Fix information leakage security vulnerability.

VuXML: http://vuxml.FreeBSD.org/323784cf-48a6-11d9-a9e7-0001020eed82.html Approved by: nectar Obtained from: Debian
svn path=/head/; revision=123452
2004-12-08 10:50:38 +00:00 · 2004-12-08 10:50:38 +00:00 · c4371e60ed · 2021-03-31 03:12:20 +00:00
commit c4371e60ed
parent c46101db22
4 changed files with 76 additions and 2 deletions
--- a/devel/viewcvs/Makefile
+++ b/devel/viewcvs/Makefile
@ -7,7 +7,7 @@

 PORTNAME=	viewcvs
 PORTVERSION=	0.9.2
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	devel python
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
 MASTER_SITE_SUBDIR=	${PORTNAME}
--- a/devel/viewcvs/files/patch-CAN-2004-0915
+++ b/devel/viewcvs/files/patch-CAN-2004-0915
@ -0,0 +1,37 @@
+--- lib/viewcvs.py.orig	2004-10-20 15:03:41.000000000 +0200
+++ lib/viewcvs.py	2004-10-20 16:37:35.000000000 +0200
+@@ -2455,10 +2455,17 @@ def generate_tarball_header(out, name, s
+ def generate_tarball(out, relative, directory, tag, stack=[]):
+   subdirs = [ ]
+   rcs_files = [ ]
+  if relative == 'CVSROOT' and cfg.options.hide_cvsroot:
+    return
+
+   for file, pathname, isdir in get_file_data(directory):
+     if pathname == _UNREADABLE_MARKER:
+       continue
+     if isdir:
+      if file == 'CVSROOT' and relative.find('/') == -1 and cfg.options.hide_cvsroot:
+        continue
+      if relative.find('/') == -1 and cfg.is_forbidden(file):
+        continue
+       subdirs.append(file)
+     else:
+       rcs_files.append(file)
+@@ -2583,6 +2590,16 @@ def main():
+            '</body></html>\n')
+     return
+ 
+  if where == 'CVSROOT' and cfg.options.hide_cvsroot:
+    print "Status: 400"
+    http_header()
+    print ('<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
+           '<html><head>\n<title>400 Bad Request</title>\n'
+           '</head><body>\n'
+           '<H1>Bad Request</H1>\n Listing of CVSROOT is disallowed.<p>\n'
+           '</body></html>\n')
+    return
+
+   ### look for GZIP binary
+ 
+   # if we have a directory and the request didn't end in "/", then redirect
--- a/devel/viewvc/Makefile
+++ b/devel/viewvc/Makefile
@ -7,7 +7,7 @@

 PORTNAME=	viewcvs
 PORTVERSION=	0.9.2
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	devel python
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
 MASTER_SITE_SUBDIR=	${PORTNAME}
--- a/devel/viewvc/files/patch-CAN-2004-0915
+++ b/devel/viewvc/files/patch-CAN-2004-0915
@ -0,0 +1,37 @@
+--- lib/viewcvs.py.orig	2004-10-20 15:03:41.000000000 +0200
+++ lib/viewcvs.py	2004-10-20 16:37:35.000000000 +0200
+@@ -2455,10 +2455,17 @@ def generate_tarball_header(out, name, s
+ def generate_tarball(out, relative, directory, tag, stack=[]):
+   subdirs = [ ]
+   rcs_files = [ ]
+  if relative == 'CVSROOT' and cfg.options.hide_cvsroot:
+    return
+
+   for file, pathname, isdir in get_file_data(directory):
+     if pathname == _UNREADABLE_MARKER:
+       continue
+     if isdir:
+      if file == 'CVSROOT' and relative.find('/') == -1 and cfg.options.hide_cvsroot:
+        continue
+      if relative.find('/') == -1 and cfg.is_forbidden(file):
+        continue
+       subdirs.append(file)
+     else:
+       rcs_files.append(file)
+@@ -2583,6 +2590,16 @@ def main():
+            '</body></html>\n')
+     return
+ 
+  if where == 'CVSROOT' and cfg.options.hide_cvsroot:
+    print "Status: 400"
+    http_header()
+    print ('<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
+           '<html><head>\n<title>400 Bad Request</title>\n'
+           '</head><body>\n'
+           '<H1>Bad Request</H1>\n Listing of CVSROOT is disallowed.<p>\n'
+           '</body></html>\n')
+    return
+
+   ### look for GZIP binary
+ 
+   # if we have a directory and the request didn't end in "/", then redirect