Date: Mon, 9 Apr 2007 22:42:50 +1000 (YAKST)
From: Alexander Logvinov <ports@logvinov.com>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: Alexander Logvinov <ports@logvinov.com>
Subject: ports/111407: [PATCH] www/instiki: Fix cross site scripting vulnerability
Message-ID: <200704091242.l39CgokV082864@blg.akavia.ru>
Resent-Message-ID: <200704091250.l39Co2kP069486@freefall.freebsd.org>
>Number: 111407 >Category: ports >Synopsis: [PATCH] www/instiki: Fix cross site scripting vulnerability >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: update >Submitter-Id: current-users >Arrival-Date: Mon Apr 09 12:50:01 GMT 2007 >Closed-Date: >Last-Modified: >Originator: Alexander Logvinov >Release: FreeBSD 6.2-RELEASE-p3 i386 >Organization: >Environment: >Description: Update to 0.11 Patch Level 1 and fix cross site scripting vulnerability Release info: http://rubyforge.org/frs/shownotes.php?group_id=186&release_id=10014 Security: http://golem.ph.utexas.edu/~distler/blog/archives/001181.html >How-To-Repeat: >Fix: Index: Makefile =================================================================== RCS file: /home/pcvs/ports/www/instiki/Makefile,v retrieving revision 1.11 diff -u -r1.11 Makefile --- Makefile 3 Oct 2006 00:59:47 -0000 1.11 +++ Makefile 9 Apr 2007 12:40:29 -0000 @@ -7,10 +7,11 @@ PORTNAME= instiki PORTVERSION= 0.11.0 -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES= www ruby MASTER_SITES= ${MASTER_SITE_RUBYFORGE} MASTER_SITE_SUBDIR= ${PORTNAME} +DISTNAME= ${PORTNAME}-0.11.pl1 EXTRACT_SUFX= .tgz MAINTAINER= arsptr@internode.on.net @@ -40,6 +41,7 @@ rake environment RAILS_ENV=production migrate ) do-install: + @${FIND} -E ${WRKSRC} -type f -iregex ".*\._.+" -exec ${RM} "{}" \; ${CP} -pR ${WRKSRC}/ ${PREFIX}/${INSTIKIDIR} ${CP} ${PREFIX}/${INSTIKIDIR}/db/production.db.sqlite3 \ ${PREFIX}/${INSTIKIDIR}/db/default.db.sqlite3 Index: distinfo =================================================================== RCS file: /home/pcvs/ports/www/instiki/distinfo,v retrieving revision 1.3 diff -u -r1.3 distinfo --- distinfo 1 May 2006 14:32:27 -0000 1.3 +++ distinfo 9 Apr 2007 12:40:29 -0000 
@@ -1,3 +1,3 @@ -MD5 (instiki-0.11.0.tgz) = c8d86d05ef9a801e21e12d661fc737ab -SHA256 (instiki-0.11.0.tgz) = 4bc1315c73ecf2dbaef9c243b5073aa49ca3ea2c64a61c54b8fd57e4baf039ce -SIZE (instiki-0.11.0.tgz) = 1483964 +MD5 (instiki-0.11.pl1.tgz) = 42859487777cf56199cfe8c343a9c33b +SHA256 (instiki-0.11.pl1.tgz) = 777fc053818b139b0aac7dd96d274a194b93d35dbfb70d0d8a8aa2d3e49a27d8 +SIZE (instiki-0.11.pl1.tgz) = 1344168 Index: pkg-plist =================================================================== RCS file: /home/pcvs/ports/www/instiki/pkg-plist,v retrieving revision 1.6 diff -u -r1.6 pkg-plist --- pkg-plist 24 Jun 2006 11:52:15 -0000 1.6 +++ pkg-plist 9 Apr 2007 12:40:29 -0000 @@ -61,9 +61,9 @@ %%INSTIKIDIR%%db/default.db.sqlite3 %%INSTIKIDIR%%db/schema.rb %%INSTIKIDIR%%instiki +%%INSTIKIDIR%%instiki.bat %%INSTIKIDIR%%instiki.cmd %%INSTIKIDIR%%instiki.rb -%%INSTIKIDIR%%instiki.sh %%INSTIKIDIR%%lib/bluecloth_tweaked.rb %%INSTIKIDIR%%lib/chunks/category.rb %%INSTIKIDIR%%lib/chunks/chunk.rb @@ -74,15 +74,17 @@ %%INSTIKIDIR%%lib/chunks/test.rb %%INSTIKIDIR%%lib/chunks/uri.rb %%INSTIKIDIR%%lib/chunks/wiki.rb +%%INSTIKIDIR%%lib/db_structure.rb %%INSTIKIDIR%%lib/diff.rb %%INSTIKIDIR%%lib/instiki_errors.rb -%%INSTIKIDIR%%lib/native/linux/libsqlite3.so %%INSTIKIDIR%%lib/native/win32/sqlite3.dll %%INSTIKIDIR%%lib/native/win32/sqlite3_api.so +%%INSTIKIDIR%%lib/node.rb %%INSTIKIDIR%%lib/page_renderer.rb %%INSTIKIDIR%%lib/rdocsupport.rb %%INSTIKIDIR%%lib/redcloth.rb %%INSTIKIDIR%%lib/redcloth_for_tex.rb +%%INSTIKIDIR%%lib/sanitize.rb %%INSTIKIDIR%%lib/url_generator.rb %%INSTIKIDIR%%lib/wiki_content.rb %%INSTIKIDIR%%lib/wiki_words.rb @@ -127,6 +129,7 @@ %%INSTIKIDIR%%script/benchmarker %%INSTIKIDIR%%script/breakpointer %%INSTIKIDIR%%script/console +%%INSTIKIDIR%%script/create_db %%INSTIKIDIR%%script/destroy %%INSTIKIDIR%%script/generate %%INSTIKIDIR%%script/import_storage 
@@ -153,6 +156,7 @@ %%INSTIKIDIR%%test/unit/page_renderer_test.rb %%INSTIKIDIR%%test/unit/page_test.rb %%INSTIKIDIR%%test/unit/redcloth_for_tex_test.rb +%%INSTIKIDIR%%test/unit/sanitize_test.rb %%INSTIKIDIR%%test/unit/uri_test.rb %%INSTIKIDIR%%test/unit/web_test.rb %%INSTIKIDIR%%test/unit/wiki_file_test.rb Index: files/bluecloth-patch-lib-chunks-engines-rb =================================================================== RCS file: /home/pcvs/ports/www/instiki/files/bluecloth-patch-lib-chunks-engines-rb,v retrieving revision 1.1 diff -u -r1.1 bluecloth-patch-lib-chunks-engines-rb --- files/bluecloth-patch-lib-chunks-engines-rb 9 Jun 2006 08:58:56 -0000 1.1 +++ files/bluecloth-patch-lib-chunks-engines-rb 9 Apr 2007 12:40:29 -0000 @@ -1,12 +1,12 @@ ---- lib/chunks/engines.rb.orig Sun Mar 12 15:57:24 2006 -+++ lib/chunks/engines.rb Tue Jun 6 22:45:16 2006 -@@ -35,7 +35,8 @@ - - class Markdown < AbstractEngine +--- lib/chunks/engines.rb.orig Wed Feb 28 06:09:26 2007 ++++ lib/chunks/engines.rb Mon Apr 9 22:22:51 2007 +@@ -40,7 +40,8 @@ + require_dependency 'sanitize' + include Sanitize def mask - require_dependency 'bluecloth_tweaked' + require_dependency 'rubygems' + require_gem 'BlueCloth' - BlueCloth.new(@content, @content.options[:engine_opts]).to_html + html = BlueCloth.new(@content, @content.options[:engine_opts]).to_html + sanitize_html(html) end - end >Release-Note: >Audit-Trail: >Unformatted:
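Review bot: in the first Makefile hunk (@@ -7,10 +7,11 @@) the upstream patch level is hard-coded as DISTNAME= ${PORTNAME}-0.11.pl1 while PORTVERSION stays at 0.11.0, so the installed package is named 0.11.0_3 and nothing in the package version says pl1 is in; the next upstream patch level will also need edits in two places. Consider recording the release in PORTVERSION (or DISTVERSION) and deriving DISTNAME from it. Since the PORTREVISION bump to 3 is what carries the XSS fix, the matching VuXML entry should mark everything below 0.11.0_3 as affected so portaudit users get flagged.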
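Review bot: in the do-install hunk (@@ -40,6 +41,7 @@) the regex in `@${FIND} -E ${WRKSRC} -type f -iregex ".*\._.+" -exec ${RM} "{}" \;` matches any path that contains `._` anywhere, not only files whose basename starts with `._`, so a legitimate file such as `lib/foo._bar.rb` would be deleted as well (none appears in pkg-plist today, but the expression is fragile). If the intent is to drop `._*` files from the new tarball, `-name '._*' -delete` says so exactly and is supported by FreeBSD find. The cleanup also belongs in post-extract rather than do-install, so the files are already gone when do-build runs `rake environment RAILS_ENV=production migrate` and when the plist is checked.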
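Review bot: for the distinfo hunk (@@ -1,3 +1,3 @@), please confirm the three new values were generated from a freshly fetched instiki-0.11.pl1.tgz rather than copied: the archive shrinks from 1483964 to 1344168 bytes (about 140 KB) even though pkg-plist gains files, and distinfo is the only integrity check users of this security update get.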
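Review bot: in the first pkg-plist hunk (@@ -61,9 +61,9 @@) instiki.sh is removed and instiki.bat is added; if the port's pkg-message, rc script or docs point users at ${INSTIKIDIR}/instiki.sh as the launcher they need updating to `instiki` or `instiki.rb`, and the Windows-only instiki.bat and instiki.cmd are being installed on FreeBSD for no benefit.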
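Review bot: in the second pkg-plist hunk (@@ -74,15 +74,17 @@) lib/native/linux/libsqlite3.so is dropped but lib/native/win32/sqlite3.dll and lib/native/win32/sqlite3_api.so stay in the plist; these foreign binaries are of no use on FreeBSD and could be removed in the same do-install cleanup (and from the plist) instead of shipped. The new lib/sanitize.rb is the file that carries the XSS fix, so this plist entry and the files/bluecloth-patch-lib-chunks-engines-rb change belong in the same commit.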
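Review bot: the files/bluecloth-patch-lib-chunks-engines-rb hunk (@@ -1,12 +1,12 @@) is the security-relevant part of the patch: the port replaces the bundled bluecloth_tweaked with the system BlueCloth gem, and the old version of this file returned `BlueCloth.new(...).to_html` directly, which applied on top of 0.11.pl1 would have silently dropped upstream's new `sanitize_html(html)` call in the Markdown engine and reintroduced the cross-site scripting hole the PR is fixing. Two things to verify before commit: that the context lines `require_dependency 'sanitize'` and `include Sanitize` match the actual 0.11.pl1 engines.rb so the patch applies cleanly (the regenerated @@ -40,7 +40,8 @@ offset suggests it was rebuilt against it), and that `require_gem 'BlueCloth'` still works with the rubygems port in use, since newer RubyGems deprecate `require_gem` in favour of `gem`.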