Tue Jun 24 12:50:15 2008 UTC ()
Pullup ticket #2432 - requested by taca
Security patch for geeklog

Revisions pulled:
- www/geeklog/Makefile		1.17-1.18
- www/geeklog/Makefile.common	1.6
- www/geeklog/distinfo		1.7
- www/geeklog/patches/patch-ah	1.1
---
    Module Name:    pkgsrc
    Committed By:   joerg
    Date:           Mon May 26 00:40:24 UTC 2008

    Modified Files:
        pkgsrc/www/geeklog: Makefile

    Log Message:
    Needs full pax dependency. Bump revision.
---
    Module Name:    pkgsrc
    Committed By:   taca
    Date:           Thu Jun 19 14:08:42 UTC 2008

    Modified Files:
        pkgsrc/www/geeklog: Makefile Makefile.common distinfo
    Added Files:
        pkgsrc/www/geeklog/patches: patch-ah

    Log Message:
    Add a security fix for kses, an HTML filter that is not used in the
    default configuration: http://www.geeklog.net/article.php/kses.

    Also fix one pkglint warning.

    Bump PKGREVISION.


(tron)
diff -r1.16 -r1.16.6.1 pkgsrc/www/geeklog/Makefile
diff -r1.4 -r1.4.8.1 pkgsrc/www/geeklog/Makefile.common
diff -r1.6 -r1.6.8.1 pkgsrc/www/geeklog/distinfo
diff -r0 -r1.1.2.2 pkgsrc/www/geeklog/patches/patch-ah

cvs diff -r1.16 -r1.16.6.1 pkgsrc/www/geeklog/Makefile
--- pkgsrc/www/geeklog/Makefile 2007/07/04 20:55:04 1.16
+++ pkgsrc/www/geeklog/Makefile 2008/06/24 12:50:15 1.16.6.1
@@ -1,8 +1,9 @@
-# $NetBSD: Makefile,v 1.16 2007/07/04 20:55:04 jlam Exp $
+# $NetBSD: Makefile,v 1.16.6.1 2008/06/24 12:50:15 tron Exp $
 #
 
 DISTNAME=	geeklog-${VER}
 PKGNAME=	geeklog-${VER:C/(sr|-)/./g}
+PKGREVISION=	2
 CATEGORIES=	www
 MASTER_SITES=	http://www.geeklog.net/filemgmt/upload_dir/
 
@@ -13,6 +14,8 @@
 DEPENDS+=	${APACHE_PKG_PREFIX}-${PHP_PKG_PREFIX}>=4.3.3:../../www/ap-php
 DEPENDS+=	${PHP_PKG_PREFIX}-mysql>=4.3.0:../../databases/php-mysql
 
+USE_TOOLS+=	pax:run
+
 VER=		1.4.1
 NO_BUILD=	YES
 
@@ -108,19 +111,19 @@
 	${INSTALL_SCRIPT} ${WRKDIR}/createdb.php ${GEEKLOG_DIR}
 	${INSTALL_DATA} ${WRKDIR}/geeklog.conf ${GEEKLOG_EXAMPLESDIR}
 .for f in ${GEEKLOG_SYS}
-	cd ${WRKSRC}; ${PAX} -rw ${f} ${GEEKLOG_DIR}
+	cd ${WRKSRC}; pax -rw ${f} ${GEEKLOG_DIR}
 .endfor
 	cd ${WRKSRC}/public_html; \
-		${PAX} -rw admin ${GEEKLOG_DIR}; \
+		pax -rw admin ${GEEKLOG_DIR}; \
 		${RM} -rf admin
 .for d in ${GEEKLOG_TMPL_SUB}
 	cd ${WRKSRC}/public_html; \
 		if [ -d ${d} ]; then \
-			${PAX} -rw ${d} ${GEEKLOG_TMPL_DIR}; \
+			pax -rw ${d} ${GEEKLOG_TMPL_DIR}; \
 			${RM} -rf ${d}; \
 		fi
 .endfor
-	cd ${WRKSRC}/public_html; ${PAX} -rw . ${GEEKLOG_PUBDIR}
+	cd ${WRKSRC}/public_html; pax -rw . ${GEEKLOG_PUBDIR}
 
 .include "../../mk/apache.mk"
 .include "../../lang/php/phpversion.mk"
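Review bot: The four rewritten recipe lines call `pax` by bare name while the neighbouring commands still go through `${RM}`, `${INSTALL_SCRIPT}` and `${INSTALL_DATA}`, and nothing in the hunk says why. If the intent is to pick up the wrapper that `USE_TOOLS+= pax:run` makes available during the build, state it above the first loop, for example `# pax is invoked by name so that the wrapper provided through USE_TOOLS is used`. These commands run at install time, which is commonly done with elevated privileges, so it helps to be explicit that the binary is the one supplied by the tools framework and not whatever the invoking user's PATH resolves. The install target begins outside this hunk.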

cvs diff -r1.4 -r1.4.8.1 pkgsrc/www/geeklog/Makefile.common
--- pkgsrc/www/geeklog/Makefile.common 2007/05/20 15:56:44 1.4
+++ pkgsrc/www/geeklog/Makefile.common 2008/06/24 12:50:15 1.4.8.1
@@ -1,5 +1,6 @@
-# $NetBSD: Makefile.common,v 1.4 2007/05/20 15:56:44 taca Exp $
+# $NetBSD: Makefile.common,v 1.4.8.1 2008/06/24 12:50:15 tron Exp $
 #
+# used by www/geeklog/Makefile
 
 GEEKLOG_BASE=		share/geeklog
 GEEKLOG_PUB=		share/httpd/geeklog

cvs diff -r1.6 -r1.6.8.1 pkgsrc/www/geeklog/distinfo
--- pkgsrc/www/geeklog/distinfo 2007/05/20 15:56:44 1.6
+++ pkgsrc/www/geeklog/distinfo 2008/06/24 12:50:15 1.6.8.1
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.6 2007/05/20 15:56:44 taca Exp $
+$NetBSD: distinfo,v 1.6.8.1 2008/06/24 12:50:15 tron Exp $
 
 SHA1 (geeklog-1.4.1.tar.gz) = c323c29b523598b97d7e0957435c0ec0c31cb290
 RMD160 (geeklog-1.4.1.tar.gz) = bfac9946b34d0254fedd3a54cf742b044d347a3c
@@ -7,3 +7,4 @@
 SHA1 (patch-ab) = 3cbc5f3845eaaf78c349e1bc82e8e792627a12db
 SHA1 (patch-ac) = e5523aab7a13f014ecb961a53f8d962115c4d7b4
 SHA1 (patch-ag) = 207ef0801d865ff16d2a99f0732ea0cb49ce2ad5
+SHA1 (patch-ah) = 376e1208f0ec332e9da243a9a475d5569158d6d3

File Added: pkgsrc/www/geeklog/patches/Attic/patch-ah
$NetBSD: patch-ah,v 1.1.2.2 2008/06/24 12:50:15 tron Exp $

A security fix for HTML filter: http://www.geeklog.net/article.php/kses.
This problem will be fixed in Geeklog 1.5.0.

--- system/classes/kses.class.php.orig	2006-05-15 14:49:44.000000000 +0900
+++ system/classes/kses.class.php
@@ -941,12 +941,12 @@
 			 */
 			function _bad_protocol_once($string)
 			{
-				return preg_replace(
-					'/^((&[^;]*;|[\sA-Za-z0-9])*)'.
-					'(:|:|&#[Xx]3[Aa];)\s*/e',
-					'\$this->_bad_protocol_once2("\\1")',
-					$string
-				);
+                 $string2 = preg_split('/:|:|:/i', $string, 2);
+                 if(isset($string2[1]) && !preg_match('%/\?%',$string2[0]))
+                 {
+                   $string = $this->_bad_protocol_once2($string2[0]).trim($string2[1]);
+                 }
+                 return $string;
 			}
 
 			/**
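Review bot: The split pattern on the `preg_split` line reads `'/:|:|:/i'`, three identical alternatives, which suggests this page decoded character references for `:` that the real patch-ah presumably spells out. Fetch the file from CVS and check it against the `SHA1 (patch-ah)` value recorded in distinfo instead of copying it from this listing. The change itself goes in the right direction: dropping the `/e` replacement means untrusted markup is no longer interpolated into a string that PHP evaluates. The new body carries no comment saying so, and the `'%/\?%'` test on the part before the first colon is unexplained. I would add `// No /e modifier: the matched prefix is untrusted and must never be evaluated as PHP` above the split, plus a one-line comment on what the `/?` test is meant to exclude. `_bad_protocol_once2` and the enclosing class lie outside the hunk, so the protocol allow-list cannot be reviewed here.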