[PATCH 0/2] Misc Fixes

[PATCH 0/2] Misc Fixes

[nitin.a.kamble]

From: Nitin A Kamble <nitin.a.kamble@intel.com>

The following changes since commit 35f20c5aacc9b23affe0380e8451ccc41cbc1799:

  eglibc: Tighten LICENSE Fields (2011-07-19 17:34:21 +0100)

are available in the git repository at:
  git://git.pokylinux.org/poky-contrib nitin/misc
  http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=nitin/misc

Nitin A Kamble (2):
  python: fix security vulnerability
  glib-2.0: fix a compilation issue due to dtrace

 meta/recipes-core/glib-2.0/glib-2.0_2.28.8.bb      |    1 -
 meta/recipes-core/glib-2.0/glib.inc                |    2 +-
 meta/recipes-devtools/python/python.inc            |    2 +-
 .../python/python/security_issue_2254_fix.patch    |  184 ++++++++++++++++++++
 meta/recipes-devtools/python/python_2.6.6.bb       |    3 +-
 5 files changed, 188 insertions(+), 4 deletions(-)
 create mode 100644 meta/recipes-devtools/python/python/security_issue_2254_fix.patch

-- 
1.7.6

[PATCH 1/2] python: fix security vulnerability

[nitin.a.kamble]

From: Nitin A Kamble <nitin.a.kamble@intel.com>

This Fixes bug: [Yocto #1254]

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1015

Issue #2254: Fix CGIHTTPServer information disclosure.  Relative paths are
  now collapsed within the url properly before looking in cgi_directories.

Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com>
---
 meta/recipes-devtools/python/python.inc            |    2 +-
 .../python/python/security_issue_2254_fix.patch    |  184 ++++++++++++++++++++
 meta/recipes-devtools/python/python_2.6.6.bb       |    3 +-
 3 files changed, 187 insertions(+), 2 deletions(-)
 create mode 100644 meta/recipes-devtools/python/python/security_issue_2254_fix.patch

diff --git a/meta/recipes-devtools/python/python.inc b/meta/recipes-devtools/python/python.inc
index 25a458e..a6cc917 100644
--- a/meta/recipes-devtools/python/python.inc
+++ b/meta/recipes-devtools/python/python.inc
@@ -3,7 +3,7 @@ HOMEPAGE = "http://www.python.org"
 LICENSE = "PSF"
 SECTION = "devel/python"
 # bump this on every change in contrib/python/generate-manifest-2.6.py
-INC_PR = "nk2"
+INC_PR = "r2"
 
 DEFAULT_PREFERENCE = "-26"
 
