summaryrefslogtreecommitdiffstats
path: root/devel/viewvc
diff options
context:
space:
mode:
Diffstat (limited to 'devel/viewvc')
-rw-r--r--devel/viewvc/Makefile6
-rw-r--r--devel/viewvc/files/patch-lib::viewcvs.py91
-rw-r--r--devel/viewvc/files/patch-viewcvs-install (renamed from devel/viewvc/files/patch-aa)18
-rw-r--r--devel/viewvc/pkg-message7
-rw-r--r--devel/viewvc/pkg-plist4
5 files changed, 117 insertions, 9 deletions
diff --git a/devel/viewvc/Makefile b/devel/viewvc/Makefile
index d45725c..ba1267d 100644
--- a/devel/viewvc/Makefile
+++ b/devel/viewvc/Makefile
@@ -7,6 +7,7 @@
PORTNAME= viewcvs
PORTVERSION= 0.9.2
+PORTREVISION= 1
CATEGORIES= devel python
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
MASTER_SITE_SUBDIR= ${PORTNAME}
@@ -19,17 +20,12 @@ NO_BUILD= yes
PKGMESSAGE= ${WRKDIR}/pkg-message
INSTDIR?= ${PORTNAME}-${PORTVERSION}
PLIST_SUB= INSTDIR=${INSTDIR}
-FORBIDDEN= "due to cross-site scripting vulnerabilities"
do-install:
@ cd ${WRKSRC} && INSTDIR=${PREFIX}/${INSTDIR} ${PYTHON_CMD} viewcvs-install
post-install:
@ ${SED} -e "s:%%INSTDIR%%:${PREFIX}/${INSTDIR}:g" pkg-message >${PKGMESSAGE}
-.if !defined(BATCH)
- @ ${ECHO}
@ ${CAT} ${PKGMESSAGE}
- @ ${ECHO}
-.endif
.include <bsd.port.mk>
diff --git a/devel/viewvc/files/patch-lib::viewcvs.py b/devel/viewvc/files/patch-lib::viewcvs.py
new file mode 100644
index 0000000..0e1123e
--- /dev/null
+++ b/devel/viewvc/files/patch-lib::viewcvs.py
@@ -0,0 +1,91 @@
+--- lib/viewcvs.py.orig Tue Jan 15 10:35:55 2002
++++ lib/viewcvs.py Fri Apr 25 19:18:22 2003
+@@ -174,6 +174,10 @@
+ # parse the query params into a dictionary (and use defaults)
+ query_dict = default_settings.copy()
+ for name, values in cgi.parse().items():
++ # validate the parameter
++ _validate_param(name, values[0])
++
++ # if we're here, then the parameter is okay
+ query_dict[name] = values[0]
+
+ # set up query strings, prefixed by question marks and ampersands
+@@ -228,6 +232,77 @@
+ self.branch = branch
+ self.taginfo = taginfo
+
++
++def _validate_param(name, value):
++ """Validate whether the given value is acceptable for the param name.
++
++ If the value is not allowed, then an error response is generated, and
++ this function throws an exception. Otherwise, it simply returns None.
++ """
++
++ try:
++ validator = _legal_params[name]
++ except KeyError:
++ error('An illegal parameter name ("%s") was passed.' % cgi.escape(name))
++
++ # is the validator a regex?
++ if hasattr(validator, 'match'):
++ if not validator.match(value):
++ error('An illegal value ("%s") was passed as a parameter.' %
++ cgi.escape(value))
++ return
++
++ # the validator must be a function
++ validator(value)
++
++def _validate_cvsroot(value):
++ if not cfg.general.cvs_roots.has_key(value):
++ error('The CVS root "%s" is unknown.' % cgi.escape(value))
++
++def _validate_regex(value):
++ # hmm. there isn't anything that we can do here.
++
++ ### we need to watch the flow of these parameters through the system
++ ### to ensure they don't hit the page unescaped. otherwise, these
++ ### parameters could constitute a CSS attack.
++ pass
++
++# obvious things here. note that we don't need uppercase for alpha.
++_re_validate_alpha = re.compile('^[a-z]+$')
++_re_validate_number = re.compile('^[0-9]+$')
++
++# when comparing two revs, we sometimes construct REV:SYMBOL, so ':' is needed
++_re_validate_revnum = re.compile('^[-_.a-zA-Z0-9:]+$')
++
++# it appears that RFC 2045 also says these chars are legal: !#$%&'*+^{|}~`
++# but woah... I'll just leave them out for now
++_re_validate_mimetype = re.compile('^[-_.a-zA-Z0-9/]+$')
++
++# the legal query parameters and their validation functions
++_legal_params = {
++ 'cvsroot' : _validate_cvsroot,
++ 'search' : _validate_regex,
++
++ 'hideattic' : _re_validate_number,
++ 'sortby' : _re_validate_alpha,
++ 'sortdir' : _re_validate_alpha,
++ 'logsort' : _re_validate_alpha,
++ 'diff_format' : _re_validate_alpha,
++ 'only_with_tag' : _re_validate_revnum,
++ 'dir_pagestart' : _re_validate_number,
++ 'log_pagestart' : _re_validate_number,
++ 'hidecvsroot' : _re_validate_number,
++ 'annotate' : _re_validate_revnum,
++ 'graph' : _re_validate_revnum,
++ 'makeimage' : _re_validate_number,
++ 'tarball' : _re_validate_number,
++ 'r1' : _re_validate_revnum,
++ 'tr1' : _re_validate_revnum,
++ 'r2' : _re_validate_revnum,
++ 'tr2' : _re_validate_revnum,
++ 'rev' : _re_validate_revnum,
++ 'content-type' : _re_validate_mimetype,
++ }
+
+ class LogEntry:
+ "Hold state for each revision entry in an 'rlog' output."
diff --git a/devel/viewvc/files/patch-aa b/devel/viewvc/files/patch-viewcvs-install
index f6924c8..aeab05b 100644
--- a/devel/viewvc/files/patch-aa
+++ b/devel/viewvc/files/patch-viewcvs-install
@@ -1,5 +1,5 @@
---- viewcvs-install.orig Fri Dec 21 20:59:45 2001
-+++ viewcvs-install Mon Dec 24 02:16:56 2001
+--- viewcvs-install.orig Fri Dec 21 03:59:45 2001
++++ viewcvs-install Sun Aug 24 05:38:29 2003
@@ -51,7 +51,7 @@
""" % version
@@ -9,6 +9,20 @@
## list of files for installation
+@@ -65,11 +65,11 @@
+ ("cgi/query.cgi", "cgi/query.cgi", 0755, 1, 0, 0),
+ ("standalone.py", "standalone.py", 0755, 1, 0, 0),
+
+- ("cgi/viewcvs.conf.dist", "viewcvs.conf", 0644, 1,
++ ("cgi/viewcvs.conf.dist", "viewcvs.conf.dist", 0644, 1,
+ """Note: If you are upgrading from viewcvs-0.7 or earlier:
+ The section [text] has been removed from viewcvs.conf. The functionality
+ went into the new files in subdirectory templates.""", 0),
+- ("cgi/cvsgraph.conf.dist", "cvsgraph.conf", 0644, 0, 1, 0),
++ ("cgi/cvsgraph.conf.dist", "cvsgraph.conf.dist", 0644, 0, 1, 0),
+
+ ("lib/PyFontify.py", "lib/PyFontify.py", 0644, 0, 0, 1),
+ ("lib/blame.py", "lib/blame.py", 0644, 0, 0, 1),
@@ -192,7 +192,7 @@
if type(prompt_replace) == type(""):
print prompt_replace
diff --git a/devel/viewvc/pkg-message b/devel/viewvc/pkg-message
index ac1d1f4..c45fbf9 100644
--- a/devel/viewvc/pkg-message
+++ b/devel/viewvc/pkg-message
@@ -3,3 +3,10 @@ you need to do is modify the configuration file, located at
%%INSTDIR%%/viewcvs.conf, to note where your
CVSROOT is, and then copy the actual CGI (located at
%%INSTDIR%%/cgi/viewcvs.cgi) to your cgi-bin.
+Please notice that configuration files are installed as
+".dist" and must be copied to their actual names prior to
+be edited, e.g.:
+$ cd %%INSTDIR%%
+$ cp viewcvs.conf.dist viewcvs.conf
+$ cp cvsgraph.conf.dist cvsgraph.conf
+It's up to yo to check the ".dist" files after upgrades.
diff --git a/devel/viewvc/pkg-plist b/devel/viewvc/pkg-plist
index 786e2ef..4868e8f 100644
--- a/devel/viewvc/pkg-plist
+++ b/devel/viewvc/pkg-plist
@@ -1,7 +1,7 @@
%%INSTDIR%%/cgi/query.cgi
%%INSTDIR%%/cgi/viewcvs.cgi
%%INSTDIR%%/cvsdbadmin
-%%INSTDIR%%/cvsgraph.conf
+%%INSTDIR%%/cvsgraph.conf.dist
%%INSTDIR%%/doc/help_dirview.html
%%INSTDIR%%/doc/help_log.html
%%INSTDIR%%/doc/help_logtable.html
@@ -57,7 +57,7 @@
%%INSTDIR%%/templates/log_table.ezt
%%INSTDIR%%/templates/markup.ezt
%%INSTDIR%%/templates/query.ezt
-%%INSTDIR%%/viewcvs.conf
+%%INSTDIR%%/viewcvs.conf.dist
@dirrm %%INSTDIR%%/templates
@dirrm %%INSTDIR%%/lib
@dirrm %%INSTDIR%%/doc/images
OpenPOWER on IntegriCloud