Hello community, here is the log from the commit of package viewvc for openSUSE:Factory checked in at 2012-10-26 17:36:14 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/viewvc (Old) and /work/SRC/openSUSE:Factory/.viewvc.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "viewvc", Maintainer is "dmuel...@suse.com"
Changes:
--------
--- /work/SRC/openSUSE:Factory/viewvc/viewvc.changes 2012-07-24 17:22:52.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.viewvc.new/viewvc.changes 2012-10-26 17:36:17.000000000 +0200
@@ -1,0 +2,11 @@
+Fri Oct 26 09:25:45 UTC 2012 - dmuel...@suse.com
+
+- update to 1.1.17:
+ * fix exception caused by uninitialized variable usage (issue #516)
+ * security fix: escape "extra" diff info to avoid XSS attack (issue #515)
+ * add 'binary_mime_types' configuration option and handling (issue #510)
+ * fix 'select for diffs' persistence across log pages (issue #512)
+ * remove lock status and filesize check on directories in remote SVN views
+ * fix bogus 'Annotation of' page title for non-annotated view (issue #514)
+
+-------------------------------------------------------------------
Old:
----
viewvc-1.1.15.tar.gz
New:
----
viewvc-1.1.17.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ viewvc.spec ++++++
--- /var/tmp/diff_new_pack.WrAC7m/_old 2012-10-26 17:36:18.000000000 +0200
+++ /var/tmp/diff_new_pack.WrAC7m/_new 2012-10-26 17:36:18.000000000 +0200
@@ -19,7 +19,7 @@
 Name: viewvc
 BuildRequires: apache2-devel
 BuildRequires: python-devel
-Version: 1.1.15
+Version: 1.1.17
 Release: 0
 # %define apxs /usr/sbin/apxs2
++++++ viewvc-1.1.15.tar.gz -> viewvc-1.1.17.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/viewvc-1.1.15/CHANGES new/viewvc-1.1.17/CHANGES
--- old/viewvc-1.1.15/CHANGES 2012-06-22 20:41:47.000000000 +0200
+++ new/viewvc-1.1.17/CHANGES 2012-10-25 15:48:46.000000000 +0200
@@ -1,3 +1,15 @@
+Version 1.1.17 (released 25-Oct-2012)
+
+ * fix exception caused by uninitialized variable usage (issue #516)
+
+Version 1.1.16 (released 24-Oct-2012)
+
+ * security fix: escape "extra" diff info to avoid XSS attack (issue #515)
+ * add 'binary_mime_types' configuration option and handling (issue #510)
+ * fix 'select for diffs' persistence across log pages (issue #512)
+ * remove lock status and filesize check on directories in remote SVN views
+ * fix bogus 'Annotation of' page title for non-annotated view (issue #514)
+
 Version 1.1.15 (released 22-Jun-2012)
 * security fix: complete authz support for remote SVN views (issue #353)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/viewvc-1.1.15/conf/viewvc.conf.dist new/viewvc-1.1.17/conf/viewvc.conf.dist
--- old/viewvc-1.1.15/conf/viewvc.conf.dist 2012-06-12 13:16:18.000000000 +0200
+++ new/viewvc-1.1.17/conf/viewvc.conf.dist 2012-10-24 15:29:49.000000000 +0200
@@ -391,6 +391,24 @@
 ##
 #allowed_views = annotate, diff, markup, roots
+## Comma-delimited list of MIME content types (with support for fnmatch-
+## style glob characters) which are considered not-human-readable and for
+## which ViewVC will neither generate links to, nor support the direct
+## display of, non-checkout views which carry the file's content (the
+## 'markup', 'annotate', 'diff', and 'patch' views).
+##
+## NOTE: Handling of this option is given priority over ViewVC's
+## longstanding support for showing web-friendly file formats -- even
+## binary ones such as "image/jpeg" and "image/gif" -- in the 'markup'
+## view. Thus, if you add "image/*" to this list, 'markup'-view
+## display of JPEG, GIF, and PNG images will be disabled.
+##
+## Example:
+## binary_mime_types = application/octet-stream, image/*, application/pdf,
+## application/vnd*, application/msword, audio/*
+#
+#binary_mime_types =
+
 ## authorizer: The name of the ViewVC authorizer plugin to use when
 ## authorizing access to repository contents. This value must be the
 ## name of a Python module addressable as vcauth.MODULENAME (most
@@ -561,7 +579,7 @@
 ## (Only works well for C source files, otherwise diff's heuristic falls short.)
 ## ('-p' option to diff)
 ##
-#hr_funout = 0
+#hr_funout = 1
 ## hr_ignore_white: Ignore whitespace (indendation and stuff) for human
 ## readable diffs.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/viewvc-1.1.15/lib/config.py new/viewvc-1.1.17/lib/config.py
--- old/viewvc-1.1.15/lib/config.py 2012-06-12 13:16:18.000000000 +0200
+++ new/viewvc-1.1.17/lib/config.py 2012-09-05 16:55:05.000000000 +0200
@@ -112,6 +112,7 @@
 _force_multi_value = (
 # Configuration values with multiple, comma-separated values.
 'allowed_views',
+ 'binary_mime_types',
 'custom_log_formatting',
 'cvs_roots',
 'kv_files',
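Review bot: The second conf.dist hunk flips the commented example from `#hr_funout = 0` to `#hr_funout = 1`, yet neither CHANGES nor viewvc.changes mentions any change to the human-readable-diff function-context default, so it reads as drift between the shipped template and the built-in default rather than a deliberate change. If the default in lib/config.py really moved to 1, a one-line CHANGES entry such as `* enable 'hr_funout' (diff -p function context) by default` would let packagers and admins notice; if it did not, the template value should be reverted to match lib/config.py, whose hr_funout default this page does not show. The option block this line belongs to starts before the hunk.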
@@ -401,6 +402,7 @@
 self.options.mangle_email_addresses = 0
 self.options.custom_log_formatting = []
 self.options.default_file_view = "log"
+ self.options.binary_mime_types = []
 self.options.http_expiration_time = 600
 self.options.generate_etags = 1
 self.options.svn_ignore_mimetype = 0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/viewvc-1.1.15/lib/vclib/svn/svn_ra.py new/viewvc-1.1.17/lib/vclib/svn/svn_ra.py
--- old/viewvc-1.1.15/lib/vclib/svn/svn_ra.py 2012-06-19 20:50:01.000000000 +0200
+++ new/viewvc-1.1.17/lib/vclib/svn/svn_ra.py 2012-06-22 22:23:27.000000000 +0200
@@ -313,14 +313,18 @@
 rev = self._getrev(rev)
 url = self._geturl(path)
- # Use ls3 to fetch the lock status and size (as of REV) for this item.
- lockinfo = None
- basename = path_parts and path_parts[-1] or ""
- dirents, locks = list_directory(url, _rev2optrev(rev),
- _rev2optrev(rev), 0, self.ctx)
- if locks.has_key(basename):
- lockinfo = locks[basename].owner
- size_in_rev = dirents[basename].size
+ # If this is a file, fetch the lock status and size (as of REV)
+ # for this item.
+ lockinfo = size_in_rev = None
+ if path_type == vclib.FILE:
+ basename = path_parts[-1]
+ list_url = self._geturl(self._getpath(path_parts[:-1]))
+ dirents, locks = list_directory(list_url, _rev2optrev(rev),
+ _rev2optrev(rev), 0, self.ctx)
+ if locks.has_key(basename):
+ lockinfo = locks[basename].owner
+ if dirents.has_key(basename):
+ size_in_rev = dirents[basename].size
 # Special handling for the 'svn_latest_log' scenario.
 ### FIXME: Don't like this hack. We should just introduce
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/viewvc-1.1.15/lib/viewvc.py new/viewvc-1.1.17/lib/viewvc.py
--- old/viewvc-1.1.15/lib/viewvc.py 2012-06-22 20:43:12.000000000 +0200
+++ new/viewvc-1.1.17/lib/viewvc.py 2012-10-25 15:58:00.000000000 +0200
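Review bot: In the svn_ra.py hunk `size_in_rev` can now stay `None` — both for directories and, via the new `dirents.has_key(basename)` guard, for a file missing from the parent listing at REV — where the old code always produced an integer or raised a KeyError, so callers that format or compare the size must tolerate `None`; those callers are outside the hunk, so this is worth confirming. A comment at the assignment would make the new contract explicit: `# None for directories, and for files absent from the parent listing at REV`. `path_parts[-1]` also assumes a FILE item never has empty path_parts, which the removed `path_parts and path_parts[-1] or ""` used to guard; that looks safe for files but is an assumption rather than something the hunk shows. The enclosing method starts and ends outside the hunk.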
@@ -14,7 +14,7 @@
 #
 # -----------------------------------------------------------------------
-__version__ = '1.1.15'
+__version__ = '1.1.17'
 # this comes from our library; measure the startup time
 import debug
@@ -24,6 +24,7 @@
 # standard modules that we know are in the path or builtin
 import sys
 import os
+import fnmatch
 import gzip
 import mimetypes
 import re
@@ -1017,6 +1018,15 @@
 return view_markup
 return view_checkout
+def is_binary_file_mime_type(mime_type, cfg):
+ """Return True iff MIME_TYPE is set and matches one of the binary
+ file mime type patterns in CFG."""
+ if mime_type:
+ for pattern in cfg.options.binary_mime_types:
+ if fnmatch.fnmatch(mime_type, pattern):
+ return True
+ return False
+
 def get_file_view_info(request, where, rev=None, mime_type=None, pathrev=-1):
 """Return an object holding common hrefs and a viewability flag used
 for various views of FILENAME at revision REV whose MIME type is
@@ -1077,7 +1087,12 @@
 params={'revision': rev},
 escape=1)
- prefer_markup = default_view(mime_type, request.cfg) == view_markup
+ is_binary_file = is_binary_file_mime_type(mime_type, request.cfg)
+ if is_binary_file:
+ download_text_href = annotate_href = view_href = None
+ prefer_markup = False
+ else:
+ prefer_markup = default_view(mime_type, request.cfg) == view_markup
 return _item(view_href=view_href,
 download_href=download_href,
@@ -1831,6 +1846,11 @@
 revision = None
 mime_type, encoding = calculate_mime_type(request, path, rev)
+ # Is this display blocked by 'binary_mime_types' configuration?
+ if is_binary_file_mime_type(mime_type, cfg):
+ raise debug.ViewVCException('Display of binary file content disabled '
+ 'by configuration', '403 Forbidden')
+
 # Is this a viewable image type?
 if is_viewable_image(mime_type) \
 and 'co' in cfg.options.allowed_views:
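Review bot: `fnmatch.fnmatch` in the new is_binary_file_mime_type normalizes both arguments with `os.path.normcase`, so the match is case-insensitive on Windows but case-sensitive everywhere else; MIME types are case-insensitive and a repository can carry `Image/JPEG`, so the comparison should not depend on the host OS, e.g. `if fnmatch.fnmatchcase(mime_type.lower(), pattern.lower()):`. The 403 added in the view_markup hunk is only as reliable as the type `calculate_mime_type` returns, which the hunk does not show — for Subversion that is presumably the committer-controlled svn:mime-type property — so this option is a display policy, not a security boundary against hostile content, and the docstring should say so. A fuller docstring could read `Return True iff MIME_TYPE is set and matches (case-insensitively) one of the glob patterns in cfg.options.binary_mime_types; an empty or None type never matches. The type comes from repository metadata, so this is a display policy rather than a security check.`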
@@ -2531,6 +2551,7 @@
 sortby = vclib.SORTBY_DEFAULT
 first = last = 0
+ log_pagestart = None
 if cfg.options.log_pagesize:
 log_pagestart = int(request.query_dict.get('log_pagestart', 0))
 total = cfg.options.log_pagesextra * cfg.options.log_pagesize
@@ -2654,7 +2675,8 @@
 if selected_rev != entry.rev:
 entry.sel_for_diff_href = \
 request.get_url(view_func=view_log,
- params={'r1': entry.rev},
+ params={'r1': entry.rev,
+ 'log_pagestart': log_pagestart},
 escape=1)
 if entry.prev is not None:
 entry.diff_to_prev_href = \
@@ -2795,7 +2817,9 @@
 if cfg.options.log_pagesize:
 data['log_paging_action'], data['log_paging_hidden_values'] = \
 request.get_form(params={'log_pagestart': None})
+ request.get_form(params={'log_pagestart': None,
+ 'r1': selected_rev,
+ })
 data['log_pagestart'] = int(request.query_dict.get('log_pagestart',0))
 data['entries'] = paging_sws(data, 'entries', data['log_pagestart'], 'rev', cfg.options.log_pagesize,
@@ -3061,7 +3085,7 @@
 return _item(type='header',
 line_info_left=match.group(1),
 line_info_right=match.group(2),
- line_info_extra=match.group(3))
+ line_info_extra=self._format_text(match.group(3)))
 if line[0] == '\\':
 # \ No newline at end of file
@@ -3276,6 +3300,13 @@
 query_dict = request.query_dict
 p1, p2, rev1, rev2, sym1, sym2 = setup_diff(request)
+ mime_type1, encoding1 = calculate_mime_type(request, p1, rev1)
+ mime_type2, encoding2 = calculate_mime_type(request, p2, rev2)
+ if is_binary_file_mime_type(mime_type1, cfg) or \
+ is_binary_file_mime_type(mime_type2, cfg):
+ raise debug.ViewVCException('Display of binary file content disabled '
+ 'by configuration', '403 Forbidden')
+
 # In the absence of a format dictation in the CGI params, we'll let
 # use the configured diff format, allowing 'c' to mean 'c' and
 # anything else to mean 'u'.
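Review bot: In the -3061 hunk only `match.group(3)` is now routed through `self._format_text`, while `line_info_left` and `line_info_right` (groups 1 and 2) still go out unescaped; that is safe only if the regex confines those groups to digits and commas, and the pattern sits outside the hunk, so it should be checked and, if either group can carry arbitrary bytes from the diff output, given the same escaping. The group(3) "extra" text is presumably the function context diff emits with -p (the hr_funout option), i.e. content taken from the versioned file itself, which is why it needed escaping. A comment on the returned item would record that invariant: `# group(3) is free text from the diff tool (function context) and must be escaped; groups 1-2 are expected to be numeric ranges only`. The method containing this return starts outside the hunk.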
@@ -3316,6 +3347,13 @@
 query_dict = request.query_dict
 p1, p2, rev1, rev2, sym1, sym2 = setup_diff(request)
+ mime_type1, encoding1 = calculate_mime_type(request, p1, rev1)
+ mime_type2, encoding2 = calculate_mime_type(request, p2, rev2)
+ if is_binary_file_mime_type(mime_type1, cfg) or \
+ is_binary_file_mime_type(mime_type2, cfg):
+ raise debug.ViewVCException('Display of binary file content disabled '
+ 'by configuration', '403 Forbidden')
+
 # since templates are in use and subversion allows changes to the dates,
 # we can't provide a strong etag
 if check_freshness(request, None, '%s-%s' % (rev1, rev2), weak=1):
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/viewvc-1.1.15/templates/file.ezt new/viewvc-1.1.17/templates/file.ezt
--- old/viewvc-1.1.15/templates/file.ezt 2009-09-09 16:34:55.000000000 +0200
+++ new/viewvc-1.1.17/templates/file.ezt 2012-10-24 19:01:40.000000000 +0200
@@ -9,7 +9,11 @@
 [# ------------------------------------------------------------------------- ]
 [# setup page definitions]
- [define page_title]Contents of /[where][end]
+ [is annotation "annotated"]
+ [define page_title]Annotation of /[where][end]
+ [else]
+ [define page_title]Contents of /[where][end]
+ [end]
 [define help_href][docroot]/help_rootview.html[end]
 [# end]
--
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org
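Review bot: The six-line binary check added here is a verbatim copy of the one added to the -3276 hunk on the previous line, including the unused `encoding1`/`encoding2` bindings, so the two views will drift apart the next time the message or the policy changes. Factoring it into one helper called from both places keeps a single 403 path and drops the unused names; `request.cfg` is already used for the same purpose in get_file_view_info. The view function this hunk belongs to starts outside the hunk.
```python
def _check_binary_diff(request, p1, rev1, p2, rev2):
  """Raise a 403 ViewVCException when either side of the diff has a
  MIME type matching cfg.options.binary_mime_types."""
  cfg = request.cfg
  for path, rev in ((p1, rev1), (p2, rev2)):
    mime_type, _ = calculate_mime_type(request, path, rev)
    if is_binary_file_mime_type(mime_type, cfg):
      raise debug.ViewVCException('Display of binary file content disabled '
                                  'by configuration', '403 Forbidden')

# … unchanged: in view_diff, after setup_diff() …
  _check_binary_diff(request, p1, rev1, p2, rev2)
```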