diff --git a/meta/recipes-devtools/python/python/security_issue_2254_fix.patch b/meta/recipes-devtools/python/python/security_issue_2254_fix.patch
new file mode 100644
index 0000000..0d2274a
--- /dev/null
+++ b/meta/recipes-devtools/python/python/security_issue_2254_fix.patch
@@ -0,0 +1,184 @@
+UpstreamStatus: Backport
+http://svn.python.org/view?view=revision&revision=71303
+
+Issue #2254: Fix CGIHTTPServer information disclosure.  Relative paths are
+  now collapsed within the url properly before looking in cgi_directories.
+Signed-Off-By: Nitin A Kamble <nitin.a.kamble@intel.com> 
+2011/07/19
+
+Index: Python-2.6.6/Lib/CGIHTTPServer.py
+===================================================================
+--- Python-2.6.6.orig/Lib/CGIHTTPServer.py
++++ Python-2.6.6/Lib/CGIHTTPServer.py
+@@ -70,27 +70,20 @@ class CGIHTTPRequestHandler(SimpleHTTPSe
+             return SimpleHTTPServer.SimpleHTTPRequestHandler.send_head(self)
+ 
+     def is_cgi(self):
+-        """Test whether self.path corresponds to a CGI script,
+-        and return a boolean.
++        """Test whether self.path corresponds to a CGI script.
+ 
+-        This function sets self.cgi_info to a tuple (dir, rest)
+-        when it returns True, where dir is the directory part before
+-        the CGI script name.  Note that rest begins with a
+-        slash if it is not empty.
+-
+-        The default implementation tests whether the path
+-        begins with one of the strings in the list
+-        self.cgi_directories (and the next character is a '/'
+-        or the end of the string).
++        Returns True and updates the cgi_info attribute to the tuple
++        (dir, rest) if self.path requires running a CGI script.
++        Returns False otherwise.
++
++        The default implementation tests whether the normalized url
++        path begins with one of the strings in self.cgi_directories
++        (and the next character is a '/' or the end of the string).
+         """
+-
+-        path = self.path
+-
+-        for x in self.cgi_directories:
+-            i = len(x)
+-            if path[:i] == x and (not path[i:] or path[i] == '/'):
+-                self.cgi_info = path[:i], path[i+1:]
+-                return True
++        splitpath = _url_collapse_path_split(self.path)
++        if splitpath[0] in self.cgi_directories:
++            self.cgi_info = splitpath
++            return True
+         return False
+ 
+     cgi_directories = ['/cgi-bin', '/htbin']
+@@ -299,6 +292,46 @@ class CGIHTTPRequestHandler(SimpleHTTPSe
+                 self.log_message("CGI script exited OK")
+ 
+ 
++# TODO(gregory.p.smith): Move this into an appropriate library.
++def _url_collapse_path_split(path):
++    """
++    Given a URL path, remove extra '/'s and '.' path elements and collapse
++    any '..' references.
++
++    Implements something akin to RFC-2396 5.2 step 6 to parse relative paths.
++
++    Returns: A tuple of (head, tail) where tail is everything after the final /
++    and head is everything before it.  Head will always start with a '/' and,
++    if it contains anything else, never have a trailing '/'.
++
++    Raises: IndexError if too many '..' occur within the path.
++    """
++    # Similar to os.path.split(os.path.normpath(path)) but specific to URL
++    # path semantics rather than local operating system semantics.
++    path_parts = []
++    for part in path.split('/'):
++        if part == '.':
++            path_parts.append('')
++        else:
++            path_parts.append(part)
++    # Filter out blank non trailing parts before consuming the '..'.
++    path_parts = [part for part in path_parts[:-1] if part] + path_parts[-1:]
++    if path_parts:
++        tail_part = path_parts.pop()
++    else:
++        tail_part = ''
++    head_parts = []
++    for part in path_parts:
++        if part == '..':
++            head_parts.pop()
++        else:
++            head_parts.append(part)
++    if tail_part and tail_part == '..':
++        head_parts.pop()
++        tail_part = ''
++    return ('/' + '/'.join(head_parts), tail_part)
++
++
+ nobody = None
+ 
+ def nobody_uid():
+Index: Python-2.6.6/Lib/test/test_httpservers.py
+===================================================================
+--- Python-2.6.6.orig/Lib/test/test_httpservers.py
++++ Python-2.6.6/Lib/test/test_httpservers.py
+@@ -7,6 +7,7 @@ Josip Dzolonga, and Michael Otteneder fo
+ from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
+ from SimpleHTTPServer import SimpleHTTPRequestHandler
+ from CGIHTTPServer import CGIHTTPRequestHandler
++import CGIHTTPServer
+ 
+ import os
+ import sys
+@@ -324,6 +325,45 @@ class CGIHTTPServerTestCase(BaseTestCase
+         finally:
+             BaseTestCase.tearDown(self)
+ 
++    def test_url_collapse_path_split(self):
++        test_vectors = {
++            '': ('/', ''),
++            '..': IndexError,
++            '/.//..': IndexError,
++            '/': ('/', ''),
++            '//': ('/', ''),
++            '/\\': ('/', '\\'),
++            '/.//': ('/', ''),
++            'cgi-bin/file1.py': ('/cgi-bin', 'file1.py'),
++            '/cgi-bin/file1.py': ('/cgi-bin', 'file1.py'),
++            'a': ('/', 'a'),
++            '/a': ('/', 'a'),
++            '//a': ('/', 'a'),
++            './a': ('/', 'a'),
++            './C:/': ('/C:', ''),
++            '/a/b': ('/a', 'b'),
++            '/a/b/': ('/a/b', ''),
++            '/a/b/c/..': ('/a/b', ''),
++            '/a/b/c/../d': ('/a/b', 'd'),
++            '/a/b/c/../d/e/../f': ('/a/b/d', 'f'),
++            '/a/b/c/../d/e/../../f': ('/a/b', 'f'),
++            '/a/b/c/../d/e/.././././..//f': ('/a/b', 'f'),
++            '../a/b/c/../d/e/.././././..//f': IndexError,
++            '/a/b/c/../d/e/../../../f': ('/a', 'f'),
++            '/a/b/c/../d/e/../../../../f': ('/', 'f'),
++            '/a/b/c/../d/e/../../../../../f': IndexError,
++            '/a/b/c/../d/e/../../../../f/..': ('/', ''),
++        }
++        for path, expected in test_vectors.iteritems():
++            if isinstance(expected, type) and issubclass(expected, Exception):
++                self.assertRaises(expected,
++                                  CGIHTTPServer._url_collapse_path_split, path)
++            else:
++                actual = CGIHTTPServer._url_collapse_path_split(path)
++                self.assertEquals(expected, actual,
++                                  msg='path = %r\nGot:    %r\nWanted: %r' % (
++                                  path, actual, expected))
++
+     def test_headers_and_content(self):
+         res = self.request('/cgi-bin/file1.py')
+         self.assertEquals(('Hello World\n', 'text/html', 200), \
+@@ -348,6 +388,12 @@ class CGIHTTPServerTestCase(BaseTestCase
+         self.assertEquals(('Hello World\n', 'text/html', 200), \
+              (res.read(), res.getheader('Content-type'), res.status))
+ 
++    def test_no_leading_slash(self):
++        # http://bugs.python.org/issue2254
++        res = self.request('cgi-bin/file1.py')
++        self.assertEquals(('Hello World\n', 'text/html', 200),
++             (res.read(), res.getheader('Content-type'), res.status))
++
+ 
+ def test_main(verbose=None):
+     cwd = os.getcwd()
+Index: Python-2.6.6/Misc/NEWS
+===================================================================
+--- Python-2.6.6.orig/Misc/NEWS
++++ Python-2.6.6/Misc/NEWS
+@@ -137,6 +137,9 @@ C-API
+ Library
+ -------
+ 
++- Issue #2254: Fix CGIHTTPServer information disclosure.  Relative paths are
++  now collapsed within the url properly before looking in cgi_directories.
++
+ - Issue #8447: Make distutils.sysconfig follow symlinks in the path to
+   the interpreter executable.  This fixes a failure of test_httpservers
+   on OS X.
diff --git a/meta/recipes-devtools/python/python_2.6.6.bb b/meta/recipes-devtools/python/python_2.6.6.bb
index 800ba04..d5e7d22 100644
--- a/meta/recipes-devtools/python/python_2.6.6.bb
+++ b/meta/recipes-devtools/python/python_2.6.6.bb
@@ -1,7 +1,7 @@
 require python.inc
 DEPENDS = "python-native db gdbm openssl readline sqlite3 zlib"
 DEPENDS_sharprom = "python-native db readline zlib gdbm openssl"
-PR = "${INC_PR}.8"
+PR = "${INC_PR}.9"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=38fdd546420fab09ac6bd3d8a1c83eb6"
 
