rpms/python-cherrypy/F-8 cherrypy-2.2.1-security-sessionfilter.patch, NONE, 1.1 python-cherrypy.spec, 1.14, 1.15

Toshio くらとみ (toshio) fedora-extras-commits at redhat.com
Sun Jan 6 19:11:12 UTC 2008


Author: toshio

Update of /cvs/pkgs/rpms/python-cherrypy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv11908

Modified Files:
	python-cherrypy.spec 
Added Files:
	cherrypy-2.2.1-security-sessionfilter.patch 
Log Message:
* Sun Jan  6 2008 Toshio Kuratomi <toshio at fedoraproject.org> 2.2.1-8
- Fix a security bug with a backport of http://www.cherrypy.org/changeset/1775
- Include the egginfo files as well as the python files.


cherrypy-2.2.1-security-sessionfilter.patch:

--- NEW FILE cherrypy-2.2.1-security-sessionfilter.patch ---
diff -up CherryPy-2.2.1/cherrypy/filters/sessionfilter.py.sessionfix CherryPy-2.2.1/cherrypy/filters/sessionfilter.py
--- CherryPy-2.2.1/cherrypy/filters/sessionfilter.py.sessionfix	2008-01-06 08:54:39.000000000 -0800
+++ CherryPy-2.2.1/cherrypy/filters/sessionfilter.py	2008-01-06 08:55:31.000000000 -0800
@@ -326,6 +326,8 @@ class FileStorage:
             raise SessionStoragePathNotConfiguredError()
         fileName = self.SESSION_PREFIX + id
         file_path = os.path.join(storage_path, fileName)
+        if not os.path.normpath(filePath).startswith(storagePath):
+            raise cherrypy.HTTPError(400, "Invalid session id in cookie.")
         return file_path
     
     def _lock_file(self, path):
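Review bot: the added check `if not os.path.normpath(filePath).startswith(storagePath):` references `filePath` and `storagePath`, but the names bound in this method are `file_path` (the line immediately above the insertion) and `storage_path` (used in `os.path.join(storage_path, fileName)`), so as written the line raises `NameError` on every call instead of the intended `HTTPError(400)`; either every session lookup fails, or, if a caller swallows the exception, the traversal check is never applied. Suggest `if not os.path.normpath(file_path).startswith(storage_path):`. Separately, a bare `startswith` on a directory path is a weaker containment test than intended: normalize `storage_path` as well and compare against it with a trailing separator, e.g. `os.path.join(os.path.normpath(storage_path), '')`, so that a sibling directory whose name merely begins with the storage directory's name is not accepted as inside it.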


Index: python-cherrypy.spec
===================================================================
RCS file: /cvs/pkgs/rpms/python-cherrypy/F-8/python-cherrypy.spec,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -r1.14 -r1.15
--- python-cherrypy.spec	4 Nov 2007 18:51:56 -0000	1.14
+++ python-cherrypy.spec	6 Jan 2008 19:10:26 -0000	1.15
@@ -2,7 +2,7 @@
 
 Name:           python-cherrypy
 Version:        2.2.1
-Release:        7%{?dist}
+Release:        8%{?dist}
 Summary:        A pythonic, object-oriented web development framework
 Group:          Development/Libraries
 License:        BSD
@@ -12,6 +12,7 @@
 Patch0:         %{name}-tutorial-doc.patch
 Patch1:         %{name}-regression-test.patch
 Patch2:         %{name}-%{version}-EINTR.patch
+Patch3:         cherrypy-2.2.1-security-sessionfilter.patch
 
 BuildArch:      noarch
 
@@ -27,7 +28,9 @@
 %patch0
 %patch1
 %patch2
+%patch3 -p1
 
+%{__sed} -i 's/\r//' CHANGELOG.txt README.txt CHERRYPYTEAM.txt cherrypy/tutorial/README.txt
 
 %build
 %{__python} setup.py build
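Review bot: the added `%{__sed} -i 's/\r//' CHANGELOG.txt README.txt CHERRYPYTEAM.txt cherrypy/tutorial/README.txt` line strips CRLF line endings from the shipped docs, but the new changelog entry in this commit mentions only the security backport and the egg-info files; add a changelog line for the line-ending fix so the change is recorded. The `%patch3 -p1` strip level is consistent with the `CherryPy-2.2.1/` prefix in the patch's own `---`/`+++` headers.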
@@ -47,16 +50,13 @@
 %defattr(-,root,root,-)
 %doc CHANGELOG.txt CHERRYPYTEAM.txt README.txt
 %doc cherrypy/tutorial
-%dir %{python_sitelib}/cherrypy
-%dir %{python_sitelib}/cherrypy/lib
-%dir %{python_sitelib}/cherrypy/lib/filter
-%{python_sitelib}/cherrypy/favicon.ico
-%{python_sitelib}/cherrypy/*.py*
-%{python_sitelib}/cherrypy/lib/*.py*
-%{python_sitelib}/cherrypy/lib/filter/*.py*
-%{python_sitelib}/cherrypy/filters/*.py*
+%{python_sitelib}/*
 
 %changelog
+* Sun Jan  6 2008 Toshio Kuratomi <toshio at fedoraproject.org> 2.2.1-8
+- Fix a security bug with a backport of http://www.cherrypy.org/changeset/1775
+- Include the egginfo files as well as the python files.
+
 * Sat Nov  3 2007 Luke Macken <lmacken at redhat.com> 2.2.1-7
 - Apply backported fix from http://www.cherrypy.org/changeset/1766
   to improve CherryPy's SIGSTOP/SIGCONT handling (Bug #364911).
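Review bot: replacing the explicit `%dir` and file entries with `%{python_sitelib}/*` does pick up the egg-info directory the changelog refers to, but it also silently owns anything else `setup.py install` drops into site-packages and no longer fails the build when an expected file is missing, which is the safety net the explicit list provided. Prefer keeping `%{python_sitelib}/cherrypy/` as an explicit entry and adding a narrow glob for the egg-info directory (`%{python_sitelib}/*.egg-info`) so unexpected content is caught at build time.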