[gentoo-commits] repo/gentoo:master commit in: www-apps/websvn/, www-apps/websvn/files/, profiles/

[Jakov Smolić]

commit: 35123aec38bbe8638bdfd2c6606b65fdd25a04b6
Author: Jakov Smolić  gentoo  org>
AuthorDate: Sat Dec 11 16:09:17 2021 +
Commit: Jakov Smolić  gentoo  org>
CommitDate: Sat Dec 11 16:09:17 2021 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=35123aec

www-apps/websvn: treeclean

Closes: https://bugs.gentoo.org/672352
Bug: https://bugs.gentoo.org/794511
Signed-off-by: Jakov Smolić  gentoo.org>

 profiles/package.mask  |  5 --
 www-apps/websvn/Manifest   |  1 -
 .../websvn/files/13_security_CVE-2013-6892.patch   | 39 --
 www-apps/websvn/files/30_CVE-2016-2511.patch   | 11 
 www-apps/websvn/files/31_CVE-2016-1236.patch   | 61 --
 www-apps/websvn/metadata.xml   | 13 -
 www-apps/websvn/websvn-2.3.3-r1.ebuild | 53 ---
 7 files changed, 183 deletions(-)

diff --git a/profiles/package.mask b/profiles/package.mask
index 15b0289eead3..fc05bf0806df 100644
--- a/profiles/package.mask
+++ b/profiles/package.mask
@@ -389,11 +389,6 @@ dev-java/trident
 dev-java/okio
 dev-java/moshi
 
-# John Helmert III  (2021-11-12)
-# Unfixed code execution bug, unmaintained in Gentoo.
-# Removal on 2021-12-11, bugs #672352, #794511.
-www-apps/websvn
-
 # Mart Raudsepp  (2021-11-11)
 # Needs testing to ensure valac-0.54 works for existing packages
 >=dev-libs/vala-common-0.53

diff --git a/www-apps/websvn/Manifest b/www-apps/websvn/Manifest
deleted file mode 100644
index e7b9173421a2..
--- a/www-apps/websvn/Manifest
+++ /dev/null
@@ -1 +0,0 @@
-DIST websvn-2.3.3.tar.gz 882779 BLAKE2B 
e851bdd8cf42c34202c8416b5f63d0b4b6731f082d1103eaf21689bd65ddb11d8ed2d9d1a8e476d2c342db9b59bc7dea37ae0c9eb929a8c8298dfa3965da34ce
 SHA512 
8c77a9770dfc3c9487793cd71c460d4048aa4aa7b8520a53eea8ae872f30e06d885f849d63fa0e9f61ed5923f9dd9c5ef1f3c4f020afaa83d7815a99d64818a0

diff --git a/www-apps/websvn/files/13_security_CVE-2013-6892.patch 
b/www-apps/websvn/files/13_security_CVE-2013-6892.patch
deleted file mode 100644
index ffb14e84aa11..
--- a/www-apps/websvn/files/13_security_CVE-2013-6892.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-Arbitrary files with a known path can be accessed in websvn by committing a
-symlink to a repository and then downloading the file (using the download
-link).
-
-Author: Thijs Kinkhorst 
-
-https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775682
-
-diff -ur oud/dl.php nieuw/dl.php
 oud/dl.php 2015-01-18 16:03:30.688791512 +0100
-+++ nieuw/dl.php   2015-01-18 16:27:00.950897749 +0100
-@@ -137,6 +137,18 @@
-   exit(0);
-   }
- 
-+  // For security reasons, disallow direct downloads of filenames that
-+  // are a symlink, since they may be a symlink to anywhere (/etc/passwd)
-+  // Deciding whether the symlink is relative and legal within the
-+  // repository would be nice but seems to error prone at this moment.
-+  if ( is_link($tempDir.DIRECTORY_SEPARATOR.$archiveName) ) {
-+  header('HTTP/1.x 500 Internal Server Error', true, 500);
-+  error_log('to be downloaded file is symlink, aborting: 
'.$archiveName);
-+  print 'Download of symlinks disallowed: 
"'.xml_entities($archiveName).'".';
-+  removeDirectory($tempDir);
-+  exit(0);
-+  }
-+
-   // Set timestamp of exported directory (and subdirectories) to 
timestamp of
-   // the revision so every archive of a given revision has the same 
timestamp.
-   $revDate = $logEntry->date;
-@@ -180,7 +192,7 @@
-   $downloadMimeType = 'application/x-zip';
-   $downloadArchive .= '.zip';
-   // Create zip file
--  $cmd = $config->zip.' -r '.quote($downloadArchive).' 
'.quote($archiveName);
-+  $cmd = $config->zip.' --symlinks -r '.quote($downloadArchive).' 
'.quote($archiveName);
-   execCommand($cmd, $retcode);
-   if ($retcode != 0) {
-   error_log('Unable to call zip command: '.$cmd);

