Control: tags -1 moreinfo

On 2023-03-19 18:14:29 +0530, Pirate Praveen wrote:
> Control: tags -1 -moreinfo
> 
> 
> On Sun, Mar 19 2023 at 01:40:57 PM +01:00:00 +01:00:00, Sebastian Ramacher
> <sramac...@debian.org> wrote:
> > Control: tags -1 moreinfo
> > 
> > Please provide a debdiff
> 
> debdiff attached.
> 

> diff -Nru ruby-asciidoctor-include-ext-0.3.1/asciidoctor-include-ext.gemspec 
> ruby-asciidoctor-include-ext-0.4.0/asciidoctor-include-ext.gemspec
> --- ruby-asciidoctor-include-ext-0.3.1/asciidoctor-include-ext.gemspec        
> 2019-08-22 14:40:31.000000000 +0530
> +++ ruby-asciidoctor-include-ext-0.4.0/asciidoctor-include-ext.gemspec        
> 2022-05-06 12:42:42.000000000 +0530
> @@ -1,4 +1,4 @@
> -require File.expand_path('../lib/asciidoctor/include_ext/version', __FILE__)
> +require File.expand_path('lib/asciidoctor/include_ext/version', __dir__)
>  
>  Gem::Specification.new do |s|
>    s.name        = 'asciidoctor-include-ext'
> @@ -9,24 +9,22 @@
>    s.license     = 'MIT'
>  
>    s.summary     = "Asciidoctor's standard include::[] processor 
> reimplemented as an extension"
> -  s.description = <<EOF
> -This is a reimplementation of the Asciidoctor's built-in (pre)processor for 
> the
> -include::[] directive in extensible and more clean way. It provides the same
> -features, but you can easily adjust it or extend for your needs. For example,
> -you can change how it loads included files or add another ways how to select
> -portions of the document to include.
> -EOF
> +  s.description = <<~EOF
> +    This is a reimplementation of the Asciidoctor's built-in (pre)processor 
> for the
> +    include::[] directive in extensible and more clean way. It provides the 
> same
> +    features, but you can easily adjust it or extend for your needs. For 
> example,
> +    you can change how it loads included files or add another ways how to 
> select
> +    portions of the document to include.
> +  EOF
>  
>    s.files       = Dir['lib/**/*', '*.gemspec', 'LICENSE*', 'README*']
> -  s.has_rdoc    = 'yard'
>  
> -  s.required_ruby_version = '>= 2.1'
> +  s.required_ruby_version = '>= 2.3'
>  
>    s.add_runtime_dependency 'asciidoctor', '>= 1.5.6', '< 3.0.0'
>  
> -  s.add_development_dependency 'corefines', '~> 1.11'
> -  s.add_development_dependency 'kramdown', '~> 1.16'
> -  s.add_development_dependency 'rake', '~> 12.0'
> +  s.add_development_dependency 'kramdown', '~> 2.0'
> +  s.add_development_dependency 'rake', '~> 13.0'
>    s.add_development_dependency 'rspec', '~> 3.7'
>    s.add_development_dependency 'rubocop', '~> 0.51.0'
>    s.add_development_dependency 'simplecov', '~> 0.15'
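
Review bot: the squiggly heredoc `<<~EOF` now used for `s.description` needs Ruby 2.3 or newer, which matches the `required_ruby_version` bump from `'>= 2.1'` to `'>= 2.3'` in this same hunk, and dropping `s.has_rdoc = 'yard'` is fine since that gemspec attribute is a deprecated no-op in current RubyGems. The long heredoc lines appear wrapped by the mail client in this quoted copy, so the attached debdiff rather than the quoted text should be used when checking that the patch applies.
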
> diff -Nru ruby-asciidoctor-include-ext-0.3.1/debian/changelog 
> ruby-asciidoctor-include-ext-0.4.0/debian/changelog
> --- ruby-asciidoctor-include-ext-0.3.1/debian/changelog       2019-09-04 
> 13:58:01.000000000 +0530
> +++ ruby-asciidoctor-include-ext-0.4.0/debian/changelog       2023-03-19 
> 17:22:18.000000000 +0530
> @@ -1,3 +1,36 @@
> +ruby-asciidoctor-include-ext (0.4.0-2) unstable; urgency=medium
> +
> +  * Team Upload
> +  * Reupload to unstable (gitlab is only reverse dependency, which is not in
> +    testing)
> +  * Bump Standards-Version to 4.6.2 (no changes needed)
> +  * Switch to ${ruby:Depends} for ruby dependencies
> +
> + -- Pirate Praveen <prav...@debian.org>  Sun, 19 Mar 2023 17:22:18 +0530
> +
> +ruby-asciidoctor-include-ext (0.4.0-1) experimental; urgency=medium
> +
> +  * Team upload
> +
> +  [ Debian Janitor ]
> +  * Bump debhelper from old 11 to 12.
> +  * Set debhelper-compat version in Build-Depends.
> +  * Set upstream metadata fields: Bug-Database, Bug-Submit, Repository,
> +    Repository-Browse.
> +  * Update standards version to 4.5.0, no changes needed.
> +  * Update watch file format version to 4.
> +  * Remove constraints unnecessary since buster:
> +    + Build-Depends: Drop versioned constraint on ruby-asciidoctor.
> +    + ruby-asciidoctor-include-ext: Drop versioned constraint on
> +      ruby-asciidoctor in Depends.
> +
> +  [ Pirate Praveen ]
> +  * New upstream version 0.4.0
> +  * Bump Standards-Version to 4.6.1 (no changes needed)
> +  * Bump debhelper compatibility level to 13

This type of change is not acceptable during hard freeze. Please revert.

Cheers

> +
> + -- Pirate Praveen <prav...@debian.org>  Sun, 26 Jun 2022 22:48:20 +0530
> +
>  ruby-asciidoctor-include-ext (0.3.1-2) unstable; urgency=medium
>  
>    * Team upload
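
Review bot: the 0.4.0-2 entry justifies the upload to unstable only by gitlab being the sole reverse dependency and says nothing about why a new upstream version is wanted; the README hunk further down in this same debdiff states that versions prior to 0.4.0 are vulnerable to command injection (upstream commit c7ea001), which puts the packaged 0.3.1 in the affected range, and that is the rationale a release-team reviewer would expect to find spelled out in debian/changelog. Also, within the 0.4.0-1 entry the Janitor lines say "Bump debhelper from old 11 to 12" while the later line says "Bump debhelper compatibility level to 13" and the control hunk ends at `debhelper-compat (= 13)`; the two statements should be reconciled so the changelog describes the final state.
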
> diff -Nru ruby-asciidoctor-include-ext-0.3.1/debian/compat 
> ruby-asciidoctor-include-ext-0.4.0/debian/compat
> --- ruby-asciidoctor-include-ext-0.3.1/debian/compat  2019-09-04 
> 13:58:01.000000000 +0530
> +++ ruby-asciidoctor-include-ext-0.4.0/debian/compat  1970-01-01 
> 05:30:00.000000000 +0530
> @@ -1 +0,0 @@
> -11
> diff -Nru ruby-asciidoctor-include-ext-0.3.1/debian/control 
> ruby-asciidoctor-include-ext-0.4.0/debian/control
> --- ruby-asciidoctor-include-ext-0.3.1/debian/control 2019-09-04 
> 13:58:01.000000000 +0530
> +++ ruby-asciidoctor-include-ext-0.4.0/debian/control 2023-03-19 
> 17:22:18.000000000 +0530
> @@ -1,13 +1,13 @@
>  Source: ruby-asciidoctor-include-ext
>  Section: ruby
>  Priority: optional
> -Maintainer: Debian Ruby Extras Maintainers 
> <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
> +Maintainer: Debian Ruby Team 
> <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
>  Uploaders: Sruthi Chandran <s...@debian.org>
> -Build-Depends: debhelper (>= 11~),
> +Build-Depends: debhelper-compat (= 13),
>                 gem2deb,
>                 ruby-asciidoctor (<< 3.0.0),
> -               ruby-asciidoctor (>= 1.5.6)
> -Standards-Version: 4.3.0
> +               ruby-asciidoctor
> +Standards-Version: 4.6.2
>  Vcs-Git: https://salsa.debian.org/ruby-team/ruby-asciidoctor-include-ext.git
>  Vcs-Browser: https://salsa.debian.org/ruby-team/ruby-asciidoctor-include-ext
>  Homepage: https://github.com/jirutka/asciidoctor-include-ext
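
Review bot: after removing `ruby-asciidoctor (>= 1.5.6)`, Build-Depends now lists both `ruby-asciidoctor (<< 3.0.0)` and a second, unversioned `ruby-asciidoctor` entry; the unversioned one is redundant with the versioned one and should go. The changelog line "Build-Depends: Drop versioned constraint on ruby-asciidoctor" also does not match what this hunk does, since the `<< 3.0.0` upper bound is kept; either drop it as well or reword the changelog entry.
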
> @@ -18,9 +18,7 @@
>  Package: ruby-asciidoctor-include-ext
>  Architecture: all
>  XB-Ruby-Versions: ${ruby:Versions}
> -Depends: ruby | ruby-interpreter,
> -         ruby-asciidoctor (<< 3.0.0),
> -         ruby-asciidoctor (>= 1.5.6),
> +Depends: ${ruby:Depends},
>           ${misc:Depends},
>           ${shlibs:Depends}
>  Description: Asciidoctor's standard include::[] processor reimplemented as 
> an extension
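
Review bot: replacing the explicit `ruby-asciidoctor (>= 1.5.6)` / `(<< 3.0.0)` lines with `${ruby:Depends}` means the runtime dependency is now whatever gem2deb derives from the gemspec's `add_runtime_dependency 'asciidoctor', '>= 1.5.6', '< 3.0.0'`; the Depends field of the built binary package should be checked to confirm that the `<< 3.0.0` upper bound survives the substitution rather than being lost. `${shlibs:Depends}` on an `Architecture: all` pure-Ruby package is a harmless leftover and could be dropped in the same change.
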
> diff -Nru ruby-asciidoctor-include-ext-0.3.1/debian/upstream/metadata 
> ruby-asciidoctor-include-ext-0.4.0/debian/upstream/metadata
> --- ruby-asciidoctor-include-ext-0.3.1/debian/upstream/metadata       
> 1970-01-01 05:30:00.000000000 +0530
> +++ ruby-asciidoctor-include-ext-0.4.0/debian/upstream/metadata       
> 2023-03-19 17:22:18.000000000 +0530
> @@ -0,0 +1,5 @@
> +---
> +Bug-Database: https://github.com/jirutka/asciidoctor-include-ext/issues
> +Bug-Submit: https://github.com/jirutka/asciidoctor-include-ext/issues/new
> +Repository: https://github.com/jirutka/asciidoctor-include-ext.git
> +Repository-Browse: https://github.com/jirutka/asciidoctor-include-ext
> diff -Nru ruby-asciidoctor-include-ext-0.3.1/debian/watch 
> ruby-asciidoctor-include-ext-0.4.0/debian/watch
> --- ruby-asciidoctor-include-ext-0.3.1/debian/watch   2019-09-04 
> 13:58:01.000000000 +0530
> +++ ruby-asciidoctor-include-ext-0.4.0/debian/watch   2023-03-19 
> 17:22:18.000000000 +0530
> @@ -1,2 +1,2 @@
> -version=3
> +version=4
>  https://gemwatch.debian.net/asciidoctor-include-ext 
> .*/asciidoctor-include-ext-(.*).tar.gz
> diff -Nru 
> ruby-asciidoctor-include-ext-0.3.1/lib/asciidoctor/include_ext/include_processor.rb
>  
> ruby-asciidoctor-include-ext-0.4.0/lib/asciidoctor/include_ext/include_processor.rb
> --- 
> ruby-asciidoctor-include-ext-0.3.1/lib/asciidoctor/include_ext/include_processor.rb
>        2019-08-22 14:40:31.000000000 +0530
> +++ 
> ruby-asciidoctor-include-ext-0.4.0/lib/asciidoctor/include_ext/include_processor.rb
>        2022-05-06 12:42:42.000000000 +0530
> @@ -1,6 +1,7 @@
>  # frozen_string_literal: true
>  require 'logger'
>  require 'open-uri'
> +require 'uri'
>  
>  require 'asciidoctor/include_ext/version'
>  require 'asciidoctor/include_ext/reader_ext'
> @@ -86,7 +87,7 @@
>  
>        return false if doc.safe >= ::Asciidoctor::SafeMode::SECURE
>        return false if doc.attributes.fetch('max-include-depth', 64).to_i < 1
> -      return false if target_uri?(target) && 
> !doc.attributes.key?('allow-uri-read')
> +      return false if target_http?(target) && 
> !doc.attributes.key?('allow-uri-read')
>        true
>      end
>  
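
Review bot: the `allow-uri-read` gate now fires only for `target_http?` targets instead of anything `::Asciidoctor::Helpers.uriish?` considered URI-like, so a target with some other scheme is no longer refused at this point but falls through `resolve_target_path` and is treated as a relative file path. Together with the `File.open`/`URI.open` split in the `read_lines` hunk this is the safer direction, but it is a behaviour change for documents that relied on the old check, and deserves a sentence in the changelog or a comment next to the check.
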
> @@ -94,7 +95,7 @@
>      # @param reader (see #process)
>      # @return [String, nil] file path or URI of the *target*, or `nil` if 
> not found.
>      def resolve_target_path(target, reader)
> -      return target if target_uri? target
> +      return target if target_http? target
>  
>        # Include file is resolved relative to dir of the current include,
>        # or base_dir if within original docfile.
> @@ -106,16 +107,22 @@
>      # Reads the specified file as individual lines, filters them using the
>      # *selector* (if provided) and returns those lines in an array.
>      #
> -    # @param filename [String] path of the file to be read.
> +    # @param path [String] URL or path of the file to be read.
>      # @param selector [#to_proc, nil] predicate to filter lines that should 
> be
>      #   included in the output. It must accept two arguments: line and
>      #   the line number. If `nil` is given, all lines are passed.
>      # @return [Array<String>] an array of read lines.
> -    def read_lines(filename, selector)
> -      if selector
> -        IO.foreach(filename).select.with_index(1, &selector)
> -      else
> -        open(filename, &:read)
> +    def read_lines(path, selector)
> +      # IO.open is deliberately not used directly to avoid potential 
> security risks.
> +      # TODO: Get rid of 'open-uri' (URI.open).
> +      io = target_http?(path) ? URI : File
> +
> +      io.open(path) do |f|
> +        if selector
> +          f.each.select.with_index(1, &selector)
> +        else
> +          f.read
> +        end
>        end
>      end
>  
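
Review bot: the new comment "IO.open is deliberately not used directly to avoid potential security risks" names the wrong method: the removed code called bare `open(filename, &:read)`, i.e. `Kernel#open`, which interprets a name beginning with `|` as a command to run, and that is the command injection the README hunk warns about; `IO.open` was never involved, so the comment should say `Kernel#open`. Dispatching to `File.open` or `URI.open` based on `target_http?` closes that path, and the TODO about dropping open-uri is reasonable. Note also that the selector branch still returns an Array while the `f.read` branch returns a String, exactly as before, even though the YARD doc above promises `Array<String>`; worth fixing while the method is being touched.
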
> @@ -142,9 +149,13 @@
>      private
>  
>      # @param target (see #process)
> -    # @return [Boolean] `true` if the *target* is an URI, `false` otherwise.
> -    def target_uri?(target)
> -      ::Asciidoctor::Helpers.uriish?(target)
> +    # @return [Boolean] `true` if the *target* is a valid HTTP(S) URI, 
> `false` otherwise.
> +    def target_http?(target)
> +      # First do a fast test, then try to parse it.
> +      target.downcase.start_with?('http://', 'https://') \
> +        && URI.parse(target).is_a?(URI::HTTP)
> +    rescue URI::InvalidURIError
> +      false
>      end
>    end
>  end
> diff -Nru 
> ruby-asciidoctor-include-ext-0.3.1/lib/asciidoctor/include_ext/version.rb 
> ruby-asciidoctor-include-ext-0.4.0/lib/asciidoctor/include_ext/version.rb
> --- ruby-asciidoctor-include-ext-0.3.1/lib/asciidoctor/include_ext/version.rb 
> 2019-08-22 14:40:31.000000000 +0530
> +++ ruby-asciidoctor-include-ext-0.4.0/lib/asciidoctor/include_ext/version.rb 
> 2022-05-06 12:42:42.000000000 +0530
> @@ -3,6 +3,6 @@
>  module Asciidoctor
>    module IncludeExt
>      # Version of the asciidoctor-include-ext gem.
> -    VERSION = '0.3.1'.freeze
> +    VERSION = '0.4.0'.freeze
>    end
>  end
> diff -Nru ruby-asciidoctor-include-ext-0.3.1/LICENSE 
> ruby-asciidoctor-include-ext-0.4.0/LICENSE
> --- ruby-asciidoctor-include-ext-0.3.1/LICENSE        2019-08-22 
> 14:40:31.000000000 +0530
> +++ ruby-asciidoctor-include-ext-0.4.0/LICENSE        2022-05-06 
> 12:42:42.000000000 +0530
> @@ -1,6 +1,6 @@
>  The MIT License
>  
> -Copyright 2017 Jakub Jirutka <ja...@jirutka.cz>.
> +Copyright 2017-present Jakub Jirutka <ja...@jirutka.cz>.
>  
>  Permission is hereby granted, free of charge, to any person obtaining a copy
>  of this software and associated documentation files (the "Software"), to deal
> diff -Nru ruby-asciidoctor-include-ext-0.3.1/README.adoc 
> ruby-asciidoctor-include-ext-0.4.0/README.adoc
> --- ruby-asciidoctor-include-ext-0.3.1/README.adoc    2019-08-22 
> 14:40:31.000000000 +0530
> +++ ruby-asciidoctor-include-ext-0.4.0/README.adoc    2022-05-06 
> 12:42:42.000000000 +0530
> @@ -7,7 +7,7 @@
>  :codacy-id: 45320444129044688ef6553821b083f1
>  
>  ifdef::env-github[]
> -image:https://travis-ci.org/{gh-name}.svg?branch={gh-branch}[Build Status, 
> link="https://travis-ci.org/{gh-name}";]
> +image:https://github.com/{gh-name}/workflows/CI/badge.svg[CI Status, 
> link=https://github.com/{gh-name}/actions?query=workflow%3A%22CI%22]
>  image:https://api.codacy.com/project/badge/Coverage/{codacy-id}["Test 
> Coverage", link="https://www.codacy.com/app/{gh-name}";]
>  image:https://api.codacy.com/project/badge/Grade/{codacy-id}["Codacy Code 
> quality", link="https://www.codacy.com/app/{gh-name}";]
>  image:https://img.shields.io/gem/v/{gem-name}.svg?style=flat[Gem Version, 
> link="https://rubygems.org/gems/{gem-name}";]
> @@ -49,6 +49,9 @@
>  gem install {gem-name} --pre
>  
>  
> +WARNING: Versions *prior 0.4.0* are vulnerable for Command Injection (see 
> https://github.com/{gh-name}/commit/c7ea001a597c7033575342c51483dab7b87ae155[c7ea001]
>  for more information). If you use an older version, update to 0.4.0 
> immediately!
> +
> +
>  == Usage
>  
>  Just `require '{gem-name}'`.


-- 
Sebastian Ramacher
