head 1.2; access; symbols pkgsrc-2015Q1:1.1.0.36 pkgsrc-2015Q1-base:1.1 pkgsrc-2014Q4:1.1.0.34 pkgsrc-2014Q4-base:1.1 pkgsrc-2014Q3:1.1.0.32 pkgsrc-2014Q3-base:1.1 pkgsrc-2014Q2:1.1.0.30 pkgsrc-2014Q2-base:1.1 pkgsrc-2014Q1:1.1.0.28 pkgsrc-2014Q1-base:1.1 pkgsrc-2013Q4:1.1.0.26 pkgsrc-2013Q4-base:1.1 pkgsrc-2013Q3:1.1.0.24 pkgsrc-2013Q3-base:1.1 pkgsrc-2013Q2:1.1.0.22 pkgsrc-2013Q2-base:1.1 pkgsrc-2013Q1:1.1.0.20 pkgsrc-2013Q1-base:1.1 pkgsrc-2012Q4:1.1.0.18 pkgsrc-2012Q4-base:1.1 pkgsrc-2012Q3:1.1.0.16 pkgsrc-2012Q3-base:1.1 pkgsrc-2012Q2:1.1.0.14 pkgsrc-2012Q2-base:1.1 pkgsrc-2012Q1:1.1.0.12 pkgsrc-2012Q1-base:1.1 pkgsrc-2011Q4:1.1.0.10 pkgsrc-2011Q4-base:1.1 pkgsrc-2011Q3:1.1.0.8 pkgsrc-2011Q3-base:1.1 pkgsrc-2011Q2:1.1.0.6 pkgsrc-2011Q2-base:1.1 pkgsrc-2011Q1:1.1.0.4 pkgsrc-2011Q1-base:1.1 pkgsrc-2010Q4:1.1.0.2; locks; strict; comment @# @; 1.2 date 2015.04.13.23.12.44; author rodent; state dead; branches; next 1.1; commitid NgZhNHAKgraV6uhy; 1.1 date 2011.02.28.22.35.53; author tron; state Exp; branches 1.1.2.1; next ; 1.1.2.1 date 2011.02.28.22.35.53; author sbd; state dead; branches; next 1.1.2.2; 1.1.2.2 date 2011.03.01.10.04.22; author sbd; state Exp; branches; next ; desc @@ 1.2 log @Removing python26. EOL'd quite some ago and discussed a couple times on tech-pkg@@ and pkgsrc-users@@. @ text @$NetBSD: patch-SA43463,v 1.1 2011/02/28 22:35:53 tron Exp $ Fix information disclosure vulnerability reported in SA43463. Patch taken from the Python SVN repository: http://svn.python.org/view?view=revision&revision=71303 --- Lib/CGIHTTPServer.py.orig 2009-11-11 17:24:53.000000000 +0000 +++ Lib/CGIHTTPServer.py 2011-02-28 22:16:27.000000000 +0000 @@@@ -70,27 +70,20 @@@@ return SimpleHTTPServer.SimpleHTTPRequestHandler.send_head(self) def is_cgi(self): - """Test whether self.path corresponds to a CGI script, - and return a boolean. + """Test whether self.path corresponds to a CGI script. 
- This function sets self.cgi_info to a tuple (dir, rest) - when it returns True, where dir is the directory part before - the CGI script name. Note that rest begins with a - slash if it is not empty. - - The default implementation tests whether the path - begins with one of the strings in the list - self.cgi_directories (and the next character is a '/' - or the end of the string). + Returns True and updates the cgi_info attribute to the tuple + (dir, rest) if self.path requires running a CGI script. + Returns False otherwise. + + The default implementation tests whether the normalized url + path begins with one of the strings in self.cgi_directories + (and the next character is a '/' or the end of the string). """ - - path = self.path - - for x in self.cgi_directories: - i = len(x) - if path[:i] == x and (not path[i:] or path[i] == '/'): - self.cgi_info = path[:i], path[i+1:] - return True + splitpath = _url_collapse_path_split(self.path) + if splitpath[0] in self.cgi_directories: + self.cgi_info = splitpath + return True return False cgi_directories = ['/cgi-bin', '/htbin'] @@@@ -299,6 +292,46 @@@@ self.log_message("CGI script exited OK") +# TODO(gregory.p.smith): Move this into an appropriate library. +def _url_collapse_path_split(path): + """ + Given a URL path, remove extra '/'s and '.' path elements and collapse + any '..' references. + + Implements something akin to RFC-2396 5.2 step 6 to parse relative paths. + + Returns: A tuple of (head, tail) where tail is everything after the final / + and head is everything before it. Head will always start with a '/' and, + if it contains anything else, never have a trailing '/'. + + Raises: IndexError if too many '..' occur within the path. + """ + # Similar to os.path.split(os.path.normpath(path)) but specific to URL + # path semantics rather than local operating system semantics. 
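Review bot: The new membership test `if splitpath[0] in self.cgi_directories:` requires the collapsed directory component to equal an entry exactly, while the retained docstring still says the path need only "begin with" one of the strings in self.cgi_directories; a script nested one level below a CGI directory now fails is_cgi and falls through to the static SimpleHTTPServer send_head shown in the context line, a behaviour change the docstring hides. Either reword the docstring to `The default implementation tests whether the directory part of the normalized path is exactly one of the entries in self.cgi_directories.` or keep prefix semantics with a startswith check on the head. Separately, _url_collapse_path_split documents raising IndexError for excess '..' and is_cgi does not catch it, so such a request ends in an unhandled exception inside the handler; `try: splitpath = _url_collapse_path_split(self.path)` / `except IndexError: return False` (or a send_error(400) in send_head, whose body starts outside this hunk) keeps the failure local. The 1.1.2.2 revision text later on this page repeats the same hunk verbatim, so the same points apply there.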
+ path_parts = [] + for part in path.split('/'): + if part == '.': + path_parts.append('') + else: + path_parts.append(part) + # Filter out blank non trailing parts before consuming the '..'. + path_parts = [part for part in path_parts[:-1] if part] + path_parts[-1:] + if path_parts: + tail_part = path_parts.pop() + else: + tail_part = '' + head_parts = [] + for part in path_parts: + if part == '..': + head_parts.pop() + else: + head_parts.append(part) + if tail_part and tail_part == '..': + head_parts.pop() + tail_part = '' + return ('/' + '/'.join(head_parts), tail_part) + + nobody = None def nobody_uid(): @ 1.1 log @Add fix for the information disclosure vulnerability reported in SA43463 taken from the Python SVN repository. @ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-SA43463 was added on branch pkgsrc-2010Q4 on 2011-03-01 10:04:22 +0000 @ text @d1 96 @ 1.1.2.2 log @Pullup ticket #3369 - requested by tron Security patch for "python26" package Revisions pulled up: - lang/python26/Makefile 1.34 - lang/python26/distinfo 1.32 - lang/python26/patches/patch-SA43463 1.1 --- Module Name: pkgsrc Module Name: pkgsrc Committed By: tron Date: Mon Feb 28 22:35:53 UTC 2011 Modified Files: pkgsrc/lang/python26: Makefile distinfo Added Files: pkgsrc/lang/python26/patches: patch-SA43463 Log Message: Add fix for the information disclosure vulnerability reported in SA43463 taken from the Python SVN repository. @ text @a0 96 $NetBSD$ Fix information disclosure vulnerability reported in SA43463. Patch taken from the Python SVN repository: http://svn.python.org/view?view=revision&revision=71303 --- Lib/CGIHTTPServer.py.orig 2009-11-11 17:24:53.000000000 +0000 +++ Lib/CGIHTTPServer.py 2011-02-28 22:16:27.000000000 +0000 @@@@ -70,27 +70,20 @@@@ return SimpleHTTPServer.SimpleHTTPRequestHandler.send_head(self) def is_cgi(self): - """Test whether self.path corresponds to a CGI script, - and return a boolean. + """Test whether self.path corresponds to a CGI script. 
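Review bot: `_url_collapse_path_split` splits self.path exactly as received at `for part in path.split('/'):`, so a query component is treated as part of the final path element and any '/' inside it shifts the (head, tail) split and therefore the cgi_directories membership test in is_cgi, letting a request with such a query miss the CGI branch and reach the static fallback in send_head. Partition the query off before splitting and re-attach it to the tail so the script still receives it: `path, _, query = path.partition('?')` at the top of the function, and `if query: tail_part += '?' + query` just before the return (run_cgi, outside this hunk, presumably reads the query from the tail — confirm). The indentation of the added lines appears collapsed in this rendering, so the body's structure is inferred from statement order rather than from columns. The 1.1.2.2 revision text later on this page repeats this hunk verbatim and needs the same change.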
- This function sets self.cgi_info to a tuple (dir, rest) - when it returns True, where dir is the directory part before - the CGI script name. Note that rest begins with a - slash if it is not empty. - - The default implementation tests whether the path - begins with one of the strings in the list - self.cgi_directories (and the next character is a '/' - or the end of the string). + Returns True and updates the cgi_info attribute to the tuple + (dir, rest) if self.path requires running a CGI script. + Returns False otherwise. + + The default implementation tests whether the normalized url + path begins with one of the strings in self.cgi_directories + (and the next character is a '/' or the end of the string). """ - - path = self.path - - for x in self.cgi_directories: - i = len(x) - if path[:i] == x and (not path[i:] or path[i] == '/'): - self.cgi_info = path[:i], path[i+1:] - return True + splitpath = _url_collapse_path_split(self.path) + if splitpath[0] in self.cgi_directories: + self.cgi_info = splitpath + return True return False cgi_directories = ['/cgi-bin', '/htbin'] @@@@ -299,6 +292,46 @@@@ self.log_message("CGI script exited OK") +# TODO(gregory.p.smith): Move this into an appropriate library. +def _url_collapse_path_split(path): + """ + Given a URL path, remove extra '/'s and '.' path elements and collapse + any '..' references. + + Implements something akin to RFC-2396 5.2 step 6 to parse relative paths. + + Returns: A tuple of (head, tail) where tail is everything after the final / + and head is everything before it. Head will always start with a '/' and, + if it contains anything else, never have a trailing '/'. + + Raises: IndexError if too many '..' occur within the path. + """ + # Similar to os.path.split(os.path.normpath(path)) but specific to URL + # path semantics rather than local operating system semantics. 
+ path_parts = [] + for part in path.split('/'): + if part == '.': + path_parts.append('') + else: + path_parts.append(part) + # Filter out blank non trailing parts before consuming the '..'. + path_parts = [part for part in path_parts[:-1] if part] + path_parts[-1:] + if path_parts: + tail_part = path_parts.pop() + else: + tail_part = '' + head_parts = [] + for part in path_parts: + if part == '..': + head_parts.pop() + else: + head_parts.append(part) + if tail_part and tail_part == '..': + head_parts.pop() + tail_part = '' + return ('/' + '/'.join(head_parts), tail_part) + + nobody = None def nobody_uid(): @