Attachment #78448 for bug #112833

View | Details | Raw Unified | Return to bug 112833
Collapse All | Expand All

Lines 6-13 Link Here

(-)trac/Makefile (-2 / +1 lines)
6	#	6	#
7		7
8	PORTNAME= trac	8	PORTNAME= trac
9	PORTVERSION= 0.10.3	9	PORTVERSION= 0.10.4
10	PORTREVISION= 2
11	CATEGORIES= japanese www devel python	10	CATEGORIES= japanese www devel python
12	MASTER_SITES= http://dist.bsdlab.org/ \	11	MASTER_SITES= http://dist.bsdlab.org/ \
13	http://www.i-act.co.jp/project/products/downloads/	12	http://www.i-act.co.jp/project/products/downloads/

Lines 1-3 Link Here

(-)trac/distinfo (-3 / +3 lines)
1	MD5 (trac-0.10.3-ja-1.zip) = 2ed8046e0f59c3751b35b1941789baee	1	MD5 (trac-0.10.4-ja-1.zip) = dbc2468ca9acf70dd5fbd078e415fee6
2	SHA256 (trac-0.10.3-ja-1.zip) = d4b8a505d003649eb2dde7e85674280e9b84caf3721db74696d8d4d928823247	2	SHA256 (trac-0.10.4-ja-1.zip) = 9b9f188b726a7a15d28c1b44814b8db04a987bc165bcacfac8f3a0907123337a
3	SIZE (trac-0.10.3-ja-1.zip) = 644169	3	SIZE (trac-0.10.4-ja-1.zip) = 650892




Index: RELEASE
===================================================================
--- RELEASE	(.../trac-0.10.3)	(revision 4957)
+++ RELEASE	(.../trac-0.10.3.1)	(revision 4957)
@@ -1,8 +1,8 @@
-Release Notes for Trac 0.10.3
-=============================
-December 12, 2006
+Release Notes for Trac 0.10.3.1
+===============================
+March 8, 2007
 
-We're happy to announce the Trac 0.10.3 release, available from:
+We're happy to announce the Trac 0.10.3.1 release, available from:
 
   http://trac.edgewall.org/wiki/TracDownload
 
@@ -11,18 +11,15 @@
 
   http://trac.edgewall.org/wiki/MailingList
 
-Trac 0.10.3 is a bug fix release and fixes a few bugs introduced in the 
-0.10.1 and 0.10.2 releases. A brief summary of major changes:
+Trac 0.10.3.1 is a security release:
+* Always send "Content-Disposition: attachment" headers where potentially 
+  unsafe (user provided) content is available for download. This behaviour
+  can be altered using the "render_unsafe_content" option in the 
+  "attachment" and "browser" sections of trac.ini.
+ * Fixed XSS vulnerability in "download wiki page as text" in combination with 
+   Microsoft IE. Reported by Yoshinori Oota, Business Architects Inc.
 
- * Timeline fail to load with a "NoSuchChangeset" error message (#4132).
- * Timed out MySQL connections not handled properly (#3645).
- * Subversion repository resync broken. (#4204).
 
-The complete list of closed tickets can be found here:
-
-   http://trac.edgewall.org/query?status=closed&milestone=0.10.3
-
-
 Acknowledgements
 ================
 
Index: wiki-default/WikiStart
===================================================================
--- wiki-default/WikiStart	(.../trac-0.10.3)	(revision 4957)
+++ wiki-default/WikiStart	(.../trac-0.10.3.1)	(revision 4957)
@@ -1,4 +1,4 @@
-= Welcome to Trac 0.10.3 =
+= Welcome to Trac 0.10.3.1 =
 
 Trac is a '''minimalistic''' approach to '''web-based''' management of
 '''software projects'''. Its goal is to simplify effective tracking and handling of software issues, enhancements and overall progress.
Index: ChangeLog
===================================================================
--- ChangeLog	(.../trac-0.10.3)	(revision 4957)
+++ ChangeLog	(.../trac-0.10.3.1)	(revision 4957)
@@ -1,3 +1,14 @@
+Trac 0.10.3.1 (March 8, 2007)
+http://svn.edgewall.org/repos/trac/tags/trac-0.10.3.1
+
+ Trac 0.10.3.1 is a security release:
+ * Always send "Content-Disposition: attachment" headers where potentially 
+   unsafe (user provided) content is available for download. This behaviour
+   can be altered using the "render_unsafe_content" option in the 
+   "attachment" and "browser" sections of trac.ini.
+ * Fixed XSS vulnerability in "download wiki page as text" in combination with 
+   Microsoft IE. Reported by Yoshinori Oota, Business Architects Inc.
+	
 Trac 0.10.3 (Dec 12, 2006)
 http://svn.edgewall.org/repos/trac/tags/trac-0.10.3
 
