Tue Jun 24 12:50:15 2008 UTC ()
Pullup ticket #2432 - requested by taca
Security patch for geeklog

Revisions pulled:
- www/geeklog/Makefile		1.17-1.18
- www/geeklog/Makefile.common	1.6
- www/geeklog/distinfo		1.7
- www/geeklog/patches/patch-ah	1.1
---
    Module Name:    pkgsrc
    Committed By:   joerg
    Date:           Mon May 26 00:40:24 UTC 2008

    Modified Files:
        pkgsrc/www/geeklog: Makefile

    Log Message:
    Needs full pax dependency. Bump revision.
---
    Module Name:    pkgsrc
    Committed By:   taca
    Date:           Thu Jun 19 14:08:42 UTC 2008

    Modified Files:
        pkgsrc/www/geeklog: Makefile Makefile.common distinfo
    Added Files:
        pkgsrc/www/geeklog/patches: patch-ah

    Log Message:
    Add a security fix for kses, an HTML filter which isn't used with the default
    configuration: http://www.geeklog.net/article.php/kses.

    Also fix one pkglint warning.

    Bump PKGREVISION.


(tron)
diff -r1.16 -r1.16.6.1 pkgsrc/www/geeklog/Makefile
diff -r1.4 -r1.4.8.1 pkgsrc/www/geeklog/Makefile.common
diff -r1.6 -r1.6.8.1 pkgsrc/www/geeklog/distinfo
diff -r0 -r1.1.2.2 pkgsrc/www/geeklog/patches/patch-ah


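--- a/pkgsrc/www/geeklog/Makefile
+++ b/pkgsrc/www/geeklog/Makefile
@@ -1,28 +1,31 @@
-# $NetBSD: Makefile,v 1.16 2007/07/04 20:55:04 jlam Exp $
+# $NetBSD: Makefile,v 1.16.6.1 2008/06/24 12:50:15 tron Exp $
 #
 
 DISTNAME= geeklog-${VER}
 PKGNAME= geeklog-${VER:C/(sr|-)/./g}
+PKGREVISION= 2
 CATEGORIES= www
 MASTER_SITES= http://www.geeklog.net/filemgmt/upload_dir/
 
 MAINTAINER= taca@NetBSD.org
 HOMEPAGE= http://www.geeklog.net/
 COMMENT= PHP/MySQL based application for managing dynamic web content
 
 DEPENDS+= ${APACHE_PKG_PREFIX}-${PHP_PKG_PREFIX}>=4.3.3:../../www/ap-php
 DEPENDS+= ${PHP_PKG_PREFIX}-mysql>=4.3.0:../../databases/php-mysql
 
+USE_TOOLS+= pax:run
+
 VER= 1.4.1
 NO_BUILD= YES
 
 PKG_GROUPS_VARS+= APACHE_GROUP
 BUILD_DEFS+= GEEKLOG_SITEBASE
 
 GEEKLOG_SYS= emailgeeklogstories language plugins readme sql system
 GEEKLOG_TMPL_SUB= backend images/articles images/library \
  images/topics images/userphotos
 
 GEEKLOG_CONF_FILES= config.php plugins/calendar/config.php \
  plugins/links/config.php plugins/polls/config.php \
  plugins/spamx/config.php \
@@ -98,30 +101,30 @@ pre-install:
  ${FIND} pear -type f -exec ${CHMOD} 0644 {} \;
 
 do-install:
  ${INSTALL_DATA_DIR} ${GEEKLOG_DOCDIR}
  ${INSTALL_DATA} ${WRKDIR}/README ${GEEKLOG_DOCDIR}
 .for f in ${GEEKLOG_CONF_FILES}
  ${INSTALL_DATA_DIR} ${GEEKLOG_EXAMPLESDIR}/${f:H}
  ${INSTALL_DATA} ${WRKSRC}/${f} ${GEEKLOG_EXAMPLESDIR}/${f}
  ${RM} ${WRKSRC}/${f}
 .endfor
  ${INSTALL_SCRIPT} ${WRKDIR}/createdb.php ${GEEKLOG_DIR}
  ${INSTALL_DATA} ${WRKDIR}/geeklog.conf ${GEEKLOG_EXAMPLESDIR}
 .for f in ${GEEKLOG_SYS}
- cd ${WRKSRC}; ${PAX} -rw ${f} ${GEEKLOG_DIR}
+ cd ${WRKSRC}; pax -rw ${f} ${GEEKLOG_DIR}
 .endfor
  cd ${WRKSRC}/public_html; \
- ${PAX} -rw admin ${GEEKLOG_DIR}; \
+ pax -rw admin ${GEEKLOG_DIR}; \
  ${RM} -rf admin
 .for d in ${GEEKLOG_TMPL_SUB}
  cd ${WRKSRC}/public_html; \
  if [ -d ${d} ]; then \
- ${PAX} -rw ${d} ${GEEKLOG_TMPL_DIR}; \
+ pax -rw ${d} ${GEEKLOG_TMPL_DIR}; \
  ${RM} -rf ${d}; \
  fi
 .endfor
- cd ${WRKSRC}/public_html; ${PAX} -rw . ${GEEKLOG_PUBDIR}
+ cd ${WRKSRC}/public_html; pax -rw . ${GEEKLOG_PUBDIR}
 
 .include "../../mk/apache.mk"
 .include "../../lang/php/phpversion.mk"
 .include "../../mk/bsd.pkg.mk"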


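--- a/pkgsrc/www/geeklog/Makefile.common
+++ b/pkgsrc/www/geeklog/Makefile.common
@@ -1,15 +1,16 @@
-# $NetBSD: Makefile.common,v 1.4 2007/05/20 15:56:44 taca Exp $
+# $NetBSD: Makefile.common,v 1.4.8.1 2008/06/24 12:50:15 tron Exp $
 #
+# used by www/geeklog/Makefile
 
 GEEKLOG_BASE= share/geeklog
 GEEKLOG_PUB= share/httpd/geeklog
 GEEKLOG_ADMIN= ${GEEKLOG_BASE}/admin
 GEEKLOG_TMPL= ${GEEKLOG_BASE}/default
 
 # Geeklog system
 GEEKLOG_DIR= ${PREFIX}/${GEEKLOG_BASE}
 
 # Geeklog public area
 GEEKLOG_PUBDIR= ${PREFIX}/${GEEKLOG_PUB}
 GEEKLOG_ADMIN_DIR= ${PREFIX}/${GEEKLOG_ADMIN}
 GEEKLOG_TMPL_DIR= ${PREFIX}/${GEEKLOG_TMPL}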


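--- a/pkgsrc/www/geeklog/distinfo
+++ b/pkgsrc/www/geeklog/distinfo
@@ -1,9 +1,10 @@
-$NetBSD: distinfo,v 1.6 2007/05/20 15:56:44 taca Exp $
+$NetBSD: distinfo,v 1.6.8.1 2008/06/24 12:50:15 tron Exp $
 
 SHA1 (geeklog-1.4.1.tar.gz) = c323c29b523598b97d7e0957435c0ec0c31cb290
 RMD160 (geeklog-1.4.1.tar.gz) = bfac9946b34d0254fedd3a54cf742b044d347a3c
 Size (geeklog-1.4.1.tar.gz) = 3631405 bytes
 SHA1 (patch-aa) = f96a2391925ae66c9629ee4480053b71dc33d587
 SHA1 (patch-ab) = 3cbc5f3845eaaf78c349e1bc82e8e792627a12db
 SHA1 (patch-ac) = e5523aab7a13f014ecb961a53f8d962115c4d7b4
 SHA1 (patch-ag) = 207ef0801d865ff16d2a99f0732ea0cb49ce2ad5
+SHA1 (patch-ah) = 376e1208f0ec332e9da243a9a475d5569158d6d3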

File Added: pkgsrc/www/geeklog/patches/Attic/patch-ah
$NetBSD: patch-ah,v 1.1.2.2 2008/06/24 12:50:15 tron Exp $

A security fix for HTML filter: http://www.geeklog.net/article.php/kses.
This problem will be fixed in Geeklog 1.5.0.

--- system/classes/kses.class.php.orig	2006-05-15 14:49:44.000000000 +0900
+++ system/classes/kses.class.php
@@ -941,12 +941,12 @@
 			 */
 			function _bad_protocol_once($string)
 			{
-				return preg_replace(
-					'/^((&[^;]*;|[\sA-Za-z0-9])*)'.
-					'(:|:|&#[Xx]3[Aa];)\s*/e',
-					'\$this->_bad_protocol_once2("\\1")',
-					$string
-				);
+                 $string2 = preg_split('/:|:|:/i', $string, 2);
+                 if(isset($string2[1]) && !preg_match('%/\?%',$string2[0]))
+                 {
+                   $string = $this->_bad_protocol_once2($string2[0]).trim($string2[1]);
+                 }
+                 return $string;
 			}
 
 			/**
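Review bot: The rewritten `_bad_protocol_once` body carries no comment explaining why the `/e` `preg_replace` was replaced, and in this rendering all three alternatives of the `preg_split` pattern on the first added line print as a bare `:` (most likely because entity references were decoded by the page), so the pattern cannot be verified from this page; the `SHA1 (patch-ah)` line in distinfo is the only thing here that pins the applied text. I would add above the `preg_split` call: `// Split on the first colon (literal or entity-encoded) and run only the scheme part through _bad_protocol_once2, without preg_replace's /e modifier, so no caller-supplied text is ever evaluated as code.` Note also that `trim($string2[1])` strips trailing whitespace from the remainder in addition to the leading whitespace the old `\s*` consumed, a small but visible change in output. Since one call strips at most one scheme prefix, whichever caller repeats this until the string stops changing is outside the hunk and should be checked separately.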