authorsimon <simon@FreeBSD.org>2004-12-08 18:50:38 +0800
committersimon <simon@FreeBSD.org>2004-12-08 18:50:38 +0800
commiteebbbe59aff007a7c07ee48e06fbaf7ef2d45982 (patch)
tree0d6b32152edbcf2e573752c029e2dbedade6a035 /devel/viewvc
parent40ead4c4bc8b5ff61eba936543ee9fdfacde6da5 (diff)
Fix information leakage security vulnerability.
VuXML: http://vuxml.FreeBSD.org/323784cf-48a6-11d9-a9e7-0001020eed82.html Approved by: nectar Obtained from: Debian
Diffstat (limited to 'devel/viewvc')
-rw-r--r--devel/viewvc/Makefile2
-rw-r--r--devel/viewvc/files/patch-CAN-2004-091537
2 files changed, 38 insertions, 1 deletions
diff --git a/devel/viewvc/Makefile b/devel/viewvc/Makefile
index fb7a7e504179..5ae981e9066b 100644
--- a/devel/viewvc/Makefile
+++ b/devel/viewvc/Makefile
@@ -7,7 +7,7 @@
PORTNAME= viewcvs
PORTVERSION= 0.9.2
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= devel python
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
MASTER_SITE_SUBDIR= ${PORTNAME}
diff --git a/devel/viewvc/files/patch-CAN-2004-0915 b/devel/viewvc/files/patch-CAN-2004-0915
new file mode 100644
index 000000000000..6e150bc53438
--- /dev/null
+++ b/devel/viewvc/files/patch-CAN-2004-0915
@@ -0,0 +1,37 @@
+--- lib/viewcvs.py.orig 2004-10-20 15:03:41.000000000 +0200
++++ lib/viewcvs.py 2004-10-20 16:37:35.000000000 +0200
+@@ -2455,10 +2455,17 @@ def generate_tarball_header(out, name, s
+ def generate_tarball(out, relative, directory, tag, stack=[]):
+ subdirs = [ ]
+ rcs_files = [ ]
++ if relative == 'CVSROOT' and cfg.options.hide_cvsroot:
++ return
++
+ for file, pathname, isdir in get_file_data(directory):
+ if pathname == _UNREADABLE_MARKER:
+ continue
+ if isdir:
++ if file == 'CVSROOT' and relative.find('/') == -1 and cfg.options.hide_cvsroot:
++ continue
++ if relative.find('/') == -1 and cfg.is_forbidden(file):
++ continue
+ subdirs.append(file)
+ else:
+ rcs_files.append(file)
+@@ -2583,6 +2590,16 @@ def main():
+ '</body></html>\n')
+ return
+
++ if where == 'CVSROOT' and cfg.options.hide_cvsroot:
++ print "Status: 400"
++ http_header()
++ print ('<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
++ '<html><head>\n<title>400 Bad Request</title>\n'
++ '</head><body>\n'
++ '<H1>Bad Request</H1>\n Listing of CVSROOT is disallowed.<p>\n'
++ '</body></html>\n')
++ return
++
+ ### look for GZIP binary
+
+ # if we have a directory and the request didn't end in "/", then redirect
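Review bot: The new guard in main() compares `where` with the exact string 'CVSROOT', so it only rejects a request for the directory itself; whether paths below it (a file inside CVSROOT, or the same name with a trailing slash) are normalized or refused elsewhere cannot be seen from this hunk and should be confirmed. If they are not, matching on the first path component would cover them: `if cfg.options.hide_cvsroot and where.split('/')[0] == 'CVSROOT':`. In generate_tarball, `relative.find('/') == -1` is true for the repository root and also for any single-component `relative`, so the CVSROOT and `cfg.is_forbidden(file)` filters also skip second-level directories that merely share a name with a hidden module; this fails closed, but if the root is represented by an empty string (presumably, to be verified against the caller), `not relative` states the intent exactly. Both function bodies continue outside the patch context shown here.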