Index: trac/attachment.py
===================================================================
--- trac/attachment.py	(.../trac-0.10.3)	(revision 4957)
+++ trac/attachment.py	(.../trac-0.10.3.1)	(revision 4957)
@@ -555,22 +555,24 @@
             # Eventually send the file directly
             format = req.args.get('format')
             if format in ('raw', 'txt'):
-                if not self.render_unsafe_content and not binary:
-                    # Force browser to download HTML/SVG/etc pages that may
-                    # contain malicious code enabling XSS attacks
-                    req.send_header('Content-Disposition', 'attachment;' +
-                                    'filename=' + attachment.filename)
-                if not mime_type or (self.render_unsafe_content and \
-                                     not binary and format == 'txt'):
-                    mime_type = 'text/plain'
+                if not self.render_unsafe_content:
+                    # Force browser to download files instead of rendering
+                    # them, since they might contain malicious code enabling 
+                    # XSS attacks
+                    req.send_header('Content-Disposition', 'attachment')
+                if format == 'txt':
+                      mime_type = 'text/plain'
+                elif not mime_type:
+                    mime_type = 'application/octet-stream'
                 if 'charset=' not in mime_type:
                     charset = mimeview.get_charset(str_data, mime_type)
                     mime_type = mime_type + '; charset=' + charset
+
                 req.send_file(attachment.path, mime_type)
 
             # add ''Plain Text'' alternate link if needed
-            if self.render_unsafe_content and not binary and \
-               mime_type and not mime_type.startswith('text/plain'):
+            if (self.render_unsafe_content and 
+                mime_type and not mime_type.startswith('text/plain')):
                 plaintext_href = attachment.href(req, format='txt')
                 add_link(req, 'alternate', plaintext_href, 'Plain Text',
                          mime_type)
Index: trac/mimeview/api.py
===================================================================
--- trac/mimeview/api.py	(.../trac-0.10.3)	(revision 4957)
+++ trac/mimeview/api.py	(.../trac-0.10.3.1)	(revision 4957)
@@ -604,8 +604,8 @@
                                                          content, selector)
         req.send_response(200)
         req.send_header('Content-Type', output_type)
-        req.send_header('Content-Disposition', 'filename=%s.%s' % (filename,
-                                                                   ext))
+        req.send_header('Content-Disposition', 'attachment; filename=%s.%s' % 
+                        (filename, ext))
         req.end_headers()
         req.write(content)
         raise RequestDone        
Index: trac/__init__.py
===================================================================
--- trac/__init__.py	(.../trac-0.10.3)	(revision 4957)
+++ trac/__init__.py	(.../trac-0.10.3.1)	(revision 4957)
@@ -11,7 +11,7 @@
 """
 __docformat__ = 'epytext en'
 
-__version__ = '0.10.3'
+__version__ = '0.10.3.1'
 __url__ = 'http://trac.edgewall.org/'
 __copyright__ = '(C) 2003-2006 Edgewall Software'
 __license__ = 'BSD'
Index: trac/versioncontrol/web_ui/browser.py
===================================================================
--- trac/versioncontrol/web_ui/browser.py	(.../trac-0.10.3)	(revision 4957)
+++ trac/versioncontrol/web_ui/browser.py	(.../trac-0.10.3.1)	(revision 4957)
@@ -21,7 +21,7 @@
 from fnmatch import fnmatchcase
 
 from trac import util
-from trac.config import ListOption, Option
+from trac.config import ListOption, BoolOption, Option
 from trac.core import *
 from trac.mimeview import Mimeview, is_binary, get_mimetype
 from trac.perm import IPermissionRequestor
@@ -57,6 +57,18 @@
         glob patterns, i.e. "*" can be used as a wild card)
         (''since 0.10'')""")
 
