author: Edwin Groothuis <edwin@FreeBSD.org> 2003-08-24 12:40:03 +0000
committer: Edwin Groothuis <edwin@FreeBSD.org> 2003-08-24 12:40:03 +0000
commit: 51fcfef1ce264fe5801dac34e9bb598340f8d535 (patch)
tree: 1ffeada73054dcea1ddc5c8a507ea28e9c8b45f6 /devel/viewvc
parent: 095a0e53f5d6fd10c8f5c9bda7df08466f18baf4 (diff)
download: ports-51fcfef1ce264fe5801dac34e9bb598340f8d535.tar.gz
ports-51fcfef1ce264fe5801dac34e9bb598340f8d535.zip
5 files changed, 117 insertions, 9 deletions
diff --git a/devel/viewvc/Makefile b/devel/viewvc/Makefile
index d45725cad75f..ba1267d87a00 100644
--- a/devel/viewvc/Makefile
+++ b/devel/viewvc/Makefile
@@ -7,6 +7,7 @@
 
 PORTNAME=	viewcvs
 PORTVERSION=	0.9.2
+PORTREVISION=	1
 CATEGORIES=	devel python
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
 MASTER_SITE_SUBDIR=	${PORTNAME}
@@ -19,17 +20,12 @@ NO_BUILD=	yes
 PKGMESSAGE=	${WRKDIR}/pkg-message
 INSTDIR?=	${PORTNAME}-${PORTVERSION}
 PLIST_SUB=	INSTDIR=${INSTDIR}
-FORBIDDEN=	"due to cross-site scripting vulnerabilities"
 
 do-install:
 	@ cd ${WRKSRC} && INSTDIR=${PREFIX}/${INSTDIR} ${PYTHON_CMD} viewcvs-install
 
 post-install:
 	@ ${SED} -e "s:%%INSTDIR%%:${PREFIX}/${INSTDIR}:g" pkg-message >${PKGMESSAGE}
-.if !defined(BATCH)
-	@ ${ECHO}
 	@ ${CAT} ${PKGMESSAGE}
-	@ ${ECHO}
-.endif
 
 .include <bsd.port.mk>
diff --git a/devel/viewvc/files/patch-lib::viewcvs.py b/devel/viewvc/files/patch-lib::viewcvs.py
new file mode 100644
index 000000000000..0e1123ec43a1
--- /dev/null
+++ b/devel/viewvc/files/patch-lib::viewcvs.py
@@ -0,0 +1,91 @@
+--- lib/viewcvs.py.orig        Tue Jan 15 10:35:55 2002
++++ lib/viewcvs.py     Fri Apr 25 19:18:22 2003
+@@ -174,6 +174,10 @@
+     # parse the query params into a dictionary (and use defaults)
+     query_dict = default_settings.copy()
+     for name, values in cgi.parse().items():
++      # validate the parameter
++      _validate_param(name, values[0])
++
++      # if we're here, then the parameter is okay
+       query_dict[name] = values[0]
+ 
+     # set up query strings, prefixed by question marks and ampersands
+@@ -228,6 +232,77 @@
+     self.branch = branch
+     self.taginfo = taginfo
+ 
++
++def _validate_param(name, value):
++  """Validate whether the given value is acceptable for the param name.
++
++  If the value is not allowed, then an error response is generated, and
++  this function throws an exception. Otherwise, it simply returns None.
++  """
++
++  try:
++    validator = _legal_params[name]
++  except KeyError:
++    error('An illegal parameter name ("%s") was passed.' % cgi.escape(name))
++
++  # is the validator a regex?
++  if hasattr(validator, 'match'):
++    if not validator.match(value):
++      error('An illegal value ("%s") was passed as a parameter.' %
++            cgi.escape(value))
++    return
++
++  # the validator must be a function
++  validator(value)
++
++def _validate_cvsroot(value):
++  if not cfg.general.cvs_roots.has_key(value):
++    error('The CVS root "%s" is unknown.' % cgi.escape(value))
++
++def _validate_regex(value):
++  # hmm. there isn't anything that we can do here.
++
++  ### we need to watch the flow of these parameters through the system
++  ### to ensure they don't hit the page unescaped. otherwise, these
++  ### parameters could constitute a CSS attack.
++  pass
++
++# obvious things here. note that we don't need uppercase for alpha.
++_re_validate_alpha = re.compile('^[a-z]+$')
++_re_validate_number = re.compile('^[0-9]+$')
++
++# when comparing two revs, we sometimes construct REV:SYMBOL, so ':' is needed
++_re_validate_revnum = re.compile('^[-_.a-zA-Z0-9:]+$')
++
++# it appears that RFC 2045 also says these chars are legal: !#$%&'*+^{|}~`
++# but woah... I'll just leave them out for now
++_re_validate_mimetype = re.compile('^[-_.a-zA-Z0-9/]+$')
++
++# the legal query parameters and their validation functions
++_legal_params = {
++  'cvsroot'       : _validate_cvsroot,
++  'search'        : _validate_regex,
++
++  'hideattic'     : _re_validate_number,
++  'sortby'        : _re_validate_alpha,
++  'sortdir'       : _re_validate_alpha,
++  'logsort'       : _re_validate_alpha,
++  'diff_format'   : _re_validate_alpha,
++  'only_with_tag' : _re_validate_revnum,
++  'dir_pagestart' : _re_validate_number,
++  'log_pagestart' : _re_validate_number,
++  'hidecvsroot'   : _re_validate_number,
++  'annotate'      : _re_validate_revnum,
++  'graph'         : _re_validate_revnum,
++  'makeimage'     : _re_validate_number,
++  'tarball'       : _re_validate_number,
++  'r1'            : _re_validate_revnum,
++  'tr1'           : _re_validate_revnum,
++  'r2'            : _re_validate_revnum,
++  'tr2'           : _re_validate_revnum,
++  'rev'           : _re_validate_revnum,
++  'content-type'  : _re_validate_mimetype,
++  }
+ 
+ class LogEntry:
+   "Hold state for each revision entry in an 'rlog' output."
diff --git a/devel/viewvc/files/patch-aa b/devel/viewvc/files/patch-viewcvs-install
index f6924c80db22..aeab05b698ff 100644
--- a/devel/viewvc/files/patch-aa
+++ b/devel/viewvc/files/patch-viewcvs-install
@@ -1,5 +1,5 @@
---- viewcvs-install.orig	Fri Dec 21 20:59:45 2001
-+++ viewcvs-install	Mon Dec 24 02:16:56 2001
+--- viewcvs-install.orig	Fri Dec 21 03:59:45 2001
++++ viewcvs-install	Sun Aug 24 05:38:29 2003
 @@ -51,7 +51,7 @@
  """ % version
  
