From cc29610abb853776a657bda981addd2bec9bc814 Mon Sep 17 00:00:00 2001
From: jasper <jasper@openbsd.org>
Date: Mon, 7 Mar 2011 18:38:06 +0000
Subject: [PATCH] Security fix for CVE-2011-1058, MoinMoin "refuri" Cross-Site
 Scripting Vulnerability

Note that 'rst' is not the default parser, but available if docutils are installed. For more information see http://moinmo.in/SecurityFixes
---
 www/moinmoin/Makefile                         |  3 ++-
 .../patches/patch-MoinMoin_parser_text_rst_py | 20 +++++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)
 create mode 100644 www/moinmoin/patches/patch-MoinMoin_parser_text_rst_py

diff --git a/www/moinmoin/Makefile b/www/moinmoin/Makefile
index 32d59f9d8fe..039c7b2d9aa 100644
--- a/www/moinmoin/Makefile
+++ b/www/moinmoin/Makefile
@@ -1,10 +1,11 @@
-# $OpenBSD: Makefile,v 1.19 2010/09/01 23:24:55 fgsch Exp $
+# $OpenBSD: Makefile,v 1.20 2011/03/07 18:38:06 jasper Exp $
 
 COMMENT =	wiki engine written in python
 
 MODPY_EGG_VERSION = 1.9.3
 DISTNAME =	moin-${MODPY_EGG_VERSION}
 PKGNAME =	moin${DISTNAME}
+REVISION =	0
 
 CATEGORIES =	www
 
diff --git a/www/moinmoin/patches/patch-MoinMoin_parser_text_rst_py b/www/moinmoin/patches/patch-MoinMoin_parser_text_rst_py
new file mode 100644
index 00000000000..29e573f8846
--- /dev/null
+++ b/www/moinmoin/patches/patch-MoinMoin_parser_text_rst_py
@@ -0,0 +1,20 @@
+$OpenBSD: patch-MoinMoin_parser_text_rst_py,v 1.1 2011/03/07 18:38:06 jasper Exp $
+
+Security fix for CVE-2011-1058,
+MoinMoin "refuri" Cross-Site Scripting Vulnerability
+
+Patch from upstream Mercurial:
+http://hg.moinmo.in/moin/1.9/rev/97208f67798f
+
+--- MoinMoin/parser/text_rst.py.orig	Mon Mar  7 19:35:58 2011
++++ MoinMoin/parser/text_rst.py	Mon Mar  7 19:36:02 2011
+@@ -391,6 +391,9 @@ class MoinTranslator(html4css1.HTMLTranslator):
+                 # for images with targets).
+                 if not [i for i in node.children if i.__class__ == docutils.nodes.image]:
+                     node['classes'].append('interwiki')
++            elif prefix == 'javascript':
++                # is someone trying to do XSS with javascript?
++                node['refuri'] = 'javascript:alert("it does not work")'
+             elif prefix != '':
+                 # Some link scheme (http, file, https, mailto, etc.), add class
+                 # information if the reference doesn't have a child image (don't