diff --git a/www-apps/websvn/files/30_CVE-2016-2511.patch 
b/www-apps/websvn/files/30_CVE-2016-2511.patch
deleted file mode 100644
index 9c270bbc4582..
--- a/www-apps/websvn/files/30_CVE-2016-2511.patch
+++ /dev/null
@@ -1,11 +0,0 @@
 orig/include/setup.php 2016-02-19 16:02:05.674756241 +0100
-+++ new/include/setup.php  2016-02-19 16:02:10.166832543 +0100
-@@ -467,7 +467,7 @@
- $vars['validationurl'] = 
getFullURL($_SERVER['SCRIPT_NAME']).'?'.buildQuery($queryParams + 
array('template' => $template, 'language' => $language), '%26');
- 
- // To avoid a possible XSS exploit, need to clean up the passed-in path first
--$path = !empty($_REQUEST['path']) ? $_REQUEST['path'] : null;
-+$path = !empty($_REQUEST['path']) ? escape($_REQUEST['path']) : null;
- if ($path === null || $path === '')
-   $path = '/';
- $vars['safepath'] = escape($path);

diff --git 

[gentoo-commits] repo/gentoo:master commit in: www-apps/websvn/

[Sam James]

commit: 5153f7feef7cba5dd3de9b254ee1f7f0139021ba
Author: Sam James  gentoo  org>
AuthorDate: Sun Jan 10 22:14:10 2021 +
Commit: Sam James  gentoo  org>
CommitDate: Sun Jan 10 22:27:51 2021 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5153f7fe

www-apps/websvn: mark ALLARCHES

Package-Manager: Portage-3.0.12, Repoman-3.0.2
Signed-off-by: Sam James  gentoo.org>

 www-apps/websvn/metadata.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/www-apps/websvn/metadata.xml b/www-apps/websvn/metadata.xml
index b925333babf..6acd325f386 100644
--- a/www-apps/websvn/metadata.xml
+++ b/www-apps/websvn/metadata.xml
@@ -5,6 +5,7 @@
web-a...@gentoo.org
Gentoo Webapps

+   

Add enscript support to colorize code
stored in the repository

[gentoo-commits] repo/gentoo:master commit in: www-apps/websvn/

[Michał Górny]

commit: 4da6387ff82c57eb97f10c7ec1edbb6dbb45b457
Author: Michał Górny  gentoo  org>
AuthorDate: Tue Nov 13 11:41:24 2018 +
Commit: Michał Górny  gentoo  org>
CommitDate: Wed Nov 28 09:58:23 2018 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4da6387f

www-apps/websvn: Make USE=enscript a local flag

Signed-off-by: Michał Górny  gentoo.org>

 www-apps/websvn/metadata.xml | 4 
 1 file changed, 4 insertions(+)

diff --git a/www-apps/websvn/metadata.xml b/www-apps/websvn/metadata.xml
index 23492929dea..bcf1012b79d 100644
--- a/www-apps/websvn/metadata.xml
+++ b/www-apps/websvn/metadata.xml
@@ -5,6 +5,10 @@
web-a...@gentoo.org
Gentoo Webapps

+   
+   Add enscript support to colorize code
+   stored in the repository
+   

Web based Subversion repository browser written in PHP

[gentoo-commits] repo/gentoo:master commit in: www-apps/websvn/

[Aaron Bauman]

commit: 804196e1f28457f9538c4b234b43e21befb83dcf
Author: Aaron Bauman  gentoo  org>
AuthorDate: Mon Jan 16 04:37:29 2017 +
Commit: Aaron Bauman  gentoo  org>
CommitDate: Mon Jan 16 04:37:29 2017 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=804196e1

www-apps/websvn: security cleanup wrt bug #552684

Package-Manager: portage-2.3.0

 www-apps/websvn/Manifest|  1 -
 www-apps/websvn/websvn-2.3.2.ebuild | 54 -
 2 files changed, 55 deletions(-)

