From 56aea0b2f23112bcb4e6f2bf8287efa119c48175 Mon Sep 17 00:00:00 2001 From: edwin Date: Sun, 24 Aug 2003 12:40:03 +0000 Subject: i[Patch Port] devel/viewcvs (unforbidden) This patch solves two problems of the actual ViewCVs port: 1. it is forbidden as it is CSS-vulnerable, ViewCVS's CVS contains a patch but a new release was still not created by the authors 2. it overwrites the configuration files on installation To solve problem 1 I "back-ported" the patch 1.117 to lib/viewcvs.py http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/viewcvs/viewcvs/lib/viewcvs.py#rev1.117 as the author itself says, it solves the problem: http://mailman.lyra.org/pipermail/viewcvs-dev/2002-July/000776.html To solve problem 2 I changed the install script to install viewcvs.conf.dist directly instead of renaming it to viewcvs.conf, leaving it up to the user and specifying it in the pkg-message. PR: ports/51464 Submitted by: Lapo Luchini --- devel/viewvc/Makefile | 6 +-- devel/viewvc/files/patch-aa | 35 ------------ devel/viewvc/files/patch-lib::viewcvs.py | 91 ++++++++++++++++++++++++++++++++ devel/viewvc/files/patch-viewcvs-install | 49 +++++++++++++++++ devel/viewvc/pkg-message | 7 +++ devel/viewvc/pkg-plist | 4 +- 6 files changed, 150 insertions(+), 42 deletions(-) delete mode 100644 devel/viewvc/files/patch-aa create mode 100644 devel/viewvc/files/patch-lib::viewcvs.py create mode 100644 devel/viewvc/files/patch-viewcvs-install (limited to 'devel/viewvc') diff --git a/devel/viewvc/Makefile b/devel/viewvc/Makefile index d45725c..ba1267d 100644 --- a/devel/viewvc/Makefile +++ b/devel/viewvc/Makefile @@ -7,6 +7,7 @@ PORTNAME= viewcvs PORTVERSION= 0.9.2 +PORTREVISION= 1 CATEGORIES= devel python MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR= ${PORTNAME} @@ -19,17 +20,12 @@ NO_BUILD= yes PKGMESSAGE= ${WRKDIR}/pkg-message INSTDIR?= ${PORTNAME}-${PORTVERSION} PLIST_SUB= INSTDIR=${INSTDIR} -FORBIDDEN= "due to cross-site scripting vulnerabilities" do-install: @ cd ${WRKSRC} && INSTDIR=${PREFIX}/${INSTDIR} ${PYTHON_CMD} viewcvs-install post-install: @ ${SED} -e "s:%%INSTDIR%%:${PREFIX}/${INSTDIR}:g" pkg-message >${PKGMESSAGE} -.if !defined(BATCH) - @ ${ECHO} @ ${CAT} ${PKGMESSAGE} - @ ${ECHO} -.endif .include diff --git a/devel/viewvc/files/patch-aa b/devel/viewvc/files/patch-aa deleted file mode 100644 index f6924c8..0000000 --- a/devel/viewvc/files/patch-aa +++ /dev/null @@ -1,35 +0,0 @@ ---- viewcvs-install.orig Fri Dec 21 20:59:45 2001 -+++ viewcvs-install Mon Dec 24 02:16:56 2001 -@@ -51,7 +51,7 @@ - """ % version - - ## installer defaults --ROOT_DIR = "/usr/local/viewcvs-" + version -+ROOT_DIR = os.environ['INSTDIR'] - - - ## list of files for installation -@@ -192,7 +192,7 @@ - if type(prompt_replace) == type(""): - print prompt_replace - while 1: -- temp = raw_input("\n File %s\n exists and is different from source file.