Diffstat (limited to 'devel/viewvc-devel/files/patch-lib_viewvc.py')
-rw-r--r-- | devel/viewvc-devel/files/patch-lib_viewvc.py | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/devel/viewvc-devel/files/patch-lib_viewvc.py b/devel/viewvc-devel/files/patch-lib_viewvc.py
new file mode 100644
index 000000000000..739d60e1a50a
--- /dev/null
+++ b/devel/viewvc-devel/files/patch-lib_viewvc.py
@@ -0,0 +1,39 @@
+--- lib/viewvc.py.orig 2025-07-22 12:12:06 UTC
++++ lib/viewvc.py
+@@ -193,6 +193,10 @@ class Request:
+ # TODO: we might want to redirect to the cleaned up URL
+ path_parts = _path_parts(path_info)
+
++ # Protect against directory traversal attacks.
++ if ".." in path_parts:
++ raise ViewVCException("An illegal path was provided.", "400 Bad Request")
++
+ if path_parts:
+ # handle docroot magic path prefixes
+ if path_parts[0] == docroot_magic_path:
+@@ -3401,10 +3405,8 @@ def view_doc(request):
+ # Stat the file to get content length and last-modified date.
+ try:
+ info = os.stat(filename)
+- except OSError as v:
+- raise ViewVCException(
+- 'Static file "%s" not available (%s)' % (document, str(v)), "404 Not Found"
+- )
++ except OSError:
++ raise ViewVCException('Static file "%s" not available' % (document), "404 Not Found")
+ content_length = str(info[stat.ST_SIZE])
+ last_modified = info[stat.ST_MTIME]
+
+@@ -3414,10 +3416,8 @@ def view_doc(request):
+
+ try:
+ fp = open(filename, "rb")
+- except IOError as v:
+- raise ViewVCException(
+- 'Static file "%s" not available (%s)' % (document, str(v)), "404 Not Found"
+- )
++ except IOError:
++ raise ViewVCException('Static file "%s" not available' % (document), "404 Not Found")
+
+ if document[-3:] == "png":
+ mime_type = "image/png" |
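Review bot: The narrowed handlers in the two view_doc hunks re-raise ViewVCException inside `except OSError:` / `except IOError:` without `from None`, so the original OSError remains attached as `__context__`; if ViewVC's top-level error handler ever renders the traceback or chained exceptions, the OS error text this change removes from the 404 message can still surface there. Suppressing the context makes the intent explicit in both places: `raise ViewVCException('Static file "%s" not available' % (document), "404 Not Found") from None`. The traversal guard in the Request hunk rejects only an exact `..` component, which is sufficient as long as `_path_parts` already splits on `/` after URL decoding; that helper is not visible here and is worth confirming. Both enclosing functions start outside their hunks.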