Index: head/lang/python33/Makefile
===================================================================
--- head/lang/python33/Makefile (revision 427245)
+++ head/lang/python33/Makefile (revision 427246)
@@ -1,121 +1,121 @@ # $FreeBSD$ PORTNAME= python33 PORTVERSION= ${PYTHON_PORTVERSION} -PORTREVISION= 5 +PORTREVISION= 6 CATEGORIES= lang python ipv6 MASTER_SITES= PYTHON/ftp/python/${PORTVERSION} DISTNAME= Python-${PORTVERSION} DIST_SUBDIR= python MAINTAINER= python@FreeBSD.org COMMENT= Interpreted object-oriented programming language LICENSE= PSFL DEPRECATED= No longer receives bug fixes, only security updates. Please update to Python 3.5 EXPIRATION_DATE= 2017-09-01 USES= cpe ncurses pathfix pkgconfig readline ssl tar:xz PATHFIX_MAKEFILEIN= Makefile.pre.in USE_LDCONFIG= yes GNU_CONFIGURE= yes CPE_VENDOR= python CPE_PRODUCT= ${CPE_VENDOR} CONFIGURE_ARGS+= --enable-shared CONFIGURE_ENV+= OPT="" # Null out OPT to respect user CFLAGS and remove optimizations INSTALL_TARGET= altinstall # Don't want cloberring of unprefixed files MAKE_ARGS+= INSTALL_SHARED="${INSTALL_LIB}" # Strip shared library MAKE_JOBS_UNSAFE= yes # Parser/pgen build bug. See Issue: 200622, 201974 TEST_TARGET= buildbottest TEST_ARGS= TESTOPTS=-j${MAKE_JOBS_NUMBER} SUB_FILES= pkg-message SUB_LIST= PYTHON_SUFFIX=${PORTVERSION:R:S/.//g} PLIST_SUB= ABI=${ABIFLAGS} \ OSMAJOR=${OSVERSION:C/([0-9]*)[0-9]{5}/\1/} # For plat-freebsd* in pkg-plist. 
http://bugs.python.org/issue19554 OPTIONS_DEFINE= DEBUG IPV6 LIBFFI NLS PYMALLOC THREADS TSC OPTIONS_DEFAULT= LIBFFI PYMALLOC THREADS OPTIONS_SUB= yes LIBFFI_DESC= Use libffi from ports instead of bundled version NLS_DESC= Enable gettext support for the locale module PYMALLOC_DESC= Enable specialized mallocs TSC_DESC= Enable rocessor timestamp counter profiling DEBUG_CONFIGURE_WITH= pydebug IPV6_CONFIGURE_ENABLE= ipv6 LIBFFI_CONFIGURE_ON= --with-system-ffi LIBFFI_LIB_DEPENDS= libffi.so:devel/libffi # Use CPPFLAGS over CFLAGS due to -I ordering, causing elementtree and pyexpat # to break in Python 2.7, or preprocessor complaints in Python >= 3.3 # Upstream Issue: http://bugs.python.org/issue6299 NLS_USES= gettext NLS_CPPFLAGS= -I${LOCALBASE}/include NLS_LIBS= -L${LOCALBASE}/lib -lintl NLS_CONFIGURE_ENV_OFF= ac_cv_lib_intl_textdomain=no ac_cv_header_libintl_h=no PYMALLOC_CONFIGURE_WITH= pymalloc THREADS_CONFIGURE_WITH= threads THREADS_LDFLAGS= -lpthread TSC_CONFIGURE_WITH= tsc .include "${.CURDIR}/Makefile.version" .include .if ${PORT_OPTIONS:MPYMALLOC} ABIFLAGS:= m${ABIFLAGS} .endif .if ${PORT_OPTIONS:MDEBUG} ABIFLAGS:= d${ABIFLAGS} .endif .if !empty(ABIFLAGS) PLIST_FILES+= bin/python3.3%%ABI%% PLIST_FILES+= bin/python3.3%%ABI%%-config PLIST_FILES+= libdata/pkgconfig/python-3.3%%ABI%%.pc .endif # http://bugs.python.org/issue22521 # http://bugs.python.org/issue23042 .if ${ARCH} == i386 && !${PORT_OPTIONS:MLIBFFI} BROKEN= You must use libffi from ports on i386. Enable the LIBFFI option .endif .if ${ARCH} == sparc64 CFLAGS+= -DPYTHON_DEFAULT_RECURSION_LIMIT=900 .endif # See http://bugs.freebsd.org/115940 and http://bugs.freebsd.org/193650 .if !exists(/usr/bin/ypcat) || defined(WITHOUT_NIS) PLIST_SUB+= NO_NIS="@comment " .else PLIST_SUB+= NO_NIS="" .endif post-patch: .if !exists(/usr/bin/ypcat) || defined(WITHOUT_NIS) @${REINPLACE_CMD} -e 's/disabled_module_list =[^]]*/&, "nis"/' \ ${WRKSRC}/setup.py .endif post-install: .if ! 
${PORT_OPTIONS:MDEBUG} ${RM} ${STAGEDIR}${PREFIX}/lib/libpython3.so # Upstream Issue: http://bugs.python.org/issue17975 .endif for i in ${STAGEDIR}${PREFIX}/lib/python3.3/lib-dynload/*.so; do \ ${STRIP_CMD} $$i; done # Strip shared extensions .include Index: head/lang/python33/files/patch-Lib_http_client.py =================================================================== --- head/lang/python33/files/patch-Lib_http_client.py (nonexistent) +++ head/lang/python33/files/patch-Lib_http_client.py (revision 427246) 
@@ -0,0 +1,76 @@
+Based on and adapted for Python 3.3: https://hg.python.org/cpython/rev/bf3e1c9b80e9
+# HG changeset patch
+# User Serhiy Storchaka
+# Date 1426151616 -7200
+# Node ID bf3e1c9b80e995311ba932e42200f076e03034c0
+# Parent 2b4a04c3681b1210529eb8a224cc007a0b92a890
+Issue #22928: Disabled HTTP header injections in http.client.
+Original patch by Demian Brecht.
+
+--- Lib/http/client.py.orig 2016-06-30 21:29:02 UTC
++++ Lib/http/client.py
+@@ -70,6 +70,7 @@ import email.parser
+ import email.message
+ import io
+ import os
++import re
+ import socket
+ import collections
+ from urllib.parse import urlsplit
+@@ -216,6 +217,35 @@ MAXAMOUNT = 1048576
+ _MAXLINE = 65536
+ _MAXHEADERS = 100
+
++# Header name/value ABNF (http://tools.ietf.org/html/rfc7230#section-3.2)
++#
++# VCHAR = %x21-7E
++# obs-text = %x80-FF
++# header-field = field-name ":" OWS field-value OWS
++# field-name = token
++# field-value = *( field-content / obs-fold )
++# field-content = field-vchar [ 1*( SP / HTAB ) field-vchar ]
++# field-vchar = VCHAR / obs-text
++#
++# obs-fold = CRLF 1*( SP / HTAB )
++# ; obsolete line folding
++# ; see Section 3.2.4
++
++# token = 1*tchar
++#
++# tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*"
++# / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
++# / DIGIT / ALPHA
++# ; any VCHAR, except delimiters
++#
++# VCHAR defined in http://tools.ietf.org/html/rfc5234#appendix-B.1
++
++# the patterns for both name and value are more leniant than RFC
++# definitions to allow for backwards compatibility
++_is_legal_header_name = re.compile(rb'^[^:\s][^:\r\n]*$').match
++_is_illegal_header_value = re.compile(rb'\n(?![ \t])|\r(?![ \t\n])').search
++
++
+
+ class HTTPMessage(email.message.Message):
+ # XXX The only usage of this method is in
+@@ -1035,12 +1065,20 @@ class HTTPConnection:
+
+ if hasattr(header, 'encode'):
+ header = header.encode('ascii')
++
++ if not _is_legal_header_name(header):
++ raise ValueError('Invalid header name %r' % (header,))
++
+ values = list(values)
+ for i, one_value in enumerate(values):
+ if hasattr(one_value, 'encode'):
+ values[i] = one_value.encode('latin-1')
+ elif isinstance(one_value, int):
+ values[i] = str(one_value).encode('ascii')
++
++ if _is_illegal_header_value(values[i]):
++ raise ValueError('Invalid header value %r' % (values[i],))
++
+ value = b'\r\n\t'.join(values)
+ header = header + b': ' + value
+ self._output(header)
Property changes on: head/lang/python33/files/patch-Lib_http_client.py
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: head/lang/python33/files/patch-Lib_test_test__httplib.py
===================================================================
--- head/lang/python33/files/patch-Lib_test_test__httplib.py (nonexistent)
+++ head/lang/python33/files/patch-Lib_test_test__httplib.py (revision 427246)
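Review bot: The name pattern behind `_is_legal_header_name` is anchored with `$`, which in Python's `re` also matches just before a trailing newline, so a header name ending in LF (a constructed example: `b'Name\n'`) passes the check and the LF is still written out by `putheader`. `fullmatch` is not available in Python 3.3, so anchoring with `\Z` is the compatible fix: `_is_legal_header_name = re.compile(rb'^[^:\s][^:\r\n]*\Z').match`. The value check is not affected, since it uses `search` with lookaheads rather than an end anchor. The `cases` tuple in `test_invalid_headers` in the test_httplib patch covers leading and embedded CR/LF in names but no trailing one; adding `(b'InvalidName\n', b'ValidValue'),` would pin the behaviour. The body of `putheader` starts and ends outside the inner hunk.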
@@ -0,0 +1,80 @@
+Based on and adapted for Python 3.3: https://hg.python.org/cpython/rev/bf3e1c9b80e9
+# HG changeset patch
+# User Serhiy Storchaka
+# Date 1426151616 -7200
+# Node ID bf3e1c9b80e995311ba932e42200f076e03034c0
+# Parent 2b4a04c3681b1210529eb8a224cc007a0b92a890
+Issue #22928: Disabled HTTP header injections in http.client.
+Original patch by Demian Brecht.
+
+--- Lib/test/test_httplib.py.orig 2016-06-30 21:31:29 UTC
++++ Lib/test/test_httplib.py
+@@ -134,6 +134,33 @@ class HeaderTests(TestCase):
+ conn.putheader('Content-length', 42)
+ self.assertIn(b'Content-length: 42', conn._buffer)
+
++ conn.putheader('Foo', ' bar ')
++ self.assertIn(b'Foo: bar ', conn._buffer)
++ conn.putheader('Bar', '\tbaz\t')
++ self.assertIn(b'Bar: \tbaz\t', conn._buffer)
++ conn.putheader('Authorization', 'Bearer mytoken')
++ self.assertIn(b'Authorization: Bearer mytoken', conn._buffer)
++ conn.putheader('IterHeader', 'IterA', 'IterB')
++ self.assertIn(b'IterHeader: IterA\r\n\tIterB', conn._buffer)
++ conn.putheader('LatinHeader', b'\xFF')
++ self.assertIn(b'LatinHeader: \xFF', conn._buffer)
++ conn.putheader('Utf8Header', b'\xc3\x80')
++ self.assertIn(b'Utf8Header: \xc3\x80', conn._buffer)
++ conn.putheader('C1-Control', b'next\x85line')
++ self.assertIn(b'C1-Control: next\x85line', conn._buffer)
++ conn.putheader('Embedded-Fold-Space', 'is\r\n allowed')
++ self.assertIn(b'Embedded-Fold-Space: is\r\n allowed', conn._buffer)
++ conn.putheader('Embedded-Fold-Tab', 'is\r\n\tallowed')
++ self.assertIn(b'Embedded-Fold-Tab: is\r\n\tallowed', conn._buffer)
++ conn.putheader('Key Space', 'value')
++ self.assertIn(b'Key Space: value', conn._buffer)
++ conn.putheader('KeySpace ', 'value')
++ self.assertIn(b'KeySpace : value', conn._buffer)
++ conn.putheader(b'Nonbreak\xa0Space', 'value')
++ self.assertIn(b'Nonbreak\xa0Space: value', conn._buffer)
++ conn.putheader(b'\xa0NonbreakSpace', 'value')
++ self.assertIn(b'\xa0NonbreakSpace: value', conn._buffer)
++
+ def test_ipv6host_header(self):
+ # Default host header on IPv6 transaction should wrapped by [] if
+ # its actual IPv6 address
+@@ -153,6 +180,34 @@ class HeaderTests(TestCase):
+ conn.request('GET', '/foo')
+ self.assertTrue(sock.data.startswith(expected))
+
++ def test_invalid_headers(self):
++ conn = client.HTTPConnection('example.com')
++ conn.sock = FakeSocket('')
++ conn.putrequest('GET', '/')
++
++ # http://tools.ietf.org/html/rfc7230#section-3.2.4, whitespace is no
++ # longer allowed in header names
++ cases = (
++ (b'Invalid\r\nName', b'ValidValue'),
++ (b'Invalid\rName', b'ValidValue'),
++ (b'Invalid\nName', b'ValidValue'),
++ (b'\r\nInvalidName', b'ValidValue'),
++ (b'\rInvalidName', b'ValidValue'),
++ (b'\nInvalidName', b'ValidValue'),
++ (b' InvalidName', b'ValidValue'),
++ (b'\tInvalidName', b'ValidValue'),
++ (b'Invalid:Name', b'ValidValue'),
++ (b':InvalidName', b'ValidValue'),
++ (b'ValidName', b'Invalid\r\nValue'),
++ (b'ValidName', b'Invalid\rValue'),
++ (b'ValidName', b'Invalid\nValue'),
++ (b'ValidName', b'InvalidValue\r\n'),
++ (b'ValidName', b'InvalidValue\r'),
++ (b'ValidName', b'InvalidValue\n'),
++ )
++ for name, value in cases:
++ with self.assertRaisesRegex(ValueError, 'Invalid header'):
++ conn.putheader(name, value)
+
+ class BasicTest(TestCase):
+ def test_status_lines(self):
Property changes on: head/lang/python33/files/patch-Lib_test_test__httplib.py
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property