 DISTRO_SRC_URI ?= "file://sitecustomize.py"
@@ -18,6 +18,7 @@ SRC_URI = "\
   file://99-ignore-optimization-flag.patch \
   ${DISTRO_SRC_URI} \
   file://multilib.patch \
+  file://security_issue_2254_fix.patch \
 "
 
 SRC_URI[md5sum] = "cf4e6881bb84a7ce6089e4a307f71f14"
-- 
1.7.6

[PATCH 2/2] glib-2.0: fix a compilation issue due to dtrace

[nitin.a.kamble]

From: Nitin A Kamble <nitin.a.kamble@intel.com>

Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com>
---
 meta/recipes-core/glib-2.0/glib-2.0_2.28.8.bb |    1 -
 meta/recipes-core/glib-2.0/glib.inc           |    2 +-
 2 files changed, 1 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.28.8.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.28.8.bb
index a2e609f..7d095c1 100644
--- a/meta/recipes-core/glib-2.0/glib-2.0_2.28.8.bb
+++ b/meta/recipes-core/glib-2.0/glib-2.0_2.28.8.bb
@@ -19,4 +19,3 @@ SRC_URI[md5sum] = "789e7520f71c6a4bf08bc683ec764d24"
 SRC_URI[sha256sum] = "222f3055d6c413417b50901008c654865e5a311c73f0ae918b0a9978d1f9466f"
 
 BBCLASSEXTEND = "native"
-
diff --git a/meta/recipes-core/glib-2.0/glib.inc b/meta/recipes-core/glib-2.0/glib.inc
index e25db3d..9768284 100644
--- a/meta/recipes-core/glib-2.0/glib.inc
+++ b/meta/recipes-core/glib-2.0/glib.inc
@@ -25,7 +25,7 @@ inherit autotools pkgconfig gettext
 
 S = "${WORKDIR}/glib-${PV}"
 
-EXTRA_OECONF = "--disable-debug --enable-included-printf=no"
+EXTRA_OECONF = "--disable-debug --enable-included-printf=no --enable-dtrace=no"
 EXTRA_OECONF_virtclass-native = ""
 EXTRA_OECONF_linuxstdbase = "--enable-included-printf=no"
 
-- 
1.7.6

Re: [PATCH 2/2] glib-2.0: fix a compilation issue due to dtrace

[Koen Kooi]

Op 21 jul. 2011, om 11:29 heeft nitin.a.kamble@intel.com het volgende geschreven:

> From: Nitin A Kamble <nitin.a.kamble@intel.com>
> 
> Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com>
> ---
> meta/recipes-core/glib-2.0/glib-2.0_2.28.8.bb |    1 -
> meta/recipes-core/glib-2.0/glib.inc           |    2 +-
> 2 files changed, 1 insertions(+), 2 deletions(-)
> 
> diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.28.8.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.28.8.bb
> index a2e609f..7d095c1 100644
> --- a/meta/recipes-core/glib-2.0/glib-2.0_2.28.8.bb
> +++ b/meta/recipes-core/glib-2.0/glib-2.0_2.28.8.bb
> @@ -19,4 +19,3 @@ SRC_URI[md5sum] = "789e7520f71c6a4bf08bc683ec764d24"
> SRC_URI[sha256sum] = "222f3055d6c413417b50901008c654865e5a311c73f0ae918b0a9978d1f9466f"
> 
> BBCLASSEXTEND = "native"
> -


Missing PR bump

> diff --git a/meta/recipes-core/glib-2.0/glib.inc b/meta/recipes-core/glib-2.0/glib.inc
> index e25db3d..9768284 100644
> --- a/meta/recipes-core/glib-2.0/glib.inc
> +++ b/meta/recipes-core/glib-2.0/glib.inc
> @@ -25,7 +25,7 @@ inherit autotools pkgconfig gettext
> 
> S = "${WORKDIR}/glib-${PV}"
> 
> -EXTRA_OECONF = "--disable-debug --enable-included-printf=no"
> +EXTRA_OECONF = "--disable-debug --enable-included-printf=no --enable-dtrace=no"
> EXTRA_OECONF_virtclass-native = ""
> EXTRA_OECONF_linuxstdbase = "--enable-included-printf=no"
> 
> -- 
> 1.7.6
> 
> 
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.linuxtogo.org/cgi-bin/mailman/listinfo/openembedded-core

Re: [PATCH 2/2] glib-2.0: fix a compilation issue due to dtrace

[Phil Blundell]

On Thu, 2011-07-21 at 02:29 -0700, nitin.a.kamble@intel.com wrote:
> From: Nitin A Kamble <nitin.a.kamble@intel.com>
> 
> Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com>

Could you add some text to the commit message explaining what the
compilation issue was and under what circumstances it occurred?  It
might also be good to know why bumping PR isn't necessary.

