author | stas <stas@FreeBSD.org> | 2008-04-06 18:29:54 +0800 |
committer | stas <stas@FreeBSD.org> | 2008-04-06 18:29:54 +0800 |
commit | 6335338d6b1fc897345888b0821493af97482b43 (patch) | |
tree | 517e6d04c9f2e7996b659a2fc89df73bdcd98e29 /lang/ruby18 | |
parent | 3b655ad7984a378c54ac8fb46a697cc1c1d0700a (diff) | |
- Fix webrick vulnerability
- Update rexml to 3.1.7.2
- Bump portrevision.
Obtained from: ruby svn
Diffstat (limited to 'lang/ruby18')
-rw-r--r-- | lang/ruby18/files/patch-lib_rexml_document.rb | 11 | ||||
-rw-r--r-- | lang/ruby18/files/patch-lib_webrick_httpservlet_filehandler.rb | 51 | ||||
-rw-r--r-- | lang/ruby18/files/patch-rexml-update | 345 | ||||
-rw-r--r-- | lang/ruby18/pkg-plist | 1 |
4 files changed, 397 insertions, 11 deletions
diff --git a/lang/ruby18/files/patch-lib_rexml_document.rb b/lang/ruby18/files/patch-lib_rexml_document.rb
deleted file mode 100644
index 8f12653cb9d8..000000000000
--- a/lang/ruby18/files/patch-lib_rexml_document.rb
+++ /dev/null
@@ -1,11 +0,0 @@
---- lib/rexml/document.rb.orig 2007-12-04 03:05:22.000000000 +0300
-+++ lib/rexml/document.rb 2007-12-04 03:05:26.000000000 +0300
-@@ -183,7 +183,7 @@
- output = Output.new( output, xml_decl.encoding )
- end
- formatter = if indent > -1
-- if transitive
-+ if trans
- REXML::Formatters::Transitive.new( indent, ie_hack )
- else
- REXML::Formatters::Pretty.new( indent, ie_hack )
diff --git a/lang/ruby18/files/patch-lib_webrick_httpservlet_filehandler.rb b/lang/ruby18/files/patch-lib_webrick_httpservlet_filehandler.rb
new file mode 100644
index 000000000000..e993320bad3b
--- /dev/null
+++ b/lang/ruby18/files/patch-lib_webrick_httpservlet_filehandler.rb
@@ -0,0 +1,51 @@
+--- lib/webrick/httpservlet/filehandler.rb 2007-02-13 02:01:19.000000000 +0300
++++ lib/webrick/httpservlet/filehandler.rb 2008-03-03 17:36:04.000000000 +0300
+@@ -163,6 +163,7 @@
+ end
+ end
+ end
++ prevent_directory_traversal(req, res)
+ super(req, res)
+ end
+
+@@ -198,6 +199,22 @@
+
+ private
+
++ def prevent_directory_traversal(req, res)
++ # Preventing directory traversal on DOSISH platforms;
++ # Backslashes (0x5c) in path_info are not interpreted as special
++ # character in URI notation. So the value of path_info should be
++ # normalize before accessing to the filesystem.
++ if File::ALT_SEPARATOR
++ # File.expand_path removes the trailing path separator.
++ # Adding a character is a workaround to save it.
++ # File.expand_path("/aaa/") #=> "/aaa"
++ # File.expand_path("/aaa/" + "x") #=> "/aaa/x"
++ expanded = File.expand_path(req.path_info + "x")
++ expanded[-1, 1] = "" # remove trailing "x"
++ req.path_info = expanded
++ end
++ end
++
+ def exec_handler(req, res)
+ raise HTTPStatus::NotFound, "`#{req.path}' not found" unless @root
+ if set_filename(req, res)
+@@ -256,7 +273,7 @@
+
+ def check_filename(req, res, name)
+ @options[:NondisclosureName].each{|pattern|
+- if File.fnmatch("/#{pattern}", name)
++ if File.fnmatch("/#{pattern}", name, File::FNM_CASEFOLD)
+ @logger.warn("the request refers nondisclosure name `#{name}'.")
+ raise HTTPStatus::NotFound, "`#{req.path}' not found."
+ end
+@@ -310,7 +327,7 @@
+
+ def nondisclosure_name?(name)
+ @options[:NondisclosureName].each{|pattern|
+- if File.fnmatch(pattern, name)
++ if File.fnmatch(pattern, name, File::FNM_CASEFOLD)
+ return true
+ end
+ }
diff --git a/lang/ruby18/files/patch-rexml-update b/lang/ruby18/files/patch-rexml-update
new file mode 100644
index 000000000000..2b0e31143d49
--- /dev/null
+++ b/lang/ruby18/files/patch-rexml-update
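Review bot: On this port's platform the new `prevent_directory_traversal` is a no-op, because it only rewrites `req.path_info` inside `if File::ALT_SEPARATOR`, which is nil on FreeBSD; the part of this patch that actually takes effect here is the `File::FNM_CASEFOLD` flag added to the two `File.fnmatch` calls in `check_filename` and `nondisclosure_name?`. That flag is a visible behaviour change even on case-sensitive filesystems: a file whose name differs from a NondisclosureName pattern only in letter case was previously served and is now refused with NotFound, which is the intended hardening but should be stated. I would record that in the free text above the first `---` line of the patch file, e.g. `# FNM_CASEFOLD is the effective fix on FreeBSD; the ALT_SEPARATOR branch only matters on DOSISH platforms.`, so a later update does not drop the fnmatch change as cosmetic. The method into which the `prevent_directory_traversal(req, res)` call is inserted begins outside the hunk, as does the remainder of `exec_handler`.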
@@ -0,0 +1,345 @@ +diff -ruN ruby-1.8.6-p111/lib/rexml/attribute.rb ruby-1.8.6-p114/lib/rexml/attribute.rb +--- lib/rexml/attribute.rb 2007-07-28 06:46:08.000000000 +0400 ++++ lib/rexml/attribute.rb 2007-11-04 07:50:15.000000000 +0300 +@@ -50,7 +50,7 @@ + @element = first.element + end + elsif first.kind_of? String +- @element = parent if parent.kind_of? Element ++ @element = parent + self.name = first + @normalized = second.to_s + else +diff -ruN ruby-1.8.6-p111/lib/rexml/document.rb ruby-1.8.6-p114/lib/rexml/document.rb +--- lib/rexml/document.rb 2007-07-28 06:46:08.000000000 +0400 ++++ lib/rexml/document.rb 2007-11-04 07:50:15.000000000 +0300 +@@ -66,6 +66,7 @@ + def add( child ) + if child.kind_of? XMLDecl + @children.unshift child ++ child.parent = self + elsif child.kind_of? DocType + # Find first Element or DocType node and insert the decl right + # before it. If there is no such node, just insert the child at the +@@ -183,7 +184,7 @@ + output = Output.new( output, xml_decl.encoding ) + end + formatter = if indent > -1 +- if transitive ++ if trans + REXML::Formatters::Transitive.new( indent, ie_hack ) + else + REXML::Formatters::Pretty.new( indent, ie_hack ) +diff -ruN ruby-1.8.6-p111/lib/rexml/element.rb ruby-1.8.6-p114/lib/rexml/element.rb +--- lib/rexml/element.rb 2007-07-28 06:46:08.000000000 +0400 ++++ lib/rexml/element.rb 2007-11-04 07:50:15.000000000 +0300 +@@ -553,6 +553,7 @@ + def attribute( name, namespace=nil ) + prefix = nil + prefix = namespaces.index(namespace) if namespace ++ prefix = nil if prefix == 'xmlns' + attributes.get_attribute( "#{prefix ? prefix + ':' : ''}#{name}" ) + end + +@@ -854,15 +855,15 @@ + # Source (see Element.initialize). 
If not supplied or nil, a + # new, default Element will be constructed + # Returns:: the added Element +- # a = Element.new 'a' +- # a.elements.add Element.new 'b' #-> <a><b/></a> +- # a.elements.add 'c' #-> <a><b/><c/></a> ++ # a = Element.new('a') ++ # a.elements.add(Element.new('b')) #-> <a><b/></a> ++ # a.elements.add('c') #-> <a><b/><c/></a> + def add element=nil + rv = nil + if element.nil? +- Element.new "", self, @element.context ++ Element.new("", self, @element.context) + elsif not element.kind_of?(Element) +- Element.new element, self, @element.context ++ Element.new(element, self, @element.context) + else + @element << element + element.context = @element.context +diff -ruN ruby-1.8.6-p111/lib/rexml/encoding.rb ruby-1.8.6-p114/lib/rexml/encoding.rb +--- lib/rexml/encoding.rb 2007-07-28 06:46:08.000000000 +0400 ++++ lib/rexml/encoding.rb 2007-11-04 07:50:15.000000000 +0300 +@@ -56,8 +56,13 @@ + + def check_encoding str + # We have to recognize UTF-16, LSB UTF-16, and UTF-8 +- return UTF_16 if /\A\xfe\xff/n =~ str +- return UNILE if /\A\xff\xfe/n =~ str ++ if str[0] == 0xfe && str[1] == 0xff ++ str[0,2] = "" ++ return UTF_16 ++ elsif str[0] == 0xff && str[1] == 0xfe ++ str[0,2] = "" ++ return UNILE ++ end + str =~ /^\s*<\?xml\s+version\s*=\s*(['"]).*?\1\s+encoding\s*=\s*(["'])(.*?)\2/um + return $3.upcase if $3 + return UTF_8 +diff -ruN ruby-1.8.6-p111/lib/rexml/parsers/baseparser.rb ruby-1.8.6-p114/lib/rexml/parsers/baseparser.rb +--- lib/rexml/parsers/baseparser.rb 2007-07-28 06:46:08.000000000 +0400 ++++ lib/rexml/parsers/baseparser.rb 2007-11-04 07:50:15.000000000 +0300 +@@ -1,5 +1,7 @@ + require 'rexml/parseexception' ++require 'rexml/undefinednamespaceexception' + require 'rexml/source' ++require 'set' + + module REXML + module Parsers +@@ -24,7 +26,8 @@ + # Nat Price gave me some good ideas for the API. 
+ class BaseParser + NCNAME_STR= '[\w:][\-\w\d.]*' +- NAME_STR= "(?:#{NCNAME_STR}:)?#{NCNAME_STR}" ++ NAME_STR= "(?:(#{NCNAME_STR}):)?(#{NCNAME_STR})" ++ UNAME_STR= "(?:#{NCNAME_STR}:)?#{NCNAME_STR}" + + NAMECHAR = '[\-\w\d\.:]' + NAME = "([\\w:]#{NAMECHAR}*)" +@@ -35,7 +38,7 @@ + + DOCTYPE_START = /\A\s*<!DOCTYPE\s/um + DOCTYPE_PATTERN = /\s*<!DOCTYPE\s+(.*?)(\[|>)/um +- ATTRIBUTE_PATTERN = /\s*(#{NAME_STR})\s*=\s*(["'])(.*?)\2/um ++ ATTRIBUTE_PATTERN = /\s*(#{NAME_STR})\s*=\s*(["'])(.*?)\4/um + COMMENT_START = /\A<!--/u + COMMENT_PATTERN = /<!--(.*?)-->/um + CDATA_START = /\A<!\[CDATA\[/u +@@ -45,7 +48,7 @@ + XMLDECL_PATTERN = /<\?xml\s+(.*?)\?>/um + INSTRUCTION_START = /\A<\?/u + INSTRUCTION_PATTERN = /<\?(.*?)(\s+.*?)?\?>/um +- TAG_MATCH = /^<((?>#{NAME_STR}))\s*((?>\s+#{NAME_STR}\s*=\s*(["']).*?\3)*)\s*(\/)?>/um ++ TAG_MATCH = /^<((?>#{NAME_STR}))\s*((?>\s+#{UNAME_STR}\s*=\s*(["']).*?\5)*)\s*(\/)?>/um + CLOSE_MATCH = /^\s*<\/(#{NAME_STR})\s*>/um + + VERSION = /\bversion\s*=\s*["'](.*?)['"]/um +@@ -133,6 +136,7 @@ + @tags = [] + @stack = [] + @entities = [] ++ @nsstack = [] + end + + def position +@@ -188,6 +192,7 @@ + end + return [ :end_document ] if empty? 
+ return @stack.shift if @stack.size > 0 ++ #STDERR.puts @source.encoding + @source.read if @source.buffer.size<2 + #STDERR.puts "BUFFER = #{@source.buffer.inspect}" + if @document_status == nil +@@ -213,6 +218,7 @@ + return [ :processing_instruction, *@source.match(INSTRUCTION_PATTERN, true)[1,2] ] + when DOCTYPE_START + md = @source.match( DOCTYPE_PATTERN, true ) ++ @nsstack.unshift(curr_ns=Set.new) + identity = md[1] + close = md[2] + identity =~ IDENTITY +@@ -288,6 +294,9 @@ + val = attdef[3] + val = attdef[4] if val == "#FIXED " + pairs[attdef[0]] = val ++ if attdef[0] =~ /^xmlns:(.*)/ ++ @nsstack[0] << $1 ++ end + end + end + return [ :attlistdecl, element, pairs, contents ] +@@ -312,6 +321,7 @@ + begin + if @source.buffer[0] == ?< + if @source.buffer[1] == ?/ ++ @nsstack.shift + last_tag = @tags.pop + #md = @source.match_to_consume( '>', CLOSE_MATCH) + md = @source.match( CLOSE_MATCH, true ) +@@ -345,19 +355,47 @@ + raise REXML::ParseException.new("missing attribute quote", @source) if @source.match(MISSING_ATTRIBUTE_QUOTES ) + raise REXML::ParseException.new("malformed XML: missing tag start", @source) + end +- attrs = [] +- if md[2].size > 0 +- attrs = md[2].scan( ATTRIBUTE_PATTERN ) ++ attributes = {} ++ prefixes = Set.new ++ prefixes << md[2] if md[2] ++ @nsstack.unshift(curr_ns=Set.new) ++ if md[4].size > 0 ++ attrs = md[4].scan( ATTRIBUTE_PATTERN ) + raise REXML::ParseException.new( "error parsing attributes: [#{attrs.join ', '}], excess = \"#$'\"", @source) if $' and $'.strip.size > 0 ++ attrs.each { |a,b,c,d,e| ++ if b == "xmlns" ++ if c == "xml" ++ if d != "http://www.w3.org/XML/1998/namespace" ++ msg = "The 'xml' prefix must not be bound to any other namespace "+ ++ "(http://www.w3.org/TR/REC-xml-names/#ns-decl)" ++ raise REXML::ParseException.new( msg, @source, self ) ++ end ++ elsif c == "xmlns" ++ msg = "The 'xmlns' prefix must not be declared "+ ++ "(http://www.w3.org/TR/REC-xml-names/#ns-decl)" ++ raise REXML::ParseException.new( msg, @source, 
self) ++ end ++ curr_ns << c ++ elsif b ++ prefixes << b unless b == "xml" ++ end ++ attributes[a] = e ++ } + end + +- if md[4] ++ # Verify that all of the prefixes have been defined ++ for prefix in prefixes ++ unless @nsstack.find{|k| k.member?(prefix)} ++ raise UndefinedNamespaceException.new(prefix,@source,self) ++ end ++ end ++ ++ if md[6] + @closed = md[1] ++ @nsstack.shift + else + @tags.push( md[1] ) + end +- attributes = {} +- attrs.each { |a,b,c| attributes[a] = c } + return [ :start_element, md[1], attributes ] + end + else +@@ -371,6 +409,8 @@ + # return PullEvent.new( :text, md[1], unnormalized ) + return [ :text, md[1] ] + end ++ rescue REXML::UndefinedNamespaceException ++ raise + rescue REXML::ParseException + raise + rescue Exception, NameError => error +diff -ruN ruby-1.8.6-p111/lib/rexml/parsers/treeparser.rb ruby-1.8.6-p114/lib/rexml/parsers/treeparser.rb +--- lib/rexml/parsers/treeparser.rb 2007-02-13 02:01:19.000000000 +0300 ++++ lib/rexml/parsers/treeparser.rb 2007-11-04 07:50:15.000000000 +0300 +@@ -1,4 +1,5 @@ + require 'rexml/validation/validationexception' ++require 'rexml/undefinednamespaceexception' + + module REXML + module Parsers +@@ -29,8 +30,7 @@ + return + when :start_element + tag_stack.push(event[1]) +- # find the observers for namespaces +- @build_context = @build_context.add_element( event[1], event[2] ) ++ el = @build_context = @build_context.add_element( event[1], event[2] ) + when :end_element + tag_stack.pop + @build_context = @build_context.parent +@@ -86,6 +86,8 @@ + end + rescue REXML::Validation::ValidationException + raise ++ rescue REXML::UndefinedNamespaceException ++ raise + rescue + raise ParseException.new( $!.message, @parser.source, @parser, $! 
) + end +diff -ruN ruby-1.8.6-p111/lib/rexml/rexml.rb ruby-1.8.6-p114/lib/rexml/rexml.rb +--- lib/rexml/rexml.rb 2007-07-28 17:24:46.000000000 +0400 ++++ lib/rexml/rexml.rb 2007-11-04 07:50:15.000000000 +0300 +@@ -1,3 +1,4 @@ ++# -*- encoding: utf-8 -*- + # REXML is an XML toolkit for Ruby[http://www.ruby-lang.org], in Ruby. + # + # REXML is a _pure_ Ruby, XML 1.0 conforming, +@@ -10,8 +11,9 @@ + # + # Main page:: http://www.germane-software.com/software/rexml + # Author:: Sean Russell <serATgermaneHYPHENsoftwareDOTcom> +-# Version:: 3.1.7.1 +-# Date:: 2007/209 ++# Version:: 3.1.7.2 ++# Date:: 2007/275 ++# Revision:: $Revision: 13815 $ + # + # This API documentation can be downloaded from the REXML home page, or can + # be accessed online[http://www.germane-software.com/software/rexml_doc] +@@ -20,10 +22,10 @@ + # or can be accessed + # online[http://www.germane-software.com/software/rexml/docs/tutorial.html] + module REXML +- COPYRIGHT = "Copyright © 2001-2007 Sean Russell <ser@germane-software.com>" +- DATE = "2007/209" +- VERSION = "3.1.7.1" +- REVISION = "$Revision: 1270$".gsub(/\$Revision:|\$/,'').strip ++ COPYRIGHT = "Copyright \xC2\xA9 2001-2006 Sean Russell <ser@germane-software.com>" ++ VERSION = "3.1.7.2" ++ DATE = "2007/275" ++ REVISION = "$Revision: 13815 $".gsub(/\$Revision:|\$/,'').strip + + Copyright = COPYRIGHT + Version = VERSION +diff -ruN ruby-1.8.6-p111/lib/rexml/source.rb ruby-1.8.6-p114/lib/rexml/source.rb +--- lib/rexml/source.rb 2007-07-28 06:46:08.000000000 +0400 ++++ lib/rexml/source.rb 2007-11-04 07:50:15.000000000 +0300 +@@ -17,8 +17,8 @@ + elsif arg.kind_of? Source + arg + else +- raise "#{source.class} is not a valid input stream. It must walk \n"+ +- "like either a String, IO, or Source." ++ raise "#{arg.class} is not a valid input stream. It must walk \n"+ ++ "like either a String, an IO, or a Source." 
+ end + end + end +@@ -134,6 +134,7 @@ + def initialize(arg, block_size=500, encoding=nil) + @er_source = @source = arg + @to_utf = false ++ + # Determining the encoding is a deceptively difficult issue to resolve. + # First, we check the first two bytes for UTF-16. Then we + # assume that the encoding is at least ASCII enough for the '>', and +@@ -145,13 +146,16 @@ + str = @source.read( 2 ) + if encoding + self.encoding = encoding +- elsif /\A(?:\xfe\xff|\xff\xfe)/n =~ str +- self.encoding = check_encoding( str ) +- elsif (0xef == str[0] && 0xbb == str[1]) ++ elsif 0xfe == str[0] && 0xff == str[1] ++ @line_break = "\000>" ++ elsif 0xff == str[0] && 0xfe == str[1] ++ @line_break = ">\000" ++ elsif 0xef == str[0] && 0xbb == str[1] + str += @source.read(1) + str = '' if (0xbf == str[2]) ++ @line_break = ">" + else +- @line_break = '>' ++ @line_break = ">" + end + super str+@source.readline( @line_break ) + end +diff -ruN ruby-1.8.6-p111/lib/rexml/undefinednamespaceexception.rb ruby-1.8.6-p114/lib/rexml/undefinednamespaceexception.rb +--- lib/rexml/undefinednamespaceexception.rb 1970-01-01 03:00:00.000000000 +0300 ++++ lib/rexml/undefinednamespaceexception.rb 2007-11-04 07:50:15.000000000 +0300 +@@ -0,0 +1,8 @@ ++require 'rexml/parseexception' ++module REXML ++ class UndefinedNamespaceException < ParseException ++ def initialize( prefix, source, parser ) ++ super( "Undefined prefix #{prefix} found" ) ++ end ++ end ++end diff --git a/lang/ruby18/pkg-plist b/lang/ruby18/pkg-plist index 30386d9b8f62..ca90945b304e 100644 --- a/lang/ruby18/pkg-plist +++ b/lang/ruby18/pkg-plist @@ -518,6 +518,7 @@ lib/lib%%RUBY_NAME%%.so.%%RUBY_SHLIBVER%% %%RUBY_LIBDIR%%/rexml/streamlistener.rb %%RUBY_LIBDIR%%/rexml/syncenumerator.rb %%RUBY_LIBDIR%%/rexml/text.rb +%%RUBY_LIBDIR%%/rexml/undefinednamespaceexception.rb %%RUBY_LIBDIR%%/rexml/validation/relaxng.rb %%RUBY_LIBDIR%%/rexml/validation/validation.rb %%RUBY_LIBDIR%%/rexml/validation/validationexception.rb |