diff options
author | Edwin Groothuis <edwin@FreeBSD.org> | 2003-08-24 12:40:03 +0000 |
---|---|---|
committer | Edwin Groothuis <edwin@FreeBSD.org> | 2003-08-24 12:40:03 +0000 |
commit | 51fcfef1ce264fe5801dac34e9bb598340f8d535 (patch) | |
tree | 1ffeada73054dcea1ddc5c8a507ea28e9c8b45f6 | |
parent | - Update to 0.8.2a (diff) |
i[Patch Port] devel/viewcvs (unforbidden)
This patch solves two problems of the actual ViewCVs port:
1. it is forbidden as it is CSS-vulnerable, ViewCVS's CVS
contains a patch but a new release was still not created
by the authors 2. it overwrites the configuration files on
installation
To solve problem 1 I "back-ported" the patch 1.117 to
lib/viewcvs.py
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/viewcvs/viewcvs/lib/viewcvs.py#rev1.117
as the author itself says, it solves the problem:
http://mailman.lyra.org/pipermail/viewcvs-dev/2002-July/000776.html
To solve problem 2 I changed the install script to install
viewcvs.conf.dist directly instead of renaming it to
viewcvs.conf, leaving it up to the user and specifying it
in the pkg-message.
PR: ports/51464
Submitted by: Lapo Luchini <lapo@m4d.sm>
-rw-r--r-- | devel/viewcvs/Makefile | 6 | ||||
-rw-r--r-- | devel/viewcvs/files/patch-lib::viewcvs.py | 91 | ||||
-rw-r--r-- | devel/viewcvs/files/patch-viewcvs-install (renamed from devel/viewcvs/files/patch-aa) | 18 | ||||
-rw-r--r-- | devel/viewcvs/pkg-message | 7 | ||||
-rw-r--r-- | devel/viewcvs/pkg-plist | 4 | ||||
-rw-r--r-- | devel/viewvc/Makefile | 6 | ||||
-rw-r--r-- | devel/viewvc/files/patch-lib::viewcvs.py | 91 | ||||
-rw-r--r-- | devel/viewvc/files/patch-viewcvs-install (renamed from devel/viewvc/files/patch-aa) | 18 | ||||
-rw-r--r-- | devel/viewvc/pkg-message | 7 | ||||
-rw-r--r-- | devel/viewvc/pkg-plist | 4 |
10 files changed, 234 insertions, 18 deletions
diff --git a/devel/viewcvs/Makefile b/devel/viewcvs/Makefile index d45725cad75f..ba1267d87a00 100644 --- a/devel/viewcvs/Makefile +++ b/devel/viewcvs/Makefile @@ -7,6 +7,7 @@ PORTNAME= viewcvs PORTVERSION= 0.9.2 +PORTREVISION= 1 CATEGORIES= devel python MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR= ${PORTNAME} @@ -19,17 +20,12 @@ NO_BUILD= yes PKGMESSAGE= ${WRKDIR}/pkg-message INSTDIR?= ${PORTNAME}-${PORTVERSION} PLIST_SUB= INSTDIR=${INSTDIR} -FORBIDDEN= "due to cross-site scripting vulnerabilities" do-install: @ cd ${WRKSRC} && INSTDIR=${PREFIX}/${INSTDIR} ${PYTHON_CMD} viewcvs-install post-install: @ ${SED} -e "s:%%INSTDIR%%:${PREFIX}/${INSTDIR}:g" pkg-message >${PKGMESSAGE} -.if !defined(BATCH) - @ ${ECHO} @ ${CAT} ${PKGMESSAGE} - @ ${ECHO} -.endif .include <bsd.port.mk> diff --git a/devel/viewcvs/files/patch-lib::viewcvs.py b/devel/viewcvs/files/patch-lib::viewcvs.py new file mode 100644 index 000000000000..0e1123ec43a1 --- /dev/null +++ b/devel/viewcvs/files/patch-lib::viewcvs.py @@ -0,0 +1,91 @@ +--- lib/viewcvs.py.orig Tue Jan 15 10:35:55 2002 ++++ lib/viewcvs.py Fri Apr 25 19:18:22 2003 +@@ -174,6 +174,10 @@ + # parse the query params into a dictionary (and use defaults) + query_dict = default_settings.copy() + for name, values in cgi.parse().items(): ++ # validate the parameter ++ _validate_param(name, values[0]) ++ ++ # if we're here, then the parameter is okay + query_dict[name] = values[0] + + # set up query strings, prefixed by question marks and ampersands +@@ -228,6 +232,77 @@ + self.branch = branch + self.taginfo = taginfo + ++ ++def _validate_param(name, value): ++ """Validate whether the given value is acceptable for the param name. ++ ++ If the value is not allowed, then an error response is generated, and ++ this function throws an exception. Otherwise, it simply returns None. ++ """ ++ ++ try: ++ validator = _legal_params[name] ++ except KeyError: ++ error('An illegal parameter name ("%s") was passed.' % cgi.escape(name)) ++ ++ # is the validator a regex? ++ if hasattr(validator, 'match'): ++ if not validator.match(value): ++ error('An illegal value ("%s") was passed as a parameter.' % ++ cgi.escape(value)) ++ return ++ ++ # the validator must be a function ++ validator(value) ++ ++def _validate_cvsroot(value): ++ if not cfg.general.cvs_roots.has_key(value): ++ error('The CVS root "%s" is unknown.' % cgi.escape(value)) ++ ++def _validate_regex(value): ++ # hmm. there isn't anything that we can do here. ++ ++ ### we need to watch the flow of these parameters through the system ++ ### to ensure they don't hit the page unescaped. otherwise, these ++ ### parameters could constitute a CSS attack. ++ pass ++ ++# obvious things here. note that we don't need uppercase for alpha. ++_re_validate_alpha = re.compile('^[a-z]+$') ++_re_validate_number = re.compile('^[0-9]+$') ++ ++# when comparing two revs, we sometimes construct REV:SYMBOL, so ':' is needed ++_re_validate_revnum = re.compile('^[-_.a-zA-Z0-9:]+$') ++ ++# it appears that RFC 2045 also says these chars are legal: !#$%&'*+^{|}~` ++# but woah... I'll just leave them out for now ++_re_validate_mimetype = re.compile('^[-_.a-zA-Z0-9/]+$') ++ ++# the legal query parameters and their validation functions ++_legal_params = { ++ 'cvsroot' : _validate_cvsroot, ++ 'search' : _validate_regex, ++ ++ 'hideattic' : _re_validate_number, ++ 'sortby' : _re_validate_alpha, ++ 'sortdir' : _re_validate_alpha, ++ 'logsort' : _re_validate_alpha, ++ 'diff_format' : _re_validate_alpha, ++ 'only_with_tag' : _re_validate_revnum, ++ 'dir_pagestart' : _re_validate_number, ++ 'log_pagestart' : _re_validate_number, ++ 'hidecvsroot' : _re_validate_number, ++ 'annotate' : _re_validate_revnum, ++ 'graph' : _re_validate_revnum, ++ 'makeimage' : _re_validate_number, ++ 'tarball' : _re_validate_number, ++ 'r1' : _re_validate_revnum, ++ 'tr1' : _re_validate_revnum, ++ 'r2' : _re_validate_revnum, ++ 'tr2' : _re_validate_revnum, ++ 'rev' : _re_validate_revnum, ++ 'content-type' : _re_validate_mimetype, ++ } + + class LogEntry: + "Hold state for each revision entry in an 'rlog' output." diff --git a/devel/viewcvs/files/patch-aa b/devel/viewcvs/files/patch-viewcvs-install index f6924c80db22..aeab05b698ff 100644 --- a/devel/viewcvs/files/patch-aa +++ b/devel/viewcvs/files/patch-viewcvs-install @@ -1,5 +1,5 @@ ---- viewcvs-install.orig Fri Dec 21 20:59:45 2001 -+++ viewcvs-install Mon Dec 24 02:16:56 2001 +--- viewcvs-install.orig Fri Dec 21 03:59:45 2001 ++++ viewcvs-install Sun Aug 24 05:38:29 2003 @@ -51,7 +51,7 @@ """ % version @@ -9,6 +9,20 @@ ## list of files for installation +@@ -65,11 +65,11 @@ + ("cgi/query.cgi", "cgi/query.cgi", 0755, 1, 0, 0), + ("standalone.py", "standalone.py", 0755, 1, 0, 0), + +- ("cgi/viewcvs.conf.dist", "viewcvs.conf", 0644, 1, ++ ("cgi/viewcvs.conf.dist", "viewcvs.conf.dist", 0644, 1, + """Note: If you are upgrading from viewcvs-0.7 or earlier: + The section [text] has been removed from viewcvs.conf. The functionality + went into the new files in subdirectory templates.""", 0), +- ("cgi/cvsgraph.conf.dist", "cvsgraph.conf", 0644, 0, 1, 0), ++ ("cgi/cvsgraph.conf.dist", "cvsgraph.conf.dist", 0644, 0, 1, 0), + + ("lib/PyFontify.py", "lib/PyFontify.py", 0644, 0, 0, 1), + ("lib/blame.py", "lib/blame.py", 0644, 0, 0, 1), @@ -192,7 +192,7 @@ if type(prompt_replace) == type(""): print prompt_replace diff --git a/devel/viewcvs/pkg-message b/devel/viewcvs/pkg-message index ac1d1f45867e..c45fbf9165ce 100644 --- a/devel/viewcvs/pkg-message +++ b/devel/viewcvs/pkg-message @@ -3,3 +3,10 @@ you need to do is modify the configuration file, located at %%INSTDIR%%/viewcvs.conf, to note where your CVSROOT is, and then copy the actual CGI (located at %%INSTDIR%%/cgi/viewcvs.cgi) to your cgi-bin. +Please notice that configuration files are installed as +".dist" and must be copied to their actual names prior to +be edited, e.g.: +$ cd %%INSTDIR%% +$ cp viewcvs.conf.dist viewcvs.conf +$ cp cvsgraph.conf.dist cvsgraph.conf +It's up to yo to check the ".dist" files after upgrades. diff --git a/devel/viewcvs/pkg-plist b/devel/viewcvs/pkg-plist index 786e2ef62f65..4868e8f043f5 100644 --- a/devel/viewcvs/pkg-plist +++ b/devel/viewcvs/pkg-plist @@ -1,7 +1,7 @@ %%INSTDIR%%/cgi/query.cgi %%INSTDIR%%/cgi/viewcvs.cgi %%INSTDIR%%/cvsdbadmin -%%INSTDIR%%/cvsgraph.conf +%%INSTDIR%%/cvsgraph.conf.dist %%INSTDIR%%/doc/help_dirview.html %%INSTDIR%%/doc/help_log.html %%INSTDIR%%/doc/help_logtable.html @@ -57,7 +57,7 @@ %%INSTDIR%%/templates/log_table.ezt %%INSTDIR%%/templates/markup.ezt %%INSTDIR%%/templates/query.ezt -%%INSTDIR%%/viewcvs.conf +%%INSTDIR%%/viewcvs.conf.dist @dirrm %%INSTDIR%%/templates @dirrm %%INSTDIR%%/lib @dirrm %%INSTDIR%%/doc/images diff --git a/devel/viewvc/Makefile b/devel/viewvc/Makefile index d45725cad75f..ba1267d87a00 100644 --- a/devel/viewvc/Makefile +++ b/devel/viewvc/Makefile @@ -7,6 +7,7 @@ PORTNAME= viewcvs PORTVERSION= 0.9.2 +PORTREVISION= 1 CATEGORIES= devel python MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR= ${PORTNAME} @@ -19,17 +20,12 @@ NO_BUILD= yes PKGMESSAGE= ${WRKDIR}/pkg-message INSTDIR?