Hello community,

here is the log from the commit of package viewvc for openSUSE:Factory checked 
in at 2012-10-26 17:36:14
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/viewvc (Old)
 and      /work/SRC/openSUSE:Factory/.viewvc.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "viewvc", Maintainer is "dmuel...@suse.com"

Changes:
--------
--- /work/SRC/openSUSE:Factory/viewvc/viewvc.changes    2012-07-24 
17:22:52.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.viewvc.new/viewvc.changes       2012-10-26 
17:36:17.000000000 +0200
@@ -1,0 +2,11 @@
+Fri Oct 26 09:25:45 UTC 2012 - dmuel...@suse.com
+
+- update to 1.1.17:
+  * fix exception caused by uninitialized variable usage (issue #516)
+  * security fix: escape "extra" diff info to avoid XSS attack (issue #515)
+  * add 'binary_mime_types' configuration option and handling (issue #510)
+  * fix 'select for diffs' persistence across log pages (issue #512)
+  * remove lock status and filesize check on directories in remote SVN views
+  * fix bogus 'Annotation of' page title for non-annotated view (issue #514)
+
+-------------------------------------------------------------------

Old:
----
  viewvc-1.1.15.tar.gz

New:
----
  viewvc-1.1.17.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ viewvc.spec ++++++
--- /var/tmp/diff_new_pack.WrAC7m/_old  2012-10-26 17:36:18.000000000 +0200
+++ /var/tmp/diff_new_pack.WrAC7m/_new  2012-10-26 17:36:18.000000000 +0200
@@ -19,7 +19,7 @@
 Name:           viewvc
 BuildRequires:  apache2-devel
 BuildRequires:  python-devel
-Version:        1.1.15
+Version:        1.1.17
 Release:        0
 #
 %define        apxs    /usr/sbin/apxs2

++++++ viewvc-1.1.15.tar.gz -> viewvc-1.1.17.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/viewvc-1.1.15/CHANGES new/viewvc-1.1.17/CHANGES
--- old/viewvc-1.1.15/CHANGES   2012-06-22 20:41:47.000000000 +0200
+++ new/viewvc-1.1.17/CHANGES   2012-10-25 15:48:46.000000000 +0200
@@ -1,3 +1,15 @@
+Version 1.1.17 (released 25-Oct-2012)
+
+  * fix exception caused by uninitialized variable usage (issue #516)
+
+Version 1.1.16 (released 24-Oct-2012)
+
+  * security fix: escape "extra" diff info to avoid XSS attack (issue #515)
+  * add 'binary_mime_types' configuration option and handling (issue #510)
+  * fix 'select for diffs' persistence across log pages (issue #512)
+  * remove lock status and filesize check on directories in remote SVN views
+  * fix bogus 'Annotation of' page title for non-annotated view (issue #514)
+
 Version 1.1.15 (released 22-Jun-2012)
 
   * security fix: complete authz support for remote SVN views (issue #353)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/viewvc-1.1.15/conf/viewvc.conf.dist 
new/viewvc-1.1.17/conf/viewvc.conf.dist
--- old/viewvc-1.1.15/conf/viewvc.conf.dist     2012-06-12 13:16:18.000000000 
+0200
+++ new/viewvc-1.1.17/conf/viewvc.conf.dist     2012-10-24 15:29:49.000000000 
+0200
@@ -391,6 +391,24 @@
 ##
 #allowed_views = annotate, diff, markup, roots
 
+## Comma-delimited list of MIME content types (with support for fnmatch-
+## style glob characters) which are considered not-human-readable and for
+## which ViewVC will neither generate links to, nor support the direct
+## display of, non-checkout views which carry the file's content (the
+## 'markup', 'annotate', 'diff', and 'patch' views).
+##
+## NOTE: Handling of this option is given priority over ViewVC's
+## longstanding support for showing web-friendly file formats -- even
+## binary ones such as "image/jpeg" and "image/gif" -- in the 'markup'
+## view.  Thus, if you add "image/*" to this list, 'markup'-view
+## display of JPEG, GIF, and PNG images will be disabled.
+##
+## Example:
+## binary_mime_types = application/octet-stream, image/*, application/pdf, 
+##                     application/vnd*, application/msword, audio/*
+#
+#binary_mime_types =
+
 ## authorizer: The name of the ViewVC authorizer plugin to use when
 ## authorizing access to repository contents.  This value must be the
 ## name of a Python module addressable as vcauth.MODULENAME (most
@@ -561,7 +579,7 @@
 ## (Only works well for C source files, otherwise diff's heuristic falls 
short.)
 ## ('-p' option to diff)
 ##
-#hr_funout = 0
+#hr_funout = 1
 
 ## hr_ignore_white: Ignore whitespace (indendation and stuff) for human
 ## readable diffs.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/viewvc-1.1.15/lib/config.py 
new/viewvc-1.1.17/lib/config.py
--- old/viewvc-1.1.15/lib/config.py     2012-06-12 13:16:18.000000000 +0200
+++ new/viewvc-1.1.17/lib/config.py     2012-09-05 16:55:05.000000000 +0200
@@ -112,6 +112,7 @@
   _force_multi_value = (
     # Configuration values with multiple, comma-separated values.
     'allowed_views',
+    'binary_mime_types',
     'custom_log_formatting',
     'cvs_roots',
     'kv_files',
@@ -401,6 +402,7 @@
     self.options.mangle_email_addresses = 0
     self.options.custom_log_formatting = []
     self.options.default_file_view = "log"
+    self.options.binary_mime_types = []
     self.options.http_expiration_time = 600
     self.options.generate_etags = 1
     self.options.svn_ignore_mimetype = 0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/viewvc-1.1.15/lib/vclib/svn/svn_ra.py 
new/viewvc-1.1.17/lib/vclib/svn/svn_ra.py
--- old/viewvc-1.1.15/lib/vclib/svn/svn_ra.py   2012-06-19 20:50:01.000000000 
+0200
+++ new/viewvc-1.1.17/lib/vclib/svn/svn_ra.py   2012-06-22 22:23:27.000000000 
+0200
@@ -313,14 +313,18 @@
     rev = self._getrev(rev)
     url = self._geturl(path)
 
-    # Use ls3 to fetch the lock status and size (as of REV) for this item.
-    lockinfo = None
-    basename = path_parts and path_parts[-1] or ""
-    dirents, locks = list_directory(url, _rev2optrev(rev),
-                                    _rev2optrev(rev), 0, self.ctx)
-    if locks.has_key(basename):
-      lockinfo = locks[basename].owner
-    size_in_rev = dirents[basename].size
+    # If this is a file, fetch the lock status and size (as of REV)
+    # for this item.
+    lockinfo = size_in_rev = None
+    if path_type == vclib.FILE:
+      basename = path_parts[-1]
+      list_url = self._geturl(self._getpath(path_parts[:-1]))
+      dirents, locks = list_directory(list_url, _rev2optrev(rev),
+                                      _rev2optrev(rev), 0, self.ctx)
+      if locks.has_key(basename):
+        lockinfo = locks[basename].owner
+      if dirents.has_key(basename):
+        size_in_rev = dirents[basename].size
     
     # Special handling for the 'svn_latest_log' scenario.
     ### FIXME: Don't like this hack.  We should just introduce
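Review bot: `size_in_rev` is now None for every directory and also for a file whose parent listing has no entry for `basename`, but nothing in the hunk says that None means "unknown". The code that consumes `size_in_rev` and `lockinfo` lies outside the hunk, so confirm it tolerates None instead of formatting it as a number. I would add a comment above the assignment, for example `# None means "not fetched": directories, or a file absent from its parent's listing`. The old `path_parts and path_parts[-1] or ""` guard is gone, so `path_parts[-1]` now relies on the `vclib.FILE` check to guarantee a non-empty path, which seems safe but deserves a word in the comment.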
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/viewvc-1.1.15/lib/viewvc.py 
new/viewvc-1.1.17/lib/viewvc.py
--- old/viewvc-1.1.15/lib/viewvc.py     2012-06-22 20:43:12.000000000 +0200
+++ new/viewvc-1.1.17/lib/viewvc.py     2012-10-25 15:58:00.000000000 +0200
@@ -14,7 +14,7 @@
 #
 # -----------------------------------------------------------------------
 
-__version__ = '1.1.15'
+__version__ = '1.1.17'
 
 # this comes from our library; measure the startup time
 import debug
@@ -24,6 +24,7 @@
 # standard modules that we know are in the path or builtin
 import sys
 import os
+import fnmatch
 import gzip
 import mimetypes
 import re
@@ -1017,6 +1018,15 @@
     return view_markup
   return view_checkout
 
+def is_binary_file_mime_type(mime_type, cfg):
+  """Return True iff MIME_TYPE is set and matches one of the binary
+  file mime type patterns in CFG."""
+  if mime_type:
+    for pattern in cfg.options.binary_mime_types:
+      if fnmatch.fnmatch(mime_type, pattern):
+        return True
+  return False
+  
 def get_file_view_info(request, where, rev=None, mime_type=None, pathrev=-1):
   """Return an object holding common hrefs and a viewability flag used
   for various views of FILENAME at revision REV whose MIME type is
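Review bot: The match in `is_binary_file_mime_type` depends on `fnmatch.fnmatch`, which normalises case per platform and is case-sensitive on POSIX, while MIME type names are case-insensitive. If the type can come from repository metadata (for example an `svn:mime-type` property), a value spelled `Image/JPEG` would not match a configured `image/*` and the block would not apply. I would compare normalised values with `if fnmatch.fnmatchcase(mime_type.lower(), pattern.strip().lower()):`, which also makes the behaviour the same on every platform. The docstring should also state that an empty or undetermined MIME type is treated as not binary, meaning the restriction fails open for files whose type cannot be worked out.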
@@ -1077,7 +1087,12 @@
                                     params={'revision': rev},
                                     escape=1)
 
-  prefer_markup = default_view(mime_type, request.cfg) == view_markup
+  is_binary_file = is_binary_file_mime_type(mime_type, request.cfg)
+  if is_binary_file:
+    download_text_href = annotate_href = view_href = None
+    prefer_markup = False
+  else:
+    prefer_markup = default_view(mime_type, request.cfg) == view_markup
 
   return _item(view_href=view_href,
                download_href=download_href,
@@ -1831,6 +1846,11 @@
   revision = None
   mime_type, encoding = calculate_mime_type(request, path, rev)
 
+  # Is this display blocked by 'binary_mime_types' configuration?
+  if is_binary_file_mime_type(mime_type, cfg):
+    raise debug.ViewVCException('Display of binary file content disabled '
+                                'by configuration', '403 Forbidden')
+    
   # Is this a viewable image type?
   if is_viewable_image(mime_type) \
      and 'co' in cfg.options.allowed_views:
@@ -2531,6 +2551,7 @@
       sortby = vclib.SORTBY_DEFAULT
 
   first = last = 0
+  log_pagestart = None
   if cfg.options.log_pagesize:
     log_pagestart = int(request.query_dict.get('log_pagestart', 0))
     total = cfg.options.log_pagesextra * cfg.options.log_pagesize
@@ -2654,7 +2675,8 @@
     if selected_rev != entry.rev:
       entry.sel_for_diff_href = \
         request.get_url(view_func=view_log,
-                        params={'r1': entry.rev},
+                        params={'r1': entry.rev,
+                                'log_pagestart': log_pagestart},
                         escape=1)
     if entry.prev is not None:
       entry.diff_to_prev_href = \
@@ -2795,7 +2817,9 @@
 
   if cfg.options.log_pagesize:
     data['log_paging_action'], data['log_paging_hidden_values'] = \
-      request.get_form(params={'log_pagestart': None})
+      request.get_form(params={'log_pagestart': None,
+                               'r1': selected_rev,
+                               })
     data['log_pagestart'] = int(request.query_dict.get('log_pagestart',0))
     data['entries'] = paging_sws(data, 'entries', data['log_pagestart'],
                                  'rev', cfg.options.log_pagesize,
@@ -3061,7 +3085,7 @@
       return _item(type='header',
                    line_info_left=match.group(1),
                    line_info_right=match.group(2),
-                   line_info_extra=match.group(3))
+                   line_info_extra=self._format_text(match.group(3)))
     
     if line[0] == '\\':
       # \ No newline at end of file
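Review bot: Only `line_info_extra` is routed through `self._format_text()` here, while `line_info_left` and `line_info_right` still carry `match.group(1)` and `match.group(2)` unescaped. The regular expression is outside the hunk, so this is fine only if those two groups are limited to line-number characters, and a comment should say so. I would also record why the third group needs escaping, for example `# group(3) is text taken from the file by diff, so it is untrusted; escape before templating`. The same commit changes the documented `hr_funout` example in viewvc.conf.dist from 0 to 1, which presumably makes this header text appear more often, so a regression test with markup characters in the hunk header would be worth adding. The enclosing method starts and ends outside the hunk.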
@@ -3276,6 +3300,13 @@
   query_dict = request.query_dict
   p1, p2, rev1, rev2, sym1, sym2 = setup_diff(request)
 
+  mime_type1, encoding1 = calculate_mime_type(request, p1, rev1)
+  mime_type2, encoding2 = calculate_mime_type(request, p2, rev2)
+  if is_binary_file_mime_type(mime_type1, cfg) or \
+     is_binary_file_mime_type(mime_type2, cfg):
+    raise debug.ViewVCException('Display of binary file content disabled '
+                                'by configuration', '403 Forbidden')
+
   # In the absence of a format dictation in the CGI params, we'll let
   # use the configured diff format, allowing 'c' to mean 'c' and
   # anything else to mean 'u'.
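Review bot: The same binary-type guard is pasted verbatim into two diff views, this hunk and the one at `@@ -3316,6 +3347,13 @@`, so a later change to the policy or the message has to be made in both places. The `encoding1` and `encoding2` values are not used inside either hunk. I would move the check into one small helper that takes a path and a revision, and call it twice after `setup_diff(request)` in each view. Keeping the call ahead of `check_freshness` in the second view is the right order, since a blocked request should get the 403 and not a cached response. Both function bodies start and end outside the hunks.

```python
def _deny_if_binary(request, path, rev):
  """Raise a 403 ViewVCException if PATH at REV has a MIME type that
  matches the 'binary_mime_types' option."""
  mime_type, _ = calculate_mime_type(request, path, rev)
  if is_binary_file_mime_type(mime_type, request.cfg):
    raise debug.ViewVCException('Display of binary file content disabled '
                                'by configuration', '403 Forbidden')

# ... unchanged: query_dict lookup and setup_diff(request) in each diff view ...
  _deny_if_binary(request, p1, rev1)
  _deny_if_binary(request, p2, rev2)
```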
@@ -3316,6 +3347,13 @@
   query_dict = request.query_dict
   p1, p2, rev1, rev2, sym1, sym2 = setup_diff(request)
   
+  mime_type1, encoding1 = calculate_mime_type(request, p1, rev1)
+  mime_type2, encoding2 = calculate_mime_type(request, p2, rev2)
+  if is_binary_file_mime_type(mime_type1, cfg) or \
+     is_binary_file_mime_type(mime_type2, cfg):
+    raise debug.ViewVCException('Display of binary file content disabled '
+                                'by configuration', '403 Forbidden')
+
   # since templates are in use and subversion allows changes to the dates,
   # we can't provide a strong etag
   if check_freshness(request, None, '%s-%s' % (rev1, rev2), weak=1):
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/viewvc-1.1.15/templates/file.ezt 
new/viewvc-1.1.17/templates/file.ezt
--- old/viewvc-1.1.15/templates/file.ezt        2009-09-09 16:34:55.000000000 
+0200
+++ new/viewvc-1.1.17/templates/file.ezt        2012-10-24 19:01:40.000000000 
+0200
@@ -9,7 +9,11 @@
 [# ------------------------------------------------------------------------- ]
 
 [# setup page definitions]
-  [define page_title]Contents of /[where][end]
+  [is annotation "annotated"]
+    [define page_title]Annotation of /[where][end]
+  [else]
+    [define page_title]Contents of /[where][end]
+  [end]
   [define help_href][docroot]/help_rootview.html[end]
 [# end]
 
