Hello community, here is the log from the commit of package viewvc for openSUSE:Factory checked in at Fri Mar 12 01:54:18 CET 2010. --------
--- viewvc/viewvc.changes 2010-01-22 23:34:11.000000000 +0100
+++ /mounts/work_src_done/STABLE/viewvc/viewvc.changes 2010-03-11 20:40:20.000000000 +0100
@@ -1,0 +2,8 @@
+Thu Mar 11 11:06:14 UTC 2010 - pascal.bleser@opensuse.org
+
+- update to 1.1.4 (bnc#587357):
+ * security fix: escape user-provided query form input to avoid XSS attack
+ * fix standalone.py failure (when per-root options aren't used) (issue #445)
+ * fix annotate failure caused by ignored svn_config_dir (issue #447)
+
+-------------------------------------------------------------------
calling whatdependson for head-i586 Old: ---- viewvc-1.1.3.tar.bz2 New: ---- viewvc-1.1.4.tar.bz2 viewvc-rpmlintrc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ viewvc.spec ++++++
--- /var/tmp/diff_new_pack.iy6Gee/_old 2010-03-12 01:54:03.000000000 +0100
+++ /var/tmp/diff_new_pack.iy6Gee/_new 2010-03-12 01:54:03.000000000 +0100
@@ -1,5 +1,5 @@
 #
-# spec file for package viewvc (Version 1.1.3)
+# spec file for package viewvc (Version 1.1.4)
 #
 # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
@@ -20,8 +20,8 @@
 Name: viewvc
 BuildRequires: apache2-devel python-devel
-Version: 1.1.3
-Release: 2
+Version: 1.1.4
+Release: 1
 #
 %define apxs /usr/sbin/apxs2
 %define apache_libexecdir %(%{apxs} -q LIBEXECDIR)
@@ -31,16 +31,20 @@
 #
 %define viewvc_dir /srv/viewvc
 Requires: subversion-python
-Provides: subversion-viewcvs viewcvs
-Obsoletes: subversion-viewcvs viewcvs
+Provides: subversion-viewcvs = %{version}
+Provides: viewcvs = %{version}
+Obsoletes: subversion-viewcvs < %{version}
+Obsoletes: viewcvs < %{version}
 Group: Development/Tools/Version Control
 Url: http://www.viewvc.org/
-Summary: ViewVC - Browse a Subversion Repository with a Web Browser
+Summary: Browse a Subversion Repository with a Web Browser
 #
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 License: BSD3c(or similar)
+# http://www.viewvc.org/viewvc-%{version}.tar.gz
 Source0: viewvc-%{version}.tar.bz2
 Source1: viewvc.conf
+Source99: viewvc-rpmlintrc
 Patch0: viewvc-buglink.patch
 BuildArch: noarch
++++++ viewvc-1.1.3.tar.bz2 -> viewvc-1.1.4.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/viewvc-1.1.3/CHANGES new/viewvc-1.1.4/CHANGES
--- old/viewvc-1.1.3/CHANGES 2009-12-22 20:52:47.000000000 +0100
+++ new/viewvc-1.1.4/CHANGES 2010-03-10 22:22:31.000000000 +0100
@@ -1,3 +1,9 @@
+Version 1.1.4 (released 10-Mar-2010)
+
+ * security fix: escape user-provided query form input to avoid XSS attack
+ * fix standalone.py failure (when per-root options aren't used) (issue #445)
+ * fix annotate failure caused by ignored svn_config_dir (issue #447)
+
 Version 1.1.3 (released 22-Dec-2009)
 * security fix: add root listing support of per-root authz config
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/viewvc-1.1.3/conf/viewvc.conf.dist new/viewvc-1.1.4/conf/viewvc.conf.dist
--- old/viewvc-1.1.3/conf/viewvc.conf.dist 2009-12-08 18:13:53.000000000 +0100
+++ new/viewvc-1.1.4/conf/viewvc.conf.dist 2010-01-08 18:47:29.000000000 +0100
@@ -858,6 +858,10 @@
 ## utilities
 ## authz-*
 ##
+## WARNING: Do not use per-root overrides if your ViewVC instance is
+## served via the standalone.py server option! Doing so could cause
+## ViewVC to be unable to function properly (or at all).
+##
 ## Here is an example showing how to enable Subversion authz-based
 ## authorization for only the single root named "svnroot":
 ##
@@ -872,8 +876,15 @@
 [authz-forbidden]
 ## The "forbidden" authorizer forbids access to repository modules,
-## defined to be top-level subdirectories in a repository. You can use
-## a simple list of modules, or something more complex:
+## defined to be top-level subdirectories in a repository.
+##
+## NOTE: The options in this section apply only when the 'authorizer'
+## option (in the [options] section) is set to 'forbidden'.
+
+## forbidden: A comma-delimited list of patterns which match modules
+## that ViewVC should hide from users.
+##
+## You can use a simple list of modules, or something more complex:
 ##
 ## *) The "!" can be used before a module to explicitly state that it
 ## is NOT forbidden. Whenever this form is seen, then all modules will
@@ -928,6 +939,12 @@
 ## regular expressions. Directory paths will be terminated by a forward
 ## slash.
 ##
+## NOTE: The options in this section apply only when the 'authorizer'
+## option (in the [options] section) is set to 'forbiddenre'.
+
+## forbiddenre: A comma-delimited list of regular expressions which
+## match paths that ViewVC should hide from users.
+##
 ## Like the "forbidden" authorizer...
 ##
 ## *) The "!" can be used before a module to explicitly state that it
@@ -962,6 +979,9 @@ ## The "svnauthz" authorizer uses a Subversion authz configuration file ## to determine access to repository paths. +## +## NOTE: The options in this section apply only when the 'authorizer' +## option (in the [options] section) is set to 'svnauthz'. ## authzfile: Specifies the location of the authorization rules file ## (using an absolute path). diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/viewvc-1.1.3/docs/upgrading-howto.html new/viewvc-1.1.4/docs/upgrading-howto.html --- old/viewvc-1.1.3/docs/upgrading-howto.html 2009-05-05 17:49:50.000000000 +0200 +++ new/viewvc-1.1.4/docs/upgrading-howto.html 2010-01-29 15:31:53.000000000 +0100 @@ -348,7 +348,7 @@ all = viewvc.* [all-options] -allow_tar = 1 +allowed_views = annotate, diff, markup, tar </pre> </blockquote> @@ -358,7 +358,7 @@ all = viewvc.* [vhost-all/options] -allow_tar = 1 +allowed_views = annotate, diff, markup, tar </pre> </blockquote> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/viewvc-1.1.3/lib/config.py new/viewvc-1.1.4/lib/config.py --- old/viewvc-1.1.3/lib/config.py 2009-12-03 07:09:25.000000000 +0100 +++ new/viewvc-1.1.4/lib/config.py 2010-03-10 22:18:17.000000000 +0100 @@ -1,6 +1,6 @@ # -*-python-*- # -# Copyright (C) 1999-2009 The ViewCVS Group. All Rights Reserved. +# Copyright (C) 1999-2010 The ViewCVS Group. All Rights Reserved. # # By using this file, you agree to the terms and conditions set forth in # the LICENSE.html file which can be found at the top level of the ViewVC @@ -274,9 +274,7 @@ """Overlay per-root options for ROOTNAME atop the existing option set. This is a destructive change to the configuration.""" - # We can only deal with this happening once! - assert(self.root_options_overlayed == 0) - self.root_options_overlayed = 1 + did_overlay = 0 if not self.conf_path: return 
@@ -285,7 +283,17 @@ base_section = self._is_allowed_override(self.parser, 'root', rootname, section) if base_section: + # We can currently only deal with root overlays happening + # once, so check that we've not yet done any overlaying of + # per-root options. + assert(self.root_options_overlayed == 0) self._process_section(self.parser, section, base_section) + did_overlay = 1 + + # If we actually did any overlaying, remember this fact so we + # don't do it again later. + if did_overlay: + self.root_options_overlayed = 1 def _get_parser_items(self, parser, section): """Basically implement ConfigParser.items() for pre-Python-2.3 versions.""" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/viewvc-1.1.3/lib/vclib/svn/svn_repos.py new/viewvc-1.1.4/lib/vclib/svn/svn_repos.py --- old/viewvc-1.1.3/lib/vclib/svn/svn_repos.py 2009-05-05 19:09:01.000000000 +0200 +++ new/viewvc-1.1.4/lib/vclib/svn/svn_repos.py 2010-03-10 22:18:17.000000000 +0100 @@ -1,6 +1,6 @@ # -*-python-*- # -# Copyright (C) 1999-2009 The ViewCVS Group. All Rights Reserved. +# Copyright (C) 1999-2010 The ViewCVS Group. All Rights Reserved. # # By using this file, you agree to the terms and conditions set forth in # the LICENSE.html file which can be found at the top level of the ViewVC @@ -314,14 +314,14 @@ class BlameSource: - def __init__(self, local_url, rev, first_rev): + def __init__(self, local_url, rev, first_rev, config_dir): self.idx = -1 self.first_rev = first_rev self.blame_data = [] ctx = client.ctx_t() - core.svn_config_ensure(None) - ctx.config = core.svn_config_get_config(None) + core.svn_config_ensure(config_dir) + ctx.config = core.svn_config_get_config(config_dir) ctx.auth_baton = core.svn_auth_open([]) try: ### TODO: Is this use of FIRST_REV always what we want? Should we 
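Review bot: The `assert(self.root_options_overlayed == 0)` that this hunk moves inside the loop is stripped when the interpreter runs with `-O`, so the one-shot restriction the new comments describe is not enforced in optimized deployments; an explicit check that raises, e.g. `if self.root_options_overlayed: raise RuntimeError('per-root options already overlayed')`, keeps the contract under all settings. Because `root_options_overlayed` is only set after the loop, the assert also cannot distinguish two matching sections in one call from a second call, which is presumably the intended relaxation for the standalone.py case (issue #445 in the changelog) but deserves a sentence in the docstring. The `did_overlay = 0` initialisation in the preceding hunk is the other half of this change, and `overlay_root_options` starts before that hunk.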
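Review bot: The new `config_dir` parameter of `BlameSource.__init__` is undocumented, and since `None` was the value previously hard-coded into `svn_config_ensure` / `svn_config_get_config`, callers cannot tell from the signature what an absent directory should look like. A one-line comment such as `# config_dir: Subversion configuration directory to load, or None for the bindings' default (the previous behaviour).` would settle that. The `__init__` body continues past the end of the hunk.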
@@ -376,7 +376,7 @@ self.auth = authorizer self.svn_client_path = utilities.svn or 'svn' self.diff_cmd = utilities.diff or 'diff' - self.config_dir = config_dir + self.config_dir = config_dir or None # See if this repository is even viewable, authz-wise. if not vclib.check_root_access(self): @@ -567,7 +567,7 @@ youngest_rev, youngest_path = history[0] oldest_rev, oldest_path = history[-1] source = BlameSource(_rootpath2url(self.rootpath, path), - youngest_rev, oldest_rev) + youngest_rev, oldest_rev, self.config_dir) return source, youngest_rev def _revinfo(self, rev, include_changed_paths=0): diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/viewvc-1.1.3/lib/viewvc.py new/viewvc-1.1.4/lib/viewvc.py --- old/viewvc-1.1.3/lib/viewvc.py 2009-12-22 20:54:14.000000000 +0100 +++ new/viewvc-1.1.4/lib/viewvc.py 2010-03-10 22:25:25.000000000 +0100 @@ -1,6 +1,6 @@ # -*-python-*- # -# Copyright (C) 1999-2009 The ViewCVS Group. All Rights Reserved. +# Copyright (C) 1999-2010 The ViewCVS Group. All Rights Reserved. # # By using this file, you agree to the terms and conditions set forth in # the LICENSE.html file which can be found at the top level of the ViewVC @@ -14,7 +14,7 @@ # # ----------------------------------------------------------------------- -__version__ = '1.1.3' +__version__ = '1.1.4' # this comes from our library; measure the startup time import debug 
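Review bot: `self.config_dir = config_dir or None` silently maps an empty string (and any other falsy value) to `None`, which reads like an accident unless the intent is recorded; a comment such as `# An empty svn_config_dir option presumably means "use the default"; the svn bindings expect None for that.` would stop a later reader from "fixing" it back to a plain assignment. The constructor this line belongs to starts before the hunk.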
@@ -3621,23 +3621,26 @@ limit_changes = \ int(request.query_dict.get('limit_changes', request.cfg.options.limit_changes)) - + + def escaped_query_dict_get(itemname, itemdefault=''): + return request.server.escape(request.query_dict.get(itemname, itemdefault)) + data = common_template_data(request) data.merge(ezt.TemplateData({ - 'branch' : request.query_dict.get('branch', ''), - 'branch_match' : request.query_dict.get('branch_match', 'exact'), - 'dir' : request.query_dict.get('dir', ''), - 'file' : request.query_dict.get('file', ''), - 'file_match' : request.query_dict.get('file_match', 'exact'), - 'who' : request.query_dict.get('who', ''), - 'who_match' : request.query_dict.get('who_match', 'exact'), - 'comment' : request.query_dict.get('comment', ''), - 'comment_match' : request.query_dict.get('comment_match', 'exact'), - 'querysort' : request.query_dict.get('querysort', 'date'), - 'date' : request.query_dict.get('date', 'hours'), - 'hours' : request.query_dict.get('hours', '2'), - 'mindate' : request.query_dict.get('mindate', ''), - 'maxdate' : request.query_dict.get('maxdate', ''), + 'branch' : escaped_query_dict_get('branch', ''), + 'branch_match' : escaped_query_dict_get('branch_match', 'exact'), + 'dir' : escaped_query_dict_get('dir', ''), + 'file' : escaped_query_dict_get('file', ''), + 'file_match' : escaped_query_dict_get('file_match', 'exact'), + 'who' : escaped_query_dict_get('who', ''), + 'who_match' : escaped_query_dict_get('who_match', 'exact'), + 'comment' : escaped_query_dict_get('comment', ''), + 'comment_match' : escaped_query_dict_get('comment_match', 'exact'), + 'querysort' : escaped_query_dict_get('querysort', 'date'), + 'date' : escaped_query_dict_get('date', 'hours'), + 'hours' : escaped_query_dict_get('hours', '2'), + 'mindate' : escaped_query_dict_get('mindate', ''), + 'maxdate' : escaped_query_dict_get('maxdate', ''), 'query_action' : query_action, 'query_hidden_values' : query_hidden_values, 'limit_changes' : limit_changes, 
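Review bot: `escaped_query_dict_get` routes every form value through `request.server.escape`, which only closes the reported XSS hole if that escape also encodes quotes, since these values are presumably echoed back inside `value="..."` attributes of the query form; that property is worth confirming rather than assumed. The enumerated parameters (`branch_match`, `file_match`, `who_match`, `comment_match`, `querysort`, `date`) would be better validated against their fixed set of accepted values than escaped, and `hours`, `mindate` and `maxdate` likewise have a known shape. A comment on the helper would make the contract explicit for template authors: `# Query-form values are user-controlled and the template emits them verbatim, so HTML-escape them here.` The enclosing function starts before and ends after this hunk.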
@@ -3908,27 +3911,29 @@ return commit def query_backout(request, commits): - request.server.header('text/plain') - if commits: - print '# This page can be saved as a shell script and executed.' - print '# It should be run at the top of your work area. It will update' - print '# your working copy to back out the changes selected by the' - print '# query.' - print - else: - print '# No changes were selected by the query.' - print '# There is nothing to back out.' + server_fp = get_writeready_server_file(request, 'text/plain') + if not commits: + server_fp.write("""\ +# No changes were selected by the query. +# There is nothing to back out. +""") return + server_fp.write("""\ +# This page can be saved as a shell script and executed. +# It should be run at the top of your work area. It will update +# your working copy to back out the changes selected by the +# query. +""") for commit in commits: for fileinfo in commit.files: if request.roottype == 'cvs': - print 'cvs update -j %s -j %s %s/%s' \ - % (fileinfo.rev, prev_rev(fileinfo.rev), - fileinfo.dir, fileinfo.file) + server_fp.write('cvs update -j %s -j %s %s/%s\n' + % (fileinfo.rev, prev_rev(fileinfo.rev), + fileinfo.dir, fileinfo.file)) elif request.roottype == 'svn': - print 'svn merge -r %s:%s %s/%s' \ - % (fileinfo.rev, prev_rev(fileinfo.rev), - fileinfo.dir, fileinfo.file) + server_fp.write('svn merge -r %s:%s %s/%s\n' + % (fileinfo.rev, prev_rev(fileinfo.rev), + fileinfo.dir, fileinfo.file)) def view_query(request): if not is_query_supported(request): ++++++ viewvc-rpmlintrc ++++++ addFilter("W: non-etc-or-var-file-marked-as-conffile /srv/viewvc/.*") addFilter("W: script-without-shebang /srv/viewvc/bin/mod_python/.*") addFilter("W: files-duplicate /srv/viewvc/templates/.*") addFilter("W: files-duplicate /srv/viewvc/templates-contrib/.*") addFilter("W: files-duplicate /srv/viewvc/mimetypes.conf.*") addFilter("W: htaccess-file /srv/viewvc/bin/mod_python/.*") 
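Review bot: The rewritten `cvs update` and `svn merge` lines still interpolate `fileinfo.dir` and `fileinfo.file` unquoted, so a path containing whitespace or shell metacharacters produces a script that misbehaves when the user runs it as the header comment invites. Quoting the path argument, e.g. `pipes.quote('%s/%s' % (fileinfo.dir, fileinfo.file))` (Python 2's `pipes` module; the import would sit outside this hunk), keeps the emitted script faithful to the query result. These values come from repository history rather than the HTTP request, so the exposure is to whoever executes the saved script, but the fix is cheap. `query_backout` is complete within the hunk.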