aboutsummaryrefslogtreecommitdiffstats
path: root/lang/python24
diff options
context:
space:
mode:
authorperky <perky@FreeBSD.org>2005-02-04 12:13:41 +0800
committerperky <perky@FreeBSD.org>2005-02-04 12:13:41 +0800
commitdafaf3a5ed0bcedd625a6ff3260a607eb65fcce8 (patch)
tree972ca861e93b10de74d8dc2c2d68c79977d3e773 /lang/python24
parentddf64505e18915cb58bd755d7e3f550edf1a4baa (diff)
downloadfreebsd-ports-gnome-dafaf3a5ed0bcedd625a6ff3260a607eb65fcce8.tar.gz
freebsd-ports-gnome-dafaf3a5ed0bcedd625a6ff3260a607eb65fcce8.tar.zst
freebsd-ports-gnome-dafaf3a5ed0bcedd625a6ff3260a607eb65fcce8.zip
Add a patch from PSF-2005-001 which fixes SimpleXMLRPCServer
vulnerability. PR: 77078 Submitted by: Marcus Grando <marcus@corp.grupos.com.br> Security: CAN-2005-0089 Security: http://www.vuxml.org/freebsd/6afa87d3-764b-11d9-b0e7-0000e249a0a2.html Security: SimpleXMLRPCServer.py allows unrestricted traversal
Diffstat (limited to 'lang/python24')
-rw-r--r--lang/python24/Makefile1
-rw-r--r--lang/python24/files/patch-Lib::SimpleXMLRPCServer.py125
2 files changed, 126 insertions, 0 deletions
diff --git a/lang/python24/Makefile b/lang/python24/Makefile
index 0fafbcb85066..8cbd19756eb4 100644
--- a/lang/python24/Makefile
+++ b/lang/python24/Makefile
@@ -7,6 +7,7 @@
PORTNAME= python
PORTVERSION= 2.4
+PORTREVISION= 1
CATEGORIES= lang python ipv6
MASTER_SITES= ${PYTHON_MASTER_SITES}
MASTER_SITE_SUBDIR= ${PYTHON_MASTER_SITE_SUBDIR}
diff --git a/lang/python24/files/patch-Lib::SimpleXMLRPCServer.py b/lang/python24/files/patch-Lib::SimpleXMLRPCServer.py
new file mode 100644
index 000000000000..54b8b4523f4e
--- /dev/null
+++ b/lang/python24/files/patch-Lib::SimpleXMLRPCServer.py
@@ -0,0 +1,125 @@
+Index: Lib/SimpleXMLRPCServer.py
+===================================================================
+RCS file: /cvsroot/python/python/dist/src/Lib/SimpleXMLRPCServer.py,v
+retrieving revision 1.7.8.1
+diff -c -r1.7.8.1 SimpleXMLRPCServer.py
+*** Lib/SimpleXMLRPCServer.py 3 Oct 2004 23:23:00 -0000 1.7.8.1
+--- Lib/SimpleXMLRPCServer.py 3 Feb 2005 05:33:55 -0000
+***************
+*** 107,120 ****
+ import types
+ import os
+
+! def resolve_dotted_attribute(obj, attr):
+ """resolve_dotted_attribute(a, 'b.c.d') => a.b.c.d
+
+ Resolves a dotted attribute name to an object. Raises
+ an AttributeError if any attribute in the chain starts with a '_'.
+ """
+
+! for i in attr.split('.'):
+ if i.startswith('_'):
+ raise AttributeError(
+ 'attempt to access private attribute "%s"' % i
+--- 107,128 ----
+ import types
+ import os
+
+! def resolve_dotted_attribute(obj, attr, allow_dotted_names=True):
+ """resolve_dotted_attribute(a, 'b.c.d') => a.b.c.d
+
+ Resolves a dotted attribute name to an object. Raises
+ an AttributeError if any attribute in the chain starts with a '_'.
++
++ If the optional allow_dotted_names argument is false, dots are not
++ supported and this function operates similar to getattr(obj, attr).
+ """
+
+! if allow_dotted_names:
+! attrs = attr.split('.')
+! else:
+! attrs = [attr]
+!
+! for i in attrs:
+ if i.startswith('_'):
+ raise AttributeError(
+ 'attempt to access private attribute "%s"' % i
+***************
+*** 156,162 ****
+ self.funcs = {}
+ self.instance = None
+
+! def register_instance(self, instance):
+ """Registers an instance to respond to XML-RPC requests.
+
+ Only one instance can be installed at a time.
+--- 164,170 ----
+ self.funcs = {}
+ self.instance = None
+
+! def register_instance(self, instance, allow_dotted_names=False):
+ """Registers an instance to respond to XML-RPC requests.
+
+ Only one instance can be installed at a time.
+***************
+*** 174,182 ****
+--- 182,204 ----
+
+ If a registered function matches a XML-RPC request, then it
+ will be called instead of the registered instance.
++
++ If the optional allow_dotted_names argument is true and the
++ instance does not have a _dispatch method, method names
++ containing dots are supported and resolved, as long as none of
++ the name segments start with an '_'.
++
++ *** SECURITY WARNING: ***
++
++ Enabling the allow_dotted_names options allows intruders
++ to access your module's global variables and may allow
++ intruders to execute arbitrary code on your machine. Only
++ use this option on a secure, closed network.
++
+ """
+
+ self.instance = instance
++ self.allow_dotted_names = allow_dotted_names
+
+ def register_function(self, function, name = None):
+ """Registers a function to respond to XML-RPC requests.
+***************
+*** 295,301 ****
+ try:
+ method = resolve_dotted_attribute(
+ self.instance,
+! method_name
+ )
+ except AttributeError:
+ pass
+--- 317,324 ----
+ try:
+ method = resolve_dotted_attribute(
+ self.instance,
+! method_name,
+! self.allow_dotted_names
+ )
+ except AttributeError:
+ pass
+***************
+*** 374,380 ****
+ try:
+ func = resolve_dotted_attribute(
+ self.instance,
+! method
+ )
+ except AttributeError:
+ pass
+--- 397,404 ----
+ try:
+ func = resolve_dotted_attribute(
+ self.instance,
+! method,
+! self.allow_dotted_names
+ )
+ except AttributeError:
+ pass