Date: Wednesday, June 8, 2011 @ 09:07:37 Author: stephane Revision: 126873
preparing 2.7.2, rc1 release Modified: python2/trunk/PKGBUILD Deleted: python2/trunk/CVE-2011-1521.patch python2/trunk/python-2.7.1-fix-decimal-in-turkish-locale.patch --------------------------------------------------+ CVE-2011-1521.patch | 98 --------------------- PKGBUILD | 20 ---- python-2.7.1-fix-decimal-in-turkish-locale.patch | 48 ---------- 3 files changed, 4 insertions(+), 162 deletions(-) Deleted: CVE-2011-1521.patch =================================================================== --- CVE-2011-1521.patch 2011-06-08 12:45:12 UTC (rev 126872) +++ CVE-2011-1521.patch 2011-06-08 13:07:37 UTC (rev 126873) @@ -1,98 +0,0 @@ -diff -Naur Python-2.7.1.ori/Lib/test/test_urllib2.py Python-2.7.1/Lib/test/test_urllib2.py ---- Python-2.7.1.ori/Lib/test/test_urllib2.py 2010-11-21 21:04:33.000000000 -0800 -+++ Python-2.7.1/Lib/test/test_urllib2.py 2011-04-15 05:02:13.278853672 -0700 -@@ -969,6 +969,27 @@ - self.assertEqual(count, - urllib2.HTTPRedirectHandler.max_redirections) - -+ def test_invalid_redirect(self): -+ from_url = "http://example.com/a.html" -+ valid_schemes = ['http', 'https', 'ftp'] -+ invalid_schemes = ['file', 'imap', 'ldap'] -+ schemeless_url = "example.com/b.html" -+ h = urllib2.HTTPRedirectHandler() -+ o = h.parent = MockOpener() -+ req = Request(from_url) -+ -+ for scheme in invalid_schemes: -+ invalid_url = scheme + '://' + schemeless_url -+ self.assertRaises(urllib2.HTTPError, h.http_error_302, -+ req, MockFile(), 302, "Security Loophole", -+ MockHeaders({"location": invalid_url})) -+ -+ for scheme in valid_schemes: -+ valid_url = scheme + '://' + schemeless_url -+ h.http_error_302(req, MockFile(), 302, "That's fine", -+ MockHeaders({"location": valid_url})) -+ self.assertEqual(o.req.get_full_url(), valid_url) -+ - def test_cookie_redirect(self): - # cookies shouldn't leak into redirected requests - from cookielib import CookieJar -diff -Naur Python-2.7.1.ori/Lib/test/test_urllib.py Python-2.7.1/Lib/test/test_urllib.py ---- Python-2.7.1.ori/Lib/test/test_urllib.py 2010-11-21 05:34:58.000000000 -0800 -+++ Python-2.7.1/Lib/test/test_urllib.py 2011-04-15 05:02:13.278853672 -0700 -@@ -161,6 +161,20 @@ - finally: - self.unfakehttp() - -+ def test_invalid_redirect(self): -+ # urlopen() should raise IOError for many error codes. -+ self.fakehttp("""HTTP/1.1 302 Found -+Date: Wed, 02 Jan 2008 03:03:54 GMT -+Server: Apache/1.3.33 (Debian GNU/Linux) mod_ssl/2.8.22 OpenSSL/0.9.7e -+Location: file:README -+Connection: close -+Content-Type: text/html; charset=iso-8859-1 -+""") -+ try: -+ self.assertRaises(IOError, urllib.urlopen, "http://python.org/") -+ finally: -+ self.unfakehttp() -+ - def test_empty_socket(self): - # urlopen() raises IOError if the underlying socket does not send any - # data. (#1680230) -diff -Naur Python-2.7.1.ori/Lib/urllib2.py Python-2.7.1/Lib/urllib2.py ---- Python-2.7.1.ori/Lib/urllib2.py 2010-11-20 03:24:08.000000000 -0800 -+++ Python-2.7.1/Lib/urllib2.py 2011-04-15 05:02:13.278853672 -0700 -@@ -579,6 +579,17 @@ - - newurl = urlparse.urljoin(req.get_full_url(), newurl) - -+ # For security reasons we do not allow redirects to protocols -+ # other than HTTP, HTTPS or FTP. -+ newurl_lower = newurl.lower() -+ if not (newurl_lower.startswith('http://') or -+ newurl_lower.startswith('https://') or -+ newurl_lower.startswith('ftp://')): -+ raise HTTPError(newurl, code, -+ msg + " - Redirection to url '%s' is not allowed" % -+ newurl, -+ headers, fp) -+ - # XXX Probably want to forget about the state of the current - # request, although that might interact poorly with other - # handlers that also use handler-specific request attributes -diff -Naur Python-2.7.1.ori/Lib/urllib.py Python-2.7.1/Lib/urllib.py ---- Python-2.7.1.ori/Lib/urllib.py 2010-11-21 21:04:33.000000000 -0800 -+++ Python-2.7.1/Lib/urllib.py 2011-04-15 05:02:13.278853672 -0700 -@@ -644,6 +644,18 @@ - fp.close() - # In case the server sent a relative URL, join with original: - newurl = basejoin(self.type + ":" + url, newurl) -+ -+ # For security reasons we do not allow redirects to protocols -+ # other than HTTP, HTTPS or FTP. -+ newurl_lower = newurl.lower() -+ if not (newurl_lower.startswith('http://') or -+ newurl_lower.startswith('https://') or -+ newurl_lower.startswith('ftp://')): -+ raise IOError('redirect error', errcode, -+ errmsg + " - Redirection to url '%s' is not allowed" % -+ newurl, -+ headers) -+ - return self.open(newurl) - - def http_error_301(self, url, fp, errcode, errmsg, headers, data=None): Modified: PKGBUILD =================================================================== --- PKGBUILD 2011-06-08 12:45:12 UTC (rev 126872) +++ PKGBUILD 2011-06-08 13:07:37 UTC (rev 126873) @@ -4,8 +4,8 @@ # Contributer: Jason Chu <ja...@archlinux.org> pkgname=python2 -pkgver=2.7.1 -pkgrel=9 +pkgver=2.7.2rc1 +pkgrel=1 _pybasever=2.7 pkgdesc="A high-level scripting language" arch=('i686' 'x86_64') @@ -16,13 +16,9 @@ optdepends=('tk: for IDLE') conflicts=('python<3') options=('!makeflags') -source=(http://www.python.org/ftp/python/${pkgver}/Python-${pkgver}.tar.bz2 - CVE-2011-1521.patch - python-2.7.1-fix-decimal-in-turkish-locale.patch +source=(http://www.python.org/ftp/python/${pkgver%rc?}/Python-${pkgver}.tar.bz2 python-2.7-db51.patch) -sha1sums=('fbe1894322ff91b80726e269c97454f4129fc2a3' - '31cdc76092d0f598289aaeb18e492874c981904d' - 'baf470682ae7d2b55caaa173696d08d3f468a569' +sha1sums=('656bfce75c7e674b2a05c16e1ab9225bf3023326' '9667a2a2f8594902b352793e649f78696a77bd13') build() { @@ -30,14 +26,6 @@ patch -Np1 -i ../python-2.7-db51.patch - # Fix urllib Security Vulnerability - # http://blog.python.org/2011/04/urllib-security-vulnerability-fixed.html - patch -Np1 -i ../CVE-2011-1521.patch - - # Fix "import decimal" in the Turkish locale - # cf : https://bugzilla.redhat.com/show_bug.cgi?id=694928 - patch -Np1 -i ../python-2.7.1-fix-decimal-in-turkish-locale.patch - # Temporary workaround for FS#22322 # See http://bugs.python.org/issue10835 for upstream report sed -i "/progname =/s/python/python${_pybasever}/" Python/pythonrun.c Deleted: python-2.7.1-fix-decimal-in-turkish-locale.patch =================================================================== --- python-2.7.1-fix-decimal-in-turkish-locale.patch 2011-06-08 12:45:12 UTC (rev 126872) +++ python-2.7.1-fix-decimal-in-turkish-locale.patch 2011-06-08 13:07:37 UTC (rev 126873) @@ -1,48 +0,0 @@ -diff -up Python-2.7.1/Lib/decimal.py.fix-decimal-in-turkish-locale Python-2.7.1/Lib/decimal.py ---- Python-2.7.1/Lib/decimal.py.fix-decimal-in-turkish-locale 2010-07-08 17:22:54.000000000 -0400 -+++ Python-2.7.1/Lib/decimal.py 2011-04-12 11:30:40.850350842 -0400 -@@ -1720,8 +1720,6 @@ class Decimal(object): - # here self was representable to begin with; return unchanged - return Decimal(self) - -- _pick_rounding_function = {} -- - # for each of the rounding functions below: - # self is a finite, nonzero Decimal - # prec is an integer satisfying 0 <= prec < len(self._int) -@@ -1788,6 +1786,17 @@ class Decimal(object): - else: - return -self._round_down(prec) - -+ _pick_rounding_function = dict( -+ ROUND_DOWN = '_round_down', -+ ROUND_UP = '_round_up', -+ ROUND_HALF_UP = '_round_half_up', -+ ROUND_HALF_DOWN = '_round_half_down', -+ ROUND_HALF_EVEN = '_round_half_even', -+ ROUND_CEILING = '_round_ceiling', -+ ROUND_FLOOR = '_round_floor', -+ ROUND_05UP = '_round_05up', -+ ) -+ - def fma(self, other, third, context=None): - """Fused multiply-add. - -@@ -3705,18 +3714,6 @@ _numbers.Number.register(Decimal) - - ##### Context class ####################################################### - -- --# get rounding method function: --rounding_functions = [name for name in Decimal.__dict__.keys() -- if name.startswith('_round_')] --for name in rounding_functions: -- # name is like _round_half_even, goes to the global ROUND_HALF_EVEN value. -- globalname = name[1:].upper() -- val = globals()[globalname] -- Decimal._pick_rounding_function[val] = name -- --del name, val, globalname, rounding_functions -- - class _ContextManager(object): - """Context manager class to support localcontext().