Also:

> diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.28.8.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.28.8.bb
> index a2e609f..7d095c1 100644
> --- a/meta/recipes-core/glib-2.0/glib-2.0_2.28.8.bb
> +++ b/meta/recipes-core/glib-2.0/glib-2.0_2.28.8.bb
> @@ -19,4 +19,3 @@ SRC_URI[md5sum] = "789e7520f71c6a4bf08bc683ec764d24"
>  SRC_URI[sha256sum] = "222f3055d6c413417b50901008c654865e5a311c73f0ae918b0a9978d1f9466f"
>  
>  BBCLASSEXTEND = "native"
> -

... I guess this part of the patch can be omitted.

p.

Re: [PATCH 2/2] glib-2.0: fix a compilation issue due to dtrace

[Kamble, Nitin A]

> -----Original Message-----
> From: openembedded-core-bounces@lists.openembedded.org
> [mailto:openembedded-core-bounces@lists.openembedded.org] On Behalf Of
> Phil Blundell
> Sent: Thursday, July 21, 2011 9:00 AM
> To: Patches and discussions about the oe-core layer
> Subject: Re: [OE-core] [PATCH 2/2] glib-2.0: fix a compilation issue
> due to dtrace
> 
> On Thu, 2011-07-21 at 02:29 -0700, nitin.a.kamble@intel.com wrote:
> > From: Nitin A Kamble <nitin.a.kamble@intel.com>
> >
> > Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com>
> 
> Could you add some text to the commit message explaining what the
> compilation issue was and under what circumstances it occurred?  It
> might also be good to know why bumping PR isn't necessary.
> 
Phil,
  I felt the PR bump was not necessary, as it was fixing the compilation issue. I will add more information to the commit and resend it.

> Also:
> 
> > diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.28.8.bb
> b/meta/recipes-core/glib-2.0/glib-2.0_2.28.8.bb
> > index a2e609f..7d095c1 100644
> > --- a/meta/recipes-core/glib-2.0/glib-2.0_2.28.8.bb
> > +++ b/meta/recipes-core/glib-2.0/glib-2.0_2.28.8.bb
> > @@ -19,4 +19,3 @@ SRC_URI[md5sum] =
> "789e7520f71c6a4bf08bc683ec764d24"
> >  SRC_URI[sha256sum] =
> "222f3055d6c413417b50901008c654865e5a311c73f0ae918b0a9978d1f9466f"
> >
> >  BBCLASSEXTEND = "native"
> > -
> 
> ... I guess this part of the patch can be omitted.

Noted down.

Thanks,
Nitin

> 
> p.
> 
> 
> 
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.linuxtogo.org/cgi-bin/mailman/listinfo/openembedded-core

Re: [PATCH 1/2] python: fix security vulnerability

[Khem Raj]

On Thu, Jul 21, 2011 at 2:29 AM,  <nitin.a.kamble@intel.com> wrote:
> From: Nitin A Kamble <nitin.a.kamble@intel.com>
>
> This Fixes bug: [Yocto #1254]
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1015
>
> Issue #2254: Fix CGIHTTPServer information disclosure.  Relative paths are
>  now collapsed within the url properly before looking in cgi_directories.
>
> Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com>
> ---
>  meta/recipes-devtools/python/python.inc            |    2 +-
>  .../python/python/security_issue_2254_fix.patch    |  184 ++++++++++++++++++++
>  meta/recipes-devtools/python/python_2.6.6.bb       |    3 +-
>  3 files changed, 187 insertions(+), 2 deletions(-)
>  create mode 100644 meta/recipes-devtools/python/python/security_issue_2254_fix.patch
>
> diff --git a/meta/recipes-devtools/python/python.inc b/meta/recipes-devtools/python/python.inc
> index 25a458e..a6cc917 100644
> --- a/meta/recipes-devtools/python/python.inc
> +++ b/meta/recipes-devtools/python/python.inc
> @@ -3,7 +3,7 @@ HOMEPAGE = "http://www.python.org"
>  LICENSE = "PSF"
>  SECTION = "devel/python"
>  # bump this on every change in contrib/python/generate-manifest-2.6.py
> -INC_PR = "nk2"
> +INC_PR = "r2"
>
>  DEFAULT_PREFERENCE = "-26"
>
> diff --git a/meta/recipes-devtools/python/python/security_issue_2254_fix.patch b/meta/recipes-devtools/python/python/security_issue_2254_fix.patch
> new file mode 100644
> index 0000000..0d2274a
> --- /dev/null
> +++ b/meta/recipes-devtools/python/python/security_issue_2254_fix.patch
> @@ -0,0 +1,184 @@
> +UpstreamStatus: Backport

