[arch-commits] Commit in python2/trunk (3 files)
Date: Wednesday, September 20, 2017 @ 01:29:04 Author: felixonmars Revision: 305883 upgpkg: python2 2.7.14-1 Modified: python2/trunk/PKGBUILD Deleted: python2/trunk/bpo-29697-don-t-use-openssl-1.0-fallback-on-1.1.patch python2/trunk/bpo-30714-alpn-changes-for-openssl-1.1.0f.patch ---+ PKGBUILD | 16 - bpo-29697-don-t-use-openssl-1.0-fallback-on-1.1.patch | 28 bpo-30714-alpn-changes-for-openssl-1.1.0f.patch | 51 3 files changed, 3 insertions(+), 92 deletions(-) Modified: PKGBUILD === --- PKGBUILD2017-09-19 22:05:37 UTC (rev 305882) +++ PKGBUILD2017-09-20 01:29:04 UTC (rev 305883) @@ -5,8 +5,8 @@ # Contributor: Jason Chupkgname=python2 -pkgver=2.7.13 -pkgrel=4 +pkgver=2.7.14 +pkgrel=1 _pybasever=2.7 pkgdesc="A high-level scripting language" arch=('i686' 'x86_64') @@ -20,13 +20,9 @@ 'python2-pip') conflicts=('python<3') source=("https://www.python.org/ftp/python/${pkgver%rc?}/Python-${pkgver}.tar.xz"{,.asc} -bpo-29697-don-t-use-openssl-1.0-fallback-on-1.1.patch -bpo-30714-alpn-changes-for-openssl-1.1.0f.patch descr_ref.patch fix-profile-task.patch) -sha512sums=('f37c9a28ce129d01e63c84d7db627a06402854578f62d17927334ea21ede318e04bbf66e890e3f47c85333e6b19f6e5581fb3f3e27efd24be27017d1b6529c4b' +sha512sums=('78310b0be6388ffa15f29a80afb9ab3c03a572cb094e9da00cfe391afadb51696e41f592eb658d6a31a2f422fdac8a55214a382cbb8cfb43d4a127d5b35ea7f9' 'SKIP' - '115c40c36f2f18474244c758472c6b670a576d8f0289d9add005af1ed23d368738eed09fe2123df38ed5111c37ce31d998ae3db2eeff29fc5ac3065f8ea25211' - 'b32c2a0f17b3d19720187b68606024886c6b8008b7c61feaf4fe7b26b4547fddc71a2f191f87557d5fe613d06a8bc79ce5f724681a3090559fc34a032ccbf61a' '2e16eb23eb402dbe921c09bce99b400c10939114b4a1ded0e94a744d8cb66427947bc8d07c4fb054f9fe0906d10d1da509fc2273fd136225c0f019cc43dd045d' '5d7b47bfa9f13cf5fb827546189d823033278f96866366fca5257aaf819c92ffb26e2116426c84ab78d9ae3178eebb591fa4b2f22cfc2725e3e3e795fdb5c2b6') validpgpkeys=('C01E1CAD5EA2C4F0B8E3571504C367C218ADD4FF') # Benjamin Peterson @@ -60,12 +56,6 @@ # Workaround asdl_c.py/makeopcodetargets.py errors after we touched the shebangs touch Include/Python-ast.h Python/Python-ast.c Python/opcode_targets.h - # https://bugs.python.org/issue29697 - patch -Np1 -i ../bpo-29697-don-t-use-openssl-1.0-fallback-on-1.1.patch - - # https://bugs.python.org/issue30714 - patch -Np1 -i ../bpo-30714-alpn-changes-for-openssl-1.1.0f.patch - # FS#48761 # http://bugs.python.org/issue25750 patch -Np1 -i ../descr_ref.patch Deleted: bpo-29697-don-t-use-openssl-1.0-fallback-on-1.1.patch === --- bpo-29697-don-t-use-openssl-1.0-fallback-on-1.1.patch 2017-09-19 22:05:37 UTC (rev 305882) +++ bpo-29697-don-t-use-openssl-1.0-fallback-on-1.1.patch 2017-09-20 01:29:04 UTC (rev 305883) @@ -1,28 +0,0 @@ -From f1a696efd6ca674579e25de29ec4053ff5a5ade1 Mon Sep 17 00:00:00 2001 -From: Donald Stufft -Date: Thu, 2 Mar 2017 12:37:07 -0500 -Subject: [PATCH] bpo-29697: Don't use OpenSSL <1.0.2 fallback on 1.1+ (GH-399) - - Modules/_ssl.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/Modules/_ssl.c b/Modules/_ssl.c -index a92710077cc..4fff16f6f49 100644 a/Modules/_ssl.c -+++ b/Modules/_ssl.c -@@ -2166,12 +2166,12 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds) - options |= SSL_OP_NO_SSLv3; - SSL_CTX_set_options(self->ctx, options); - --#ifndef OPENSSL_NO_ECDH -+#if !defined(OPENSSL_NO_ECDH) && !defined(OPENSSL_VERSION_1_1) - /* Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use -prime256v1 by default. This is Apache mod_ssl's initialization -policy, so we should be safe. OpenSSL 1.1 has it enabled by default. - */ --#if defined(SSL_CTX_set_ecdh_auto) && !defined(OPENSSL_VERSION_1_1) -+#if defined(SSL_CTX_set_ecdh_auto) - SSL_CTX_set_ecdh_auto(self->ctx, 1); - #else - { Deleted: bpo-30714-alpn-changes-for-openssl-1.1.0f.patch === --- bpo-30714-alpn-changes-for-openssl-1.1.0f.patch 2017-09-19 22:05:37 UTC (rev 305882) +++ bpo-30714-alpn-changes-for-openssl-1.1.0f.patch 2017-09-20 01:29:04 UTC (rev 305883) @@ -1,51 +0,0 @@ -From 0e396a20c3137244b1774bd14a0cb03921ff326d Mon Sep 17 00:00:00 2001 -From: Christian Heimes -Date: Tue, 20 Jun 2017 18:28:38 +0200 -Subject: [PATCH] bpo-30714: ALPN changes for OpenSSL 1.1.0f - -OpenSSL 1.1.0 to 1.1.0e aborted the handshake when server and client -could not agree on a protocol using ALPN. OpenSSL 1.1.0f changed that. -The most
[arch-commits] Commit in python2/trunk (3 files)
Date: Sunday, July 2, 2017 @ 22:41:05 Author: foutrelis Revision: 299559 upgpkg: python2 2.7.13-3 Fix support for elliptic curves other than prime256v1. Added: python2/trunk/bpo-29697-don-t-use-openssl-1.0-fallback-on-1.1.patch python2/trunk/bpo-30714-alpn-changes-for-openssl-1.1.0f.patch Modified: python2/trunk/PKGBUILD ---+ PKGBUILD | 14 +++- bpo-29697-don-t-use-openssl-1.0-fallback-on-1.1.patch | 28 bpo-30714-alpn-changes-for-openssl-1.1.0f.patch | 51 3 files changed, 91 insertions(+), 2 deletions(-) Modified: PKGBUILD === --- PKGBUILD2017-07-02 20:07:09 UTC (rev 299558) +++ PKGBUILD2017-07-02 22:41:05 UTC (rev 299559) @@ -6,7 +6,7 @@ pkgname=python2 pkgver=2.7.13 -pkgrel=2 +pkgrel=3 _pybasever=2.7 pkgdesc="A high-level scripting language" arch=('i686' 'x86_64') @@ -20,9 +20,13 @@ 'python2-pip') conflicts=('python<3') source=("https://www.python.org/ftp/python/${pkgver%rc?}/Python-${pkgver}.tar.xz"{,.asc} +bpo-29697-don-t-use-openssl-1.0-fallback-on-1.1.patch +bpo-30714-alpn-changes-for-openssl-1.1.0f.patch descr_ref.patch) sha1sums=('18a8f30a0356c751b8d0ea6f76e764cab13ee046' 'SKIP' + 'cb503cdbee806382db1ddad4de5ae1390ff6bb9f' + 'fb888fc23761976616da0b735c702c23f8707771' '8cc6ac63e909063eb16bbdabc0f0eac7d24ff0c1') validpgpkeys=('C01E1CAD5EA2C4F0B8E3571504C367C218ADD4FF') # Benjamin Peterson @@ -55,9 +59,15 @@ # Workaround asdl_c.py/makeopcodetargets.py errors after we touched the shebangs touch Include/Python-ast.h Python/Python-ast.c Python/opcode_targets.h + # https://bugs.python.org/issue29697 + patch -Np1 -i ../bpo-29697-don-t-use-openssl-1.0-fallback-on-1.1.patch + + # https://bugs.python.org/issue30714 + patch -Np1 -i ../bpo-30714-alpn-changes-for-openssl-1.1.0f.patch + # FS#48761 # http://bugs.python.org/issue25750 - patch -p1 -i ../descr_ref.patch + patch -Np1 -i ../descr_ref.patch } build() { Added: bpo-29697-don-t-use-openssl-1.0-fallback-on-1.1.patch === --- bpo-29697-don-t-use-openssl-1.0-fallback-on-1.1.patch (rev 0) +++ bpo-29697-don-t-use-openssl-1.0-fallback-on-1.1.patch 2017-07-02 22:41:05 UTC (rev 299559) @@ -0,0 +1,28 @@ +From f1a696efd6ca674579e25de29ec4053ff5a5ade1 Mon Sep 17 00:00:00 2001 +From: Donald Stufft+Date: Thu, 2 Mar 2017 12:37:07 -0500 +Subject: [PATCH] bpo-29697: Don't use OpenSSL <1.0.2 fallback on 1.1+ (GH-399) + +--- + Modules/_ssl.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/Modules/_ssl.c b/Modules/_ssl.c +index a92710077cc..4fff16f6f49 100644 +--- a/Modules/_ssl.c b/Modules/_ssl.c +@@ -2166,12 +2166,12 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds) + options |= SSL_OP_NO_SSLv3; + SSL_CTX_set_options(self->ctx, options); + +-#ifndef OPENSSL_NO_ECDH ++#if !defined(OPENSSL_NO_ECDH) && !defined(OPENSSL_VERSION_1_1) + /* Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use +prime256v1 by default. This is Apache mod_ssl's initialization +policy, so we should be safe. OpenSSL 1.1 has it enabled by default. + */ +-#if defined(SSL_CTX_set_ecdh_auto) && !defined(OPENSSL_VERSION_1_1) ++#if defined(SSL_CTX_set_ecdh_auto) + SSL_CTX_set_ecdh_auto(self->ctx, 1); + #else + { Added: bpo-30714-alpn-changes-for-openssl-1.1.0f.patch === --- bpo-30714-alpn-changes-for-openssl-1.1.0f.patch (rev 0) +++ bpo-30714-alpn-changes-for-openssl-1.1.0f.patch 2017-07-02 22:41:05 UTC (rev 299559) @@ -0,0 +1,51 @@ +From 0e396a20c3137244b1774bd14a0cb03921ff326d Mon Sep 17 00:00:00 2001 +From: Christian Heimes +Date: Tue, 20 Jun 2017 18:28:38 +0200 +Subject: [PATCH] bpo-30714: ALPN changes for OpenSSL 1.1.0f + +OpenSSL 1.1.0 to 1.1.0e aborted the handshake when server and client +could not agree on a protocol using ALPN. OpenSSL 1.1.0f changed that. +The most recent version now behaves like OpenSSL 1.0.2 again. The ALPN +callback can pretend to not been set. + +See https://github.com/openssl/openssl/pull/3158 for more details + +Signed-off-by: Christian Heimes +--- + Doc/library/ssl.rst | 5 +++-- + Lib/test/test_ssl.py | 5 +++-- + Misc/NEWS| 3 +++ + 3 files changed, 9 insertions(+), 4 deletions(-) + +diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst +index 729a239a1ba..b51b9c6e396 100644 +--- a/Doc/library/ssl.rst b/Doc/library/ssl.rst +@@ -1447,8 +1447,9 @@ to speed up repeated connections from the same clients. +This method will raise
[arch-commits] Commit in python2/trunk (3 files)
Date: Saturday, April 14, 2012 @ 19:25:58 Author: stephane Revision: 156165 delete patch that are no longer needed Deleted: python2/trunk/13156-revert-tls-changeset-subinterpreter.patch python2/trunk/gdbm-magic-values.patch python2/trunk/linux2.patch -+ 13156-revert-tls-changeset-subinterpreter.patch | 61 -- gdbm-magic-values.patch | 12 linux2.patch| 23 3 files changed, 96 deletions(-) Deleted: 13156-revert-tls-changeset-subinterpreter.patch === --- 13156-revert-tls-changeset-subinterpreter.patch 2012-04-14 23:22:06 UTC (rev 156164) +++ 13156-revert-tls-changeset-subinterpreter.patch 2012-04-14 23:25:58 UTC (rev 156165) @@ -1,61 +0,0 @@ - -# HG changeset patch -# User Charles-François Natali neolo...