sync/ports
1
0
Fork 0
mirror of https://git.freebsd.org/ports.git synced 2025-07-18 09:49:18 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fix information leakage security vulnerability.

Browse source 
VuXML:		http://vuxml.FreeBSD.org/323784cf-48a6-11d9-a9e7-0001020eed82.html
Approved by:	nectar
Obtained from:	Debian
This commit is contained in:
Simon L. B. Nielsen 2004-12-08 10:50:38 +00:00
parent c46101db22
commit c4371e60ed
Notes: svn2git 2021-03-31 03:12:20 +00:00 
svn path=/head/; revision=123452
4 changed files with 76 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
devel/viewcvs/Makefile
View file

@ -7,7 +7,7 @@
PORTNAME= viewcvs PORTNAME= viewcvs
PORTVERSION= 0.9.2 PORTVERSION= 0.9.2
PORTREVISION= 1 PORTREVISION= 2
CATEGORIES= devel python CATEGORIES= devel python
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
MASTER_SITE_SUBDIR= ${PORTNAME} MASTER_SITE_SUBDIR= ${PORTNAME}

37
devel/viewcvs/files/patch-CAN-2004-0915 Normal file
View file

@ -0,0 +1,37 @@
--- lib/viewcvs.py.orig 2004-10-20 15:03:41.000000000 +0200
+++ lib/viewcvs.py 2004-10-20 16:37:35.000000000 +0200
@@ -2455,10 +2455,17 @@ def generate_tarball_header(out, name, s
def generate_tarball(out, relative, directory, tag, stack=[]):
subdirs = [ ]
rcs_files = [ ]
+ if relative == 'CVSROOT' and cfg.options.hide_cvsroot:
+ return
+
for file, pathname, isdir in get_file_data(directory):
if pathname == _UNREADABLE_MARKER:
continue
if isdir:
+ if file == 'CVSROOT' and relative.find('/') == -1 and cfg.options.hide_cvsroot:
+ continue
+ if relative.find('/') == -1 and cfg.is_forbidden(file):
+ continue
subdirs.append(file)
else:
rcs_files.append(file)
@@ -2583,6 +2590,16 @@ def main():
'</body></html>\n')
return
+ if where == 'CVSROOT' and cfg.options.hide_cvsroot:
+ print "Status: 400"
+ http_header()
+ print ('<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
+ '<html><head>\n<title>400 Bad Request</title>\n'
+ '</head><body>\n'
+ '<H1>Bad Request</H1>\n Listing of CVSROOT is disallowed.<p>\n'
+ '</body></html>\n')
+ return
+
### look for GZIP binary
# if we have a directory and the request didn't end in "/", then redirect

2
devel/viewvc/Makefile
View file

@ -7,7 +7,7 @@
PORTNAME= viewcvs PORTNAME= viewcvs
PORTVERSION= 0.9.2 PORTVERSION= 0.9.2
PORTREVISION= 1 PORTREVISION= 2
CATEGORIES= devel python CATEGORIES= devel python
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
MASTER_SITE_SUBDIR= ${PORTNAME} MASTER_SITE_SUBDIR= ${PORTNAME}

37
devel/viewvc/files/patch-CAN-2004-0915 Normal file
View file

@ -0,0 +1,37 @@
--- lib/viewcvs.py.orig 2004-10-20 15:03:41.000000000 +0200
+++ lib/viewcvs.py 2004-10-20 16:37:35.000000000 +0200
@@ -2455,10 +2455,17 @@ def generate_tarball_header(out, name, s
def generate_tarball(out, relative, directory, tag, stack=[]):
subdirs = [ ]
rcs_files = [ ]
+ if relative == 'CVSROOT' and cfg.options.hide_cvsroot:
+ return
+
for file, pathname, isdir in get_file_data(directory):
if pathname == _UNREADABLE_MARKER:
continue
if isdir:
+ if file == 'CVSROOT' and relative.find('/') == -1 and cfg.options.hide_cvsroot:
+ continue
+ if relative.find('/') == -1 and cfg.is_forbidden(file):
+ continue
subdirs.append(file)
else:
rcs_files.append(file)
@@ -2583,6 +2590,16 @@ def main():
'</body></html>\n')
return
+ if where == 'CVSROOT' and cfg.options.hide_cvsroot:
+ print "Status: 400"
+ http_header()
+ print ('<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
+ '<html><head>\n<title>400 Bad Request</title>\n'
+ '</head><body>\n'
+ '<H1>Bad Request</H1>\n Listing of CVSROOT is disallowed.<p>\n'
+ '</body></html>\n')
+ return
+
### look for GZIP binary
# if we have a directory and the request didn't end in "/", then redirect