-rw-r--r-- | japanese/trac/Makefile | 24 | ||||
-rw-r--r-- | japanese/trac/files/patch-0.10.3.1 | 194 |
2 files changed, 212 insertions, 6 deletions
diff --git a/japanese/trac/Makefile b/japanese/trac/Makefile index 8883283b5a06..0a13fa492ac1 100644 --- a/japanese/trac/Makefile +++ b/japanese/trac/Makefile @@ -7,7 +7,7 @@ PORTNAME= trac PORTVERSION= 0.10.3 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= japanese www devel python MASTER_SITES= http://dist.bsdlab.org/ \ http://www.i-act.co.jp/project/products/downloads/ @@ -16,14 +16,13 @@ DISTFILES= ${PORTNAME}-${PORTVERSION}-ja-1.zip MAINTAINER= kuriyama@FreeBSD.org COMMENT= An enhanced wiki and issue tracking system for software projects -BUILD_DEPENDS= ${PYTHON_SITELIBDIR}/pysqlite2/__init__.py:${PORTSDIR}/databases/py-pysqlite20 \ - ${PYTHON_SITELIBDIR}/neo_cgi.so:${PORTSDIR}/www/clearsilver-python \ - ${PYTHON_SITELIBDIR}/svn/__init__.py:${PORTSDIR}/devel/subversion-python \ - ${PYTHON_SITELIBDIR}/japanese.pth:${PORTSDIR}/japanese/pycodec +BUILD_DEPENDS= ${PYTHON_SITELIBDIR}/neo_cgi.so:${PORTSDIR}/www/clearsilver-python RUN_DEPENDS= ${BUILD_DEPENDS} OPTIONS= SILVERCITY "Use Silvercity for syntax highlighting" On \ - DOCUTILS "Allow additional text markup" On + DOCUTILS "Allow additional text markup" On \ + PGSQL "Use PostgreSQL instead of SQLite3" Off \ + SUBVERSION "Support for subversion RCS" On CONFLICTS= trac-0.* WRKSRC= ${WRKDIR}/${PORTNAME}-${PORTVERSION}-ja-1 @@ -44,6 +43,9 @@ x-generate-plist: ;s,@dirrm (%%PYTHON_SITELIBDIR%%|${PYTHON_LIBDIR:S,${PYTHONBASE}/,,})$$,,g \ ' | ${TR} -s '\n') > temp-pkg-plist +post-patch: + ${FIND} ${WRKSRC} -name '*.orig' | ${XARGS} ${RM} + post-install: @${ECHO_CMD} @${CAT} ${PKGMESSAGE} 
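Review bot: The added `post-patch` target pipes `find` output straight into `xargs rm`, so any `*.orig` path under `${WRKSRC}` that contains whitespace is split into several arguments and the intended file is not removed. Letting find do the removal avoids the word splitting: `${FIND} ${WRKSRC} -type f -name '*.orig' -delete`. A one-line comment above the target would also help, saying why the backups are removed. Presumably they are left behind when `files/patch-0.10.3.1` is applied and would otherwise be picked up at install time, but that is an inference from this commit and should be confirmed.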
@@ -59,4 +61,14 @@ RUN_DEPENDS+= ${PREFIX}/bin/source2html.py:${PORTSDIR}/textproc/silvercity RUN_DEPENDS+= ${PREFIX}/bin/rst2html:${PORTSDIR}/textproc/py-docutils .endif +.if defined(WITH_PGSQL) +RUN_DEPENDS+= ${PYTHON_SITELIBDIR}/psycopg2/__init__.py:${PORTSDIR}/databases/py-psycopg2 +.else +RUN_DEPENDS+= ${PYTHON_SITELIBDIR}/pysqlite2/__init__.py:${PORTSDIR}/databases/py-pysqlite20 +.endif + +.if !defined(WITHOUT_SUBVERSION) +RUN_DEPENDS+= ${PYTHON_SITELIBDIR}/svn/__init__.py:${PORTSDIR}/devel/subversion-python +.endif + .include <bsd.port.post.mk> diff --git a/japanese/trac/files/patch-0.10.3.1 b/japanese/trac/files/patch-0.10.3.1 new file mode 100644 index 000000000000..f9c5c3c56cb0 --- /dev/null +++ b/japanese/trac/files/patch-0.10.3.1 
@@ -0,0 +1,194 @@ +Index: RELEASE +=================================================================== +--- RELEASE (.../trac-0.10.3) (revision 4957) ++++ RELEASE (.../trac-0.10.3.1) (revision 4957) +@@ -1,8 +1,8 @@ +-Release Notes for Trac 0.10.3 +-============================= +-December 12, 2006 ++Release Notes for Trac 0.10.3.1 ++=============================== ++March 8, 2007 + +-We're happy to announce the Trac 0.10.3 release, available from: ++We're happy to announce the Trac 0.10.3.1 release, available from: + + http://trac.edgewall.org/wiki/TracDownload + +@@ -11,18 +11,15 @@ + + http://trac.edgewall.org/wiki/MailingList + +-Trac 0.10.3 is a bug fix release and fixes a few bugs introduced in the +-0.10.1 and 0.10.2 releases. A brief summary of major changes: ++Trac 0.10.3.1 is a security release: ++* Always send "Content-Disposition: attachment" headers where potentially ++ unsafe (user provided) content is available for download. This behaviour ++ can be altered using the "render_unsafe_content" option in the ++ "attachment" and "browser" sections of trac.ini. ++ * Fixed XSS vulnerability in "download wiki page as text" in combination with ++ Microsoft IE. Reported by Yoshinori Oota, Business Architects Inc. + +- * Timeline fail to load with a "NoSuchChangeset" error message (#4132). +- * Timed out MySQL connections not handled properly (#3645). +- * Subversion repository resync broken. (#4204). + +-The complete list of closed tickets can be found here: +- +- http://trac.edgewall.org/query?status=closed&milestone=0.10.3 +- +- + Acknowledgements + ================ + +Index: wiki-default/WikiStart +=================================================================== +--- wiki-default/WikiStart (.../trac-0.10.3) (revision 4957) ++++ wiki-default/WikiStart (.../trac-0.10.3.1) (revision 4957) +@@ -1,4 +1,4 @@ +-= Welcome to Trac 0.10.3 =
++= Welcome to Trac 0.10.3.1 =
+
+ Trac is a '''minimalistic''' approach to '''web-based''' management of
+ '''software projects'''. Its goal is to simplify effective tracking and handling of software issues, enhancements and overall progress.
+Index: ChangeLog +=================================================================== +--- ChangeLog (.../trac-0.10.3) (revision 4957) ++++ ChangeLog (.../trac-0.10.3.1) (revision 4957) +@@ -1,3 +1,14 @@ ++Trac 0.10.3.1 (March 8, 2007) ++http://svn.edgewall.org/repos/trac/tags/trac-0.10.3.1 ++ ++ Trac 0.10.3.1 is a security release: ++ * Always send "Content-Disposition: attachment" headers where potentially ++ unsafe (user provided) content is available for download. This behaviour ++ can be altered using the "render_unsafe_content" option in the ++ "attachment" and "browser" sections of trac.ini. ++ * Fixed XSS vulnerability in "download wiki page as text" in combination with ++ Microsoft IE. Reported by Yoshinori Oota, Business Architects Inc. ++ + Trac 0.10.3 (Dec 12, 2006) + http://svn.edgewall.org/repos/trac/tags/trac-0.10.3 + +Index: trac/attachment.py +=================================================================== +--- trac/attachment.py (.../trac-0.10.3) (revision 4957) ++++ trac/attachment.py (.../trac-0.10.3.1) (revision 4957) +@@ -555,22 +555,24 @@ + # Eventually send the file directly + format = req.args.get('format') + if format in ('raw', 'txt'): +- if not self.render_unsafe_content and not binary: +- # Force browser to download HTML/SVG/etc pages that may +- # contain malicious code enabling XSS attacks +- req.send_header('Content-Disposition', 'attachment;' + +- 'filename=' + attachment.filename) +- if not mime_type or (self.render_unsafe_content and \ +- not binary and format == 'txt'): +- mime_type = 'text/plain' ++ if not self.render_unsafe_content: ++ # Force browser to download files instead of rendering ++ # them, since they might contain malicious code enabling ++ # XSS attacks ++ req.send_header('Content-Disposition', 'attachment') ++ if format == 'txt': ++ mime_type = 'text/plain' ++ elif not mime_type: ++ mime_type = 'application/octet-stream' + if 'charset=' not in mime_type: + charset = mimeview.get_charset(str_data, mime_type) + 
mime_type = mime_type + '; charset=' + charset ++ + req.send_file(attachment.path, mime_type) + + # add ''Plain Text'' alternate link if needed +- if self.render_unsafe_content and not binary and \ +- mime_type and not mime_type.startswith('text/plain'): ++ if (self.render_unsafe_content and ++ mime_type and not mime_type.startswith('text/plain')): + plaintext_href = attachment.href(req, format='txt') + add_link(req, 'alternate', plaintext_href, 'Plain Text', + mime_type) +Index: trac/mimeview/api.py +=================================================================== +--- trac/mimeview/api.py (.../trac-0.10.3) (revision 4957) ++++ trac/mimeview/api.py (.../trac-0.10.3.1) (revision 4957) +@@ -604,8 +604,8 @@ + content, selector) + req.send_response(200) + req.send_header('Content-Type', output_type) +- req.send_header('Content-Disposition', 'filename=%s.%s' % (filename, +- ext)) ++ req.send_header('Content-Disposition', 'attachment; filename=%s.%s' % ++ (filename, ext)) + req.end_headers() + req.write(content) + raise RequestDone +Index: trac/__init__.py +=================================================================== +--- trac/__init__.py (.../trac-0.10.3) (revision 4957) ++++ trac/__init__.py (.../trac-0.10.3.1) (revision 4957) +@@ -11,7 +11,7 @@ + """ + __docformat__ = 'epytext en' + +-__version__ = '0.10.3' ++__version__ = '0.10.3.1' + __url__ = 'http://trac.edgewall.org/' + __copyright__ = '(C) 2003-2006 Edgewall Software' + __license__ = 'BSD' +Index: trac/versioncontrol/web_ui/browser.py +=================================================================== +--- trac/versioncontrol/web_ui/browser.py (.../trac-0.10.3) (revision 4957) ++++ trac/versioncontrol/web_ui/browser.py (.../trac-0.10.3.1) (revision 4957) +@@ -21,7 +21,7 @@ + from fnmatch import fnmatchcase + + from trac import util +-from trac.config import ListOption, Option ++from trac.config import ListOption, BoolOption, Option + from trac.core import * + from trac.mimeview import Mimeview, 
is_binary, get_mimetype + from trac.perm import IPermissionRequestor +@@ -57,6 +57,18 @@ + glob patterns, i.e. "*" can be used as a wild card) + (''since 0.10'')""") + ++ render_unsafe_content = BoolOption('browser', 'render_unsafe_content', ++ 'false', ++ """Whether attachments should be rendered in the browser, or ++ only made downloadable. ++ ++ Pretty much any file may be interpreted as HTML by the browser, ++ which allows a malicious user to attach a file containing cross-site ++ scripting attacks. ++ ++ For public sites where anonymous users can create attachments it is ++ recommended to leave this option disabled (which is the default).""") ++ + # INavigationContributor methods + + def get_active_navigation_item(self, req): +@@ -216,6 +228,11 @@ + format == 'txt' and 'text/plain' or mime_type) + req.send_header('Content-Length', node.content_length) + req.send_header('Last-Modified', http_date(node.last_modified)) ++ if not self.render_unsafe_content: ++ # Force browser to download files instead of rendering ++ # them, since they might contain malicious code enabling ++ # XSS attacks ++ req.send_header('Content-Disposition', 'attachment') + req.end_headers() + + while 1: +Index: trac/scripts/tests/admin-tests.txt +=================================================================== +--- trac/scripts/tests/admin-tests.txt (.../trac-0.10.3) (revision 4957) ++++ trac/scripts/tests/admin-tests.txt (.../trac-0.10.3.1) (revision 4957) +@@ -1,5 +1,5 @@ + ===== test_help_ok ===== +-trac-admin - The Trac Administration Console 0.10.3 ++trac-admin - The Trac Administration Console 0.10.3.1 + + Usage: trac-admin </path/to/projenv> [command [subcommand] [option ...]] + |
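Review bot: In the `trac/mimeview/api.py` part of the added patch, `filename` and `ext` are interpolated into the `Content-Disposition` value unquoted, so a name containing spaces, `;` or `"` produces a malformed header, and a name carrying CR/LF would spill into further header lines unless `send_header` filters it. Where `filename` comes from is outside the hunk; if it derives from the wiki page name it is user-influenced, so it should be reduced to a safe character set and emitted as a quoted string, e.g. `'attachment; filename="%s.%s"' % (safe_name, ext)`, with `safe_name` standing for the sanitized value. Separately, the `render_unsafe_content` docstring added to `browser.py` still says "attachments" although the option is registered under the `browser` section and is checked before repository file content is sent; it could read `Whether files in the repository browser should be rendered in the browser, or only made downloadable.` The functions touched in `attachment.py`, `api.py` and `browser.py` all start and end outside the quoted context.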