author | obache <obache@pkgsrc.org> | 2010-01-06 13:19:45 +0000 |
---|---|---|
committer | obache <obache@pkgsrc.org> | 2010-01-06 13:19:45 +0000 |
commit | 5cccbcdaa84623f895dfff46a04d094e9b3908a3 (patch) | |
tree | 63f48935c2bebf18ba1b3b969f60ccb5c7d36d7b /www/ja-trac | |
parent | f455fe41c2658d78f89218827393c1d33bcf8cde (diff) | |
download | pkgsrc-5cccbcdaa84623f895dfff46a04d094e9b3908a3.tar.gz |
Add two patches to fix CVE-2009-4405, taken from upstream.
Bump PKGREVISION.
Diffstat (limited to 'www/ja-trac')
-rw-r--r-- | www/ja-trac/Makefile | 3 | ||||
-rw-r--r-- | www/ja-trac/distinfo | 4 | ||||
-rw-r--r-- | www/ja-trac/patches/patch-ab | 32 | ||||
-rw-r--r-- | www/ja-trac/patches/patch-ac | 37 |
4 files changed, 74 insertions, 2 deletions
diff --git a/www/ja-trac/Makefile b/www/ja-trac/Makefile index 6743dd1c680..1b2566b1e3d 100644 --- a/www/ja-trac/Makefile +++ b/www/ja-trac/Makefile @@ -1,8 +1,9 @@ -# $NetBSD: Makefile,v 1.27 2009/07/28 00:25:16 obache Exp $ +# $NetBSD: Makefile,v 1.28 2010/01/06 13:19:45 obache Exp $ # DISTNAME= Trac-0.11.5.ja1 PKGNAME= ja-${DISTNAME:tl:S/.ja/pl/} +PKGREVISION= 1 CATEGORIES= www devel MASTER_SITES= http://www.i-act.co.jp/project/products/downloads/ EXTRACT_SUFX= .zip diff --git a/www/ja-trac/distinfo b/www/ja-trac/distinfo index a1847bfba8d..24a6d587b93 100644 --- a/www/ja-trac/distinfo +++ b/www/ja-trac/distinfo @@ -1,5 +1,7 @@ -$NetBSD: distinfo,v 1.18 2009/07/28 00:25:16 obache Exp $ +$NetBSD: distinfo,v 1.19 2010/01/06 13:19:45 obache Exp $ SHA1 (Trac-0.11.5.ja1.zip) = e2a53ac73fad0751587313a41267f70410359372 RMD160 (Trac-0.11.5.ja1.zip) = e5f12051270b355d1e07a361e0378372f807cbe8 Size (Trac-0.11.5.ja1.zip) = 1008558 bytes +SHA1 (patch-ab) = 572537f6531dcaa793da288465e01e73f107d969 +SHA1 (patch-ac) = 326b50fb8e190b285d609b3e437787c069edf613 diff --git a/www/ja-trac/patches/patch-ab b/www/ja-trac/patches/patch-ab new file mode 100644 index 00000000000..52d944f5cab --- /dev/null +++ b/www/ja-trac/patches/patch-ab 
@@ -0,0 +1,32 @@
+$NetBSD: patch-ab,v 1.1 2010/01/06 13:19:45 obache Exp $
+
+CVE-2009-4405
+http://trac.edgewall.org/changeset/8813
+
+--- trac/mimeview/rst.py.orig 2009-02-24 20:53:20.000000000 +0000
++++ trac/mimeview/rst.py
+@@ -43,6 +43,24 @@ from trac.web.href import Href
+ from trac.wiki.api import WikiSystem
+ from trac.wiki.formatter import WikiProcessor, Formatter, extract_link
+
++if has_docutils and StrictVersion(__version__) < StrictVersion('0.6'):
++ # Monkey-patch "raw" role handler in docutils to add a missing check
++ # See docutils bug #2845002 on SourceForge
++ def raw_role(role, rawtext, text, lineno, inliner, options={}, content=[]):
++ if not inliner.document.settings.raw_enabled:
++ msg = inliner.reporter.warning('raw (and derived) roles disabled')
++ prb = inliner.problematic(rawtext, rawtext, msg)
++ return [prb], [msg]
++ return _raw_role(role, rawtext, text, lineno, inliner, options,
++ content)
++
++ from docutils.parsers.rst import roles
++ raw_role.options = roles.raw_role.options
++ _raw_role = roles.raw_role
++ roles.raw_role = raw_role
++ roles.register_canonical_role('raw', raw_role)
++
++
+ class ReStructuredTextRenderer(Component):
+ """
+ Renders plain text in reStructuredText format as HTML.
diff --git a/www/ja-trac/patches/patch-ac b/www/ja-trac/patches/patch-ac
new file mode 100644
index 00000000000..0664cb0f1b3
--- /dev/null
+++ b/www/ja-trac/patches/patch-ac
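Review bot: The wrapper `raw_role` rejects the role only when `inliner.document.settings.raw_enabled` is false, so the fix depends on the renderer turning that setting off, and the code that does so is not part of this hunk. The assignment `roles.raw_role = raw_role` also replaces the handler for every docutils user in the same interpreter, and only when the version test against `'0.6'` passes. I would record both facts above the `def`, for example `# Relies on the caller rendering with raw_enabled turned off; replaces the docutils handler process-wide.` The mutable defaults `options={}` and `content=[]` appear to mirror the docutils role signature and are passed through unmodified here, so a short comment marking them as intentional would keep a later cleanup from changing the signature.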
@@ -0,0 +1,37 @@
+$NetBSD: patch-ac,v 1.1 2010/01/06 13:19:45 obache Exp $
+
+CVE-2009-4405
+http://trac.edgewall.org/changeset/8816
+
+--- trac/ticket/report.py.orig 2009-07-02 17:01:40.000000000 +0000
++++ trac/ticket/report.py
+@@ -400,6 +400,7 @@ class ReportModule(Component):
+ # - group rows according to __group__ value, if defined
+ # - group cells the same way headers are grouped
+ row_groups = []
++ authorized_results = []
+ prev_group_value = None
+ for row_idx, result in enumerate(results):
+ col_idx = 0
+@@ -439,6 +440,7 @@ class ReportModule(Component):
+ # FIXME: for now, we still need to hardcode the realm in the action
+ if resource.realm.upper()+'_VIEW' not in req.perm(resource):
+ continue
++ authorized_results.append(result)
+ if email_cells:
+ for cell in email_cells:
+ emails = Chrome(self.env).format_emails(context(resource),
+@@ -474,11 +476,11 @@ class ReportModule(Component):
+ return 'report.rss', data, 'application/rss+xml'
+ elif format == 'csv':
+ filename = id and 'report_%s.csv' % id or 'report.csv'
+- self._send_csv(req, cols, results, mimetype='text/csv',
++ self._send_csv(req, cols, authorized_results, mimetype='text/csv',
+ filename=filename)
+ elif format == 'tab':
+ filename = id and 'report_%s.tsv' % id or 'report.tsv'
+- self._send_csv(req, cols, results, '\t',
++ self._send_csv(req, cols, authorized_results, '\t',
+ mimetype='text/tab-separated-values',
+ filename=filename)
+ else: |
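Review bot: The unfiltered `results` list stays in scope beside the new `authorized_results`, so any consumer after the loop that these three hunks do not show (row counts, paging, another export format) would still see rows that failed the `_VIEW` check. The CSV and tab branches are switched over, but the RSS branch returns `data`, which is built outside the hunks, so it is worth confirming that it is assembled only from rows that passed the check. A comment at the declaration would make the intent explicit, e.g. `authorized_results = []  # rows that passed the per-resource *_VIEW check; exports must use this, never results`. The patch carries no regression test for the export path, and the enclosing method starts and ends outside the hunks.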