This should be Upstream-Status I guess to match other patches that
said there are few more anomalies

meta/recipes-devtools/dosfstools/dosfstools/dosfstools-2.10-kernel-2.6.patch:
"Upstream Status"
meta/recipes-devtools/btrfs-tools/btrfs-tools/fix_use_of_gcc.patch:UpstreamStatus:
Pending
meta/recipes-devtools/elfutils/elfutils/fix_for_gcc-4.7.patch:UpstreamStatus:
pending


> +http://svn.python.org/view?view=revision&revision=71303
> +
> +Issue #2254: Fix CGIHTTPServer information disclosure.  Relative paths are
> +  now collapsed within the url properly before looking in cgi_directories.
> +Signed-Off-By: Nitin A Kamble <nitin.a.kamble@intel.com>
> +2011/07/19
> +
> +Index: Python-2.6.6/Lib/CGIHTTPServer.py
> +===================================================================
> +--- Python-2.6.6.orig/Lib/CGIHTTPServer.py
> ++++ Python-2.6.6/Lib/CGIHTTPServer.py
> +@@ -70,27 +70,20 @@ class CGIHTTPRequestHandler(SimpleHTTPSe
> +             return SimpleHTTPServer.SimpleHTTPRequestHandler.send_head(self)
> +
> +     def is_cgi(self):
> +-        """Test whether self.path corresponds to a CGI script,
> +-        and return a boolean.
> ++        """Test whether self.path corresponds to a CGI script.
> +
> +-        This function sets self.cgi_info to a tuple (dir, rest)
> +-        when it returns True, where dir is the directory part before
> +-        the CGI script name.  Note that rest begins with a
> +-        slash if it is not empty.
> +-
> +-        The default implementation tests whether the path
> +-        begins with one of the strings in the list
> +-        self.cgi_directories (and the next character is a '/'
> +-        or the end of the string).
> ++        Returns True and updates the cgi_info attribute to the tuple
> ++        (dir, rest) if self.path requires running a CGI script.
> ++        Returns False otherwise.
> ++
> ++        The default implementation tests whether the normalized url
> ++        path begins with one of the strings in self.cgi_directories
> ++        (and the next character is a '/' or the end of the string).
> +         """
> +-
> +-        path = self.path
> +-
> +-        for x in self.cgi_directories:
> +-            i = len(x)
> +-            if path[:i] == x and (not path[i:] or path[i] == '/'):
> +-                self.cgi_info = path[:i], path[i+1:]
> +-                return True
> ++        splitpath = _url_collapse_path_split(self.path)
> ++        if splitpath[0] in self.cgi_directories:
> ++            self.cgi_info = splitpath
> ++            return True
> +         return False
> +
> +     cgi_directories = ['/cgi-bin', '/htbin']
> +@@ -299,6 +292,46 @@ class CGIHTTPRequestHandler(SimpleHTTPSe
> +                 self.log_message("CGI script exited OK")
> +
> +
> ++# TODO(gregory.p.smith): Move this into an appropriate library.
> ++def _url_collapse_path_split(path):
> ++    """
> ++    Given a URL path, remove extra '/'s and '.' path elements and collapse
> ++    any '..' references.
> ++
> ++    Implements something akin to RFC-2396 5.2 step 6 to parse relative paths.
> ++
> ++    Returns: A tuple of (head, tail) where tail is everything after the final /
> ++    and head is everything before it.  Head will always start with a '/' and,
> ++    if it contains anything else, never have a trailing '/'.
> ++
> ++    Raises: IndexError if too many '..' occur within the path.
> ++    """
> ++    # Similar to os.path.split(os.path.normpath(path)) but specific to URL
> ++    # path semantics rather than local operating system semantics.
> ++    path_parts = []
> ++    for part in path.split('/'):
> ++        if part == '.':
> ++            path_parts.append('')
> ++        else:
> ++            path_parts.append(part)
> ++    # Filter out blank non trailing parts before consuming the '..'.
> ++    path_parts = [part for part in path_parts[:-1] if part] + path_parts[-1:]
> ++    if path_parts:
> ++        tail_part = path_parts.pop()
> ++    else:
> ++        tail_part = ''
> ++    head_parts = []
> ++    for part in path_parts:
> ++        if part == '..':
> ++            head_parts.pop()
> ++        else:
> ++            head_parts.append(part)
> ++    if tail_part and tail_part == '..':
> ++        head_parts.pop()
> ++        tail_part = ''
> ++    return ('/' + '/'.join(head_parts), tail_part)
> ++
> ++
> + nobody = None
> +
> + def nobody_uid():
> +Index: Python-2.6.6/Lib/test/test_httpservers.py
> +===================================================================
> +--- Python-2.6.6.orig/Lib/test/test_httpservers.py
> ++++ Python-2.6.6/Lib/test/test_httpservers.py
> +@@ -7,6 +7,7 @@ Josip Dzolonga, and Michael Otteneder fo
> + from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
> + from SimpleHTTPServer import SimpleHTTPRequestHandler
