Date: Mon, 21 May 2007 21:48:58 +0900 (JST)
From: TAKATSU Tomonari <tota@rtfm.jp>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/112833: [PATCH] japanese/trac: update to 0.10.4
Message-ID: <200705211248.l4LCmwGG050576@www2.inetd.co.jp>
Resent-Message-ID: <200705211250.l4LCo492048983@freefall.freebsd.org>
>Number: 112833 >Category: ports >Synopsis: [PATCH] japanese/trac: update to 0.10.4 >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: maintainer-update >Submitter-Id: current-users >Arrival-Date: Mon May 21 12:50:04 GMT 2007 >Closed-Date: >Last-Modified: >Originator: TAKATSU Tomonari >Release: FreeBSD 6.2-STABLE i386 >Organization: none (personal) >Environment: System: FreeBSD photon.rtfm.jp 6.2-STABLE FreeBSD 6.2-STABLE #0: Tue Feb 13 03:58:33 JST 2007 root@photon.rtfm.jp:/usr/obj/usr/src/sys/GENERIC i386 >Description: - update to 0.10.4 Generated with FreeBSD Port Tools 0.77 >How-To-Repeat: >Fix: diff -urN trac.orig/Makefile trac/Makefile --- trac.orig/Makefile Mon Mar 12 23:09:29 2007 +++ trac/Makefile Mon May 21 21:19:59 2007 @@ -6,8 +6,7 @@ # PORTNAME= trac -PORTVERSION= 0.10.3 -PORTREVISION= 2 +PORTVERSION= 0.10.4 CATEGORIES= japanese www devel python MASTER_SITES= http://dist.bsdlab.org/ \ http://www.i-act.co.jp/project/products/downloads/ diff -urN trac.orig/distinfo trac/distinfo --- trac.orig/distinfo Wed Mar 7 23:48:38 2007 +++ trac/distinfo Mon May 21 21:20:04 2007 @@ -1,3 +1,3 @@ -MD5 (trac-0.10.3-ja-1.zip) = 2ed8046e0f59c3751b35b1941789baee -SHA256 (trac-0.10.3-ja-1.zip) = d4b8a505d003649eb2dde7e85674280e9b84caf3721db74696d8d4d928823247 -SIZE (trac-0.10.3-ja-1.zip) = 644169 +MD5 (trac-0.10.4-ja-1.zip) = dbc2468ca9acf70dd5fbd078e415fee6 +SHA256 (trac-0.10.4-ja-1.zip) = 9b9f188b726a7a15d28c1b44814b8db04a987bc165bcacfac8f3a0907123337a +SIZE (trac-0.10.4-ja-1.zip) = 650892 diff -urN trac.orig/files/patch-0.10.3.1 trac/files/patch-0.10.3.1 --- trac.orig/files/patch-0.10.3.1 Sat Mar 10 11:18:14 2007 +++ trac/files/patch-0.10.3.1 Thu Jan 1 09:00:00 1970 
@@ -1,194 +0,0 @@ -Index: RELEASE -=================================================================== ---- RELEASE (.../trac-0.10.3) (revision 4957) -+++ RELEASE (.../trac-0.10.3.1) (revision 4957) -@@ -1,8 +1,8 @@ --Release Notes for Trac 0.10.3 --============================= --December 12, 2006 -+Release Notes for Trac 0.10.3.1 -+=============================== -+March 8, 2007 - --We're happy to announce the Trac 0.10.3 release, available from: -+We're happy to announce the Trac 0.10.3.1 release, available from: - - http://trac.edgewall.org/wiki/TracDownload - -@@ -11,18 +11,15 @@ - - http://trac.edgewall.org/wiki/MailingList - --Trac 0.10.3 is a bug fix release and fixes a few bugs introduced in the --0.10.1 and 0.10.2 releases. A brief summary of major changes: -+Trac 0.10.3.1 is a security release: -+* Always send "Content-Disposition: attachment" headers where potentially -+ unsafe (user provided) content is available for download. This behaviour -+ can be altered using the "render_unsafe_content" option in the -+ "attachment" and "browser" sections of trac.ini. -+ * Fixed XSS vulnerability in "download wiki page as text" in combination with -+ Microsoft IE. Reported by Yoshinori Oota, Business Architects Inc. - -- * Timeline fail to load with a "NoSuchChangeset" error message (#4132). -- * Timed out MySQL connections not handled properly (#3645). -- * Subversion repository resync broken. (#4204). 
- --The complete list of closed tickets can be found here: -- -- http://trac.edgewall.org/query?status=closed&milestone=0.10.3 -- -- - Acknowledgements - ================ - -Index: wiki-default/WikiStart -=================================================================== ---- wiki-default/WikiStart (.../trac-0.10.3) (revision 4957) -+++ wiki-default/WikiStart (.../trac-0.10.3.1) (revision 4957) -@@ -1,4 +1,4 @@ --= Welcome to Trac 0.10.3 = -+= Welcome to Trac 0.10.3.1 = - - Trac is a '''minimalistic''' approach to '''web-based''' management of - '''software projects'''. Its goal is to simplify effective tracking and handling of software issues, enhancements and overall progress. -Index: ChangeLog -=================================================================== ---- ChangeLog (.../trac-0.10.3) (revision 4957) -+++ ChangeLog (.../trac-0.10.3.1) (revision 4957) -@@ -1,3 +1,14 @@ -+Trac 0.10.3.1 (March 8, 2007) -+http://svn.edgewall.org/repos/trac/tags/trac-0.10.3.1 -+ -+ Trac 0.10.3.1 is a security release: -+ * Always send "Content-Disposition: attachment" headers where potentially -+ unsafe (user provided) content is available for download. This behaviour -+ can be altered using the "render_unsafe_content" option in the -+ "attachment" and "browser" sections of trac.ini. -+ * Fixed XSS vulnerability in "download wiki page as text" in combination with -+ Microsoft IE. Reported by Yoshinori Oota, Business Architects Inc. 
-+ - Trac 0.10.3 (Dec 12, 2006) - http://svn.edgewall.org/repos/trac/tags/trac-0.10.3 - -Index: trac/attachment.py -=================================================================== ---- trac/attachment.py (.../trac-0.10.3) (revision 4957) -+++ trac/attachment.py (.../trac-0.10.3.1) (revision 4957) -@@ -555,22 +555,24 @@ - # Eventually send the file directly - format = req.args.get('format') - if format in ('raw', 'txt'): -- if not self.render_unsafe_content and not binary: -- # Force browser to download HTML/SVG/etc pages that may -- # contain malicious code enabling XSS attacks -- req.send_header('Content-Disposition', 'attachment;' + -- 'filename=' + attachment.filename) -- if not mime_type or (self.render_unsafe_content and \ -- not binary and format == 'txt'): -- mime_type = 'text/plain' -+ if not self.render_unsafe_content: -+ # Force browser to download files instead of rendering -+ # them, since they might contain malicious code enabling -+ # XSS attacks -+ req.send_header('Content-Disposition', 'attachment') -+ if format == 'txt': -+ mime_type = 'text/plain' -+ elif not mime_type: -+ mime_type = 'application/octet-stream' - if 'charset=' not in mime_type: - charset = mimeview.get_charset(str_data, mime_type) - mime_type = mime_type + '; charset=' + charset -+ - req.send_file(attachment.path, mime_type) - - # add ''Plain Text'' alternate link if needed -- if self.render_unsafe_content and not binary and \ -- mime_type and not mime_type.startswith('text/plain'): -+ if (self.render_unsafe_content and -+ mime_type and not mime_type.startswith('text/plain')): - plaintext_href = attachment.href(req, format='txt') - add_link(req, 'alternate', plaintext_href, 'Plain Text', - mime_type) -Index: trac/mimeview/api.py -=================================================================== ---- trac/mimeview/api.py (.../trac-0.10.3) (revision 4957) -+++ trac/mimeview/api.py (.../trac-0.10.3.1) (revision 4957) -@@ -604,8 +604,8 @@ - content, selector) - 
req.send_response(200) - req.send_header('Content-Type', output_type) -- req.send_header('Content-Disposition', 'filename=%s.%s' % (filename, -- ext)) -+ req.send_header('Content-Disposition', 'attachment; filename=%s.%s' % -+ (filename, ext)) - req.end_headers() - req.write(content) - raise RequestDone -Index: trac/__init__.py -=================================================================== ---- trac/__init__.py (.../trac-0.10.3) (revision 4957) -+++ trac/__init__.py (.../trac-0.10.3.1) (revision 4957) -@@ -11,7 +11,7 @@ - """ - __docformat__ = 'epytext en' - --__version__ = '0.10.3' -+__version__ = '0.10.3.1' - __url__ = 'http://trac.edgewall.org/' - __copyright__ = '(C) 2003-2006 Edgewall Software' - __license__ = 'BSD' -Index: trac/versioncontrol/web_ui/browser.py -=================================================================== ---- trac/versioncontrol/web_ui/browser.py (.../trac-0.10.3) (revision 4957) -+++ trac/versioncontrol/web_ui/browser.py (.../trac-0.10.3.1) (revision 4957) -@@ -21,7 +21,7 @@ - from fnmatch import fnmatchcase - - from trac import util --from trac.config import ListOption, Option -+from trac.config import ListOption, BoolOption, Option - from trac.core import * - from trac.mimeview import Mimeview, is_binary, get_mimetype - from trac.perm import IPermissionRequestor -@@ -57,6 +57,18 @@ - glob patterns, i.e. "*" can be used as a wild card) - (''since 0.10'')""") - -+ render_unsafe_content = BoolOption('browser', 'render_unsafe_content', -+ 'false', -+ """Whether attachments should be rendered in the browser, or -+ only made downloadable. -+ -+ Pretty much any file may be interpreted as HTML by the browser, -+ which allows a malicious user to attach a file containing cross-site -+ scripting attacks. 
-+ -+ For public sites where anonymous users can create attachments it is -+ recommended to leave this option disabled (which is the default).""") -+ - # INavigationContributor methods - - def get_active_navigation_item(self, req): -@@ -216,6 +228,11 @@ - format == 'txt' and 'text/plain' or mime_type) - req.send_header('Content-Length', node.content_length) - req.send_header('Last-Modified', http_date(node.last_modified)) -+ if not self.render_unsafe_content: -+ # Force browser to download files instead of rendering -+ # them, since they might contain malicious code enabling -+ # XSS attacks -+ req.send_header('Content-Disposition', 'attachment') - req.end_headers() - - while 1: -Index: trac/scripts/tests/admin-tests.txt -=================================================================== ---- trac/scripts/tests/admin-tests.txt (.../trac-0.10.3) (revision 4957) -+++ trac/scripts/tests/admin-tests.txt (.../trac-0.10.3.1) (revision 4957) -@@ -1,5 +1,5 @@ - ===== test_help_ok ===== --trac-admin - The Trac Administration Console 0.10.3 -+trac-admin - The Trac Administration Console 0.10.3.1 - - Usage: trac-admin </path/to/projenv> [command [subcommand] [option ...]] - diff -urN trac.orig/files/patch-setup.py trac/files/patch-setup.py --- trac.orig/files/patch-setup.py Fri Nov 4 21:30:10 2005 +++ trac/files/patch-setup.py Mon May 21 21:28:33 2007 @@ -1,6 +1,6 @@ ---- setup.py.orig Thu Nov 3 11:44:28 2005 -+++ setup.py Thu Nov 3 11:45:01 2005 -@@ -225,7 +225,7 @@ +--- setup.py.orig Thu Nov 2 20:58:46 2006 ++++ setup.py Mon May 21 21:28:00 2007 +@@ -231,7 +231,7 @@ (_p('share/trac/htdocs'), glob(_p('htdocs/*.*')) + [_p('htdocs/README')]), (_p('share/trac/htdocs/css'), glob(_p('htdocs/css/*'))), (_p('share/trac/htdocs/js'), glob(_p('htdocs/js/*'))), diff -urN trac.orig/files/patch-trac.css trac/files/patch-trac.css --- trac.orig/files/patch-trac.css Sun Dec 18 01:37:04 2005 +++ trac/files/patch-trac.css Mon May 21 21:35:38 2007 
@@ -1,6 +1,6 @@ ---- ./htdocs/css/trac.css.orig Fri Dec 16 11:24:16 2005 -+++ ./htdocs/css/trac.css Fri Dec 16 11:24:26 2005 -@@ -47,7 +47,7 @@ +--- ./htdocs/css/trac.css.orig Mon Sep 25 16:52:05 2006 ++++ ./htdocs/css/trac.css Mon May 21 21:32:02 2007 +@@ -63,7 +63,7 @@ background: url(../extlink.gif) left center no-repeat; padding-left: 16px; } diff -urN trac.orig/pkg-plist trac/pkg-plist --- trac.orig/pkg-plist Wed Mar 7 23:48:38 2007 +++ trac/pkg-plist Mon May 21 21:38:23 2007 @@ -159,6 +159,9 @@ %%PYTHON_SITELIBDIR%%/trac/upgrades/db19.py %%PYTHON_SITELIBDIR%%/trac/upgrades/db19.pyc %%PYTHON_SITELIBDIR%%/trac/upgrades/db19.pyo +%%PYTHON_SITELIBDIR%%/trac/upgrades/db20.py +%%PYTHON_SITELIBDIR%%/trac/upgrades/db20.pyc +%%PYTHON_SITELIBDIR%%/trac/upgrades/db20.pyo %%PYTHON_SITELIBDIR%%/trac/upgrades/db3.py %%PYTHON_SITELIBDIR%%/trac/upgrades/db3.pyc %%PYTHON_SITELIBDIR%%/trac/upgrades/db3.pyo >Release-Note: >Audit-Trail: >Unformatted:
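Review bot: in the distinfo hunk, the new MD5, SHA256 and SIZE values for trac-0.10.4-ja-1.zip are the only integrity check on a distfile that the Makefile's MASTER_SITES fetch over plain http. Please state in the PR how the checksums were produced, ideally from a copy compared against the publisher's own file rather than from a single mirror download.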
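Review bot: removing files/patch-0.10.3.1 drops the port's local copy of the 0.10.3.1 security fixes, while the description says only "update to 0.10.4". The deleted patch carried the unconditional `Content-Disposition: attachment` header in trac/attachment.py and trac/versioncontrol/web_ui/browser.py, the `attachment; filename=...` change in trac/mimeview/api.py, and the `render_unsafe_content` option for the `browser` section. Please confirm that trac-0.10.4-ja-1.zip already contains all of these and say so in the commit message, so the deletion is not read as a regression of the XSS fix.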
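Review bot: in the pkg-plist hunk, the new trac/upgrades/db20.py entries suggest this release adds a database upgrade step, but nothing in the PR tells users with existing environments what to do after updating. If that is the case, consider adding a pkg-message or UPDATING entry that points to the environment upgrade (`trac-admin </path/to/projenv> upgrade`).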