head 1.4; access; symbols pkgsrc-2013Q2:1.4.0.44 pkgsrc-2013Q2-base:1.4 pkgsrc-2012Q4:1.4.0.42 pkgsrc-2012Q4-base:1.4 pkgsrc-2011Q4:1.4.0.40 pkgsrc-2011Q4-base:1.4 pkgsrc-2011Q2:1.4.0.38 pkgsrc-2011Q2-base:1.4 pkgsrc-2009Q4:1.4.0.36 pkgsrc-2009Q4-base:1.4 pkgsrc-2008Q4:1.4.0.34 pkgsrc-2008Q4-base:1.4 pkgsrc-2008Q3:1.4.0.32 pkgsrc-2008Q3-base:1.4 cube-native-xorg:1.4.0.30 cube-native-xorg-base:1.4 pkgsrc-2008Q2:1.4.0.28 pkgsrc-2008Q2-base:1.4 pkgsrc-2008Q1:1.4.0.26 pkgsrc-2008Q1-base:1.4 pkgsrc-2007Q4:1.4.0.24 pkgsrc-2007Q4-base:1.4 pkgsrc-2007Q3:1.4.0.22 pkgsrc-2007Q3-base:1.4 pkgsrc-2007Q2:1.4.0.20 pkgsrc-2007Q2-base:1.4 pkgsrc-2007Q1:1.4.0.18 pkgsrc-2007Q1-base:1.4 pkgsrc-2006Q4:1.4.0.16 pkgsrc-2006Q4-base:1.4 pkgsrc-2006Q3:1.4.0.14 pkgsrc-2006Q3-base:1.4 pkgsrc-2006Q2:1.4.0.12 pkgsrc-2006Q2-base:1.4 pkgsrc-2006Q1:1.4.0.10 pkgsrc-2006Q1-base:1.4 pkgsrc-2005Q4:1.4.0.8 pkgsrc-2005Q4-base:1.4 pkgsrc-2005Q3:1.4.0.6 pkgsrc-2005Q3-base:1.4 pkgsrc-2005Q2:1.4.0.4 pkgsrc-2005Q2-base:1.4 pkgsrc-2005Q1:1.4.0.2 pkgsrc-2005Q1-base:1.4 pkgsrc-2004Q4:1.2.0.6 pkgsrc-2004Q4-base:1.2 pkgsrc-2004Q3:1.2.0.4 pkgsrc-2004Q3-base:1.2 pkgsrc-2004Q2:1.2.0.2 pkgsrc-2004Q2-base:1.2; locks; strict; comment @# @; 1.4 date 2005.02.15.12.25.07; author drochner; state dead; branches; next 1.3; 1.3 date 2005.02.04.15.39.04; author drochner; state Exp; branches; next 1.2; 1.2 date 2004.06.02.12.29.28; author recht; state dead; branches 1.2.6.1; next 1.1; 1.1 date 2004.05.12.15.19.49; author recht; state Exp; branches; next ; 1.2.6.1 date 2005.02.16.14.00.08; author salo; state Exp; branches; next ; desc @@ 1.4 log @update to 2.3.5 This is a bug-fix release. It contains the fix for http://www.python.org/security/PSF-2005-001/ which we added in 2.3.4nb7. @ text @$NetBSD: patch-an,v 1.3 2005/02/04 15:39:04 drochner Exp $ --- Lib/SimpleXMLRPCServer.py.orig 2003-06-29 06:19:37.000000000 +0200 +++ Lib/SimpleXMLRPCServer.py @@@@ -107,14 +107,22 @@@@ import sys import types import os -def resolve_dotted_attribute(obj, attr): +def resolve_dotted_attribute(obj, attr, allow_dotted_names=True): """resolve_dotted_attribute(a, 'b.c.d') => a.b.c.d Resolves a dotted attribute name to an object. Raises an AttributeError if any attribute in the chain starts with a '_'. + + If the optional allow_dotted_names argument is false, dots are not + supported and this function operates similar to getattr(obj, attr). """ - for i in attr.split('.'): + if allow_dotted_names: + attrs = attr.split('.') + else: + attrs = [attr] + + for i in attrs: if i.startswith('_'): raise AttributeError( 'attempt to access private attribute "%s"' % i @@@@ -156,7 +164,7 @@@@ class SimpleXMLRPCDispatcher: self.funcs = {} self.instance = None - def register_instance(self, instance): + def register_instance(self, instance, allow_dotted_names=False): """Registers an instance to respond to XML-RPC requests. Only one instance can be installed at a time. @@@@ -174,9 +182,23 @@@@ class SimpleXMLRPCDispatcher: If a registered function matches a XML-RPC request, then it will be called instead of the registered instance. + + If the optional allow_dotted_names argument is true and the + instance does not have a _dispatch method, method names + containing dots are supported and resolved, as long as none of + the name segments start with an '_'. + + *** SECURITY WARNING: *** + + Enabling the allow_dotted_names options allows intruders + to access your module's global variables and may allow + intruders to execute arbitrary code on your machine. Only + use this option on a secure, closed network. + """ self.instance = instance + self.allow_dotted_names = allow_dotted_names def register_function(self, function, name = None): """Registers a function to respond to XML-RPC requests. @@@@ -295,7 +317,8 @@@@ class SimpleXMLRPCDispatcher: try: method = resolve_dotted_attribute( self.instance, - method_name + method_name, + self.allow_dotted_names ) except AttributeError: pass @@@@ -374,7 +397,8 @@@@ class SimpleXMLRPCDispatcher: try: func = resolve_dotted_attribute( self.instance, - method + method, + self.allow_dotted_names ) except AttributeError: pass @ 1.3 log @apply the security fix from http://www.python.org/security/PSF-2005-001/ This disables hierarchical object lookups in SimpleXMLRPCServer. Unfortunately, this breaks some applications (eg kenosis). Don't shoot me for this. bump PKGREVISION @ text @d1 1 a1 1 $NetBSD$ @ 1.2 log @Update to 2.3.4 This is a bug-fix release for Python 2.3 that fixes a number of bugs, including a couple of weakref bugs and a bug in pickle version 2. There are also a number of fixes to the standard library, and some build fixes - see the release notes ( http://www.python.org/2.3.4/NEWS.html ) for details. @ text @d1 1 a1 1 $NetBSD: patch-an,v 1.1 2004/05/12 15:19:49 recht Exp $ d3 80 a82 65 diff -u python/dist/src/Objects/weakrefobject.c:1.13.6.1 python/dist/src/Objects/weakrefobject.c:1.13.6.3 --- Objects/weakrefobject.c:1.13.6.1 Thu Nov 20 14:13:51 2003 +++ Objects/weakrefobject.c Wed Feb 4 15:13:43 2004 @@@@ -624,20 +624,29 @@@@ } list = GET_WEAKREFS_LISTPTR(ob); get_basic_refs(*list, &ref, &proxy); - if (callback == NULL || callback == Py_None) + if (callback == Py_None) + callback = NULL; + if (callback == NULL) /* return existing weak reference if it exists */ result = ref; if (result != NULL) - Py_XINCREF(result); + Py_INCREF(result); else { + /* Note: new_weakref() can trigger cyclic GC, so the weakref + list on ob can be mutated. This means that the ref and + proxy pointers we got back earlier may have been collected, + so we need to compute these values again before we use + them. */ result = new_weakref(ob, callback); if (result != NULL) { if (callback == NULL) { insert_head(result, list); } else { - PyWeakReference *prev = (proxy == NULL) ? ref : proxy; + PyWeakReference *prev; + get_basic_refs(*list, &ref, &proxy); + prev = (proxy == NULL) ? ref : proxy; if (prev == NULL) insert_head(result, list); else @@@@ -664,12 +673,19 @@@@ } list = GET_WEAKREFS_LISTPTR(ob); get_basic_refs(*list, &ref, &proxy); + if (callback == Py_None) + callback = NULL; if (callback == NULL) /* attempt to return an existing weak reference if it exists */ result = proxy; if (result != NULL) - Py_XINCREF(result); + Py_INCREF(result); else { + /* Note: new_weakref() can trigger cyclic GC, so the weakref + list on ob can be mutated. This means that the ref and + proxy pointers we got back earlier may have been collected, + so we need to compute these values again before we use + them. */ result = new_weakref(ob, callback); if (result != NULL) { PyWeakReference *prev; @@@@ -678,6 +694,7 @@@@ result->ob_type = &_PyWeakref_CallableProxyType; else result->ob_type = &_PyWeakref_ProxyType; + get_basic_refs(*list, &ref, &proxy); if (callback == NULL) prev = ref; else @ 1.2.6.1 log @Pullup ticket 289 - requested by