diff --git a/extra/python/CVE-2011-1521.patch b/extra/python/CVE-2011-1521.patch deleted file mode 100644 index 91f4946c4..000000000 --- a/extra/python/CVE-2011-1521.patch +++ /dev/null @@ -1,134 +0,0 @@ -diff -Naur Python-3.2.ori/Doc/library/urllib.request.rst Python-3.2/Doc/library/urllib.request.rst ---- Python-3.2.ori/Doc/library/urllib.request.rst 2011-02-11 03:25:47.000000000 -0800 -+++ Python-3.2/Doc/library/urllib.request.rst 2011-04-15 03:49:02.778745379 -0700 -@@ -650,6 +650,10 @@ - is the case, :exc:`HTTPError` is raised. See :rfc:`2616` for details of the - precise meanings of the various redirection codes. - -+ An :class:`HTTPError` exception raised as a security consideration if the -+ HTTPRedirectHandler is presented with a redirected url which is not an HTTP, -+ HTTPS or FTP url. -+ - - .. method:: HTTPRedirectHandler.redirect_request(req, fp, code, msg, hdrs, newurl) - -diff -Naur Python-3.2.ori/Lib/test/test_urllib2.py Python-3.2/Lib/test/test_urllib2.py ---- Python-3.2.ori/Lib/test/test_urllib2.py 2011-02-11 03:25:47.000000000 -0800 -+++ Python-3.2/Lib/test/test_urllib2.py 2011-04-15 03:50:29.705417290 -0700 -@@ -8,6 +8,7 @@ - - import urllib.request - from urllib.request import Request, OpenerDirector -+import urllib.error - - # XXX - # Request -@@ -1029,6 +1030,29 @@ - self.assertEqual(count, - urllib.request.HTTPRedirectHandler.max_redirections) - -+ -+ def test_invalid_redirect(self): -+ from_url = "http://example.com/a.html" -+ valid_schemes = ['http','https','ftp'] -+ invalid_schemes = ['file','imap','ldap'] -+ schemeless_url = "example.com/b.html" -+ h = urllib.request.HTTPRedirectHandler() -+ o = h.parent = MockOpener() -+ req = Request(from_url) -+ req.timeout = socket._GLOBAL_DEFAULT_TIMEOUT -+ -+ for scheme in invalid_schemes: -+ invalid_url = scheme + '://' + schemeless_url -+ self.assertRaises(urllib.error.HTTPError, h.http_error_302, -+ req, MockFile(), 302, "Security Loophole", -+ MockHeaders({"location": invalid_url})) -+ -+ for scheme in valid_schemes: -+ valid_url = scheme + '://' + schemeless_url -+ h.http_error_302(req, MockFile(), 302, "That's fine", -+ MockHeaders({"location": valid_url})) -+ self.assertEqual(o.req.get_full_url(), valid_url) -+ - def test_cookie_redirect(self): - # cookies shouldn't leak into redirected requests - from http.cookiejar import CookieJar -diff -Naur Python-3.2.ori/Lib/test/test_urllib.py Python-3.2/Lib/test/test_urllib.py ---- Python-3.2.ori/Lib/test/test_urllib.py 2010-12-17 09:35:56.000000000 -0800 -+++ Python-3.2/Lib/test/test_urllib.py 2011-04-15 03:49:02.778745379 -0700 -@@ -2,6 +2,7 @@ - - import urllib.parse - import urllib.request -+import urllib.error - import http.client - import email.message - import io -@@ -198,6 +199,21 @@ - finally: - self.unfakehttp() - -+ def test_invalid_redirect(self): -+ # urlopen() should raise IOError for many error codes. -+ self.fakehttp(b'''HTTP/1.1 302 Found -+Date: Wed, 02 Jan 2008 03:03:54 GMT -+Server: Apache/1.3.33 (Debian GNU/Linux) mod_ssl/2.8.22 OpenSSL/0.9.7e -+Location: file://guidocomputer.athome.com:/python/license -+Connection: close -+Content-Type: text/html; charset=iso-8859-1 -+''') -+ try: -+ self.assertRaises(urllib.error.HTTPError, urlopen, -+ "http://python.org/") -+ finally: -+ self.unfakehttp() -+ - def test_empty_socket(self): - # urlopen() raises IOError if the underlying socket does not send any - # data. (#1680230) -diff -Naur Python-3.2.ori/Lib/urllib/request.py Python-3.2/Lib/urllib/request.py ---- Python-3.2.ori/Lib/urllib/request.py 2011-02-11 03:25:47.000000000 -0800 -+++ Python-3.2/Lib/urllib/request.py 