+    render_unsafe_content = BoolOption('browser', 'render_unsafe_content',
+                                        'false',
+        """Whether attachments should be rendered in the browser, or
+        only made downloadable.
+ 
+        Pretty much any file may be interpreted as HTML by the browser,
+        which allows a malicious user to attach a file containing cross-site
+        scripting attacks.
+        
+        For public sites where anonymous users can create attachments it is
+        recommended to leave this option disabled (which is the default).""")
+ 
     # INavigationContributor methods
 
     def get_active_navigation_item(self, req):
@@ -216,6 +228,11 @@
                             format == 'txt' and 'text/plain' or mime_type)
             req.send_header('Content-Length', node.content_length)
             req.send_header('Last-Modified', http_date(node.last_modified))
+            if not self.render_unsafe_content:
+                # Force browser to download files instead of rendering
+                # them, since they might contain malicious code enabling 
+                # XSS attacks
+                req.send_header('Content-Disposition', 'attachment')
             req.end_headers()
 
             while 1:
Index: trac/scripts/tests/admin-tests.txt
===================================================================
--- trac/scripts/tests/admin-tests.txt	(.../trac-0.10.3)	(revision 4957)
+++ trac/scripts/tests/admin-tests.txt	(.../trac-0.10.3.1)	(revision 4957)
@@ -1,5 +1,5 @@
 ===== test_help_ok =====
-trac-admin - The Trac Administration Console 0.10.3
+trac-admin - The Trac Administration Console 0.10.3.1
 
 Usage: trac-admin </path/to/projenv> [command [subcommand] [option ...]]
 

Lines 1-6 Link Here

(-)trac/files/patch-setup.py (-3 / +3 lines)
1	--- setup.py.orig Thu Nov 3 11:44:28 2005	1	--- setup.py.orig Thu Nov 2 20:58:46 2006
2	+++ setup.py Thu Nov 3 11:45:01 2005	2	+++ setup.py Mon May 21 21:28:00 2007
3	@@ -225,7 +225,7 @@	3	@@ -231,7 +231,7 @@
4	(_p('share/trac/htdocs'), glob(_p('htdocs/.')) + [_p('htdocs/README')]),	4	(_p('share/trac/htdocs'), glob(_p('htdocs/.')) + [_p('htdocs/README')]),
5	(_p('share/trac/htdocs/css'), glob(_p('htdocs/css/*'))),	5	(_p('share/trac/htdocs/css'), glob(_p('htdocs/css/*'))),
6	(_p('share/trac/htdocs/js'), glob(_p('htdocs/js/*'))),	6	(_p('share/trac/htdocs/js'), glob(_p('htdocs/js/*'))),

Lines 1-6 Link Here

(-)trac/files/patch-trac.css (-3 / +3 lines)
1	--- ./htdocs/css/trac.css.orig Fri Dec 16 11:24:16 2005	1	--- ./htdocs/css/trac.css.orig Mon Sep 25 16:52:05 2006
2	+++ ./htdocs/css/trac.css Fri Dec 16 11:24:26 2005	2	+++ ./htdocs/css/trac.css Mon May 21 21:32:02 2007
3	@@ -47,7 +47,7 @@	3	@@ -63,7 +63,7 @@
4	background: url(../extlink.gif) left center no-repeat;	4	background: url(../extlink.gif) left center no-repeat;
5	padding-left: 16px;	5	padding-left: 16px;
6	}	6	}

Lines 159-164 Link Here

(-)trac/pkg-plist (+3 lines)
159	%%PYTHON_SITELIBDIR%%/trac/upgrades/db19.py	159	%%PYTHON_SITELIBDIR%%/trac/upgrades/db19.py
160	%%PYTHON_SITELIBDIR%%/trac/upgrades/db19.pyc	160	%%PYTHON_SITELIBDIR%%/trac/upgrades/db19.pyc
161	%%PYTHON_SITELIBDIR%%/trac/upgrades/db19.pyo	161	%%PYTHON_SITELIBDIR%%/trac/upgrades/db19.pyo
		162	%%PYTHON_SITELIBDIR%%/trac/upgrades/db20.py
		163	%%PYTHON_SITELIBDIR%%/trac/upgrades/db20.pyc
		164	%%PYTHON_SITELIBDIR%%/trac/upgrades/db20.pyo
162	%%PYTHON_SITELIBDIR%%/trac/upgrades/db3.py	165	%%PYTHON_SITELIBDIR%%/trac/upgrades/db3.py
163	%%PYTHON_SITELIBDIR%%/trac/upgrades/db3.pyc	166	%%PYTHON_SITELIBDIR%%/trac/upgrades/db3.pyc
164	%%PYTHON_SITELIBDIR%%/trac/upgrades/db3.pyo	167	%%PYTHON_SITELIBDIR%%/trac/upgrades/db3.pyo

