author: rm <rm@FreeBSD.org>, 2012-10-25 18:12:42 +0800
committer: rm <rm@FreeBSD.org>, 2012-10-25 18:12:42 +0800
commit: 7a8091a2ff1c0ffb66e37f8e69d5746b54bf2fc6 (patch)
tree: f35761640d61a2fd2cd6db9bf24ec26f662a3366
parent: 4f330847480c91847f24857ea84e2318548a0fb4 (diff)
download: freebsd-ports-graphics-7a8091a2ff1c0ffb66e37f8e69d5746b54bf2fc6.tar.gz, freebsd-ports-graphics-7a8091a2ff1c0ffb66e37f8e69d5746b54bf2fc6.tar.zst, freebsd-ports-graphics-7a8091a2ff1c0ffb66e37f8e69d5746b54bf2fc6.zip
- update django ports to 1.3.4 and 1.4.2, which fixes a couple of security issues.
All users are encouraged to upgrade immediately.
- add vuxml entry
changes common to both ports:
- trim Makefile header
- restrict python version to 2.x only
- utilize options framework multiple choice feature to let the user choose
the database backends needed. Make SQLITE option default
- shorten description of HTMLDOCS_DESC to make it fit into dialog screen
- SITELIBDIR -> PKGNAMEPREFIX change in dependencies
- convert NOPORTDOCS condition to optionsng
- tab -> space change in pkg-descr
PR: 173017
Submitted by: rm (myself)
Approved by: lwhsu (maintainer, by mail)
Security: 5f326d75-1db9-11e2-bc8f-d0df9acfd7e5
Feature safe: yes
-rw-r--r-- security/vuxml/vuln.xml | 63
-rw-r--r-- www/py-django/Makefile | 34
-rw-r--r-- www/py-django/distinfo | 4
-rw-r--r-- www/py-django/pkg-descr | 2
-rw-r--r-- www/py-django/pkg-plist | 3
-rw-r--r-- www/py-django13/Makefile | 34
-rw-r--r-- www/py-django13/distinfo | 4
-rw-r--r-- www/py-django13/pkg-descr | 2
8 files changed, 102 insertions, 44 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index f7b879be083..c74b067aa0f 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml 
@@ -51,6 +51,69 @@ Note: Please add new entries to the beginning of this file. --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="5f326d75-1db9-11e2-bc8f-d0df9acfd7e5"> + <topic>django -- multiple vulnerabilities</topic> + <affects> + <package> + <name>django</name> + <range><lt>1.4.2</lt></range> + </package> + <package> + <name>django13</name> + <range><lt>1.3.4</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The Django Project reports:</p> + <blockquote cite="https://www.djangoproject.com/weblog/2012/oct/17/security/"> + <ol> + <li> + <p>Host header poisoning</p> + <p>Some parts of Django -- independent of end-user-written applications + -- make use of full URLs, including domain name, which are generated + from the HTTP Host header. Some attacks against this are beyond Django's + ability to control, and require the web server to be properly configured; + Django's documentation has for some time contained notes advising users + on such configuration.</p> + <p>Django's own built-in parsing of the Host header is, however, still + vulnerable, as was reported to us recently. The Host header parsing + in Django 1.3 and Django 1.4 -- specifically, django.http.HttpRequest.get_host() + -- was incorrectly handling username/password information in the header. 
+ Thus, for example, the following Host header would be accepted by Django when + running on "validsite.com":</p> + <p>Host: validsite.com:random@evilsite.com</p> + <p>Using this, an attacker can cause parts of Django -- particularly the + password-reset mechanism -- to generate and display arbitrary URLs to users.</p> + <p>To remedy this, the parsing in HttpRequest.get_host() is being modified; Host + headers which contain potentially dangerous content (such as username/password + pairs) now raise the exception django.core.exceptions.SuspiciousOperation.</p> + </li> + <li> + <p>Documentation of HttpOnly cookie option</p> + <p>As of Django 1.4, session cookies are always sent with the HttpOnly flag, which + provides some additional protection from cross-site scripting attacks by denying + client-side scripts access to the session cookie.</p> + <p>Though not directly a security issue in Django, it has been reported that the + Django 1.4 documentation incorrectly described this change, by claiming that this + was now the default for all cookies set by the HttpResponse.set_cookie() method.</p> + <p>The Django documentation has been updated to reflect that this only applies to the + session cookie. Users of Django are encouraged to review their use of set_cookie() + to ensure that the HttpOnly flag is being set or unset appropriately.</p> + </li> + </ol> + </blockquote> + </body> + </description> + <references> + <url>https://www.djangoproject.com/weblog/2012/oct/17/security/</url> + </references> + <dates> + <discovery>2012-10-17</discovery> + <entry>2012-10-24</entry> + </dates> + </vuln> + <vuln vid="a7706414-1be7-11e2-9aad-902b343deec9"> <topic>Wireshark -- Multiple Vulnerabilities</topic> <affects> diff --git a/www/py-django/Makefile b/www/py-django/Makefile index a460610fd5b..d02fb35479e 100644 --- a/www/py-django/Makefile +++ b/www/py-django/Makefile 
@@ -1,12 +1,8 @@ -# New ports collection makefile for: django -# Date created: 2005-11-19 -# Whom: Jose Alonso Cardenas Marquez <acardenas@bsd.org.pe> -# +# Created by: Jose Alonso Cardenas Marquez <acardenas@bsd.org.pe> # $FreeBSD$ -# PORTNAME= django -PORTVERSION= 1.4.1 +PORTVERSION= 1.4.2 CATEGORIES= www python MASTER_SITES= https://www.djangoproject.com/m/releases/${PORTVERSION:R}/ \ CHEESESHOP @@ -20,7 +16,7 @@ COMMENT= High-level Python Web framework LICENSE= BSD USE_GETTEXT= yes -USE_PYTHON= yes +USE_PYTHON= -2.7 USE_PYDISTUTILS= yes PYDISTUTILS_PKGNAME= Django @@ -28,20 +24,20 @@ CONFLICTS= py2[0-9]-django-devel-[0-9]* py2[0-9]-django-1.[23].* DOCSDIR= ${PREFIX}/share/doc/py-django -OPTIONS_DEFINE= PGSQL MYSQL SQLITE FASTCGI HTMLDOCS -OPTIONS_DEFAULT= - -HTMLDOCS_DESC= Build and install the HTML documentation (requires Sphinx) - -MAN1= daily_cleanup.1 django-admin.1 gather_profile_stats.1 - # bypass infrastructure bug OPTIONSFILE= ${PORT_DBDIR}/py-${PORTNAME}/options +OPTIONS_DEFINE= FASTCGI HTMLDOCS +OPTIONS_DEFAULT=SQLITE +OPTIONS_MULTI= DATABASE +OPTIONS_MULTI_DATABASE= PGSQL MYSQL SQLITE +HTMLDOCS_DESC= Install the HTML documentation (requires Sphinx) + +MAN1= daily_cleanup.1 django-admin.1 gather_profile_stats.1 -.include <bsd.port.pre.mk> +.include <bsd.port.options.mk> .if ${PORT_OPTIONS:MPGSQL} -RUN_DEPENDS+= ${PYTHON_SITELIBDIR}/psycopg2/_psycopg.so:${PORTSDIR}/databases/py-psycopg2 +RUN_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}psycopg2>0:${PORTSDIR}/databases/py-psycopg2 .endif .if ${PORT_OPTIONS:MMYSQL} @@ -49,7 +45,7 @@ RUN_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}MySQLdb>=1.2.2:${PORTSDIR}/databases/py-MyS .endif .if ${PORT_OPTIONS:MSQLITE} -RUN_DEPENDS+= ${PYTHON_SITELIBDIR}/_sqlite3.so:${PORTSDIR}/databases/py-sqlite3 +RUN_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}sqlite3>0:${PORTSDIR}/databases/py-sqlite3 .endif .if ${PORT_OPTIONS:MFASTCGI} 
@@ -57,7 +53,7 @@ RUN_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}flup>0:${PORTSDIR}/www/py-flup .endif .if ${PORT_OPTIONS:MHTMLDOCS} -. if defined(NOPORTDOCS) +. if empty(PORT_OPTIONS:MDOCS) IGNORE= you cannot build documentation while setting NOPORTDOCS . endif BUILD_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}sphinx>0:${PORTSDIR}/textproc/py-sphinx @@ -79,4 +75,4 @@ post-install: ${CP} -R ${WRKSRC}/docs/_build/html ${DOCSDIR} .endif -.include <bsd.port.post.mk> +.include <bsd.port.mk> diff --git a/www/py-django/distinfo b/www/py-django/distinfo index 3958193eddf..a4b32b90039 100644 --- a/www/py-django/distinfo +++ b/www/py-django/distinfo @@ -1,2 +1,2 @@ -SHA256 (python/Django-1.4.1.tar.gz) = 4d8d20eba350d3d29613cc5a6302d5c23730c7f9e150985bc58b3175b755409b -SIZE (python/Django-1.4.1.tar.gz) = 7656756 +SHA256 (python/Django-1.4.2.tar.gz) = edfd8733f45bbaa524cee25bcac3080ce28c21242c27227464eae3fa6b3d80e7 +SIZE (python/Django-1.4.2.tar.gz) = 7722026 diff --git a/www/py-django/pkg-descr b/www/py-django/pkg-descr index 4356d5ad924..1eefec3fb49 100644 --- a/www/py-django/pkg-descr +++ b/www/py-django/pkg-descr @@ -7,4 +7,4 @@ intensive deadlines of a newsroom and the stringent requirements of experienced Web developers. It has convenient niceties for developing content-management systems, but it's an excellent tool for building any Web site. -WWW: http://www.djangoproject.com/ +WWW: http://www.djangoproject.com/ diff --git a/www/py-django/pkg-plist b/www/py-django/pkg-plist index de460b6bf76..c07c2ed69cb 100644 --- a/www/py-django/pkg-plist +++ b/www/py-django/pkg-plist 
@@ -5294,6 +5294,9 @@ bin/django-admin.py %%PYTHON_SITELIBDIR%%/django/utils/simplejson/tool.py %%PYTHON_SITELIBDIR%%/django/utils/simplejson/tool.pyc %%PYTHON_SITELIBDIR%%/django/utils/simplejson/tool.pyo +%%PYTHON_SITELIBDIR%%/django/utils/six.py +%%PYTHON_SITELIBDIR%%/django/utils/six.pyc +%%PYTHON_SITELIBDIR%%/django/utils/six.pyo %%PYTHON_SITELIBDIR%%/django/utils/synch.py %%PYTHON_SITELIBDIR%%/django/utils/synch.pyc %%PYTHON_SITELIBDIR%%/django/utils/synch.pyo diff --git a/www/py-django13/Makefile b/www/py-django13/Makefile index c137e75fbad..5f6acfb8f1f 100644 --- a/www/py-django13/Makefile +++ b/www/py-django13/Makefile @@ -1,12 +1,8 @@ -# New ports collection makefile for: django -# Date created: 2005-11-19 -# Whom: Jose Alonso Cardenas Marquez <acardenas@bsd.org.pe> -# +# Created by: Jose Alonso Cardenas Marquez <acardenas@bsd.org.pe> # $FreeBSD$ -# PORTNAME= django -PORTVERSION= 1.3.3 +PORTVERSION= 1.3.4 CATEGORIES= www python MASTER_SITES= http://www.djangoproject.com/m/releases/${PORTVERSION:R}/ \ CHEESESHOP @@ -22,7 +18,7 @@ LICENSE= BSD LATEST_LINK= ${PYTHON_PKGNAMEPREFIX}django13 USE_GETTEXT= yes -USE_PYTHON= yes +USE_PYTHON= -2.7 USE_PYDISTUTILS= yes PYDISTUTILS_PKGNAME= Django 
@@ -30,20 +26,20 @@ CONFLICTS= py2[0-9]-django-devel-[0-9]* py2[0-9]-django-1.[24]* DOCSDIR= ${PREFIX}/share/doc/py-django -OPTIONS_DEFINE= PGSQL MYSQL SQLITE FASTCGI HTMLDOCS -OPTIONS_DEFAULT= - -HTMLDOCS_DESC= Build and install the HTML documentation (requires Sphinx) - -MAN1= daily_cleanup.1 django-admin.1 gather_profile_stats.1 - # bypass infrastructure bug OPTIONSFILE= ${PORT_DBDIR}/py-${PORTNAME}/options +OPTIONS_DEFINE= FASTCGI HTMLDOCS +OPTIONS_DEFAULT=SQLITE +OPTIONS_MULTI= DATABASE +OPTIONS_MULTI_DATABASE= PGSQL MYSQL SQLITE +HTMLDOCS_DESC= Install the HTML documentation (requires Sphinx) + +MAN1= daily_cleanup.1 django-admin.1 gather_profile_stats.1 -.include <bsd.port.pre.mk> +.include <bsd.port.options.mk> .if ${PORT_OPTIONS:MPGSQL} -RUN_DEPENDS+= ${PYTHON_SITELIBDIR}/psycopg2/_psycopg.so:${PORTSDIR}/databases/py-psycopg2 +RUN_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}psycopg2>0:${PORTSDIR}/databases/py-psycopg2 EXTRA_PATCHES+= ${FILESDIR}/extra-patch-changeset_16520.diff .endif @@ -52,7 +48,7 @@ RUN_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}MySQLdb>=1.2.2:${PORTSDIR}/databases/py-MyS .endif .if ${PORT_OPTIONS:MSQLITE} -RUN_DEPENDS+= ${PYTHON_SITELIBDIR}/_sqlite3.so:${PORTSDIR}/databases/py-sqlite3 +RUN_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}sqlite3>0:${PORTSDIR}/databases/py-sqlite3 .endif .if ${PORT_OPTIONS:MFASTCGI} @@ -60,7 +56,7 @@ RUN_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}flup>0:${PORTSDIR}/www/py-flup .endif .if ${PORT_OPTIONS:MHTMLDOCS} -. if defined(NOPORTDOCS) +. if empty(PORT_OPTIONS:MDOCS) IGNORE= you cannot build documentation while setting NOPORTDOCS . endif BUILD_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}sphinx>0:${PORTSDIR}/textproc/py-sphinx @@ -83,4 +79,4 @@ post-install: ${CP} -R ${WRKSRC}/docs/_build/html ${DOCSDIR} .endif -.include <bsd.port.post.mk> +.include <bsd.port.mk> diff --git a/www/py-django13/distinfo b/www/py-django13/distinfo index bec9c2d3580..f3576575565 100644 --- a/www/py-django13/distinfo +++ b/www/py-django13/distinfo 
@@ -1,2 +1,2 @@ -SHA256 (python/Django-1.3.3.tar.gz) = 8ef44cfd89dee0331018ec56a2ed27dc14ae8d65feb664c10e128b3437cbd46a -SIZE (python/Django-1.3.3.tar.gz) = 6507280 +SHA256 (python/Django-1.3.4.tar.gz) = 2626e6b216e1bdef887bd923f00d94d94b4d4e75fc2e336c6f156d842d10a607 +SIZE (python/Django-1.3.4.tar.gz) = 6507771 diff --git a/www/py-django13/pkg-descr b/www/py-django13/pkg-descr index 4356d5ad924..1eefec3fb49 100644 --- a/www/py-django13/pkg-descr +++ b/www/py-django13/pkg-descr @@ -7,4 +7,4 @@ intensive deadlines of a newsroom and the stringent requirements of experienced Web developers. It has convenient niceties for developing content-management systems, but it's an excellent tool for building any Web site. -WWW: http://www.djangoproject.com/ +WWW: http://www.djangoproject.com/ |
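Review bot: in the security/vuxml/vuln.xml hunk, the `<package><name>django</name><range><lt>1.4.2</lt></range></package>` block also matches the patched 1.3.4 package: the py-django13 Makefile in this same commit keeps `PORTNAME= django` and its `CONFLICTS` line (`py2[0-9]-django-1.[24]*`) indicates the port itself produces `py2x-django-1.3.*`, so after this update the 1.3 port would still be reported vulnerable and the separate `<name>django13</name>` block is unlikely to match any installed package. Consider a single `<name>django</name>` package with two ranges, `<range><ge>1.4</ge><lt>1.4.2</lt></range>` and `<range><lt>1.3.4</lt></range>`, and check what `pkg_info`/portaudit actually sees for the django13 port before keeping the second block. The `<references>` element carries only the advisory URL; if CVE identifiers are assigned for the Host header issue, add `<cvename>` entries so the record can be cross-referenced.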
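Review bot: in the www/py-django/Makefile hunk, the `HTMLDOCS` guard is changed to `. if empty(PORT_OPTIONS:MDOCS)` but the `IGNORE= you cannot build documentation while setting NOPORTDOCS` message still names the old knob, so a user who hits it is told to unset something that no longer drives the check; reword it along the lines of `IGNORE= cannot build documentation with the DOCS option disabled`. Minor style point: `OPTIONS_DEFAULT=SQLITE` lacks the whitespace after `=` that the neighbouring assignments in the same block use.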
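Review bot: in the www/py-django13/Makefile hunk, the same `IGNORE=` wording issue as in py-django applies (`. if empty(PORT_OPTIONS:MDOCS)` now guards a message that still talks about NOPORTDOCS). Separately, this port's context line `MASTER_SITES= http://www.djangoproject.com/m/releases/${PORTVERSION:R}/` fetches over plain http while the py-django hunk uses `https://` for the same host; distinfo's SHA256 still protects the tarball's integrity, but switching this port to https keeps the two ports consistent. The hunk also keeps `EXTRA_PATCHES+= ${FILESDIR}/extra-patch-changeset_16520.diff` under the PGSQL option; the commit message does not say whether that patch was re-tested against 1.3.4, so a note that it still applies cleanly would help.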
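Review bot: the distinfo hunks for www/py-django and www/py-django13 replace the SHA256/SIZE pairs for Django-1.4.2.tar.gz and Django-1.3.4.tar.gz, and those values are the only integrity anchor for the upgraded tarballs. Since this is a security update and `MASTER_SITES` lists `CHEESESHOP` as a fallback mirror, it would be worth stating in the commit or the PR how the checksums were confirmed against the upstream release announcement rather than simply recorded from a `make makesum` fetch.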