Date:      Mon, 9 Apr 2007 22:42:50 +1000 (YAKST)
From:      Alexander Logvinov <ports@logvinov.com>
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        Alexander Logvinov <ports@logvinov.com>
Subject:   ports/111407: [PATCH] www/instiki: Fix cross site scripting vulnerability
Message-ID:  <200704091242.l39CgokV082864@blg.akavia.ru>
Resent-Message-ID: <200704091250.l39Co2kP069486@freefall.freebsd.org>


>Number:         111407
>Category:       ports
>Synopsis:       [PATCH] www/instiki: Fix cross site scripting vulnerability
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Mon Apr 09 12:50:01 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Alexander Logvinov
>Release:        FreeBSD 6.2-RELEASE-p3 i386
>Organization:
>Environment:

>Description:

    Update www/instiki to upstream 0.11 Patch Level 1 (instiki-0.11.pl1), which fixes a cross-site scripting (XSS) vulnerability

    Release info: http://rubyforge.org/frs/shownotes.php?group_id=186&release_id=10014
    Security: http://golem.ph.utexas.edu/~distler/blog/archives/001181.html
    
>How-To-Repeat:

>Fix:

Index: Makefile
===================================================================
RCS file: /home/pcvs/ports/www/instiki/Makefile,v
retrieving revision 1.11
diff -u -r1.11 Makefile
--- Makefile	3 Oct 2006 00:59:47 -0000	1.11
+++ Makefile	9 Apr 2007 12:40:29 -0000
@@ -7,10 +7,11 @@
 
 PORTNAME=	instiki
 PORTVERSION=	0.11.0
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	www ruby
 MASTER_SITES=	${MASTER_SITE_RUBYFORGE}
 MASTER_SITE_SUBDIR=	${PORTNAME}
+DISTNAME=	${PORTNAME}-0.11.pl1
 EXTRACT_SUFX=	.tgz
 
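Review bot: PORTVERSION stays at 0.11.0 while DISTNAME is redirected to `instiki-0.11.pl1`, so the installed package is versioned 0.11.0_3 and nothing in its name records that it is the patched upstream release; a VuXML entry for this XSS issue would have to express the vulnerable range as `<0.11.0_3` rather than by upstream version. Consider carrying the patch level in PORTVERSION instead (for example `PORTVERSION=	0.11.0.1` together with `DISTNAME=	${PORTNAME}-0.11.pl1`, or whatever sorts after 0.11.0_2 under pkg_version(1)) and dropping PORTREVISION, so pkg_version and portaudit see a genuine upgrade. If the current scheme is kept, a comment next to DISTNAME such as `# 0.11.pl1 is the upstream security fix release (XSS); PORTVERSION kept for sorting` would stop the next maintainer from reverting it.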
 MAINTAINER=	arsptr@internode.on.net
@@ -40,6 +41,7 @@
 	  rake environment RAILS_ENV=production migrate )
 
 do-install:
+	@${FIND} -E ${WRKSRC} -type f -iregex ".*\._.+" -exec ${RM} "{}" \;
 	${CP} -pR ${WRKSRC}/ ${PREFIX}/${INSTIKIDIR}
 	${CP} ${PREFIX}/${INSTIKIDIR}/db/production.db.sqlite3 \
 		${PREFIX}/${INSTIKIDIR}/db/default.db.sqlite3
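Review bot: The `find -E … -iregex ".*\._.+"` clean-up matches the regex against the whole path, so any regular file whose path contains `._` anywhere (a directory named `foo._bar`, or a file like `x._y.rb`) is deleted along with the intended AppleDouble `._*` resource-fork files. Anchoring on the basename is both narrower and simpler: `@${FIND} ${WRKSRC} -type f -name '._*' -delete`. Since these stray files are an artefact of the distfile rather than of installation, a `post-extract:` target is the conventional place for the removal instead of `do-install:`, so the tree is already clean during patch and build; nothing matching `._*` appears in pkg-plist in this diff, so the plist stays consistent either way.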
Index: distinfo
===================================================================
RCS file: /home/pcvs/ports/www/instiki/distinfo,v
retrieving revision 1.3
diff -u -r1.3 distinfo
--- distinfo	1 May 2006 14:32:27 -0000	1.3
+++ distinfo	9 Apr 2007 12:40:29 -0000
@@ -1,3 +1,3 @@
-MD5 (instiki-0.11.0.tgz) = c8d86d05ef9a801e21e12d661fc737ab
-SHA256 (instiki-0.11.0.tgz) = 4bc1315c73ecf2dbaef9c243b5073aa49ca3ea2c64a61c54b8fd57e4baf039ce
-SIZE (instiki-0.11.0.tgz) = 1483964
+MD5 (instiki-0.11.pl1.tgz) = 42859487777cf56199cfe8c343a9c33b
+SHA256 (instiki-0.11.pl1.tgz) = 777fc053818b139b0aac7dd96d274a194b93d35dbfb70d0d8a8aa2d3e49a27d8
+SIZE (instiki-0.11.pl1.tgz) = 1344168
Index: pkg-plist
===================================================================
RCS file: /home/pcvs/ports/www/instiki/pkg-plist,v
retrieving revision 1.6
diff -u -r1.6 pkg-plist
--- pkg-plist	24 Jun 2006 11:52:15 -0000	1.6
+++ pkg-plist	9 Apr 2007 12:40:29 -0000
@@ -61,9 +61,9 @@
 %%INSTIKIDIR%%db/default.db.sqlite3
 %%INSTIKIDIR%%db/schema.rb
 %%INSTIKIDIR%%instiki
+%%INSTIKIDIR%%instiki.bat
 %%INSTIKIDIR%%instiki.cmd
 %%INSTIKIDIR%%instiki.rb
-%%INSTIKIDIR%%instiki.sh
 %%INSTIKIDIR%%lib/bluecloth_tweaked.rb
 %%INSTIKIDIR%%lib/chunks/category.rb
 %%INSTIKIDIR%%lib/chunks/chunk.rb
@@ -74,15 +74,17 @@
 %%INSTIKIDIR%%lib/chunks/test.rb
 %%INSTIKIDIR%%lib/chunks/uri.rb
 %%INSTIKIDIR%%lib/chunks/wiki.rb
+%%INSTIKIDIR%%lib/db_structure.rb
 %%INSTIKIDIR%%lib/diff.rb
 %%INSTIKIDIR%%lib/instiki_errors.rb
-%%INSTIKIDIR%%lib/native/linux/libsqlite3.so
 %%INSTIKIDIR%%lib/native/win32/sqlite3.dll
 %%INSTIKIDIR%%lib/native/win32/sqlite3_api.so
+%%INSTIKIDIR%%lib/node.rb
 %%INSTIKIDIR%%lib/page_renderer.rb
 %%INSTIKIDIR%%lib/rdocsupport.rb
 %%INSTIKIDIR%%lib/redcloth.rb
 %%INSTIKIDIR%%lib/redcloth_for_tex.rb
+%%INSTIKIDIR%%lib/sanitize.rb
 %%INSTIKIDIR%%lib/url_generator.rb
 %%INSTIKIDIR%%lib/wiki_content.rb
 %%INSTIKIDIR%%lib/wiki_words.rb
@@ -127,6 +129,7 @@
 %%INSTIKIDIR%%script/benchmarker
 %%INSTIKIDIR%%script/breakpointer
 %%INSTIKIDIR%%script/console
+%%INSTIKIDIR%%script/create_db
 %%INSTIKIDIR%%script/destroy
 %%INSTIKIDIR%%script/generate
 %%INSTIKIDIR%%script/import_storage
@@ -153,6 +156,7 @@
 %%INSTIKIDIR%%test/unit/page_renderer_test.rb
 %%INSTIKIDIR%%test/unit/page_test.rb
 %%INSTIKIDIR%%test/unit/redcloth_for_tex_test.rb
+%%INSTIKIDIR%%test/unit/sanitize_test.rb
 %%INSTIKIDIR%%test/unit/uri_test.rb
 %%INSTIKIDIR%%test/unit/web_test.rb
 %%INSTIKIDIR%%test/unit/wiki_file_test.rb
Index: files/bluecloth-patch-lib-chunks-engines-rb
===================================================================
RCS file: /home/pcvs/ports/www/instiki/files/bluecloth-patch-lib-chunks-engines-rb,v
retrieving revision 1.1
diff -u -r1.1 bluecloth-patch-lib-chunks-engines-rb
--- files/bluecloth-patch-lib-chunks-engines-rb	9 Jun 2006 08:58:56 -0000	1.1
+++ files/bluecloth-patch-lib-chunks-engines-rb	9 Apr 2007 12:40:29 -0000
@@ -1,12 +1,12 @@
---- lib/chunks/engines.rb.orig	Sun Mar 12 15:57:24 2006
-+++ lib/chunks/engines.rb	Tue Jun  6 22:45:16 2006
-@@ -35,7 +35,8 @@
- 
-   class Markdown < AbstractEngine
+--- lib/chunks/engines.rb.orig	Wed Feb 28 06:09:26 2007
++++ lib/chunks/engines.rb	Mon Apr  9 22:22:51 2007
+@@ -40,7 +40,8 @@
+     require_dependency 'sanitize'
+     include Sanitize
      def mask
 -      require_dependency 'bluecloth_tweaked'
 +      require_dependency 'rubygems'
 +      require_gem 'BlueCloth'
-       BlueCloth.new(@content, @content.options[:engine_opts]).to_html
+       html = BlueCloth.new(@content, @content.options[:engine_opts]).to_html
+       sanitize_html(html)
      end
-   end
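Review bot: The rebased port patch still replaces upstream's bundled `bluecloth_tweaked` with the system BlueCloth gem (`require_gem 'BlueCloth'`), so any hardening upstream may have put into `bluecloth_tweaked` for 0.11.pl1 is not carried over on FreeBSD; on this build the retained `sanitize_html(html)` pass over the gem's output (the context lines at the end of the hunk) is the only XSS mitigation on the Markdown path. That assumption deserves a comment at the top of the patch file, before the `---` header, e.g. `Use the system BlueCloth gem instead of the bundled bluecloth_tweaked; upstream's sanitize_html() call must stay after to_html.` Whether 0.11.pl1 changed `bluecloth_tweaked` itself is not visible from this diff. As a side point, `require_gem` is deprecated in RubyGems 0.9 and later in favour of `gem 'BlueCloth'`; that line is unchanged by this commit but will warn or break once the ports tree's rubygems is updated.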
>Release-Note:
>Audit-Trail:
>Unformatted:


