ports/77079: Update port: lang/python22 Security update PSF-2005-001
Marcus Grando
marcus at corp.grupos.com.br
Thu Feb 3 22:30:22 UTC 2005
>Number: 77079
>Category: ports
>Synopsis: Update port: lang/python22 Security update PSF-2005-001
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Thu Feb 03 22:30:20 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Marcus Grando
>Release: FreeBSD 4.11-STABLE i386
>Organization:
Grupos Internet S/A
>Environment:
System: FreeBSD corp.grupos.com.br 4.11-STABLE FreeBSD 4.11-STABLE #40: Fri Jan 28 13:42:33 BRST 2005 root at corp.grupos.com.br:/usr/obj/usr/src/sys/CORP i386
>Description:
Update port: lang/python22 Security update PSF-2005-001
+ Add patch from python.org
Please see:
http://www.python.org/security/PSF-2005-001/
Please update vuxml
>How-To-Repeat:
>Fix:
--- python22.patch begins here ---
diff -ruN python22.old/Makefile python22/Makefile
--- python22.old/Makefile Tue Nov 16 01:01:47 2004
+++ python22/Makefile Thu Feb 3 20:07:58 2005
@@ -7,7 +7,7 @@
PORTNAME= python
PORTVERSION= 2.2.3
-PORTREVISION= 6
+PORTREVISION= 7
CATEGORIES= lang python ipv6
MASTER_SITES= ${PYTHON_MASTER_SITES}
MASTER_SITE_SUBDIR= ${PYTHON_MASTER_SITE_SUBDIR}
diff -ruN python22.old/files/patch-Lib::SimpleXMLRPCServer.py python22/files/patch-Lib::SimpleXMLRPCServer.py
--- python22.old/files/patch-Lib::SimpleXMLRPCServer.py Wed Dec 31 21:00:00 1969
+++ python22/files/patch-Lib::SimpleXMLRPCServer.py Thu Feb 3 20:07:42 2005
@@ -0,0 +1,68 @@
+--- Lib/SimpleXMLRPCServer.py.orig Sat Sep 29 01:54:33 2001
++++ Lib/SimpleXMLRPCServer.py Thu Feb 3 20:07:10 2005
+@@ -161,7 +161,8 @@
+ try:
+ func = _resolve_dotted_attribute(
+ self.server.instance,
+- method
++ method,
++ self.allow_dotted_names
+ )
+ except AttributeError:
+ pass
+@@ -178,11 +179,20 @@
+ BaseHTTPServer.BaseHTTPRequestHandler.log_request(self, code, size)
+
+
+-def _resolve_dotted_attribute(obj, attr):
++def _resolve_dotted_attribute(obj, attr, allow_dotted_names=True):
+ """Resolves a dotted attribute name to an object. Raises
+ an AttributeError if any attribute in the chain starts with a '_'.
++
++ If the optional allow_dotted_names argument is false, dots are not
++ supported and this function operates similar to getattr(obj, attr).
+ """
+- for i in attr.split('.'):
++
++ if allow_dotted_names:
++ attrs = attr.split('.')
++ else:
++ attrs = [attr]
++
++ for i in attrs:
+ if i.startswith('_'):
+ raise AttributeError(
+ 'attempt to access private attribute "%s"' % i
+@@ -206,7 +216,7 @@
+ self.instance = None
+ SocketServer.TCPServer.__init__(self, addr, requestHandler)
+
+- def register_instance(self, instance):
++ def register_instance(self, instance, allow_dotted_names=False):
+ """Registers an instance to respond to XML-RPC requests.
+
+ Only one instance can be installed at a time.
+@@ -225,9 +235,23 @@
+
+ If a registered function matches a XML-RPC request, then it
+ will be called instead of the registered instance.
++
++ If the optional allow_dotted_names argument is true and the
++ instance does not have a _dispatch method, method names
++ containing dots are supported and resolved, as long as none of
++ the name segments start with an '_'.
++
++ *** SECURITY WARNING: ***
++
++ Enabling the allow_dotted_names options allows intruders
++ to access your module's global variables and may allow
++ intruders to execute arbitrary code on your machine. Only
++ use this option on a secure, closed network.
++
+ """
+
+ self.instance = instance
++ self.allow_dotted_names = allow_dotted_names
+
+ def register_function(self, function, name = None):
+ """Registers a function to respond to XML-RPC requests.
--- python22.patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-ports-bugs
mailing list