllib.parse 3.65 + import urllib.request 3.66 ++import urllib.error 3.67 + import http.client 3.68 + import email.message 3.69 + import io 3.70 +@@ -198,6 +199,21 @@ 3.71 + finally: 3.72 + self.unfakehttp() 3.73 + 3.74 ++ def test_invalid_redirect(self): 3.75 ++ # urlopen() should raise IOError for many error codes. 3.76 ++ self.fakehttp(b'''HTTP/1.1 302 Found 3.77 ++Date: Wed, 02 Jan 2008 03:03:54 GMT 3.78 ++Server: Apache/1.3.33 (Debian GNU/Linux) mod_ssl/2.8.22 OpenSSL/0.9.7e 3.79 ++Location: file://guidocomputer.athome.com:/python/license 3.80 ++Connection: close 3.81 ++Content-Type: text/html; charset=iso-8859-1 3.82 ++''') 3.83 ++ try: 3.84 ++ self.assertRaises(urllib.error.HTTPError, urlopen, 3.85 ++ "http://python.org/") 3.86 ++ finally: 3.87 ++ self.unfakehttp() 3.88 ++ 3.89 + def test_empty_socket(self): 3.90 + # urlopen() raises IOError if the underlying socket does not send any 3.91 + # data. (#1680230) 3.92 +diff -Naur Python-3.2.ori/Lib/urllib/request.py Python-3.2/Lib/urllib/request.py 3.93 +--- Python-3.2.ori/Lib/urllib/request.py 2011-02-11 03:25:47.000000000 -0800 3.94 ++++ Python-3.2/Lib/urllib/request.py 2011-04-15 03:49:02.778745379 -0700 3.95 +@@ -545,6 +545,17 @@ 3.96 + 3.97 + # fix a possible malformed URL 3.98 + urlparts = urlparse(newurl) 3.99 ++ 3.100 ++ # For security reasons we don't allow redirection to anything other 3.101 ++ # than http, https or ftp. 3.102 ++ 3.103 ++ if not urlparts.scheme in ('http', 'https', 'ftp'): 3.104 ++ raise HTTPError(newurl, code, 3.105 ++ msg + 3.106 ++ " - Redirection to url '%s' is not allowed" % 3.107 ++ newurl, 3.108 ++ headers, fp) 3.109 ++ 3.110 + if not urlparts.path: 3.111 + urlparts = list(urlparts) 3.112 + urlparts[2] = "/" 3.113 +@@ -1897,8 +1908,24 @@ 3.114 + return 3.115 + void = fp.read() 3.116 + fp.close() 3.117 ++ 3.118 + # In case the server sent a relative URL, join with original: 3.119 + newurl = urljoin(self.type + ":" + url, newurl) 3.120 ++ 3.121 ++ urlparts = urlparse(newurl) 3.122 ++ 3.123 ++ # For security reasons, we don't allow redirection to anything other 3.124 ++ # than http, https and ftp. 3.125 ++ 3.126 ++ # We are using newer HTTPError with older redirect_internal method 3.127 ++ # This older method will get deprecated in 3.3 3.128 ++ 3.129 ++ if not urlparts.scheme in ('http', 'https', 'ftp'): 3.130 ++ raise HTTPError(newurl, errcode, 3.131 ++ errmsg + 3.132 ++ " Redirection to url '%s' is not allowed." % newurl, 3.133 ++ headers, fp) 3.134 ++ 3.135 + return self.open(newurl) 3.136 + 3.137 + def http_error_301(self, url, fp, errcode, errmsg, headers, data=None):