Control: tags -1 -moreinfo

On Sun, Mar 19 2023 at 01:40:57 PM +01:00, Sebastian Ramacher <sramac...@debian.org> wrote:
Control: tags -1 moreinfo

Please provide a debdiff

debdiff attached.

diff -Nru ruby-asciidoctor-include-ext-0.3.1/asciidoctor-include-ext.gemspec ruby-asciidoctor-include-ext-0.4.0/asciidoctor-include-ext.gemspec
--- ruby-asciidoctor-include-ext-0.3.1/asciidoctor-include-ext.gemspec	2019-08-22 14:40:31.000000000 +0530
+++ ruby-asciidoctor-include-ext-0.4.0/asciidoctor-include-ext.gemspec	2022-05-06 12:42:42.000000000 +0530
@@ -1,4 +1,4 @@
-require File.expand_path('../lib/asciidoctor/include_ext/version', __FILE__)
+require File.expand_path('lib/asciidoctor/include_ext/version', __dir__)
 
 Gem::Specification.new do |s|
   s.name        = 'asciidoctor-include-ext'
@@ -9,24 +9,22 @@
   s.license     = 'MIT'
 
   s.summary     = "Asciidoctor's standard include::[] processor reimplemented as an extension"
-  s.description = <<EOF
-This is a reimplementation of the Asciidoctor's built-in (pre)processor for the
-include::[] directive in extensible and more clean way. It provides the same
-features, but you can easily adjust it or extend for your needs. For example,
-you can change how it loads included files or add another ways how to select
-portions of the document to include.
-EOF
+  s.description = <<~EOF
+    This is a reimplementation of the Asciidoctor's built-in (pre)processor for the
+    include::[] directive in extensible and more clean way. It provides the same
+    features, but you can easily adjust it or extend for your needs. For example,
+    you can change how it loads included files or add another ways how to select
+    portions of the document to include.
+  EOF
 
   s.files       = Dir['lib/**/*', '*.gemspec', 'LICENSE*', 'README*']
-  s.has_rdoc    = 'yard'
 
-  s.required_ruby_version = '>= 2.1'
+  s.required_ruby_version = '>= 2.3'
 
   s.add_runtime_dependency 'asciidoctor', '>= 1.5.6', '< 3.0.0'
 
-  s.add_development_dependency 'corefines', '~> 1.11'
-  s.add_development_dependency 'kramdown', '~> 1.16'
-  s.add_development_dependency 'rake', '~> 12.0'
+  s.add_development_dependency 'kramdown', '~> 2.0'
+  s.add_development_dependency 'rake', '~> 13.0'
   s.add_development_dependency 'rspec', '~> 3.7'
   s.add_development_dependency 'rubocop', '~> 0.51.0'
   s.add_development_dependency 'simplecov', '~> 0.15'
diff -Nru ruby-asciidoctor-include-ext-0.3.1/debian/changelog ruby-asciidoctor-include-ext-0.4.0/debian/changelog
--- ruby-asciidoctor-include-ext-0.3.1/debian/changelog	2019-09-04 13:58:01.000000000 +0530
+++ ruby-asciidoctor-include-ext-0.4.0/debian/changelog	2023-03-19 17:22:18.000000000 +0530
@@ -1,3 +1,36 @@
+ruby-asciidoctor-include-ext (0.4.0-2) unstable; urgency=medium
+
+  * Team Upload
+  * Reupload to unstable (gitlab is only reverse dependency, which is not in
+    testing)
+  * Bump Standards-Version to 4.6.2 (no changes needed)
+  * Switch to ${ruby:Depends} for ruby dependencies
+
+ -- Pirate Praveen <prav...@debian.org>  Sun, 19 Mar 2023 17:22:18 +0530
+
+ruby-asciidoctor-include-ext (0.4.0-1) experimental; urgency=medium
+
+  * Team upload
+
+  [ Debian Janitor ]
+  * Bump debhelper from old 11 to 12.
+  * Set debhelper-compat version in Build-Depends.
+  * Set upstream metadata fields: Bug-Database, Bug-Submit, Repository,
+    Repository-Browse.
+  * Update standards version to 4.5.0, no changes needed.
+  * Update watch file format version to 4.
+  * Remove constraints unnecessary since buster:
+    + Build-Depends: Drop versioned constraint on ruby-asciidoctor.
+    + ruby-asciidoctor-include-ext: Drop versioned constraint on
+      ruby-asciidoctor in Depends.
+
+  [ Pirate Praveen ]
+  * New upstream version 0.4.0
+  * Bump Standards-Version to 4.6.1 (no changes needed)
+  * Bump debhelper compatibility level to 13
+
+ -- Pirate Praveen <prav...@debian.org>  Sun, 26 Jun 2022 22:48:20 +0530
+
 ruby-asciidoctor-include-ext (0.3.1-2) unstable; urgency=medium
 
   * Team upload
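Review bot: the 0.4.0-1 entry records "New upstream version 0.4.0" but says nothing about the reason this release matters, namely that upstream 0.4.0 fixes the command injection in include::[] target handling that the README hunk in this same debdiff warns about. Add a bullet naming the security fix (for example "New upstream version 0.4.0, fixes command injection via include::[] targets (Closes: #<bug number>)") so that the entry is findable by the security team and by users reading the changelog.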
diff -Nru ruby-asciidoctor-include-ext-0.3.1/debian/compat ruby-asciidoctor-include-ext-0.4.0/debian/compat
--- ruby-asciidoctor-include-ext-0.3.1/debian/compat	2019-09-04 13:58:01.000000000 +0530
+++ ruby-asciidoctor-include-ext-0.4.0/debian/compat	1970-01-01 05:30:00.000000000 +0530
@@ -1 +0,0 @@
-11
diff -Nru ruby-asciidoctor-include-ext-0.3.1/debian/control ruby-asciidoctor-include-ext-0.4.0/debian/control
--- ruby-asciidoctor-include-ext-0.3.1/debian/control	2019-09-04 13:58:01.000000000 +0530
+++ ruby-asciidoctor-include-ext-0.4.0/debian/control	2023-03-19 17:22:18.000000000 +0530
@@ -1,13 +1,13 @@
 Source: ruby-asciidoctor-include-ext
 Section: ruby
 Priority: optional
-Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
+Maintainer: Debian Ruby Team <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
 Uploaders: Sruthi Chandran <s...@debian.org>
-Build-Depends: debhelper (>= 11~),
+Build-Depends: debhelper-compat (= 13),
                gem2deb,
                ruby-asciidoctor (<< 3.0.0),
-               ruby-asciidoctor (>= 1.5.6)
-Standards-Version: 4.3.0
+               ruby-asciidoctor
+Standards-Version: 4.6.2
 Vcs-Git: https://salsa.debian.org/ruby-team/ruby-asciidoctor-include-ext.git
 Vcs-Browser: https://salsa.debian.org/ruby-team/ruby-asciidoctor-include-ext
 Homepage: https://github.com/jirutka/asciidoctor-include-ext
@@ -18,9 +18,7 @@
 Package: ruby-asciidoctor-include-ext
 Architecture: all
 XB-Ruby-Versions: ${ruby:Versions}
-Depends: ruby | ruby-interpreter,
-         ruby-asciidoctor (<< 3.0.0),
-         ruby-asciidoctor (>= 1.5.6),
+Depends: ${ruby:Depends},
          ${misc:Depends},
          ${shlibs:Depends}
 Description: Asciidoctor's standard include::[] processor reimplemented as an extension
diff -Nru ruby-asciidoctor-include-ext-0.3.1/debian/upstream/metadata ruby-asciidoctor-include-ext-0.4.0/debian/upstream/metadata
--- ruby-asciidoctor-include-ext-0.3.1/debian/upstream/metadata	1970-01-01 05:30:00.000000000 +0530
+++ ruby-asciidoctor-include-ext-0.4.0/debian/upstream/metadata	2023-03-19 17:22:18.000000000 +0530
@@ -0,0 +1,5 @@
+---
+Bug-Database: https://github.com/jirutka/asciidoctor-include-ext/issues
+Bug-Submit: https://github.com/jirutka/asciidoctor-include-ext/issues/new
+Repository: https://github.com/jirutka/asciidoctor-include-ext.git
+Repository-Browse: https://github.com/jirutka/asciidoctor-include-ext
diff -Nru ruby-asciidoctor-include-ext-0.3.1/debian/watch ruby-asciidoctor-include-ext-0.4.0/debian/watch
--- ruby-asciidoctor-include-ext-0.3.1/debian/watch	2019-09-04 13:58:01.000000000 +0530
+++ ruby-asciidoctor-include-ext-0.4.0/debian/watch	2023-03-19 17:22:18.000000000 +0530
@@ -1,2 +1,2 @@
-version=3
+version=4
 https://gemwatch.debian.net/asciidoctor-include-ext .*/asciidoctor-include-ext-(.*).tar.gz
diff -Nru ruby-asciidoctor-include-ext-0.3.1/lib/asciidoctor/include_ext/include_processor.rb ruby-asciidoctor-include-ext-0.4.0/lib/asciidoctor/include_ext/include_processor.rb
--- ruby-asciidoctor-include-ext-0.3.1/lib/asciidoctor/include_ext/include_processor.rb	2019-08-22 14:40:31.000000000 +0530
+++ ruby-asciidoctor-include-ext-0.4.0/lib/asciidoctor/include_ext/include_processor.rb	2022-05-06 12:42:42.000000000 +0530
@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 require 'logger'
 require 'open-uri'
+require 'uri'
 
 require 'asciidoctor/include_ext/version'
 require 'asciidoctor/include_ext/reader_ext'
@@ -86,7 +87,7 @@
 
       return false if doc.safe >= ::Asciidoctor::SafeMode::SECURE
       return false if doc.attributes.fetch('max-include-depth', 64).to_i < 1
-      return false if target_uri?(target) && !doc.attributes.key?('allow-uri-read')
+      return false if target_http?(target) && !doc.attributes.key?('allow-uri-read')
       true
     end
 
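Review bot: replacing `target_uri?` with `target_http?` narrows what `allow-uri-read` gates: a target with any other scheme that Asciidoctor's `uriish?` helper used to accept is no longer treated as a URI here and, per the `read_lines` hunk below, is handed to `File.open` as a plain path, so it fails to open instead of being fetched. That is the safer default, but it is a visible behaviour change for documents that relied on non-HTTP includes and deserves a mention in the package changelog.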
@@ -94,7 +95,7 @@
     # @param reader (see #process)
     # @return [String, nil] file path or URI of the *target*, or `nil` if not found.
     def resolve_target_path(target, reader)
-      return target if target_uri? target
+      return target if target_http? target
 
       # Include file is resolved relative to dir of the current include,
       # or base_dir if within original docfile.
@@ -106,16 +107,22 @@
     # Reads the specified file as individual lines, filters them using the
     # *selector* (if provided) and returns those lines in an array.
     #
-    # @param filename [String] path of the file to be read.
+    # @param path [String] URL or path of the file to be read.
     # @param selector [#to_proc, nil] predicate to filter lines that should be
     #   included in the output. It must accept two arguments: line and
     #   the line number. If `nil` is given, all lines are passed.
     # @return [Array<String>] an array of read lines.
-    def read_lines(filename, selector)
-      if selector
-        IO.foreach(filename).select.with_index(1, &selector)
-      else
-        open(filename, &:read)
+    def read_lines(path, selector)
+      # IO.open is deliberately not used directly to avoid potential security risks.
+      # TODO: Get rid of 'open-uri' (URI.open).
+      io = target_http?(path) ? URI : File
+
+      io.open(path) do |f|
+        if selector
+          f.each.select.with_index(1, &selector)
+        else
+          f.read
+        end
       end
     end
 
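Review bot: the new comment "IO.open is deliberately not used directly" does not describe what was removed; the old code called the bare `open(filename, &:read)`, which with `open-uri` loaded is `Kernel#open`, and `Kernel#open` interprets a target beginning with `|` as a command to spawn, which is the injection the README warns about. Reword the comment to name `Kernel#open`/`open-uri` so the reason for the explicit `File`/`URI` split is recorded in the code. Minor: the docstring promises `Array<String>`, but the `else` branch still returns the single String from `f.read`, as the old code did.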
@@ -142,9 +149,13 @@
     private
 
     # @param target (see #process)
-    # @return [Boolean] `true` if the *target* is an URI, `false` otherwise.
-    def target_uri?(target)
-      ::Asciidoctor::Helpers.uriish?(target)
+    # @return [Boolean] `true` if the *target* is a valid HTTP(S) URI, `false` otherwise.
+    def target_http?(target)
+      # First do a fast test, then try to parse it.
+      target.downcase.start_with?('http://', 'https://') \
+        && URI.parse(target).is_a?(URI::HTTP)
+    rescue URI::InvalidURIError
+      false
     end
   end
 end
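Review bot: `URI.parse(target).is_a?(URI::HTTP)` correctly accepts https as well, because `URI::HTTPS` subclasses `URI::HTTP`, so the check matches the docstring. The method-level `rescue URI::InvalidURIError` covers malformed input, but `target.downcase` on a non-String raises `NoMethodError` before the rescue applies; either document that callers always pass a String or add a `target.is_a?(String)` guard to the fast test.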
diff -Nru ruby-asciidoctor-include-ext-0.3.1/lib/asciidoctor/include_ext/version.rb ruby-asciidoctor-include-ext-0.4.0/lib/asciidoctor/include_ext/version.rb
--- ruby-asciidoctor-include-ext-0.3.1/lib/asciidoctor/include_ext/version.rb	2019-08-22 14:40:31.000000000 +0530
+++ ruby-asciidoctor-include-ext-0.4.0/lib/asciidoctor/include_ext/version.rb	2022-05-06 12:42:42.000000000 +0530
@@ -3,6 +3,6 @@
 module Asciidoctor
   module IncludeExt
     # Version of the asciidoctor-include-ext gem.
-    VERSION = '0.3.1'.freeze
+    VERSION = '0.4.0'.freeze
   end
 end
diff -Nru ruby-asciidoctor-include-ext-0.3.1/LICENSE ruby-asciidoctor-include-ext-0.4.0/LICENSE
--- ruby-asciidoctor-include-ext-0.3.1/LICENSE	2019-08-22 14:40:31.000000000 +0530
+++ ruby-asciidoctor-include-ext-0.4.0/LICENSE	2022-05-06 12:42:42.000000000 +0530
@@ -1,6 +1,6 @@
 The MIT License
 
-Copyright 2017 Jakub Jirutka <ja...@jirutka.cz>.
+Copyright 2017-present Jakub Jirutka <ja...@jirutka.cz>.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
diff -Nru ruby-asciidoctor-include-ext-0.3.1/README.adoc ruby-asciidoctor-include-ext-0.4.0/README.adoc
--- ruby-asciidoctor-include-ext-0.3.1/README.adoc	2019-08-22 14:40:31.000000000 +0530
+++ ruby-asciidoctor-include-ext-0.4.0/README.adoc	2022-05-06 12:42:42.000000000 +0530
@@ -7,7 +7,7 @@
 :codacy-id: 45320444129044688ef6553821b083f1
 
 ifdef::env-github[]
-image:https://travis-ci.org/{gh-name}.svg?branch={gh-branch}[Build Status, link="https://travis-ci.org/{gh-name}";]
+image:https://github.com/{gh-name}/workflows/CI/badge.svg[CI Status, link=https://github.com/{gh-name}/actions?query=workflow%3A%22CI%22]
 image:https://api.codacy.com/project/badge/Coverage/{codacy-id}["Test Coverage", link="https://www.codacy.com/app/{gh-name}";]
 image:https://api.codacy.com/project/badge/Grade/{codacy-id}["Codacy Code quality", link="https://www.codacy.com/app/{gh-name}";]
 image:https://img.shields.io/gem/v/{gem-name}.svg?style=flat[Gem Version, link="https://rubygems.org/gems/{gem-name}";]
@@ -49,6 +49,9 @@
 gem install {gem-name} --pre
 
 
+WARNING: Versions *prior 0.4.0* are vulnerable for Command Injection (see https://github.com/{gh-name}/commit/c7ea001a597c7033575342c51483dab7b87ae155[c7ea001] for more information). If you use an older version, update to 0.4.0 immediately!
+
+
 == Usage
 
 Just `require '{gem-name}'`.
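Review bot: the added WARNING reads "vulnerable for Command Injection" and "prior 0.4.0"; the idiomatic wording is "vulnerable to command injection" and "prior to 0.4.0". This is an upstream file, so the wording fix belongs in an upstream pull request rather than a Debian patch, but it is worth forwarding since this paragraph is the only user-facing statement of the security impact.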