Update to cvsweb-2.1, including partial XSS mitigations;

OK gonzalo@ brynet@. Note that autodetecting the location of the configuration file is no longer supported. Now, it must be set explicitly in the script.
2019-11-10 08:23:35 +00:00 · 2019-11-10 08:23:35 +00:00 · 4aacab025a
commit 4aacab025a
parent 564546fe0b
6 changed files with 26 additions and 176 deletions
--- a/devel/cvsweb/Makefile
+++ b/devel/cvsweb/Makefile
@ -1,38 +1,32 @@
-# $OpenBSD: Makefile,v 1.62 2019/07/12 20:44:07 sthen Exp $
+# $OpenBSD: Makefile,v 1.63 2019/11/10 08:23:35 schwarze Exp $

 COMMENT=	CGI script to browse CVS repository trees

-DISTNAME=	cvsweb-2.0.6
-REVISION=	27
+DISTNAME=	cvsweb-2.1
 CATEGORIES=	devel www
-HOMEPAGE=	http://www.freebsd.org/projects/cvsweb.html
+HOMEPAGE=	https://mandoc.bsd.lv/cvsweb/
+MAINTAINER=	Ingo Schwarze <schwarze@openbsd.org>

 # BSD
 PERMIT_PACKAGE=	Yes

-MASTER_SITES=	${MASTER_SITE_FREEBSD_LOCAL:=scop/} \
-		http://people.FreeBSD.org/~scop/cvsweb/
+MASTER_SITES=	https://mandoc.bsd.lv/cvsweb/release/

 NO_BUILD=	Yes
 NO_TEST=	Yes
 PKG_ARCH=	*

 PREFIX=		${VARBASE}/www
-CONFDIR=	${PREFIX}/conf

 ICONS=		back.gif dir.gif text.gif \
 		miniback.gif minidir.gif minitext.gif

-SUBST_VARS=	CONFDIR
-
-do-configure:
-	@perl -i -pe 's@%%CONFDIR%%@${CONFDIR}@g' ${WRKSRC}/cvsweb.cgi
-
 do-install:
 	${INSTALL_SCRIPT_DIR} ${PREFIX}/cgi-bin
 	${INSTALL_SCRIPT} ${WRKSRC}/cvsweb.cgi ${PREFIX}/cgi-bin/cvsweb
-	${INSTALL_DATA_DIR} ${CONFDIR}/cvsweb
-	${INSTALL_DATA} ${WRKSRC}/cvsweb.conf ${CONFDIR}/cvsweb/cvsweb.conf.dist
+	${INSTALL_DATA_DIR} ${PREFIX}/conf/cvsweb
+	${INSTALL_DATA} ${WRKSRC}/cvsweb.conf \
+		${PREFIX}/conf/cvsweb/cvsweb.conf.dist
 	${INSTALL_DATA_DIR} ${PREFIX}/htdocs/cvsweb/icons
 .for file in ${ICONS}
 	${INSTALL_DATA} ${WRKSRC}/icons/${file} ${PREFIX}/htdocs/cvsweb/icons/
--- a/devel/cvsweb/distinfo
+++ b/devel/cvsweb/distinfo
@ -1,2 +1,2 @@
-SHA256 (cvsweb-2.0.6.tar.gz) = lUW+4XFQh+ehmVGzNbNJDEnpVMLTVpINC2VEYiPV/UI=
-SIZE (cvsweb-2.0.6.tar.gz) = 52659
+SHA256 (cvsweb-2.1.tar.gz) = bBfC222oIX3iOM2D9f7svHDJM2Zh4y2IkL7zTuwRE84=
+SIZE (cvsweb-2.1.tar.gz) = 52697
--- a/devel/cvsweb/patches/patch-cvsweb_cgi
+++ b/devel/cvsweb/patches/patch-cvsweb_cgi
@ -1,69 +0,0 @@
-$OpenBSD: patch-cvsweb_cgi,v 1.13 2013/04/07 20:07:24 naddy Exp $
--- cvsweb.cgi.orig	Thu Sep 26 22:56:05 2002
-+++ cvsweb.cgi	Sun Apr  7 14:15:55 2013
-@@ -1,4 +1,4 @@
-#!/usr/bin/perl -wT
-+#!/usr/bin/perl -w
- #
- # cvsweb - a CGI interface to CVS trees.
- #
-@@ -157,7 +157,7 @@ use File::Basename ();
- 
- # == EDIT this ==
- # Locations to search for user configuration, in order:
-for ("$mydir/cvsweb.conf", '/usr/local/etc/cvsweb/cvsweb.conf') {
-+for ("$mydir/cvsweb.conf", '%%CONFDIR%%/cvsweb/cvsweb.conf') {
- 	if (defined($_) && -r $_) {
- 		$config = $_;
- 		last;
-@@ -193,7 +193,7 @@ $tmpdir = defined($ENV{TMPDIR}) ? $ENV{TMPDIR} : "/var
- $LOG_FILESEPARATOR = q/^={77}$/;
- $LOG_REVSEPARATOR  = q/^-{28}$/;
- 
-@DIFFTYPES = qw(h H u c s);
-+@DIFFTYPES = qw(h H u c);
- @DIFFTYPES{@DIFFTYPES} = (
- 	{
- 		'descr'   => 'colored',
-@@ -215,11 +215,6 @@ $LOG_REVSEPARATOR  = q/^-{28}$/;
- 		'opts'    => ['-c'],
- 		'colored' => 0,
- 	},
-	{
-		'descr'   => 'side by side',
-		'opts'    => ['--side-by-side', '--width=164'],
-		'colored' => 0,
-	},
- );
- 
- @LOGSORTKEYS = qw(cvs date rev);
-@@ -2014,20 +2009,6 @@ sub doDiff($$$$$$) {
- 	my @difftype       = @{$difftype->{'opts'}};
- 	my $human_readable = $difftype->{'colored'};
- 
-	# apply special options
-	if ($showfunc) {
-		push @difftype, '-p' if $f ne 's';
-
-		my ($re1, $re2);
-
-		while (($re1, $re2) = each %funcline_regexp) {
-			if ($fullname =~ /$re1/) {
-				push @difftype, '-F', $re2;
-				last;
-			}
-		}
-	}
-
- 	if ($human_readable) {
- 		if ($hr_ignwhite) {
- 			push @difftype, '-w';
-@@ -2658,7 +2639,7 @@ sub printLog($;$) {
- 	if (/^1\.1\.1\.\d+$/) {
- 		print " <i>(vendor branch)</i>";
- 	}
-	if (defined @mytz) {
-+	if (@mytz) {
- 		my ($est) = $mytz[(localtime($date{$_}))[8]];
- 		print ", <i>", scalar localtime($date{$_}), " $est</i> (";
- 	} else {
--- a/devel/cvsweb/patches/patch-cvsweb_conf
+++ b/devel/cvsweb/patches/patch-cvsweb_conf
@ -1,59 +0,0 @@
-$OpenBSD: patch-cvsweb_conf,v 1.13 2014/07/26 19:38:03 naddy Exp $
--- cvsweb.conf.orig	Mon Sep 23 07:30:17 2002
-+++ cvsweb.conf	Sat Jul 26 03:08:50 2014
-@@ -81,8 +81,7 @@ $cvstreedefault = $CVSrepositories[2 * 0];    # The fi
- ##############
- # Manual gateway
- ##############
-$mancgi =
-    "http://www.FreeBSD.org/cgi/man.cgi?apropos=0&sektion=%s&query=%s&manpath=FreeBSD+5.0-current&format=html";
-+$mancgi = "http://www.openbsd.org/cgi-bin/man.cgi?&sec=%s&query=%s";
- 
- ##############
- # Defaults for UserSettings
-@@ -115,7 +114,6 @@ $mancgi =
- 	#   h      Human readable
- 	#   u      Unified diff
- 	#   c      Context diff
-	#   s      Side by side
- 	"f" => "u",
- 
- 	# hidecvsroot: Don't show the CVSROOT directory
-@@ -200,7 +198,7 @@ EOT
- # These default icons are coming with apache.
- # If these icons are too large, check out the miniicons in the
- # icons/ directory; they have a width/height of 16/16
-my $iconsdir = "/icons";
-+my $iconsdir = "/cvsweb/icons";
- 
- # format:             TEXT      ICON-URL              width height
- %ICONS = (
-@@ -290,19 +288,6 @@ $use_descriptions = 0;
- # exceed the width of the browser
- $hr_breakable = 1;
- 
-# give out function names in diffs
-# this just makes sense if we have C-files, otherwise
-# diff's heuristic doesn't work well ..
-# ( '-p' option to diff)
-$showfunc = 1;
-
-# For each pair of regexps, files that match the first regexp will be diff'ed
-# with an '-F' option with the second regexp.
-%funcline_regexp = (
-	"\\.(4th|fr)\$" => "\\(^\\|[ \t]\\): ",
-	"\\.rb\$"       => "^[\t ]*\\(class\\|module\\|def\\) ",
-);
-
- # ignore whitespaces for human readable diffs
- # (indendation and stuff ..)
- # ( '-w' option to diff)
-@@ -335,7 +320,7 @@ $inputTextSize = 12;
- # cvsweb to guess the correct mime-type on
- # checkout; you can use the mime.types from
- # apache here:
-$mime_types = '/usr/local/etc/apache/mime.types';
-+$mime_types = '/var/www/conf/mime.types';
- 
- # quick mime-type lookup; maps file-suffices to
- # mime-types for displaying checkouts in the browser.
--- a/devel/cvsweb/pkg/PLIST
+++ b/devel/cvsweb/pkg/PLIST
@ -1,8 +1,8 @@
-@comment $OpenBSD: PLIST,v 1.10 2018/09/04 12:46:10 espie Exp $
+@comment $OpenBSD: PLIST,v 1.11 2019/11/10 08:23:35 schwarze Exp $
 cgi-bin/cvsweb
 conf/cvsweb/
 conf/cvsweb/cvsweb.conf.dist
-@sample ${CONFDIR}/cvsweb/cvsweb.conf
+@sample conf/cvsweb/cvsweb.conf
 htdocs/cvsweb/
 htdocs/cvsweb/icons/
 htdocs/cvsweb/icons/back.gif
@ -11,5 +11,5 @@ htdocs/cvsweb/icons/miniback.gif
 htdocs/cvsweb/icons/minidir.gif
 htdocs/cvsweb/icons/minitext.gif
 htdocs/cvsweb/icons/text.gif
-@cwd ${LOCALBASE}/share/doc/pkg-readmes
-${PKGSTEM}
+@cwd ${LOCALBASE}
+share/doc/pkg-readmes/${PKGSTEM}
--- a/devel/cvsweb/pkg/README
+++ b/devel/cvsweb/pkg/README
@ -1,5 +1,5 @@
-# $OpenBSD: README,v 1.18 2019/05/02 18:58:38 naddy Exp $
-# 
+# $OpenBSD: README,v 1.19 2019/11/10 08:23:35 schwarze Exp $
+#
 # +-----------------------------------------------------------------------
 # | Running ${PKGSTEM} on OpenBSD
 # +-----------------------------------------------------------------------
@ -80,35 +80,19 @@ rcctl start slowcgi