@@ -9,6 +9,20 @@
  
  
  ## list of files for installation
+@@ -65,11 +65,11 @@
+     ("cgi/query.cgi", "cgi/query.cgi", 0755, 1, 0, 0),
+     ("standalone.py", "standalone.py", 0755, 1, 0, 0),
+ 
+-    ("cgi/viewcvs.conf.dist", "viewcvs.conf", 0644, 1,
++    ("cgi/viewcvs.conf.dist", "viewcvs.conf.dist", 0644, 1,
+ 	     """Note: If you are upgrading from viewcvs-0.7 or earlier: 
+ The section [text] has been removed from viewcvs.conf.  The functionality
+ went into the new files in subdirectory templates.""", 0),
+-    ("cgi/cvsgraph.conf.dist", "cvsgraph.conf", 0644, 0, 1, 0),
++    ("cgi/cvsgraph.conf.dist", "cvsgraph.conf.dist", 0644, 0, 1, 0),
+ 
+     ("lib/PyFontify.py", "lib/PyFontify.py", 0644, 0, 0, 1),
+     ("lib/blame.py", "lib/blame.py", 0644, 0, 0, 1),
 @@ -192,7 +192,7 @@
      if type(prompt_replace) == type(""):
        print prompt_replace
diff --git a/devel/viewvc/pkg-message b/devel/viewvc/pkg-message
index ac1d1f45867e..c45fbf9165ce 100644
--- a/devel/viewvc/pkg-message
+++ b/devel/viewvc/pkg-message
@@ -3,3 +3,10 @@ you need to do is modify the configuration file, located at
 %%INSTDIR%%/viewcvs.conf, to note where your
 CVSROOT is, and then copy the actual CGI (located at
 %%INSTDIR%%/cgi/viewcvs.cgi) to your cgi-bin.
+Please notice that  configuration files are installed as
+".dist" and must be copied to their actual names prior to
+be edited, e.g.:
+$ cd %%INSTDIR%%
+$ cp viewcvs.conf.dist viewcvs.conf
+$ cp cvsgraph.conf.dist cvsgraph.conf
+It's up to yo to check the ".dist" files after upgrades.
diff --git a/devel/viewvc/pkg-plist b/devel/viewvc/pkg-plist
index 786e2ef62f65..4868e8f043f5 100644
--- a/devel/viewvc/pkg-plist
+++ b/devel/viewvc/pkg-plist
@@ -1,7 +1,7 @@
 %%INSTDIR%%/cgi/query.cgi
 %%INSTDIR%%/cgi/viewcvs.cgi
 %%INSTDIR%%/cvsdbadmin
-%%INSTDIR%%/cvsgraph.conf
+%%INSTDIR%%/cvsgraph.conf.dist
 %%INSTDIR%%/doc/help_dirview.html
 %%INSTDIR%%/doc/help_log.html
 %%INSTDIR%%/doc/help_logtable.html
@@ -57,7 +57,7 @@
 %%INSTDIR%%/templates/log_table.ezt
 %%INSTDIR%%/templates/markup.ezt
 %%INSTDIR%%/templates/query.ezt
-%%INSTDIR%%/viewcvs.conf
+%%INSTDIR%%/viewcvs.conf.dist
 @dirrm %%INSTDIR%%/templates
 @dirrm %%INSTDIR%%/lib
 @dirrm %%INSTDIR%%/doc/images
author	Edwin Groothuis <edwin@FreeBSD.org>	2003-08-24 12:40:03 +0000
committer	Edwin Groothuis <edwin@FreeBSD.org>	2003-08-24 12:40:03 +0000
commit	51fcfef1ce264fe5801dac34e9bb598340f8d535 (patch)
tree	1ffeada73054dcea1ddc5c8a507ea28e9c8b45f6 /devel/viewvc
parent	095a0e53f5d6fd10c8f5c9bda7df08466f18baf4 (diff)
download	ports-51fcfef1ce264fe5801dac34e9bb598340f8d535.tar.gz ports-51fcfef1ce264fe5801dac34e9bb598340f8d535.zip