head 1.2;
access;
symbols
	pkgsrc-2013Q2:1.2.0.8
	pkgsrc-2013Q2-base:1.2
	pkgsrc-2012Q4:1.2.0.6
	pkgsrc-2012Q4-base:1.2
	pkgsrc-2011Q4:1.2.0.4
	pkgsrc-2011Q4-base:1.2
	pkgsrc-2011Q2:1.2.0.2
	pkgsrc-2011Q2-base:1.2
	pkgsrc-2011Q1:1.1.0.2
	pkgsrc-2011Q1-base:1.1;
locks; strict;
comment @# @;

1.2
date 2011.06.04.03.58.58; author obache; state dead;
branches;
next 1.1;

1.1
date 2011.03.28.16.00.07; author drochner; state Exp;
branches;
next ;

desc
@@

1.2
log
@Update python26 to 2.6.7.
(CVE-2011-1521 had been fixed in pkgsrc).

What's New in Python 2.6.7?
===========================

*Release date: 2011-06-03*

*NOTE: Python 2.6 is in security-fix-only mode. No non-security bug fixes are
allowed. Python 2.6.7 and beyond will be source only releases.*

* No changes since 2.6.7rc2.

What's New in Python 2.6.7 rc 2?
================================

*Release date: 2011-05-20*

*NOTE: Python 2.6 is in security-fix-only mode. No non-security bug fixes are
allowed. Python 2.6.7 and beyond will be source only releases.*

Library
-------

- Issue #11662: Make urllib and urllib2 ignore redirections if the scheme is
  not HTTP, HTTPS or FTP (CVE-2011-1521).

- Issue #11442: Add a charset parameter to the Content-type in SimpleHTTPServer
  to avoid XSS attacks.

What's New in Python 2.6.7 rc 1?
================================

*Release date: 2011-05-06*

Library
-------

- Issue #9129: smtpd.py is vulnerable to DoS attacks deriving from missing error
  handling when accepting a new connection.
@
text
@$NetBSD: patch-ca,v 1.1 2011/03/28 16:00:07 drochner Exp $ Issue #11662 (CVE-2011-1521) --- Lib/urllib.py.orig 2007-03-14 08:27:57.000000000 +0000 +++ Lib/urllib.py @@@@ -638,10 +638,20 @@@@ class FancyURLopener(URLopener): newurl = headers['uri'] else: return - void = fp.read() - fp.close() + # In case the server sent a relative URL, join with original: newurl = basejoin(self.type + ":" + url, newurl) + + # For security reasons we do not allow redirects to protocols + # other than HTTP, HTTPS or FTP. 
+ newurl_lower = newurl.lower() + if not (newurl_lower.startswith('http://') or + newurl_lower.startswith('https://') or + newurl_lower.startswith('ftp://')): + return + + void = fp.read() + fp.close() return self.open(newurl) def http_error_301(self, url, fp, errcode, errmsg, headers, data=None): @

1.1
log
@fix a security issue, using patches from upstream:
stricter redirect handling in urllib, to prevent redirects to eg
"file://" URLs (CVE-2011-1521)
bump PKGREV
@
text
@d1 1
a1 1
$NetBSD$
@
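Review bot: the new early `return` for a disallowed scheme leaves the response body unread and the file object open, because `void = fp.read()` and `fp.close()` were moved below the scheme check; close `fp` before that `return` (or raise an `IOError` there, so a caller can tell a blocked redirect from the pre-existing `else: return` path, which also yields None when no Location/URI header is present). Applying the check to `newurl` after `basejoin(self.type + ":" + url, newurl)` is the right order, since a relative Location header is resolved against the original scheme before the HTTP/HTTPS/FTP prefix test runs.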