wok-current rev 10975

Up: python to 2.7.2.
author Christopher Rogers <slaxemulator@gmail.com>
date Wed Oct 12 12:47:24 2011 +0000 (2011-10-12)
parents f5b1d838898b
children 5b985a3d5093
files python-dev/receipt python/receipt python/stuff/CVE-2011-1521.patch
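--- a/python-dev/receipt	Wed Oct 12 12:42:58 2011 +0000
+++ b/python-dev/receipt	Wed Oct 12 12:47:24 2011 +0000
@@ -1,7 +1,7 @@
 # SliTaz package receipt.
 
 PACKAGE="python-dev"
-VERSION="2.7.1"
+VERSION="2.7.2"
 CATEGORY="development"
 SHORT_DESC="The Python programming language devel files."
 MAINTAINER="pankso@slitaz.org"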
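--- a/python/receipt	Wed Oct 12 12:42:58 2011 +0000
+++ b/python/receipt	Wed Oct 12 12:47:24 2011 +0000
@@ -1,7 +1,7 @@
 # SliTaz package receipt.
 
 PACKAGE="python"
-VERSION="2.7.1"
+VERSION="2.7.2"
 CATEGORY="development"
 SHORT_DESC="The Python programming language."
 MAINTAINER="pankso@slitaz.org"
@@ -17,9 +17,11 @@
 compile_rules()
 {
 	cd $src
-	# Fix urllib Security Vulnerability
-	# http://blog.python.org/2011/04/urllib-security-vulnerability-fixed.html
-	patch -Np1 -i $stuff/CVE-2011-1521.patch
+	# Temporary workaround for FS#22322
+	# See http://bugs.python.org/issue10835 for upstream report
+	sed -i "/progname =/s/python/python${_pybasever}/" Python/pythonrun.c
+	# Enable built-in SQLite3 module to load extensions (fix FS#22122)
+	sed -i "/SQLITE_OMIT_LOAD_EXTENSION/d" setup.py
 	./configure \
 		--enable-shared \
 		--build=$HOST_SYSTEM \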
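Review bot: `${_pybasever}` in the first added `sed` is not assigned anywhere in the lines shown, and the FS# ticket numbers in both comments appear to come from another distribution's tracker, so if the receipt never sets the variable the substitution rewrites `python` to `python` and the workaround silently does nothing. Deriving the suffix from the receipt's own version would avoid that: `sed -i "/progname =/s/python/python${VERSION%.*}/" Python/pythonrun.c`. Separately, deleting `SQLITE_OMIT_LOAD_EXTENSION` from setup.py lets `sqlite3` load shared libraries into the interpreter, which widens what code holding a connection can do; the comment should say why the distribution wants this and that loading stays off per connection until `enable_load_extension(True)` is called. Both `sed -i` calls also exit 0 when their pattern no longer matches, so a `grep -q` check before each would keep a future version bump from dropping them unnoticed. Receipt lines 8–16 and the rest of `compile_rules` are outside the hunk.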
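--- a/python/stuff/CVE-2011-1521.patch	Wed Oct 12 12:42:58 2011 +0000
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,98 +0,0 @@
-diff -Naur Python-2.7.1.ori/Lib/test/test_urllib2.py Python-2.7.1/Lib/test/test_urllib2.py
---- Python-2.7.1.ori/Lib/test/test_urllib2.py	2010-11-21 21:04:33.000000000 -0800
-+++ Python-2.7.1/Lib/test/test_urllib2.py	2011-04-15 05:02:13.278853672 -0700
-@@ -969,6 +969,27 @@
-             self.assertEqual(count,
-                              urllib2.HTTPRedirectHandler.max_redirections)
- 
-+    def test_invalid_redirect(self):
-+        from_url = "http://example.com/a.html"
-+        valid_schemes = ['http', 'https', 'ftp']
-+        invalid_schemes = ['file', 'imap', 'ldap']
-+        schemeless_url = "example.com/b.html"
-+        h = urllib2.HTTPRedirectHandler()
-+        o = h.parent = MockOpener()
-+        req = Request(from_url)
-+
-+        for scheme in invalid_schemes:
-+            invalid_url = scheme + '://' + schemeless_url
-+            self.assertRaises(urllib2.HTTPError, h.http_error_302,
-+                              req, MockFile(), 302, "Security Loophole",
-+                              MockHeaders({"location": invalid_url}))
-+
-+        for scheme in valid_schemes:
-+            valid_url = scheme + '://' + schemeless_url
-+            h.http_error_302(req, MockFile(), 302, "That's fine",
-+                MockHeaders({"location": valid_url}))
-+            self.assertEqual(o.req.get_full_url(), valid_url)
-+
-     def test_cookie_redirect(self):
-         # cookies shouldn't leak into redirected requests
-         from cookielib import CookieJar
-diff -Naur Python-2.7.1.ori/Lib/test/test_urllib.py Python-2.7.1/Lib/test/test_urllib.py
---- Python-2.7.1.ori/Lib/test/test_urllib.py	2010-11-21 05:34:58.000000000 -0800
-+++ Python-2.7.1/Lib/test/test_urllib.py	2011-04-15 05:02:13.278853672 -0700
-@@ -161,6 +161,20 @@
-         finally:
-             self.unfakehttp()
- 
-+    def test_invalid_redirect(self):
-+        # urlopen() should raise IOError for many error codes.
-+        self.fakehttp("""HTTP/1.1 302 Found
-+Date: Wed, 02 Jan 2008 03:03:54 GMT
-+Server: Apache/1.3.33 (Debian GNU/Linux) mod_ssl/2.8.22 OpenSSL/0.9.7e
-+Location: file:README
-+Connection: close
-+Content-Type: text/html; charset=iso-8859-1
-+""")
-+        try:
-+            self.assertRaises(IOError, urllib.urlopen, "http://python.org/")
-+        finally:
-+            self.unfakehttp()
-+
-     def test_empty_socket(self):
-         # urlopen() raises IOError if the underlying socket does not send any
-         # data. (#1680230)
-diff -Naur Python-2.7.1.ori/Lib/urllib2.py Python-2.7.1/Lib/urllib2.py
---- Python-2.7.1.ori/Lib/urllib2.py	2010-11-20 03:24:08.000000000 -0800
-+++ Python-2.7.1/Lib/urllib2.py	2011-04-15 05:02:13.278853672 -0700
-@@ -579,6 +579,17 @@
- 
-         newurl = urlparse.urljoin(req.get_full_url(), newurl)
- 
-+        # For security reasons we do not allow redirects to protocols
-+        # other than HTTP, HTTPS or FTP.
-+        newurl_lower = newurl.lower()
-+        if not (newurl_lower.startswith('http://') or
-+                newurl_lower.startswith('https://') or
-+                newurl_lower.startswith('ftp://')):
-+            raise HTTPError(newurl, code,
-+                            msg + " - Redirection to url '%s' is not allowed" %
-+                            newurl,
-+                            headers, fp)
-+
-         # XXX Probably want to forget about the state of the current
-         # request, although that might interact poorly with other
-         # handlers that also use handler-specific request attributes
-diff -Naur Python-2.7.1.ori/Lib/urllib.py Python-2.7.1/Lib/urllib.py
---- Python-2.7.1.ori/Lib/urllib.py	2010-11-21 21:04:33.000000000 -0800
-+++ Python-2.7.1/Lib/urllib.py	2011-04-15 05:02:13.278853672 -0700
-@@ -644,6 +644,18 @@
-         fp.close()
-         # In case the server sent a relative URL, join with original:
-         newurl = basejoin(self.type + ":" + url, newurl)
-+
-+        # For security reasons we do not allow redirects to protocols
-+        # other than HTTP, HTTPS or FTP.
-+        newurl_lower = newurl.lower()
-+        if not (newurl_lower.startswith('http://') or
-+                newurl_lower.startswith('https://') or
-+                newurl_lower.startswith('ftp://')):
-+            raise IOError('redirect error', errcode,
-+                          errmsg + " - Redirection to url '%s' is not allowed" %
-+                          newurl,
-+                          headers)
-+
-         return self.open(newurl)
- 
-     def http_error_301(self, url, fp, errcode, errmsg, headers, data=None):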