Date:      Wed, 19 Nov 2003 15:50:30 +0900 (JST)
From:      Fumihiko Kimura <jfkimura@yahoo.co.jp>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   ports/59451: maintainer-update ports: www/tdiary 1.5.6 to 1.5.6_1
Message-ID:  <200311190650.hAJ6oU3n055850@sh0.radio.gr.jp>
Resent-Message-ID: <200311190700.hAJ70dWB073538@freefall.freebsd.org>


>Number:         59451
>Category:       ports
>Synopsis:       maintainer-update ports: www/tdiary 1.5.6 to 1.5.6_1
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Tue Nov 18 23:00:39 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Fumihiko Kimura
>Release:        FreeBSD 4.9-RELEASE i386
>Organization:
>Environment:
>Description:

There is a security-related problem in tDiary 1.5.6; the tDiary developer has released a security advisory.

See http://www.tdiary.org/20031119.html
(Japanese only)


It occurs only under the following conditions:

 * "@secure = true" in the setting file (tdiary.conf)
 * output_rdf.rb or tb-send.rb selected as a plugin

When both conditions above hold, the patch needs to be applied.
It is not required if your setup does not meet both.
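The two conditions above decide whether an installation is affected. The following is an added example, not part of this PR, of a small POSIX sh check that applies them to a given tdiary.conf and plugin directory; it assumes (hypothetically) that a plugin is "selected" when its file is present in the plugin directory, and the function names and the sample data in demo() are constructed here.

```shell
#!/bin/sh
# Added example: report whether a tDiary 1.5.6 install meets both conditions
# from the advisory (and therefore needs the patch). Assumption: the chosen
# plugins are present as files in PLUGINDIR.

# secure_enabled CONF -> 0 if an uncommented "@secure = true" line is present.
# Leading whitespace and spacing around '=' are tolerated; lines starting
# with '#' do not match, so a commented-out setting is not counted.
secure_enabled() {
    grep -Eq '^[[:space:]]*@secure[[:space:]]*=[[:space:]]*true' "$1"
}

# risky_plugin_selected PLUGINDIR -> 0 if either listed plugin is selected.
risky_plugin_selected() {
    [ -e "$1/output_rdf.rb" ] || [ -e "$1/tb-send.rb" ]
}

# tdiary_needs_patch CONF PLUGINDIR -> prints a verdict; returns 0 only when
# both conditions hold, 1 otherwise.
tdiary_needs_patch() {
    if secure_enabled "$1" && risky_plugin_selected "$2"; then
        echo "patch needed: @secure = true and output_rdf.rb/tb-send.rb selected"
        return 0
    fi
    echo "patch not required for this configuration"
    return 1
}

# demo: constructed sample data (a commented-out and a live @secure line,
# plus tb-send.rb selected) so the script runs stand-alone. Returns 0.
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/plugin"
    printf '# @secure = true\n@secure = true\n' > "$tmp/tdiary.conf"
    : > "$tmp/plugin/tb-send.rb"
    tdiary_needs_patch "$tmp/tdiary.conf" "$tmp/plugin"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Run `demo` for the constructed case, or `tdiary_needs_patch /path/to/tdiary.conf /path/to/plugin` against a real installation.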

>How-To-Repeat:

Checked:

	FreeBSD 4.9-RELEASE
	FreeBSD 5.1-RELEASE-p10

>Fix:

=== begin  cut here ===
diff -urN  /usr/ports/www/tdiary/Makefile /usr/ports/www/tdiary-stable/Makefile
--- /usr/ports/www/tdiary/Makefile	Sat Nov 15 19:13:01 2003
+++ /usr/ports/www/tdiary-stable/Makefile	Wed Nov 19 14:01:50 2003
@@ -7,6 +7,7 @@
 
 PORTNAME=	tdiary
 PORTVERSION=	1.5.6
+PORTREVISION=	1
 CATEGORIES?=	www ruby
 MASTER_SITES=	\
 		${MASTER_SITE_SOURCEFORGE} \
@@ -70,6 +71,7 @@
 post-install:
 	@cd ${WRKSRC} && ${FIND} . -type f -o -type l | ${SED} -e 's,^\.,${TDIARYDIR:S|${LOCALBASE}/||},' >> ${TMPPLIST}
 	@cd ${WRKSRC} && ${FIND} . -type d -depth  | ${SED} -e 's,^\.,@dirrm ${TDIARYDIR:S|${LOCALBASE}/||},' >> ${TMPPLIST}
-	@${SED} -e "s,%%EXAMPLESDIR%%,${EXAMPLESDIR},g" ${PKGMESSAGE}
+	@${SED}	-e 's|%%EXAMPLESDIR%%|${EXAMPLESDIR}|' < ${FILESDIR}/pkg-message.in > ${PKGMESSAGE}
+	@${CAT} ${PKGMESSAGE}
 
 .include <bsd.port.mk>
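Review bot: the new sed in post-install drops the `g` flag (`'s|%%EXAMPLESDIR%%|${EXAMPLESDIR}|'` versus the old `"s,%%EXAMPLESDIR%%,${EXAMPLESDIR},g"`), so only the first occurrence per line is substituted; files/pkg-message.in currently has at most one per line, so it works, but keeping `g` costs nothing and avoids a surprise later. Also, this line now writes the generated message to ${PKGMESSAGE} rather than only displaying it; the bsd.port.mk default is ${PKGDIR}/pkg-message, which would drop a generated file into the port directory itself, so the Makefile should set PKGMESSAGE to a path under ${WRKDIR} (not visible in this hunk; please confirm).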
diff -urN  /usr/ports/www/tdiary/files/patch-aa /usr/ports/www/tdiary-stable/files/patch-aa
--- /usr/ports/www/tdiary/files/patch-aa	Thu Jan  1 09:00:00 1970
+++ /usr/ports/www/tdiary-stable/files/patch-aa	Wed Nov 19 13:35:35 2003
@@ -0,0 +1,52 @@
+===================================================================
+RCS file: /cvsroot/tdiary/core/tdiary.rb,v
+retrieving revision 1.156
+retrieving revision 1.159
+diff -u -r1.156 -r1.159
+--- tdiary.rb	2003/11/13 06:34:22	1.156
++++ tdiary.rb	2003/11/18 15:02:39	1.159
+@@ -1,13 +1,13 @@
+ =begin
+ == NAME
+ tDiary: the "tsukkomi-able" web diary system.
+-tdiary.rb $Revision: 1.156 $
++tdiary.rb $Revision: 1.159 $
+ 
+ Copyright (C) 2001-2003, TADA Tadashi <sho@spc.gr.jp>
+ You can redistribute it and/or modify it under GPL2.
+ =end
+ 
+-TDIARY_VERSION = '1.5.6'
++TDIARY_VERSION = '1.5.6.20031118'
+ 
+ require 'cgi'
+ begin
+@@ -62,10 +62,14 @@
+ module Safe
+ 	def safe( level = 4 )
+ 		result = nil
+-		Thread.start {
+-			$SAFE = level
++		if $SAFE < level then
++			Thread.start {
++				$SAFE = level
++				result = yield
++			}.join
++		else
+ 			result = yield
+-		}.join
++		end
+ 		result
+   end
+   module_function :safe
+@@ -740,7 +744,9 @@
+ 			r = str.dup
+ 			if @options['apply_plugin'] and str.index( '<%' ) then
+ 				r = str.untaint if $SAFE < 3
+-				r = ERbLight.new( r ).result( binding )
++				Safe::safe( @conf.secure ? 4 : 1 ) do
++					r = ERbLight.new( r ).result( binding )
++				end
+ 			end
+ 			r.gsub!( /<.*?>/, '' ) if remove_tag
+ 			r
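Review bot: patch-aa has no leading note saying what it fixes; a one-line header before the `===` line (patch(1) ignores text before the first `---`) pointing at http://www.tdiary.org/20031119.html and upstream revisions 1.156 to 1.159 would help the next maintainer. On the content: the `if $SAFE < level` guard in the Safe.safe hunk is the key part, since Ruby refuses to lower $SAFE, so the old unconditional `$SAFE = level` inside Thread.start fails whenever safe() is entered from a thread already above the requested level; with the guard that case now yields inline at the caller's (higher) level, which is the safe direction. The `@@ -740` hunk then evaluates `<%...%>` in diary text under `Safe::safe( @conf.secure ? 4 : 1 )`, and leaving `r = str.untaint if $SAFE < 3` outside that block is consistent with the `$SAFE < 3` condition it already carries.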
diff -urN  /usr/ports/www/tdiary/files/pkg-message.in /usr/ports/www/tdiary-stable/files/pkg-message.in
--- /usr/ports/www/tdiary/files/pkg-message.in	Thu Jan  1 09:00:00 1970
+++ /usr/ports/www/tdiary-stable/files/pkg-message.in	Wed Nov 19 13:45:59 2003
@@ -0,0 +1,29 @@
+
+=============================================================================
+There is a script to install tDiary in a user directory.
+This script should be run manually.
+
+[Ruby 1.6.x]
+
+  # ruby %%EXAMPLESDIR%%/tdiaryinst.rb --user=User
+   or
+  % ruby %%EXAMPLESDIR%%/tdiaryinst.rb
+
+ * Option: --suexec Use suExec for CGI execution
+	   --help   Display Help information
+
+[Ruby 1.8.x]
+
+  # %%EXAMPLESDIR%%/tdiary-FreeBSD.sh User
+   or
+  % %%EXAMPLESDIR%%/tdiary-FreeBSD.sh install
+
+---
+There is a document by English in the following directories.
+  See ...
+  %%EXAMPLESDIR%%/misc/i18n/
+   and
+  Explanation by English of a tDiary system can refer to the following page :
+
+  http://tdiary-users.sourceforge.jp/cgi-bin/wiki.cgi?FrontPage_en
+=============================================================================
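Review bot: the wording in the new files/pkg-message.in is hard to read ("There is a document by English in the following directories", "Explanation by English of a tDiary system can refer to the following page"); suggest "English documentation is in %%EXAMPLESDIR%%/misc/i18n/" and "An English description of tDiary is at:" followed by the URL. The rest of the file is a verbatim move of the old pkg-message, which is fine.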
diff -urN  /usr/ports/www/tdiary/pkg-message /usr/ports/www/tdiary-stable/pkg-message
--- /usr/ports/www/tdiary/pkg-message	Sat Nov 15 19:13:01 2003
+++ /usr/ports/www/tdiary-stable/pkg-message	Thu Jan  1 09:00:00 1970
@@ -1,26 +0,0 @@
-
-=============================================================================
-There is a script to install tDiary in a user directory.
-This script should be run manually.
-
-[Ruby 1.6.x]
-
-  # ruby %%EXAMPLESDIR%%/tdiaryinst.rb --user=User
-   or
-  % ruby %%EXAMPLESDIR%%/tdiaryinst.rb
-
-[Ruby 1.8.x]
-
-  # %%EXAMPLESDIR%%/tdiary-FreeBSD.sh User
-   or
-  % %%EXAMPLESDIR%%/tdiary-FreeBSD.sh install
-
----
-There is a document by English in the following directories.
-  See ...
-  %%EXAMPLESDIR%%/misc/i18n/
-   and
-  Explanation by English of a tDiary system can refer to the following page :
-
-  http://tdiary-users.sourceforge.jp/cgi-bin/wiki.cgi?FrontPage_en
-=============================================================================
=== ended  cut here ===

>Release-Note:
>Audit-Trail:
>Unformatted: