authortaca <taca>2010-01-10 15:33:28 +0000
committertaca <taca>2010-01-10 15:33:28 +0000
commit06b25688bff6fb53ff5f725747a691878719e7b5 (patch)
treee4aac332c76b48bd6cdc5ddd706463c5c385b586 /lang
parent00acf331af2600ba124a2a82c98d1757de2a14a8 (diff)
Add patches for security problem of webrick.
http://www.ruby-lang.org/en/news/2010/01/10/webrick-escape-sequence-injection/ Bump PKGREVISION.
Diffstat (limited to 'lang')
-rw-r--r--lang/ruby18-base/Makefile4
-rw-r--r--lang/ruby18-base/distinfo6
-rw-r--r--lang/ruby18-base/patches/patch-dw34
-rw-r--r--lang/ruby18-base/patches/patch-dx21
-rw-r--r--lang/ruby18-base/patches/patch-dy60
-rw-r--r--lang/ruby18-base/patches/patch-dz22
6 files changed, 144 insertions, 3 deletions
diff --git a/lang/ruby18-base/Makefile b/lang/ruby18-base/Makefile
index 15e42b32416..77c7da2d6dd 100644
--- a/lang/ruby18-base/Makefile
+++ b/lang/ruby18-base/Makefile
@@ -1,11 +1,11 @@
-# $NetBSD: Makefile,v 1.52 2009/08/11 14:26:58 taca Exp $
+# $NetBSD: Makefile,v 1.53 2010/01/10 15:33:28 taca Exp $
#
DISTNAME= ${RUBY_DISTNAME}
PKGNAME= ${RUBY_PKGPREFIX}-base-${RUBY_VERSION_SUFFIX}
CATEGORIES= lang ruby
MASTER_SITES= ${MASTER_SITE_RUBY}
-PKGREVISION= 2
+PKGREVISION= 3
MAINTAINER= taca@NetBSD.org
HOMEPAGE= ${RUBY_HOMEPAGE}
diff --git a/lang/ruby18-base/distinfo b/lang/ruby18-base/distinfo
index e874af623df..f053fdb04cb 100644
--- a/lang/ruby18-base/distinfo
+++ b/lang/ruby18-base/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.40 2009/08/11 14:26:58 taca Exp $
+$NetBSD: distinfo,v 1.41 2010/01/10 15:33:28 taca Exp $
SHA1 (ruby-1.8.7-p174.tar.bz2) = 9e84b49ad545ad54b8e7dc3c227eaaefeb1041aa
RMD160 (ruby-1.8.7-p174.tar.bz2) = f854d456003af1e31d50330c88c3cb152c434249
@@ -21,3 +21,7 @@ SHA1 (patch-ds) = 5344a63980b88d83e279cee50398312b90d5c2da
SHA1 (patch-dt) = 3dd34a91cbffcb8e432d926c9490372f238e7f2e
SHA1 (patch-du) = 55f021e2eb780743e35ecf70141f7738b04f4b62
SHA1 (patch-dv) = 25e779444c16717c7aaf800ebf68988878ed636f
+SHA1 (patch-dw) = 4937ee0f2b79cfc93f378b415d1a81cbf997b8d4
+SHA1 (patch-dx) = d25267d700f997b951a65c016f45347a8b1a1517
+SHA1 (patch-dy) = 6c2f978b1803d2939377a4904cfc71e71a3b5fea
+SHA1 (patch-dz) = 52af1fbf17b6e6df6112d08c291215d54a25af67
diff --git a/lang/ruby18-base/patches/patch-dw b/lang/ruby18-base/patches/patch-dw
new file mode 100644
index 00000000000..1866e6bb5dc
--- /dev/null
+++ b/lang/ruby18-base/patches/patch-dw
@@ -0,0 +1,34 @@
+$NetBSD: patch-dw,v 1.1 2010/01/10 15:33:28 taca Exp $
+
+webrick security fix.
+
+http://www.ruby-lang.org/en/news/2010/01/10/webrick-escape-sequence-injection/
+
+--- lib/webrick/accesslog.rb.orig 2007-02-12 23:01:19.000000000 +0000
++++ lib/webrick/accesslog.rb
+@@ -53,15 +53,23 @@ module WEBrick
+ when ?e, ?i, ?n, ?o
+ raise AccessLogError,
+ "parameter is required for \"#{spec}\"" unless param
+- params[spec][param] || "-"
++ param = params[spec][param] ? escape(param) : "-"
+ when ?t
+ params[spec].strftime(param || CLF_TIME_FORMAT)
+ when ?%
+ "%"
+ else
+- params[spec]
++ escape(params[spec].to_s)
+ end
+ }
+ end
++
++ def escape(data)
++ if data.tainted?
++ data.gsub(/[[:cntrl:]\\]+/) {$&.dump[1...-1]}.untaint
++ else
++ data
++ end
++ end
+ end
+ end
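Review bot: In the `?e, ?i, ?n, ?o` branch of the accesslog.rb change, `param = params[spec][param] ? escape(param) : "-"` parses as `param = (... ? escape(param) : "-")`, so `escape` is applied to the parameter name from the format string rather than to the looked-up value. As written, a format such as `%{User-Agent}i` would log the header name and drop the request-supplied value. Parenthesising the assignment gives the intended behaviour: `(param = params[spec][param]) ? escape(param) : "-"`. Separately, `escape` rewrites only strings for which `tainted?` is true, so a short comment saying that untainted data is passed through by design would help. The enclosing format method starts outside the hunk.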
diff --git a/lang/ruby18-base/patches/patch-dx b/lang/ruby18-base/patches/patch-dx
new file mode 100644
index 00000000000..4a1a217fa3a
--- /dev/null
+++ b/lang/ruby18-base/patches/patch-dx
@@ -0,0 +1,21 @@
+$NetBSD: patch-dx,v 1.1 2010/01/10 15:33:28 taca Exp $
+
+webrick security fix.
+
+http://www.ruby-lang.org/en/news/2010/01/10/webrick-escape-sequence-injection/
+
+--- lib/webrick/httprequest.rb.orig 2009-02-14 19:17:52.000000000 +0000
++++ lib/webrick/httprequest.rb
+@@ -242,11 +242,7 @@ module WEBrick
+ @raw_header << line
+ end
+ end
+- begin
+- @header = HTTPUtils::parse_header(@raw_header)
+- rescue => ex
+- raise HTTPStatus::BadRequest, ex.message
+- end
++ @header = HTTPUtils::parse_header(@raw_header.join)
+ end
+
+ def parse_uri(str, scheme="http")
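Review bot: With the `begin ... rescue => ex` wrapper removed, only errors that `HTTPUtils::parse_header` itself raises as `HTTPStatus::BadRequest` are reported as a bad request; any other exception raised while parsing request-supplied headers now propagates unchanged, presumably ending as a server error rather than a 400. This depends on the httputils.rb change in patch-dz, so the two must be applied together, and a comment such as `# parse_header raises HTTPStatus::BadRequest on malformed input` on the new line would record that. If the broader mapping is still wanted, keep a narrow `rescue` that re-raises `HTTPStatus::Status` untouched and converts everything else. The enclosing method starts outside the hunk.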
diff --git a/lang/ruby18-base/patches/patch-dy b/lang/ruby18-base/patches/patch-dy
new file mode 100644
index 00000000000..279c053ccb1
--- /dev/null
+++ b/lang/ruby18-base/patches/patch-dy
@@ -0,0 +1,60 @@
+$NetBSD: patch-dy,v 1.1 2010/01/10 15:33:28 taca Exp $
+
+webrick security fix.
+
+http://www.ruby-lang.org/en/news/2010/01/10/webrick-escape-sequence-injection/
+
+--- lib/webrick/httpstatus.rb.orig 2007-02-12 23:01:19.000000000 +0000
++++ lib/webrick/httpstatus.rb
+@@ -12,7 +12,17 @@ module WEBrick
+
+ module HTTPStatus
+
+- class Status < StandardError; end
++ class Status < StandardError
++ def initialize(message=self.class, *rest)
++ super(AccessLog.escape(message), *rest)
++ end
++ class << self
++ attr_reader :code, :reason_phrase
++ end
++ def code() self::class::code end
++ def reason_phrase() self::class::reason_phrase end
++ alias to_i code
++ end
+ class Info < Status; end
+ class Success < Status; end
+ class Redirect < Status; end
+@@ -68,6 +78,7 @@ module WEBrick
+ CodeToError = {}
+
+ StatusMessage.each{|code, message|
++ message.freeze
+ var_name = message.gsub(/[ \-]/,'_').upcase
+ err_name = message.gsub(/[ \-]/,'')
+
+@@ -79,18 +90,12 @@ module WEBrick
+ when 500...600; parent = ServerError
+ end
+
+- eval %-
+- RC_#{var_name} = #{code}
+- class #{err_name} < #{parent}
+- def self.code() RC_#{var_name} end
+- def self.reason_phrase() StatusMessage[code] end
+- def code() self::class::code end
+- def reason_phrase() self::class::reason_phrase end
+- alias to_i code
+- end
+- -
+-
+- CodeToError[code] = const_get(err_name)
++ const_set("RC_#{var_name}", code)
++ err_class = Class.new(parent)
++ err_class.instance_variable_set(:@code, code)
++ err_class.instance_variable_set(:@reason_phrase, message)
++ const_set(err_name, err_class)
++ CodeToError[code] = err_class
+ }
+
+ def reason_phrase(code)
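Review bot: `Status#initialize` now calls `AccessLog.escape`, but no visible hunk adds `require 'webrick/accesslog'` to httpstatus.rb, so loading this file on its own would presumably fail with a NameError the first time a status is raised. It also depends on `escape` from patch-dw being callable as a module function, which the hunks do not show; consider adding the require at the top of the file. In addition, `code` and `reason_phrase` are now instance variables on each generated class, which subclasses do not inherit, so a user-defined subclass of a generated error class would get nil from `code` where the old `def self.code` was inherited. A comment on `initialize` saying that the message is escaped because it may carry request data and ends up in logs would help.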
diff --git a/lang/ruby18-base/patches/patch-dz b/lang/ruby18-base/patches/patch-dz
new file mode 100644
index 00000000000..2433b248b9c
--- /dev/null
+++ b/lang/ruby18-base/patches/patch-dz
@@ -0,0 +1,22 @@
+$NetBSD: patch-dz,v 1.1 2010/01/10 15:33:28 taca Exp $
+
+webrick security fix.
+
+http://www.ruby-lang.org/en/news/2010/01/10/webrick-escape-sequence-injection/
+
+--- lib/webrick/httputils.rb.orig 2008-08-04 05:21:05.000000000 +0000
++++ lib/webrick/httputils.rb
+@@ -128,11 +128,11 @@ module WEBrick
+ when /^\s+(.*?)\s*\z/om
+ value = $1
+ unless field
+- raise "bad header '#{line.inspect}'."
++ raise HTTPStatus::BadRequest, "bad header '#{line}'."
+ end
+ header[field][-1] << " " << value
+ else
+- raise "bad header '#{line.inspect}'."
++ raise HTTPStatus::BadRequest, "bad header '#{line}'."
+ end
+ }
+ header.each{|key, values|
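Review bot: Both `raise HTTPStatus::BadRequest, "bad header '#{line}'."` lines now embed the raw request line, where the old code used `line.inspect`. The message is safe to log only because `HTTPStatus::Status#initialize` (patch-dy) passes it through `AccessLog.escape`, and that escapes only when the string is tainted. A comment at the first raise, e.g. `# line is left raw; Status#initialize escapes control characters`, would keep someone from reusing the message elsewhere or reintroducing `inspect`, which would then escape backslashes twice. The enclosing parse_header body starts and ends outside the hunk.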