= ${PORTNAME}-${PORTVERSION} PLIST_SUB= INSTDIR=${INSTDIR} -FORBIDDEN= "due to cross-site scripting vulnerabilities" do-install: @ cd ${WRKSRC} && INSTDIR=${PREFIX}/${INSTDIR} ${PYTHON_CMD} viewcvs-install post-install: @ ${SED} -e "s:%%INSTDIR%%:${PREFIX}/${INSTDIR}:g" pkg-message >${PKGMESSAGE} -.if !defined(BATCH) - @ ${ECHO} @ ${CAT} ${PKGMESSAGE} - @ ${ECHO} -.endif .include <bsd.port.mk> diff --git a/devel/viewvc/files/patch-lib::viewcvs.py b/devel/viewvc/files/patch-lib::viewcvs.py new file mode 100644 index 000000000000..0e1123ec43a1 --- /dev/null +++ b/devel/viewvc/files/patch-lib::viewcvs.py @@ -0,0 +1,91 @@ +--- lib/viewcvs.py.orig Tue Jan 15 10:35:55 2002 ++++ lib/viewcvs.py Fri Apr 25 19:18:22 2003 +@@ -174,6 +174,10 @@ + # parse the query params into a dictionary (and use defaults) + query_dict = default_settings.copy() + for name, values in cgi.parse().items(): ++ # validate the parameter ++ _validate_param(name, values[0]) ++ ++ # if we're here, then the parameter is okay + query_dict[name] = values[0] + + # set up query strings, prefixed by question marks and ampersands +@@ -228,6 +232,77 @@ + self.branch = branch + self.taginfo = taginfo + ++ ++def _validate_param(name, value): ++ """Validate whether the given value is acceptable for the param name. ++ ++ If the value is not allowed, then an error response is generated, and ++ this function throws an exception. Otherwise, it simply returns None. ++ """ ++ ++ try: ++ validator = _legal_params[name] ++ except KeyError: ++ error('An illegal parameter name ("%s") was passed.' % cgi.escape(name)) ++ ++ # is the validator a regex? ++ if hasattr(validator, 'match'): ++ if not validator.match(value): ++ error('An illegal value ("%s") was passed as a parameter.' % ++ cgi.escape(value)) ++ return ++ ++ # the validator must be a function ++ validator(value) ++ ++def _validate_cvsroot(value): ++ if not cfg.general.cvs_roots.has_key(value): ++ error('The CVS root "%s" is unknown.' % cgi.escape(value)) ++ ++def _validate_regex(value): ++ # hmm. there isn't anything that we can do here. ++ ++ ### we need to watch the flow of these parameters through the system ++ ### to ensure they don't hit the page unescaped. otherwise, these ++ ### parameters could constitute a CSS attack. ++ pass ++ ++# obvious things here. note that we don't need uppercase for alpha. ++_re_validate_alpha = re.compile('^[a-z]+$') ++_re_validate_number = re.compile('^[0-9]+$') ++ ++# when comparing two revs, we sometimes construct REV:SYMBOL, so ':' is needed ++_re_validate_revnum = re.compile('^[-_.a-zA-Z0-9:]+$') ++ ++# it appears that RFC 2045 also says these chars are legal: !#$%&'*+^{|}~` ++# but woah... I'll just leave them out for now ++_re_validate_mimetype = re.compile('^[-_.a-zA-Z0-9/]+$') ++ ++# the legal query parameters and their validation functions ++_legal_params = { ++ 'cvsroot' : _validate_cvsroot, ++ 'search' : _validate_regex, ++ ++ 'hideattic' : _re_validate_number, ++ 'sortby' : _re_validate_alpha, ++ 'sortdir' : _re_validate_alpha, ++ 'logsort' : _re_validate_alpha, ++ 'diff_format' : _re_validate_alpha, ++ 'only_with_tag' : _re_validate_revnum, ++ 'dir_pagestart' : _re_validate_number, ++ 'log_pagestart' : _re_validate_number, ++ 'hidecvsroot' : _re_validate_number, ++ 