 # Editing cvsweb and cvsweb.conf
 # ------------------------------
-#
-# The cvsweb program itself and cvsweb.conf both assume httpd is not
-# running in a chroot environment, so we need to change some default paths
-# so they are relative to /var/www.
-#
-# In /var/www/cgi-bin/cvsweb:
-#
-# for ("$mydir/cvsweb.conf", '/var/www/conf/cvsweb/cvsweb.conf') {
-# for ("$mydir/cvsweb.conf", '/conf/cvsweb/cvsweb.conf') {
-# 
-# In /var/www/conf/cvsweb/cvsweb.conf:
-# 
-# Change CVSrepositories to reflect the location of the directories which
-# contain CVSROOT.  This example shows a local repository NFS mounted over
-# loopback into /var/www/cvs, since the directory must be relative to
-# /var/www, we use /cvs.
-#
-# @CVSrepositories = (
-# 	'local'   => ['Local Repository', '/home/cvs'],	      (default)
-# 	'local'   => ['Local Repository', '/cvs'],	      (chroot)
-#
-# And the same idea for $mimetypes:
-#
-# $mime_types = '/var/www/conf/mime.types';		       (default)
-# $mime_types = '/conf/mime.types';			       (chroot)
+# The cvsweb program already assumes that it is running chrooted,
+# and the location of the configuration file is hardcoded to
+# /conf/cvsweb/cvsweb.conf, so usually there is no need to edit
+# the cvsweb program itself.
+
+# By default, /var/www/conf/cvsweb/cvsweb.conf configures one
+# repository to be served: /var/www/cvs/, which should contain
+# the subdirectory CVSROOT and one or more module directories.
+# Additional repositories, each containing their own CVSROOT
+# subdirectory, can be added to the @CVSrepositories array.

 # Example httpd.conf(5) for cvsweb
 # --------------------------------
-#
 # server "domain.tld" {
 #      listen on * port 80
 #      #listen on egress tls port 443