FreeBSD Bugzilla – Attachment 78448 Details for Bug 112833: [PATCH] japanese/trac: update to 0.10.4
[patch] file.diff (text/plain), 11.48 KB, created by TAKATSU Tomonari on 2007-05-21 13:50:04 UTC
>diff -urN trac.orig/Makefile trac/Makefile >--- trac.orig/Makefile Mon Mar 12 23:09:29 2007 >+++ trac/Makefile Mon May 21 21:19:59 2007 >@@ -6,8 +6,7 @@ > # > > PORTNAME= trac >-PORTVERSION= 0.10.3 >-PORTREVISION= 2 >+PORTVERSION= 0.10.4 > CATEGORIES= japanese www devel python > MASTER_SITES= http://dist.bsdlab.org/ \ > http://www.i-act.co.jp/project/products/downloads/ >diff -urN trac.orig/distinfo trac/distinfo >--- trac.orig/distinfo Wed Mar 7 23:48:38 2007 >+++ trac/distinfo Mon May 21 21:20:04 2007 >@@ -1,3 +1,3 @@ >-MD5 (trac-0.10.3-ja-1.zip) = 2ed8046e0f59c3751b35b1941789baee >-SHA256 (trac-0.10.3-ja-1.zip) = d4b8a505d003649eb2dde7e85674280e9b84caf3721db74696d8d4d928823247 >-SIZE (trac-0.10.3-ja-1.zip) = 644169 >+MD5 (trac-0.10.4-ja-1.zip) = dbc2468ca9acf70dd5fbd078e415fee6 >+SHA256 (trac-0.10.4-ja-1.zip) = 9b9f188b726a7a15d28c1b44814b8db04a987bc165bcacfac8f3a0907123337a >+SIZE (trac-0.10.4-ja-1.zip) = 650892 >diff -urN trac.orig/files/patch-0.10.3.1 trac/files/patch-0.10.3.1 >--- trac.orig/files/patch-0.10.3.1 Sat Mar 10 11:18:14 2007 >+++ trac/files/patch-0.10.3.1 Thu Jan 1 09:00:00 1970 
>@@ -1,194 +0,0 @@ >-Index: RELEASE >-=================================================================== >---- RELEASE (.../trac-0.10.3) (revision 4957) >-+++ RELEASE (.../trac-0.10.3.1) (revision 4957) >-@@ -1,8 +1,8 @@ >--Release Notes for Trac 0.10.3 >--============================= >--December 12, 2006 >-+Release Notes for Trac 0.10.3.1 >-+=============================== >-+March 8, 2007 >- >--We're happy to announce the Trac 0.10.3 release, available from: >-+We're happy to announce the Trac 0.10.3.1 release, available from: >- >- http://trac.edgewall.org/wiki/TracDownload >- >-@@ -11,18 +11,15 @@ >- >- http://trac.edgewall.org/wiki/MailingList >- >--Trac 0.10.3 is a bug fix release and fixes a few bugs introduced in the >--0.10.1 and 0.10.2 releases. A brief summary of major changes: >-+Trac 0.10.3.1 is a security release: >-+* Always send "Content-Disposition: attachment" headers where potentially >-+ unsafe (user provided) content is available for download. This behaviour >-+ can be altered using the "render_unsafe_content" option in the >-+ "attachment" and "browser" sections of trac.ini. >-+ * Fixed XSS vulnerability in "download wiki page as text" in combination with >-+ Microsoft IE. Reported by Yoshinori Oota, Business Architects Inc. >- >-- * Timeline fail to load with a "NoSuchChangeset" error message (#4132). >-- * Timed out MySQL connections not handled properly (#3645). >-- * Subversion repository resync broken. (#4204). 
>- >--The complete list of closed tickets can be found here: >-- >-- http://trac.edgewall.org/query?status=closed&milestone=0.10.3 >-- >-- >- Acknowledgements >- ================ >- >-Index: wiki-default/WikiStart >-=================================================================== >---- wiki-default/WikiStart (.../trac-0.10.3) (revision 4957) >-+++ wiki-default/WikiStart (.../trac-0.10.3.1) (revision 4957) >-@@ -1,4 +1,4 @@ >--= Welcome to Trac 0.10.3 = >-+= Welcome to Trac 0.10.3.1 = >- >- Trac is a '''minimalistic''' approach to '''web-based''' management of >- '''software projects'''. Its goal is to simplify effective tracking and handling of software issues, enhancements and overall progress. >-Index: ChangeLog >-=================================================================== >---- ChangeLog (.../trac-0.10.3) (revision 4957) >-+++ ChangeLog (.../trac-0.10.3.1) (revision 4957) >-@@ -1,3 +1,14 @@ >-+Trac 0.10.3.1 (March 8, 2007) >-+http://svn.edgewall.org/repos/trac/tags/trac-0.10.3.1 >-+ >-+ Trac 0.10.3.1 is a security release: >-+ * Always send "Content-Disposition: attachment" headers where potentially >-+ unsafe (user provided) content is available for download. This behaviour >-+ can be altered using the "render_unsafe_content" option in the >-+ "attachment" and "browser" sections of trac.ini. >-+ * Fixed XSS vulnerability in "download wiki page as text" in combination with >-+ Microsoft IE. Reported by Yoshinori Oota, Business Architects Inc. 
>-+ >- Trac 0.10.3 (Dec 12, 2006) >- http://svn.edgewall.org/repos/trac/tags/trac-0.10.3 >- >-Index: trac/attachment.py >-=================================================================== >---- trac/attachment.py (.../trac-0.10.3) (revision 4957) >-+++ trac/attachment.py (.../trac-0.10.3.1) (revision 4957) >-@@ -555,22 +555,24 @@ >- # Eventually send the file directly >- format = req.args.get('format') >- if format in ('raw', 'txt'): >-- if not self.render_unsafe_content and not binary: >-- # Force browser to download HTML/SVG/etc pages that may >-- # contain malicious code enabling XSS attacks >-- req.send_header('Content-Disposition', 'attachment;' + >-- 'filename=' + attachment.filename) >-- if not mime_type or (self.render_unsafe_content and \ >-- not binary and format == 'txt'): >-- mime_type = 'text/plain' >-+ if not self.render_unsafe_content: >-+ # Force browser to download files instead of rendering >-+ # them, since they might contain malicious code enabling >-+ # XSS attacks >-+ req.send_header('Content-Disposition', 'attachment') >-+ if format == 'txt': >-+ mime_type = 'text/plain' >-+ elif not mime_type: >-+ mime_type = 'application/octet-stream' >- if 'charset=' not in mime_type: >- charset = mimeview.get_charset(str_data, mime_type) >- mime_type = mime_type + '; charset=' + charset >-+ >- req.send_file(attachment.path, mime_type) >- >- # add ''Plain Text'' alternate link if needed >-- if self.render_unsafe_content and not binary and \ >-- mime_type and not mime_type.startswith('text/plain'): >-+ if (self.render_unsafe_content and >-+ mime_type and not mime_type.startswith('text/plain')): >- plaintext_href = attachment.href(req, format='txt') >- add_link(req, 'alternate', plaintext_href, 'Plain Text', >- mime_type) >-Index: trac/mimeview/api.py >-=================================================================== >---- trac/mimeview/api.py (.../trac-0.10.3) (revision 4957) >-+++ trac/mimeview/api.py (.../trac-0.10.3.1) (revision 4957) >-@@ -604,8 
+604,8 @@ >- content, selector) >- req.send_response(200) >- req.send_header('Content-Type', output_type) >-- req.send_header('Content-Disposition', 'filename=%s.%s' % (filename, >-- ext)) >-+ req.send_header('Content-Disposition', 'attachment; filename=%s.%s' % >-+ (filename, ext)) >- req.end_headers() >- req.write(content) >- raise RequestDone >-Index: trac/__init__.py >-=================================================================== >---- trac/__init__.py (.../trac-0.10.3) (revision 4957) >-+++ trac/__init__.py (.../trac-0.10.3.1) (revision 4957) >-@@ -11,7 +11,7 @@ >- """ >- __docformat__ = 'epytext en' >- >--__version__ = '0.10.3' >-+__version__ = '0.10.3.1' >- __url__ = 'http://trac.edgewall.org/' >- __copyright__ = '(C) 2003-2006 Edgewall Software' >- __license__ = 'BSD' >-Index: trac/versioncontrol/web_ui/browser.py >-=================================================================== >---- trac/versioncontrol/web_ui/browser.py (.../trac-0.10.3) (revision 4957) >-+++ trac/versioncontrol/web_ui/browser.py (.../trac-0.10.3.1) (revision 4957) >-@@ -21,7 +21,7 @@ >- from fnmatch import fnmatchcase >- >- from trac import util >--from trac.config import ListOption, Option >-+from trac.config import ListOption, BoolOption, Option >- from trac.core import * >- from trac.mimeview import Mimeview, is_binary, get_mimetype >- from trac.perm import IPermissionRequestor >-@@ -57,6 +57,18 @@ >- glob patterns, i.e. "*" can be used as a wild card) >- (''since 0.10'')""") >- >-+ render_unsafe_content = BoolOption('browser', 'render_unsafe_content', >-+ 'false', >-+ """Whether attachments should be rendered in the browser, or >-+ only made downloadable. >-+ >-+ Pretty much any file may be interpreted as HTML by the browser, >-+ which allows a malicious user to attach a file containing cross-site >-+ scripting attacks. 
>-+ >-+ For public sites where anonymous users can create attachments it is >-+ recommended to leave this option disabled (which is the default).""") >-+ >- # INavigationContributor methods >- >- def get_active_navigation_item(self, req): >-@@ -216,6 +228,11 @@ >- format == 'txt' and 'text/plain' or mime_type) >- req.send_header('Content-Length', node.content_length) >- req.send_header('Last-Modified', http_date(node.last_modified)) >-+ if not self.render_unsafe_content: >-+ # Force browser to download files instead of rendering >-+ # them, since they might contain malicious code enabling >-+ # XSS attacks >-+ req.send_header('Content-Disposition', 'attachment') >- req.end_headers() >- >- while 1: >-Index: trac/scripts/tests/admin-tests.txt >-=================================================================== >---- trac/scripts/tests/admin-tests.txt (.../trac-0.10.3) (revision 4957) >-+++ trac/scripts/tests/admin-tests.txt (.../trac-0.10.3.1) (revision 4957) >-@@ -1,5 +1,5 @@ >- ===== test_help_ok ===== >--trac-admin - The Trac Administration Console 0.10.3 >-+trac-admin - The Trac Administration Console 0.10.3.1 >- >- Usage: trac-admin </path/to/projenv> [command [subcommand] [option ...]] >- >diff -urN trac.orig/files/patch-setup.py trac/files/patch-setup.py >--- trac.orig/files/patch-setup.py Fri Nov 4 21:30:10 2005 >+++ trac/files/patch-setup.py Mon May 21 21:28:33 2007 
>@@ -1,6 +1,6 @@ >---- setup.py.orig Thu Nov 3 11:44:28 2005 >-+++ setup.py Thu Nov 3 11:45:01 2005 >-@@ -225,7 +225,7 @@ >+--- setup.py.orig Thu Nov 2 20:58:46 2006 >++++ setup.py Mon May 21 21:28:00 2007 >+@@ -231,7 +231,7 @@ > (_p('share/trac/htdocs'), glob(_p('htdocs/*.*')) + [_p('htdocs/README')]), > (_p('share/trac/htdocs/css'), glob(_p('htdocs/css/*'))), > (_p('share/trac/htdocs/js'), glob(_p('htdocs/js/*'))), >diff -urN trac.orig/files/patch-trac.css trac/files/patch-trac.css >--- trac.orig/files/patch-trac.css Sun Dec 18 01:37:04 2005 >+++ trac/files/patch-trac.css Mon May 21 21:35:38 2007 >@@ -1,6 +1,6 @@ >---- ./htdocs/css/trac.css.orig Fri Dec 16 11:24:16 2005 >-+++ ./htdocs/css/trac.css Fri Dec 16 11:24:26 2005 >-@@ -47,7 +47,7 @@ >+--- ./htdocs/css/trac.css.orig Mon Sep 25 16:52:05 2006 >++++ ./htdocs/css/trac.css Mon May 21 21:32:02 2007 >+@@ -63,7 +63,7 @@ > background: url(../extlink.gif) left center no-repeat; > padding-left: 16px; > } >diff -urN trac.orig/pkg-plist trac/pkg-plist >--- trac.orig/pkg-plist Wed Mar 7 23:48:38 2007 >+++ trac/pkg-plist Mon May 21 21:38:23 2007 >@@ -159,6 +159,9 @@ > %%PYTHON_SITELIBDIR%%/trac/upgrades/db19.py > %%PYTHON_SITELIBDIR%%/trac/upgrades/db19.pyc > %%PYTHON_SITELIBDIR%%/trac/upgrades/db19.pyo >+%%PYTHON_SITELIBDIR%%/trac/upgrades/db20.py >+%%PYTHON_SITELIBDIR%%/trac/upgrades/db20.pyc >+%%PYTHON_SITELIBDIR%%/trac/upgrades/db20.pyo > %%PYTHON_SITELIBDIR%%/trac/upgrades/db3.py > %%PYTHON_SITELIBDIR%%/trac/upgrades/db3.pyc > %%PYTHON_SITELIBDIR%%/trac/upgrades/db3.pyo
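Review bot: the MASTER_SITES entries in the Makefile are plain http:// URLs, so the SHA256 line added in the distinfo hunk is the only integrity check on trac-0.10.4-ja-1.zip. Before committing, confirm that the new SHA256 and SIZE values match a copy of the distfile obtained independently of those two mirrors, not just the copy the submitter fetched from them.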
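Review bot: deleting files/patch-0.10.3.1 removes the port's local copy of the 0.10.3.1 security fix, and nothing in this diff shows that the 0.10.4 distfile carries it. The removed patch added the "Content-Disposition: attachment" header in trac/attachment.py, trac/mimeview/api.py and trac/versioncontrol/web_ui/browser.py, plus the render_unsafe_content BoolOption in the browser section. Please confirm that the extracted trac-0.10.4-ja-1.zip sources contain those changes and say so in the commit message, so the removal is not read as dropping the XSS fix.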
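Review bot: the pkg-plist hunk adds trac/upgrades/db20.py (with its .pyc and .pyo), which suggests that existing Trac environments need an upgrade step after this update, yet the patch adds no pkg-message or other note for users. If 0.10.4 does change the environment schema, document the required trac-admin upgrade step alongside this change.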