@free.fr -# Date 1318446474 -7200 -# Node ID ee4fe16d9b4822457ad855ea6c44e65030166304 -# Parent f6feed6ec3f9b024cecd0fd587595c403f55624f -Issue #13156: revert changeset f6feed6ec3f9, which was only relevant for native -TLS implementations, and fails with the ad-hoc TLS implementation when a thread -doesn't have an auto thread state (e.g. a thread created outside of Python -calling into a subinterpreter). - -diff --git a/Include/pystate.h b/Include/pystate.h a/Include/pystate.h -+++ b/Include/pystate.h -@@ -111,7 +111,6 @@ PyAPI_FUNC(void) PyThreadState_Clear(PyT - PyAPI_FUNC(void) PyThreadState_Delete(PyThreadState *); - #ifdef WITH_THREAD - PyAPI_FUNC(void) PyThreadState_DeleteCurrent(void); --PyAPI_FUNC(void) _PyGILState_Reinit(void); - #endif - - PyAPI_FUNC(PyThreadState *) PyThreadState_Get(void); -diff --git a/Modules/signalmodule.c b/Modules/signalmodule.c a/Modules/signalmodule.c -+++ b/Modules/signalmodule.c -@@ -976,7 +976,6 @@ void - PyOS_AfterFork(void) - { - #ifdef WITH_THREAD --_PyGILState_Reinit(); - PyEval_ReInitThreads(); - main_thread = PyThread_get_thread_ident(); - main_pid = getpid(); -diff --git a/Python/pystate.c b/Python/pystate.c a/Python/pystate.c -+++ b/Python/pystate.c -@@ -537,23 +537,6 @@ void - autoInterpreterState = NULL; - } - --/* Reset the TLS key - called by PyOS_AfterFork. -- * This should not be necessary, but some - buggy - pthread implementations -- * don't flush TLS on fork, see issue #10517. -- */ --void --_PyGILState_Reinit(void) --{ --PyThreadState *tstate = PyGILState_GetThisThreadState(); --PyThread_delete_key(autoTLSkey); --if ((autoTLSkey = PyThread_create_key()) == -1) --Py_FatalError(Could not allocate TLS entry); -- --/* re-associate the current thread state with the new key */ --if (PyThread_set_key_value(autoTLSkey, (void *)tstate) 0) --Py_FatalError(Couldn't create autoTLSkey mapping); --} -- - /* When a thread state is created for a thread by some mechanism other than -PyGILState_Ensure, it's important that the GILState machinery knows about -it so it doesn't try to create another thread state for the thread (this is - Deleted: gdbm-magic-values.patch === --- gdbm-magic-values.patch 2012-04-14 23:22:06 UTC (rev 156164) +++ gdbm-magic-values.patch 2012-04-14 23:25:58 UTC (rev 156165) @@ -1,12 +0,0 @@ -diff -up Python-2.7.2/Lib/whichdb.py.gdbm-1.9-magic Python-2.7.2/Lib/whichdb.py Python-2.7.2/Lib/whichdb.py.gdbm-1.9-magic 2011-06-11 11:46:26.0 -0400 -+++ Python-2.7.2/Lib/whichdb.py2011-09-30 15:45:21.778872290 -0400 -@@ -91,7 +91,7 @@ def whichdb(filename): - return - - # Check for GNU dbm --if magic == 0x13579ace: -+if magic in (0x13579ace, 0x13579acd, 0x13579acf): - return gdbm - - # Check for old Berkeley db hash file format v2 Deleted: linux2.patch === --- linux2.patch2012-04-14 23:22:06 UTC (rev 156164) +++ linux2.patch2012-04-14 23:25:58 UTC (rev 156165) @@ -1,23 +0,0 @@ -http://hg.python.org/cpython/rev/c816479f6aaf/ -diff --git a/configure b/configure a/configure -+++ b/configure -@@ -2995,6 +2995,7 @@ then - MACHDEP=$ac_md_system$ac_md_release - - case $MACHDEP in -+ linux*) MACHDEP=linux2;; - cygwin*) MACHDEP=cygwin;; - darwin*) MACHDEP=darwin;; - atheos*) MACHDEP=atheos;; -diff --git a/configure.in b/configure.in a/configure.in -+++ b/configure.in -@@ -293,6 +293,7 @@ then - MACHDEP=$ac_md_system$ac_md_release - - case $MACHDEP in -+ linux*) MACHDEP=linux2;; - cygwin*) MACHDEP=cygwin;; - darwin*) MACHDEP=darwin;; - atheos*) MACHDEP=atheos;;
[arch-commits] Commit in python2/trunk (3 files)
Date: Tuesday, January 31, 2012 @ 08:38:55 Author: stephane Revision: 148408 upgpkg: python2 2.7.2-5 Fix upstream issue #13156: revert changeset f6feed6ec3f9, which was only relevant for native TLS implementations, and fails with the ad-hoc TLS implementation when a thread doesn't have an auto thread state (e.g. a thread created outside of Python calling into a subinterpreter). Added: python2/trunk/13156-revert-tls-changeset-subinterpreter.patch Modified: python2/trunk/PKGBUILD python2/trunk/gdbm-magic-values.patch -+ 13156-revert-tls-changeset-subinterpreter.patch | 61 ++ PKGBUILD| 11 ++- gdbm-magic-values.patch |1 3 files changed, 69 insertions(+), 4 deletions(-) Added: 13156-revert-tls-changeset-subinterpreter.patch === --- 13156-revert-tls-changeset-subinterpreter.patch (rev 0) +++ 13156-revert-tls-changeset-subinterpreter.patch 2012-01-31 13:38:55 UTC (rev 148408) @@ -0,0 +1,61 @@ + +# HG changeset patch +# User Charles-François Natali neolo...@free.fr +# Date 1318446474 -7200 +# Node ID ee4fe16d9b4822457ad855ea6c44e65030166304 +# Parent f6feed6ec3f9b024cecd0fd587595c403f55624f +Issue #13156: revert changeset f6feed6ec3f9, which was only relevant for native +TLS implementations, and fails with the ad-hoc TLS implementation when a thread +doesn't have an auto thread state (e.g. a thread created outside of Python +calling into a subinterpreter). + +diff --git a/Include/pystate.h b/Include/pystate.h +--- a/Include/pystate.h b/Include/pystate.h +@@ -111,7 +111,6 @@ PyAPI_FUNC(void) PyThreadState_Clear(PyT + PyAPI_FUNC(void) PyThreadState_Delete(PyThreadState *); + #ifdef WITH_THREAD + PyAPI_FUNC(void) PyThreadState_DeleteCurrent(void); +-PyAPI_FUNC(void) _PyGILState_Reinit(void); + #endif + + PyAPI_FUNC(PyThreadState *) PyThreadState_Get(void); +diff --git a/Modules/signalmodule.c b/Modules/signalmodule.c +--- a/Modules/signalmodule.c b/Modules/signalmodule.c +@@ -976,7 +976,6 @@ void + PyOS_AfterFork(void) + { + #ifdef WITH_THREAD +-_PyGILState_Reinit(); + PyEval_ReInitThreads(); + main_thread = PyThread_get_thread_ident(); + main_pid = getpid(); +diff --git a/Python/pystate.c b/Python/pystate.c +--- a/Python/pystate.c b/Python/pystate.c +@@ -537,23 +537,6 @@ void + autoInterpreterState = NULL; + } + +-/* Reset the TLS key - called by PyOS_AfterFork. +- * This should not be necessary, but some - buggy - pthread