
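--- a/Makefile
+++ b/Makefile
@@ -3,6 +3,7 @@
 
 PORTNAME=	websvn
 PORTVERSION=	2.3.3
+PORTREVISION=	1
 CATEGORIES=	devel www
 MASTER_SITES=	http://websvn.tigris.org/files/documents/1380/49056/
 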
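--- a/files/patch-CVE-2013-6892
+++ b/files/patch-CVE-2013-6892
@@ -0,0 +1,37 @@
+Arbitrary files with a known path can be accessed in websvn by committing a
+symlink to a repository and then downloading the file (using the download
+link).
+
+Author: Thijs Kinkhorst <thijs@debian.org>
+
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775682
+--- dl.php.orig	2011-06-27 09:02:52 UTC
++++ dl.php
+@@ -137,6 +137,18 @@ if ($rep) {
+ 		exit(0);
+ 	}
+ 
++	// For security reasons, disallow direct downloads of filenames that
++	// are a symlink, since they may be a symlink to anywhere (/etc/passwd)
++	// Deciding whether the symlink is relative and legal within the
++	// repository would be nice but seems to error prone at this moment.
++	if ( is_link($tempDir.DIRECTORY_SEPARATOR.$archiveName) ) {
++		header('HTTP/1.x 500 Internal Server Error', true, 500);
++		error_log('to be downloaded file is symlink, aborting: '.$archiveName);
++		print 'Download of symlinks disallowed: "'.xml_entities($archiveName).'".';
++		removeDirectory($tempDir);
++		exit(0);
++	}
++
+ 	// Set timestamp of exported directory (and subdirectories) to timestamp of
+ 	// the revision so every archive of a given revision has the same timestamp.
+ 	$revDate = $logEntry->date;
+@@ -180,7 +192,7 @@ if ($rep) {
+ 		$downloadMimeType = 'application/x-zip';
+ 		$downloadArchive .= '.zip';
+ 		// Create zip file
+-		$cmd = $config->zip.' -r '.quote($downloadArchive).' '.quote($archiveName);
++		$cmd = $config->zip.' --symlinks -r '.quote($downloadArchive).' '.quote($archiveName);
+ 		execCommand($cmd, $retcode);
+ 		if ($retcode != 0) {
+ 			error_log('Unable to call zip command: '.$cmd);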
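Review bot: The `is_link()` guard in the first dl.php hunk tests only the top-level exported path `$tempDir.DIRECTORY_SEPARATOR.$archiveName`, so links nested inside an exported directory are covered solely by `--symlinks` on the zip command in the second hunk. The other archive branches of this `if ($rep)` block lie outside both hunks; it is worth confirming that each of them stores links as links rather than following them, and recording that in the comment, e.g. `// Nested symlinks are left to the archivers below, which must not dereference links.` Separately, the refusal is sent as `HTTP/1.x 500`, which is not a valid status line and files a policy denial under server errors; `header('HTTP/1.1 403 Forbidden', true, 403);` would keep it out of 5xx alerting while the `error_log()` entry stays available for detection.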
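--- a/files/patch-CVE-2016-2511
+++ b/files/patch-CVE-2016-2511
@@ -0,0 +1,12 @@
+Obtained from: Debian
+--- include/setup.php.orig	2011-06-27 09:12:51 UTC
++++ include/setup.php
+@@ -467,7 +467,7 @@ $vars['indexurl'] = $config->getURL('', 
+ $vars['validationurl'] = getFullURL($_SERVER['SCRIPT_NAME']).'?'.buildQuery($queryParams + array('template' => $template, 'language' => $language), '%26');
+ 
+ // To avoid a possible XSS exploit, need to clean up the passed-in path first
+-$path = !empty($_REQUEST['path']) ? $_REQUEST['path'] : null;
++$path = !empty($_REQUEST['path']) ? escape($_REQUEST['path']) : null;
+ if ($path === null || $path === '')
+ 	$path = '/';
+ $vars['safepath'] = escape($path);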
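Review bot: `$path` is now escaped at input, yet `$vars['safepath'] = escape($path);` three lines below escapes it a second time, so a path containing `&` or `<` would presumably reach the template double-encoded (the body of `escape()` is not shown here). Because the encoded value replaces the raw one, any later use of `$path` as a repository path outside this hunk would also receive entity-encoded names and may fail to resolve them. Encoding at the output sink is the more robust pattern: keep `$path` raw and call `escape()` wherever it is written into HTML. If input-side escaping is kept, the last line should at least become `$vars['safepath'] = $path;`.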
