Date: Wed, 19 Nov 2003 15:50:30 +0900 (JST)
From: Fumihiko Kimura <jfkimura@yahoo.co.jp>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/59451: maintainer-update ports: www/tdiary 1.5.6 to 1.5.6_1
Message-ID: <200311190650.hAJ6oU3n055850@sh0.radio.gr.jp>
Resent-Message-ID: <200311190700.hAJ70dWB073538@freefall.freebsd.org>
>Number: 59451
>Category: ports
>Synopsis: maintainer-update ports: www/tdiary 1.5.6 to 1.5.6_1
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Tue Nov 18 23:00:39 PST 2003
>Closed-Date:
>Last-Modified:
>Originator: Fumihiko Kimura
>Release: FreeBSD 4.9-RELEASE i386
>Organization:
>Environment:
>Description:
There is a security-related problem in tDiary 1.5.6; the tDiary developer released a security advisory.
See http://www.tdiary.org/20031119.html (in Japanese only)

It occurs only under the following terms.
* "@secure = true" in the setting file (tdiary.conf)
* output_rdf.rb or tb-send.rb by plugin choice

When both sides served as the terms mentioned above, a patch file needs consideration. You are not required if you do not fall under this.
>How-To-Repeat:
Checked: FreeBSD 4.9-RELEASE FreeBSD FreeBSD 5.1-RELEASE-p10
>Fix:
=== begin cut here === diff -urN /usr/ports/www/tdiary/Makefile /usr/ports/www/tdiary-stable/Makefile --- /usr/ports/www/tdiary/Makefile Sat Nov 15 19:13:01 2003 +++ /usr/ports/www/tdiary-stable/Makefile Wed Nov 19 14:01:50 2003 @@ -7,6 +7,7 @@ PORTNAME= tdiary PORTVERSION= 1.5.6 +PORTREVISION= 1 CATEGORIES?= www ruby MASTER_SITES= \ ${MASTER_SITE_SOURCEFORGE} \ 
@@ -70,6 +71,7 @@ post-install: @cd ${WRKSRC} && ${FIND} . -type f -o -type l | ${SED} -e 's,^\.,${TDIARYDIR:S|${LOCALBASE}/||},' >> ${TMPPLIST} @cd ${WRKSRC} && ${FIND} . -type d -depth | ${SED} -e 's,^\.,@dirrm ${TDIARYDIR:S|${LOCALBASE}/||},' >> ${TMPPLIST} - @${SED} -e "s,%%EXAMPLESDIR%%,${EXAMPLESDIR},g" ${PKGMESSAGE} + @${SED} -e 's|%%EXAMPLESDIR%%|${EXAMPLESDIR}|' < ${FILESDIR}/pkg-message.in > ${PKGMESSAGE} + @${CAT} ${PKGMESSAGE} .include <bsd.port.mk> diff -urN /usr/ports/www/tdiary/files/patch-aa /usr/ports/www/tdiary-stable/files/patch-aa --- /usr/ports/www/tdiary/files/patch-aa Thu Jan 1 09:00:00 1970 +++ /usr/ports/www/tdiary-stable/files/patch-aa Wed Nov 19 13:35:35 2003 
@@ -0,0 +1,52 @@ +=================================================================== +RCS file: /cvsroot/tdiary/core/tdiary.rb,v +retrieving revision 1.156 +retrieving revision 1.159 +diff -u -r1.156 -r1.159 +--- tdiary.rb 2003/11/13 06:34:22 1.156 ++++ tdiary.rb 2003/11/18 15:02:39 1.159 +@@ -1,13 +1,13 @@ + =begin + == NAME + tDiary: the "tsukkomi-able" web diary system. +-tdiary.rb $Revision: 1.156 $ ++tdiary.rb $Revision: 1.159 $ + + Copyright (C) 2001-2003, TADA Tadashi <sho@spc.gr.jp> + You can redistribute it and/or modify it under GPL2. + =end + +-TDIARY_VERSION = '1.5.6' ++TDIARY_VERSION = '1.5.6.20031118' + + require 'cgi' + begin +@@ -62,10 +62,14 @@ + module Safe + def safe( level = 4 ) + result = nil +- Thread.start { +- $SAFE = level ++ if $SAFE < level then ++ Thread.start { ++ $SAFE = level ++ result = yield ++ }.join ++ else + result = yield +- }.join ++ end + result + end + module_function :safe +@@ -740,7 +744,9 @@ + r = str.dup + if @options['apply_plugin'] and str.index( '<%' ) then + r = str.untaint if $SAFE < 3 +- r = ERbLight.new( r ).result( binding ) ++ Safe::safe( @conf.secure ? 4 : 1 ) do ++ r = ERbLight.new( r ).result( binding ) ++ end + end + r.gsub!( /<.*?>/, '' ) if remove_tag + r diff -urN /usr/ports/www/tdiary/files/pkg-message.in /usr/ports/www/tdiary-stable/files/pkg-message.in --- /usr/ports/www/tdiary/files/pkg-message.in Thu Jan 1 09:00:00 1970 +++ /usr/ports/www/tdiary-stable/files/pkg-message.in Wed Nov 19 13:45:59 2003 
@@ -0,0 +1,29 @@ + +============================================================================= +There is a script to install tDiary in a user directory. +This script should be run manually. + +[Ruby 1.6.x] + + # ruby %%EXAMPLESDIR%%/tdiaryinst.rb --user=User + or + % ruby %%EXAMPLESDIR%%/tdiaryinst.rb + + * Option: --suexec Use suExec for CGI execution + --help Display Help information + +[Ruby 1.8.x] + + # %%EXAMPLESDIR%%/tdiary-FreeBSD.sh User + or + % %%EXAMPLESDIR%%/tdiary-FreeBSD.sh install + +--- +There is a document by English in the following directories. + See ... + %%EXAMPLESDIR%%/misc/i18n/ + and + Explanation by English of a tDiary system can refer to the following page : + + http://tdiary-users.sourceforge.jp/cgi-bin/wiki.cgi?FrontPage_en +============================================================================= diff -urN /usr/ports/www/tdiary/pkg-message /usr/ports/www/tdiary-stable/pkg-message --- /usr/ports/www/tdiary/pkg-message Sat Nov 15 19:13:01 2003 +++ /usr/ports/www/tdiary-stable/pkg-message Thu Jan 1 09:00:00 1970 @@ -1,26 +0,0 @@ - -============================================================================= -There is a script to install tDiary in a user directory. -This script should be run manually. - -[Ruby 1.6.x] - - # ruby %%EXAMPLESDIR%%/tdiaryinst.rb --user=User - or - % ruby %%EXAMPLESDIR%%/tdiaryinst.rb - -[Ruby 1.8.x] - - # %%EXAMPLESDIR%%/tdiary-FreeBSD.sh User - or - % %%EXAMPLESDIR%%/tdiary-FreeBSD.sh install - ---- -There is a document by English in the following directories. - See ... - %%EXAMPLESDIR%%/misc/i18n/ - and - Explanation by English of a tDiary system can refer to the following page : - - http://tdiary-users.sourceforge.jp/cgi-bin/wiki.cgi?FrontPage_en -============================================================================= === ended cut here === >Release-Note: >Audit-Trail: >Unformatted:
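Review bot: In the Makefile post-install hunk (@@ -70,6 +71,7 @@), the new sed line redirects its output to ${PKGMESSAGE}, but none of the visible Makefile hunks redefines PKGMESSAGE, and the patch deletes the static pkg-message from the port directory. With the bsd.port.mk default, PKGMESSAGE is pkg-message inside the port directory, so post-install would write into the ports tree at install time. If the Makefile does not already set it outside the shown context, add PKGMESSAGE= ${WRKDIR}/pkg-message. The substitution also lost its g flag; every line of pkg-message.in carries at most one %%EXAMPLESDIR%% today, but keeping g avoids a half-substituted message if the template changes.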
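Review bot: The else branch added to Safe.safe in files/patch-aa (@@ -62,10 +62,14 @@) has no comment explaining why the thread is skipped when $SAFE is already at or above the requested level. As written, a caller that asks for a lower level than the one it runs at silently keeps its current, stricter level and the block runs in the calling thread. That is the safe direction, but it is the behaviour the security fix depends on, so it should be documented next to `if $SAFE < level then`, for example with a one-line comment stating that the block is never run below the caller's level.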
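Review bot: In the apply_plugin hunk of files/patch-aa (@@ -740,7 +744,9 @@), the unchanged context line `r = str.untaint if $SAFE < 3` still runs immediately before the new Safe::safe block, and it untaints the caller's str in place while discarding the copy made by `r = str.dup`. The string evaluated by ERbLight inside the sandbox is therefore the original object with its taint mark cleared, and the caller's string stays untainted afterwards. Untainting only the copy (`r.untaint if $SAFE < 3`) would keep the evaluation the same without altering the argument; since this file is a copy of the upstream change, the point is worth raising with the tDiary developers rather than diverging in the port.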