From owner-freebsd-ports-bugs@FreeBSD.ORG Mon Apr 9 12:50:02 2007 Message-Id:
<200704091242.l39CgokV082864@blg.akavia.ru> Date: Mon, 9 Apr 2007 22:42:50 +1000 (YAKST) From: Alexander Logvinov To: FreeBSD-gnats-submit@FreeBSD.org X-Send-Pr-Version: 3.113 Cc: Alexander Logvinov Subject: ports/111407: [PATCH] www/instiki: Fix cross site scripting vulnerability X-BeenThere: freebsd-ports-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Alexander Logvinov List-Id: Ports bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 09 Apr 2007 12:50:02 -0000 >Number: 111407 >Category: ports >Synopsis: [PATCH] www/instiki: Fix cross site scripting vulnerability >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: update >Submitter-Id: current-users >Arrival-Date: Mon Apr 09 12:50:01 GMT 2007 >Closed-Date: >Last-Modified: >Originator: Alexander Logvinov >Release: FreeBSD 6.2-RELEASE-p3 i386 >Organization: >Environment: >Description: Update to 0.11 Patch Level 1 and fix cross site scripting vulnerability Release info: http://rubyforge.org/frs/shownotes.php?group_id=186&release_id=10014 Security: http://golem.ph.utexas.edu/~distler/blog/archives/001181.html >How-To-Repeat: >Fix: Index: Makefile =================================================================== RCS file: /home/pcvs/ports/www/instiki/Makefile,v retrieving revision 1.11 diff -u -r1.11 Makefile --- Makefile 3 Oct 2006 00:59:47 -0000 1.11 +++ Makefile 9 Apr 2007 12:40:29 -0000 @@ -7,10 +7,11 @@ PORTNAME= instiki PORTVERSION= 0.11.0 -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES= www ruby MASTER_SITES= ${MASTER_SITE_RUBYFORGE} MASTER_SITE_SUBDIR= ${PORTNAME} +DISTNAME= ${PORTNAME}-0.11.pl1 EXTRACT_SUFX= .tgz MAINTAINER= arsptr@internode.on.net 
@@ -40,6 +41,7 @@ rake environment RAILS_ENV=production migrate ) do-install: + @${FIND} -E ${WRKSRC} -type f -iregex ".*\._.+" -exec ${RM} "{}" \; ${CP} -pR ${WRKSRC}/ ${PREFIX}/${INSTIKIDIR} ${CP} ${PREFIX}/${INSTIKIDIR}/db/production.db.sqlite3 \ ${PREFIX}/${INSTIKIDIR}/db/default.db.sqlite3 Index: distinfo =================================================================== RCS file: /home/pcvs/ports/www/instiki/distinfo,v retrieving revision 1.3 diff -u -r1.3 distinfo --- distinfo 1 May 2006 14:32:27 -0000 1.3 +++ distinfo 9 Apr 2007 12:40:29 -0000 @@ -1,3 +1,3 @@ -MD5 (instiki-0.11.0.tgz) = c8d86d05ef9a801e21e12d661fc737ab -SHA256 (instiki-0.11.0.tgz) = 4bc1315c73ecf2dbaef9c243b5073aa49ca3ea2c64a61c54b8fd57e4baf039ce -SIZE (instiki-0.11.0.tgz) = 1483964 +MD5 (instiki-0.11.pl1.tgz) = 42859487777cf56199cfe8c343a9c33b +SHA256 (instiki-0.11.pl1.tgz) = 777fc053818b139b0aac7dd96d274a194b93d35dbfb70d0d8a8aa2d3e49a27d8 +SIZE (instiki-0.11.pl1.tgz) = 1344168 Index: pkg-plist =================================================================== RCS file: /home/pcvs/ports/www/instiki/pkg-plist,v retrieving revision 1.6 diff -u -r1.6 pkg-plist --- pkg-plist 24 Jun 2006 11:52:15 -0000 1.6 +++ pkg-plist 9 Apr 2007 12:40:29 -0000 @@ -61,9 +61,9 @@ %%INSTIKIDIR%%db/default.db.sqlite3 %%INSTIKIDIR%%db/schema.rb %%INSTIKIDIR%%instiki +%%INSTIKIDIR%%instiki.bat %%INSTIKIDIR%%instiki.cmd %%INSTIKIDIR%%instiki.rb -%%INSTIKIDIR%%instiki.sh %%INSTIKIDIR%%lib/bluecloth_tweaked.rb %%INSTIKIDIR%%lib/chunks/category.rb %%INSTIKIDIR%%lib/chunks/chunk.rb 
@@ -74,15 +74,17 @@ %%INSTIKIDIR%%lib/chunks/test.rb %%INSTIKIDIR%%lib/chunks/uri.rb %%INSTIKIDIR%%lib/chunks/wiki.rb +%%INSTIKIDIR%%lib/db_structure.rb %%INSTIKIDIR%%lib/diff.rb %%INSTIKIDIR%%lib/instiki_errors.rb -%%INSTIKIDIR%%lib/native/linux/libsqlite3.so %%INSTIKIDIR%%lib/native/win32/sqlite3.dll %%INSTIKIDIR%%lib/native/win32/sqlite3_api.so +%%INSTIKIDIR%%lib/node.rb %%INSTIKIDIR%%lib/page_renderer.rb %%INSTIKIDIR%%lib/rdocsupport.rb %%INSTIKIDIR%%lib/redcloth.rb %%INSTIKIDIR%%lib/redcloth_for_tex.rb +%%INSTIKIDIR%%lib/sanitize.rb %%INSTIKIDIR%%lib/url_generator.rb %%INSTIKIDIR%%lib/wiki_content.rb %%INSTIKIDIR%%lib/wiki_words.rb @@ -127,6 +129,7 @@ %%INSTIKIDIR%%script/benchmarker %%INSTIKIDIR%%script/breakpointer %%INSTIKIDIR%%script/console +%%INSTIKIDIR%%script/create_db %%INSTIKIDIR%%script/destroy %%INSTIKIDIR%%script/generate %%INSTIKIDIR%%script/import_storage @@ -153,6 +156,7 @@ %%INSTIKIDIR%%test/unit/page_renderer_test.rb %%INSTIKIDIR%%test/unit/page_test.rb %%INSTIKIDIR%%test/unit/redcloth_for_tex_test.rb +%%INSTIKIDIR%%test/unit/sanitize_test.rb %%INSTIKIDIR%%test/unit/uri_test.rb %%INSTIKIDIR%%test/unit/web_test.rb %%INSTIKIDIR%%test/unit/wiki_file_test.rb Index: files/bluecloth-patch-lib-chunks-engines-rb =================================================================== RCS file: /home/pcvs/ports/www/instiki/files/bluecloth-patch-lib-chunks-engines-rb,v retrieving revision 1.1 diff -u -r1.1 bluecloth-patch-lib-chunks-engines-rb --- files/bluecloth-patch-lib-chunks-engines-rb 9 Jun 2006 08:58:56 -0000 1.1 +++ files/bluecloth-patch-lib-chunks-engines-rb 9 Apr 2007 12:40:29 -0000 
@@ -1,12 +1,12 @@ ---- lib/chunks/engines.rb.orig Sun Mar 12 15:57:24 2006 -+++ lib/chunks/engines.rb Tue Jun 6 22:45:16 2006 -@@ -35,7 +35,8 @@ - - class Markdown < AbstractEngine +--- lib/chunks/engines.rb.orig Wed Feb 28 06:09:26 2007 ++++ lib/chunks/engines.rb Mon Apr 9 22:22:51 2007 +@@ -40,7 +40,8 @@ + require_dependency 'sanitize' + include Sanitize def mask - require_dependency 'bluecloth_tweaked' + require_dependency 'rubygems' + require_gem 'BlueCloth' - BlueCloth.new(@content, @content.options[:engine_opts]).to_html + html = BlueCloth.new(@content, @content.options[:engine_opts]).to_html + sanitize_html(html) end - end >Release-Note: >Audit-Trail: >Unformatted:
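Review bot: in the first Makefile hunk (@@ -7,10 +7,11 @@) the distfile changes to instiki-0.11.pl1 via DISTNAME while PORTVERSION stays 0.11.0 and only PORTREVISION goes from 2 to 3, so the installed package name will not reveal that it carries upstream's patch level 1, and a VuXML entry for the cross-site scripting fix named in the Synopsis has no distinct fixed version to point at. Consider encoding the patch level in PORTVERSION (deriving DISTNAME from it) and filing the VuXML entry together with this update.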
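Review bot: the ${FIND} line added to do-install (@@ -40,6 +41,7 @@) uses -iregex ".*\._.+", which matches any path containing the two characters "._" anywhere, so a file or directory such as lib/foo._bar would be deleted as well, not only the "._*" AppleDouble files the line is presumably meant to drop (the purpose is not stated in the PR). `-name '._*'` is narrower and easier to read, a comment saying why these files are removed would help the next maintainer, and doing the cleanup in post-extract rather than do-install keeps ${WRKSRC} clean for anyone regenerating the plist from it.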
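Review bot: the first pkg-plist hunk (@@ -61,9 +61,9 @@) adds instiki.bat beside the existing instiki.cmd and drops instiki.sh; neither Windows launcher can run on FreeBSD, so consider deleting them in do-install (as the new ${FIND} line already does for other unwanted files) instead of packaging them, and double-check that nothing in the port (pkg-message, rc script) still refers to the removed instiki.sh.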
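Review bot: the second pkg-plist hunk (@@ -74,15 +74,17 @@) removes lib/native/linux/libsqlite3.so but keeps lib/native/win32/sqlite3.dll and sqlite3_api.so, which are equally unusable on FreeBSD; treating the win32 directory the same way as the Linux binary would be consistent. The new lib/sanitize.rb entry (with test/unit/sanitize_test.rb in the later hunk) is the component that carries the XSS fix, so it is worth calling out in the commit log rather than leaving it implicit in the plist churn.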
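Review bot: the regenerated files/bluecloth-patch-lib-chunks-engines-rb still replaces the bundled bluecloth_tweaked with the system BlueCloth gem via `require_gem 'BlueCloth'` and keeps upstream's new post-pass (`html = BlueCloth.new(@content, @content.options[:engine_opts]).to_html` followed by `sanitize_html(html)`), which is what actually neutralises the XSS, so the fix survives the library swap; please confirm with `make patch` that the rewritten hunk (now @@ -40,7 +40,8 @@) applies cleanly to the 0.11.pl1 tree, and note that require_gem is deprecated in favor of `gem` in recent RubyGems, so `gem 'BlueCloth'` avoids a deprecation warning on newer installs.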