From c4371e60ede3627dc4ed3c4d6fefbaf3c20b068d Mon Sep 17 00:00:00 2001
From: "Simon L. B. Nielsen"
Date: Wed, 8 Dec 2004 10:50:38 +0000
Subject: [PATCH] Fix information leakage security vulnerability.
VuXML: http://vuxml.FreeBSD.org/323784cf-48a6-11d9-a9e7-0001020eed82.html
Approved by: nectar
Obtained from: Debian
---
 devel/viewcvs/Makefile | 2 +-
 devel/viewcvs/files/patch-CAN-2004-0915 | 37 +++++++++++++++++++++++++
 devel/viewvc/Makefile | 2 +-
 devel/viewvc/files/patch-CAN-2004-0915 | 37 +++++++++++++++++++++++++
 4 files changed, 76 insertions(+), 2 deletions(-)
 create mode 100644 devel/viewcvs/files/patch-CAN-2004-0915
 create mode 100644 devel/viewvc/files/patch-CAN-2004-0915
diff --git a/devel/viewcvs/Makefile b/devel/viewcvs/Makefile
index fb7a7e504179..5ae981e9066b 100644
--- a/devel/viewcvs/Makefile
+++ b/devel/viewcvs/Makefile
@@ -7,7 +7,7 @@
 PORTNAME= viewcvs
 PORTVERSION= 0.9.2
-PORTREVISION= 1
+PORTREVISION= 2
 CATEGORIES= devel python
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
 MASTER_SITE_SUBDIR= ${PORTNAME}
diff --git a/devel/viewcvs/files/patch-CAN-2004-0915 b/devel/viewcvs/files/patch-CAN-2004-0915
new file mode 100644
index 000000000000..6e150bc53438
--- /dev/null
+++ b/devel/viewcvs/files/patch-CAN-2004-0915
@@ -0,0 +1,37 @@
+--- lib/viewcvs.py.orig 2004-10-20 15:03:41.000000000 +0200
++++ lib/viewcvs.py 2004-10-20 16:37:35.000000000 +0200
+@@ -2455,10 +2455,17 @@ def generate_tarball_header(out, name, s
+ def generate_tarball(out, relative, directory, tag, stack=[]):
+ subdirs = [ ]
+ rcs_files = [ ]
++ if relative == 'CVSROOT' and cfg.options.hide_cvsroot:
++ return
++
+ for file, pathname, isdir in get_file_data(directory):
+ if pathname == _UNREADABLE_MARKER:
+ continue
+ if isdir:
++ if file == 'CVSROOT' and relative.find('/') == -1 and cfg.options.hide_cvsroot:
++ continue
++ if relative.find('/') == -1 and cfg.is_forbidden(file):
++ continue
+ subdirs.append(file)
+ else:
+ rcs_files.append(file)
+@@ -2583,6 +2590,16 @@ def main():
+ '\n')
+ return
+
++ if where == 'CVSROOT' and cfg.options.hide_cvsroot:
++ print "Status: 400"
++ http_header()
++ print ('\n'
++ '\n400 Bad Request\n'
++ '\n'
++ '

Bad Request

\n Listing of CVSROOT is disallowed.

\n'
++ '\n')
++ return
++
+ ### look for GZIP binary
+
+ # if we have a directory and the request didn't end in "/", then redirect
diff --git a/devel/viewvc/Makefile b/devel/viewvc/Makefile
index fb7a7e504179..5ae981e9066b 100644
--- a/devel/viewvc/Makefile
+++ b/devel/viewvc/Makefile
@@ -7,7 +7,7 @@
 PORTNAME= viewcvs
 PORTVERSION= 0.9.2
-PORTREVISION= 1
+PORTREVISION= 2
 CATEGORIES= devel python
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
 MASTER_SITE_SUBDIR= ${PORTNAME}
diff --git a/devel/viewvc/files/patch-CAN-2004-0915 b/devel/viewvc/files/patch-CAN-2004-0915
new file mode 100644
index 000000000000..6e150bc53438
--- /dev/null
+++ b/devel/viewvc/files/patch-CAN-2004-0915
@@ -0,0 +1,37 @@
+--- lib/viewcvs.py.orig 2004-10-20 15:03:41.000000000 +0200
++++ lib/viewcvs.py 2004-10-20 16:37:35.000000000 +0200
+@@ -2455,10 +2455,17 @@ def generate_tarball_header(out, name, s
+ def generate_tarball(out, relative, directory, tag, stack=[]):
+ subdirs = [ ]
+ rcs_files = [ ]
++ if relative == 'CVSROOT' and cfg.options.hide_cvsroot:
++ return
++
+ for file, pathname, isdir in get_file_data(directory):
+ if pathname == _UNREADABLE_MARKER:
+ continue
+ if isdir:
++ if file == 'CVSROOT' and relative.find('/') == -1 and cfg.options.hide_cvsroot:
++ continue
++ if relative.find('/') == -1 and cfg.is_forbidden(file):
++ continue
+ subdirs.append(file)
+ else:
+ rcs_files.append(file)
+@@ -2583,6 +2590,16 @@ def main():
+ '\n')
+ return
+
++ if where == 'CVSROOT' and cfg.options.hide_cvsroot:
++ print "Status: 400"
++ http_header()
++ print ('\n'
++ '\n400 Bad Request\n'
++ '\n'
++ '

Bad Request

\n Listing of CVSROOT is disallowed.

\n'
++ '\n')
++ return
++
+ ### look for GZIP binary
+
+ # if we have a directory and the request didn't end in "/", then redirect
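Review bot: Both new CVSROOT guards compare the whole path with `==` (`relative == 'CVSROOT'` in generate_tarball, `where == 'CVSROOT'` in main), so they match only that exact string. Whether requests for paths beneath CVSROOT are also refused depends on how `where` and `relative` are normalised outside the hunk, which is worth confirming; if hide_cvsroot is meant to cover the whole tree, a first-component test such as `where.split('/')[0] == 'CVSROOT'` states that directly. In the subdirectory loop, `relative.find('/') == -1` holds for a first-level module as well as for the repository root (if the root is passed as an empty string), so `cfg.is_forbidden(file)` is presumably also applied to second-level directory names; `not relative` would say "top level" if that is the intent. The identical patch file is added under devel/viewcvs and devel/viewvc, so the point applies to both copies, and generate_tarball and main both continue outside the inner hunks.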