authorMark Linimon <linimon@FreeBSD.org>2003-12-09 02:48:11 +0000
committerMark Linimon <linimon@FreeBSD.org>2003-12-09 02:48:11 +0000
commitbde98a7340772ad78b1e327fb5e110496d26229f (patch)
tree3daf3121ac83885be2fcbb2f11112df43e615ef6 /www/tdiary-devel
parent31c1c5d1a4b8b3ea17d6e105ade9b9263a70c335 (diff)
Fix a security-related problem in tDiary 1.5.6; see
http://www.tdiary.org/20031119.html (Japanese-language) for details.

It only happened in the following case:
* "@secure = true" in the settings file (tdiary.conf)
* output_rdf.rb or tb-send.rb enabled through plugin selection

PR: ports/59451
Submitted by: Fumihiko Kimura <jfkimura@yahoo.co.jp> (maintainer)
Notes
Notes: svn path=/head/; revision=95448
Diffstat (limited to 'www/tdiary-devel')
-rw-r--r--www/tdiary-devel/Makefile4
-rw-r--r--www/tdiary-devel/files/patch-aa47
-rw-r--r--www/tdiary-devel/files/pkg-message.in (renamed from www/tdiary-devel/pkg-message)3
3 files changed, 53 insertions, 1 deletions
diff --git a/www/tdiary-devel/Makefile b/www/tdiary-devel/Makefile
index 13383966da2f..fa00ee3b640c 100644
--- a/www/tdiary-devel/Makefile
+++ b/www/tdiary-devel/Makefile
@@ -7,6 +7,7 @@
PORTNAME= tdiary
PORTVERSION= 1.5.6
+PORTREVISION= 1
CATEGORIES?= www ruby
MASTER_SITES= \
${MASTER_SITE_SOURCEFORGE} \
@@ -70,6 +71,7 @@ do-install:
post-install:
@cd ${WRKSRC} && ${FIND} . -type f -o -type l | ${SED} -e 's,^\.,${TDIARYDIR:S|${LOCALBASE}/||},' >> ${TMPPLIST}
@cd ${WRKSRC} && ${FIND} . -type d -depth | ${SED} -e 's,^\.,@dirrm ${TDIARYDIR:S|${LOCALBASE}/||},' >> ${TMPPLIST}
- @${SED} -e "s,%%EXAMPLESDIR%%,${EXAMPLESDIR},g" ${PKGMESSAGE}
+ @${SED} -e 's|%%EXAMPLESDIR%%|${EXAMPLESDIR}|' < ${FILESDIR}/pkg-message.in > ${PKGMESSAGE}
+ @${CAT} ${PKGMESSAGE}
.include <bsd.port.mk>
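Review bot: The new sed line in post-install redirects its output into `${PKGMESSAGE}`, and nothing in this diff moves that variable away from its default, so the generated file may be written into the port directory itself now that the source lives in `files/pkg-message.in`. If the Makefile does not already set it above the hunk, add `PKGMESSAGE= ${WRKDIR}/pkg-message` so the install step, which normally runs as root, writes only under the work directory. The substitution also lost its `g` flag, so only the first `%%EXAMPLESDIR%%` on a line is replaced; keep `|g'` unless that is intended. The variable definitions above `do-install` are outside the hunk, so the first point needs checking against the full Makefile.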
diff --git a/www/tdiary-devel/files/patch-aa b/www/tdiary-devel/files/patch-aa
new file mode 100644
index 000000000000..a88609622b12
--- /dev/null
+++ b/www/tdiary-devel/files/patch-aa
@@ -0,0 +1,47 @@
+--- tdiary.rb Thu Nov 13 15:34:22 2003
++++ tdiary.rb.new Fri Nov 21 16:11:26 2003
+@@ -1,13 +1,13 @@
+ =begin
+ == NAME
+ tDiary: the "tsukkomi-able" web diary system.
+-tdiary.rb $Revision: 1.156 $
++tdiary.rb $Revision: 1.159 $
+
+ Copyright (C) 2001-2003, TADA Tadashi <sho@spc.gr.jp>
+ You can redistribute it and/or modify it under GPL2.
+ =end
+
+-TDIARY_VERSION = '1.5.6'
++TDIARY_VERSION = '1.5.6.20031118'
+
+ require 'cgi'
+ begin
+@@ -62,10 +62,14 @@
+ module Safe
+ def safe( level = 4 )
+ result = nil
+- Thread.start {
+- $SAFE = level
++ if $SAFE < level then
++ Thread.start {
++ $SAFE = level
++ result = yield
++ }.join
++ else
+ result = yield
+- }.join
++ end
+ result
+ end
+ module_function :safe
+@@ -740,7 +744,9 @@
+ r = str.dup
+ if @options['apply_plugin'] and str.index( '<%' ) then
+ r = str.untaint if $SAFE < 3
+- r = ERbLight.new( r ).result( binding )
++ Safe::safe( @conf.secure ? 4 : 1 ) do
++ r = ERbLight.new( r ).result( binding )
++ end
+ end
+ r.gsub!( /<.*?>/, '' ) if remove_tag
+ r
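Review bot: In the third hunk of the embedded patch, the context line `r = str.untaint if $SAFE < 3` clears the taint flag on the caller's `str` rather than on the copy made by `r = str.dup` just above, because `untaint` modifies its receiver and returns it. The new `Safe::safe( @conf.secure ? 4 : 1 )` wrapper evaluates that text at level 1 whenever `@conf.secure` is false, so it would be safer to untaint only the copy with `r.untaint if $SAFE < 3` and leave `str` as the caller passed it. A one-line comment above the wrapper stating why ERbLight runs under `Safe::safe` and how the level is chosen, plus a header in patch-aa naming the upstream notice, would help whoever next updates the port. The enclosing method starts outside the hunk, and since this is upstream code the change would have to go to the tDiary authors too.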
diff --git a/www/tdiary-devel/pkg-message b/www/tdiary-devel/files/pkg-message.in
index 237ee08b2814..7641c845f302 100644
--- a/www/tdiary-devel/pkg-message
+++ b/www/tdiary-devel/files/pkg-message.in
@@ -9,6 +9,9 @@ This script should be run manually.
or
% ruby %%EXAMPLESDIR%%/tdiaryinst.rb
+ * Option: --suexec Use suExec for CGI execution
+ --help Display Help information
+
[Ruby 1.8.x]
# %%EXAMPLESDIR%%/tdiary-FreeBSD.sh User