2011-04-15 03:49:02.778745379 -0700 -@@ -545,6 +545,17 @@ - - # fix a possible malformed URL - urlparts = urlparse(newurl) -+ -+ # For security reasons we don't allow redirection to anything other -+ # than http, https or ftp. -+ -+ if not urlparts.scheme in ('http', 'https', 'ftp'): -+ raise HTTPError(newurl, code, -+ msg + -+ " - Redirection to url '%s' is not allowed" % -+ newurl, -+ headers, fp) -+ - if not urlparts.path: - urlparts = list(urlparts) - urlparts[2] = "/" -@@ -1897,8 +1908,24 @@ - return - void = fp.read() - fp.close() -+ - # In case the server sent a relative URL, join with original: - newurl = urljoin(self.type + ":" + url, newurl) -+ -+ urlparts = urlparse(newurl) -+ -+ # For security reasons, we don't allow redirection to anything other -+ # than http, https and ftp. -+ -+ # We are using newer HTTPError with older redirect_internal method -+ # This older method will get deprecated in 3.3 -+ -+ if not urlparts.scheme in ('http', 'https', 'ftp'): -+ raise HTTPError(newurl, errcode, -+ errmsg + -+ " Redirection to url '%s' is not allowed." % newurl, -+ headers, fp) -+ - return self.open(newurl) - - def http_error_301(self, url, fp, errcode, errmsg, headers, data=None): diff --git a/extra/python/PKGBUILD b/extra/python/PKGBUILD index 01dc1a8ff..abfca6c96 100644 --- a/extra/python/PKGBUILD +++ b/extra/python/PKGBUILD @@ -1,17 +1,17 @@ -# $Id: PKGBUILD 119805 2011-04-15 11:51:39Z stephane $ +# $Id: PKGBUILD 131166 2011-07-11 13:06:25Z stephane $ # Maintainer: Stéphane Gaudreault # Maintainer: Allan McRae -# Contributer: Jason Chu +# Contributor: Jason Chu -# PlugApps: Kevin Mihelich +# ALARM: Kevin Mihelich # - removed valgrind from makedepends, can't build it for ARM # - removed --with-valgrind from configure line plugrel=1 pkgname=python -pkgver=3.2 -pkgrel=2 +pkgver=3.2.1 +pkgrel=1 _pybasever=3.2 pkgdesc="Next generation of the python high-level scripting language" arch=('i686' 'x86_64') @@ -19,27 +19,25 @@ license=('custom') url="http://www.python.org/" depends=('expat' 'bzip2' 'gdbm' 'openssl' 'libffi' 'zlib') makedepends=('tk' 'sqlite3') -optdepends=('tk: for tkinter') +optdepends=('tk: for tkinter' 'sqlite3') provides=('python3') replaces=('python3') options=('!makeflags') -source=(http://www.python.org/ftp/python/${_pybasever}/Python-${pkgver}.tar.xz - CVE-2011-1521.patch) -sha1sums=('55a3a9d39f31563370d0c494373bb6d38e4d1a00' - '561161ce5ae3a91254352c09a33e3e4434444e14') +source=(http://www.python.org/ftp/python/${pkgver%rc*}/Python-${pkgver}.tar.xz) +sha1sums=('ab5cf4a4c21abe590dea87473a1dee6820699d79') + build() { cd "${srcdir}/Python-${pkgver}" + # FS#23997 + sed -i -e "s|^#.* /usr/local/bin/python|#!/usr/bin/python|" Lib/cgi.py + # Ensure that we are using the system copy of various libraries (expat, zlib and libffi), # rather than copies shipped in the tarball rm -r Modules/expat rm -r Modules/zlib rm -r Modules/_ctypes/{darwin,libffi}* - # urllib Security Vulnerability - # http://blog.python.org/2011/04/urllib-security-vulnerability-fixed.html - patch -Np1 -i ../CVE-2011-1521.patch - ./configure --prefix=/usr \ --enable-shared \ --with-threads \ @@ -74,7 +72,7 @@ package() { "${pkgdir}/usr/lib/python${_pybasever}/config-${_pybasever}mu/libpython${_pybasever}mu.so" # Clean-up reference to build directory - sed -i "s#$srcdir/Python-${pkgver}:##" "$pkgdir/usr/lib/python${_pybasever}/config-${_pybasever}mu/Makefile" + sed -i "s|$srcdir/Python-${pkgver}:||" "$pkgdir/usr/lib/python${_pybasever}/config-${_pybasever}mu/Makefile" # License install -Dm644 LICENSE "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"