
[pkgsrc/trunk]: pkgsrc/www/ja-trac Add two patches to fix CVE-2009-4405, take...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/072fb2190916
branches:  trunk
changeset: 569077:072fb2190916
user:      obache <obache%pkgsrc.org@localhost>
date:      Wed Jan 06 13:19:45 2010 +0000

description:
Add two patches to fix CVE-2009-4405, taken from upstream.
Bump PKGREVISION.

diffstat:

 www/ja-trac/Makefile         |   3 ++-
 www/ja-trac/distinfo         |   4 +++-
 www/ja-trac/patches/patch-ab |  32 ++++++++++++++++++++++++++++++++
 www/ja-trac/patches/patch-ac |  37 +++++++++++++++++++++++++++++++++++++
 4 files changed, 74 insertions(+), 2 deletions(-)

diffs (103 lines):

diff -r e75652758b2b -r 072fb2190916 www/ja-trac/Makefile
--- a/www/ja-trac/Makefile      Wed Jan 06 11:39:42 2010 +0000
+++ b/www/ja-trac/Makefile      Wed Jan 06 13:19:45 2010 +0000
@@ -1,8 +1,9 @@
-# $NetBSD: Makefile,v 1.27 2009/07/28 00:25:16 obache Exp $
+# $NetBSD: Makefile,v 1.28 2010/01/06 13:19:45 obache Exp $
 #
 
 DISTNAME=      Trac-0.11.5.ja1
 PKGNAME=       ja-${DISTNAME:tl:S/.ja/pl/}
+PKGREVISION=   1
 CATEGORIES=    www devel
 MASTER_SITES=  http://www.i-act.co.jp/project/products/downloads/
 EXTRACT_SUFX=  .zip
diff -r e75652758b2b -r 072fb2190916 www/ja-trac/distinfo
--- a/www/ja-trac/distinfo      Wed Jan 06 11:39:42 2010 +0000
+++ b/www/ja-trac/distinfo      Wed Jan 06 13:19:45 2010 +0000
@@ -1,5 +1,7 @@
-$NetBSD: distinfo,v 1.18 2009/07/28 00:25:16 obache Exp $
+$NetBSD: distinfo,v 1.19 2010/01/06 13:19:45 obache Exp $
 
 SHA1 (Trac-0.11.5.ja1.zip) = e2a53ac73fad0751587313a41267f70410359372
 RMD160 (Trac-0.11.5.ja1.zip) = e5f12051270b355d1e07a361e0378372f807cbe8
 Size (Trac-0.11.5.ja1.zip) = 1008558 bytes
+SHA1 (patch-ab) = 572537f6531dcaa793da288465e01e73f107d969
+SHA1 (patch-ac) = 326b50fb8e190b285d609b3e437787c069edf613
diff -r e75652758b2b -r 072fb2190916 www/ja-trac/patches/patch-ab
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/www/ja-trac/patches/patch-ab      Wed Jan 06 13:19:45 2010 +0000
@@ -0,0 +1,32 @@
+$NetBSD: patch-ab,v 1.1 2010/01/06 13:19:45 obache Exp $
+
+CVE-2009-4405
+http://trac.edgewall.org/changeset/8813
+
+--- trac/mimeview/rst.py.orig  2009-02-24 20:53:20.000000000 +0000
++++ trac/mimeview/rst.py
+@@ -43,6 +43,24 @@ from trac.web.href import Href
+ from trac.wiki.api import WikiSystem
+ from trac.wiki.formatter import WikiProcessor, Formatter, extract_link
+ 
++if has_docutils and StrictVersion(__version__) < StrictVersion('0.6'):
++    # Monkey-patch "raw" role handler in docutils to add a missing check
++    # See docutils bug #2845002 on SourceForge
++    def raw_role(role, rawtext, text, lineno, inliner, options={}, content=[]):
++        if not inliner.document.settings.raw_enabled:
++            msg = inliner.reporter.warning('raw (and derived) roles disabled')
++            prb = inliner.problematic(rawtext, rawtext, msg)
++            return [prb], [msg]
++        return _raw_role(role, rawtext, text, lineno, inliner, options,
++                         content)
++    
++    from docutils.parsers.rst import roles
++    raw_role.options = roles.raw_role.options
++    _raw_role = roles.raw_role
++    roles.raw_role = raw_role
++    roles.register_canonical_role('raw', raw_role)
++
++
+ class ReStructuredTextRenderer(Component):
+     """
+     Renders plain text in reStructuredText format as HTML.
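Review bot: The replacement `raw_role` added to trac/mimeview/rst.py carries no docstring, and the guard `if has_docutils and StrictVersion(__version__) < StrictVersion('0.6'):` does not say why 0.6 is the cutoff; a one-line comment such as `# docutils < 0.6 never consults settings.raw_enabled for the "raw" role, so wrap it here; later releases enforce it themselves (confirm against docutils bug #2845002)` would make the intent clear. The names `has_docutils`, `StrictVersion` and `__version__` are defined outside the hunk, so whether `__version__` is docutils' own version string is not visible here; `StrictVersion` raises `ValueError` on strings it cannot parse, which would turn an unusual docutils version string into an import failure of this module rather than a skipped guard, so how `__version__` is obtained is worth checking. The mutable defaults `options={}, content=[]` mirror the docutils role-handler convention and are not mutated by this wrapper, so they can stay. `_raw_role` is bound after the `def` but only looked up when the wrapper is called, so the ordering is fine.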
diff -r e75652758b2b -r 072fb2190916 www/ja-trac/patches/patch-ac
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/www/ja-trac/patches/patch-ac      Wed Jan 06 13:19:45 2010 +0000
@@ -0,0 +1,37 @@
+$NetBSD: patch-ac,v 1.1 2010/01/06 13:19:45 obache Exp $
+
+CVE-2009-4405
+http://trac.edgewall.org/changeset/8816
+
+--- trac/ticket/report.py.orig 2009-07-02 17:01:40.000000000 +0000
++++ trac/ticket/report.py
+@@ -400,6 +400,7 @@ class ReportModule(Component):
+         #  - group rows according to __group__ value, if defined
+         #  - group cells the same way headers are grouped
+         row_groups = []
++        authorized_results = [] 
+         prev_group_value = None
+         for row_idx, result in enumerate(results):
+             col_idx = 0
+@@ -439,6 +440,7 @@ class ReportModule(Component):
+             # FIXME: for now, we still need to hardcode the realm in the action
+             if resource.realm.upper()+'_VIEW' not in req.perm(resource):
+                 continue
++            authorized_results.append(result)
+             if email_cells:
+                 for cell in email_cells:
+                     emails = Chrome(self.env).format_emails(context(resource),
+@@ -474,11 +476,11 @@ class ReportModule(Component):
+             return 'report.rss', data, 'application/rss+xml'
+         elif format == 'csv':
+             filename = id and 'report_%s.csv' % id or 'report.csv'
+-            self._send_csv(req, cols, results, mimetype='text/csv',
++            self._send_csv(req, cols, authorized_results, mimetype='text/csv',
+                            filename=filename)
+         elif format == 'tab':
+             filename = id and 'report_%s.tsv' % id or 'report.tsv'
+-            self._send_csv(req, cols, results, '\t',
++            self._send_csv(req, cols, authorized_results, '\t',
+                            mimetype='text/tab-separated-values',
+                            filename=filename)
+         else:
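Review bot: The added line `authorized_results = [] ` in the first hunk of patch-ac carries trailing whitespace; it should read `authorized_results = []`. A short comment next to the append would help the next reader see why a second list exists alongside `results`: `# csv/tab export must only contain rows that passed the _VIEW permission check above`. If any other `continue` between the loop header and the `_VIEW` permission check skips a row for a non-permission reason, that row is now omitted from the csv/tab output too; the loop body between the hunks is not visible here, so that needs confirming. The enclosing method starts and ends outside the hunk.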


