- update to 2.7.8
* bugfix-only release, dozens of bugs fixed
* fixes CVE-2014-4650 directory traversal in CGIHTTPServer
* fixes CVE-2014-7185 (bnc#898572) potential buffer overflow in buffer()
- dropped upstreamed CVE-2014-4650-CGIHTTPServer-traversal.patch

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=167
parent
13e614b70b
commit
ad45ed7669
@ -1,35 +0,0 @@
|
||||
|
||||
# HG changeset patch
|
||||
# User Benjamin Peterson <benjamin@python.org>
|
||||
# Date 1402796189 25200
|
||||
# Node ID b4bab078876811c7d95231d08aa6fa7142fdda66
|
||||
# Parent bb8b0c7fefd0c5ed99b3f336178a4f9554a1d0ef
|
||||
url unquote the path before checking if it refers to a CGI script (closes #21766)
|
||||
|
||||
diff --git a/Lib/CGIHTTPServer.py b/Lib/CGIHTTPServer.py
|
||||
--- a/Lib/CGIHTTPServer.py
|
||||
+++ b/Lib/CGIHTTPServer.py
|
||||
@@ -84,7 +84,7 @@ class CGIHTTPRequestHandler(SimpleHTTPSe
|
||||
path begins with one of the strings in self.cgi_directories
|
||||
(and the next character is a '/' or the end of the string).
|
||||
"""
|
||||
- collapsed_path = _url_collapse_path(self.path)
|
||||
+ collapsed_path = _url_collapse_path(urllib.unquote(self.path))
|
||||
dir_sep = collapsed_path.find('/', 1)
|
||||
head, tail = collapsed_path[:dir_sep], collapsed_path[dir_sep+1:]
|
||||
if head in self.cgi_directories:
|
||||
diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py
|
||||
--- a/Lib/test/test_httpservers.py
|
||||
+++ b/Lib/test/test_httpservers.py
|
||||
@@ -510,6 +510,11 @@ class CGIHTTPServerTestCase(BaseTestCase
|
||||
(res.read(), res.getheader('Content-type'), res.status))
|
||||
self.assertEqual(os.environ['SERVER_SOFTWARE'], signature)
|
||||
|
||||
+ def test_urlquote_decoding_in_cgi_check(self):
|
||||
+ res = self.request('/cgi-bin%2ffile1.py')
|
||||
+ self.assertEqual((b'Hello World\n', 'text/html', 200),
|
||||
+ (res.read(), res.getheader('Content-type'), res.status))
|
||||
+
|
||||
|
||||
class SimpleHTTPRequestHandlerTestCase(unittest.TestCase):
|
||||
""" Test url parsing """
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:2983e3cd089b30c50e2b2234f07c2ac4fb8a5df230ab8f2e1133a1d8b208da78
|
||||
size 10496500
|
@ -1,17 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v2.0.22 (GNU/Linux)
|
||||
|
||||
iQIcBAABAgAGBQJTiinXAAoJEATDZ8IYrdT/rp4P/Rnl1l4O3LgrL+F96ASNqzRJ
|
||||
b2lxcgEzbiuSCxYTsHrNb8nElcl2XozkDb3IOGT9s2dpl0NobcrYkQ5ia0/Tk6XP
|
||||
mJ4B99mIiFJfAssBBIZglG6I2xiJHaV/XNzZj6NIvGrvyyeuW8GqOOG1KDME4UyQ
|
||||
JRqnozC0O1YNzaHmppDjRaKea9ualmmLiAC3N2J6svtB97AkKrUsxFPdqLso776T
|
||||
119ZlZ6MEQx5hs8YgJ+J62gBKzkP/m2yiSu0tf36QUxsYISWlbwjyvqS6cuzRNjl
|
||||
VXlXyKTq7RcU/10VvLYENnA0U5dXIFKZv4BWCj/4wHmujEz2DenwziXUVb38ot+K
|
||||
bAXk9OMUVHzzFwny0pLbQxFXOAXopUx3qtcwXSiOoaK72VxqhKqLH/UP6rL7n3tn
|
||||
Un4wpNYA6pd3O4dZVIbZ3IjfueTasGdKdX6DxLjlvD916w0+zeiYZeohCe/HeT93
|
||||
+Yp4tibpexHPqgln+6/M17Oj8ungqyuD6Y91mPyfOhr8FoPK1z/NyLQit8f97Mkl
|
||||
OJkqOfqoNfOxPPuP1oiN4rb4EttkmFtJ45BOsfsksXDF9IIDKwonOSxDbeTekW8Z
|
||||
RGg2FKXFsnOSpH+NcEkPizY5vsYB7DUH7NB992ovZmUUmUuAS6n0wNyiUqwtQN60
|
||||
sFbdz+EXOO6KTcQx0y3z
|
||||
=tcoa
|
||||
-----END PGP SIGNATURE-----
|
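--- a/Python-2.7.8.tar.xz
+++ b/Python-2.7.8.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:edde10a0cb7d14e2735e682882d5b287028d1485c456758154c19573db68075a
+size 10525244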
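--- a/Python-2.7.8.tar.xz.asc
+++ b/Python-2.7.8.tar.xz.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.22 (GNU/Linux)
+
+iQIcBAABAgAGBQJTsMzVAAoJEATDZ8IYrdT/CxkQAIfecKxGpMHg9ID5QuwHcYJE
+GjF9JnassnCdrpHWDqe8+iYJhEPpmbLsVP34ZKeYkvvEh6eBJSUeAw2tL/ok7mIJ
+yELB4bSYuztLQdh5T5CRSRq409AmDTDauuWDoaXmm9Qg5ydsEEY1YZwWEZwHO2Kb
+Se8IKfMv0/AYQ9HwHAhaeIABBG9G1oCJUc1gkQTYjxz9+JwruJVrRIKwD4vWysVF
+FkTshos6QEV0HajAdcJisQ7BcgRyzgw4AKLiMdFFax/2NwaH6E0lqno4vb3E64Od
+wk6HPJ1qm63bfbxNje4TqCRzO2VJiVxM7KHTr/OUjFJlJLxNIYxMPl0CWMNauWVQ
+LqpTp12raMWb+OasvBPguEpbg8JSGhFw677+VkI/Vq67kojFRVuR55KHZqtd6RDC
+V6mGVgl+Z/Pfz9JzWr8qHCuFrfydE2eOHUh5MH2ylcDk5f69WDKxLZeeRzbrPzHj
+/GCILORil4gWuXFivk3Uk09uiO56ceYcsBYAYuFrT+K45tHsAboPZ8Yt526+lP8Q
+eVBWApElC/GI5ksp6vbGJfXo3z3xORLSrS2UDuHap7/mBS91E7Hc13BNjt+gjNDO
+dXxeJWYDk0iVC+HP2igbQPFVGy39BMDD7rDQ2SnoPWbJlJrEeJQULUoRPpk17kTw
+X9vqhK54dxLgaLR+2MOS
+=LDrl
+-----END PGP SIGNATURE-----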
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:0086dea3641d7b311425339357c52dd2ba5694f0d4d2c9ae1782e898707a8bd6
|
||||
size 4494590
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:6fc5eef11803c9b84aaab30c09c20ffd492f105089fe918e93ec1d65b6b87a6a
|
||||
size 10728634
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:fdc09f1a41744ac664d86241072f9525d2c6edb46919b0c197da0eb3e1ffff7d
|
||||
size 10779787
|
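--- a/python-2.7.8-docs-html.tar.bz2
+++ b/python-2.7.8-docs-html.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b1b969be6dab30a1820320340579f6cc5b23c25acdd3e7de0d212574439978bf
+size 4487849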
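--- a/python-2.7.8-docs-pdf-a4.tar.bz2
+++ b/python-2.7.8-docs-pdf-a4.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1a217af2067e4deda02cbc83a169aa2399dcb4e72465c352ed4e98b9c1a94a18
+size 10907347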
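--- a/python-2.7.8-docs-pdf-letter.tar.bz2
+++ b/python-2.7.8-docs-pdf-letter.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3aebf5c70d2e6561093a33ce8c0481dd025e0ac553971579ee5a3a033b78593f
+size 10961584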
@ -1,3 +1,12 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Sep 30 15:06:15 UTC 2014 - jmatejek@suse.com
|
||||
|
||||
- update to 2.7.8
|
||||
* bugfix-only release, dozens of bugs fixed
|
||||
* fixes CVE-2014-4650 directory traversal in CGIHTTPServer
|
||||
* fixes CVE-2014-7185 (bnc#898572) potential buffer overflow in buffer()
|
||||
- dropped upstreamed CVE-2014-4650-CGIHTTPserver-traversal.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jul 23 16:48:38 UTC 2014 - jmatejek@suse.com
|
||||
|
||||
|
@ -17,7 +17,7 @@
|
||||
|
||||
|
||||
Name: python-base
|
||||
Version: 2.7.7
|
||||
Version: 2.7.8
|
||||
Release: 0
|
||||
Summary: Python Interpreter base package
|
||||
License: Python-2.0
|
||||
@ -57,8 +57,6 @@ Patch26: xmlrpc_gzip_27.patch
|
||||
# CVE-2013-1752 patches missing in 2.7.6: imaplib, poplib, smtplib
|
||||
Patch28: smtplib_maxline-2.7.patch
|
||||
Patch29: python-2.7.6-poplib.patch
|
||||
# CVE-2014-4650 - File disclosure and directory traversal in CGIHTTPServer
|
||||
Patch30: CVE-2014-4650-CGIHTTPServer-traversal.patch
|
||||
# remove link count optimization that breaks mhlib on btrfs (and possibly elsewhere)
|
||||
Patch31: python-2.7.7-mhlib-linkcount.patch
|
||||
# COMMON-PATCH-END
|
||||
@ -153,7 +151,6 @@ other applications.
|
||||
%patch26 -p1
|
||||
%patch28 -p1
|
||||
%patch29 -p1
|
||||
%patch30 -p1
|
||||
%patch31 -p1
|
||||
|
||||
# drop Autoconf version requirement
|
||||
|
@ -1,3 +1,8 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Sep 30 15:32:07 UTC 2014 - jmatejek@suse.com
|
||||
|
||||
- update to 2.7.8
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Jun 20 13:46:40 UTC 2014 - jmatejek@suse.com
|
||||
|
||||
|
@ -16,7 +16,7 @@
|
||||
#
|
||||
|
||||
Name: python-doc
|
||||
Version: 2.7.7
|
||||
Version: 2.7.8
|
||||
Release: 0
|
||||
Summary: Additional Package Documentation for Python
|
||||
License: Python-2.0
|
||||
@ -60,8 +60,6 @@ Patch26: xmlrpc_gzip_27.patch
|
||||
# CVE-2013-1752 patches missing in 2.7.6: imaplib, poplib, smtplib
|
||||
Patch28: smtplib_maxline-2.7.patch
|
||||
Patch29: python-2.7.6-poplib.patch
|
||||
# CVE-2014-4650 - File disclosure and directory traversal in CGIHTTPServer
|
||||
Patch30: CVE-2014-4650-CGIHTTPServer-traversal.patch
|
||||
# remove link count optimization that breaks mhlib on btrfs (and possibly elsewhere)
|
||||
Patch31: python-2.7.7-mhlib-linkcount.patch
|
||||
# COMMON-PATCH-END
|
||||
@ -110,7 +108,6 @@ Python, and Macintosh Module Reference in PDF format.
|
||||
%patch26 -p1
|
||||
%patch28 -p1
|
||||
%patch29 -p1
|
||||
%patch30 -p1
|
||||
%patch31 -p1
|
||||
|
||||
# drop Autoconf version requirement
|
||||
|
@ -1,3 +1,9 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Sep 30 15:27:40 UTC 2014 - jmatejek@suse.com
|
||||
|
||||
- update to 2.7.8
|
||||
* bugfix-only release, dozens of bugs fixed
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Jun 20 13:46:22 UTC 2014 - jmatejek@suse.com
|
||||
|
||||
|
@ -16,7 +16,7 @@
|
||||
#
|
||||
|
||||
Name: python
|
||||
Version: 2.7.7
|
||||
Version: 2.7.8
|
||||
Release: 0
|
||||
Summary: Python Interpreter
|
||||
License: Python-2.0
|
||||
@ -61,8 +61,6 @@ Patch26: xmlrpc_gzip_27.patch
|
||||
# CVE-2013-1752 patches missing in 2.7.6: imaplib, poplib, smtplib
|
||||
Patch28: smtplib_maxline-2.7.patch
|
||||
Patch29: python-2.7.6-poplib.patch
|
||||
# CVE-2014-4650 - File disclosure and directory traversal in CGIHTTPServer
|
||||
Patch30: CVE-2014-4650-CGIHTTPServer-traversal.patch
|
||||
# remove link count optimization that breaks mhlib on btrfs (and possibly elsewhere)
|
||||
Patch31: python-2.7.7-mhlib-linkcount.patch
|
||||
# COMMON-PATCH-END
|
||||
@ -187,7 +185,6 @@ implementation of the standard Unix DBM databases.
|
||||
%patch26 -p1
|
||||
%patch28 -p1
|
||||
%patch29 -p1
|
||||
%patch30 -p1
|
||||
%patch31 -p1
|
||||
|
||||
# drop Autoconf version requirement
|
||||
|