authorPeter Volkov <pva@gentoo.org>2011-09-11 11:39:20 +0000
committerPeter Volkov <pva@gentoo.org>2011-09-11 11:39:20 +0000
commitca4b3512a781851be555d549f526efee7004185d (patch)
tree54594f4430991c18bcb1ab6059c41664e4dd47fd /www-apps
parentFix bash-completion test. Drop emacs USE flag (bug #382177); fix bash-complet... (diff)
Fix XSS vulnerability in rename hint, bug #378803; thanks to Nikoli for this work. Drop old.
Package-Manager: portage-2.1.10.11/cvs/Linux x86_64
Diffstat (limited to 'www-apps')
-rw-r--r--www-apps/cgit/ChangeLog10
-rw-r--r--www-apps/cgit/Manifest8
-rw-r--r--www-apps/cgit/cgit-0.9.0.2-r1.ebuild (renamed from www-apps/cgit/cgit-0.9.0.1.ebuild)4
-rw-r--r--www-apps/cgit/cgit-0.9.0.2.ebuild85
-rw-r--r--www-apps/cgit/cgit-9999.ebuild85
-rw-r--r--www-apps/cgit/files/cgit-0.9.0.2-fix-xss.patch35
6 files changed, 50 insertions, 177 deletions
diff --git a/www-apps/cgit/ChangeLog b/www-apps/cgit/ChangeLog
index a91acfee9fd3..187bdfff63e0 100644
--- a/www-apps/cgit/ChangeLog
+++ b/www-apps/cgit/ChangeLog
@@ -1,6 +1,14 @@
# ChangeLog for www-apps/cgit
# Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/www-apps/cgit/ChangeLog,v 1.8 2011/08/03 18:17:38 pva Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-apps/cgit/ChangeLog,v 1.9 2011/09/11 11:39:20 pva Exp $
+
+*cgit-0.9.0.2-r1 (11 Sep 2011)
+
+ 11 Sep 2011; Peter Volkov <pva@gentoo.org> -cgit-0.9.0.1.ebuild,
+ -cgit-0.9.0.2.ebuild, +cgit-0.9.0.2-r1.ebuild,
+ +files/cgit-0.9.0.2-fix-xss.patch, -cgit-9999.ebuild:
+ Fix XSS vulnerability in rename hint, bug #378803, thank Nikoli for this job.
+ Drop old.
*cgit-0.9.0.2 (03 Aug 2011)
diff --git a/www-apps/cgit/Manifest b/www-apps/cgit/Manifest
index c5fb22d4fac8..3ab228413dde 100644
--- a/www-apps/cgit/Manifest
+++ b/www-apps/cgit/Manifest
@@ -1,15 +1,13 @@
+AUX cgit-0.9.0.2-fix-xss.patch 1381 RMD160 2ad578425a66e9115161d54c267f02f484928fb2 SHA1 db0c8183764e0056e665195db534c69cfaf6bf77 SHA256 7209929376d5e6be818ef74def7ef9edfaeca11f92e78e094e122f905707d576
AUX cgitrc 2514 RMD160 614cb050acc97caaa1da7caa6a60e74b457bba37 SHA1 376d65e71ab2ee54896addaf4acb98ed7d5ba327 SHA256 5a53e02e38382b46e3e0dea5efb3ab4ff8eccc8c6a26e7213ab2dee192236c48
AUX postinstall-en.txt 1844 RMD160 8b6048db73f2b806335ac76a672784a46ba19394 SHA1 f74f0ee924bf91bb9699e83fd947cdd26b0e4f5f SHA256 2bfadbe531386c9f2b9fd6b346c9542dd367f86f1ffc1be1a43d9aa182a0118b
DIST cgit-0.8.3.5.tar.bz2 54844 RMD160 f47efaa9de8e6d6af85cdf29bfa95a7c17b2d4e5 SHA1 4e3d8a28688efe4372a7945db8ec96b383e8e88b SHA256 2ca856a3ceae1c58e1c066bd06f4112c604a9395ae46f69db524ada1b71d8298
-DIST cgit-0.9.0.1.tar.bz2 63992 RMD160 31636b09ae3d659fbafc614e6c351217410e678c SHA1 214791b92502d90ac2f57044529cecd51865874b SHA256 6fb1f8c6f67c176b1b300520ad8c5fb036d272e6051c85b5bb6a02f1772204f0
DIST cgit-0.9.0.2.tar.bz2 64203 RMD160 3eae71b4232308ca62767529c25e9710dd46c80b SHA1 0ae0dcb07001c0e231355f5bb9634e8ebcd6e889 SHA256 97e0f78f5d4aabe59e3795849c6e1a72900cd558a94d88cb236fee12d72b528c
DIST cgit-0.9.tar.bz2 63580 RMD160 01e2bf7a5f4f385a0a6cda18292f3f9a55337622 SHA1 acdea79a880521fcfd0d359b41fdd59abf76170d SHA256 530eaf702b8ca0a44750f5ed1f27b1d74b317441cce9d2d4bb340c7dbea8a48f
DIST git-1.7.3.tar.bz2 2629734 RMD160 4b0f95b4d114f5b7a4eb61c0f73b2f9a533637a0 SHA1 32e231fd10b85265487f0c2cc50d6d889b71de78 SHA256 0035a4a7906f65812072457b65c609f24c66f31593d0ad372b7c18894a26b07d
DIST git-1.7.4.tar.bz2 2703735 RMD160 a064d7a5b2d3fae6171ca91a03082eb46d7bb9b7 SHA1 57b783627d9a9515ce3ef8f79128074de6197b2e SHA256 8e260b9e5dfb46a35f26e3db450c2dabb4d1df254bfb2820779945a1ecbcef51
EBUILD cgit-0.8.3.5.ebuild 1851 RMD160 08c348a38f50a15cd480556d8cfce4ce11ab45bc SHA1 7bb2865b2c92f6e0cb4543e6477c6245c950f3a0 SHA256 9d264701a4f2d94e44d45497ded6d9d49d12703d1c029fd332f929c9fb8d11ee
-EBUILD cgit-0.9.0.1.ebuild 1824 RMD160 218c6b4d6012f93ff093f6a6f9596ac5d838f269 SHA1 83d84d8615b2a206f39339f2b798e2ee9f59988d SHA256 0a279baf32631c3fc27b69aa7afdad08642654195cc8b95253aa054c4a130cbc
-EBUILD cgit-0.9.0.2.ebuild 1824 RMD160 83179c782c13cde7c8a16b07c6788bcba45e19ad SHA1 d156a45094c5783ddfc1921e8905ed1a7de0ba1c SHA256 e8b139997351816e82243214e29eda6307507874916ca4da91e0abaa6ebdf123
+EBUILD cgit-0.9.0.2-r1.ebuild 1869 RMD160 d4d92eda537ed076823f410524c605867afc687c SHA1 a1d1396f43803f8cd6dc19c638db1744fa7a8622 SHA256 1578240e483c7877933188ad40a40ed134691db6dcc9973d676335814a085b5c
EBUILD cgit-0.9.ebuild 1830 RMD160 478a79bc043b4e766a3cf94538ad4dc065c09c97 SHA1 0aa15bda1672aaa95651caeebe11827ef87317de SHA256 844245a0a5d0c7a97cea53c095723aa01da90e59ab85b23c3f43184c5faed634
-EBUILD cgit-9999.ebuild 1813 RMD160 9af43899e314b9a29630c5ba4f848e2df3845556 SHA1 9f75a99aef7a31b199fb2afc623957c62f3f4196 SHA256 0e73d31c6aac225636c853bea88ba3a3ec011ae29b97bd9ccedcc9ffba300289
-MISC ChangeLog 1903 RMD160 dfe2366e55a583135c27b5ca7daa9cd79cbc93fd SHA1 43fe617b4d20f732a13caffd3446124365f94fbc SHA256 59c041c8635d0a75cfb45ae091a685454317953a05b77e4bd9f479de77a275b8
+MISC ChangeLog 2200 RMD160 ce0dedee2f2a383caa6507fbd5d00a1074f7fd61 SHA1 1a727bab99bb567389d4ca426d39be03d68849f1 SHA256 d2cc62272badcf33a59a290590aaabd500aad4947b34e37e62be2b415f8c27f8
MISC metadata.xml 708 RMD160 9d4dec58ea4db0d424fa1fcdc98879bfac455205 SHA1 2bec92f38a0ff9ef4288093974a04c0dd3a02ee4 SHA256 d19c132bfeebaa0b6eddfc589f49eed3f03fe326e10ebbde8571f4cb97bfadfa
diff --git a/www-apps/cgit/cgit-0.9.0.1.ebuild b/www-apps/cgit/cgit-0.9.0.2-r1.ebuild
index 03b223a7dca9..9ecf4627a779 100644
--- a/www-apps/cgit/cgit-0.9.0.1.ebuild
+++ b/www-apps/cgit/cgit-0.9.0.2-r1.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2011 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/www-apps/cgit/cgit-0.9.0.1.ebuild,v 1.1 2011/06/27 08:58:08 pva Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-apps/cgit/cgit-0.9.0.2-r1.ebuild,v 1.1 2011/09/11 11:39:20 pva Exp $
EAPI="4"
@@ -45,6 +45,8 @@ src_prepare() {
rmdir git || die
mv "${WORKDIR}"/git-"${GIT_V}" git || die
+ epatch "${FILESDIR}"/${P}-fix-xss.patch
+
sed -i \
-e "/^CACHE_ROOT =/s:/var/cache/cgit:${CGIT_CACHEDIR}:" \
Makefile || die
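Review bot: The added `epatch` line in src_prepare has no comment saying where the patch comes from or when it can be dropped, and because `${P}` ties the file name to this exact version, the next bump has to make that decision without any hint. I would add above it `# Upstream commit bebe89d7, bug #378803; drop once a release includes it`. Separately, the Manifest context lines show cgit-0.8.3.5.ebuild and cgit-0.9.ebuild remaining in the tree without this patch; whether they contain the same unescaped rename hint is not visible here and should be checked before they stay installable. src_prepare starts before this hunk and ends after it.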
diff --git a/www-apps/cgit/cgit-0.9.0.2.ebuild b/www-apps/cgit/cgit-0.9.0.2.ebuild
deleted file mode 100644
index 5176fb3c086d..000000000000
--- a/www-apps/cgit/cgit-0.9.0.2.ebuild
+++ /dev/null
@@ -1,85 +0,0 @@
-# Copyright 1999-2011 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/www-apps/cgit/cgit-0.9.0.2.ebuild,v 1.1 2011/08/03 18:17:38 pva Exp $
-
-EAPI="4"
-
-WEBAPP_MANUAL_SLOT="yes"
-
-inherit webapp eutils multilib
-
-[[ -z "${CGIT_CACHEDIR}" ]] && CGIT_CACHEDIR="/var/cache/${PN}/"
-
-GIT_V="1.7.4"
-
-DESCRIPTION="a fast web-interface for git repositories"
-HOMEPAGE="http://hjemli.net/git/cgit/about/"
-SRC_URI="mirror://kernel/software/scm/git/git-${GIT_V}.tar.bz2
- http://hjemli.net/git/cgit/snapshot/${P}.tar.bz2"
-
-LICENSE="GPL-2"
-SLOT="0"
-KEYWORDS="~amd64 ~x86"
-IUSE="doc highlight"
-
-RDEPEND="
- dev-vcs/git
- sys-libs/zlib
- dev-libs/openssl
- virtual/httpd-cgi
- highlight? ( app-text/highlight )
-"
-# ebuilds without WEBAPP_MANUAL_SLOT="yes" are broken
-DEPEND="${RDEPEND}
- !<www-apps/cgit-0.8.3.3
- doc? ( app-text/docbook-xsl-stylesheets
- >=app-text/asciidoc-8.5.1 )
-"
-
-pkg_setup() {
- webapp_pkg_setup
- enewuser "${PN}"
-}
-
-src_prepare() {
- rmdir git || die
- mv "${WORKDIR}"/git-"${GIT_V}" git || die
-
- sed -i \
- -e "/^CACHE_ROOT =/s:/var/cache/cgit:${CGIT_CACHEDIR}:" \
- Makefile || die
-}
-
-src_compile() {
- emake
- use doc && emake doc-man
-}
-
-src_install() {
- webapp_src_preinst
-
- emake \
- prefix="${EPREFIX}"/usr \
- libdir="${EPREFIX}"/usr/$(get_libdir) \
- CGIT_SCRIPT_PATH="${MY_CGIBINDIR}" \
- CGIT_DATA_PATH="${MY_HTDOCSDIR}" \
- DESTDIR="${D}" install
-
- insinto /etc
- doins "${FILESDIR}"/cgitrc
-
- dodoc README
- use doc && doman cgitrc.5
-
- webapp_postinst_txt en "${FILESDIR}"/postinstall-en.txt
- webapp_src_install
-
- keepdir "${CGIT_CACHEDIR}"
- fowners ${PN}:${PN} "${CGIT_CACHEDIR}"
- fperms 700 "${CGIT_CACHEDIR}"
-}
-
-pkg_postinst() {
- ewarn "If you intend to run cgit using web server's user"
- ewarn "you should change ${CGIT_CACHEDIR} permissions."
-}
diff --git a/www-apps/cgit/cgit-9999.ebuild b/www-apps/cgit/cgit-9999.ebuild
deleted file mode 100644
index 37000f3d913f..000000000000
--- a/www-apps/cgit/cgit-9999.ebuild
+++ /dev/null
@@ -1,85 +0,0 @@
-# Copyright 1999-2011 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/www-apps/cgit/cgit-9999.ebuild,v 1.2 2011/06/27 08:58:08 pva Exp $
-
-EAPI="4"
-
-WEBAPP_MANUAL_SLOT="yes"
-
-inherit webapp eutils multilib git-2
-
-[[ -z "${CGIT_CACHEDIR}" ]] && CGIT_CACHEDIR="/var/cache/${PN}/"
-
-GIT_V="1.7.4"
-
-DESCRIPTION="a fast web-interface for git repositories"
-HOMEPAGE="http://hjemli.net/git/cgit/about/"
-SRC_URI="mirror://kernel/software/scm/git/git-${GIT_V}.tar.bz2"
-EGIT_REPO_URI="git://hjemli.net/pub/git/${PN}"
-
-LICENSE="GPL-2"
-SLOT="0"
-KEYWORDS=""
-IUSE="doc highlight"
-
-RDEPEND="
- dev-vcs/git
- sys-libs/zlib
- dev-libs/openssl
- virtual/httpd-cgi
- highlight? ( app-text/highlight )
-"
-# ebuilds without WEBAPP_MANUAL_SLOT="yes" are broken
-DEPEND="${RDEPEND}
- !<www-apps/cgit-0.8.3.3
- doc? ( app-text/docbook-xsl-stylesheets
- >=app-text/asciidoc-8.5.1 )
-"
-
-pkg_setup() {
- webapp_pkg_setup
- enewuser "${PN}"
-}
-
-src_prepare() {
- rmdir git || die
- mv "${WORKDIR}"/git-"${GIT_V}" git || die
-
- sed -i \
- -e "/^CACHE_ROOT =/s:/var/cache/cgit:${CGIT_CACHEDIR}:" \
- Makefile || die
-}
-
-src_compile() {
- emake
- use doc && emake doc-man
-}
-
-src_install() {
- webapp_src_preinst
-
- emake \
- prefix="${EPREFIX}"/usr \
- libdir="${EPREFIX}"/usr/$(get_libdir) \
- CGIT_SCRIPT_PATH="${MY_CGIBINDIR}" \
- CGIT_DATA_PATH="${MY_HTDOCSDIR}" \
- DESTDIR="${D}" install
-
- insinto /etc
- doins "${FILESDIR}"/cgitrc
-
- dodoc README
- use doc && doman cgitrc.5
-
- webapp_postinst_txt en "${FILESDIR}"/postinstall-en.txt
- webapp_src_install
-
- keepdir "${CGIT_CACHEDIR}"
- fowners ${PN}:${PN} "${CGIT_CACHEDIR}"
- fperms 700 "${CGIT_CACHEDIR}"
-}
-
-pkg_postinst() {
- ewarn "If you intend to run cgit using web server's user"
- ewarn "you should change ${CGIT_CACHEDIR} permissions."
-}
diff --git a/www-apps/cgit/files/cgit-0.9.0.2-fix-xss.patch b/www-apps/cgit/files/cgit-0.9.0.2-fix-xss.patch
new file mode 100644
index 000000000000..cfd230cd62f3
--- /dev/null
+++ b/www-apps/cgit/files/cgit-0.9.0.2-fix-xss.patch
@@ -0,0 +1,35 @@
+From bebe89d7c11a92bf206bf6e528c51ffa8ecbc0d5 Mon Sep 17 00:00:00 2001
+From: Lukas Fleischer <cgit@cryptocrack.de>
+Date: Fri, 22 Jul 2011 11:47:19 +0000
+Subject: Fix potential XSS vulnerability in rename hint
+
+The file name displayed in the rename hint should be escaped to avoid
+XSS. Note that this vulnerability is only applicable when an attacker
+has gained push access to the repository.
+
+Signed-off-by: Lukas Fleischer <cgit@cryptocrack.de>
+Signed-off-by: Lars Hjemli <hjemli@gmail.com>
+---
+diff --git a/ui-diff.c b/ui-diff.c
+index d21541b..383a534 100644
+--- a/ui-diff.c
++++ b/ui-diff.c
+@@ -97,10 +97,12 @@ static void print_fileinfo(struct fileinfo *info)
+ htmlf("</td><td class='%s'>", class);
+ cgit_diff_link(info->new_path, NULL, NULL, ctx.qry.head, ctx.qry.sha1,
+ ctx.qry.sha2, info->new_path, 0);
+- if (info->status == DIFF_STATUS_COPIED || info->status == DIFF_STATUS_RENAMED)
+- htmlf(" (%s from %s)",
+- info->status == DIFF_STATUS_COPIED ? "copied" : "renamed",
+- info->old_path);
++ if (info->status == DIFF_STATUS_COPIED || info->status == DIFF_STATUS_RENAMED) {
++ htmlf(" (%s from ",
++ info->status == DIFF_STATUS_COPIED ? "copied" : "renamed");
++ html_txt(info->old_path);
++ html(")");
++ }
+ html("</td><td class='right'>");
+ if (info->binary) {
+ htmlf("bin</td><td class='graph'>%ld -> %ld bytes",
+--
+cgit v0.9.0.2-51-g5d24
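Review bot: Nothing in the new code says why `info->old_path` is emitted through a separate `html_txt()` call instead of the `htmlf()` format string, so a later tidy-up could fold it back into a `%s` and reintroduce the unescaped output. A one-line comment above the call would guard against that: `/* old_path comes from repository content; htmlf() does not HTML-escape its arguments */`. Other `htmlf()` calls in ui-diff.c that format path strings with `%s` lie outside this hunk and are presumably worth the same audit. print_fileinfo begins before the hunk and continues past it.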