Date: Thu, 3 Feb 2005 20:19:26 -0200 (BRST)
From: Marcus Grando <marcus@corp.grupos.com.br>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: perky@FreeBSD.org
Subject: ports/77078: Update port: lang/python Security update PSF-2005-001
Message-ID: <20050203221926.8F38020A25@corp.grupos.com.br>
Resent-Message-ID: <200502032220.j13MKGeB036020@freefall.freebsd.org>

>Number: 77078
>Category: ports
>Synopsis: Update port: lang/python Security update PSF-2005-001
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Thu Feb 03 22:20:16 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Marcus Grando
>Release: FreeBSD 4.11-STABLE i386
>Organization: Grupos Internet S/A
>Environment:
System: FreeBSD corp.grupos.com.br 4.11-STABLE FreeBSD 4.11-STABLE #40: Fri Jan 28 13:42:33 BRST 2005 root@corp.grupos.com.br:/usr/obj/usr/src/sys/CORP i386
>Description:
Update port: lang/python
Security update PSF-2005-001

+ Add patch from python.org

Please see: http://www.python.org/security/PSF-2005-001/

Please update vuxml
>How-To-Repeat:
>Fix:
--- python.patch begins here --- diff -ruN python.old/Makefile python/Makefile --- python.old/Makefile Tue Dec 7 00:53:11 2004 +++ python/Makefile Thu Feb 3 19:54:54 2005 @@ -7,6 +7,7 @@ PORTNAME= python PORTVERSION= 2.4 +PORTREVISION= 1 CATEGORIES= lang python ipv6 MASTER_SITES= ${PYTHON_MASTER_SITES} MASTER_SITE_SUBDIR= ${PYTHON_MASTER_SITE_SUBDIR} diff -ruN python.old/files/patch-Lib::SimpleXMLRPCServer.py python/files/patch-Lib::SimpleXMLRPCServer.py --- python.old/files/patch-Lib::SimpleXMLRPCServer.py Wed Dec 31 21:00:00 1969 +++ python/files/patch-Lib::SimpleXMLRPCServer.py Thu Feb 3 20:00:13 2005 
@@ -0,0 +1,80 @@ +--- Lib/SimpleXMLRPCServer.py.orig Sun Oct 3 20:21:44 2004 ++++ Lib/SimpleXMLRPCServer.py Thu Feb 3 19:59:20 2005 +@@ -106,14 +106,22 @@ + import sys + import os + +-def resolve_dotted_attribute(obj, attr): ++def resolve_dotted_attribute(obj, attr, allow_dotted_names=True): + """resolve_dotted_attribute(a, 'b.c.d') => a.b.c.d + + Resolves a dotted attribute name to an object. Raises + an AttributeError if any attribute in the chain starts with a '_'. ++ ++ If the optional allow_dotted_names argument is false, dots are not ++ supported and this function operates similar to getattr(obj, attr). + """ + +- for i in attr.split('.'): ++ if allow_dotted_names: ++ attrs = attr.split('.') ++ else: ++ attrs = [attr] ++ ++ for i in attrs: + if i.startswith('_'): + raise AttributeError( + 'attempt to access private attribute "%s"' % i +@@ -155,7 +163,7 @@ + self.funcs = {} + self.instance = None + +- def register_instance(self, instance): ++ def register_instance(self, instance, allow_dotted_names=False): + """Registers an instance to respond to XML-RPC requests. + + Only one instance can be installed at a time. +@@ -173,9 +181,23 @@ + + If a registered function matches a XML-RPC request, then it + will be called instead of the registered instance. ++ ++ If the optional allow_dotted_names argument is true and the ++ instance does not have a _dispatch method, method names ++ containing dots are supported and resolved, as long as none of ++ the name segments start with an '_'. ++ ++ *** SECURITY WARNING: *** ++ ++ Enabling the allow_dotted_names options allows intruders ++ to access your module's global variables and may allow ++ intruders to execute arbitrary code on your machine. Only ++ use this option on a secure, closed network. ++ + """ + + self.instance = instance ++ self.allow_dotted_names = allow_dotted_names + + def register_function(self, function, name = None): + """Registers a function to respond to XML-RPC requests. 
+@@ -294,7 +316,8 @@ + try: + method = resolve_dotted_attribute( + self.instance, +- method_name ++ method_name, ++ self.allow_dotted_names + ) + except AttributeError: + pass +@@ -373,7 +396,8 @@ + try: + func = resolve_dotted_attribute( + self.instance, +- method ++ method, ++ self.allow_dotted_names + ) + except AttributeError: + pass --- python.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted:
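Review bot: the Makefile hunk bumps PORTREVISION to 1, but the diff covers only Makefile and files/patch-Lib::SimpleXMLRPCServer.py, so the vuxml update requested in the description is not part of this submission. An accompanying security/vuxml entry that marks the package as affected below 2.4_1 and references PSF-2005-001 would let installed copies of the unpatched port be flagged; the affected version range should be taken from the advisory linked in the description.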
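Review bot: resolve_dotted_attribute() in the @@ -106,14 +106,22 @@ hunk defaults allow_dotted_names to True, while register_instance() defaults it to False, so any caller that omits the third argument still gets the dotted traversal this update is meant to switch off. Both call sites changed in this patch pass self.allow_dotted_names explicitly, so the helper could default to False (or take the argument without a default) and keep the restrictive behaviour as the fallback.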
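Review bot: self.allow_dotted_names is assigned only inside register_instance() in the @@ -173,9 +181,23 @@ hunk; the constructor context in the @@ -155,7 +163,7 @@ hunk shows self.funcs = {} and self.instance = None with no matching initialisation. Because the dispatch hunks read self.allow_dotted_names, setting it to False next to self.instance = None would keep the attribute defined, and restrictive, for a subclass or caller that assigns self.instance without going through register_instance(). Minor: the added warning reads "the allow_dotted_names options", which should be "option".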
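Review bot: both dispatch hunks (@@ -294,7 +316,8 @@ and @@ -373,7 +396,8 @@) pass self.allow_dotted_names positionally and keep the existing except AttributeError: pass, so a method name rejected for containing a dot or a leading '_' is swallowed at this point with no record. Passing the flag as allow_dotted_names=self.allow_dotted_names would make the call sites self-explanatory, and logging the rejected name in the except branch would give operators a signal that the dispatcher is being probed.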