[Pkg-cgit-commits] [pkg-cgit] 42/49: Refresh patches
Peter Colberg
peter at colberg.org
Thu Jun 16 01:49:22 UTC 2016
This is an automated email from the git hooks/post-receive script.
pc-guest pushed a commit to branch master
in repository pkg-cgit.
commit d4d6fb34a4de6b872c324ab5868029f07d85443f
Author: Alexander Wirt <formorer at debian.org>
Date: Tue Mar 1 13:52:54 2016 +0100
Refresh patches
---
debian/patches/Use-debian-binary-name-rst2html | 8 +-
debian/patches/debianize_makefile | 2 +-
...oid-integer-overflow-in-authenticate_post.patch | 34 --------
debian/patches/fix_status_code_for_unknown_repos | 90 +++++++++-------------
debian/patches/series | 3 -
.../ui-blob-Do-not-accept-mimetype-from-user.patch | 51 ------------
...revent-malicious-filename-from-injecting-.patch | 82 --------------------
7 files changed, 42 insertions(+), 228 deletions(-)
diff --git a/debian/patches/Use-debian-binary-name-rst2html b/debian/patches/Use-debian-binary-name-rst2html
index 47387cd..e3a74d5 100644
--- a/debian/patches/Use-debian-binary-name-rst2html
+++ b/debian/patches/Use-debian-binary-name-rst2html
@@ -6,11 +6,9 @@ Subject: Use debian binary name rst2html
filters/html-converters/rst2html | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/filters/html-converters/rst2html b/filters/html-converters/rst2html
-index c51f5be..a1ba574 100755
--- a/filters/html-converters/rst2html
+++ b/filters/html-converters/rst2html
@@ -1,2 +1,2 @@
- #!/bin/sh
--rst2html.py --template="$(dirname $0)/resources/rst-template.txt"
-+rst2html --template="$(dirname $0)/resources/rst-template.txt"
+ #!/bin/bash
+-exec rst2html.py --template <(echo -e "%(stylesheet)s\n%(body_pre_docinfo)s\n%(docinfo)s\n%(body)s")
++exec rst2html --template <(echo -e "%(stylesheet)s\n%(body_pre_docinfo)s\n%(docinfo)s\n%(body)s")
diff --git a/debian/patches/debianize_makefile b/debian/patches/debianize_makefile
index 3446c0a..9ce235e 100644
--- a/debian/patches/debianize_makefile
+++ b/debian/patches/debianize_makefile
@@ -2,7 +2,7 @@
+++ b/Makefile
@@ -2,11 +2,11 @@
- CGIT_VERSION = v0.11.2
+ CGIT_VERSION = v0.12
CGIT_SCRIPT_NAME = cgit.cgi
-CGIT_SCRIPT_PATH = /var/www/htdocs/cgit
+CGIT_SCRIPT_PATH = /usr/share/cgit
diff --git a/debian/patches/filter-avoid-integer-overflow-in-authenticate_post.patch b/debian/patches/filter-avoid-integer-overflow-in-authenticate_post.patch
deleted file mode 100644
index 20cb966..0000000
--- a/debian/patches/filter-avoid-integer-overflow-in-authenticate_post.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 4458abf64172a62b92810c2293450106e6dfc763 Mon Sep 17 00:00:00 2001
-From: "Jason A. Donenfeld" <Jason at zx2c4.com>
-Date: Tue, 24 Nov 2015 11:28:00 +0100
-Subject: [PATCH] filter: avoid integer overflow in authenticate_post
-
-ctx.env.content_length is an unsigned int, coming from the
-CONTENT_LENGTH environment variable, which is parsed by strtoul. The
-HTTP/1.1 spec says that "any Content-Length greater than or equal to
-zero is a valid value." By storing this into an int, we potentially
-overflow it, resulting in the following bounding check failing, leading
-to a buffer overflow.
-
-Reported-by: Erik Cabetas <Erik at cabetas.com>
-Signed-off-by: Jason A. Donenfeld <Jason at zx2c4.com>
----
- cgit.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/cgit.c b/cgit.c
-index 5937b9e..05e5d57 100644
---- a/cgit.c
-+++ b/cgit.c
-@@ -651,7 +651,7 @@ static inline void open_auth_filter(const char *function)
- static inline void authenticate_post(void)
- {
- char buffer[MAX_AUTHENTICATION_POST_BYTES];
-- int len;
-+ unsigned int len;
-
- open_auth_filter("authenticate-post");
- len = ctx.env.content_length;
---
-2.7.0
-
diff --git a/debian/patches/fix_status_code_for_unknown_repos b/debian/patches/fix_status_code_for_unknown_repos
index c16679c..cb7f08d 100644
--- a/debian/patches/fix_status_code_for_unknown_repos
+++ b/debian/patches/fix_status_code_for_unknown_repos
@@ -25,89 +25,75 @@ Subject: Return a proper status code when there is no repository found
+test_done
--- a/ui-repolist.c
+++ b/ui-repolist.c
-@@ -249,37 +249,59 @@
+@@ -272,22 +272,48 @@
void cgit_print_repolist(void)
{
- int i, columns = 3, hits = 0, header = 0;
-+ int i, columns = 3, hits = 0, header = 0, found_repos = 0, matched_size = 0;
++ int i, columns = 3, hits = 0, header = 0, found_repos = 0, matched_size = 0;
char *last_section = NULL;
char *section;
int sorted = 0;
-+ struct cgit_repo *repo = NULL;
-+ struct cgit_repo **matched_repos = NULL;
++ struct cgit_repo *repo = NULL;
++ struct cgit_repo **matched_repos = NULL;
+ if (!any_repos_visible()) {
+ cgit_print_error_page(404, "Not found", "No repositories found");
+ return;
+ }
+
++ if (ctx.qry.sort)
++ sorted = sort_repolist(ctx.qry.sort);
++ else if (ctx.cfg.section_sort)
++ sort_repolist("section");
++
++ for (i = 0; i < cgit_repolist.count; i++) {
++ repo = &cgit_repolist.repos[i];
++ if (!(is_match(repo) && is_in_url(repo)))
++ continue;
++ if (++found_repos > matched_size) {
++ if (matched_size == 0)
++ matched_size = 8;
++ else
++ matched_size *= 2;
++ matched_repos = xrealloc(matched_repos,
++ matched_size *
++ sizeof(struct cgit_repo *));
++ }
++ matched_repos[found_repos-1] = repo;
++ }
++
if (ctx.cfg.enable_index_links)
++columns;
if (ctx.cfg.enable_index_owner)
++columns;
-+ if (ctx.qry.sort)
-+ sorted = sort_repolist(ctx.qry.sort);
-+ else if (ctx.cfg.section_sort)
-+ sort_repolist("section");
-+
-+ for (i = 0; i < cgit_repolist.count; i++) {
-+ repo = &cgit_repolist.repos[i];
-+ if (!(is_match(repo) && is_in_url(repo)))
-+ continue;
-+ if (++found_repos > matched_size) {
-+ if (matched_size == 0)
-+ matched_size = 8;
-+ else
-+ matched_size *= 2;
-+ matched_repos = xrealloc(matched_repos,
-+ matched_size *
-+ sizeof(struct cgit_repo *));
-+ }
-+ matched_repos[found_repos-1] = repo;
-+ }
-+
ctx.page.title = ctx.cfg.root_title;
-+
+ if (!found_repos)
+ ctx.page.status = 404;
+
cgit_print_http_headers();
cgit_print_docstart();
cgit_print_pageheader();
-
- if (ctx.cfg.index_header)
- html_include(ctx.cfg.index_header);
--
-- if (ctx.qry.sort)
-- sorted = sort_repolist(ctx.qry.sort);
-- else if (ctx.cfg.section_sort)
-- sort_repolist("section");
-+
-+ if (!found_repos) {
-+ cgit_print_error("No repositories found");
-+ goto docend;
-+ }
+@@ -301,11 +327,9 @@
+ sort_repolist("section");
html("<table summary='repository list' class='list nowrap'>");
- for (i = 0; i < cgit_repolist.count; i++) {
- ctx.repo = &cgit_repolist.repos[i];
-- if (ctx.repo->hide || ctx.repo->ignore)
-- continue;
-- if (!(is_match(ctx.repo) && is_in_url(ctx.repo)))
+- if (!is_visible(ctx.repo))
- continue;
- hits++;
-+ for (hits = 1; hits <= found_repos; hits++) {
-+ ctx.repo = matched_repos[hits-1];
++ for (hits = 1; hits <= found_repos; hits++) {
++ ctx.repo = matched_repos[hits-1];
++
if (hits <= ctx.qry.ofs)
continue;
if (hits > ctx.qry.ofs + ctx.cfg.max_repo_count)
-@@ -337,11 +359,12 @@
- html("</tr>\n");
- }
+@@ -365,7 +389,9 @@
html("</table>");
-- if (!hits)
-- cgit_print_error("No repositories found");
-- else if (hits > ctx.cfg.max_repo_count)
-+ if (hits > ctx.cfg.max_repo_count)
+ if (hits > ctx.cfg.max_repo_count)
print_pager(hits, ctx.cfg.max_repo_count, ctx.qry.search, ctx.qry.sort);
-+
+docend:
cgit_print_docend();
+ free(matched_repos);
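Review bot: The collection loop in the refreshed patch filters only on `is_match(repo) && is_in_url(repo)`, and the display loop it feeds no longer calls `is_visible(ctx.repo)`. The previous version of this patch removed an explicit `ctx.repo->hide || ctx.repo->ignore` test at the same spot, so if `is_visible()` also covers those flags (its body is not visible here), repositories configured as hidden or ignored would now be listed on the index page. Filtering with `if (!is_visible(repo)) continue;` in the collection loop would keep that check. Separately, the second inner hunk still carries `sort_repolist("section");` as context, so the upstream sort appears to run again after `matched_repos` has captured pointers into `cgit_repolist.repos`. If so, a reorder there would leave those pointers on different entries, and the patch should drop the original sort so the list is sorted only once, before collection.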
diff --git a/debian/patches/series b/debian/patches/series
index 924d0a9..972d846 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -8,6 +8,3 @@ hardening
assume-highlight-version-3-in-filter-script
add-highlighting-rules-to-cgit.css
Use-debian-binary-name-rst2html
-ui-blob-Do-not-accept-mimetype-from-user.patch
-ui-shared-prevent-malicious-filename-from-injecting-.patch
-filter-avoid-integer-overflow-in-authenticate_post.patch
diff --git a/debian/patches/ui-blob-Do-not-accept-mimetype-from-user.patch b/debian/patches/ui-blob-Do-not-accept-mimetype-from-user.patch
deleted file mode 100644
index 8523274..0000000
--- a/debian/patches/ui-blob-Do-not-accept-mimetype-from-user.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 1c581a072651524f3b0d91f33e22a42c4166dd96 Mon Sep 17 00:00:00 2001
-From: "Jason A. Donenfeld" <Jason at zx2c4.com>
-Date: Thu, 14 Jan 2016 14:31:13 +0100
-Subject: [PATCH] ui-blob: Do not accept mimetype from user
-
----
- cgit.c | 2 --
- cgit.h | 1 -
- ui-blob.c | 1 -
- 3 files changed, 4 deletions(-)
-
-diff --git a/cgit.c b/cgit.c
-index 05e5d57..3ed1935 100644
---- a/cgit.c
-+++ b/cgit.c
-@@ -314,8 +314,6 @@ static void querystring_cb(const char *name, const char *value)
- ctx.qry.path = trim_end(value, '/');
- } else if (!strcmp(name, "name")) {
- ctx.qry.name = xstrdup(value);
-- } else if (!strcmp(name, "mimetype")) {
-- ctx.qry.mimetype = xstrdup(value);
- } else if (!strcmp(name, "s")) {
- ctx.qry.sort = xstrdup(value);
- } else if (!strcmp(name, "showmsg")) {
-diff --git a/cgit.h b/cgit.h
-index b7eccdd..4b4bcf4 100644
---- a/cgit.h
-+++ b/cgit.h
-@@ -173,7 +173,6 @@ struct cgit_query {
- char *sha2;
- char *path;
- char *name;
-- char *mimetype;
- char *url;
- char *period;
- int ofs;
-diff --git a/ui-blob.c b/ui-blob.c
-index 1ded839..2cce11c 100644
---- a/ui-blob.c
-+++ b/ui-blob.c
-@@ -161,7 +161,6 @@ void cgit_print_blob(const char *hex, char *path, const char *head, int file_onl
- }
-
- buf[size] = '\0';
-- ctx.page.mimetype = ctx.qry.mimetype;
- if (!ctx.page.mimetype) {
- if (buffer_is_binary(buf, size))
- ctx.page.mimetype = "application/octet-stream";
---
-2.7.0
-
diff --git a/debian/patches/ui-shared-prevent-malicious-filename-from-injecting-.patch b/debian/patches/ui-shared-prevent-malicious-filename-from-injecting-.patch
deleted file mode 100644
index ea81853..0000000
--- a/debian/patches/ui-shared-prevent-malicious-filename-from-injecting-.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From 513b3863d999f91b47d7e9f26710390db55f9463 Mon Sep 17 00:00:00 2001
-From: "Jason A. Donenfeld" <Jason at zx2c4.com>
-Date: Thu, 14 Jan 2016 14:28:37 +0100
-Subject: [PATCH] ui-shared: prevent malicious filename from injecting headers
-
----
- html.c | 26 ++++++++++++++++++++++++++
- html.h | 1 +
- ui-shared.c | 8 +++++---
- 3 files changed, 32 insertions(+), 3 deletions(-)
-
-diff --git a/html.c b/html.c
-index 959148c..d89df3a 100644
---- a/html.c
-+++ b/html.c
-@@ -239,6 +239,32 @@ void html_url_arg(const char *txt)
- html(txt);
- }
-
-+void html_header_arg_in_quotes(const char *txt)
-+{
-+ const char *t = txt;
-+ while (t && *t) {
-+ unsigned char c = *t;
-+ const char *e = NULL;
-+ if (c == '\\')
-+ e = "\\\\";
-+ else if (c == '\r')
-+ e = "\\r";
-+ else if (c == '\n')
-+ e = "\\n";
-+ else if (c == '"')
-+ e = "\\\"";
-+ if (e) {
-+ html_raw(txt, t - txt);
-+ html(e);
-+ txt = t + 1;
-+ }
-+ t++;
-+ }
-+ if (t != txt)
-+ html(txt);
-+
-+}
-+
- void html_hidden(const char *name, const char *value)
- {
- html("<input type='hidden' name='");
-diff --git a/html.h b/html.h
-index c554763..c72e845 100644
---- a/html.h
-+++ b/html.h
-@@ -23,6 +23,7 @@ extern void html_ntxt(int len, const char *txt);
- extern void html_attr(const char *txt);
- extern void html_url_path(const char *txt);
- extern void html_url_arg(const char *txt);
-+extern void html_header_arg_in_quotes(const char *txt);
- extern void html_hidden(const char *name, const char *value);
- extern void html_option(const char *value, const char *text, const char *selected_value);
- extern void html_intoption(int value, const char *text, int selected_value);
-diff --git a/ui-shared.c b/ui-shared.c
-index 21f581f..54bbde7 100644
---- a/ui-shared.c
-+++ b/ui-shared.c
-@@ -692,9 +692,11 @@ void cgit_print_http_headers(void)
- htmlf("Content-Type: %s\n", ctx.page.mimetype);
- if (ctx.page.size)
- htmlf("Content-Length: %zd\n", ctx.page.size);
-- if (ctx.page.filename)
-- htmlf("Content-Disposition: inline; filename=\"%s\"\n",
-- ctx.page.filename);
-+ if (ctx.page.filename) {
-+ html("Content-Disposition: inline; filename=\"");
-+ html_header_arg_in_quotes(ctx.page.filename);
-+ html("\"\n");
-+ }
- if (!ctx.env.authenticated)
- html("Cache-Control: no-cache, no-store\n");
- htmlf("Last-Modified: %s\n", http_date(ctx.page.modified));
---
-2.7.0
-
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-cgit/pkg-cgit.git