ports/51465: [Patch Port] devel/viewcvs (unforbidden)

Lapo Luchini lapo at lapo.it
Sun Apr 27 15:10:12 UTC 2003


>Number:         51465
>Category:       ports
>Synopsis:       [Patch Port] devel/viewcvs (unforbidden)
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Sun Apr 27 08:10:10 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Lapo Luchini
>Release:        FreeBSD 4.8-RC i386
>Organization:
>Environment:
System: FreeBSD lapo.m4d.sm 4.8-RC FreeBSD 4.8-RC #8: Fri Mar 21 16:04:11 CET 2003 lapo at lapo.m4d.sm:/usr/obj/usr/src/sys/CYBERX i386


	
>Description:
This patch solves two problems of the current ViewCVS port:
1. it is marked FORBIDDEN because it is vulnerable to cross-site scripting (CSS); ViewCVS's CVS repository contains a fix, but the authors have not yet cut a new release containing it
2. it overwrites the configuration files on installation

To solve problem 1 I "back-ported" the patch from revision 1.117 of lib/viewcvs.py:
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/viewcvs/viewcvs/lib/viewcvs.py#rev1.117
As the author himself says, it solves the problem:
http://mailman.lyra.org/pipermail/viewcvs-dev/2002-July/000776.html

To solve problem 2 I changed the install script to install
viewcvs.conf.dist directly instead of renaming it to viewcvs.conf,
leaving the copy up to the user and saying so in the pkg-message.

>How-To-Repeat:
>Fix:

The patch applies from /usr/ports/devel with -p0.

--- viewcvs-0.9.2.diff begins here ---
diff -ruN viewcvs.orig/Makefile viewcvs/Makefile
--- viewcvs.orig/Makefile	Fri Apr 25 19:23:05 2003
+++ viewcvs/Makefile	Fri Apr 25 19:49:11 2003
@@ -7,6 +7,7 @@
 
 PORTNAME=	viewcvs
 PORTVERSION=	0.9.2
+PORTREVISION=	1
 CATEGORIES=	devel python
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
 MASTER_SITE_SUBDIR=	${PORTNAME}
@@ -19,17 +20,12 @@
 PKGMESSAGE=	${WRKDIR}/pkg-message
 INSTDIR?=	${PORTNAME}-${PORTVERSION}
 PLIST_SUB=	INSTDIR=${INSTDIR}
-FORBIDDEN=	"due to cross-site scripting vulnerabilities"
 
 do-install:
 	@ cd ${WRKSRC} && INSTDIR=${PREFIX}/${INSTDIR} ${PYTHON_CMD} viewcvs-install
 
 post-install:
 	@ ${SED} -e "s:%%INSTDIR%%:${PREFIX}/${INSTDIR}:g" pkg-message >${PKGMESSAGE}
-.if !defined(BATCH)
-	@ ${ECHO}
 	@ ${CAT} ${PKGMESSAGE}
-	@ ${ECHO}
-.endif
 
 .include <bsd.port.mk>
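Review bot: dropping the `.if !defined(BATCH)` / `@ ${ECHO}` wrapper around `@ ${CAT} ${PKGMESSAGE}` is unrelated to the two problems listed in the description and changes behaviour for batch and package builds, which will now always print the message; either keep the guard or mention the change in the description. Removing the `FORBIDDEN=` line is justified only as far as the back-ported `_validate_param` in files/patch-lib::viewcvs.py covers the reported cross-site scripting issue; since `_validate_regex` there deliberately passes the `search` parameter through unchecked, the committer should confirm against the referenced upstream thread that this is the complete fix before un-forbidding the port.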
diff -ruN viewcvs.orig/files/patch-aa viewcvs/files/patch-aa
--- viewcvs.orig/files/patch-aa	Fri Apr 25 19:23:05 2003
+++ viewcvs/files/patch-aa	Thu Jan  1 01:00:00 1970
@@ -1,35 +0,0 @@
---- viewcvs-install.orig	Fri Dec 21 20:59:45 2001
-+++ viewcvs-install	Mon Dec 24 02:16:56 2001
-@@ -51,7 +51,7 @@
- """ % version
- 
- ## installer defaults
--ROOT_DIR = "/usr/local/viewcvs-" + version
-+ROOT_DIR = os.environ['INSTDIR']
- 
- 
- ## list of files for installation
-@@ -192,7 +192,7 @@
-     if type(prompt_replace) == type(""):
-       print prompt_replace
-     while 1:
--      temp = raw_input("\n    File %s\n    exists and is different from source file.\n      DO YOU WANT TO,\n        overwrite [o]\n        do not overwrite [d]\n        view differences [v]: " % (dest_path))
-+      temp = 'o'
-       print
- 
-       temp = string.lower(temp[0])
-@@ -245,10 +245,10 @@
-     print INFO_TEXT
-     
-     ## get the install path
--    temp = raw_input("Installation Path [%s]: " % ROOT_DIR)
--    temp = string.strip(temp)
--    if len(temp):
--        ROOT_DIR = temp
-+    #temp = raw_input("Installation Path [%s]: " % ROOT_DIR)
-+    #temp = string.strip(temp)
-+    #if len(temp):
-+    #    ROOT_DIR = temp
-         
-     ## install the files
-     print
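Review bot: this hunk deletes files/patch-aa, whose three hunks reappear unchanged in the new files/patch-viewcvs-install below, so the rename is fine; but a `diff -ruN` deletion hunk (`@@ -1,35 +0,0 @@`) only empties the file unless the committer applies it with `patch -E` (`--remove-empty-files`), and an empty files/patch-aa left behind would still be picked up by the ports framework at patch time. Remove files/patch-aa explicitly when committing.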
diff -ruN viewcvs.orig/files/patch-lib::viewcvs.py viewcvs/files/patch-lib::viewcvs.py
--- viewcvs.orig/files/patch-lib::viewcvs.py	Thu Jan  1 01:00:00 1970
+++ viewcvs/files/patch-lib::viewcvs.py	Fri Apr 25 19:24:19 2003
@@ -0,0 +1,91 @@
+--- lib/viewcvs.py.orig	Tue Jan 15 10:35:55 2002
++++ lib/viewcvs.py	Fri Apr 25 19:18:22 2003
+@@ -174,6 +174,10 @@
+     # parse the query params into a dictionary (and use defaults)
+     query_dict = default_settings.copy()
+     for name, values in cgi.parse().items():
++      # validate the parameter
++      _validate_param(name, values[0])
++
++      # if we're here, then the parameter is okay
+       query_dict[name] = values[0]
+ 
+     # set up query strings, prefixed by question marks and ampersands
+@@ -228,6 +232,77 @@
+     self.branch = branch
+     self.taginfo = taginfo
+ 
++
++def _validate_param(name, value):
++  """Validate whether the given value is acceptable for the param name.
++
++  If the value is not allowed, then an error response is generated, and
++  this function throws an exception. Otherwise, it simply returns None.
++  """
++
++  try:
++    validator = _legal_params[name]
++  except KeyError:
++    error('An illegal parameter name ("%s") was passed.' % cgi.escape(name))
++
++  # is the validator a regex?
++  if hasattr(validator, 'match'):
++    if not validator.match(value):
++      error('An illegal value ("%s") was passed as a parameter.' %
++            cgi.escape(value))
++    return
++
++  # the validator must be a function
++  validator(value)
++
++def _validate_cvsroot(value):
++  if not cfg.general.cvs_roots.has_key(value):
++    error('The CVS root "%s" is unknown.' % cgi.escape(value))
++
++def _validate_regex(value):
++  # hmm. there isn't anything that we can do here.
++
++  ### we need to watch the flow of these parameters through the system
++  ### to ensure they don't hit the page unescaped. otherwise, these
++  ### parameters could constitute a CSS attack.
++  pass
++
++# obvious things here. note that we don't need uppercase for alpha.
++_re_validate_alpha = re.compile('^[a-z]+$')
++_re_validate_number = re.compile('^[0-9]+$')
++
++# when comparing two revs, we sometimes construct REV:SYMBOL, so ':' is needed
++_re_validate_revnum = re.compile('^[-_.a-zA-Z0-9:]+$')
++
++# it appears that RFC 2045 also says these chars are legal: !#$%&'*+^{|}~`
++# but woah... I'll just leave them out for now
++_re_validate_mimetype = re.compile('^[-_.a-zA-Z0-9/]+$')
++
++# the legal query parameters and their validation functions
++_legal_params = {
++  'cvsroot'       : _validate_cvsroot,
++  'search'        : _validate_regex,
++
++  'hideattic'     : _re_validate_number,
++  'sortby'        : _re_validate_alpha,
++  'sortdir'       : _re_validate_alpha,
++  'logsort'       : _re_validate_alpha,
++  'diff_format'   : _re_validate_alpha,
++  'only_with_tag' : _re_validate_revnum,
++  'dir_pagestart' : _re_validate_number,
++  'log_pagestart' : _re_validate_number,
++  'hidecvsroot'   : _re_validate_number,
++  'annotate'      : _re_validate_revnum,
++  'graph'         : _re_validate_revnum,
++  'makeimage'     : _re_validate_number,
++  'tarball'       : _re_validate_number,
++  'r1'            : _re_validate_revnum,
++  'tr1'           : _re_validate_revnum,
++  'r2'            : _re_validate_revnum,
++  'tr2'           : _re_validate_revnum,
++  'rev'           : _re_validate_revnum,
++  'content-type'  : _re_validate_mimetype,
++  }
+ 
+ class LogEntry:
+   "Hold state for each revision entry in an 'rlog' output."
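Review bot: `_validate_param` relies on `error()` never returning: if the `except KeyError:` branch fell through, `validator` would be unbound on the next line and a `NameError` would replace the intended error page. That matches the docstring ("this function throws an exception"), but it should be confirmed against 0.9.2's `error()`, since this is a back-port onto an older lib/viewcvs.py than the one revision 1.117 was written for. The whitelist also rejects every query parameter whose name is not in `_legal_params`, so the list must cover every parameter that 0.9.2's own CGI scripts and templates emit, or previously working links will start returning errors. Finally, `_validate_regex` is a no-op, as its own comment says, so the `search` value still depends on being escaped at every point where it is rendered.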
diff -ruN viewcvs.orig/files/patch-viewcvs-install viewcvs/files/patch-viewcvs-install
--- viewcvs.orig/files/patch-viewcvs-install	Thu Jan  1 01:00:00 1970
+++ viewcvs/files/patch-viewcvs-install	Fri Apr 25 19:47:57 2003
@@ -0,0 +1,49 @@
+--- viewcvs-install.orig	Fri Dec 21 12:59:45 2001
++++ viewcvs-install	Fri Apr 25 19:47:28 2003
+@@ -51,7 +51,7 @@
+ """ % version
+ 
+ ## installer defaults
+-ROOT_DIR = "/usr/local/viewcvs-" + version
++ROOT_DIR = os.environ['INSTDIR']
+ 
+ 
+ ## list of files for installation
+@@ -65,11 +65,11 @@
+     ("cgi/query.cgi", "cgi/query.cgi", 0755, 1, 0, 0),
+     ("standalone.py", "standalone.py", 0755, 1, 0, 0),
+ 
+-    ("cgi/viewcvs.conf.dist", "viewcvs.conf", 0644, 1,
++    ("cgi/viewcvs.conf.dist", "viewcvs.conf.dist", 0644, 1,
+ 	     """Note: If you are upgrading from viewcvs-0.7 or earlier: 
+ The section [text] has been removed from viewcvs.conf.  The functionality
+ went into the new files in subdirectory templates.""", 0),
+-    ("cgi/cvsgraph.conf.dist", "cvsgraph.conf", 0644, 0, 1, 0),
++    ("cgi/cvsgraph.conf.dist", "cvsgraph.conf.dist", 0644, 0, 1, 0),
+ 
+     ("lib/PyFontify.py", "lib/PyFontify.py", 0644, 0, 0, 1),
+     ("lib/blame.py", "lib/blame.py", 0644, 0, 0, 1),
+@@ -192,7 +192,7 @@
+     if type(prompt_replace) == type(""):
+       print prompt_replace
+     while 1:
+-      temp = raw_input("\n    File %s\n    exists and is different from source file.\n      DO YOU WANT TO,\n        overwrite [o]\n        do not overwrite [d]\n        view differences [v]: " % (dest_path))
++      temp = 'o'
+       print
+ 
+       temp = string.lower(temp[0])
+@@ -245,10 +245,10 @@
+     print INFO_TEXT
+     
+     ## get the install path
+-    temp = raw_input("Installation Path [%s]: " % ROOT_DIR)
+-    temp = string.strip(temp)
+-    if len(temp):
+-        ROOT_DIR = temp
++    #temp = raw_input("Installation Path [%s]: " % ROOT_DIR)
++    #temp = string.strip(temp)
++    #if len(temp):
++    #    ROOT_DIR = temp
+         
+     ## install the files
+     print
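Review bot: with `temp = 'o'` hard-coded in the `@@ -192,7` hunk, the installer still overwrites every destination file unconditionally, so the rename to `viewcvs.conf.dist` and `cvsgraph.conf.dist` in the `@@ -65,11` hunk is the only thing protecting a user's edited configuration. The flip side is that a fresh install ships no `viewcvs.conf` or `cvsgraph.conf` at all until the user copies the .dist files as pkg-message describes. Consider copying each .dist to its real name from post-install only when the real name does not yet exist (the usual `[ -f file ] || cp file.dist file` idiom), which keeps a fresh install working without re-introducing the overwrite on upgrade. The upgrade note on the `("cgi/viewcvs.conf.dist", ...)` entry still refers to "viewcvs.conf" and could mention the .dist name too.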
diff -ruN viewcvs.orig/pkg-message viewcvs/pkg-message
--- viewcvs.orig/pkg-message	Fri Apr 25 19:23:05 2003
+++ viewcvs/pkg-message	Fri Apr 25 19:55:08 2003
@@ -3,3 +3,10 @@
 %%INSTDIR%%/viewcvs.conf, to note where your
 CVSROOT is, and then copy the actual CGI (located at
 %%INSTDIR%%/cgi/viewcvs.cgi) to your cgi-bin.
+Please notice that  configuration files are installed as
+".dist" and must be copied to their actual names prior to
+be edited, e.g.:
+$ cd %%INSTDIR%%
+$ cp viewcvs.conf.dist viewcvs.conf
+$ cp cvsgraph.conf.dist cvsgraph.conf
+It's up to yo to check the ".dist" files after upgrades.
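Review bot: the added lines have typos that will be shown to every user: a doubled space in "that  configuration", "prior to be edited" (should be "before editing them"), and "up to yo" (should be "up to you"). The new text also contradicts the unchanged lines above it, which tell the user to edit `%%INSTDIR%%/viewcvs.conf` before explaining that only the .dist files exist; move the copy instructions ahead of the edit instructions, or reword the first paragraph to refer to the .dist files.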
diff -ruN viewcvs.orig/pkg-plist viewcvs/pkg-plist
--- viewcvs.orig/pkg-plist	Fri Apr 25 19:23:05 2003
+++ viewcvs/pkg-plist	Fri Apr 25 19:59:18 2003
@@ -1,7 +1,7 @@
 %%INSTDIR%%/cgi/query.cgi
 %%INSTDIR%%/cgi/viewcvs.cgi
 %%INSTDIR%%/cvsdbadmin
-%%INSTDIR%%/cvsgraph.conf
+%%INSTDIR%%/cvsgraph.conf.dist
 %%INSTDIR%%/doc/help_dirview.html
 %%INSTDIR%%/doc/help_log.html
 %%INSTDIR%%/doc/help_logtable.html
@@ -57,7 +57,7 @@
 %%INSTDIR%%/templates/log_table.ezt
 %%INSTDIR%%/templates/markup.ezt
 %%INSTDIR%%/templates/query.ezt
-%%INSTDIR%%/viewcvs.conf
+%%INSTDIR%%/viewcvs.conf.dist
 @dirrm %%INSTDIR%%/templates
 @dirrm %%INSTDIR%%/lib
 @dirrm %%INSTDIR%%/doc/images
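Review bot: the plist now lists only `viewcvs.conf.dist` and `cvsgraph.conf.dist`, so the `viewcvs.conf` and `cvsgraph.conf` that pkg-message tells the user to create are unknown to the package and will be left behind on deinstall, which also makes any `@dirrm` of the installation directory fail. Preserving user edits is the right default, but the conventional ports idiom is an `@unexec` that removes the real file only when it is still identical to the .dist (e.g. `@unexec if cmp -s %D/%%INSTDIR%%/viewcvs.conf %D/%%INSTDIR%%/viewcvs.conf.dist; then rm -f %D/%%INSTDIR%%/viewcvs.conf; fi`, and likewise for cvsgraph.conf), so an unmodified copy does not block the directory removal.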
--- viewcvs-0.9.2.diff ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:


