wok-current rev 10975
Up: python to 2.7.2.
| author | Christopher Rogers <slaxemulator@gmail.com> |
|---|---|
| date | Wed Oct 12 12:47:24 2011 +0000 (2011-10-12) |
| parents | f5b1d838898b |
| children | 5b985a3d5093 |
| files | python-dev/receipt python/receipt python/stuff/CVE-2011-1521.patch |
line diff
1.1 --- a/python-dev/receipt Wed Oct 12 12:42:58 2011 +0000 1.2 +++ b/python-dev/receipt Wed Oct 12 12:47:24 2011 +0000 1.3 @@ -1,7 +1,7 @@ 1.4 # SliTaz package receipt. 1.5 1.6 PACKAGE="python-dev" 1.7 -VERSION="2.7.1" 1.8 +VERSION="2.7.2" 1.9 CATEGORY="development" 1.10 SHORT_DESC="The Python programming language devel files." 1.11 MAINTAINER="pankso@slitaz.org"
2.1 --- a/python/receipt Wed Oct 12 12:42:58 2011 +0000 2.2 +++ b/python/receipt Wed Oct 12 12:47:24 2011 +0000 2.3 @@ -1,7 +1,7 @@ 2.4 # SliTaz package receipt. 2.5 2.6 PACKAGE="python" 2.7 -VERSION="2.7.1" 2.8 +VERSION="2.7.2" 2.9 CATEGORY="development" 2.10 SHORT_DESC="The Python programming language." 2.11 MAINTAINER="pankso@slitaz.org" 2.12 @@ -17,9 +17,11 @@ 2.13 compile_rules() 2.14 { 2.15 cd $src 2.16 - # Fix urllib Security Vulnerability 2.17 - # http://blog.python.org/2011/04/urllib-security-vulnerability-fixed.html 2.18 - patch -Np1 -i $stuff/CVE-2011-1521.patch 2.19 + # Temporary workaround for FS#22322 2.20 + # See http://bugs.python.org/issue10835 for upstream report 2.21 + sed -i "/progname =/s/python/python${_pybasever}/" Python/pythonrun.c 2.22 + # Enable built-in SQLite3 module to load extensions (fix FS#22122) 2.23 + sed -i "/SQLITE_OMIT_LOAD_EXTENSION/d" setup.py 2.24 ./configure \ 2.25 --enable-shared \ 2.26 --build=$HOST_SYSTEM \
3.1 --- a/python/stuff/CVE-2011-1521.patch Wed Oct 12 12:42:58 2011 +0000 3.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 3.3 @@ -1,98 +0,0 @@ 3.4 -diff -Naur Python-2.7.1.ori/Lib/test/test_urllib2.py Python-2.7.1/Lib/test/test_urllib2.py 3.5 ---- Python-2.7.1.ori/Lib/test/test_urllib2.py 2010-11-21 21:04:33.000000000 -0800 3.6 -+++ Python-2.7.1/Lib/test/test_urllib2.py 2011-04-15 05:02:13.278853672 -0700 3.7 -@@ -969,6 +969,27 @@ 3.8 - self.assertEqual(count, 3.9 - urllib2.HTTPRedirectHandler.max_redirections) 3.10 - 3.11 -+ def test_invalid_redirect(self): 3.12 -+ from_url = "http://example.com/a.html" 3.13 -+ valid_schemes = ['http', 'https', 'ftp'] 3.14 -+ invalid_schemes = ['file', 'imap', 'ldap'] 3.15 -+ schemeless_url = "example.com/b.html" 3.16 -+ h = urllib2.HTTPRedirectHandler() 3.17 -+ o = h.parent = MockOpener() 3.18 -+ req = Request(from_url) 3.19 -+ 3.20 -+ for scheme in invalid_schemes: 3.21 -+ invalid_url = scheme + '://' + schemeless_url 3.22 -+ self.assertRaises(urllib2.HTTPError, h.http_error_302, 3.23 -+ req, MockFile(), 302, "Security Loophole", 3.24 -+ MockHeaders({"location": invalid_url})) 3.25 -+ 3.26 -+ for scheme in valid_schemes: 3.27 -+ valid_url = scheme + '://' + schemeless_url 3.28 -+ h.http_error_302(req, MockFile(), 302, "That's fine", 3.29 -+ MockHeaders({"location": valid_url})) 3.30 -+ self.assertEqual(o.req.get_full_url(), valid_url) 3.31 -+ 3.32 - def