'annotate' : _re_validate_revnum, ++ 'graph' : _re_validate_revnum, ++ 'makeimage' : _re_validate_number, ++ 'tarball' : _re_validate_number, ++ 'r1' : _re_validate_revnum, ++ 'tr1' : _re_validate_revnum, ++ 'r2' : _re_validate_revnum, ++ 'tr2' : _re_validate_revnum, ++ 'rev' : _re_validate_revnum, ++ 'content-type' : _re_validate_mimetype, ++ } + + class LogEntry: + "Hold state for each revision entry in an 'rlog' output." diff --git a/devel/viewvc/files/patch-aa b/devel/viewvc/files/patch-viewcvs-install index f6924c80db22..aeab05b698ff 100644 --- a/devel/viewvc/files/patch-aa +++ b/devel/viewvc/files/patch-viewcvs-install @@ -1,5 +1,5 @@ ---- viewcvs-install.orig Fri Dec 21 20:59:45 2001 -+++ viewcvs-install Mon Dec 24 02:16:56 2001 +--- viewcvs-install.orig Fri Dec 21 03:59:45 2001 ++++ viewcvs-install Sun Aug 24 05:38:29 2003 @@ -51,7 +51,7 @@ """ % version @@ -9,6 +9,20 @@ ## list of files for installation +@@ -65,11 +65,11 @@ + ("cgi/query.cgi", "cgi/query.cgi", 0755, 1, 0, 0), + ("standalone.py", "standalone.py", 0755, 1, 0, 0), + +- ("cgi/viewcvs.conf.dist", "viewcvs.conf", 0644, 1, ++ ("cgi/viewcvs.conf.dist", "viewcvs.conf.dist", 0644, 1, + """Note: If you are upgrading from viewcvs-0.7 or earlier: + The section [text] has been removed from viewcvs.conf. The functionality + went into the new files in subdirectory templates.""", 0), +- ("cgi/cvsgraph.conf.dist", "cvsgraph.conf", 0644, 0, 1, 0), ++ ("cgi/cvsgraph.conf.dist", "cvsgraph.conf.dist", 0644, 0, 1, 0), + + ("lib/PyFontify.py", "lib/PyFontify.py", 0644, 0, 0, 1), + ("lib/blame.py", "lib/blame.py", 0644, 0, 0, 1), @@ -192,7 +192,7 @@ if type(prompt_replace) == type(""): print prompt_replace diff --git a/devel/viewvc/pkg-message b/devel/viewvc/pkg-message index ac1d1f45867e..c45fbf9165ce 100644 --- a/devel/viewvc/pkg-message +++ b/devel/viewvc/pkg-message @@ -3,3 +3,10 @@ you need to do is modify the configuration file, located at %%INSTDIR%%/viewcvs.conf, to note where your CVSROOT is, and then copy the actual CGI (located at %%INSTDIR%%/cgi/viewcvs.cgi) to your cgi-bin. +Please notice that configuration files are installed as +".dist" and must be copied to their actual names prior to +be edited, e.g.: +$ cd %%INSTDIR%% +$ cp viewcvs.conf.dist viewcvs.conf +$ cp cvsgraph.conf.dist cvsgraph.conf +It's up to yo to check the ".dist" files after upgrades. diff --git a/devel/viewvc/pkg-plist b/devel/viewvc/pkg-plist index 786e2ef62f65..4868e8f043f5 100644 --- a/devel/viewvc/pkg-plist +++ b/devel/viewvc/pkg-plist @@ -1,7 +1,7 @@ %%INSTDIR%%/cgi/query.cgi %%INSTDIR%%/cgi/viewcvs.cgi %%INSTDIR%%/cvsdbadmin -%%INSTDIR%%/cvsgraph.conf +%%INSTDIR%%/cvsgraph.conf.dist %%INSTDIR%%/doc/help_dirview.html %%INSTDIR%%/doc/help_log.html %%INSTDIR%%/doc/help_logtable.html @@ -57,7 +57,7 @@ %%INSTDIR%%/templates/log_table.ezt %%INSTDIR%%/templates/markup.ezt %%INSTDIR%%/templates/query.ezt -%%INSTDIR%%/viewcvs.conf +%%INSTDIR%%/viewcvs.conf.dist @dirrm %%INSTDIR%%/templates @dirrm %%INSTDIR%%/lib @dirrm %%INSTDIR%%/doc/images |