head	1.2;
access;
symbols
	pkgsrc-2013Q2:1.2.0.8
	pkgsrc-2013Q2-base:1.2
	pkgsrc-2012Q4:1.2.0.6
	pkgsrc-2012Q4-base:1.2
	pkgsrc-2011Q4:1.2.0.4
	pkgsrc-2011Q4-base:1.2
	pkgsrc-2011Q2:1.2.0.2
	pkgsrc-2011Q2-base:1.2
	pkgsrc-2011Q1:1.1.0.2
	pkgsrc-2011Q1-base:1.1;
locks; strict;
comment	@# @;


1.2
date	2011.06.04.03.58.58;	author obache;	state dead;
branches;
next	1.1;

1.1
date	2011.03.28.16.00.07;	author drochner;	state Exp;
branches;
next	;


desc
@@


1.2
log
@Update python26 to 2.6.7.
(CVE-2011-1521 had been fixed in pkgsrc).

What's New in Python 2.6.7?
===========================

*Release date: 2011-06-03*

*NOTE: Python 2.6 is in security-fix-only mode. No non-security bug fixes are
allowed. Python 2.6.7 and beyond will be source only releases.*

* No changes since 2.6.7rc2.

What's New in Python 2.6.7 rc 2?
================================

*Release date: 2011-05-20*

*NOTE: Python 2.6 is in security-fix-only mode. No non-security bug fixes are
allowed. Python 2.6.7 and beyond will be source only releases.*

Library
-------

- Issue #11662: Make urllib and urllib2 ignore redirections if the
  scheme is not HTTP, HTTPS or FTP (CVE-2011-1521).

- Issue #11442: Add a charset parameter to the Content-type in
  SimpleHTTPServer to avoid XSS attacks.

What's New in Python 2.6.7 rc 1?
================================

*Release date: 2011-05-06*

Library
-------

- Issue #9129: smtpd.py is vulnerable to DoS attacks deriving from missing
  error handling when accepting a new connection.
@
text
@$NetBSD: patch-cb,v 1.1 2011/03/28 16:00:07 drochner Exp $

Issue #11662 (CVE-2011-1521)

--- Lib/urllib2.py.orig	2011-03-28 15:17:02.000000000 +0000
+++ Lib/urllib2.py
@@@@ -578,6 +578,14 @@@@ class HTTPRedirectHandler(BaseHandler): newurl = urlparse.urljoin(req.get_full_url(), newurl) + # For security reasons we do not allow redirects to protocols + # other than HTTP, HTTPS or FTP.
+ newurl_lower = newurl.lower() + if not (newurl_lower.startswith('http://') or + newurl_lower.startswith('https://') or + newurl_lower.startswith('ftp://')): + return + # XXX Probably want to forget about the state of the current # request, although that might interact poorly with other # handlers that also use handler-specific request attributes
@


1.1
log
@fix a security issue, using patches from upstream:
stricter redirect handling in urllib, to prevent redirects to eg "file://" URLs
(CVE-2011-1521)
bump PKGREV
@
text
@d1 1
a1 1
$NetBSD$
@
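Review bot: the bare `return` that follows the scheme test (`+ return`) makes the 302 handler return None, so a refused redirect is never reported: the caller gets the 3xx response back as if it were the final answer, and code that was just steered towards a `file://` target cannot tell that anything was blocked. Raising an `HTTPError` for the refused target at that point would fail closed and leave a visible trace in logs. Two smaller points: `urlparse` is already in use on the context line (`urlparse.urljoin(req.get_full_url(), newurl)`), so comparing `urlparse.urlsplit(newurl).scheme` against `('http', 'https', 'ftp')` would state the allowlist as a scheme comparison instead of three `startswith` calls on the lowercased string (the prefix tests are safe as written because they are an allowlist, so this is style only); and the file header covers only `Lib/urllib2.py` while both log messages describe a fix to urllib as well, so `Lib/urllib.py`'s redirect handling needs the same check if it is not carried by a sibling patch.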
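The redirect-scheme allowlist that the 1.2 log describes for Issue #11662 / CVE-2011-1521, as an added example: this is not pkgsrc's or CPython's code. It is written for Python 3's urllib.request, whose stock HTTPRedirectHandler already applies the same http/https/ftp check; the subclass here shows the fail-closed variant that raises HTTPError instead of silently returning, and the module-level function runs the join-then-inspect-scheme logic over constructed Location values, including an upper-case scheme, a relative path and a `file:` URL written without slashes. The class name, function names and every URL below are assumptions made for this illustration.

```python
"""Scheme allowlist for HTTP redirect targets.

Added example, not pkgsrc or CPython code.  Mirrors the CVE-2011-1521 fix:
after the Location header is joined against the request URL, the redirect is
followed only if the resulting scheme is http, https or ftp.  Written for
Python 3's urllib.request; all names and URLs here are constructed.
"""
import io
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urljoin, urlsplit

ALLOWED_REDIRECT_SCHEMES = frozenset({"http", "https", "ftp"})


def resolve_redirect(request_url, location):
    """Join a Location header against the request URL, exactly as a client does
    before deciding whether to follow it (relative paths inherit http/https)."""
    return urljoin(request_url, location)


def redirect_allowed(request_url, location):
    """True if following `location` from `request_url` lands on an allowed scheme.

    urlsplit() lower-cases the scheme, so 'FTP://...' passes and both
    'file:///etc/passwd' and 'file:/etc/passwd' (no slashes) are refused.
    """
    target = resolve_redirect(request_url, location)
    return urlsplit(target).scheme in ALLOWED_REDIRECT_SCHEMES


class SchemeCheckingRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Hypothetical handler that fails closed: a disallowed redirect target
    raises HTTPError instead of being dropped with a bare return."""

    def http_error_302(self, req, fp, code, msg, headers):
        location = headers.get("location") or headers.get("uri")
        if location is not None and not redirect_allowed(req.full_url, location):
            raise HTTPError(
                resolve_redirect(req.full_url, location), code,
                "%s - redirection to non-HTTP/FTP URL refused" % msg,
                headers, fp)
        return super().http_error_302(req, fp, code, msg, headers)

    http_error_301 = http_error_303 = http_error_307 = http_error_302


def classify_constructed_redirects():
    """Apply the check to constructed Location values; returns {location: allowed}."""
    base = "http://example.test/login"     # constructed request URL
    samples = [
        "https://example.test/home",        # ordinary redirect, allowed
        "/relative/path",                   # resolves to http://example.test/..., allowed
        "FTP://mirror.example.test/pub/",   # upper-case scheme, allowed after normalisation
        "file:///etc/passwd",               # local file read, refused
        "file:/etc/passwd",                 # same target without '//', refused
        "javascript:alert(1)",              # refused
    ]
    return {loc: redirect_allowed(base, loc) for loc in samples}


def try_refused_redirect():
    """Feed the handler a constructed 302 pointing at file:///etc/passwd and
    return the HTTPError it raises (None would mean the redirect slipped through)."""
    handler = SchemeCheckingRedirectHandler()
    req = urllib.request.Request("http://example.test/login")  # constructed
    try:
        handler.http_error_302(req, io.BytesIO(b""), 302, "Found",
                               {"location": "file:///etc/passwd"})
    except HTTPError as err:
        return err
    return None


if __name__ == "__main__":
    for location, allowed in classify_constructed_redirects().items():
        print("%-34s %s" % (location, "follow" if allowed else "REFUSE"))
    print(try_refused_redirect())
```

The check is deliberately applied after `urljoin`, not to the raw header: a relative Location must be resolved against the request URL before its scheme means anything, and an absolute Location on a different scheme is passed through by `urljoin` unchanged, which is exactly the case the allowlist exists to catch.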