> + from CGIHTTPServer import CGIHTTPRequestHandler
> ++import CGIHTTPServer
> +
> + import os
> + import sys
> +@@ -324,6 +325,45 @@ class CGIHTTPServerTestCase(BaseTestCase
> +         finally:
> +             BaseTestCase.tearDown(self)
> +
> ++    def test_url_collapse_path_split(self):
> ++        test_vectors = {
> ++            '': ('/', ''),
> ++            '..': IndexError,
> ++            '/.//..': IndexError,
> ++            '/': ('/', ''),
> ++            '//': ('/', ''),
> ++            '/\\': ('/', '\\'),
> ++            '/.//': ('/', ''),
> ++            'cgi-bin/file1.py': ('/cgi-bin', 'file1.py'),
> ++            '/cgi-bin/file1.py': ('/cgi-bin', 'file1.py'),
> ++            'a': ('/', 'a'),
> ++            '/a': ('/', 'a'),
> ++            '//a': ('/', 'a'),
> ++            './a': ('/', 'a'),
> ++            './C:/': ('/C:', ''),
> ++            '/a/b': ('/a', 'b'),
> ++            '/a/b/': ('/a/b', ''),
> ++            '/a/b/c/..': ('/a/b', ''),
> ++            '/a/b/c/../d': ('/a/b', 'd'),
> ++            '/a/b/c/../d/e/../f': ('/a/b/d', 'f'),
> ++            '/a/b/c/../d/e/../../f': ('/a/b', 'f'),
> ++            '/a/b/c/../d/e/.././././..//f': ('/a/b', 'f'),
> ++            '../a/b/c/../d/e/.././././..//f': IndexError,
> ++            '/a/b/c/../d/e/../../../f': ('/a', 'f'),
> ++            '/a/b/c/../d/e/../../../../f': ('/', 'f'),
> ++            '/a/b/c/../d/e/../../../../../f': IndexError,
> ++            '/a/b/c/../d/e/../../../../f/..': ('/', ''),
> ++        }
> ++        for path, expected in test_vectors.iteritems():
> ++            if isinstance(expected, type) and issubclass(expected, Exception):
> ++                self.assertRaises(expected,
> ++                                  CGIHTTPServer._url_collapse_path_split, path)
> ++            else:
> ++                actual = CGIHTTPServer._url_collapse_path_split(path)
> ++                self.assertEquals(expected, actual,
> ++                                  msg='path = %r\nGot:    %r\nWanted: %r' % (
> ++                                  path, actual, expected))
> ++
> +     def test_headers_and_content(self):
> +         res = self.request('/cgi-bin/file1.py')
> +         self.assertEquals(('Hello World\n', 'text/html', 200), \
> +@@ -348,6 +388,12 @@ class CGIHTTPServerTestCase(BaseTestCase
> +         self.assertEquals(('Hello World\n', 'text/html', 200), \
> +              (res.read(), res.getheader('Content-type'), res.status))
> +
> ++    def test_no_leading_slash(self):
> ++        # http://bugs.python.org/issue2254
> ++        res = self.request('cgi-bin/file1.py')
> ++        self.assertEquals(('Hello World\n', 'text/html', 200),
> ++             (res.read(), res.getheader('Content-type'), res.status))
> ++
> +
> + def test_main(verbose=None):
> +     cwd = os.getcwd()
> +Index: Python-2.6.6/Misc/NEWS
> +===================================================================
> +--- Python-2.6.6.orig/Misc/NEWS
> ++++ Python-2.6.6/Misc/NEWS
> +@@ -137,6 +137,9 @@ C-API
> + Library
> + -------
> +
> ++- Issue #2254: Fix CGIHTTPServer information disclosure.  Relative paths are
> ++  now collapsed within the url properly before looking in cgi_directories.
> ++
> + - Issue #8447: Make distutils.sysconfig follow symlinks in the path to
> +   the interpreter executable.  This fixes a failure of test_httpservers
> +   on OS X.
> diff --git a/meta/recipes-devtools/python/python_2.6.6.bb b/meta/recipes-devtools/python/python_2.6.6.bb
> index 800ba04..d5e7d22 100644
> --- a/meta/recipes-devtools/python/python_2.6.6.bb
> +++ b/meta/recipes-devtools/python/python_2.6.6.bb
> @@ -1,7 +1,7 @@
>  require python.inc
>  DEPENDS = "python-native db gdbm openssl readline sqlite3 zlib"
>  DEPENDS_sharprom = "python-native db readline zlib gdbm openssl"
> -PR = "${INC_PR}.8"
> +PR = "${INC_PR}.9"
>  LIC_FILES_CHKSUM = "file://LICENSE;md5=38fdd546420fab09ac6bd3d8a1c83eb6"
>
>  DISTRO_SRC_URI ?= "file://sitecustomize.py"
> @@ -18,6 +18,7 @@ SRC_URI = "\
>   file://99-ignore-optimization-flag.patch \
>   ${DISTRO_SRC_URI} \
>   file://multilib.patch \
> +  file://security_issue_2254_fix.patch \
>  "
>
>  SRC_URI[md5sum] = "cf4e6881bb84a7ce6089e4a307f71f14"
> --
> 1.7.6
>
>
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.linuxtogo.org/cgi-bin/mailman/listinfo/openembedded-core
>

[PATCH 0/2] Misc Fixes

[nitin.a.kamble]

From: Nitin A Kamble <nitin.a.kamble@intel.com>

The following changes since commit 8bd302b16dbd708fb9446fdc534ac64d873a34f5:

  glib-2.0: fix a compilation issue due to dtrace (2011-07-21 14:01:33 -0700)

are available in the git repository at:
  git://git.pokylinux.org/poky-contrib nitin/misc
  http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=nitin/misc

