Git-Url: 
http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-current.git;a=commitdiff;h=13aa58328c928a6dfbb37888f3b6f97eda6552b9

commit 13aa58328c928a6dfbb37888f3b6f97eda6552b9
Author: VMiklos <[EMAIL PROTECTED]>
Date:   Wed Sep 5 15:43:36 2007 +0200

python-2.5.1-5-i686
added insecure_pathnames.diff
closes #2382

diff --git a/source/devel/python/FrugalBuild b/source/devel/python/FrugalBuild
index 162d4e7..510a818 100644
--- a/source/devel/python/FrugalBuild
+++ b/source/devel/python/FrugalBuild
@@ -4,7 +4,7 @@
pkgname=python
pkgver=2.5.1
shortpkgver=2.5 # 2.3 if $pkgver=2.3.4
-pkgrel=4
+pkgrel=5
pkgdesc="A high-level scripting language"
url="http://www.python.org";
depends=('glibc' 'db>=4.6.18' 'bzip2' 'gdbm' 'openssl' 'glib2')
@@ -14,8 +14,9 @@ archs=('i686' 'x86_64' 'ppc')
options=('scriptlet')
up2date="lynx -dump $url/download/|grep current|sed 's/.*n \(.*\)\. .*/\1/;q'"
source=(http://www.python.org/ftp/python/$pkgver/Python-$pkgver.tar.bz2 \
-       Python-2.4.1-gdbm-1.patch)
-signatures=(http://www.python.org/download/releases/$pkgver/Python-$pkgver.tar.bz2.asc
 '')
+       Python-2.4.1-gdbm-1.patch \
+       insecure_pathnames.diff)
+signatures=($source.asc '' '')

subpkgs=("$pkgname-tools")
subdescs=("Optional development tools to extending Python")
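Review bot: `signatures=($source.asc '' '')` relies on bash expanding an unsubscripted array to its first element, which here is the tarball URL, but it reads as if the whole array were meant; `signatures=(${source[0]}.asc '' '')` states the intent explicitly. The signature is also now fetched from the `/ftp/python/$pkgver/` directory instead of the previous `/download/releases/$pkgver/` location, which cannot be verified from the diff; confirm the `.asc` is actually published next to the tarball there, otherwise the tarball may end up unverified depending on how the build tool handles a missing signature file. The two empty entries correctly mark the in-tree patches as unsigned.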
diff --git a/source/devel/python/insecure_pathnames.diff 
b/source/devel/python/insecure_pathnames.diff
new file mode 100644
index 0000000..8af2c3a
--- /dev/null
+++ b/source/devel/python/insecure_pathnames.diff
@@ -0,0 +1,69 @@
+From: http://bugs.python.org/file8339/insecure_pathnames.diff
+
+Index: Lib/tarfile.py
+===================================================================
+--- a/Lib/tarfile.py   (revision 57571)
++++ b/Lib/tarfile.py   (working copy)
+@@ -340,6 +340,9 @@
+ class ExtractError(TarError):
+     """General exception for extract errors."""
+     pass
++class SecurityError(ExtractError):
++    """Exception for insecure pathnames."""
++    pass
+ class ReadError(TarError):
+     """Exception for unreadble tar archives."""
+     pass
+@@ -2006,12 +2009,13 @@
+
+         self.members.append(tarinfo)
+
+-    def extractall(self, path=".", members=None):
++    def extractall(self, path=".", members=None, check_paths=True):
+         """Extract all members from the archive to the current working
+            directory and set owner, modification time and permissions on
+            directories afterwards. `path' specifies a different directory
+            to extract to. `members' is optional and must be a subset of the
+-           list returned by getmembers().
++           list returned by getmembers(). If `check_paths' is True insecure
++           pathnames are not extracted.
+         """
+         directories = []
+
+@@ -2019,6 +2023,20 @@
+             members = self
+
+         for tarinfo in members:
++            if check_paths:
++                try:
++                    self._check_path(tarinfo.name)
++                    if tarinfo.islnk():
++                        self._check_path(tarinfo.linkname)
++                    if tarinfo.issym():
++                        self._check_path(os.path.join(tarinfo.name, 
tarinfo.linkname))
++                except SecurityError, e:
++                    if self.errorlevel > 1:
++                        raise
++                    else:
++                        self._dbg(1, "tarfile: %s" % e)
++                        continue
++
+             if tarinfo.isdir():
+                 # Extract directory with a safe mode, so that
+                 # all files below can be extracted as well.
+@@ -2329,6 +2347,15 @@
+     
#--------------------------------------------------------------------------
+     # Little helper methods:
+
++    def _check_path(self, path):
++        """Raise an SecurityError if `path' is an insecure pathname.
++        """
++        path = normpath(path)
++        if path.startswith("/"):
++            raise SecurityError("found insecure absolute path %r" % path)
++        if path.startswith("../"):
++            raise SecurityError("found insecure relative path %r" % path)
++
+     def _getmember(self, name, tarinfo=None):
+         """Find an archive member by name from bottom to top.
+            If tarinfo is given, it is used as the starting point.
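Review bot: The symlink check `self._check_path(os.path.join(tarinfo.name, tarinfo.linkname))` joins the link target onto the link's own name instead of its parent directory, so the normalised result is one component deeper than where the link will really resolve, and a target carrying one extra `..` passes the check; it should read `self._check_path(os.path.join(os.path.dirname(tarinfo.name), tarinfo.linkname))`. In `_check_path`, a name that normalises to exactly `..` is not caught by `startswith("../")`; `if path == ".." or path.startswith("../"):` closes that gap. Both checks are lexical and per member, so they do not take into account directories that earlier members of the same archive may have created as symlinks, which is worth stating in the `extractall` docstring next to the `check_paths` sentence so callers do not treat the flag as a complete guarantee. The docstring of `_check_path` should also say "Raise a SecurityError". The `extractall` body continues outside the hunk.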