Date: Thu, 3 Feb 2005 20:20:35 -0200 (BRST)
From: Marcus Grando <marcus@corp.grupos.com.br>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: perky@FreeBSD.org
Subject: ports/77079: Update port: lang/python22 Security update PSF-2005-001
Message-ID: <20050203222035.10E7520A5C@corp.grupos.com.br>
Resent-Message-ID: <200502032230.j13MULQB036371@freefall.freebsd.org>
>Number: 77079 >Category: ports >Synopsis: Update port: lang/python22 Security update PSF-2005-001 >Confidential: no >Severity: serious >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: update >Submitter-Id: current-users >Arrival-Date: Thu Feb 03 22:30:20 GMT 2005 >Closed-Date: >Last-Modified: >Originator: Marcus Grando >Release: FreeBSD 4.11-STABLE i386 >Organization: Grupos Internet S/A >Environment: System: FreeBSD corp.grupos.com.br 4.11-STABLE FreeBSD 4.11-STABLE #40: Fri Jan 28 13:42:33 BRST 2005 root@corp.grupos.com.br:/usr/obj/usr/src/sys/CORP i386 >Description: Update port: lang/python22 Security update PSF-2005-001 + Add patch from python.org Please see: http://www.python.org/security/PSF-2005-001/ Please update vuxml >How-To-Repeat: >Fix: --- python22.patch begins here --- diff -ruN python22.old/Makefile python22/Makefile --- python22.old/Makefile Tue Nov 16 01:01:47 2004 +++ python22/Makefile Thu Feb 3 20:07:58 2005 @@ -7,7 +7,7 @@ PORTNAME= python PORTVERSION= 2.2.3 -PORTREVISION= 6 +PORTREVISION= 7 CATEGORIES= lang python ipv6 MASTER_SITES= ${PYTHON_MASTER_SITES} MASTER_SITE_SUBDIR= ${PYTHON_MASTER_SITE_SUBDIR} diff -ruN python22.old/files/patch-Lib::SimpleXMLRPCServer.py python22/files/patch-Lib::SimpleXMLRPCServer.py --- python22.old/files/patch-Lib::SimpleXMLRPCServer.py Wed Dec 31 21:00:00 1969 +++ python22/files/patch-Lib::SimpleXMLRPCServer.py Thu Feb 3 20:07:42 2005 
@@ -0,0 +1,68 @@ +--- Lib/SimpleXMLRPCServer.py.orig Sat Sep 29 01:54:33 2001 ++++ Lib/SimpleXMLRPCServer.py Thu Feb 3 20:07:10 2005 +@@ -161,7 +161,8 @@ + try: + func = _resolve_dotted_attribute( + self.server.instance, +- method ++ method, ++ self.allow_dotted_names + ) + except AttributeError: + pass +@@ -178,11 +179,20 @@ + BaseHTTPServer.BaseHTTPRequestHandler.log_request(self, code, size) + + +-def _resolve_dotted_attribute(obj, attr): ++def _resolve_dotted_attribute(obj, attr, allow_dotted_names=True): + """Resolves a dotted attribute name to an object. Raises + an AttributeError if any attribute in the chain starts with a '_'. ++ ++ If the optional allow_dotted_names argument is false, dots are not ++ supported and this function operates similar to getattr(obj, attr). + """ +- for i in attr.split('.'): ++ ++ if allow_dotted_names: ++ attrs = attr.split('.') ++ else: ++ attrs = [attr] ++ ++ for i in attrs: + if i.startswith('_'): + raise AttributeError( + 'attempt to access private attribute "%s"' % i +@@ -206,7 +216,7 @@ + self.instance = None + SocketServer.TCPServer.__init__(self, addr, requestHandler) + +- def register_instance(self, instance): ++ def register_instance(self, instance, allow_dotted_names=False): + """Registers an instance to respond to XML-RPC requests. + + Only one instance can be installed at a time. +@@ -225,9 +235,23 @@ + + If a registered function matches a XML-RPC request, then it + will be called instead of the registered instance. ++ ++ If the optional allow_dotted_names argument is true and the ++ instance does not have a _dispatch method, method names ++ containing dots are supported and resolved, as long as none of ++ the name segments start with an '_'. ++ ++ *** SECURITY WARNING: *** ++ ++ Enabling the allow_dotted_names options allows intruders ++ to access your module's global variables and may allow ++ intruders to execute arbitrary code on your machine. Only ++ use this option on a secure, closed network. 
++ + """ + + self.instance = instance ++ self.allow_dotted_names = allow_dotted_names + + def register_function(self, function, name = None): + """Registers a function to respond to XML-RPC requests. --- python22.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted:
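Review bot: In the @@ -161,7 +161,8 @@ hunk of Lib/SimpleXMLRPCServer.py the new argument is read as `self.allow_dotted_names`, but the same call takes the instance from `self.server.instance`, and the last hunk stores the flag with `self.allow_dotted_names = allow_dotted_names` inside `register_instance`, next to `self.instance = instance`, that is, on the server object. Unless the handler class defines its own attribute outside the lines shown, this lookup raises AttributeError, which the surrounding `except AttributeError: pass` swallows, so every lookup on the registered instance would fail silently. Read the flag from the server instead: `self.server.allow_dotted_names`.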
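Review bot: In the @@ -178,11 +179,20 @@ hunk, `_resolve_dotted_attribute(obj, attr, allow_dotted_names=True)` defaults to the behaviour that the security warning added by this same patch tells users to avoid, while `register_instance` defaults to False. Any caller that omits the third argument keeps dotted traversal. Make the default False, or make the argument required, so that the safe path is the one taken by omission. The new docstring text also says the function then "operates similar to getattr(obj, attr)", yet the loop still rejects a name starting with '_'; the docstring should say so.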
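Review bot: In the @@ -225,9 +235,23 @@ hunk, `self.allow_dotted_names` is assigned only inside `register_instance`; the `__init__` context shown in the preceding hunk sets `self.instance = None` and the patch adds no matching default for the flag. Initialise `self.allow_dotted_names = False` in `__init__` so the attribute exists on a server that only calls `register_function`. Because the new default stops dotted method names from resolving unless the caller opts in, existing servers change behaviour after the upgrade, and the port should say so in its update notes. In the docstring, "the allow_dotted_names options" should read "option".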