Nitin A Kamble (2):
  python: fix security vulnerability
  fix Upstream-Status line for few patches

 .../btrfs-tools/btrfs-tools/fix_use_of_gcc.patch   |    2 +-
 .../dosfstools/dosfstools-2.10-kernel-2.6.patch    |    2 +-
 .../elfutils/elfutils/fix_for_gcc-4.7.patch        |    2 +-
 meta/recipes-devtools/python/python.inc            |    2 +-
 .../python/python/security_issue_2254_fix.patch    |  184 ++++++++++++++++++++
 meta/recipes-devtools/python/python_2.6.6.bb       |    3 +-
 6 files changed, 190 insertions(+), 5 deletions(-)
 create mode 100644 meta/recipes-devtools/python/python/security_issue_2254_fix.patch

-- 
1.7.6

Re: [PATCH 1/2] python: fix security vulnerability

[Kamble, Nitin A]

> devtools/python/python/security_issue_2254_fix.patch
> > @@ -0,0 +1,184 @@
> > +UpstreamStatus: Backport
> 
> This should be Upstream-Status I guess to match other patches that
> said there are few more anomalies
> 
> meta/recipes-devtools/dosfstools/dosfstools/dosfstools-2.10-kernel-
> 2.6.patch:
> "Upstream Status"
> meta/recipes-devtools/btrfs-tools/btrfs-
> tools/fix_use_of_gcc.patch:UpstreamStatus:
> Pending
> meta/recipes-devtools/elfutils/elfutils/fix_for_gcc-
> 4.7.patch:UpstreamStatus:
> pending
> 

Thanks Khem for catching these. I have sending fixes for these.

Nitin

Re: [PATCH 0/2] Misc Fixes

[Saul Wold]

On 07/21/2011 02:08 PM, nitin.a.kamble@intel.com wrote:
> From: Nitin A Kamble<nitin.a.kamble@intel.com>
>
> The following changes since commit 8bd302b16dbd708fb9446fdc534ac64d873a34f5:
>
>    glib-2.0: fix a compilation issue due to dtrace (2011-07-21 14:01:33 -0700)
>
> are available in the git repository at:
>    git://git.pokylinux.org/poky-contrib nitin/misc
>    http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=nitin/misc
>
> Nitin A Kamble (2):
>    python: fix security vulnerability
>    fix Upstream-Status line for few patches
>
>   .../btrfs-tools/btrfs-tools/fix_use_of_gcc.patch   |    2 +-
>   .../dosfstools/dosfstools-2.10-kernel-2.6.patch    |    2 +-
>   .../elfutils/elfutils/fix_for_gcc-4.7.patch        |    2 +-
>   meta/recipes-devtools/python/python.inc            |    2 +-
>   .../python/python/security_issue_2254_fix.patch    |  184 ++++++++++++++++++++
>   meta/recipes-devtools/python/python_2.6.6.bb       |    3 +-
>   6 files changed, 190 insertions(+), 5 deletions(-)
>   create mode 100644 meta/recipes-devtools/python/python/security_issue_2254_fix.patch
>

Merged into OE-Core

Thanks
	Sau!

[PATCH 0/2] Misc fixes

[Paul Eggleton]

A fix for the patch error backtrace as well as removing PRIORITY from
the recently upgraded hdparm recipe.

The following changes since commit a0f5dd25a37fe3b8664c2133e80b6214559f93f6:

  package_rpm.bbclass: Add support for filenames with spaces (2012-01-17 16:20:46 +0000)

are available in the git repository at:
  git://git.openembedded.org/openembedded-core-contrib paule/fixes11
  http://cgit.openembedded.org/cgit.cgi/openembedded-core-contrib/log/?h=paule/fixes11

Paul Eggleton (2):
  classes/patch: avoid backtrace when patch does not apply
  hdparm: remove PRIORITY

 meta/classes/patch.bbclass                  |    5 ++++-
 meta/lib/oe/patch.py                        |   10 +++++-----
 meta/recipes-extended/hdparm/hdparm_9.37.bb |    1 -
 3 files changed, 9 insertions(+), 7 deletions(-)

-- 
1.7.5.4

[PATCH 0/2] Misc Fixes

[nitin.a.kamble]

From: Nitin A Kamble <nitin.a.kamble@intel.com>

Misc Fixes. These are tested on 64bit fedora 17 alpha system for qemux86 machine

Nitin

The following changes since commit b8f45af0c477b23b85ea8eb02f3c9e46a666a422:

  mklibs-native: fix for gcc-4.7 (2012-04-12 15:25:04 -0700)

are available in the git repository at:
  git://git.pokylinux.org/poky-contrib nitin/bugfixes
  http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=nitin/bugfixes

Nitin A Kamble (2):
  eglibc: fix perl path in target scripts on fedora 17 alpha
  eglibc: clean up the common code from 2.1[35] versions

 meta/recipes-core/eglibc/eglibc.inc     |    2 ++
 meta/recipes-core/eglibc/eglibc_2.13.bb |    5 +----
 meta/recipes-core/eglibc/eglibc_2.15.bb |    4 +---
 3 files changed, 4 insertions(+), 7 deletions(-)

