Added security patch for XSS vulnerability (CVE-2009-4497)

PR:		ports/146337
Submitted by:	Eygene Ryabinkin (maintainer)
Approved by:	itetcu (mentor, implicit)
Security:	http://www.vuxml.org/freebsd/0491d15a-5875-11df-8d80-0015587e2cc1.html

4 files changed, 38 insertions, 131 deletions

diff --git a/devel/lxr/Makefile b/devel/lxr/Makefile
index 63e6608b2a67..d5a9f3d798dd 100644
--- a/devel/lxr/Makefile
+++ b/devel/lxr/Makefile
@@ -7,8 +7,9 @@
 
 PORTNAME=	lxr
 PORTVERSION=	0.9.6
+PORTREVISION=	1
 CATEGORIES=	devel
-MASTER_SITES=	SF/${PORTNAME}/development/${PORTNAME}-${PORTVERSION}
+MASTER_SITES=	SF/${PORTNAME}/stable/${PORTNAME}-${PORTVERSION}
 EXTRACT_SUFX=	.tgz
 
 MAINTAINER=	rea-fbsd@codelabs.ru
@@ -19,7 +20,6 @@ BUILD_DEPENDS=	exctags:${PORTSDIR}/devel/ctags \
 		${SITE_PERL}/File/MMagic.pm:${PORTSDIR}/devel/p5-File-MMagic
 
 PATCH_STRIP=	-p1
-EXTRA_PATCHES=	${PATCHDIR}/fix-perl-warnings.patch
 
 USE_GZIP=	yes
 USE_PERL5=	yes
@@ -122,8 +122,8 @@ do-install:
 .endif # !defined(NOPORTDOCS)
 	${MKDIR} ${PREFIX}/${SITE_PERL_REL}
 	${INSTALL_DATA} ${WRKSRC}/Local.pm ${PREFIX}/${SITE_PERL_REL}
-	${TAR} -C ${WRKSRC}/lib -cf - --exclude *.orig LXR | ${TAR} -C ${PREFIX}/${SITE_PERL_REL} -xf -
-	${TAR} -C ${WRKSRC} -cf - --exclude *.orig templates | ${TAR} -C ${LXRDIR} -xf -
+	${TAR} -C ${WRKSRC}/lib -cf - --exclude '*.orig' LXR | ${TAR} -C ${PREFIX}/${SITE_PERL_REL} -xf -
+	${TAR} -C ${WRKSRC} -cf - --exclude '*.orig' templates | ${TAR} -C ${LXRDIR} -xf -
 	${CHMOD} 640 ${LXRDIR}/templates/lxr.conf
 