implementations +- * don't flush TLS on fork, see issue #10517. +- */ +-void +-_PyGILState_Reinit(void) +-{ +-PyThreadState *tstate = PyGILState_GetThisThreadState(); +-PyThread_delete_key(autoTLSkey); +-if ((autoTLSkey = PyThread_create_key()) == -1) +-Py_FatalError(Could not allocate TLS entry); +- +-/* re-associate the current thread state with the new key */ +-if (PyThread_set_key_value(autoTLSkey, (void *)tstate) 0) +-Py_FatalError(Couldn't create autoTLSkey mapping); +-} +- + /* When a thread state is created for a thread by some mechanism other than +PyGILState_Ensure, it's important that the GILState machinery knows about +it so it doesn't try to create another thread state for the thread (this is + Modified: PKGBUILD === --- PKGBUILD2012-01-31 13:31:47 UTC (rev 148407) +++ PKGBUILD2012-01-31 13:38:55 UTC (rev 148408) @@ -5,7 +5,7 @@ pkgname=python2 pkgver=2.7.2 -pkgrel=4 +pkgrel=5 _pybasever=2.7 pkgdesc=A high-level scripting language arch=('i686' 'x86_64') @@ -18,10 +18,12 @@ options=('!makeflags') source=(http://www.python.org/ftp/python/${pkgver%rc?}/Python-${pkgver}.tar.xz linux2.patch -gdbm-magic-values.patch) +gdbm-magic-values.patch +13156-revert-tls-changeset-subinterpreter.patch) sha1sums=('56700044141402dc35e7a0a24aa7ffda1a8c1a53' '937c06190899a491d662c7918658313e7640070e' - '0f4cd9508c9ace620a829a688a9285e0480b5fb5') + 'ede2c991b1a91eec5a01cc2d3a11231f17d750ae' + 'd61fa2b8efd1d08a2ee8a9aed434dc94b8297d6b') build() { cd ${srcdir}/Python-${pkgver} @@ -44,6 +46,9 @@ # http://bugs.python.org/issue13007 patch -Np1 -i ../gdbm-magic-values.patch + # http://bugs.python.org/issue13156 + patch -Np1 -i ../13156-revert-tls-changeset-subinterpreter.patch + # Ensure that we are using the system copy of various libraries (expat, zlib and libffi), # rather than copies shipped in the tarball rm -r Modules/expat Modified: gdbm-magic-values.patch === --- gdbm-magic-values.patch 2012-01-31 13:31:47 UTC (rev 148407) +++ gdbm-magic-values.patch 2012-01-31 13:38:55 UTC (rev 148408) @@ -10,4 +10,3 @@
[arch-commits] Commit in python2/trunk (3 files)
Date: Wednesday, June 8, 2011 @ 09:07:37 Author: stephane Revision: 126873 preparing 2.7.2, rc1 release Modified: python2/trunk/PKGBUILD Deleted: python2/trunk/CVE-2011-1521.patch python2/trunk/python-2.7.1-fix-decimal-in-turkish-locale.patch --+ CVE-2011-1521.patch | 98 - PKGBUILD | 20 python-2.7.1-fix-decimal-in-turkish-locale.patch | 48 -- 3 files changed, 4 insertions(+), 162 deletions(-) Deleted: CVE-2011-1521.patch === --- CVE-2011-1521.patch 2011-06-08 12:45:12 UTC (rev 126872) +++ CVE-2011-1521.patch 2011-06-08 13:07:37 UTC (rev 126873) @@ -1,98 +0,0 @@ -diff -Naur Python-2.7.1.ori/Lib/test/test_urllib2.py Python-2.7.1/Lib/test/test_urllib2.py Python-2.7.1.ori/Lib/test/test_urllib2.py 2010-11-21 21:04:33.0 -0800 -+++ Python-2.7.1/Lib/test/test_urllib2.py 2011-04-15 05:02:13.278853672 -0700 -@@ -969,6 +969,27 @@ - self.assertEqual(count, - urllib2.HTTPRedirectHandler.max_redirections) - -+def test_invalid_redirect(self): -+from_url = http://example.com/a.html; -+valid_schemes = ['http', 'https', 'ftp'] -+invalid_schemes = ['file', 'imap', 'ldap'] -+schemeless_url = example.com/b.html -+h = urllib2.HTTPRedirectHandler() -+o = h.parent = MockOpener() -+req = Request(from_url) -+ -+for scheme in invalid_schemes: -+invalid_url = scheme + '://' + schemeless_url -+self.assertRaises(urllib2.HTTPError, h.http_error_302, -+ req, MockFile(), 302, Security Loophole, -+ MockHeaders({location: invalid_url})) -+ -+for scheme in valid_schemes: -+valid_url = scheme + '://' + schemeless_url -+h.http_error_302(req, MockFile(), 302, That's fine, -+MockHeaders({location: valid_url})) -+self.assertEqual(o.req.get_full_url(), valid_url) -+ - def test_cookie_redirect(self): - # cookies shouldn't leak into redirected requests - from cookielib import CookieJar -diff -Naur Python-2.7.1.ori/Lib/test/test_urllib.py Python-2.7.1/Lib/test/test_urllib.py Python-2.7.1.ori/Lib/test/test_urllib.py 2010-11-21 05:34:58.0 -0800 -+++ Python-2.7.1/Lib/test/test_urllib.py 2011-04-15 05:02:13.278853672 -0700 -@@ -161,6 +161,20 @@ - finally: - self.unfakehttp() - -+def test_invalid_redirect(self): -+# urlopen() should raise IOError for many error codes. -+self.fakehttp(HTTP/1.1 302 Found -+Date: Wed, 02 Jan 2008 03:03:54 GMT -+Server: Apache/1.3.33 (Debian GNU/Linux) mod_ssl/2.8.22 OpenSSL/0.9.7e -+Location: file:README -+Connection: close -+Content-Type: text/html; charset=iso-8859-1 -+) -+try: -+self.assertRaises(IOError, urllib.urlopen, http://python.org/;) -+finally: -+self.unfakehttp() -+ - def test_empty_socket(self): - # urlopen() raises IOError if the underlying socket does not send any - # data. (#1680230) -diff -Naur Python-2.7.1.ori/Lib/urllib2.py Python-2.7.1/Lib/urllib2.py Python-2.7.1.ori/Lib/urllib2.py2010-11-20 03:24:08.0 -0800 -+++ Python-2.7.1/Lib/urllib2.py2011-04-15 05:02:13.278853672 -0700 -@@ -579,6 +579,17 @@ - - newurl = urlparse.urljoin(req.get_full_url(), newurl) - -+# For security reasons we do not allow redirects to protocols -+# other than HTTP, HTTPS or FTP. -+newurl_lower = newurl.lower() -+if not (newurl_lower.startswith('http://') or -+newurl_lower.startswith('https://') or -+newurl_lower.startswith('ftp://')): -+raise HTTPError(newurl, code, -+msg + - Redirection to url '%s' is not allowed % -+newurl, -+headers, fp) -+ - # XXX Probably want to forget about the state of the current - # request, although that might interact poorly with other - # handlers that also use handler-specific request attributes -diff -Naur Python-2.7.1.ori/Lib/urllib.py Python-2.7.1/Lib/urllib.py Python-2.7.1.ori/Lib/urllib.py 2010-11-21 21:04:33.0 -0800 -+++ Python-2.7.1/Lib/urllib.py 2011-04-15 05:02:13.278853672 -0700 -@@ -644,6 +644,18 @@ - fp.close() - # In case the server sent a relative URL, join with original: - newurl = basejoin(self.type + : + url, newurl) -+ -+# For security reasons we do not allow redirects to protocols -+# other than HTTP, HTTPS or FTP. -+newurl_lower = newurl.lower() -+if not (newurl_lower.startswith('http://') or -+newurl_lower.startswith('https://')