subject:"\[arch\-commits\] Commit in python\/trunk \(CVE\-2011\-1521.patch PKGBUILD\)"

[arch-commits] Commit in python/trunk (CVE-2011-1521.patch PKGBUILD)

2011-06-09 Thread Stéphane Gaudreault

Date: Thursday, June 9, 2011 @ 16:25:11
  Author: stephane
Revision: 127024

preparing 3.2.1, rc1 release

Modified:
  python/trunk/PKGBUILD
Deleted:
  python/trunk/CVE-2011-1521.patch

-+
 CVE-2011-1521.patch |  134 --
 PKGBUILD|   15 +
 2 files changed, 5 insertions(+), 144 deletions(-)

Deleted: CVE-2011-1521.patch
===
--- CVE-2011-1521.patch 2011-06-09 16:17:36 UTC (rev 127023)
+++ CVE-2011-1521.patch 2011-06-09 20:25:11 UTC (rev 127024)
@@ -1,134 +0,0 @@
-diff -Naur Python-3.2.ori/Doc/library/urllib.request.rst 
Python-3.2/Doc/library/urllib.request.rst
 Python-3.2.ori/Doc/library/urllib.request.rst  2011-02-11 
03:25:47.0 -0800
-+++ Python-3.2/Doc/library/urllib.request.rst  2011-04-15 03:49:02.778745379 
-0700
-@@ -650,6 +650,10 @@
-is the case, :exc:`HTTPError` is raised.  See :rfc:`2616` for details of 
the
-precise meanings of the various redirection codes.
- 
-+   An :class:`HTTPError` exception raised as a security consideration if the
-+   HTTPRedirectHandler is presented with a redirected url which is not an 
HTTP,
-+   HTTPS or FTP url.
-+
- 
- .. method:: HTTPRedirectHandler.redirect_request(req, fp, code, msg, hdrs, 
newurl)
- 
-diff -Naur Python-3.2.ori/Lib/test/test_urllib2.py 
Python-3.2/Lib/test/test_urllib2.py
 Python-3.2.ori/Lib/test/test_urllib2.py2011-02-11 03:25:47.0 
-0800
-+++ Python-3.2/Lib/test/test_urllib2.py2011-04-15 03:50:29.705417290 
-0700
-@@ -8,6 +8,7 @@
- 
- import urllib.request
- from urllib.request import Request, OpenerDirector
-+import urllib.error
- 
- # XXX
- # Request
-@@ -1029,6 +1030,29 @@
- self.assertEqual(count,
-  
urllib.request.HTTPRedirectHandler.max_redirections)
- 
-+
-+def test_invalid_redirect(self):
-+from_url = "http://example.com/a.html";
-+valid_schemes = ['http','https','ftp']
-+invalid_schemes = ['file','imap','ldap']
-+schemeless_url = "example.com/b.html"
-+h = urllib.request.HTTPRedirectHandler()
-+o = h.parent = MockOpener()
-+req = Request(from_url)
-+req.timeout = socket._GLOBAL_DEFAULT_TIMEOUT
-+
-+for scheme in invalid_schemes:
-+invalid_url = scheme + '://' + schemeless_url
-+self.assertRaises(urllib.error.HTTPError, h.http_error_302,
-+req, MockFile(), 302, "Security Loophole",
-+MockHeaders({"location": invalid_url}))
-+
-+for scheme in valid_schemes:
-+valid_url = scheme + '://' + schemeless_url
-+h.http_error_302(req, MockFile(), 302, "That's fine",
-+MockHeaders({"location": valid_url}))
-+self.assertEqual(o.req.get_full_url(), valid_url)
-+
- def test_cookie_redirect(self):
- # cookies shouldn't leak into redirected requests
- from http.cookiejar import CookieJar
-diff -Naur Python-3.2.ori/Lib/test/test_urllib.py 
Python-3.2/Lib/test/test_urllib.py
 Python-3.2.ori/Lib/test/test_urllib.py 2010-12-17 09:35:56.0 
-0800
-+++ Python-3.2/Lib/test/test_urllib.py 2011-04-15 03:49:02.778745379 -0700
-@@ -2,6 +2,7 @@
- 
- import urllib.parse
- import urllib.request
-+import urllib.error
- import http.client
- import email.message
- import io
-@@ -198,6 +199,21 @@
- finally:
- self.unfakehttp()
- 
-+def test_invalid_redirect(self):
-+# urlopen() should raise IOError for many error codes.
-+self.fakehttp(b'''HTTP/1.1 302 Found
-+Date: Wed, 02 Jan 2008 03:03:54 GMT
-+Server: Apache/1.3.33 (Debian GNU/Linux) mod_ssl/2.8.22 OpenSSL/0.9.7e
-+Location: file://guidocomputer.athome.com:/python/license
-+Connection: close
-+Content-Type: text/html; charset=iso-8859-1
-+''')
-+try:
-+self.assertRaises(urllib.error.HTTPError, urlopen,
-+  "http://python.org/";)
-+finally:
-+self.unfakehttp()
-+
- def test_empty_socket(self):
- # urlopen() raises IOError if the underlying socket does not send any
- # data. (#1680230)
-diff -Naur Python-3.2.ori/Lib/urllib/request.py 
Python-3.2/Lib/urllib/request.py
 Python-3.2.ori/Lib/urllib/request.py   2011-02-11 03:25:47.0 
-0800
-+++ Python-3.2/Lib/urllib/request.py   2011-04-15 03:49:02.778745379 -0700
-@@ -545,6 +545,17 @@
- 
- # fix a possible malformed URL
- urlparts = urlparse(newurl)
-+
-+# For security reasons we don't allow redirection to anything other
-+# than http, https or ftp.
-+
-+if not urlparts.scheme in ('http', 'https', 'ftp'):
-+raise HTTPError(newurl, code,
-+msg +
-+" - Redirection to url '%s' is not allowed" %
-+newurl,
-+

[arch-commits] Commit in python/trunk (CVE-2011-1521.patch PKGBUILD)

2011-04-15 Thread Stéphane Gaudreault

Date: Friday, April 15, 2011 @ 07:51:39
  Author: stephane
Revision: 119805

upgpkg: python 3.2-2
urllib security vulnerability fixed (CVE-2011-1521), use check() function

Added:
  python/trunk/CVE-2011-1521.patch
Modified:
  python/trunk/PKGBUILD

-+
 CVE-2011-1521.patch |  134 ++
 PKGBUILD|   21 +--
 2 files changed, 148 insertions(+), 7 deletions(-)

Added: CVE-2011-1521.patch
===
--- CVE-2011-1521.patch (rev 0)
+++ CVE-2011-1521.patch 2011-04-15 11:51:39 UTC (rev 119805)
@@ -0,0 +1,134 @@
+diff -Naur Python-3.2.ori/Doc/library/urllib.request.rst 
Python-3.2/Doc/library/urllib.request.rst
+--- Python-3.2.ori/Doc/library/urllib.request.rst  2011-02-11 
03:25:47.0 -0800
 Python-3.2/Doc/library/urllib.request.rst  2011-04-15 03:49:02.778745379 
-0700
+@@ -650,6 +650,10 @@
+is the case, :exc:`HTTPError` is raised.  See :rfc:`2616` for details of 
the
+precise meanings of the various redirection codes.
+ 
++   An :class:`HTTPError` exception raised as a security consideration if the
++   HTTPRedirectHandler is presented with a redirected url which is not an 
HTTP,
++   HTTPS or FTP url.
++
+ 
+ .. method:: HTTPRedirectHandler.redirect_request(req, fp, code, msg, hdrs, 
newurl)
+ 
+diff -Naur Python-3.2.ori/Lib/test/test_urllib2.py 
Python-3.2/Lib/test/test_urllib2.py
+--- Python-3.2.ori/Lib/test/test_urllib2.py2011-02-11 03:25:47.0 
-0800
 Python-3.2/Lib/test/test_urllib2.py2011-04-15 03:50:29.705417290 
-0700
+@@ -8,6 +8,7 @@
+ 
+ import urllib.request
+ from urllib.request import Request, OpenerDirector
++import urllib.error
+ 
+ # XXX
+ # Request
+@@ -1029,6 +1030,29 @@
+ self.assertEqual(count,
+  
urllib.request.HTTPRedirectHandler.max_redirections)
+ 
++
++def test_invalid_redirect(self):
++from_url = "http://example.com/a.html";
++valid_schemes = ['http','https','ftp']
++invalid_schemes = ['file','imap','ldap']
++schemeless_url = "example.com/b.html"
++h = urllib.request.HTTPRedirectHandler()
++o = h.parent = MockOpener()
++req = Request(from_url)
++req.timeout = socket._GLOBAL_DEFAULT_TIMEOUT
++
++for scheme in invalid_schemes:
++invalid_url = scheme + '://' + schemeless_url
++self.assertRaises(urllib.error.HTTPError, h.http_error_302,