test_cookie_redirect(self): 3.33 - # cookies shouldn't leak into redirected requests 3.34 - from cookielib import CookieJar 3.35 -diff -Naur Python-2.7.1.ori/Lib/test/test_urllib.py Python-2.7.1/Lib/test/test_urllib.py 3.36 ---- Python-2.7.1.ori/Lib/test/test_urllib.py 2010-11-21 05:34:58.000000000 -0800 3.37 -+++ Python-2.7.1/Lib/test/test_urllib.py 2011-04-15 05:02:13.278853672 -0700 3.38 -@@ -161,6 +161,20 @@ 3.39 - finally: 3.40 - self.unfakehttp() 3.41 - 3.42 -+ def test_invalid_redirect(self): 3.43 -+ # urlopen() should raise IOError for many error codes. 3.44 -+ self.fakehttp("""HTTP/1.1 302 Found 3.45 -+Date: Wed, 02 Jan 2008 03:03:54 GMT 3.46 -+Server: Apache/1.3.33 (Debian GNU/Linux) mod_ssl/2.8.22 OpenSSL/0.9.7e 3.47 -+Location: file:README 3.48 -+Connection: close 3.49 -+Content-Type: text/html; charset=iso-8859-1 3.50 -+""") 3.51 -+ try: 3.52 -+ self.assertRaises(IOError, urllib.urlopen, "http://python.org/") 3.53 -+ finally: 3.54 -+ self.unfakehttp() 3.55 -+ 3.56 - def test_empty_socket(self): 3.57 - # urlopen() raises IOError if the underlying socket does not send any 3.58 - # data. (#1680230) 3.59 -diff -Naur Python-2.7.1.ori/Lib/urllib2.py Python-2.7.1/Lib/urllib2.py 3.60 ---- Python-2.7.1.ori/Lib/urllib2.py 2010-11-20 03:24:08.000000000 -0800 3.61 -+++ Python-2.7.1/Lib/urllib2.py 2011-04-15 05:02:13.278853672 -0700 3.62 -@@ -579,6 +579,17 @@ 3.63 - 3.64 - newurl = urlparse.urljoin(req.get_full_url(), newurl) 3.65 - 3.66 -+ # For security reasons we do not allow redirects to protocols 3.67 -+ # other than HTTP, HTTPS or FTP. 3.68 -+ newurl_lower = newurl.lower() 3.69 -+ if not (newurl_lower.startswith('http://') or 3.70 -+ newurl_lower.startswith('https://') or 3.71 -+ newurl_lower.startswith('ftp://')): 3.72 -+ raise HTTPError(newurl, code, 3.73 -+ msg + " - Redirection to url '%s' is not allowed" % 3.74 -+ newurl, 3.75 -+ headers, fp) 3.76 -+ 3.77 - # XXX Probably want to forget about the state of the current 3.78 - # request, although that might interact poorly with other 3.79 - # handlers that also use handler-specific request attributes 3.80 -diff -Naur Python-2.7.1.ori/Lib/urllib.py Python-2.7.1/Lib/urllib.py 3.81 ---- Python-2.7.1.ori/Lib/urllib.py 2010-11-21 21:04:33.000000000 -0800 3.82 -+++ Python-2.7.1/Lib/urllib.py 2011-04-15 05:02:13.278853672 -0700 3.83 -@@ -644,6 +644,18 @@ 3.84 - fp.close() 3.85 - # In case the server sent a relative URL, join with original: 3.86 - newurl = basejoin(self.type + ":" + url, newurl) 3.87 -+ 3.88 -+ # For security reasons we do not allow redirects to protocols 3.89 -+ # other than HTTP, HTTPS or FTP. 3.90 -+ newurl_lower = newurl.lower() 3.91 -+ if not (newurl_lower.startswith('http://') or 3.92 -+ newurl_lower.startswith('https://') or 3.93 -+ newurl_lower.startswith('ftp://')): 3.94 -+ raise IOError('redirect error', errcode, 3.95 -+ errmsg + " - Redirection to url '%s' is not allowed" % 3.96 -+ newurl, 3.97 -+ headers) 3.98 -+ 3.99 - return self.open(newurl) 3.100 - 3.101 - def http_error_301(self, url, fp, errcode, errmsg, headers, data=None):