ports/77078: Update port: lang/python Security update PSF-2005-001
Marcus Grando
marcus at corp.grupos.com.br
Thu Feb 3 22:20:17 UTC 2005
>Number: 77078
>Category: ports
>Synopsis: Update port: lang/python Security update PSF-2005-001
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Thu Feb 03 22:20:16 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Marcus Grando
>Release: FreeBSD 4.11-STABLE i386
>Organization:
Grupos Internet S/A
>Environment:
System: FreeBSD corp.grupos.com.br 4.11-STABLE FreeBSD 4.11-STABLE #40: Fri Jan 28 13:42:33 BRST 2005 root at corp.grupos.com.br:/usr/obj/usr/src/sys/CORP i386
>Description:
Update port: lang/python Security update PSF-2005-001
+ Add patch from python.org
Please see:
http://www.python.org/security/PSF-2005-001/
Please update vuxml
>How-To-Repeat:
>Fix:
--- python.patch begins here ---
diff -ruN python.old/Makefile python/Makefile
--- python.old/Makefile Tue Dec 7 00:53:11 2004
+++ python/Makefile Thu Feb 3 19:54:54 2005
@@ -7,6 +7,7 @@
PORTNAME= python
PORTVERSION= 2.4
+PORTREVISION= 1
CATEGORIES= lang python ipv6
MASTER_SITES= ${PYTHON_MASTER_SITES}
MASTER_SITE_SUBDIR= ${PYTHON_MASTER_SITE_SUBDIR}
diff -ruN python.old/files/patch-Lib::SimpleXMLRPCServer.py python/files/patch-Lib::SimpleXMLRPCServer.py
--- python.old/files/patch-Lib::SimpleXMLRPCServer.py Wed Dec 31 21:00:00 1969
+++ python/files/patch-Lib::SimpleXMLRPCServer.py Thu Feb 3 20:00:13 2005
@@ -0,0 +1,80 @@
+--- Lib/SimpleXMLRPCServer.py.orig Sun Oct 3 20:21:44 2004
++++ Lib/SimpleXMLRPCServer.py Thu Feb 3 19:59:20 2005
+@@ -106,14 +106,22 @@
+ import sys
+ import os
+
+-def resolve_dotted_attribute(obj, attr):
++def resolve_dotted_attribute(obj, attr, allow_dotted_names=True):
+ """resolve_dotted_attribute(a, 'b.c.d') => a.b.c.d
+
+ Resolves a dotted attribute name to an object. Raises
+ an AttributeError if any attribute in the chain starts with a '_'.
++
++ If the optional allow_dotted_names argument is false, dots are not
++ supported and this function operates similar to getattr(obj, attr).
+ """
+
+- for i in attr.split('.'):
++ if allow_dotted_names:
++ attrs = attr.split('.')
++ else:
++ attrs = [attr]
++
++ for i in attrs:
+ if i.startswith('_'):
+ raise AttributeError(
+ 'attempt to access private attribute "%s"' % i
+@@ -155,7 +163,7 @@
+ self.funcs = {}
+ self.instance = None
+
+- def register_instance(self, instance):
++ def register_instance(self, instance, allow_dotted_names=False):
+ """Registers an instance to respond to XML-RPC requests.
+
+ Only one instance can be installed at a time.
+@@ -173,9 +181,23 @@
+
+ If a registered function matches a XML-RPC request, then it
+ will be called instead of the registered instance.
++
++ If the optional allow_dotted_names argument is true and the
++ instance does not have a _dispatch method, method names
++ containing dots are supported and resolved, as long as none of
++ the name segments start with an '_'.
++
++ *** SECURITY WARNING: ***
++
++ Enabling the allow_dotted_names options allows intruders
++ to access your module's global variables and may allow
++ intruders to execute arbitrary code on your machine. Only
++ use this option on a secure, closed network.
++
+ """
+
+ self.instance = instance
++ self.allow_dotted_names = allow_dotted_names
+
+ def register_function(self, function, name = None):
+ """Registers a function to respond to XML-RPC requests.
+@@ -294,7 +316,8 @@
+ try:
+ method = resolve_dotted_attribute(
+ self.instance,
+- method_name
++ method_name,
++ self.allow_dotted_names
+ )
+ except AttributeError:
+ pass
+@@ -373,7 +396,8 @@
+ try:
+ func = resolve_dotted_attribute(
+ self.instance,
+- method
++ method,
++ self.allow_dotted_names
+ )
+ except AttributeError:
+ pass
--- python.patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-ports-bugs
mailing list