Control: tags -1 moreinfo

On 2023-03-19 18:14:29 +0530, Pirate Praveen wrote:
> Control: tags -1 -moreinfo
>
>
> On Sun, Mar 19 2023 at 01:40:57 PM +01:00:00 +01:00:00, Sebastian Ramacher
> <sramac...@debian.org> wrote:
> > Control: tags -1 moreinfo
> >
> > Please provide a debdiff
>
> debdiff attached.
>
> diff -Nru ruby-asciidoctor-include-ext-0.3.1/asciidoctor-include-ext.gemspec > ruby-asciidoctor-include-ext-0.4.0/asciidoctor-include-ext.gemspec > --- ruby-asciidoctor-include-ext-0.3.1/asciidoctor-include-ext.gemspec > 2019-08-22 14:40:31.000000000 +0530 > +++ ruby-asciidoctor-include-ext-0.4.0/asciidoctor-include-ext.gemspec > 2022-05-06 12:42:42.000000000 +0530 > @@ -1,4 +1,4 @@ > -require File.expand_path('../lib/asciidoctor/include_ext/version', __FILE__) > +require File.expand_path('lib/asciidoctor/include_ext/version', __dir__) > > Gem::Specification.new do |s| > s.name = 'asciidoctor-include-ext' 
> @@ -9,24 +9,22 @@ > s.license = 'MIT' > > s.summary = "Asciidoctor's standard include::[] processor > reimplemented as an extension" > - s.description = <<EOF > -This is a reimplementation of the Asciidoctor's built-in (pre)processor for > the > -include::[] directive in extensible and more clean way. It provides the same > -features, but you can easily adjust it or extend for your needs. For example, > -you can change how it loads included files or add another ways how to select > -portions of the document to include. > -EOF > + s.description = <<~EOF > + This is a reimplementation of the Asciidoctor's built-in (pre)processor > for the > + include::[] directive in extensible and more clean way. It provides the > same > + features, but you can easily adjust it or extend for your needs. For > example, > + you can change how it loads included files or add another ways how to > select > + portions of the document to include. > + EOF > > s.files = Dir['lib/**/*', '*.gemspec', 'LICENSE*', 'README*'] > - s.has_rdoc = 'yard' > > - s.required_ruby_version = '>= 2.1' > + s.required_ruby_version = '>= 2.3' > > s.add_runtime_dependency 'asciidoctor', '>= 1.5.6', '< 3.0.0' > > - s.add_development_dependency 'corefines', '~> 1.11' > - s.add_development_dependency 'kramdown', '~> 1.16' > - s.add_development_dependency 'rake', '~> 12.0' > + s.add_development_dependency 'kramdown', '~> 2.0' > + s.add_development_dependency 'rake', '~> 13.0' > s.add_development_dependency 'rspec', '~> 3.7' > s.add_development_dependency 'rubocop', '~> 0.51.0' > s.add_development_dependency 'simplecov', '~> 0.15' > diff -Nru ruby-asciidoctor-include-ext-0.3.1/debian/changelog > ruby-asciidoctor-include-ext-0.4.0/debian/changelog > --- ruby-asciidoctor-include-ext-0.3.1/debian/changelog 2019-09-04 > 13:58:01.000000000 +0530 > +++ ruby-asciidoctor-include-ext-0.4.0/debian/changelog 2023-03-19 > 17:22:18.000000000 +0530 
> @@ -1,3 +1,36 @@ > +ruby-asciidoctor-include-ext (0.4.0-2) unstable; urgency=medium > + > + * Team Upload > + * Reupload to unstable (gitlab is only reverse dependency, which is not in > + testing) > + * Bump Standards-Version to 4.6.2 (no changes needed) > + * Switch to ${ruby:Depends} for ruby dependencies > + > + -- Pirate Praveen <prav...@debian.org> Sun, 19 Mar 2023 17:22:18 +0530 > + > +ruby-asciidoctor-include-ext (0.4.0-1) experimental; urgency=medium > + > + * Team upload > + > + [ Debian Janitor ] > + * Bump debhelper from old 11 to 12. > + * Set debhelper-compat version in Build-Depends. > + * Set upstream metadata fields: Bug-Database, Bug-Submit, Repository, > + Repository-Browse. > + * Update standards version to 4.5.0, no changes needed. > + * Update watch file format version to 4. > + * Remove constraints unnecessary since buster: > + + Build-Depends: Drop versioned constraint on ruby-asciidoctor. > + + ruby-asciidoctor-include-ext: Drop versioned constraint on > + ruby-asciidoctor in Depends. > + > + [ Pirate Praveen ] > + * New upstream version 0.4.0 > + * Bump Standards-Version to 4.6.1 (no changes needed) > + * Bump debhelper compatibility level to 13 This type of change is not acceptable during hard freeze. Please revert. Cheers > + > + -- Pirate Praveen <prav...@debian.org> Sun, 26 Jun 2022 22:48:20 +0530 > + > ruby-asciidoctor-include-ext (0.3.1-2) unstable; urgency=medium > > * Team upload > diff -Nru ruby-asciidoctor-include-ext-0.3.1/debian/compat > ruby-asciidoctor-include-ext-0.4.0/debian/compat > --- ruby-asciidoctor-include-ext-0.3.1/debian/compat 2019-09-04 > 13:58:01.000000000 +0530 > +++ ruby-asciidoctor-include-ext-0.4.0/debian/compat 1970-01-01 > 05:30:00.000000000 +0530 
> @@ -1 +0,0 @@ > -11 > diff -Nru ruby-asciidoctor-include-ext-0.3.1/debian/control > ruby-asciidoctor-include-ext-0.4.0/debian/control > --- ruby-asciidoctor-include-ext-0.3.1/debian/control 2019-09-04 > 13:58:01.000000000 +0530 > +++ ruby-asciidoctor-include-ext-0.4.0/debian/control 2023-03-19 > 17:22:18.000000000 +0530 > @@ -1,13 +1,13 @@ > Source: ruby-asciidoctor-include-ext > Section: ruby > Priority: optional > -Maintainer: Debian Ruby Extras Maintainers > <pkg-ruby-extras-maintain...@lists.alioth.debian.org> > +Maintainer: Debian Ruby Team > <pkg-ruby-extras-maintain...@lists.alioth.debian.org> > Uploaders: Sruthi Chandran <s...@debian.org> > -Build-Depends: debhelper (>= 11~), > +Build-Depends: debhelper-compat (= 13), > gem2deb, > ruby-asciidoctor (<< 3.0.0), > - ruby-asciidoctor (>= 1.5.6) > -Standards-Version: 4.3.0 > + ruby-asciidoctor > +Standards-Version: 4.6.2 > Vcs-Git: https://salsa.debian.org/ruby-team/ruby-asciidoctor-include-ext.git > Vcs-Browser: https://salsa.debian.org/ruby-team/ruby-asciidoctor-include-ext > Homepage: https://github.com/jirutka/asciidoctor-include-ext > @@ -18,9 +18,7 @@ > Package: ruby-asciidoctor-include-ext > Architecture: all > XB-Ruby-Versions: ${ruby:Versions} > -Depends: ruby | ruby-interpreter, > - ruby-asciidoctor (<< 3.0.0), > - ruby-asciidoctor (>= 1.5.6), > +Depends: ${ruby:Depends}, > ${misc:Depends}, > ${shlibs:Depends} > Description: Asciidoctor's standard include::[] processor reimplemented as > an extension > diff -Nru ruby-asciidoctor-include-ext-0.3.1/debian/upstream/metadata > ruby-asciidoctor-include-ext-0.4.0/debian/upstream/metadata > --- ruby-asciidoctor-include-ext-0.3.1/debian/upstream/metadata > 1970-01-01 05:30:00.000000000 +0530 > +++ ruby-asciidoctor-include-ext-0.4.0/debian/upstream/metadata > 2023-03-19 17:22:18.000000000 +0530 
> @@ -0,0 +1,5 @@ > +--- > +Bug-Database: https://github.com/jirutka/asciidoctor-include-ext/issues > +Bug-Submit: https://github.com/jirutka/asciidoctor-include-ext/issues/new > +Repository: https://github.com/jirutka/asciidoctor-include-ext.git > +Repository-Browse: https://github.com/jirutka/asciidoctor-include-ext > diff -Nru ruby-asciidoctor-include-ext-0.3.1/debian/watch > ruby-asciidoctor-include-ext-0.4.0/debian/watch > --- ruby-asciidoctor-include-ext-0.3.1/debian/watch 2019-09-04 > 13:58:01.000000000 +0530 > +++ ruby-asciidoctor-include-ext-0.4.0/debian/watch 2023-03-19 > 17:22:18.000000000 +0530 > @@ -1,2 +1,2 @@ > -version=3 > +version=4 > https://gemwatch.debian.net/asciidoctor-include-ext > .*/asciidoctor-include-ext-(.*).tar.gz > diff -Nru > ruby-asciidoctor-include-ext-0.3.1/lib/asciidoctor/include_ext/include_processor.rb > > ruby-asciidoctor-include-ext-0.4.0/lib/asciidoctor/include_ext/include_processor.rb > --- > ruby-asciidoctor-include-ext-0.3.1/lib/asciidoctor/include_ext/include_processor.rb > 2019-08-22 14:40:31.000000000 +0530 > +++ > ruby-asciidoctor-include-ext-0.4.0/lib/asciidoctor/include_ext/include_processor.rb > 2022-05-06 12:42:42.000000000 +0530 > @@ -1,6 +1,7 @@ > # frozen_string_literal: true > require 'logger' > require 'open-uri' > +require 'uri' > > require 'asciidoctor/include_ext/version' > require 'asciidoctor/include_ext/reader_ext' > @@ -86,7 +87,7 @@ > > return false if doc.safe >= ::Asciidoctor::SafeMode::SECURE > return false if doc.attributes.fetch('max-include-depth', 64).to_i < 1 > - return false if target_uri?(target) && > !doc.attributes.key?('allow-uri-read') > + return false if target_http?(target) && > !doc.attributes.key?('allow-uri-read') > true > end 
> > @@ -94,7 +95,7 @@ > # @param reader (see #process) > # @return [String, nil] file path or URI of the *target*, or `nil` if > not found. > def resolve_target_path(target, reader) > - return target if target_uri? target > + return target if target_http? target > > # Include file is resolved relative to dir of the current include, > # or base_dir if within original docfile. > @@ -106,16 +107,22 @@ > # Reads the specified file as individual lines, filters them using the > # *selector* (if provided) and returns those lines in an array. > # > - # @param filename [String] path of the file to be read. > + # @param path [String] URL or path of the file to be read. > # @param selector [#to_proc, nil] predicate to filter lines that should > be > # included in the output. It must accept two arguments: line and > # the line number. If `nil` is given, all lines are passed. > # @return [Array<String>] an array of read lines. > - def read_lines(filename, selector) > - if selector > - IO.foreach(filename).select.with_index(1, &selector) > - else > - open(filename, &:read) > + def read_lines(path, selector) > + # IO.open is deliberately not used directly to avoid potential > security risks. > + # TODO: Get rid of 'open-uri' (URI.open). > + io = target_http?(path) ? URI : File > + > + io.open(path) do |f| > + if selector > + f.each.select.with_index(1, &selector) > + else > + f.read > + end > end > end 
> > @@ -142,9 +149,13 @@ > private > > # @param target (see #process) > - # @return [Boolean] `true` if the *target* is an URI, `false` otherwise. > - def target_uri?(target) > - ::Asciidoctor::Helpers.uriish?(target) > + # @return [Boolean] `true` if the *target* is a valid HTTP(S) URI, > `false` otherwise. > + def target_http?(target) > + # First do a fast test, then try to parse it. > + target.downcase.start_with?('http://', 'https://') \ > + && URI.parse(target).is_a?(URI::HTTP) > + rescue URI::InvalidURIError > + false > end > end > end > diff -Nru > ruby-asciidoctor-include-ext-0.3.1/lib/asciidoctor/include_ext/version.rb > ruby-asciidoctor-include-ext-0.4.0/lib/asciidoctor/include_ext/version.rb > --- ruby-asciidoctor-include-ext-0.3.1/lib/asciidoctor/include_ext/version.rb > 2019-08-22 14:40:31.000000000 +0530 > +++ ruby-asciidoctor-include-ext-0.4.0/lib/asciidoctor/include_ext/version.rb > 2022-05-06 12:42:42.000000000 +0530 > @@ -3,6 +3,6 @@ > module Asciidoctor > module IncludeExt > # Version of the asciidoctor-include-ext gem. > - VERSION = '0.3.1'.freeze > + VERSION = '0.4.0'.freeze > end > end > diff -Nru ruby-asciidoctor-include-ext-0.3.1/LICENSE > ruby-asciidoctor-include-ext-0.4.0/LICENSE > --- ruby-asciidoctor-include-ext-0.3.1/LICENSE 2019-08-22 > 14:40:31.000000000 +0530 > +++ ruby-asciidoctor-include-ext-0.4.0/LICENSE 2022-05-06 > 12:42:42.000000000 +0530 > @@ -1,6 +1,6 @@ > The MIT License > > -Copyright 2017 Jakub Jirutka <ja...@jirutka.cz>. > +Copyright 2017-present Jakub Jirutka <ja...@jirutka.cz>. > > Permission is hereby granted, free of charge, to any person obtaining a copy > of this software and associated documentation files (the "Software"), to deal > diff -Nru ruby-asciidoctor-include-ext-0.3.1/README.adoc > ruby-asciidoctor-include-ext-0.4.0/README.adoc > --- ruby-asciidoctor-include-ext-0.3.1/README.adoc 2019-08-22 > 14:40:31.000000000 +0530 > +++ ruby-asciidoctor-include-ext-0.4.0/README.adoc 2022-05-06 > 12:42:42.000000000 +0530 
> @@ -7,7 +7,7 @@ > :codacy-id: 45320444129044688ef6553821b083f1 > > ifdef::env-github[] > -image:https://travis-ci.org/{gh-name}.svg?branch={gh-branch}[Build Status, > link="https://travis-ci.org/{gh-name}"] > +image:https://github.com/{gh-name}/workflows/CI/badge.svg[CI Status, > link=https://github.com/{gh-name}/actions?query=workflow%3A%22CI%22] > image:https://api.codacy.com/project/badge/Coverage/{codacy-id}["Test > Coverage", link="https://www.codacy.com/app/{gh-name}"] > image:https://api.codacy.com/project/badge/Grade/{codacy-id}["Codacy Code > quality", link="https://www.codacy.com/app/{gh-name}"] > image:https://img.shields.io/gem/v/{gem-name}.svg?style=flat[Gem Version, > link="https://rubygems.org/gems/{gem-name}"] > @@ -49,6 +49,9 @@ > gem install {gem-name} --pre > > > +WARNING: Versions *prior 0.4.0* are vulnerable for Command Injection (see > https://github.com/{gh-name}/commit/c7ea001a597c7033575342c51483dab7b87ae155[c7ea001] > for more information). If you use an older version, update to 0.4.0 > immediately! > + > + > == Usage > > Just `require '{gem-name}'`. -- Sebastian Ramacher
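
Review bot: In asciidoctor-include-ext.gemspec, `s.required_ruby_version = '>= 2.3'` needs checking against the new `URI.open` call that this debdiff adds to `read_lines` in include_processor.rb. If the oldest Ruby the gemspec admits does not provide `URI.open`, raise the minimum to a release that does, or keep the HTTP branch on a call that exists there.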
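
Review bot: The 0.4.0-1 entry in debian/changelog says only "New upstream version 0.4.0", while the README.adoc hunk of the same debdiff adds a warning that versions prior to 0.4.0 are vulnerable to command injection. Name the security fix in the changelog entry so that it is visible to whoever reads the upload, and keep it distinguishable from the packaging-only items listed beside it (debhelper compat 13, Standards-Version, watch version 4).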
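
Review bot: In the first debian/control hunk, once `(>= 1.5.6)` is dropped the Build-Depends field lists `ruby-asciidoctor (<< 3.0.0)` and a bare `ruby-asciidoctor` on consecutive lines; the bare entry is redundant and can be removed. In the second hunk the explicit `ruby-asciidoctor (<< 3.0.0)` in Depends is replaced by `${ruby:Depends}`, so confirm that the built package's Depends still carries the `< 3.0.0` upper bound declared in the gemspec.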
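
Review bot: In the `read_lines` hunk of include_processor.rb, the new comment "IO.open is deliberately not used directly" does not name the calls this hunk actually removes, which are `IO.foreach(filename)` and the bare `open(filename, &:read)`. Reword the comment to name those two and state that a non-HTTP path must only ever go through `File.open`, so a later cleanup does not reintroduce them. Separately, the else branch returns `f.read`, a String, while the doc comment still promises `@return [Array<String>]`; correct one or the other.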
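
Review bot: With `target_uri?` replaced by `target_http?` (defined in the `@@ -142,9 +149,13 @@` hunk and called from `include_file?` and `resolve_target_path`), a target with any URI scheme other than http or https is no longer subject to the `allow-uri-read` check and is instead resolved as a local path and handed to `File.open`. If that is the intended behaviour, say so in the `target_http?` doc comment; otherwise reject such targets explicitly in `include_file?`. A spec for a non-HTTP scheme and for a malformed `http://` string, which exercises the `rescue URI::InvalidURIError` path, would pin the behaviour down.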