diff --git a/www-apps/websvn/Manifest b/www-apps/websvn/Manifest
index c23ef53..d275104 100644
--- a/www-apps/websvn/Manifest
+++ b/www-apps/websvn/Manifest
@@ -1,2 +1 @@
-DIST websvn-2.3.2.tar.gz 846511 SHA256 
d2e6e65c1ca8c51e036b2229f144fe22cd13c005a080326a99eef48453855bdc SHA512 
fd5b902c8d9c518ca5800e259fdc4d3f0e59753db8efb63fc91baea4dae6ca3a537f04b70e928427e07da9868855826686e094885b671cf578b7f50e8da39df3
 WHIRLPOOL 
25478ae264ecd7c13d02eea8fbadf1c856b078961ce56647036c0cc5ce8b2d0187a973f13c05f1f7ca9a76200827f09e1a71e5502f0a158b987d5e8bc08b481b
 DIST websvn-2.3.3.tar.gz 882779 SHA256 
67d5cb7ffb087f8a92e3dcad10f16612baac4d15a60d659aa8b6e06200ac8742 SHA512 
8c77a9770dfc3c9487793cd71c460d4048aa4aa7b8520a53eea8ae872f30e06d885f849d63fa0e9f61ed5923f9dd9c5ef1f3c4f020afaa83d7815a99d64818a0
 WHIRLPOOL 
efd59ddbe6a84d2b0bce9286271627e485c77b93dd0ad998ecaa4bad8bfb246f62508c3e1d6183194b9f64313f223bb44fc8d8fdf0c1f176efb808b3cbf7e7d9

diff --git a/www-apps/websvn/websvn-2.3.2.ebuild 
b/www-apps/websvn/websvn-2.3.2.ebuild
deleted file mode 100644
index f6cb952..
--- a/www-apps/websvn/websvn-2.3.2.ebuild
+++ /dev/null
@@ -1,54 +0,0 @@
-# Copyright 1999-2016 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI="2"
-
-inherit eutils webapp
-
-MY_P="${P//_/}"
-
-DESCRIPTION="Web-based browsing tool for Subversion (SVN) repositories in PHP"
-HOMEPAGE="http://www.websvn.info/ http://websvn.tigris.org/;
-DOWNLOAD_NUMBER="48737"
-SRC_URI="http://websvn.tigris.org/files/documents/1380/${DOWNLOAD_NUMBER}/${MY_P}.tar.gz;
-
-LICENSE="GPL-2"
-IUSE="enscript"
-KEYWORDS="amd64 ppc ppc64 ~sparc x86"
-
-DEPEND="virtual/httpd-php"
-RDEPEND="dev-vcs/subversion
-   enscript? ( app-text/enscript )
-   virtual/httpd-php"
-RESTRICT="mirror"
-
-need_httpd_cgi
-
-S="${WORKDIR}/${MY_P}"
-
-pkg_setup() {
-   webapp_pkg_setup
-   has_php
-   require_php_with_use xml
-}
-
-src_install() {
-   webapp_src_preinst
-
-   mv include/{dist,}config.php
-
-   dodoc changes.txt || die "dodoc failed"
-   dohtml doc/* || die "dohtml failed"
-   rm -rf license.txt changes.txt doc/
-
-   insinto "${MY_HTDOCSDIR}"
-   doins -r . || die "doins failed"
-
-   webapp_configfile "${MY_HTDOCSDIR}"/include/config.php
-   webapp_configfile "${MY_HTDOCSDIR}"/wsvn.php
-
-   webapp_serverowned "${MY_HTDOCSDIR}"/cache
-
-   webapp_src_install
-}

[gentoo-commits] repo/gentoo:master commit in: www-apps/websvn/

[Jeroen Roovers]

commit: b57cf7f122206d924675cbf201d9fc3a1cbcba49
Author: Jeroen Roovers  gentoo  org>
AuthorDate: Fri Nov  4 13:19:11 2016 +
Commit: Jeroen Roovers  gentoo  org>
CommitDate: Fri Nov  4 13:19:11 2016 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b57cf7f1

www-apps/websvn: Stable for PPC64 (bug #552684).

Package-Manager: portage-2.3.2
RepoMan-Options: --ignore-arches

 www-apps/websvn/websvn-2.3.3-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www-apps/websvn/websvn-2.3.3-r1.ebuild 
b/www-apps/websvn/websvn-2.3.3-r1.ebuild
index 0b5b357..f0cd0dc 100644
--- a/www-apps/websvn/websvn-2.3.3-r1.ebuild
+++ b/www-apps/websvn/websvn-2.3.3-r1.ebuild
@@ -15,7 +15,7 @@ 
SRC_URI="http://websvn.tigris.org/files/documents/1380/${DOWNLOAD_NUMBER}/${MY_P
 
 LICENSE="GPL-2"
 IUSE="enscript"
-KEYWORDS="amd64 ~ppc ~ppc64 ~sparc x86"
+KEYWORDS="amd64 ~ppc ppc64 ~sparc x86"
 
 DEPEND=""
 RDEPEND="dev-lang/php:*[xml]

