Diffstat (limited to 'devel/viewvc-devel/files/patch-lib_viewvc.py')
-rw-r--r--devel/viewvc-devel/files/patch-lib_viewvc.py39
1 files changed, 39 insertions, 0 deletions
diff --git a/devel/viewvc-devel/files/patch-lib_viewvc.py b/devel/viewvc-devel/files/patch-lib_viewvc.py
new file mode 100644
index 000000000000..739d60e1a50a
--- /dev/null
+++ b/devel/viewvc-devel/files/patch-lib_viewvc.py
@@ -0,0 +1,39 @@
+--- lib/viewvc.py.orig 2025-07-22 12:12:06 UTC
++++ lib/viewvc.py
+@@ -193,6 +193,10 @@ class Request:
+ # TODO: we might want to redirect to the cleaned up URL
+ path_parts = _path_parts(path_info)
+
++ # Protect against directory traversal attacks.
++ if ".." in path_parts:
++ raise ViewVCException("An illegal path was provided.", "400 Bad Request")
++
+ if path_parts:
+ # handle docroot magic path prefixes
+ if path_parts[0] == docroot_magic_path:
+@@ -3401,10 +3405,8 @@ def view_doc(request):
+ # Stat the file to get content length and last-modified date.
+ try:
+ info = os.stat(filename)
+- except OSError as v:
+- raise ViewVCException(
+- 'Static file "%s" not available (%s)' % (document, str(v)), "404 Not Found"
+- )
++ except OSError:
++ raise ViewVCException('Static file "%s" not available' % (document), "404 Not Found")
+ content_length = str(info[stat.ST_SIZE])
+ last_modified = info[stat.ST_MTIME]
+
+@@ -3414,10 +3416,8 @@ def view_doc(request):
+
+ try:
+ fp = open(filename, "rb")
+- except IOError as v:
+- raise ViewVCException(
+- 'Static file "%s" not available (%s)' % (document, str(v)), "404 Not Found"
+- )
++ except IOError:
++ raise ViewVCException('Static file "%s" not available' % (document), "404 Not Found")
+
+ if document[-3:] == "png":
+ mime_type = "image/png"