[Python-modules-commits] r21877 - in packages/python-tornado/trunk/debian/patches (2 files)
yoh at users.alioth.debian.org
yoh at users.alioth.debian.org
Tue May 22 23:38:23 UTC 2012
Date: Tuesday, May 22, 2012 @ 23:38:22
Author: yoh
Revision: 21877
Adding a patch from Julian adopted from upstream's GIT
Added:
packages/python-tornado/trunk/debian/patches/CVE-2012-2374.patch
Modified:
packages/python-tornado/trunk/debian/patches/series
Added: packages/python-tornado/trunk/debian/patches/CVE-2012-2374.patch
===================================================================
--- packages/python-tornado/trunk/debian/patches/CVE-2012-2374.patch (rev 0)
+++ packages/python-tornado/trunk/debian/patches/CVE-2012-2374.patch 2012-05-22 23:38:22 UTC (rev 21877)
@@ -0,0 +1,15 @@
+Description: fix CVE-2012-2374
+Applied-Upstream: 2.2.1
+Origin: https://github.com/facebook/tornado/commit/1ae91f6d58e6257e0ab49d295d8741ce1727bdb7
+Author: Julian Taylor <jtaylor at ubuntu.com>
+--- a/tornado/web.py
++++ b/tornado/web.py
+@@ -258,7 +258,7 @@
+ # If \n is allowed into the header, it is possible to inject
+ # additional headers or split the request. Also cap length to
+ # prevent obviously erroneous values.
+- if len(value) > 4000 or re.match(b(r"[\x00-\x1f]"), value):
++ if len(value) > 4000 or re.search(b(r"[\x00-\x1f]"), value):
+ raise ValueError("Unsafe header value %r", value)
+ return value
+
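Review bot: The `Description:` field of the added patch says only "fix CVE-2012-2374", so the header does not record what was wrong or why a one-word change closes it. I would spell it out, e.g. `Description: Reject control characters anywhere in a header value (CVE-2012-2374)`, followed by a continuation line such as ` re.match only tested the start of the value, so a CR/LF later in it passed the check.` Separately, the context line `raise ValueError("Unsafe header value %r", value)` passes `value` as a second argument instead of formatting it with `%`, so the message is never interpolated; that is upstream code this patch does not touch and is better reported upstream than changed here. The enclosing function in tornado/web.py starts outside the embedded hunk, and no regression test is visible in this patch, so a test that puts a newline in the middle of a header value would be worth carrying if upstream has one.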
Modified: packages/python-tornado/trunk/debian/patches/series
===================================================================
--- packages/python-tornado/trunk/debian/patches/series 2012-05-22 17:56:59 UTC (rev 21876)
+++ packages/python-tornado/trunk/debian/patches/series 2012-05-22 23:38:22 UTC (rev 21877)
@@ -1,2 +1,3 @@
ignore-ca-certificates.patch
certs-path.patch
+CVE-2012-2374.patch