author | Peter Volkov <pva@gentoo.org> | 2011-09-11 11:39:20 +0000 |
committer | Peter Volkov <pva@gentoo.org> | 2011-09-11 11:39:20 +0000 |
commit | c46493bfc29374f78e7ea8ef2024eb95d7a93fc3 (patch) | |
tree | 1343c96d95c8d1a3a33aea0109ad531b77fb34b8 /www-apps | |
parent | Fix bash-completion test. Drop emacs USE flag (bug #382177); fix bash-complet... (diff) | |
Fix XSS vulnerability in rename hint, bug #378803; thanks to Nikoli for this work. Drop old.
(Portage version: 2.1.10.11/cvs/Linux x86_64)
Diffstat (limited to 'www-apps')
-rw-r--r-- | www-apps/cgit/ChangeLog | 10 | ||||
-rw-r--r-- | www-apps/cgit/cgit-0.9.0.2-r1.ebuild (renamed from www-apps/cgit/cgit-0.9.0.1.ebuild) | 4 | ||||
-rw-r--r-- | www-apps/cgit/cgit-0.9.0.2.ebuild | 85 | ||||
-rw-r--r-- | www-apps/cgit/cgit-9999.ebuild | 85 | ||||
-rw-r--r-- | www-apps/cgit/files/cgit-0.9.0.2-fix-xss.patch | 35 |
5 files changed, 47 insertions, 172 deletions
diff --git a/www-apps/cgit/ChangeLog b/www-apps/cgit/ChangeLog
index a91acfee9fd3..187bdfff63e0 100644
--- a/www-apps/cgit/ChangeLog
+++ b/www-apps/cgit/ChangeLog
@@ -1,6 +1,14 @@
 # ChangeLog for www-apps/cgit
 # Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/www-apps/cgit/ChangeLog,v 1.8 2011/08/03 18:17:38 pva Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-apps/cgit/ChangeLog,v 1.9 2011/09/11 11:39:20 pva Exp $
+
+*cgit-0.9.0.2-r1 (11 Sep 2011)
+
+ 11 Sep 2011; Peter Volkov <pva@gentoo.org> -cgit-0.9.0.1.ebuild,
+ -cgit-0.9.0.2.ebuild, +cgit-0.9.0.2-r1.ebuild,
+ +files/cgit-0.9.0.2-fix-xss.patch, -cgit-9999.ebuild:
+ Fix XSS vulnerability in rename hint, bug #378803, thank Nikoli for this job.
+ Drop old.
 
 *cgit-0.9.0.2 (03 Aug 2011)
 
diff --git a/www-apps/cgit/cgit-0.9.0.1.ebuild b/www-apps/cgit/cgit-0.9.0.2-r1.ebuild
index 03b223a7dca9..9ecf4627a779 100644
--- a/www-apps/cgit/cgit-0.9.0.1.ebuild
+++ b/www-apps/cgit/cgit-0.9.0.2-r1.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2011 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/www-apps/cgit/cgit-0.9.0.1.ebuild,v 1.1 2011/06/27 08:58:08 pva Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-apps/cgit/cgit-0.9.0.2-r1.ebuild,v 1.1 2011/09/11 11:39:20 pva Exp $
 
 EAPI="4"
 
@@ -45,6 +45,8 @@ src_prepare() {
 rmdir git || die
 mv "${WORKDIR}"/git-"${GIT_V}" git || die
 
+ epatch "${FILESDIR}"/${P}-fix-xss.patch
+
 sed -i \
 -e "/^CACHE_ROOT =/s:/var/cache/cgit:${CGIT_CACHEDIR}:" \
 Makefile || die
diff --git a/www-apps/cgit/cgit-0.9.0.2.ebuild b/www-apps/cgit/cgit-0.9.0.2.ebuild
deleted file mode 100644
index 5176fb3c086d..000000000000
--- a/www-apps/cgit/cgit-0.9.0.2.ebuild
+++ /dev/null
@@ -1,85 +0,0 @@
-# Copyright 1999-2011 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/www-apps/cgit/cgit-0.9.0.2.ebuild,v 1.1 2011/08/03 18:17:38 pva Exp $
-
-EAPI="4"
-
-WEBAPP_MANUAL_SLOT="yes"
-
-inherit webapp eutils multilib
-
-[[ -z "${CGIT_CACHEDIR}" ]] && CGIT_CACHEDIR="/var/cache/${PN}/"
-
-GIT_V="1.7.4"
-
-DESCRIPTION="a fast web-interface for git repositories"
-HOMEPAGE="http://hjemli.net/git/cgit/about/"
-SRC_URI="mirror://kernel/software/scm/git/git-${GIT_V}.tar.bz2
- http://hjemli.net/git/cgit/snapshot/${P}.tar.bz2"
-
-LICENSE="GPL-2"
-SLOT="0"
-KEYWORDS="~amd64 ~x86"
-IUSE="doc highlight"
-
-RDEPEND="
- dev-vcs/git
- sys-libs/zlib
- dev-libs/openssl
- virtual/httpd-cgi
- highlight? ( app-text/highlight )
-"
-# ebuilds without WEBAPP_MANUAL_SLOT="yes" are broken
-DEPEND="${RDEPEND}
- !<www-apps/cgit-0.8.3.3
- doc? ( app-text/docbook-xsl-stylesheets
- >=app-text/asciidoc-8.5.1 )
-"
-
-pkg_setup() {
- webapp_pkg_setup
- enewuser "${PN}"
-}
-
-src_prepare() {
- rmdir git || die
- mv "${WORKDIR}"/git-"${GIT_V}" git || die
-
- sed -i \
- -e "/^CACHE_ROOT =/s:/var/cache/cgit:${CGIT_CACHEDIR}:" \
- Makefile || die
-}
-
-src_compile() {
- emake
- use doc && emake doc-man
-}
-
-src_install() {
- webapp_src_preinst
-
- emake \
- prefix="${EPREFIX}"/usr \
- libdir="${EPREFIX}"/usr/$(get_libdir) \
- CGIT_SCRIPT_PATH="${MY_CGIBINDIR}" \
- CGIT_DATA_PATH="${MY_HTDOCSDIR}" \
- DESTDIR="${D}" install
-
- insinto /etc
- doins "${FILESDIR}"/cgitrc
-
- dodoc README
- use doc && doman cgitrc.5
-
- webapp_postinst_txt en "${FILESDIR}"/postinstall-en.txt
- webapp_src_install
-
- keepdir "${CGIT_CACHEDIR}"
- fowners ${PN}:${PN} "${CGIT_CACHEDIR}"
- fperms 700 "${CGIT_CACHEDIR}"
-}
-
-pkg_postinst() {
- ewarn "If you intend to run cgit using web server's user"
- ewarn "you should change ${CGIT_CACHEDIR} permissions."
-}
diff --git a/www-apps/cgit/cgit-9999.ebuild b/www-apps/cgit/cgit-9999.ebuild
deleted file mode 100644
index 37000f3d913f..000000000000
--- a/www-apps/cgit/cgit-9999.ebuild
+++ /dev/null
@@ -1,85 +0,0 @@
-# Copyright 1999-2011 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/www-apps/cgit/cgit-9999.ebuild,v 1.2 2011/06/27 08:58:08 pva Exp $
-
-EAPI="4"
-
-WEBAPP_MANUAL_SLOT="yes"
-
-inherit webapp eutils multilib git-2
-
-[[ -z "${CGIT_CACHEDIR}" ]] && CGIT_CACHEDIR="/var/cache/${PN}/"
-
-GIT_V="1.7.4"
-
-DESCRIPTION="a fast web-interface for git repositories"
-HOMEPAGE="http://hjemli.net/git/cgit/about/"
-SRC_URI="mirror://kernel/software/scm/git/git-${GIT_V}.tar.bz2"
-EGIT_REPO_URI="git://hjemli.net/pub/git/${PN}"
-
-LICENSE="GPL-2"
-SLOT="0"
-KEYWORDS=""
-IUSE="doc highlight"
-
-RDEPEND="
- dev-vcs/git
- sys-libs/zlib
- dev-libs/openssl
- virtual/httpd-cgi
- highlight? ( app-text/highlight )
-"
-# ebuilds without WEBAPP_MANUAL_SLOT="yes" are broken
-DEPEND="${RDEPEND}
- !<www-apps/cgit-0.8.3.3
- doc? ( app-text/docbook-xsl-stylesheets
- >=app-text/asciidoc-8.5.1 )
-"
-
-pkg_setup() {
- webapp_pkg_setup
- enewuser "${PN}"
-}
-
-src_prepare() {
- rmdir git || die
- mv "${WORKDIR}"/git-"${GIT_V}" git || die
-
- sed -i \
- -e "/^CACHE_ROOT =/s:/var/cache/cgit:${CGIT_CACHEDIR}:" \
- Makefile || die
-}
-
-src_compile() {
- emake
- use doc && emake doc-man
-}
-
-src_install() {
- webapp_src_preinst
-
- emake \
- prefix="${EPREFIX}"/usr \
- libdir="${EPREFIX}"/usr/$(get_libdir) \
- CGIT_SCRIPT_PATH="${MY_CGIBINDIR}" \
- CGIT_DATA_PATH="${MY_HTDOCSDIR}" \
- DESTDIR="${D}" install
-
- insinto /etc
- doins "${FILESDIR}"/cgitrc
-
- dodoc README
- use doc && doman cgitrc.5
-
- webapp_postinst_txt en "${FILESDIR}"/postinstall-en.txt
- webapp_src_install
-
- keepdir "${CGIT_CACHEDIR}"
- fowners ${PN}:${PN} "${CGIT_CACHEDIR}"
- fperms 700 "${CGIT_CACHEDIR}"
-}
-
-pkg_postinst() {
- ewarn "If you intend to run cgit using web server's user"
- ewarn "you should change ${CGIT_CACHEDIR} permissions."
-}
diff --git a/www-apps/cgit/files/cgit-0.9.0.2-fix-xss.patch b/www-apps/cgit/files/cgit-0.9.0.2-fix-xss.patch
new file mode 100644
index 000000000000..cfd230cd62f3
--- /dev/null
+++ b/www-apps/cgit/files/cgit-0.9.0.2-fix-xss.patch
@@ -0,0 +1,35 @@
+From bebe89d7c11a92bf206bf6e528c51ffa8ecbc0d5 Mon Sep 17 00:00:00 2001
+From: Lukas Fleischer <cgit@cryptocrack.de>
+Date: Fri, 22 Jul 2011 11:47:19 +0000
+Subject: Fix potential XSS vulnerability in rename hint
+
+The file name displayed in the rename hint should be escaped to avoid
+XSS. Note that this vulnerability is only applicable when an attacker
+has gained push access to the repository.
+
+Signed-off-by: Lukas Fleischer <cgit@cryptocrack.de>
+Signed-off-by: Lars Hjemli <hjemli@gmail.com>
+---
+diff --git a/ui-diff.c b/ui-diff.c
+index d21541b..383a534 100644
+--- a/ui-diff.c
++++ b/ui-diff.c
+@@ -97,10 +97,12 @@ static void print_fileinfo(struct fileinfo *info)
+ htmlf("</td><td class='%s'>", class);
+ cgit_diff_link(info->new_path, NULL, NULL, ctx.qry.head, ctx.qry.sha1,
+ ctx.qry.sha2, info->new_path, 0);
+- if (info->status == DIFF_STATUS_COPIED || info->status == DIFF_STATUS_RENAMED)
+- htmlf(" (%s from %s)",
+- info->status == DIFF_STATUS_COPIED ? "copied" : "renamed",
+- info->old_path);
++ if (info->status == DIFF_STATUS_COPIED || info->status == DIFF_STATUS_RENAMED) {
++ htmlf(" (%s from ",
++ info->status == DIFF_STATUS_COPIED ? "copied" : "renamed");
++ html_txt(info->old_path);
++ html(")");
++ }
+ html("</td><td class='right'>");
+ if (info->binary) {
+ htmlf("bin</td><td class='graph'>%ld -> %ld bytes",
+--
+cgit v0.9.0.2-51-g5d24
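Review bot: The new block now routes `info->old_path` through `html_txt()` instead of an `htmlf` `%s`, but the context two lines above still passes `info->new_path` to `cgit_diff_link()` as both the link path and its title argument, and whether that helper escapes its title is outside this hunk; the same repository content that controls old_path controls new_path, so this should be confirmed rather than assumed. A one-line comment above the new `if`, `/* old_path is repository-controlled text: emit via html_txt(), never through an htmlf %s */`, would record the reason for the split into htmlf/html_txt/html and discourage a future merge back into a single format call. The patch header (upstream commit bebe89d7, Signed-off-by lines) is kept, which is good for traceability. print_fileinfo starts and ends outside the hunk.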