Return to bug 112833

Lines 1-194 Link Here

(-)trac/files/patch-0.10.3.1 (-194 lines)
1	Index: RELEASE
2	===================================================================
3	--- RELEASE (.../trac-0.10.3) (revision 4957)
4	+++ RELEASE (.../trac-0.10.3.1) (revision 4957)
5	@@ -1,8 +1,8 @@
6	-Release Notes for Trac 0.10.3
7	-=============================
8	-December 12, 2006
9	+Release Notes for Trac 0.10.3.1
10	+===============================
11	+March 8, 2007
12
13	-We're happy to announce the Trac 0.10.3 release, available from:
14	+We're happy to announce the Trac 0.10.3.1 release, available from:
15
16	http://trac.edgewall.org/wiki/TracDownload
17
18	@@ -11,18 +11,15 @@
19
20	http://trac.edgewall.org/wiki/MailingList
21
22	-Trac 0.10.3 is a bug fix release and fixes a few bugs introduced in the
23	-0.10.1 and 0.10.2 releases. A brief summary of major changes:
24	+Trac 0.10.3.1 is a security release:
25	+* Always send "Content-Disposition: attachment" headers where potentially
26	+ unsafe (user provided) content is available for download. This behaviour
27	+ can be altered using the "render_unsafe_content" option in the
28	+ "attachment" and "browser" sections of trac.ini.
29	+ * Fixed XSS vulnerability in "download wiki page as text" in combination with
30	+ Microsoft IE. Reported by Yoshinori Oota, Business Architects Inc.
31
32	- * Timeline fail to load with a "NoSuchChangeset" error message (#4132).
33	- * Timed out MySQL connections not handled properly (#3645).
34	- * Subversion repository resync broken. (#4204).
35
36	-The complete list of closed tickets can be found here:
37	-
38	- http://trac.edgewall.org/query?status=closed&milestone=0.10.3
39	-
40	-
41	Acknowledgements
42	================
43
44	Index: wiki-default/WikiStart
45	===================================================================
46	--- wiki-default/WikiStart (.../trac-0.10.3) (revision 4957)
47	+++ wiki-default/WikiStart (.../trac-0.10.3.1) (revision 4957)
48	@@ -1,4 +1,4 @@
49	-= Welcome to Trac 0.10.3 =
50	+= Welcome to Trac 0.10.3.1 =
51
52	Trac is a '''minimalistic''' approach to '''web-based''' management of
53	'''software projects'''. Its goal is to simplify effective tracking and handling of software issues, enhancements and overall progress.
54	Index: ChangeLog
55	===================================================================
56	--- ChangeLog (.../trac-0.10.3) (revision 4957)
57	+++ ChangeLog (.../trac-0.10.3.1) (revision 4957)
58	@@ -1,3 +1,14 @@
59	+Trac 0.10.3.1 (March 8, 2007)
60	+http://svn.edgewall.org/repos/trac/tags/trac-0.10.3.1
61	+
62	+ Trac 0.10.3.1 is a security release:
63	+ * Always send "Content-Disposition: attachment" headers where potentially
64	+ unsafe (user provided) content is available for download. This behaviour
65	+ can be altered using the "render_unsafe_content" option in the
66	+ "attachment" and "browser" sections of trac.ini.
67	+ * Fixed XSS vulnerability in "download wiki page as text" in combination with
68	+ Microsoft IE. Reported by Yoshinori Oota, Business Architects Inc.
69	+
70	Trac 0.10.3 (Dec 12, 2006)
71	http://svn.edgewall.org/repos/trac/tags/trac-0.10.3
72
73	Index: trac/attachment.py
74	===================================================================
75	--- trac/attachment.py (.../trac-0.10.3) (revision 4957)
76	+++ trac/attachment.py (.../trac-0.10.3.1) (revision 4957)
77	@@ -555,22 +555,24 @@
78	# Eventually send the file directly
79	format = req.args.get('format')
80	if format in ('raw', 'txt'):
81	- if not self.render_unsafe_content and not binary:
82	- # Force browser to download HTML/SVG/etc pages that may
83	- # contain malicious code enabling XSS attacks
84	- req.send_header('Content-Disposition', 'attachment;' +
85	- 'filename=' + attachment.filename)
86	- if not mime_type or (self.render_unsafe_content and \
87	- not binary and format == 'txt'):
88	- mime_type = 'text/plain'
89	+ if not self.render_unsafe_content:
90	+ # Force browser to download files instead of rendering
91	+ # them, since they might contain malicious code enabling
92	+ # XSS attacks
93	+ req.send_header('Content-Disposition', 'attachment')
