From owner-freebsd-ports-bugs@FreeBSD.ORG Thu Feb 3 22:20:17 2005
Message-Id: <20050203221926.8F38020A25@corp.grupos.com.br>
Date: Thu, 3 Feb 2005 20:19:26 -0200 (BRST)
From: Marcus Grando
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
cc: perky@FreeBSD.org
Subject: ports/77078: Update port: lang/python Security update PSF-2005-001
Reply-To: Marcus Grando

>Number: 77078
>Category: ports
>Synopsis: Update port: lang/python Security update PSF-2005-001
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Thu Feb 03 22:20:16 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Marcus Grando
>Release: FreeBSD 4.11-STABLE i386
>Organization: Grupos Internet S/A
>Environment:
System: FreeBSD corp.grupos.com.br 4.11-STABLE FreeBSD 4.11-STABLE #40: Fri Jan 28 13:42:33 BRST 2005 root@corp.grupos.com.br:/usr/obj/usr/src/sys/CORP i386
>Description:
Update port: lang/python
Security update PSF-2005-001
+ Add patch from python.org

Please see: http://www.python.org/security/PSF-2005-001/

Please update vuxml
>How-To-Repeat:
>Fix:
--- python.patch begins here --- diff -ruN python.old/Makefile python/Makefile --- python.old/Makefile Tue Dec 7 00:53:11 2004 +++ python/Makefile Thu Feb 3 19:54:54 2005 @@ -7,6 +7,7 @@ PORTNAME= python PORTVERSION= 2.4 +PORTREVISION= 1 CATEGORIES= lang python ipv6 MASTER_SITES= ${PYTHON_MASTER_SITES} MASTER_SITE_SUBDIR= ${PYTHON_MASTER_SITE_SUBDIR} diff -ruN python.old/files/patch-Lib::SimpleXMLRPCServer.py python/files/patch-Lib::SimpleXMLRPCServer.py --- python.old/files/patch-Lib::SimpleXMLRPCServer.py Wed Dec 31 21:00:00 1969 +++ python/files/patch-Lib::SimpleXMLRPCServer.py Thu Feb 3 20:00:13 2005 
@@ -0,0 +1,80 @@ +--- Lib/SimpleXMLRPCServer.py.orig Sun Oct 3 20:21:44 2004 ++++ Lib/SimpleXMLRPCServer.py Thu Feb 3 19:59:20 2005 +@@ -106,14 +106,22 @@ + import sys + import os + +-def resolve_dotted_attribute(obj, attr): ++def resolve_dotted_attribute(obj, attr, allow_dotted_names=True): + """resolve_dotted_attribute(a, 'b.c.d') => a.b.c.d + + Resolves a dotted attribute name to an object. Raises + an AttributeError if any attribute in the chain starts with a '_'. ++ ++ If the optional allow_dotted_names argument is false, dots are not ++ supported and this function operates similar to getattr(obj, attr). + """ + +- for i in attr.split('.'): ++ if allow_dotted_names: ++ attrs = attr.split('.') ++ else: ++ attrs = [attr] ++ ++ for i in attrs: + if i.startswith('_'): + raise AttributeError( + 'attempt to access private attribute "%s"' % i +@@ -155,7 +163,7 @@ + self.funcs = {} + self.instance = None + +- def register_instance(self, instance): ++ def register_instance(self, instance, allow_dotted_names=False): + """Registers an instance to respond to XML-RPC requests. + + Only one instance can be installed at a time. +@@ -173,9 +181,23 @@ + + If a registered function matches a XML-RPC request, then it + will be called instead of the registered instance. ++ ++ If the optional allow_dotted_names argument is true and the ++ instance does not have a _dispatch method, method names ++ containing dots are supported and resolved, as long as none of ++ the name segments start with an '_'. ++ ++ *** SECURITY WARNING: *** ++ ++ Enabling the allow_dotted_names options allows intruders ++ to access your module's global variables and may allow ++ intruders to execute arbitrary code on your machine. Only ++ use this option on a secure, closed network. ++ + """ + + self.instance = instance ++ self.allow_dotted_names = allow_dotted_names + + def register_function(self, function, name = None): + """Registers a function to respond to XML-RPC requests. 
+@@ -294,7 +316,8 @@ + try: + method = resolve_dotted_attribute( + self.instance, +- method_name ++ method_name, ++ self.allow_dotted_names + ) + except AttributeError: + pass +@@ -373,7 +396,8 @@ + try: + func = resolve_dotted_attribute( + self.instance, +- method ++ method, ++ self.allow_dotted_names + ) + except AttributeError: + pass --- python.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted:
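Review bot: in the `resolve_dotted_attribute` hunk (@@ -106,14 +106,22 @@), the new parameter defaults to `allow_dotted_names=True`, the opposite of the `allow_dotted_names=False` default given to `register_instance`, so any caller that omits the argument still gets dotted traversal. Both call sites changed in this patch pass `self.allow_dotted_names` explicitly, so defaulting the helper to False would cost nothing here and would make the restricted lookup what a caller gets unless it asks otherwise. If True is kept for compatibility with other callers of the helper, the docstring should say that the default is the permissive one.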
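Review bot: in the `register_instance` hunks (@@ -155,7 +163,7 @@ and @@ -173,9 +181,23 @@), `self.allow_dotted_names` is assigned only inside `register_instance`, while the context lines show the constructor setting `self.funcs = {}` and `self.instance = None` with no matching default for the new attribute. Adding `self.allow_dotted_names = False` next to `self.instance = None` would give every dispatcher the restrictive setting from construction, including a subclass that sets `self.instance` without calling `register_instance`. In the added docstring, "the allow_dotted_names options" should read "option".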
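Review bot: in both dispatch hunks (@@ -294,7 +316,8 @@ and @@ -373,7 +396,8 @@), `self.allow_dotted_names` is read inside the `try` whose handler is `except AttributeError: pass`, so if the attribute is ever missing on the object the error is swallowed and is indistinguishable from an unknown method name. Reading the flag into a local before the `try` keeps that failure visible. Passing it by keyword, `allow_dotted_names=self.allow_dotted_names`, would also make the two calls self-describing instead of relying on the position of a security-relevant argument.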