-- 
1.7.7

[PATCH 0/2] Misc fixes

[nitin.a.kamble]

From: Nitin A Kamble <nitin.a.kamble@intel.com>

This fixes are for issues discovered with gcc-4.7 & eglibc-2.15

Nitin

The following changes since commit c84c6bc074e0fdeaebce99152cdb4b1e7e92543d:

  tcmode-default: make eglibc 2.15 as the default libc (2012-04-26 12:49:25 -0700)

are available in the git repository at:
  git://git.pokylinux.org/poky-contrib nitin/misc
  http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=nitin/misc

Nitin A Kamble (2):
  eglibc: package mtrace separately
  tcl: fix target recipe build issue on older distros

 meta/recipes-core/eglibc/eglibc-package.inc        |    8 ++-
 meta/recipes-core/eglibc/eglibc_2.13.bb            |    2 +-
 meta/recipes-core/eglibc/eglibc_2.15.bb            |    2 +-
 .../tcl/fix_issue_with_old_distro_glibc.patch      |  109 ++++++++++++++++++++
 meta/recipes-devtools/tcltk/tcl_8.5.11.bb          |    5 +-
 5 files changed, 121 insertions(+), 5 deletions(-)
 create mode 100644 meta/recipes-devtools/tcltk/tcl/fix_issue_with_old_distro_glibc.patch

-- 
1.7.7

Re: [PATCH 0/2] Misc fixes

[Saul Wold]

On 04/26/2012 03:53 PM, nitin.a.kamble@intel.com wrote:
> From: Nitin A Kamble<nitin.a.kamble@intel.com>
>
> This fixes are for issues discovered with gcc-4.7&  eglibc-2.15
>
> Nitin
>
> The following changes since commit c84c6bc074e0fdeaebce99152cdb4b1e7e92543d:
>
>    tcmode-default: make eglibc 2.15 as the default libc (2012-04-26 12:49:25 -0700)
>
> are available in the git repository at:
>    git://git.pokylinux.org/poky-contrib nitin/misc
>    http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=nitin/misc
>
> Nitin A Kamble (2):
>    eglibc: package mtrace separately
This needs a comment update and check that it really installs to the 
*-sdk images.

>    tcl: fix target recipe build issue on older distros
>
Merged TCL to OE-Core

Thanks
	Sau!

>   meta/recipes-core/eglibc/eglibc-package.inc        |    8 ++-
>   meta/recipes-core/eglibc/eglibc_2.13.bb            |    2 +-
>   meta/recipes-core/eglibc/eglibc_2.15.bb            |    2 +-
>   .../tcl/fix_issue_with_old_distro_glibc.patch      |  109 ++++++++++++++++++++
>   meta/recipes-devtools/tcltk/tcl_8.5.11.bb          |    5 +-
>   5 files changed, 121 insertions(+), 5 deletions(-)
>   create mode 100644 meta/recipes-devtools/tcltk/tcl/fix_issue_with_old_distro_glibc.patch
>

[PATCH 0/2] Misc fixes

[nitin.a.kamble]

From: Nitin A Kamble <nitin.a.kamble@intel.com>

Here are few misc fixes:
Nitin

The following changes since commit d4e265661517f8dd4e1648fdc56bac5973f986f6:

  poky.conf: Change WARNS -> ERRORS (2012-05-16 07:35:20 +0100)

are available in the git repository at:
  git://git.pokylinux.org/poky-contrib nitin/work
  http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=nitin/work

Nitin A Kamble (2):
  eglibc: package mtrace separately
  gcc: fix DEPENDS to avoid a build issue

 meta/recipes-core/eglibc/eglibc-package.inc      |    7 ++++++-
 meta/recipes-core/eglibc/eglibc_2.13.bb          |    2 +-
 meta/recipes-core/eglibc/eglibc_2.15.bb          |    2 +-
 meta/recipes-core/tasks/task-core-tools-debug.bb |    1 +
 meta/recipes-devtools/gcc/gcc-4.7.inc            |    4 ++--
 5 files changed, 11 insertions(+), 5 deletions(-)

-- 
1.7.7

[PATCH 0/2] Misc fixes

[Khem Raj]

clang finds couple of more issues to weed out

The following changes since commit d1d55041e38b12d40f896834b56475ea19a6047f:

  sstate: Ensure installation directory is empty before execution (2017-03-22 10:12:10 +0000)

are available in the git repository at:

  git://git.openembedded.org/openembedded-core-contrib kraj/pu
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=kraj/pu

Khem Raj (2):
  db: Fix atomic function namespace clash with clang builtins
  libvorbis: Contain gcc specific compiler flags using configure option

 .../libvorbis/0001-configure-Check-for-clang.patch | 56 ++++++++++++++++++++++
 .../libvorbis/libvorbis_1.3.5.bb                   |  4 +-
 ...me-local-__atomic_compare_exchange-to-avo.patch | 45 +++++++++++++++++
 meta/recipes-support/db/db_5.3.28.bb               |  1 +
 4 files changed, 105 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-multimedia/libvorbis/libvorbis/0001-configure-Check-for-clang.patch
 create mode 100644 meta/recipes-support/db/db/0001-atomic-Rename-local-__atomic_compare_exchange-to-avo.patch

-- 
2.12.1