Add a patch from PSF-2005-001 which fixes SimpleXMLRPCServer

vulnerability.

PR:		77078
Submitted by:	Marcus Grando <marcus@corp.grupos.com.br>
Security:	CAN-2005-0089
Security:	http://www.vuxml.org/freebsd/6afa87d3-764b-11d9-b0e7-0000e249a0a2.html
Security:	SimpleXMLRPCServer.py allows unrestricted traversal

2 files changed, 126 insertions, 0 deletions

diff --git a/lang/python24/Makefile b/lang/python24/Makefile
index 0fafbcb85066..8cbd19756eb4 100644
--- a/lang/python24/Makefile
+++ b/lang/python24/Makefile
@@ -7,6 +7,7 @@
 
 PORTNAME=	python
 PORTVERSION=	2.4
+PORTREVISION=	1
 CATEGORIES=	lang python ipv6
 MASTER_SITES=	${PYTHON_MASTER_SITES}
 MASTER_SITE_SUBDIR=	${PYTHON_MASTER_SITE_SUBDIR}
diff --git a/lang/python24/files/patch-Lib::SimpleXMLRPCServer.py b/lang/python24/files/patch-Lib::SimpleXMLRPCServer.py
new file mode 100644
index 000000000000..54b8b4523f4e
--- /dev/null
+++ b/lang/python24/files/patch-Lib::SimpleXMLRPCServer.py
@@ -0,0 +1,125 @@
+Index: Lib/SimpleXMLRPCServer.py
+===================================================================
+RCS file: /cvsroot/python/python/dist/src/Lib/SimpleXMLRPCServer.py,v
+retrieving revision 1.7.8.1
+diff -c -r1.7.8.1 SimpleXMLRPCServer.py
+*** Lib/SimpleXMLRPCServer.py	3 Oct 2004 23:23:00 -0000	1.7.8.1
+--- Lib/SimpleXMLRPCServer.py	3 Feb 2005 05:33:55 -0000
+***************
+*** 107,120 ****
+  import types
+  import os
+  
+! def resolve_dotted_attribute(obj, attr):
+      """resolve_dotted_attribute(a, 'b.c.d') => a.b.c.d
+  
+      Resolves a dotted attribute name to an object.  Raises
+      an AttributeError if any attribute in the chain starts with a '_'.
+      """
+  
+!     for i in attr.split('.'):
+          if i.startswith('_'):
+              raise AttributeError(
+                  'attempt to access private attribute "%s"' % i
+--- 107,128 ----
+  import types
+  import os
+  
+! def resolve_dotted_attribute(obj, attr, allow_dotted_names=True):
+      """resolve_dotted_attribute(a, 'b.c.d') => a.b.c.d
+  
+      Resolves a dotted attribute name to an object.  Raises
+      an AttributeError if any attribute in the chain starts with a '_'.
++ 
++     If the optional allow_dotted_names argument is false, dots are not
++     supported and this function operates similar to getattr(obj, attr).
+      """
+  
+!     if allow_dotted_names:
+!         attrs = attr.split('.')
+!     else:
+!         attrs = [attr]
+! 
+!     for i in attrs:
+          if i.startswith('_'):
+              raise AttributeError(
+                  'attempt to access private attribute "%s"' % i
+***************
+*** 156,162 ****
+          self.funcs = {}
+          self.instance = None
+  
+!     def register_instance(self, instance):
+          """Registers an instance to respond to XML-RPC requests.
+  
+          Only one instance can be installed at a time.
+--- 164,170 ----
+          self.funcs = {}
+          self.instance = None
+  
+!     def register_instance(self, instance, allow_dotted_names=False):
+          """Registers an instance to respond to XML-RPC requests.
+  
+          Only one instance can be installed at a time.
+***************
+*** 174,182 ****
+--- 182,204 ----
+  
+          If a registered function matches a XML-RPC request, then it
+          will be called instead of the registered instance.
++ 
++         If the optional allow_dotted_names argument is true and the
++         instance does not have a _dispatch method, method names
++         containing dots are supported and resolved, as long as none of
++         the name segments start with an '_'.
++ 
++             *** SECURITY WARNING: ***
++ 
++             Enabling the allow_dotted_names options allows intruders
++             to access your module's global variables and may allow
++             intruders to execute arbitrary code on your machine.  Only
++             use this option on a secure, closed network.
++ 
+          """
+  
+          self.instance = instance
++         self.allow_dotted_names = allow_dotted_names
+  
+      def register_function(self, function, name = None):
+          """Registers a function to respond to XML-RPC requests.
+***************
+*** 295,301 ****
+                  try:
+                      method = resolve_dotted_attribute(
+                                  self.instance,
+!                                 method_name
+                                  )
+                  except AttributeError:
+                      pass
+--- 317,324 ----
+                  try:
+                      method = resolve_dotted_attribute(
+                                  self.instance,
+!                                 method_name,
+!                                 self.allow_dotted_names
+                                  )
+                  except AttributeError:
+                      pass
+***************
+*** 374,380 ****
+                      try:
+                          func = resolve_dotted_attribute(
+                              self.instance,
+!                             method
+                              )
+                      except AttributeError:
+                          pass
+--- 397,404 ----
+                      try:
+                          func = resolve_dotted_attribute(
+                              self.instance,
+!                             method,
+!                             self.allow_dotted_names
+                              )
+                      except AttributeError:
+                          pass