-rw-r--r--japanese/trac/Makefile24
-rw-r--r--japanese/trac/files/patch-0.10.3.1194
2 files changed, 212 insertions, 6 deletions
diff --git a/japanese/trac/Makefile b/japanese/trac/Makefile
index 8883283b5a06..0a13fa492ac1 100644
--- a/japanese/trac/Makefile
+++ b/japanese/trac/Makefile
@@ -7,7 +7,7 @@
PORTNAME= trac
PORTVERSION= 0.10.3
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= japanese www devel python
MASTER_SITES= http://dist.bsdlab.org/ \
http://www.i-act.co.jp/project/products/downloads/
@@ -16,14 +16,13 @@ DISTFILES= ${PORTNAME}-${PORTVERSION}-ja-1.zip
MAINTAINER= kuriyama@FreeBSD.org
COMMENT= An enhanced wiki and issue tracking system for software projects
-BUILD_DEPENDS= ${PYTHON_SITELIBDIR}/pysqlite2/__init__.py:${PORTSDIR}/databases/py-pysqlite20 \
- ${PYTHON_SITELIBDIR}/neo_cgi.so:${PORTSDIR}/www/clearsilver-python \
- ${PYTHON_SITELIBDIR}/svn/__init__.py:${PORTSDIR}/devel/subversion-python \
- ${PYTHON_SITELIBDIR}/japanese.pth:${PORTSDIR}/japanese/pycodec
+BUILD_DEPENDS= ${PYTHON_SITELIBDIR}/neo_cgi.so:${PORTSDIR}/www/clearsilver-python
RUN_DEPENDS= ${BUILD_DEPENDS}
OPTIONS= SILVERCITY "Use Silvercity for syntax highlighting" On \
- DOCUTILS "Allow additional text markup" On
+ DOCUTILS "Allow additional text markup" On \
+ PGSQL "Use PostgreSQL instead of SQLite3" Off \
+ SUBVERSION "Support for subversion RCS" On
CONFLICTS= trac-0.*
WRKSRC= ${WRKDIR}/${PORTNAME}-${PORTVERSION}-ja-1
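Review bot: The `japanese/pycodec` dependency (`${PYTHON_SITELIBDIR}/japanese.pth`) is removed from BUILD_DEPENDS here and is not re-added anywhere in this diff, unlike pysqlite and subversion-python, which return as conditional RUN_DEPENDS in the last Makefile hunk. If the removal is intentional (for example because the supported Python versions already ship the Japanese codecs), a one-line comment such as `# japanese/pycodec dropped: codecs are provided by Python itself` would record that; otherwise the dependency should be restored. The commit message is not visible on this page, so which case applies cannot be told from the diff alone.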
@@ -44,6 +43,9 @@ x-generate-plist:
;s,@dirrm (%%PYTHON_SITELIBDIR%%|${PYTHON_LIBDIR:S,${PYTHONBASE}/,,})$$,,g \
' | ${TR} -s '\n') > temp-pkg-plist
+post-patch:
+ ${FIND} ${WRKSRC} -name '*.orig' | ${XARGS} ${RM}
+
post-install:
@${ECHO_CMD}
@${CAT} ${PKGMESSAGE}
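Review bot: The new `post-patch` recipe pipes `${FIND}` output into `${XARGS} ${RM}`, which splits its input on whitespace, so a path containing a space would be broken into separate, unintended arguments to rm. Letting find do the removal avoids the pipe entirely: `@${FIND} ${WRKSRC} -name '*.orig' -delete`. A short comment would also help, e.g. `# remove patch(1) backup files so they are not picked up later`, since the reason for the cleanup is only presumed from context. The surrounding `x-generate-plist` and `post-install` targets extend outside this hunk.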
@@ -59,4 +61,14 @@ RUN_DEPENDS+= ${PREFIX}/bin/source2html.py:${PORTSDIR}/textproc/silvercity
RUN_DEPENDS+= ${PREFIX}/bin/rst2html:${PORTSDIR}/textproc/py-docutils
.endif
+.if defined(WITH_PGSQL)
+RUN_DEPENDS+= ${PYTHON_SITELIBDIR}/psycopg2/__init__.py:${PORTSDIR}/databases/py-psycopg2
+.else
+RUN_DEPENDS+= ${PYTHON_SITELIBDIR}/pysqlite2/__init__.py:${PORTSDIR}/databases/py-pysqlite20
+.endif
+
+.if !defined(WITHOUT_SUBVERSION)
+RUN_DEPENDS+= ${PYTHON_SITELIBDIR}/svn/__init__.py:${PORTSDIR}/devel/subversion-python
+.endif
+
.include <bsd.port.post.mk>
diff --git a/japanese/trac/files/patch-0.10.3.1 b/japanese/trac/files/patch-0.10.3.1
new file mode 100644
index 000000000000..f9c5c3c56cb0
--- /dev/null
+++ b/japanese/trac/files/patch-0.10.3.1
@@ -0,0 +1,194 @@
+Index: RELEASE
+===================================================================
+--- RELEASE (.../trac-0.10.3) (revision 4957)
++++ RELEASE (.../trac-0.10.3.1) (revision 4957)
+@@ -1,8 +1,8 @@
+-Release Notes for Trac 0.10.3
+-=============================
+-December 12, 2006
++Release Notes for Trac 0.10.3.1
++===============================
++March 8, 2007
+
+-We're happy to announce the Trac 0.10.3 release, available from:
++We're happy to announce the Trac 0.10.3.1 release, available from:
+
+ http://trac.edgewall.org/wiki/TracDownload
+
+@@ -11,18 +11,15 @@
+
+ http://trac.edgewall.org/wiki/MailingList
+
+-Trac 0.10.3 is a bug fix release and fixes a few bugs introduced in the
+-0.10.1 and 0.10.2 releases. A brief summary of major changes:
++Trac 0.10.3.1 is a security release:
++* Always send "Content-Disposition: attachment" headers where potentially
++ unsafe (user provided) content is available for download. This behaviour
++ can be altered using the "render_unsafe_content" option in the
++ "attachment" and "browser" sections of trac.ini.
++ * Fixed XSS vulnerability in "download wiki page as text" in combination with
++ Microsoft IE. Reported by Yoshinori Oota, Business Architects Inc.
+
+- * Timeline fail to load with a "NoSuchChangeset" error message (#4132).
+- * Timed out MySQL connections not handled properly (#3645).
+- * Subversion repository resync broken. (#4204).
+
+-The complete list of closed tickets can be found here:
+-
+- http://trac.edgewall.org/query?status=closed&milestone=0.10.3
+-
+-
+ Acknowledgements
+ ================
+
+Index: wiki-default/WikiStart
+===================================================================
+--- wiki-default/WikiStart (.../trac-0.10.3) (revision 4957)
++++ wiki-default/WikiStart (.../trac-0.10.3.1) (revision 4957)
+@@ -1,4 +1,4 @@
+-= Welcome to Trac 0.10.3 =
++= Welcome to Trac 0.10.3.1 =
+
+ Trac is a '''minimalistic''' approach to '''web-based''' management of
+ '''software projects'''. Its goal is to simplify effective tracking and handling of software issues, enhancements and overall progress.
+Index: ChangeLog
+===================================================================
+--- ChangeLog (.../trac-0.10.3) (revision 4957)
++++ ChangeLog (.../trac-0.10.3.1) (revision 4957)
+@@ -1,3 +1,14 @@
++Trac 0.10.3.1 (March 8, 2007)
++http://svn.edgewall.org/repos/trac/tags/trac-0.10.3.1
++
++ Trac 0.10.3.1 is a security release:
++ * Always send "Content-Disposition: attachment" headers where potentially
++ unsafe (user provided) content is available for download. This behaviour
++ can be altered using the "render_unsafe_content" option in the
++ "attachment" and "browser" sections of trac.ini.
++ * Fixed XSS vulnerability in "download wiki page as text" in combination with
++ Microsoft IE. Reported by Yoshinori Oota, Business Architects Inc.
++
+ Trac 0.10.3 (Dec 12, 2006)
+ http://svn.edgewall.org/repos/trac/tags/trac-0.10.3
+
+Index: trac/attachment.py
+===================================================================
+--- trac/attachment.py (.../trac-0.10.3) (revision 4957)
++++ trac/attachment.py (.../trac-0.10.3.1) (revision 4957)
+@@ -555,22 +555,24 @@
+ # Eventually send the file directly
+ format = req.args.get('format')
+ if format in ('raw', 'txt'):
+- if not self.render_unsafe_content and not binary:
+- # Force browser to download HTML/SVG/etc pages that may
+- # contain malicious code enabling XSS attacks
+- req.send_header('Content-Disposition', 'attachment;' +
+- 'filename=' + attachment.filename)
+- if not mime_type or (self.render_unsafe_content and \
+- not binary and format == 'txt'):
+- mime_type = 'text/plain'
++ if not self.render_unsafe_content:
++ # Force browser to download files instead of rendering
++ # them, since they might contain malicious code enabling
++ # XSS attacks
++ req.send_header('Content-Disposition', 'attachment')
++ if format == 'txt':
++ mime_type = 'text/plain'
++ elif not mime_type:
++ mime_type = 'application/octet-stream'
+ if 'charset=' not in mime_type:
+ charset = mimeview.get_charset(str_data, mime_type)
+ mime_type = mime_type + '; charset=' + charset
++
+ req.send_file(attachment.path, mime_type)
+
+ # add ''Plain Text'' alternate link if needed
+- if self.render_unsafe_content and not binary and \
+- mime_type and not mime_type.startswith('text/plain'):
++ if (self.render_unsafe_content and
++ mime_type and not mime_type.startswith('text/plain')):
+ plaintext_href = attachment.href(req, format='txt')
+ add_link(req, 'alternate', plaintext_href, 'Plain Text',
+ mime_type)
+Index: trac/mimeview/api.py
+===================================================================
+--- trac/mimeview/api.py (.../trac-0.10.3) (revision 4957)
++++ trac/mimeview/api.py (.../trac-0.10.3.1) (revision 4957)
+@@ -604,8 +604,8 @@
+ content, selector)
+ req.send_response(200)
+ req.send_header('Content-Type', output_type)
+- req.send_header('Content-Disposition', 'filename=%s.%s' % (filename,
+- ext))
++ req.send_header('Content-Disposition', 'attachment; filename=%s.%s' %
++ (filename, ext))
+ req.end_headers()
+ req.write(content)
+ raise RequestDone
+Index: trac/__init__.py
+===================================================================
+--- trac/__init__.py (.../trac-0.10.3) (revision 4957)
++++ trac/__init__.py (.../trac-0.10.3.1) (revision 4957)
+@@ -11,7 +11,7 @@
+ """
+ __docformat__ = 'epytext en'
+
+-__version__ = '0.10.3'
++__version__ = '0.10.3.1'
+ __url__ = 'http://trac.edgewall.org/'
+ __copyright__ = '(C) 2003-2006 Edgewall Software'
+ __license__ = 'BSD'
+Index: trac/versioncontrol/web_ui/browser.py
+===================================================================
+--- trac/versioncontrol/web_ui/browser.py (.../trac-0.10.3) (revision 4957)
++++ trac/versioncontrol/web_ui/browser.py (.../trac-0.10.3.1) (revision 4957)
+@@ -21,7 +21,7 @@
+ from fnmatch import fnmatchcase
+
+ from trac import util
+-from trac.config import ListOption, Option
++from trac.config import ListOption, BoolOption, Option
+ from trac.core import *
+ from trac.mimeview import Mimeview, is_binary, get_mimetype
+ from trac.perm import IPermissionRequestor
+@@ -57,6 +57,18 @@
+ glob patterns, i.e. "*" can be used as a wild card)
+ (''since 0.10'')""")
+
++ render_unsafe_content = BoolOption('browser', 'render_unsafe_content',
++ 'false',
++ """Whether attachments should be rendered in the browser, or
++ only made downloadable.
++
++ Pretty much any file may be interpreted as HTML by the browser,
++ which allows a malicious user to attach a file containing cross-site
++ scripting attacks.
++
++ For public sites where anonymous users can create attachments it is
++ recommended to leave this option disabled (which is the default).""")
++
+ # INavigationContributor methods
+
+ def get_active_navigation_item(self, req):
+@@ -216,6 +228,11 @@
+ format == 'txt' and 'text/plain' or mime_type)
+ req.send_header('Content-Length', node.content_length)
+ req.send_header('Last-Modified', http_date(node.last_modified))
++ if not self.render_unsafe_content:
++ # Force browser to download files instead of rendering
++ # them, since they might contain malicious code enabling
++ # XSS attacks
++ req.send_header('Content-Disposition', 'attachment')
+ req.end_headers()
+
+ while 1:
+Index: trac/scripts/tests/admin-tests.txt
+===================================================================
+--- trac/scripts/tests/admin-tests.txt (.../trac-0.10.3) (revision 4957)
++++ trac/scripts/tests/admin-tests.txt (.../trac-0.10.3.1) (revision 4957)
+@@ -1,5 +1,5 @@
+ ===== test_help_ok =====
+-trac-admin - The Trac Administration Console 0.10.3
++trac-admin - The Trac Administration Console 0.10.3.1
+
+ Usage: trac-admin </path/to/projenv> [command [subcommand] [option ...]]
+
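Review bot: In the trac/mimeview/api.py part of this patch the new header is built as `'attachment; filename=%s.%s' % (filename, ext)`, so the filename is placed into Content-Disposition unquoted and unescaped. If `filename` can contain spaces, semicolons, quotes or control characters (its origin is not visible in the hunk), the header becomes malformed or is parsed inconsistently by browsers; quoting and sanitising the value, or sending a bare `req.send_header('Content-Disposition', 'attachment')` as trac/attachment.py now does, would avoid that. Separately, the patch sets `__version__ = '0.10.3.1'` while the port keeps PORTVERSION 0.10.3 and only bumps PORTREVISION, so the package version will not match what Trac reports. A Makefile comment noting that the 0.10.3.1 security fix is applied through files/patch-0.10.3.1 would keep version-based audits from being misled.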