From bde98a7340772ad78b1e327fb5e110496d26229f Mon Sep 17 00:00:00 2001
From: Mark Linimon
Date: Tue, 9 Dec 2003 02:48:11 +0000
Subject: Fix a security related problem in tDiary 1.5.6, see http://www.tdiary.org/20031119.html (Japanese-language) for details. It only happened in the following case: * "@secure = true" in setting file (tdiary.conf) * output_rdf.rb or tb-send.rb by plugin choice PR: ports/59451 Submitted by: Fumihiko Kimura (maintainer)
---
 www/tdiary-devel/Makefile | 4 ++-
 www/tdiary-devel/files/patch-aa | 47 +++++++++++++++++++++++++++++++++++
 www/tdiary-devel/files/pkg-message.in | 29 +++++++++++++++++++++
 www/tdiary-devel/pkg-message | 26 -------------------
 www/tdiary/Makefile | 4 ++-
 www/tdiary/files/patch-aa | 47 +++++++++++++++++++++++++++++++++++
 www/tdiary/files/pkg-message.in | 29 +++++++++++++++++++++
 www/tdiary/pkg-message | 26 -------------------
 8 files changed, 158 insertions(+), 54 deletions(-)
 create mode 100644 www/tdiary-devel/files/patch-aa
 create mode 100644 www/tdiary-devel/files/pkg-message.in
 delete mode 100644 www/tdiary-devel/pkg-message
 create mode 100644 www/tdiary/files/patch-aa
 create mode 100644 www/tdiary/files/pkg-message.in
 delete mode 100644 www/tdiary/pkg-message
diff --git a/www/tdiary-devel/Makefile b/www/tdiary-devel/Makefile
index 13383966da2f..fa00ee3b640c 100644
--- a/www/tdiary-devel/Makefile
+++ b/www/tdiary-devel/Makefile
@@ -7,6 +7,7 @@
 PORTNAME= tdiary
 PORTVERSION= 1.5.6
+PORTREVISION= 1
 CATEGORIES?= www ruby
 MASTER_SITES= \
 ${MASTER_SITE_SOURCEFORGE} \
@@ -70,6 +71,7 @@ do-install:
 post-install:
 @cd ${WRKSRC} && ${FIND} . -type f -o -type l | ${SED} -e 's,^\.,${TDIARYDIR:S|${LOCALBASE}/||},' >> ${TMPPLIST}
 @cd ${WRKSRC} && ${FIND} . -type d -depth | ${SED} -e 's,^\.,@dirrm ${TDIARYDIR:S|${LOCALBASE}/||},' >> ${TMPPLIST}
- @${SED} -e "s,%%EXAMPLESDIR%%,${EXAMPLESDIR},g" ${PKGMESSAGE}
+ @${SED} -e 's|%%EXAMPLESDIR%%|${EXAMPLESDIR}|' < ${FILESDIR}/pkg-message.in > ${PKGMESSAGE}
+ @${CAT} ${PKGMESSAGE}
 .include
diff --git a/www/tdiary-devel/files/patch-aa b/www/tdiary-devel/files/patch-aa
new file mode 100644
index 000000000000..a88609622b12
--- /dev/null
+++ b/www/tdiary-devel/files/patch-aa
@@ -0,0 +1,47 @@
+--- tdiary.rb Thu Nov 13 15:34:22 2003
++++ tdiary.rb.new Fri Nov 21 16:11:26 2003
+@@ -1,13 +1,13 @@
+ =begin
+ == NAME
+ tDiary: the "tsukkomi-able" web diary system.
+-tdiary.rb $Revision: 1.156 $
++tdiary.rb $Revision: 1.159 $
+ 
+ Copyright (C) 2001-2003, TADA Tadashi
+ You can redistribute it and/or modify it under GPL2.
+ =end
+ 
+-TDIARY_VERSION = '1.5.6'
++TDIARY_VERSION = '1.5.6.20031118'
+ 
+ require 'cgi'
+ begin
+@@ -62,10 +62,14 @@
+ module Safe
+ def safe( level = 4 )
+ result = nil
+- Thread.start {
+- $SAFE = level
++ if $SAFE < level then
++ Thread.start {
++ $SAFE = level
++ result = yield
++ }.join
++ else
+ result = yield
+- }.join
++ end
+ result
+ end
+ module_function :safe
+@@ -740,7 +744,9 @@
+ r = str.dup
+ if @options['apply_plugin'] and str.index( '<%' ) then
+ r = str.untaint if $SAFE < 3
+- r = ERbLight.new( r ).result( binding )
++ Safe::safe( @conf.secure ? 4 : 1 ) do
++ r = ERbLight.new( r ).result( binding )
++ end
+ end
+ r.gsub!( /<.*?>/, '' ) if remove_tag
+ r
diff --git a/www/tdiary-devel/files/pkg-message.in b/www/tdiary-devel/files/pkg-message.in
new file mode 100644
index 000000000000..7641c845f302
--- /dev/null
+++ b/www/tdiary-devel/files/pkg-message.in
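Review bot: The new `@${SED}` line drops the `g` flag that the removed line carried, so only the first `%%EXAMPLESDIR%%` on each line of pkg-message.in is substituted; the template added in this commit has at most one per line, but `'s|%%EXAMPLESDIR%%|${EXAMPLESDIR}|g'` costs nothing and stays correct if the template changes. The redirect `> ${PKGMESSAGE}` also writes the generated message to wherever PKGMESSAGE resolves; unless the Makefile sets it to a path under ${WRKDIR} somewhere outside this hunk, the build would write into the port directory itself, recreating the file this commit deletes. The same two lines are added in the www/tdiary/Makefile hunk.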
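Review bot: The new `else` branch of `Safe.safe` (second inner hunk) runs the block in the calling thread whenever `$SAFE` is already at or above `level`; that is presumably the case the commit message describes, since Ruby 1.8 refuses to lower `$SAFE` inside the spawned thread, but nothing in the patch records the reason. A comment above the `if`, `# $SAFE can only be raised: spawn a sandbox thread only when the caller is below level`, would save the next reader from re-deriving it. The `Safe::safe( @conf.secure ? 4 : 1 )` call in the third inner hunk sits in a method whose start and end are outside the hunk, so whether `r` is still usable after an exception inside the block cannot be judged here. patch(1) ignores text before the first `---` header, so a one-line provenance note at the top of the file naming the upstream advisory from the commit message (http://www.tdiary.org/20031119.html) would tie the two files together; the identical file is added again as www/tdiary/files/patch-aa.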
@@ -0,0 +1,29 @@
+
+=============================================================================
+There is a script to install tDiary in a user directory.
+This script should be run manually.
+
+[Ruby 1.6.x]
+
+ # ruby %%EXAMPLESDIR%%/tdiaryinst.rb --user=User
+ or
+ % ruby %%EXAMPLESDIR%%/tdiaryinst.rb
+
+ * Option: --suexec Use suExec for CGI execution
+ --help Display Help information
+
+[Ruby 1.8.x]
+
+ # %%EXAMPLESDIR%%/tdiary-FreeBSD.sh User
+ or
+ % %%EXAMPLESDIR%%/tdiary-FreeBSD.sh install
+
+---
+There is a document by English in the following directories.
+ See ...
+ %%EXAMPLESDIR%%/misc/i18n/
+ and
+ Explanation by English of a tDiary system can refer to the following page :
+
+ http://tdiary-users.sourceforge.jp/cgi-bin/wiki.cgi?FrontPage_en
+=============================================================================
diff --git a/www/tdiary-devel/pkg-message b/www/tdiary-devel/pkg-message
deleted file mode 100644
index 237ee08b2814..000000000000
--- a/www/tdiary-devel/pkg-message
+++ /dev/null
@@ -1,26 +0,0 @@
-
-=============================================================================
-There is a script to install tDiary in a user directory.
-This script should be run manually.
-
-[Ruby 1.6.x]
-
- # ruby %%EXAMPLESDIR%%/tdiaryinst.rb --user=User
- or
- % ruby %%EXAMPLESDIR%%/tdiaryinst.rb
-
-[Ruby 1.8.x]
-
- # %%EXAMPLESDIR%%/tdiary-FreeBSD.sh User
- or
- % %%EXAMPLESDIR%%/tdiary-FreeBSD.sh install
-
----
-There is a document by English in the following directories.
- See ...
- %%EXAMPLESDIR%%/misc/i18n/
- and
- Explanation by English of a tDiary system can refer to the following page :
-
- http://tdiary-users.sourceforge.jp/cgi-bin/wiki.cgi?FrontPage_en
-=============================================================================
diff --git a/www/tdiary/Makefile b/www/tdiary/Makefile
index 13383966da2f..fa00ee3b640c 100644
--- a/www/tdiary/Makefile
+++ b/www/tdiary/Makefile
@@ -7,6 +7,7 @@
 PORTNAME= tdiary
 PORTVERSION= 1.5.6
+PORTREVISION= 1
 CATEGORIES?= www ruby
 MASTER_SITES= \
 ${MASTER_SITE_SOURCEFORGE} \
@@ -70,6 +71,7 @@ do-install:
 post-install:
 @cd ${WRKSRC} && ${FIND} . -type f -o -type l | ${SED} -e 's,^\.,${TDIARYDIR:S|${LOCALBASE}/||},' >> ${TMPPLIST}
 @cd ${WRKSRC} && ${FIND} . -type d -depth | ${SED} -e 's,^\.,@dirrm ${TDIARYDIR:S|${LOCALBASE}/||},' >> ${TMPPLIST}
- @${SED} -e "s,%%EXAMPLESDIR%%,${EXAMPLESDIR},g" ${PKGMESSAGE}
+ @${SED} -e 's|%%EXAMPLESDIR%%|${EXAMPLESDIR}|' < ${FILESDIR}/pkg-message.in > ${PKGMESSAGE}
+ @${CAT} ${PKGMESSAGE}
 .include
diff --git a/www/tdiary/files/patch-aa b/www/tdiary/files/patch-aa
new file mode 100644
index 000000000000..a88609622b12
--- /dev/null
+++ b/www/tdiary/files/patch-aa
@@ -0,0 +1,47 @@
+--- tdiary.rb Thu Nov 13 15:34:22 2003
++++ tdiary.rb.new Fri Nov 21 16:11:26 2003
+@@ -1,13 +1,13 @@
+ =begin
+ == NAME
+ tDiary: the "tsukkomi-able" web diary system.
+-tdiary.rb $Revision: 1.156 $
++tdiary.rb $Revision: 1.159 $
+ 
+ Copyright (C) 2001-2003, TADA Tadashi
+ You can redistribute it and/or modify it under GPL2.
+ =end
+ 
+-TDIARY_VERSION = '1.5.6'
++TDIARY_VERSION = '1.5.6.20031118'
+ 
+ require 'cgi'
+ begin
+@@ -62,10 +62,14 @@
+ module Safe
+ def safe( level = 4 )
+ result = nil
+- Thread.start {
+- $SAFE = level
++ if $SAFE < level then
++ Thread.start {
++ $SAFE = level
++ result = yield
++ }.join
++ else
+ result = yield
+- }.join
++ end
+ result
+ end
+ module_function :safe
+@@ -740,7 +744,9 @@
+ r = str.dup
+ if @options['apply_plugin'] and str.index( '<%' ) then
+ r = str.untaint if $SAFE < 3
+- r = ERbLight.new( r ).result( binding )
++ Safe::safe( @conf.secure ? 4 : 1 ) do
++ r = ERbLight.new( r ).result( binding )
++ end
+ end
+ r.gsub!( /<.*?>/, '' ) if remove_tag
+ r
diff --git a/www/tdiary/files/pkg-message.in b/www/tdiary/files/pkg-message.in
new file mode 100644
index 000000000000..7641c845f302
--- /dev/null
+++ b/www/tdiary/files/pkg-message.in
@@ -0,0 +1,29 @@
+
+=============================================================================
+There is a script to install tDiary in a user directory.
+This script should be run manually.
+
+[Ruby 1.6.x]
+
+ # ruby %%EXAMPLESDIR%%/tdiaryinst.rb --user=User
+ or
+ % ruby %%EXAMPLESDIR%%/tdiaryinst.rb
+
+ * Option: --suexec Use suExec for CGI execution
+ --help Display Help information
+
+[Ruby 1.8.x]
+
+ # %%EXAMPLESDIR%%/tdiary-FreeBSD.sh User
+ or
+ % %%EXAMPLESDIR%%/tdiary-FreeBSD.sh install
+
+---
+There is a document by English in the following directories.
+ See ...
+ %%EXAMPLESDIR%%/misc/i18n/
+ and
+ Explanation by English of a tDiary system can refer to the following page :
+
+ http://tdiary-users.sourceforge.jp/cgi-bin/wiki.cgi?FrontPage_en
+=============================================================================
diff --git a/www/tdiary/pkg-message b/www/tdiary/pkg-message
deleted file mode 100644
index 237ee08b2814..000000000000
--- a/www/tdiary/pkg-message
+++ /dev/null
@@ -1,26 +0,0 @@
-
-=============================================================================
-There is a script to install tDiary in a user directory.
-This script should be run manually.
-
-[Ruby 1.6.x]
-
- # ruby %%EXAMPLESDIR%%/tdiaryinst.rb --user=User
- or
- % ruby %%EXAMPLESDIR%%/tdiaryinst.rb
-
-[Ruby 1.8.x]
-
- # %%EXAMPLESDIR%%/tdiary-FreeBSD.sh User
- or
- % %%EXAMPLESDIR%%/tdiary-FreeBSD.sh install
-
----
-There is a document by English in the following directories.
- See ...
- %%EXAMPLESDIR%%/misc/i18n/
- and
- Explanation by English of a tDiary system can refer to the following page :
-
- http://tdiary-users.sourceforge.jp/cgi-bin/wiki.cgi?FrontPage_en
-=============================================================================
-- 
cgit v1.2.3