Hello community,
here is the log from the commit of package viewvc for openSUSE:Factory
checked in at Thu Apr 1 17:48:24 CEST 2010.
--------
--- viewvc/viewvc.changes 2010-03-11 20:40:20.000000000 +0100
+++ /mounts/work_src_done/STABLE/viewvc/viewvc.changes 2010-04-01 11:32:53.000000000 +0200
@@ -1,0 +2,6 @@
+Tue Mar 30 09:10:12 UTC 2010 - pascal.bleser@opensuse.org
+
+- update to 1.1.5 (bnc#592932):
+ * security fix: escape user-provided search_re input to avoid XSS attack
+
+-------------------------------------------------------------------
calling whatdependson for head-i586
Old:
----
viewvc-1.1.4.tar.bz2
New:
----
viewvc-1.1.5.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ viewvc.spec ++++++
--- /var/tmp/diff_new_pack.45a0xT/_old 2010-04-01 17:48:20.000000000 +0200
+++ /var/tmp/diff_new_pack.45a0xT/_new 2010-04-01 17:48:20.000000000 +0200
@@ -1,5 +1,5 @@
#
-# spec file for package viewvc (Version 1.1.4)
+# spec file for package viewvc (Version 1.1.5)
#
# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
@@ -20,7 +20,7 @@
Name: viewvc
BuildRequires: apache2-devel python-devel
-Version: 1.1.4
+Version: 1.1.5
Release: 1
#
%define apxs /usr/sbin/apxs2
++++++ viewvc-1.1.4.tar.bz2 -> viewvc-1.1.5.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/viewvc-1.1.4/CHANGES new/viewvc-1.1.5/CHANGES
--- old/viewvc-1.1.4/CHANGES 2010-03-10 22:22:31.000000000 +0100
+++ new/viewvc-1.1.5/CHANGES 2010-03-29 17:24:33.000000000 +0200
@@ -1,3 +1,7 @@
+Version 1.1.5 (released 29-Mar-2010)
+
+ * security fix: escape user-provided search_re input to avoid XSS attack
+
Version 1.1.4 (released 10-Mar-2010)
* security fix: escape user-provided query form input to avoid XSS attack
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/viewvc-1.1.4/LICENSE.html new/viewvc-1.1.5/LICENSE.html
--- old/viewvc-1.1.4/LICENSE.html 2009-03-18 17:45:10.000000000 +0100
+++ new/viewvc-1.1.5/LICENSE.html 2010-03-29 17:37:39.000000000 +0200
@@ -15,7 +15,7 @@
<blockquote>
-<p><strong>Copyright © 1999-2009 The ViewCVS Group. All rights
+<p><strong>Copyright © 1999-2010 The ViewCVS Group. All rights
reserved.</strong></p>
<p>By using ViewVC, you agree to the terms and conditions set forth
@@ -60,6 +60,7 @@
<li>April 10, 2007 — copyright years updated</li>
<li>February 22, 2008 — copyright years updated</li>
<li>March 18, 2009 — copyright years updated</li>
+ <li>March 29, 2010 — copyright years updated</li>
</ul>
</body>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/viewvc-1.1.4/lib/blame.py new/viewvc-1.1.5/lib/blame.py
--- old/viewvc-1.1.4/lib/blame.py 2009-03-18 17:45:10.000000000 +0100
+++ new/viewvc-1.1.5/lib/blame.py 2010-03-29 17:32:43.000000000 +0200
@@ -1,7 +1,7 @@
#!/usr/bin/env python
# -*-python-*-
#
-# Copyright (C) 1999-2008 The ViewCVS Group. All Rights Reserved.
+# Copyright (C) 1999-2010 The ViewCVS Group. All Rights Reserved.
# Copyright (C) 2000 Curt Hagenlocher
#
# By using this file, you agree to the terms and conditions set forth in
@@ -32,9 +32,8 @@
import re
import time
import math
-import cgi
import vclib
-
+import sapi
re_includes = re.compile('\\#(\\s*)include(\\s*)"(.*?)"')
@@ -82,7 +81,7 @@
diff_url = None
if item.prev_rev:
diff_url = '%sr1=%s&r2=%s' % (self.diff_url, item.prev_rev, item.rev)
- thisline = link_includes(cgi.escape(item.text), self.repos,
+ thisline = link_includes(sapi.escape(item.text), self.repos,
self.path_parts, self.include_url)
return _item(text=thisline, line_number=item.line_number,
rev=item.rev, prev_rev=item.prev_rev,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/viewvc-1.1.4/lib/idiff.py new/viewvc-1.1.5/lib/idiff.py
--- old/viewvc-1.1.4/lib/idiff.py 2006-03-18 03:07:36.000000000 +0100
+++ new/viewvc-1.1.5/lib/idiff.py 2010-03-29 17:32:43.000000000 +0200
@@ -1,6 +1,6 @@
# -*-python-*-
#
-# Copyright (C) 1999-2006 The ViewCVS Group. All Rights Reserved.
+# Copyright (C) 1999-2010 The ViewCVS Group. All Rights Reserved.
#
# By using this file, you agree to the terms and conditions set forth in
# the LICENSE.html file which can be found at the top level of the ViewVC
@@ -20,7 +20,7 @@
import sys
import re
import ezt
-import cgi
+import sapi
def sidebyside(fromlines, tolines, context):
"""Generate side by side diff"""
@@ -49,18 +49,18 @@
while True:
m = _re_mdiff.search(text, pos)
if not m:
- segments.append(_item(text=cgi.escape(text[pos:]), type=None))
+ segments.append(_item(text=sapi.escape(text[pos:]), type=None))
break
if m.start() > pos:
- segments.append(_item(text=cgi.escape(text[pos:m.start()]), type=None))
+ segments.append(_item(text=sapi.escape(text[pos:m.start()]), type=None))
if m.group(1) == "+":
- segments.append(_item(text=cgi.escape(m.group(2)), type="add"))
+ segments.append(_item(text=sapi.escape(m.group(2)), type="add"))
elif m.group(1) == "-":
- segments.append(_item(text=cgi.escape(m.group(2)), type="remove"))
+ segments.append(_item(text=sapi.escape(m.group(2)), type="remove"))
elif m.group(1) == "^":
- segments.append(_item(text=cgi.escape(m.group(2)), type="change"))
+ segments.append(_item(text=sapi.escape(m.group(2)), type="change"))
pos = m.end()
@@ -166,12 +166,12 @@
for m in _re_differ.finditer(guide, pos):
if m.start() > pos:
- segments.append(_item(text=cgi.escape(line[pos:m.start()]), type=None))
- segments.append(_item(text=cgi.escape(line[m.start():m.end()]),
+ segments.append(_item(text=sapi.escape(line[pos:m.start()]), type=None))
+ segments.append(_item(text=sapi.escape(line[m.start():m.end()]),
type="change"))
pos = m.end()
- segments.append(_item(text=cgi.escape(line[pos:]), type=None))
+ segments.append(_item(text=sapi.escape(line[pos:]), type=None))
return _item(gap=ezt.boolean(gap), type=type, segments=segments,
left_number=left_number, right_number=right_number)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/viewvc-1.1.4/lib/query.py new/viewvc-1.1.5/lib/query.py
--- old/viewvc-1.1.4/lib/query.py 2009-12-03 07:09:25.000000000 +0100
+++ new/viewvc-1.1.5/lib/query.py 2010-03-29 17:32:43.000000000 +0200
@@ -1,7 +1,7 @@
#!/usr/bin/env python
# -*-python-*-
#
-# Copyright (C) 1999-2009 The ViewCVS Group. All Rights Reserved.
+# Copyright (C) 1999-2010 The ViewCVS Group. All Rights Reserved.
#
# By using this file, you agree to the terms and conditions set forth in
# the LICENSE.html file which can be found at the top level of the ViewVC
@@ -439,11 +439,11 @@
'cfg' : cfg,
'address' : cfg.general.address,
'vsn' : viewvc.__version__,
- 'repository' : server.escape(form_data.repository, 1),
- 'branch' : server.escape(form_data.branch, 1),
- 'directory' : server.escape(form_data.directory, 1),
- 'file' : server.escape(form_data.file, 1),
- 'who' : server.escape(form_data.who, 1),
+ 'repository' : server.escape(form_data.repository),
+ 'branch' : server.escape(form_data.branch),
+ 'directory' : server.escape(form_data.directory),
+ 'file' : server.escape(form_data.file),
+ 'who' : server.escape(form_data.who),
'docroot' : cfg.options.docroot is None \
and viewvc_link + '/' + viewvc.docroot_magic_path \
or cfg.options.docroot,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/viewvc-1.1.4/lib/sapi.py new/viewvc-1.1.5/lib/sapi.py
--- old/viewvc-1.1.4/lib/sapi.py 2009-06-16 17:05:56.000000000 +0200
+++ new/viewvc-1.1.5/lib/sapi.py 2010-03-29 17:32:43.000000000 +0200
@@ -1,6 +1,6 @@
# -*-python-*-
#
-# Copyright (C) 1999-2006 The ViewCVS Group. All Rights Reserved.
+# Copyright (C) 1999-2010 The ViewCVS Group. All Rights Reserved.
#
# By using this file, you agree to the terms and conditions set forth in
# the LICENSE.html file which can be found at the top level of the ViewVC
@@ -20,6 +20,7 @@
import os
import sys
import re
+import cgi
# global server object. It will be either a CgiServer or a proxy to
@@ -27,6 +28,18 @@
server = None
+# Simple HTML string escaping. Note that we always escape the
+# double-quote character -- ViewVC shouldn't ever need to preserve
+# that character as-is, and sometimes needs to embed escaped values
+# into HTML attributes.
+def escape(s):
+ s = string.replace(s, '&', '&')
+ s = string.replace(s, '>', '>')
+ s = string.replace(s, '<', '<')
+ s = string.replace(s, '"', """)
+ return s
+
+
class Server:
def __init__(self):
self.pageGlobals = {}
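Review bot: The new module-level `escape` calls `string.replace` on L204–L207, but the import hunk for this file (L191–L195) adds only `cgi`; unless `string` is imported elsewhere in sapi.py, every call raises NameError, and the added `cgi` import now looks unused since the per-server `cgi.escape` wrappers are deleted in the later hunks. The replacement literals are printed as `'&'`, `'>'`, `'<'`, `'"'` on both sides, which reads like entity text lost in rendering rather than the real code; worth confirming against the source that the targets are the `&amp;`/`&gt;`/`&lt;`/`&quot;` entities. The removed AspServer.escape (L243) coerced with `str(s)`, and the shared function does not, so non-string values that worked on that path will now fail inside `string.replace`. A docstring such as `"""Return s with &, <, > and double-quote HTML-escaped; s must be a str, result is safe inside attribute values."""` would pin the contract. `class Server` starting at L211 continues past this hunk.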
@@ -34,6 +47,9 @@
def self(self):
return self
+ def escape(self, s):
+ return escape(s)
+
def close(self):
pass
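Review bot: `Server.escape(self, s)` has no `quote` parameter, while the three subclass methods it replaces (L233, L242, L259) accepted `escape(s, quote=None)`; query.py is updated in this diff, but any other caller still passing a second argument would now raise TypeError. Accepting and ignoring it keeps the old call signature working: `def escape(self, s, quote=None):` with `# quote is accepted for compatibility only; double quotes are always escaped now` above the `return escape(s)`. The enclosing `class Server` starts and ends outside this hunk.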
@@ -129,9 +145,6 @@
global server
server = self
- global cgi
- import cgi
-
def addheader(self, name, value):
self.headers.append((name, value))
@@ -160,9 +173,6 @@
self.header(status='301 Moved')
sys.stdout.write('This document is located <a href="%s">here</a>.\n' % url)
- def escape(self, s, quote = None):
- return cgi.escape(s, quote)
-
def getenv(self, name, value=None):
ret = os.environ.get(name, value)
if self.iis and name == 'PATH_INFO' and ret:
@@ -219,9 +229,6 @@
def redirect(self, url):
self.response.Redirect(url)
- def escape(self, s, quote = None):
- return self.server.HTMLEncode(str(s))
-
def getenv(self, name, value = None):
ret = self.request.ServerVariables(name)()
if not type(ret) is types.UnicodeType:
@@ -283,9 +290,6 @@
self.request = request
self.headerSent = 0
- global cgi
- import cgi
-
def addheader(self, name, value):
self.request.headers_out.add(name, value)
@@ -308,9 +312,6 @@
self.request.write("You are being redirected to %s</a>"
% (url, url))
- def escape(self, s, quote = None):
- return cgi.escape(s, quote)
-
def getenv(self, name, value = None):
try:
return self.request.subprocess_env[name]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/viewvc-1.1.4/lib/viewvc.py new/viewvc-1.1.5/lib/viewvc.py
--- old/viewvc-1.1.4/lib/viewvc.py 2010-03-10 22:25:25.000000000 +0100
+++ new/viewvc-1.1.5/lib/viewvc.py 2010-03-29 17:41:46.000000000 +0200
@@ -14,7 +14,7 @@
#
# -----------------------------------------------------------------------
-__version__ = '1.1.4'
+__version__ = '1.1.5'
# this comes from our library; measure the startup time
import debug
@@ -24,7 +24,6 @@
# standard modules that we know are in the path or builtin
import sys
import os
-import cgi
import gzip
import mimetypes
import re
@@ -432,7 +431,8 @@
action = self.server.escape(urllib.quote(url, _URL_SAFE_CHARS))
hidden_values = []
for name, value in params.items():
- hidden_values.append(_item(name=name, value=value))
+ hidden_values.append(_item(name=self.server.escape(name),
+ value=self.server.escape(value)))
return action, hidden_values
def get_link(self, view_func=None, where=None, pathtype=None, params=None):
@@ -1075,9 +1075,6 @@
revision_href=revision_href,
prefer_markup=ezt.boolean(prefer_markup))
-def htmlify(html):
- return html and cgi.escape(html) or html
-
# Matches URLs
_re_rewrite_url = re.compile('((http|https|ftp|file|svn|svn\+ssh)'
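Review bot: Removing `htmlify` drops the `html and cgi.escape(html) or html` guard that let a falsy value (None or '') pass through untouched; the direct `request.server.escape(...)` and `sapi.escape(...)` calls that replace it at L349, L365 and L374 hand the value straight to `string.replace` in the new `sapi.escape`, which raises TypeError on None. L382 keeps its `if comment:` check, but whether `search_re` or `headers` can be None is not visible here and should be confirmed. If either can, keep a guard at the call site, e.g. `'search_re' : search_re and request.server.escape(search_re) or search_re,`, or give `sapi.escape` an explicit, documented behaviour for None.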
@@ -1110,8 +1107,8 @@
"""
s = mobj.group(0)
trunc_s = maxlen and s[:maxlen] or s
- return '<a href="%s">%s</a>' % (cgi.escape(s),
- cgi.escape(trunc_s)), \
+ return '<a href="%s">%s</a>' % (sapi.escape(s),
+ sapi.escape(trunc_s)), \
len(trunc_s)
def format_email(self, mobj, userdata, maxlen=0):
@@ -1162,7 +1159,7 @@
- the number of characters returned.
"""
trunc_s = maxlen and s[:maxlen] or s
- return cgi.escape(trunc_s), len(trunc_s)
+ return sapi.escape(trunc_s), len(trunc_s)
def add_formatter(self, regexp, conv, userdata=None):
"""Register a formatter which finds instances of strings matching
@@ -1467,7 +1464,7 @@
if not chunk:
break
if htmlize:
- chunk = htmlify(chunk)
+ chunk = sapi.escape(chunk)
dst.write(chunk)
class MarkupPipeWrapper:
@@ -1496,7 +1493,7 @@
blame_source = []
if blame_data:
for i in blame_data:
- i.text = cgi.escape(i.text)
+ i.text = sapi.escape(i.text)
i.diff_href = None
if i.prev_rev:
i.diff_href = request.get_url(view_func=view_diff,
@@ -1559,7 +1556,7 @@
if not line:
break
line_no = line_no + 1
- line = cgi.escape(string.expandtabs(line, cfg.options.tabsize))
+ line = sapi.escape(string.expandtabs(line, cfg.options.tabsize))
item = vclib.Annotation(line, line_no, None, None, None, None)
item.diff_href = None
lines.append(item)
@@ -2034,7 +2031,7 @@
'entries' : rows,
'sortby' : sortby,
'sortdir' : sortdir,
- 'search_re' : htmlify(search_re),
+ 'search_re' : request.server.escape(search_re),
'dir_pagestart' : None,
'sortby_file_href' : request.get_url(params={'sortby': 'file',
'sortdir': None},
@@ -2766,7 +2763,7 @@
hr_breakable = self.cfg.options.hr_breakable
# in the code below, "\x01" will be our stand-in for "&". We don't want
- # to insert "&" because it would get escaped by htmlify(). Similarly,
+ # to insert "&" because it would get escaped by sapi.escape(). Similarly,
# we use "\x02" as a stand-in for "<br>"
if hr_breakable > 1 and len(text) > hr_breakable:
@@ -2776,7 +2773,7 @@
text = string.replace(text, ' ', ' \x01nbsp;')
else:
text = string.replace(text, ' ', '\x01nbsp;')
- text = htmlify(text)
+ text = sapi.escape(text)
text = string.replace(text, '\x01', '&')
text = string.replace(text, '\x02',
'<span style="color:red">\</span><br />')
@@ -3157,7 +3154,7 @@
else:
changes = DiffSource(fp, cfg)
else:
- raw_diff_fp = MarkupPipeWrapper(fp, htmlify(headers), None, 1)
+ raw_diff_fp = MarkupPipeWrapper(fp, request.server.escape(headers), None, 1)
no_format_params = request.query_dict.copy()
no_format_params['diff_format'] = None
@@ -3704,7 +3701,7 @@
ret.append('on all branches ')
comment = request.query_dict.get('comment', '')
if comment:
- ret.append('with comment <i>%s</i> ' % htmlify(comment))
+ ret.append('with comment <i>%s</i> ' % request.server.escape(comment))
if who:
ret.append('by <em>%s</em> ' % request.server.escape(who))
date = request.query_dict.get('date', 'hours')
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++