rpms/python-cherrypy/EL-4 cherrypy-2.2.1-security-sessionfilter.patch, NONE, 1.1 python-cherrypy.spec, 1.7, 1.8

Toshio くらとみ (toshio) fedora-extras-commits at redhat.com
Sun Jan 6 19:14:33 UTC 2008


Author: toshio

Update of /cvs/pkgs/rpms/python-cherrypy/EL-4
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv12297

Modified Files:
	python-cherrypy.spec 
Added Files:
	cherrypy-2.2.1-security-sessionfilter.patch 
Log Message:
* Sun Jan  6 2008 Toshio Kuratomi <toshio at fedoraproject.org> 2.2.1-8
- Fix a security bug with a backport of http://www.cherrypy.org/changeset/1775
- Include the egginfo files as well as the python files.


cherrypy-2.2.1-security-sessionfilter.patch:

--- NEW FILE cherrypy-2.2.1-security-sessionfilter.patch ---
diff -up CherryPy-2.2.1/cherrypy/filters/sessionfilter.py.sessionfix CherryPy-2.2.1/cherrypy/filters/sessionfilter.py
--- CherryPy-2.2.1/cherrypy/filters/sessionfilter.py.sessionfix	2008-01-06 08:54:39.000000000 -0800
+++ CherryPy-2.2.1/cherrypy/filters/sessionfilter.py	2008-01-06 08:55:31.000000000 -0800
@@ -326,6 +326,8 @@ class FileStorage:
             raise SessionStoragePathNotConfiguredError()
         fileName = self.SESSION_PREFIX + id
         file_path = os.path.join(storage_path, fileName)
+        if not os.path.normpath(filePath).startswith(storagePath):
+            raise cherrypy.HTTPError(400, "Invalid session id in cookie.")
         return file_path
     
     def _lock_file(self, path):
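Review bot: the two added lines in this FileStorage hunk read `filePath` and `storagePath`, but the context lines around them assign `file_path` and `storage_path`. Unless the camel-case names are defined outside the lines shown, the check raises a NameError on every call instead of validating the session id, so use the names from the context. Separately, a bare `startswith(storage_path)` also accepts a sibling directory whose name merely begins with the storage path, and it compares a normalized path against an unnormalized one. Comparing against `os.path.normpath(storage_path) + os.sep` closes both gaps.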


Index: python-cherrypy.spec
===================================================================
RCS file: /cvs/pkgs/rpms/python-cherrypy/EL-4/python-cherrypy.spec,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- python-cherrypy.spec	11 Dec 2007 22:29:44 -0000	1.7
+++ python-cherrypy.spec	6 Jan 2008 19:13:47 -0000	1.8
@@ -2,15 +2,17 @@
 
 Name:           python-cherrypy
 Version:        2.2.1
-Release:        7%{?dist}
+Release:        8%{?dist}
 Summary:        A pythonic, object-oriented web development framework
 Group:          Development/Libraries
 License:        BSD
 URL:            http://www.cherrypy.org/
 Source0:        http://dl.sf.net/cherrypy/CherryPy-%{version}.tar.gz
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-Patch0:         python-cherrypy-tutorial-doc.patch
-Patch1:         python-cherrypy-regression-test.patch
+Patch0:         %{name}-tutorial-doc.patch
+Patch1:         %{name}-regression-test.patch
+Patch2:         %{name}-%{version}-EINTR.patch
+Patch3:         cherrypy-2.2.1-security-sessionfilter.patch
 
 BuildArch:      noarch
 
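Review bot: `Patch2` names `%{name}-%{version}-EINTR.patch`, yet the Added Files list of this commit contains only `cherrypy-2.2.1-security-sessionfilter.patch`. Confirm the EINTR patch is already present in the EL-4 directory, otherwise the build cannot find it. As a style point, `Patch3` hard-codes `cherrypy-2.2.1` while `Patch2` uses `%{version}`; pick one convention so a version bump does not leave a mismatched file name.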
@@ -25,7 +27,10 @@
 %setup -q -n CherryPy-%{version}
 %patch0
 %patch1
+%patch2
+%patch3 -p1
 
+%{__sed} -i 's/\r//' CHANGELOG.txt README.txt CHERRYPYTEAM.txt cherrypy/tutorial/README.txt
 
 %build
 %{__python} setup.py build
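Review bot: `%patch2` is applied with no `-p` option while `%patch3` gets `-p1`. If the default strip level is intended for the EINTR patch, spell it out as `-p0` so the difference is visibly deliberate. The new `%{__sed} -i 's/\r//'` line that strips carriage returns from the text files is also not mentioned in the 2.2.1-8 changelog entry; add a changelog line for it.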
@@ -45,18 +50,17 @@
 %defattr(-,root,root,-)
 %doc CHANGELOG.txt CHERRYPYTEAM.txt README.txt
 %doc cherrypy/tutorial
-%dir %{python_sitelib}/cherrypy
-%dir %{python_sitelib}/cherrypy/lib
-%dir %{python_sitelib}/cherrypy/lib/filter
-%{python_sitelib}/cherrypy/favicon.ico
-%{python_sitelib}/cherrypy/*.py*
-%{python_sitelib}/cherrypy/lib/*.py*
-%{python_sitelib}/cherrypy/lib/filter/*.py*
-%{python_sitelib}/cherrypy/filters/*.py*
+%{python_sitelib}/*
 
 %changelog
-* Tue Dec 11 2007 Luke Macken <lmacken at redhat.com> 2.2.1-7
-- Update our patches for 2.2.1
+* Sun Jan  6 2008 Toshio Kuratomi <toshio at fedoraproject.org> 2.2.1-8
+- Fix a security bug with a backport of http://www.cherrypy.org/changeset/1775
+- Include the egginfo files as well as the python files.
+
+* Sat Nov  3 2007 Luke Macken <lmacken at redhat.com> 2.2.1-7
+- Apply backported fix from http://www.cherrypy.org/changeset/1766
+  to improve CherryPy's SIGSTOP/SIGCONT handling (Bug #364911).
+  Thanks to Nils Philippsen for the patch.
 
 * Mon Feb 19 2007 Luke Macken <lmacken at redhat.com> 2.2.1-6
 - Disable regression tests until we can figure out why they
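Review bot: the changelog part of this hunk rewrites the existing 2.2.1-7 entry instead of only adding 2.2.1-8: its date changes from `Tue Dec 11 2007` to `Sat Nov  3 2007`, and `Update our patches for 2.2.1` is replaced by the changeset/1766 text, although the `Patch2` line only enters this spec in revision 1.8. Either keep the old -7 entry as it was and describe the EINTR backport under -8, or note in the log message why the history is being corrected. On the `%files` side, `%{python_sitelib}/*` replaces the explicit `%dir` and file list, so the package now owns whatever setup.py installs there; check the resulting file list to confirm it contains only the cherrypy tree and its egg-info.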