Pullup ticket #3386 - requested by gls
www/py-moin: security patch

Revisions pulled up:
- www/py-moin/Makefile 1.16
- www/py-moin/distinfo 1.7
- www/py-moin/patches/patch-MoinMoin_parser_text__rst.py 1.1
---
Module Name: pkgsrc
Committed By: gls
Date: Mon Mar 7 20:51:41 UTC 2011

Modified Files:
pkgsrc/www/py-moin: Makefile distinfo
Added Files:
pkgsrc/www/py-moin/patches: patch-MoinMoin_parser_text__rst.py

Log Message:
Add a fix for CVE-2011-1058.
Taken from http://moinmo.in/SecurityFixes

diff -r1.14 -r1.14.4.1 pkgsrc/www/py-moin/Makefile
(tron)
@@ -1,19 +1,20 @@ | @@ -1,19 +1,20 @@ | |||
1 | # $NetBSD: Makefile,v 1.14 2010/07/09 11:38:36 obache Exp $ | 1 | # $NetBSD: Makefile,v 1.14.4.1 2011/03/09 20:01:47 tron Exp $ | |
2 | # | 2 | # | |
3 | 3 | |||
4 | VER= 1.9.3 | 4 | VER= 1.9.3 | |
5 | DISTNAME= moin-${VER} | 5 | DISTNAME= moin-${VER} | |
6 | PKGNAME= ${PYPKGPREFIX}-moin-${VER} | 6 | PKGNAME= ${PYPKGPREFIX}-moin-${VER} | |
7 | PKGREVISION= 1 | |||
7 | CATEGORIES= www python | 8 | CATEGORIES= www python | |
8 | MASTER_SITES= http://static.moinmo.in/files/ | 9 | MASTER_SITES= http://static.moinmo.in/files/ | |
9 | 10 | |||
10 | MAINTAINER= pkgsrc-users@NetBSD.org | 11 | MAINTAINER= pkgsrc-users@NetBSD.org | |
11 | HOMEPAGE= http://moinmo.in/ | 12 | HOMEPAGE= http://moinmo.in/ | |
12 | COMMENT= MoinMoin, a Python clone of WikiWiki | 13 | COMMENT= MoinMoin, a Python clone of WikiWiki | |
13 | LICENSE= gnu-gpl-v2 | 14 | LICENSE= gnu-gpl-v2 | |
14 | 15 | |||
15 | PKG_DESTDIR_SUPPORT= user-destdir | 16 | PKG_DESTDIR_SUPPORT= user-destdir | |
16 | 17 | |||
17 | #Only for Python 2.4, which isn't recommended anyway | 18 | #Only for Python 2.4, which isn't recommended anyway | |
18 | #DEPENDS+= ${PYPKGPREFIX}-xml-[0-9]*:../../textproc/py-xml | 19 | #DEPENDS+= ${PYPKGPREFIX}-xml-[0-9]*:../../textproc/py-xml | |
19 | 20 |
@@ -1,5 +1,6 @@ | @@ -1,5 +1,6 @@ | |||
1 | $NetBSD: distinfo,v 1.6 2010/07/09 11:38:36 obache Exp $ | 1 | $NetBSD: distinfo,v 1.6.4.1 2011/03/09 20:01:47 tron Exp $ | |
2 | 2 | |||
3 | SHA1 (moin-1.9.3.tar.gz) = e019c2742f42d4d1f32b0f86f985ce938b821f1b | 3 | SHA1 (moin-1.9.3.tar.gz) = e019c2742f42d4d1f32b0f86f985ce938b821f1b | |
4 | RMD160 (moin-1.9.3.tar.gz) = c8679c9440768906c47048f2544a26b77b1ca061 | 4 | RMD160 (moin-1.9.3.tar.gz) = c8679c9440768906c47048f2544a26b77b1ca061 | |
5 | Size (moin-1.9.3.tar.gz) = 30514897 bytes | 5 | Size (moin-1.9.3.tar.gz) = 30514897 bytes | |
6 | SHA1 (patch-MoinMoin_parser_text__rst.py) = 21876302d8ecef85295cc6c24ef4e3823f578556 |
$NetBSD: patch-MoinMoin_parser_text__rst.py,v 1.1.2.2 2011/03/09 20:01:48 tron Exp $
Security fix: XSS issue in rst parser CVE-2011-1058
http://hg.moinmo.in/moin/1.9/rev/97208f67798f
--- MoinMoin/parser/text_rst.py.orig 2010-06-26 21:46:42.000000000 +0000
+++ MoinMoin/parser/text_rst.py
@@ -391,6 +391,9 @@ class MoinTranslator(html4css1.HTMLTrans
# for images with targets).
if not [i for i in node.children if i.__class__ == docutils.nodes.image]:
node['classes'].append('interwiki')
+ elif prefix == 'javascript':
+ # is someone trying to do XSS with javascript?
+ node['refuri'] = 'javascript:alert("it does not work")'
elif prefix != '':
# Some link scheme (http, file, https, mailto, etc.), add class
# information if the reference doesn't have a child image (don't
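Review bot: The added `elif prefix == 'javascript':` branch neutralizes only a reference whose prefix is exactly that string, and it does so by still emitting a `javascript:` URI (a harmless one), so the rendered page keeps a clickable script link; an allowlist of permitted schemes (the http/file/https/mailto family the following branch's comment already names) is the more robust shape than singling out one scheme, and dropping the reference target, e.g. `del node['refuri']` or `node['refuri'] = '#'`, avoids rendering any `javascript:` link at all. How `prefix` is derived is outside the hunk, so whether it has been lowercased or stripped before this comparison cannot be confirmed here; if it has not, compare against a normalised form, `elif prefix.strip().lower() == 'javascript':`. The event is also swallowed silently — a warning through whatever logger this module already uses would give operators a detection signal when such input is submitted. The enclosing MoinTranslator method starts before the hunk and continues past it.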