From owner-freebsd-ports-bugs@FreeBSD.ORG Sun Apr 27 08:10:12 2003
Delivered-To: freebsd-ports-bugs@hub.freebsd.org
Resent-Date: Sun, 27 Apr 2003 08:10:10 -0700 (PDT)
Resent-Message-Id: <200304271510.h3RFAAQc054579@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Lapo Luchini
Message-Id: <200304271337.h3RDb121004666@cyberx.lapo.it>
Date: Sun, 27 Apr 2003 15:37:01 +0200 (CEST)
From: Lapo Luchini
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
cc: Lapo Luchini
cc: sysadmin@alexdupre.com
Subject: ports/51465: [Patch Port] devel/viewcvs (unforbidden)
Reply-To: Lapo Luchini
List-Id: Ports bug reports

>Number:         51465
>Category:       ports
>Synopsis:       [Patch Port] devel/viewcvs (unforbidden)
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Sun Apr 27 08:10:10 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Lapo Luchini
>Release:        FreeBSD 4.8-RC i386
>Organization:
>Environment:
System: FreeBSD lapo.m4d.sm 4.8-RC FreeBSD 4.8-RC #8: Fri Mar 21 16:04:11 CET 2003 lapo@lapo.m4d.sm:/usr/obj/usr/src/sys/CYBERX i386
>Description:
This patch solves two problems of the current ViewCVS port:

1. it is forbidden as it is CSS-vulnerable; ViewCVS's CVS contains a patch, but a new release has still not been created by the authors
2. it overwrites the configuration files on installation

To solve problem 1 I "back-ported" the patch 1.117 to lib/viewcvs.py
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/viewcvs/viewcvs/lib/viewcvs.py#rev1.117
As the author himself says, it solves the problem:
http://mailman.lyra.org/pipermail/viewcvs-dev/2002-July/000776.html

To solve problem 2 I changed the install script to install viewcvs.conf.dist directly instead of renaming it to viewcvs.conf, leaving it up to the user and specifying it in the pkg-message.
>How-To-Repeat:
>Fix:
The patch applies from /usr/ports/devel with -p0

--- viewcvs-0.9.2.diff begins here ---
diff -ruN viewcvs.orig/Makefile viewcvs/Makefile
--- viewcvs.orig/Makefile Fri Apr 25 19:23:05 2003
+++ viewcvs/Makefile Fri Apr 25 19:49:11 2003
@@ -7,6 +7,7 @@ PORTNAME= viewcvs PORTVERSION= 0.9.2 +PORTREVISION= 1 CATEGORIES= devel python MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR= ${PORTNAME} @@ -19,17 +20,12 @@ PKGMESSAGE= ${WRKDIR}/pkg-message INSTDIR?= ${PORTNAME}-${PORTVERSION} PLIST_SUB= INSTDIR=${INSTDIR} -FORBIDDEN= "due to cross-site scripting vulnerabilities" do-install: @ cd ${WRKSRC} && INSTDIR=${PREFIX}/${INSTDIR} ${PYTHON_CMD} viewcvs-install post-install: @ ${SED} -e "s:%%INSTDIR%%:${PREFIX}/${INSTDIR}:g" pkg-message >${PKGMESSAGE} -.if !defined(BATCH) - @ ${ECHO} @ ${CAT} ${PKGMESSAGE} - @ ${ECHO} -.endif .include diff -ruN viewcvs.orig/files/patch-aa viewcvs/files/patch-aa --- viewcvs.orig/files/patch-aa Fri Apr 25 19:23:05 2003 +++ viewcvs/files/patch-aa Thu Jan 1 01:00:00 1970 @@ -1,35 +0,0 @@ ---- viewcvs-install.orig Fri Dec 21 20:59:45 2001 -+++ viewcvs-install Mon Dec 24 02:16:56 2001 -@@ -51,7 +51,7 @@ - """ % version - - ## installer defaults --ROOT_DIR = "/usr/local/viewcvs-" + version -+ROOT_DIR = os.environ['INSTDIR'] - - - ## list of files for installation -@@ -192,7 +192,7 @@ - if type(prompt_replace) == type(""): - print prompt_replace - while 1: -- temp = raw_input("\n File %s\n exists and is different from source file.\n DO YOU WANT TO,\n overwrite [o]\n do not overwrite [d]\n view differences [v]: " % (dest_path)) -+ temp = 'o' - print - - temp = string.lower(temp[0]) -@@ -245,10 +245,10 @@ - print INFO_TEXT - - ## get the install path -- temp = raw_input("Installation Path [%s]: " % ROOT_DIR) -- temp = string.strip(temp) -- if len(temp): -- ROOT_DIR = temp -+ #temp = raw_input("Installation Path [%s]: " % ROOT_DIR) -+ #temp = string.strip(temp) -+ #if len(temp): -+ # ROOT_DIR = temp - - ## install the files - print diff -ruN viewcvs.orig/files/patch-lib::viewcvs.py viewcvs/files/patch-lib::viewcvs.py --- viewcvs.orig/files/patch-lib::viewcvs.py Thu Jan 1 01:00:00 1970 +++ viewcvs/files/patch-lib::viewcvs.py Fri Apr 25 19:24:19 2003 
@@ -0,0 +1,91 @@ +--- lib/viewcvs.py.orig Tue Jan 15 10:35:55 2002 ++++ lib/viewcvs.py Fri Apr 25 19:18:22 2003 +@@ -174,6 +174,10 @@ + # parse the query params into a dictionary (and use defaults) + query_dict = default_settings.copy() + for name, values in cgi.parse().items(): ++ # validate the parameter ++ _validate_param(name, values[0]) ++ ++ # if we're here, then the parameter is okay + query_dict[name] = values[0] + + # set up query strings, prefixed by question marks and ampersands +@@ -228,6 +232,77 @@ + self.branch = branch + self.taginfo = taginfo + ++ ++def _validate_param(name, value): ++ """Validate whether the given value is acceptable for the param name. ++ ++ If the value is not allowed, then an error response is generated, and ++ this function throws an exception. Otherwise, it simply returns None. ++ """ ++ ++ try: ++ validator = _legal_params[name] ++ except KeyError: ++ error('An illegal parameter name ("%s") was passed.' % cgi.escape(name)) ++ ++ # is the validator a regex? ++ if hasattr(validator, 'match'): ++ if not validator.match(value): ++ error('An illegal value ("%s") was passed as a parameter.' % ++ cgi.escape(value)) ++ return ++ ++ # the validator must be a function ++ validator(value) ++ ++def _validate_cvsroot(value): ++ if not cfg.general.cvs_roots.has_key(value): ++ error('The CVS root "%s" is unknown.' % cgi.escape(value)) ++ ++def _validate_regex(value): ++ # hmm. there isn't anything that we can do here. ++ ++ ### we need to watch the flow of these parameters through the system ++ ### to ensure they don't hit the page unescaped. otherwise, these ++ ### parameters could constitute a CSS attack. ++ pass ++ ++# obvious things here. note that we don't need uppercase for alpha. 
++_re_validate_alpha = re.compile('^[a-z]+$') ++_re_validate_number = re.compile('^[0-9]+$') ++ ++# when comparing two revs, we sometimes construct REV:SYMBOL, so ':' is needed ++_re_validate_revnum = re.compile('^[-_.a-zA-Z0-9:]+$') ++ ++# it appears that RFC 2045 also says these chars are legal: !#$%&'*+^{|}~` ++# but woah... I'll just leave them out for now ++_re_validate_mimetype = re.compile('^[-_.a-zA-Z0-9/]+$') ++ ++# the legal query parameters and their validation functions ++_legal_params = { ++ 'cvsroot' : _validate_cvsroot, ++ 'search' : _validate_regex, ++ ++ 'hideattic' : _re_validate_number, ++ 'sortby' : _re_validate_alpha, ++ 'sortdir' : _re_validate_alpha, ++ 'logsort' : _re_validate_alpha, ++ 'diff_format' : _re_validate_alpha, ++ 'only_with_tag' : _re_validate_revnum, ++ 'dir_pagestart' : _re_validate_number, ++ 'log_pagestart' : _re_validate_number, ++ 'hidecvsroot' : _re_validate_number, ++ 'annotate' : _re_validate_revnum, ++ 'graph' : _re_validate_revnum, ++ 'makeimage' : _re_validate_number, ++ 'tarball' : _re_validate_number, ++ 'r1' : _re_validate_revnum, ++ 'tr1' : _re_validate_revnum, ++ 'r2' : _re_validate_revnum, ++ 'tr2' : _re_validate_revnum, ++ 'rev' : _re_validate_revnum, ++ 'content-type' : _re_validate_mimetype, ++ } + + class LogEntry: + "Hold state for each revision entry in an 'rlog' output." diff -ruN viewcvs.orig/files/patch-viewcvs-install viewcvs/files/patch-viewcvs-install --- viewcvs.orig/files/patch-viewcvs-install Thu Jan 1 01:00:00 1970 +++ viewcvs/files/patch-viewcvs-install Fri Apr 25 19:47:57 2003 
@@ -0,0 +1,49 @@ +--- viewcvs-install.orig Fri Dec 21 12:59:45 2001 ++++ viewcvs-install Fri Apr 25 19:47:28 2003 +@@ -51,7 +51,7 @@ + """ % version + + ## installer defaults +-ROOT_DIR = "/usr/local/viewcvs-" + version ++ROOT_DIR = os.environ['INSTDIR'] + + + ## list of files for installation +@@ -65,11 +65,11 @@ + ("cgi/query.cgi", "cgi/query.cgi", 0755, 1, 0, 0), + ("standalone.py", "standalone.py", 0755, 1, 0, 0), + +- ("cgi/viewcvs.conf.dist", "viewcvs.conf", 0644, 1, ++ ("cgi/viewcvs.conf.dist", "viewcvs.conf.dist", 0644, 1, + """Note: If you are upgrading from viewcvs-0.7 or earlier: + The section [text] has been removed from viewcvs.conf. The functionality + went into the new files in subdirectory templates.""", 0), +- ("cgi/cvsgraph.conf.dist", "cvsgraph.conf", 0644, 0, 1, 0), ++ ("cgi/cvsgraph.conf.dist", "cvsgraph.conf.dist", 0644, 0, 1, 0), + + ("lib/PyFontify.py", "lib/PyFontify.py", 0644, 0, 0, 1), + ("lib/blame.py", "lib/blame.py", 0644, 0, 0, 1), +@@ -192,7 +192,7 @@ + if type(prompt_replace) == type(""): + print prompt_replace + while 1: +- temp = raw_input("\n File %s\n exists and is different from source file.\n DO YOU WANT TO,\n overwrite [o]\n do not overwrite [d]\n view differences [v]: " % (dest_path)) ++ temp = 'o' + print + + temp = string.lower(temp[0]) +@@ -245,10 +245,10 @@ + print INFO_TEXT + + ## get the install path +- temp = raw_input("Installation Path [%s]: " % ROOT_DIR) +- temp = string.strip(temp) +- if len(temp): +- ROOT_DIR = temp ++ #temp = raw_input("Installation Path [%s]: " % ROOT_DIR) ++ #temp = string.strip(temp) ++ #if len(temp): ++ # ROOT_DIR = temp + + ## install the files + print diff -ruN viewcvs.orig/pkg-message viewcvs/pkg-message --- viewcvs.orig/pkg-message Fri Apr 25 19:23:05 2003 +++ viewcvs/pkg-message Fri Apr 25 19:55:08 2003 
@@ -3,3 +3,10 @@ %%INSTDIR%%/viewcvs.conf, to note where your CVSROOT is, and then copy the actual CGI (located at %%INSTDIR%%/cgi/viewcvs.cgi) to your cgi-bin. +Please notice that configuration files are installed as +".dist" and must be copied to their actual names prior to +be edited, e.g.: +$ cd %%INSTDIR%% +$ cp viewcvs.conf.dist viewcvs.conf +$ cp cvsgraph.conf.dist cvsgraph.conf +It's up to yo to check the ".dist" files after upgrades. diff -ruN viewcvs.orig/pkg-plist viewcvs/pkg-plist --- viewcvs.orig/pkg-plist Fri Apr 25 19:23:05 2003 +++ viewcvs/pkg-plist Fri Apr 25 19:59:18 2003 @@ -1,7 +1,7 @@ %%INSTDIR%%/cgi/query.cgi %%INSTDIR%%/cgi/viewcvs.cgi %%INSTDIR%%/cvsdbadmin -%%INSTDIR%%/cvsgraph.conf +%%INSTDIR%%/cvsgraph.conf.dist %%INSTDIR%%/doc/help_dirview.html %%INSTDIR%%/doc/help_log.html %%INSTDIR%%/doc/help_logtable.html @@ -57,7 +57,7 @@ %%INSTDIR%%/templates/log_table.ezt %%INSTDIR%%/templates/markup.ezt %%INSTDIR%%/templates/query.ezt -%%INSTDIR%%/viewcvs.conf +%%INSTDIR%%/viewcvs.conf.dist @dirrm %%INSTDIR%%/templates @dirrm %%INSTDIR%%/lib @dirrm %%INSTDIR%%/doc/images --- viewcvs-0.9.2.diff ends here --- >Release-Note: >Audit-Trail: >Unformatted:
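Review bot: in the Makefile hunk at @@ -19,17 +20,12 @@, dropping the `.if !defined(BATCH)` block that runs `@ ${CAT} ${PKGMESSAGE}` removes the only place a `make install` user sees the new notice that viewcvs.conf and cvsgraph.conf are now installed as .dist files and must be copied by hand, which is exactly the step this patch introduces. Keep the three lines (`@ ${ECHO}`, `@ ${CAT} ${PKGMESSAGE}`, `@ ${ECHO}`) in post-install so the message is shown on a port build as well as on pkg_add.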
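Review bot: in files/patch-viewcvs-install, `ROOT_DIR = os.environ['INSTDIR']` raises KeyError when the installer is run outside the port (the Makefile's do-install is the only place that exports INSTDIR), so anyone re-running viewcvs-install by hand after an upgrade gets a traceback instead of a prompt. Use `ROOT_DIR = os.environ.get('INSTDIR', "/usr/local/viewcvs-" + version)` to keep the upstream default; the same line is carried over unchanged from the deleted files/patch-aa, so the rename is a good moment to fix it. Forcing `temp = 'o'` is acceptable now that the user-edited viewcvs.conf and cvsgraph.conf are no longer among the installed names.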
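Review bot: in the lib/viewcvs.py hunk at @@ -174,6 +174,10 @@, the rejection path depends on `error()` never returning: `_validate_param` calls `error(...)` in the KeyError branch and then falls through to `validator`, which is unbound at that point, so a returning `error()` would turn a rejected request into a NameError rather than a clean refusal. The docstring only says the function "throws an exception"; add an explicit `return` (or `raise`) after each `error(...)` call so the contract does not rest on error()'s implementation, and note that only `values[0]` is validated, which matches `query_dict[name] = values[0]` but means repeated parameters are silently dropped.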
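Review bot: in the lib/viewcvs.py hunk at @@ -228,6 +232,77 @@, the value regexes are anchored with `^...$`, and in Python `$` also matches immediately before a trailing newline, so a value such as `rev=1.2%0A` passes `_re_validate_revnum` with the newline intact and `content-type=text/html%0A` passes `_re_validate_mimetype`; anchor with `\Z` instead (`re.compile(r'^[-_.a-zA-Z0-9:]+\Z')`) so the match must reach the real end of the string. Separately, `_validate_regex` is a no-op by its own comment, so `search` still reaches the page unvalidated; dropping FORBIDDEN in the Makefile therefore rests on that parameter being escaped at output, which nothing in this patch shows.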
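Review bot: typos in the pkg-message hunk: "prior to be edited" should read "prior to being edited" and "It's up to yo to check" should read "It's up to you to check". The unchanged paragraph above still tells the user to edit %%INSTDIR%%/viewcvs.conf before the new text says that file has to be created with `cp viewcvs.conf.dist viewcvs.conf`; move the copy instructions ahead of the edit instruction so the order matches what the user must actually do.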
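Review bot: in the pkg-plist hunks, the hand-copied viewcvs.conf and cvsgraph.conf are not listed, so pkg_delete leaves them behind and %%INSTDIR%% is never removed. The usual convention is an `@unexec if cmp -s %D/%%INSTDIR%%/viewcvs.conf.dist %D/%%INSTDIR%%/viewcvs.conf; then rm -f %D/%%INSTDIR%%/viewcvs.conf; fi` line ahead of the `%%INSTDIR%%/viewcvs.conf.dist` entry, and the same for cvsgraph.conf, so an unmodified copy is cleaned up on deinstall while an edited one is preserved.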
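The parameter whitelist that the Description back-ports, written out as a stand-alone Python 3 example for this page (it is not ViewCVS's own lib/viewcvs.py and is not part of the PR). The parameter names and character classes follow the patch; `ParamError`, `CVS_ROOTS`, `validate_query`, `is_rejected` and the control-character check in `_validate_regex` are assumptions made for the example. It goes beyond the patch in one respect: the regexes are anchored with `\A ... \Z` rather than `^ ... $`, and `trailing_newline_passes_dollar` shows why that matters.

```python
"""Whitelist validation of CGI query parameters, modelled on the ViewCVS
back-port in this PR.  Example code written for this page, not ViewCVS's
own lib/viewcvs.py; ParamError, CVS_ROOTS, validate_query and is_rejected
are assumptions made for the example."""
import re
from urllib.parse import parse_qs


class ParamError(Exception):
    """Raised where ViewCVS calls error(); stands in for its error page."""


# Hypothetical configured roots, standing in for cfg.general.cvs_roots.
CVS_ROOTS = {"main": "/home/cvs", "contrib": "/home/cvs-contrib"}


def _validate_cvsroot(value):
    if value not in CVS_ROOTS:
        raise ParamError('The CVS root "%s" is unknown.' % value)


def _validate_regex(value):
    # The patch leaves 'search' unvalidated and relies on output escaping.
    # This example at least refuses control characters (assumption), so the
    # value can never reach an HTTP header; markup must still be escaped.
    if re.search(r"[\x00-\x1f\x7f]", value):
        raise ParamError("control character in search expression")


# Anchored with \A ... \Z: unlike '$', \Z does not match before a trailing
# newline, so 'rev=1.2%0A' is rejected instead of slipping through.
_re_alpha = re.compile(r"\A[a-z]+\Z")
_re_number = re.compile(r"\A[0-9]+\Z")
_re_revnum = re.compile(r"\A[-_.a-zA-Z0-9:]+\Z")      # REV:SYMBOL needs ':'
_re_mimetype = re.compile(r"\A[-_.a-zA-Z0-9/]+\Z")

# Legal query parameters and their validators (regex or callable), as in
# the patch's _legal_params table.
LEGAL_PARAMS = {
    "cvsroot": _validate_cvsroot, "search": _validate_regex,
    "hideattic": _re_number, "sortby": _re_alpha, "sortdir": _re_alpha,
    "logsort": _re_alpha, "diff_format": _re_alpha,
    "only_with_tag": _re_revnum, "dir_pagestart": _re_number,
    "log_pagestart": _re_number, "hidecvsroot": _re_number,
    "annotate": _re_revnum, "graph": _re_revnum, "makeimage": _re_number,
    "tarball": _re_number, "r1": _re_revnum, "tr1": _re_revnum,
    "r2": _re_revnum, "tr2": _re_revnum, "rev": _re_revnum,
    "content-type": _re_mimetype,
}


def validate_param(name, value):
    """Reject unknown names and values that fail the name's validator."""
    try:
        validator = LEGAL_PARAMS[name]
    except KeyError:
        raise ParamError('An illegal parameter name ("%s") was passed.' % name)
    if hasattr(validator, "match"):           # regex validator
        if not validator.match(value):
            raise ParamError('An illegal value ("%s") was passed for "%s".'
                             % (value, name))
        return
    validator(value)                          # callable validator


def validate_query(query_string, defaults=None):
    """Parse a query string and return defaults updated with the validated
    parameters; raises ParamError on the first bad one.  Only values[0] is
    used, matching the patch's `query_dict[name] = values[0]`."""
    query = dict(defaults or {})
    for name, values in parse_qs(query_string, keep_blank_values=True).items():
        validate_param(name, values[0])
        query[name] = values[0]
    return query


def is_rejected(query_string):
    """True if validate_query refuses the query string."""
    try:
        validate_query(query_string)
    except ParamError:
        return True
    return False


def trailing_newline_passes_dollar():
    """Show the pitfall \\Z avoids: with '$', '1.2\\n' still matches."""
    dollar = re.compile("^[-_.a-zA-Z0-9:]+$")
    return bool(dollar.match("1.2\n")) and not _re_revnum.match("1.2\n")


if __name__ == "__main__":
    print(validate_query("cvsroot=main&rev=1.2&sortby=date"))
    print("rev=1.2%0A rejected:", is_rejected("rev=1.2%0A"))
```

`search` is the parameter to watch: the whitelist passes `search=%3Cscript%3E` through unchanged, exactly as the patch does, so the templates that render it still have to HTML-escape it.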