From 3c598646ce963dd4c0d2ef4c767509696db412da Mon Sep 17 00:00:00 2001 From: tron Date: Wed, 9 Mar 2011 20:01:47 +0000 Subject: Pullup ticket #3386 - requested by gls www/py-moin: security patch Revisions pulled up: - www/py-moin/Makefile 1.16 - www/py-moin/distinfo 1.7 - www/py-moin/patches/patch-MoinMoin_parser_text__rst.py 1.1 --- Module Name: pkgsrc Committed By: gls Date: Mon Mar 7 20:51:41 UTC 2011 Modified Files: pkgsrc/www/py-moin: Makefile distinfo Added Files: pkgsrc/www/py-moin/patches: patch-MoinMoin_parser_text__rst.py Log Message: Add a fix for CVE CVE 2011-1058. Taken from http://moinmo.in/SecurityFixes --- www/py-moin/Makefile | 3 ++- www/py-moin/distinfo | 3 ++- www/py-moin/patches/patch-MoinMoin_parser_text__rst.py | 17 +++++++++++++++++ 3 files changed, 21 insertions(+), 2 deletions(-) create mode 100644 www/py-moin/patches/patch-MoinMoin_parser_text__rst.py diff --git a/www/py-moin/Makefile b/www/py-moin/Makefile index 62363c2fdc0..f95fbc1f21c 100644 --- a/www/py-moin/Makefile +++ b/www/py-moin/Makefile @@ -1,9 +1,10 @@ -# $NetBSD: Makefile,v 1.14 2010/07/09 11:38:36 obache Exp $ +# $NetBSD: Makefile,v 1.14.4.1 2011/03/09 20:01:47 tron Exp $ # VER= 1.9.3 DISTNAME= moin-${VER} PKGNAME= ${PYPKGPREFIX}-moin-${VER} +PKGREVISION= 1 CATEGORIES= www python MASTER_SITES= http://static.moinmo.in/files/ diff --git a/www/py-moin/distinfo b/www/py-moin/distinfo index 148a692a808..4c6b6ea0fb5 100644 --- a/www/py-moin/distinfo +++ b/www/py-moin/distinfo @@ -1,5 +1,6 @@ -$NetBSD: distinfo,v 1.6 2010/07/09 11:38:36 obache Exp $ +$NetBSD: distinfo,v 1.6.4.1 2011/03/09 20:01:47 tron Exp $ SHA1 (moin-1.9.3.tar.gz) = e019c2742f42d4d1f32b0f86f985ce938b821f1b RMD160 (moin-1.9.3.tar.gz) = c8679c9440768906c47048f2544a26b77b1ca061 Size (moin-1.9.3.tar.gz) = 30514897 bytes +SHA1 (patch-MoinMoin_parser_text__rst.py) = 21876302d8ecef85295cc6c24ef4e3823f578556 diff --git a/www/py-moin/patches/patch-MoinMoin_parser_text__rst.py b/www/py-moin/patches/patch-MoinMoin_parser_text__rst.py new file mode 100644 index 00000000000..f8f8829c68a --- /dev/null +++ b/www/py-moin/patches/patch-MoinMoin_parser_text__rst.py @@ -0,0 +1,17 @@ +$NetBSD: patch-MoinMoin_parser_text__rst.py,v 1.1.2.2 2011/03/09 20:01:48 tron Exp $ + +Security fix: XSS issue in rst parser CVE-2011-1058 +http://hg.moinmo.in/moin/1.9/rev/97208f67798f + +--- MoinMoin/parser/text_rst.py.orig 2010-06-26 21:46:42.000000000 +0000 ++++ MoinMoin/parser/text_rst.py +@@ -391,6 +391,9 @@ class MoinTranslator(html4css1.HTMLTrans + # for images with targets). + if not [i for i in node.children if i.__class__ == docutils.nodes.image]: + node['classes'].append('interwiki') ++ elif prefix == 'javascript': ++ # is someone trying to do XSS with javascript? ++ node['refuri'] = 'javascript:alert("it does not work")' + elif prefix != '': + # Some link scheme (http, file, https, mailto, etc.), add class + # information if the reference doesn't have a child image (don't -- cgit v1.2.3