Matthias Drochner security fix for python Patches hand-rolled, based on the following commit: Module Name: pkgsrc Committed By: drochner Date: Fri Feb 4 15:39:04 UTC 2005 Modified Files: pkgsrc/lang/python22: Makefile distinfo pkgsrc/lang/python23: Makefile distinfo pkgsrc/lang/python23-nth: Makefile pkgsrc/lang/python24: Makefile distinfo Added Files: pkgsrc/lang/python22/patches: patch-an pkgsrc/lang/python23/patches: patch-an pkgsrc/lang/python24/patches: patch-an Log Message: apply the security fix from http://www.python.org/security/PSF-2005-001/ This disables hierarchical object lookups in SimpleXMLRPCServer. Unfortunately, this breaks some applications (eg kenosis). Don't shoot me for this. bump PKGREVISION @ text @d1 1 a1 1 $NetBSD: patch-an,v 1.3 2005/02/04 15:39:04 drochner Exp $ d3 65 a67 80 --- Lib/SimpleXMLRPCServer.py.orig 2003-06-29 06:19:37.000000000 +0200 +++ Lib/SimpleXMLRPCServer.py @@@@ -107,14 +107,22 @@@@ import sys import types import os -def resolve_dotted_attribute(obj, attr): +def resolve_dotted_attribute(obj, attr, allow_dotted_names=True): """resolve_dotted_attribute(a, 'b.c.d') => a.b.c.d Resolves a dotted attribute name to an object. Raises an AttributeError if any attribute in the chain starts with a '_'. + + If the optional allow_dotted_names argument is false, dots are not + supported and this function operates similar to getattr(obj, attr). """ - for i in attr.split('.'): + if allow_dotted_names: + attrs = attr.split('.') + else: + attrs = [attr] + + for i in attrs: if i.startswith('_'): raise AttributeError( 'attempt to access private attribute "%s"' % i @@@@ -156,7 +164,7 @@@@ class SimpleXMLRPCDispatcher: self.funcs = {} self.instance = None - def register_instance(self, instance): + def register_instance(self, instance, allow_dotted_names=False): """Registers an instance to respond to XML-RPC requests. Only one instance can be installed at a time. @@@@ -174,9 +182,23 @@@@ class SimpleXMLRPCDispatcher: If a registered function matches a XML-RPC request, then it will be called instead of the registered instance. + + If the optional allow_dotted_names argument is true and the + instance does not have a _dispatch method, method names + containing dots are supported and resolved, as long as none of + the name segments start with an '_'. + + *** SECURITY WARNING: *** + + Enabling the allow_dotted_names options allows intruders + to access your module's global variables and may allow + intruders to execute arbitrary code on your machine. Only + use this option on a secure, closed network. + """ self.instance = instance + self.allow_dotted_names = allow_dotted_names def register_function(self, function, name = None): """Registers a function to respond to XML-RPC requests. @@@@ -295,7 +317,8 @@@@ class SimpleXMLRPCDispatcher: try: method = resolve_dotted_attribute( self.instance, - method_name + method_name, + self.allow_dotted_names ) except AttributeError: pass @@@@ -374,7 +397,8 @@@@ class SimpleXMLRPCDispatcher: try: func = resolve_dotted_attribute( self.instance, - method + method, + self.allow_dotted_names ) except AttributeError: pass @ 1.1 log @- Merge bugfixes from python 2.3 maintenance branch: o weakref object's garbage collection problem. o save unnecessary startup-time memory allocation of 100KB+ from intobject. via FreeBSD ports - Enable pkgviews installation. Bump PKGREVISION for the bugfixes. @ text @d1 1 a1 1 $NetBSD$ @