 post-install:
diff --git a/devel/lxr/files/fix-perl-warnings.patch b/devel/lxr/files/fix-perl-warnings.patch
deleted file mode 100644
index b933fd980197..000000000000
--- a/devel/lxr/files/fix-perl-warnings.patch
+++ /dev/null
@@ -1,127 +0,0 @@
-From 5e71b7d7e7b4b7619b156b0fb13e52775ed17ccc Mon Sep 17 00:00:00 2001
-From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
-Date: Fri, 12 Dec 2008 19:26:20 +0300
-Subject: [PATCH] Fixed some warnings produced by 'perl -w'
-
-Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
----
- lib/LXR/Common.pm         |   23 +++++++++++++++++------
- lib/LXR/Files/Plain.pm    |    1 +
- lib/LXR/Index/Postgres.pm |    6 ++++++
- 3 files changed, 24 insertions(+), 6 deletions(-)
-
-diff --git a/lib/LXR/Common.pm b/lib/LXR/Common.pm
-index fea8479..84f38e4 100644
---- a/lib/LXR/Common.pm
-+++ b/lib/LXR/Common.pm
-@@ -120,6 +120,7 @@ sub fileref {
- 	# jwz: URL-quote any special characters.
- 	$path =~ s|([^-a-zA-Z0-9.\@/_\r\n])|sprintf("%%%02X", ord($1))|ge;
- 
-+	$line = -1 unless defined($line);
- 	if ($line > 0 && length($line) < 3) {
- 		$line = ('0' x (3 - length($line))) . $line;
- 	}
-@@ -134,7 +135,8 @@ sub diffref {
- 	my ($desc, $css, $path, $darg) = @_;
- 	my $dval;
- 
--	($darg, $dval) = $darg =~ /(.*?)=(.*)/;
-+        ($darg, $dval) = (defined($darg) ?
-+	    $darg =~ /(.*?)=(.*)/ : (undef, undef));
- 	return ("<a class='$css' href=\"$config->{virtroot}/diff$path"
- 		  . &urlargs(($darg ? "diffvar=$darg" : ""), ($dval ? "diffval=$dval" : ""))
- 		  . "\"\>$desc</a>");
-@@ -280,6 +282,9 @@ sub markupfile {
- 		while (defined($frag)) {
- 			&markspecials($frag);
- 
-+			# Use value that won't match anything
-+			# in the next if-else for the undefined $btype
-+			$btype = '' unless (defined($btype));
- 			if ($btype eq 'comment') {
- 
- 				# Comment
-@@ -295,7 +300,6 @@ sub markupfile {
- 				# Include directive
- 				$lang->processinclude(\$frag, $dir);
- 			} else {
--
- 				# Code
- 				$lang->processcode(\$frag);
- 			}
-@@ -371,6 +375,7 @@ sub markupfile {
- }
- 
- sub fixpaths {
-+	return '/' unless defined($_[0]);
- 	my $node = '/' . shift;
- 
- 	while ($node =~ s|/[^/]+/\.\./|/|g) { }
-@@ -473,7 +478,9 @@ sub httpinit {
- 	$HTTP->{'this_url'} = 'http://' . $ENV{'SERVER_NAME'};
- 	$HTTP->{'this_url'} .= ':' . $ENV{'SERVER_PORT'}
- 	  if $ENV{'SERVER_PORT'} != 80;
--	$HTTP->{'this_url'} .= $ENV{'SCRIPT_NAME'} . $ENV{'PATH_INFO'};
-+	$HTTP->{'this_url'} .= $ENV{'SCRIPT_NAME'};
-+	$HTTP->{'this_url'} .= $ENV{'PATH_INFO'}
-+	    if defined($ENV{'PATH_INFO'});
- 	$HTTP->{'this_url'} .= '?' . $ENV{'QUERY_STRING'}
- 	  if $ENV{'QUERY_STRING'};
- 
-@@ -721,9 +728,13 @@ sub varlinks {
- 				$vallink = &idref($val, "varlink", $identifier, "$var=$val");
- 			} elsif ($who eq 'search') {
- 				$vallink =
--				    "<a class=\"varlink\" href=\"$config->{virtroot}/search"
--				  . &urlargs("$var=$val", "string=" . $HTTP->{'param'}->{'string'})
--				  . "\">$val</a>";
-+				    "<a class=\"varlink\" href=\"$config->{virtroot}/search";
-+				if (defined($HTTP->{'param'}->{'string'})) {
-+                                        $vallink .= &urlargs("$var=$val",
-+                                            "string=" .
-+                                            $HTTP->{'param'}->{'string'});
-+                                }
-+                                $vallink .= "\">$val</a>";
- 			}
- 		}
- 
-diff --git a/lib/LXR/Files/Plain.pm b/lib/LXR/Files/Plain.pm
-index 27c5dee..ade40fd 100644
---- a/lib/LXR/Files/Plain.pm
-+++ b/lib/LXR/Files/Plain.pm
-@@ -131,6 +131,7 @@ sub getdir {
- 
- sub toreal {
- 	my ($self, $pathname, $release) = @_;
-+	$release = "" unless defined($release);
- 
- # nearly all (if not all) method calls eventually call toreal(), so this is a good place to block file access
- 	foreach my $ignoredir ($config->ignoredirs) {
-diff --git a/lib/LXR/Index/Postgres.pm b/lib/LXR/Index/Postgres.pm
-index ae1e11f..4667036 100644
---- a/lib/LXR/Index/Postgres.pm
-+++ b/lib/LXR/Index/Postgres.pm
-@@ -158,6 +158,9 @@ sub getindex {
- 	my ($self, $symname, $release) = @_;
- 	my ($rows, @ret);
- 
-+	$release = "" unless defined($release);
-+	return () unless defined($symname);
-+
- 	$rows = $indexes_select->execute("$symname", "$release");
- 
- 	while ($rows-- > 0) {
-@@ -175,6 +178,9 @@ sub getreference {
- 	my ($self, $symname, $release) = @_;
- 	my ($rows, @ret);
- 
-+	$release = "" unless defined($release);
-+	return () unless defined($symname);
-+
- 	$rows = $usage_select->execute("$symname", "$release");
- 
- 	while ($rows-- > 0) {
--- 
-1.6.0.4
-
diff --git a/devel/lxr/files/patch-CVE-2009-4497 b/devel/lxr/files/patch-CVE-2009-4497
new file mode 100644
index 000000000000..5c844f46d2e6
--- /dev/null
+++ b/devel/lxr/files/patch-CVE-2009-4497
@@ -0,0 +1,14 @@
+Obtained-From: http://lxr.cvs.sourceforge.net/viewvc/lxr/lxr/lib/LXR/Common.pm?r1=1.63&r2=1.64&view=patch
+Modified-As: two first hunks containing $Id$ were removed to allow clean patching
+
+--- a/lib/LXR/Common.pm	2010/01/05 17:59:38	1.63
++++ b/lib/LXR/Common.pm	2010/01/15 23:23:20	1.64
+@@ -633,6 +633,8 @@
+ 		return $config->sourcerootname . ' identifier search' . ($i ? ": $i" : '');
+ 	} elsif ($who eq 'search') {
+ 		my $s = $HTTP->{'param'}->{'string'};
++		$s =~ s/</&lt;/g;
++		$s =~ s/>/&gt;/g;
+ 		return $config->sourcerootname . ' general search' . ($s ? ": $s" : '');
+ 	}
+ }
diff --git a/devel/lxr/files/patch-fix-clean_identifier b/devel/lxr/files/patch-fix-clean_identifier
new file mode 100644
index 000000000000..5751a87f6561
--- /dev/null
+++ b/devel/lxr/files/patch-fix-clean_identifier
@@ -0,0 +1,20 @@
+Obtained-From: http://lxr.cvs.sourceforge.net/viewvc/lxr/lxr/lib/LXR/Common.pm?r1=1.62&r2=1.63&view=patch
+Modified-As: two first hunks containing $Id$ changes were removed to allow clean patching
+
+--- a/lib/LXR/Common.pm	2009/05/10 11:54:29	1.62
++++ b/lib/LXR/Common.pm	2010/01/05 17:59:38	1.63
+@@ -526,9 +526,13 @@
+ }
+ 
+ sub clean_identifier {
++	# Cleans up the identifier parameter
++	# Result should be HTML-safe and a valid identifier in
++	# any supported language...
++	# Well, not Lisp symbols since they can contain anything
+ 	my $id = shift;
+ 
+-	$id =~ s/(^[\w`:.,]+).*/$1/ if defined $id;
++	$id =~ s/[^\w`:.,\-_ ]//g if defined $id;
+ 
+ 	return $id;
+ }