\n DO YOU WANT TO,\n overwrite [o]\n do not overwrite [d]\n view differences [v]: " % (dest_path)) -+ temp = 'o' - print - - temp = string.lower(temp[0]) -@@ -245,10 +245,10 @@ - print INFO_TEXT - - ## get the install path -- temp = raw_input("Installation Path [%s]: " % ROOT_DIR) -- temp = string.strip(temp) -- if len(temp): -- ROOT_DIR = temp -+ #temp = raw_input("Installation Path [%s]: " % ROOT_DIR) -+ #temp = string.strip(temp) -+ #if len(temp): -+ # ROOT_DIR = temp - - ## install the files - print diff --git a/devel/viewvc/files/patch-lib::viewcvs.py b/devel/viewvc/files/patch-lib::viewcvs.py new file mode 100644 index 0000000..0e1123e --- /dev/null +++ b/devel/viewvc/files/patch-lib::viewcvs.py @@ -0,0 +1,91 @@ +--- lib/viewcvs.py.orig Tue Jan 15 10:35:55 2002 ++++ lib/viewcvs.py Fri Apr 25 19:18:22 2003 +@@ -174,6 +174,10 @@ + # parse the query params into a dictionary (and use defaults) + query_dict = default_settings.copy() + for name, values in cgi.parse().items(): ++ # validate the parameter ++ _validate_param(name, values[0]) ++ ++ # if we're here, then the parameter is okay + query_dict[name] = values[0] + + # set up query strings, prefixed by question marks and ampersands +@@ -228,6 +232,77 @@ + self.branch = branch + self.taginfo = taginfo + ++ ++def _validate_param(name, value): ++ """Validate whether the given value is acceptable for the param name. ++ ++ If the value is not allowed, then an error response is generated, and ++ this function throws an exception. Otherwise, it simply returns None. ++ """ ++ ++ try: ++ validator = _legal_params[name] ++ except KeyError: ++ error('An illegal parameter name ("%s") was passed.' % cgi.escape(name)) ++ ++ # is the validator a regex? ++ if hasattr(validator, 'match'): ++ if not validator.match(value): ++ error('An illegal value ("%s") was passed as a parameter.' % ++ cgi.escape(value)) ++ return ++ ++ # the validator must be a function ++ validator(value) ++ ++def _validate_cvsroot(value): ++ if not cfg.general.cvs_roots.has_key(value): ++ error('The CVS root "%s" is unknown.' % cgi.escape(value)) ++ ++def _validate_regex(value): ++ # hmm. there isn't anything that we can do here. ++ ++ ### we need to watch the flow of these parameters through the system ++ ### to ensure they don't hit the page unescaped. otherwise, these ++ ### parameters could constitute a CSS attack. ++ pass ++ ++# obvious things here. note that we don't need uppercase for alpha. ++_re_validate_alpha = re.compile('^[a-z]+$') ++_re_validate_number = re.compile('^[0-9]+$') ++ ++# when comparing two revs, we sometimes construct REV:SYMBOL, so ':' is needed ++_re_validate_revnum = re.compile('^[-_.a-zA-Z0-9:]+$') ++ ++# it appears that RFC 2045 also says these chars are legal: !#$%&'*+^{|}~` ++# but woah... I'll just leave them out for now ++_re_validate_mimetype = re.compile('^[-_.a-zA-Z0-9/]+$') ++ ++# the legal query parameters and their validation functions ++_legal_params = { ++ 'cvsroot' : _validate_cvsroot, ++ 'search' : _validate_regex, ++ ++ 'hideattic' : _re_validate_number, ++ 'sortby' : _re_validate_alpha, ++ 'sortdir' : _re_validate_alpha, ++ 'logsort' : _re_validate_alpha, ++ 'diff_format' : _re_validate_alpha, ++ 'only_with_tag' : _re_validate_revnum, ++ 'dir_pagestart' : _re_validate_number, ++ 'log_pagestart' : _re_validate_number, ++ 'hidecvsroot' : _re_validate_number, ++ 'annotate' : _re_validate_revnum, ++ 'graph' : _re_validate_revnum, ++ 'makeimage' : _re_validate_number, ++ 'tarball' : _re_validate_number, ++ 'r1' : _re_validate_revnum, ++ 'tr1' : _re_validate_revnum, ++ 'r2' : _re_validate_revnum, ++ 'tr2' : _re_validate_revnum, ++ 'rev' : _re_validate_revnum, ++ 'content-type' : _re_validate_mimetype, ++ } + + class LogEntry: + "Hold state for each revision entry in an 'rlog' output." diff --git a/devel/viewvc/files/patch-viewcvs-install b/devel/viewvc/files/patch-viewcvs-install new file mode 100644 index 0000000..aeab05b --- /dev/null +++ b/devel/viewvc/files/patch-viewcvs-install @@ -0,0 +1,49 @@ +--- viewcvs-install.orig Fri Dec 21 03:59:45 2001 ++++ viewcvs-install Sun Aug 24 05:38:29 2003 +@@ -51,7 +51,7 @@ + """ % version + + ## installer defaults +-ROOT_DIR = "/usr/local/viewcvs-" + version ++ROOT_DIR = os.environ['INSTDIR'] + + + ## list of files for installation +@@ -65,11 +65,11 @@ + ("cgi/query.cgi", "cgi/query.cgi", 0755, 1, 0, 0), + ("standalone.py", "standalone.py", 0755, 1, 0, 0), + +- ("cgi/viewcvs.conf.dist", "viewcvs.conf", 0644, 1, ++ ("cgi/viewcvs.conf.dist", "viewcvs.conf.dist", 0644, 1, + """Note: If you are upgrading from viewcvs-0.7 or earlier: + The section [text] has been removed from viewcvs.conf. The functionality + went into the new files in subdirectory templates.""", 0), +- ("cgi/cvsgraph.conf.dist", "cvsgraph.conf", 0644, 0, 1, 0), ++ ("cgi/cvsgraph.conf.dist", "cvsgraph.conf.dist", 0644, 0, 1, 0), + + ("lib/PyFontify.py", "lib/PyFontify.py", 0644, 0, 0, 1), + ("lib/blame.py", "lib/blame.py", 0644, 0, 0, 1), +@@ -192,7 +192,7 @@ + if type(prompt_replace) == type(""): + print prompt_replace + while 1: +- temp = raw_input("\n File %s\n exists and is different from source file.\n DO YOU WANT TO,\n overwrite [o]\n do not overwrite [d]\n view differences [v]: " % (dest_path)) ++ temp = 'o' + print + + temp = string.lower(temp[0]) +@@ -245,10 +245,10 @@ + print INFO_TEXT + + ## get the install path +- temp = raw_input("Installation Path [%s]: " % ROOT_DIR) +- temp = string.strip(temp) +- if len(temp): +- ROOT_DIR = temp ++ #temp = raw_input("Installation Path [%s]: " % ROOT_DIR) ++ #temp = string.strip(temp) ++ #if len(temp): ++ # ROOT_DIR = temp + + ## install the files + print diff --git a/devel/viewvc/pkg-message b/devel/viewvc/pkg-message index ac1d1f4..c45fbf9 100644 --- a/devel/viewvc/pkg-message +++ b/devel/viewvc/pkg-message @@ -3,3 +3,10 @@ you need to do is modify the configuration file, located at %%INSTDIR%%/viewcvs.conf, to note where your CVSROOT is, and then copy the actual CGI (located at %%INSTDIR%%/cgi/viewcvs.cgi) to your cgi-bin. +Please notice that configuration files are installed as +".dist" and must be copied to their actual names prior to +be edited, e.g.: +$ cd %%INSTDIR%% +$ cp viewcvs.conf.dist viewcvs.conf +$ cp cvsgraph.conf.dist cvsgraph.conf +It's up to yo to check the ".dist" files after upgrades. diff --git a/devel/viewvc/pkg-plist b/devel/viewvc/pkg-plist index 786e2ef..4868e8f 100644 --- a/devel/viewvc/pkg-plist +++ b/devel/viewvc/pkg-plist @@ -1,7 +1,7 @@ %%INSTDIR%%/cgi/query.cgi %%INSTDIR%%/cgi/viewcvs.cgi %%INSTDIR%%/cvsdbadmin -%%INSTDIR%%/cvsgraph.conf +%%INSTDIR%%/cvsgraph.conf.dist %%INSTDIR%%/doc/help_dirview.html %%INSTDIR%%/doc/help_log.html %%INSTDIR%%/doc/help_logtable.html @@ -57,7 +57,7 @@ %%INSTDIR%%/templates/log_table.ezt %%INSTDIR%%/templates/markup.ezt %%INSTDIR%%/templates/query.ezt -%%INSTDIR%%/viewcvs.conf +%%INSTDIR%%/viewcvs.conf.dist @dirrm %%INSTDIR%%/templates @dirrm %%INSTDIR%%/lib @dirrm %%INSTDIR%%/doc/images -- cgit v1.1