author | Edwin Groothuis <edwin@FreeBSD.org> | 2003-08-24 12:40:03 +0000 |
---|---|---|
committer | Edwin Groothuis <edwin@FreeBSD.org> | 2003-08-24 12:40:03 +0000 |
commit | 51fcfef1ce264fe5801dac34e9bb598340f8d535 (patch) | |
tree | 1ffeada73054dcea1ddc5c8a507ea28e9c8b45f6 /devel/viewcvs/files/patch-lib::viewcvs.py | |
parent | - Update to 0.8.2a (diff) |
i[Patch Port] devel/viewcvs (unforbidden)
This patch solves two problems of the actual ViewCVs port:
1. it is forbidden as it is CSS-vulnerable, ViewCVS's CVS
contains a patch but a new release was still not created
by the authors 2. it overwrites the configuration files on
installation
To solve problem 1 I "back-ported" the patch 1.117 to
lib/viewcvs.py
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/viewcvs/viewcvs/lib/viewcvs.py#rev1.117
as the author himself says, it solves the problem:
http://mailman.lyra.org/pipermail/viewcvs-dev/2002-July/000776.html
To solve problem 2 I changed the install script to install
viewcvs.conf.dist directly instead of renaming it to
viewcvs.conf, leaving it up to the user and specifying it
in the pkg-message.
PR: ports/51464
Submitted by: Lapo Luchini <lapo@m4d.sm>
Notes:
svn path=/head/; revision=87606
Diffstat (limited to '')
-rw-r--r-- | devel/viewcvs/files/patch-lib::viewcvs.py | 91 |
1 files changed, 91 insertions, 0 deletions
diff --git a/devel/viewcvs/files/patch-lib::viewcvs.py b/devel/viewcvs/files/patch-lib::viewcvs.py
new file mode 100644
index 000000000000..0e1123ec43a1
--- /dev/null
+++ b/devel/viewcvs/files/patch-lib::viewcvs.py
@@ -0,0 +1,91 @@
+--- lib/viewcvs.py.orig Tue Jan 15 10:35:55 2002
++++ lib/viewcvs.py Fri Apr 25 19:18:22 2003
+@@ -174,6 +174,10 @@
+ # parse the query params into a dictionary (and use defaults)
+ query_dict = default_settings.copy()
+ for name, values in cgi.parse().items():
++ # validate the parameter
++ _validate_param(name, values[0])
++
++ # if we're here, then the parameter is okay
+ query_dict[name] = values[0]
+
+ # set up query strings, prefixed by question marks and ampersands
+@@ -228,6 +232,77 @@
+ self.branch = branch
+ self.taginfo = taginfo
+
++
++def _validate_param(name, value):
++ """Validate whether the given value is acceptable for the param name.
++
++ If the value is not allowed, then an error response is generated, and
++ this function throws an exception. Otherwise, it simply returns None.
++ """
++
++ try:
++ validator = _legal_params[name]
++ except KeyError:
++ error('An illegal parameter name ("%s") was passed.' % cgi.escape(name))
++
++ # is the validator a regex?
++ if hasattr(validator, 'match'):
++ if not validator.match(value):
++ error('An illegal value ("%s") was passed as a parameter.' %
++ cgi.escape(value))
++ return
++
++ # the validator must be a function
++ validator(value)
++
++def _validate_cvsroot(value):
++ if not cfg.general.cvs_roots.has_key(value):
++ error('The CVS root "%s" is unknown.' % cgi.escape(value))
++
++def _validate_regex(value):
++ # hmm. there isn't anything that we can do here.
++
++ ### we need to watch the flow of these parameters through the system
++ ### to ensure they don't hit the page unescaped. otherwise, these
++ ### parameters could constitute a CSS attack.
++ pass
++
++# obvious things here. note that we don't need uppercase for alpha.
++_re_validate_alpha = re.compile('^[a-z]+$')
++_re_validate_number = re.compile('^[0-9]+$')
++
++# when comparing two revs, we sometimes construct REV:SYMBOL, so ':' is needed
++_re_validate_revnum = re.compile('^[-_.a-zA-Z0-9:]+$')
++
++# it appears that RFC 2045 also says these chars are legal: !#$%&'*+^{|}~`
++# but woah... I'll just leave them out for now
++_re_validate_mimetype = re.compile('^[-_.a-zA-Z0-9/]+$')
++
++# the legal query parameters and their validation functions
++_legal_params = {
++ 'cvsroot' : _validate_cvsroot,
++ 'search' : _validate_regex,
++
++ 'hideattic' : _re_validate_number,
++ 'sortby' : _re_validate_alpha,
++ 'sortdir' : _re_validate_alpha,
++ 'logsort' : _re_validate_alpha,
++ 'diff_format' : _re_validate_alpha,
++ 'only_with_tag' : _re_validate_revnum,
++ 'dir_pagestart' : _re_validate_number,
++ 'log_pagestart' : _re_validate_number,
++ 'hidecvsroot' : _re_validate_number,
++ 'annotate' : _re_validate_revnum,
++ 'graph' : _re_validate_revnum,
++ 'makeimage' : _re_validate_number,
++ 'tarball' : _re_validate_number,
++ 'r1' : _re_validate_revnum,
++ 'tr1' : _re_validate_revnum,
++ 'r2' : _re_validate_revnum,
++ 'tr2' : _re_validate_revnum,
++ 'rev' : _re_validate_revnum,
++ 'content-type' : _re_validate_mimetype,
++ }
+
+ class LogEntry:
+ "Hold state for each revision entry in an 'rlog' output." |
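Review bot: The four allow-list patterns (`_re_validate_alpha`, `_re_validate_number`, `_re_validate_revnum`, `_re_validate_mimetype`) are anchored with `$`, which in Python's `re` also matches just before a trailing newline, so a value like `"123\n"` passes `_re_validate_number` and `"text/html\n"` passes `_re_validate_mimetype`; anchoring with `\Z` instead, e.g. `_re_validate_mimetype = re.compile('^[-_.a-zA-Z0-9/]+\\Z')` and likewise for the other three, rejects the trailing newline. Whether the `content-type` value later reaches a response header is not visible in this patch, but a newline surviving validation is the kind of gap an allow-list is meant to close. Separately, `_validate_param` depends on `error()` raising in the `except KeyError` branch, as its docstring says; if it ever merely writes the response, `validator` is unbound on the following `hasattr` line, so a comment such as `# error() raises; validator is unbound if it ever returns` would make that dependency explicit to the next maintainer.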