++req, MockFile(), 302, "Security Loophole",
++MockHeaders({"location": invalid_url}))
++
++for scheme in valid_schemes:
++valid_url = scheme + '://' + schemeless_url
++h.http_error_302(req, MockFile(), 302, "That's fine",
++MockHeaders({"location": valid_url}))
++self.assertEqual(o.req.get_full_url(), valid_url)
++
+ def test_cookie_redirect(self):
+ # cookies shouldn't leak into redirected requests
+ from http.cookiejar import CookieJar
+diff -Naur Python-3.2.ori/Lib/test/test_urllib.py 
Python-3.2/Lib/test/test_urllib.py
+--- Python-3.2.ori/Lib/test/test_urllib.py 2010-12-17 09:35:56.0 
-0800
 Python-3.2/Lib/test/test_urllib.py 2011-04-15 03:49:02.778745379 -0700
+@@ -2,6 +2,7 @@
+ 
+ import urllib.parse
+ import urllib.request
++import urllib.error
+ import http.client
+ import email.message
+ import io
+@@ -198,6 +199,21 @@
+ finally:
+ self.unfakehttp()
+ 
++def test_invalid_redirect(self):
++# urlopen() should raise IOError for many error codes.
++self.fakehttp(b'''HTTP/1.1 302 Found
++Date: Wed, 02 Jan 2008 03:03:54 GMT
++Server: Apache/1.3.33 (Debian GNU/Linux) mod_ssl/2.8.22 OpenSSL/0.9.7e
++Location: file://guidocomputer.athome.com:/python/license
++Connection: close
++Content-Type: text/html; charset=iso-8859-1
++''')
++try:
++self.assertRaises(urllib.error.HTTPError, urlopen,
++  "http://python.org/";)
++finally:
++self.unfakehttp()
++
+ def test_empty_socket(self):
+ # urlopen() raises IOError if the underlying socket does not send any
+ # data. (#1680230)
+diff -Naur Python-3.2.ori/Lib/urllib/request.py 
Python-3.2/Lib/urllib/request.py
+--- Python-3.2.ori/Lib/urllib/request.py   2011-02-11 03:25:47.0 
-0800
 Python-3.2/Lib/urllib/request.py   2011-04-15 03:49:02.778745379 -0700
+@@ -545,6 +545,17 @@
+ 
+ # fix a possible malformed URL
+ urlparts = urlparse(newurl)
++
++# For security reasons we don't allow redirection to anything other
++# than http, https or ftp.
++
++if not urlparts.scheme in ('http', 'https', 'ftp'):
++raise HTTPError(newurl, code,
++msg +
++" - Redirection to url '%s' is not allowed" %
++

[arch-commits] Commit in python/trunk (CVE-2011-1521.patch PKGBUILD)

[arch-commits] Commit in python/trunk (CVE-2011-1521.patch PKGBUILD)

2 matches

Site Navigation

Mail list logo

Footer information