94	+ if format == 'txt':
95	+ mime_type = 'text/plain'
96	+ elif not mime_type:
97	+ mime_type = 'application/octet-stream'
98	if 'charset=' not in mime_type:
99	charset = mimeview.get_charset(str_data, mime_type)
100	mime_type = mime_type + '; charset=' + charset
101	+
102	req.send_file(attachment.path, mime_type)
103
104	# add ''Plain Text'' alternate link if needed
105	- if self.render_unsafe_content and not binary and \
106	- mime_type and not mime_type.startswith('text/plain'):
107	+ if (self.render_unsafe_content and
108	+ mime_type and not mime_type.startswith('text/plain')):
109	plaintext_href = attachment.href(req, format='txt')
110	add_link(req, 'alternate', plaintext_href, 'Plain Text',
111	mime_type)
112	Index: trac/mimeview/api.py
113	===================================================================
114	--- trac/mimeview/api.py (.../trac-0.10.3) (revision 4957)
115	+++ trac/mimeview/api.py (.../trac-0.10.3.1) (revision 4957)
116	@@ -604,8 +604,8 @@
117	content, selector)
118	req.send_response(200)
119	req.send_header('Content-Type', output_type)
120	- req.send_header('Content-Disposition', 'filename=%s.%s' % (filename,
121	- ext))
122	+ req.send_header('Content-Disposition', 'attachment; filename=%s.%s' %
123	+ (filename, ext))
124	req.end_headers()
125	req.write(content)
126	raise RequestDone
127	Index: trac/__init__.py
128	===================================================================
129	--- trac/__init__.py (.../trac-0.10.3) (revision 4957)
130	+++ trac/__init__.py (.../trac-0.10.3.1) (revision 4957)
131	@@ -11,7 +11,7 @@
132	"""
133	__docformat__ = 'epytext en'
134
135	-__version__ = '0.10.3'
136	+__version__ = '0.10.3.1'
137	__url__ = 'http://trac.edgewall.org/'
138	__copyright__ = '(C) 2003-2006 Edgewall Software'
139	__license__ = 'BSD'
140	Index: trac/versioncontrol/web_ui/browser.py
141	===================================================================
142	--- trac/versioncontrol/web_ui/browser.py (.../trac-0.10.3) (revision 4957)
143	+++ trac/versioncontrol/web_ui/browser.py (.../trac-0.10.3.1) (revision 4957)
144	@@ -21,7 +21,7 @@
145	from fnmatch import fnmatchcase
146
147	from trac import util
148	-from trac.config import ListOption, Option
149	+from trac.config import ListOption, BoolOption, Option
150	from trac.core import *
151	from trac.mimeview import Mimeview, is_binary, get_mimetype
152	from trac.perm import IPermissionRequestor
153	@@ -57,6 +57,18 @@
154	glob patterns, i.e. "*" can be used as a wild card)
155	(''since 0.10'')""")
156
157	+ render_unsafe_content = BoolOption('browser', 'render_unsafe_content',
158	+ 'false',
159	+ """Whether attachments should be rendered in the browser, or
160	+ only made downloadable.
161	+
162	+ Pretty much any file may be interpreted as HTML by the browser,
163	+ which allows a malicious user to attach a file containing cross-site
164	+ scripting attacks.
165	+
166	+ For public sites where anonymous users can create attachments it is
167	+ recommended to leave this option disabled (which is the default).""")
168	+
169	# INavigationContributor methods
170
171	def get_active_navigation_item(self, req):
172	@@ -216,6 +228,11 @@
173	format == 'txt' and 'text/plain' or mime_type)
174	req.send_header('Content-Length', node.content_length)
175	req.send_header('Last-Modified', http_date(node.last_modified))
176	+ if not self.render_unsafe_content:
177	+ # Force browser to download files instead of rendering
178	+ # them, since they might contain malicious code enabling
179	+ # XSS attacks
180	+ req.send_header('Content-Disposition', 'attachment')
181	req.end_headers()
182
183	while 1:
184	Index: trac/scripts/tests/admin-tests.txt
185	===================================================================
186	--- trac/scripts/tests/admin-tests.txt (.../trac-0.10.3) (revision 4957)
187	+++ trac/scripts/tests/admin-tests.txt (.../trac-0.10.3.1) (revision 4957)
188	@@ -1,5 +1,5 @@
189	===== test_help_ok =====
190	-trac-admin - The Trac Administration Console 0.10.3
191	+trac-admin - The Trac Administration Console 0.10.3.1
192
193	Usage: trac-admin </path/to/projenv> [command [subcommand] [option ...]]
194