diff --git a/cherrypy-2.2.1-security-sessionfilter.patch b/cherrypy-2.2.1-security-sessionfilter.patch
new file mode 100644
index 0000000..f523501
--- /dev/null
+++ b/cherrypy-2.2.1-security-sessionfilter.patch
@@ -0,0 +1,12 @@
+diff -up CherryPy-2.2.1/cherrypy/filters/sessionfilter.py.sessionfix CherryPy-2.2.1/cherrypy/filters/sessionfilter.py
+--- CherryPy-2.2.1/cherrypy/filters/sessionfilter.py.sessionfix 2008-01-06 08:54:39.000000000 -0800
++++ CherryPy-2.2.1/cherrypy/filters/sessionfilter.py 2008-01-06 08:55:31.000000000 -0800
+@@ -326,6 +326,8 @@ class FileStorage:
+ raise SessionStoragePathNotConfiguredError()
+ fileName = self.SESSION_PREFIX + id
+ file_path = os.path.join(storage_path, fileName)
++ if not os.path.normpath(filePath).startswith(storagePath):
++ raise cherrypy.HTTPError(400, "Invalid session id in cookie.")
+ return file_path
+
+ def _lock_file(self, path):
diff --git a/python-cherrypy.spec b/python-cherrypy.spec
index 2685449..942a6c8 100644
--- a/python-cherrypy.spec
+++ b/python-cherrypy.spec
@@ -2,15 +2,17 @@
 Name: python-cherrypy
 Version: 2.2.1
-Release: 6%{?dist}
+Release: 8%{?dist}
 Summary: A pythonic, object-oriented web development framework
 Group: Development/Libraries
 License: BSD
 URL: http://www.cherrypy.org/
 Source0: http://dl.sf.net/cherrypy/CherryPy-%{version}.tar.gz
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-Patch0: python-cherrypy-tutorial-doc.patch
-Patch1: python-cherrypy-regression-test.patch
+Patch0: %{name}-tutorial-doc.patch
+Patch1: %{name}-regression-test.patch
+Patch2: %{name}-%{version}-EINTR.patch
+Patch3: cherrypy-2.2.1-security-sessionfilter.patch
 BuildArch: noarch
@@ -25,7 +27,10 @@ results in smaller source code developed in less time.
 %setup -q -n CherryPy-%{version}
 %patch0
 %patch1
+%patch2
+%patch3 -p1
+%{__sed} -i 's/\r//' CHANGELOG.txt README.txt CHERRYPYTEAM.txt cherrypy/tutorial/README.txt
 %build
 %{__python} setup.py build
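Review bot: The two added lines in the embedded patch reference `filePath` and `storagePath`, but the surrounding code binds these as `file_path` and `storage_path` (see `file_path = os.path.join(storage_path, fileName)` directly above), so as written the guard raises NameError on every session lookup instead of rejecting only bad ids, and the backported check never actually runs. Separately, a bare `startswith(storage_path)` is a string-prefix test, so a path that merely begins with the same characters as the storage directory (a sibling directory with a longer name) would pass; comparing against the normalized base plus a trailing separator avoids that: `base = os.path.normpath(storage_path)` followed by `if not os.path.normpath(file_path).startswith(base + os.sep):`. The enclosing method's signature and the binding of `storage_path` lie outside the hunk, so I cannot confirm whether another alias exists further up; from the visible lines the camelCase names are undefined. Because this is a patch file being added to the package, the correction belongs in the patch body, not the spec.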
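Review bot: `Patch2: %{name}-%{version}-EINTR.patch` is declared here and applied in %prep, but this diff adds no file of that name; if it is not already present in the repository from the 2.2.1-7 work, the build will fail at %prep before the security patch is even applied. Style: Patch0–Patch2 use the `%{name}`/`%{version}` macros while Patch3 is spelled out as `cherrypy-2.2.1-security-sessionfilter.patch`, and since `%{name}` expands to `python-cherrypy` the file as added cannot use the macro form; either rename the new patch file to match the convention or leave a short comment on the Patch3 line saying why it differs.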
@@ -45,16 +50,18 @@ rm -rf $RPM_BUILD_ROOT
 %defattr(-,root,root,-)
 %doc CHANGELOG.txt CHERRYPYTEAM.txt README.txt
 %doc cherrypy/tutorial
-%dir %{python_sitelib}/cherrypy
-%dir %{python_sitelib}/cherrypy/lib
-%dir %{python_sitelib}/cherrypy/lib/filter
-%{python_sitelib}/cherrypy/favicon.ico
-%{python_sitelib}/cherrypy/*.py*
-%{python_sitelib}/cherrypy/lib/*.py*
-%{python_sitelib}/cherrypy/lib/filter/*.py*
-%{python_sitelib}/cherrypy/filters/*.py*
+%{python_sitelib}/*
 %changelog
+* Sun Jan 6 2008 Toshio Kuratomi 2.2.1-8
+- Fix a security bug with a backport of http://www.cherrypy.org/changeset/1775
+- Include the egginfo files as well as the python files.
+
+* Sat Nov 3 2007 Luke Macken 2.2.1-7
+- Apply backported fix from http://www.cherrypy.org/changeset/1766 to improve CherryPy's SIGSTOP/SIGCONT handling (Bug #364911). Thanks to Nils Philippsen for the patch.
+
 * Mon Feb 19 2007 Luke Macken 2.2.1-6
 - Disable regression tests until we can figure out why they are dying in mock.
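Review bot: `%{python_sitelib}/*` in the %files section owns whatever the build happens to drop into site-packages rather than the package's own files, so a stray file from the build or a future upstream addition is packaged silently, and nothing verifies that the egg-info the changelog promises was actually installed. Listing the two expected entries keeps that intent explicit and keeps rpmbuild's unpackaged-files check meaningful: `%{python_sitelib}/cherrypy/` and `%{python_sitelib}/CherryPy-%{version}*.egg-info` (the second pattern is constructed from the version macro; confirm the egg-info name this build actually produces). The `%dir` lines being dropped were what gave the package ownership of its directories; a trailing-slash directory entry as above restores that.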