[gentoo-commits] repo/gentoo:master commit in: www-apps/websvn/

[Agostino Sarubbo]

commit: 7c747d5c999150159d3f722de58d9932ee63ef14
Author: Agostino Sarubbo  gentoo  org>
AuthorDate: Wed Oct 26 10:13:23 2016 +
Commit: Agostino Sarubbo  gentoo  org>
CommitDate: Wed Oct 26 10:13:23 2016 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7c747d5c

www-apps/websvn: x86 stable wrt bug #552684

Package-Manager: portage-2.3.0
RepoMan-Options: --include-arches="x86"
Signed-off-by: Agostino Sarubbo  gentoo.org>

 www-apps/websvn/websvn-2.3.3-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www-apps/websvn/websvn-2.3.3-r1.ebuild 
b/www-apps/websvn/websvn-2.3.3-r1.ebuild
index 676b7db..0b5b357 100644
--- a/www-apps/websvn/websvn-2.3.3-r1.ebuild
+++ b/www-apps/websvn/websvn-2.3.3-r1.ebuild
@@ -15,7 +15,7 @@ 
SRC_URI="http://websvn.tigris.org/files/documents/1380/${DOWNLOAD_NUMBER}/${MY_P
 
 LICENSE="GPL-2"
 IUSE="enscript"
-KEYWORDS="amd64 ~ppc ~ppc64 ~sparc ~x86"
+KEYWORDS="amd64 ~ppc ~ppc64 ~sparc x86"
 
 DEPEND=""
 RDEPEND="dev-lang/php:*[xml]

[gentoo-commits] repo/gentoo:master commit in: www-apps/websvn/

[Agostino Sarubbo]

commit: 5aab8e3bb2a9e33a873899754c2c5355749d676f
Author: Agostino Sarubbo  gentoo  org>
AuthorDate: Wed Oct 26 10:12:23 2016 +
Commit: Agostino Sarubbo  gentoo  org>
CommitDate: Wed Oct 26 10:12:23 2016 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5aab8e3b

www-apps/websvn: amd64 stable wrt bug #552684

Package-Manager: portage-2.3.0
RepoMan-Options: --include-arches="amd64"
Signed-off-by: Agostino Sarubbo  gentoo.org>

 www-apps/websvn/websvn-2.3.3-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www-apps/websvn/websvn-2.3.3-r1.ebuild 
b/www-apps/websvn/websvn-2.3.3-r1.ebuild
index 27275ad..676b7db 100644
--- a/www-apps/websvn/websvn-2.3.3-r1.ebuild
+++ b/www-apps/websvn/websvn-2.3.3-r1.ebuild
@@ -15,7 +15,7 @@ 
SRC_URI="http://websvn.tigris.org/files/documents/1380/${DOWNLOAD_NUMBER}/${MY_P
 
 LICENSE="GPL-2"
 IUSE="enscript"
-KEYWORDS="~amd64 ~ppc ~ppc64 ~sparc ~x86"
+KEYWORDS="amd64 ~ppc ~ppc64 ~sparc ~x86"
 
 DEPEND=""
 RDEPEND="dev-lang/php:*[xml]

[gentoo-commits] repo/gentoo:master commit in: www-apps/websvn/

[Brian Evans]

commit: 64a932e34afd0526899980ba45fd887e0c4cf813
Author: Brian Evans  gentoo  org>
AuthorDate: Mon Aug 15 13:02:05 2016 +
Commit: Brian Evans  gentoo  org>
CommitDate: Mon Aug 15 13:02:05 2016 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=64a932e3

www-apps/websvn: Drop depend.php eclass and insert the DEPENDs it added

This effectively does not change the vdb as the DEPEND and RDEPEND values
are the same as they were previously

Package-Manager: portage-2.3.0

 www-apps/websvn/websvn-2.3.2.ebuild | 10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/www-apps/websvn/websvn-2.3.2.ebuild 
b/www-apps/websvn/websvn-2.3.2.ebuild
index b01c38a..f6cb952 100644
--- a/www-apps/websvn/websvn-2.3.2.ebuild
+++ b/www-apps/websvn/websvn-2.3.2.ebuild
@@ -1,10 +1,10 @@
-# Copyright 1999-2011 Gentoo Foundation
+# Copyright 1999-2016 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 # $Id$
 
 EAPI="2"
 
-inherit depend.php eutils webapp
+inherit eutils webapp
 
 MY_P="${P//_/}"
 
@@ -17,13 +17,13 @@ LICENSE="GPL-2"
 IUSE="enscript"
 KEYWORDS="amd64 ppc ppc64 ~sparc x86"
 
-DEPEND=""
+DEPEND="virtual/httpd-php"
 RDEPEND="dev-vcs/subversion
-   enscript? ( app-text/enscript )"
+   enscript? ( app-text/enscript )
+   virtual/httpd-php"
 RESTRICT="mirror"
 
 need_httpd_cgi
-need_php_httpd
 
 S="${WORKDIR}/${MY_P}"
 

[gentoo-commits] repo/gentoo:master commit in: www-apps/websvn/

[Brian Evans]

commit: 035bbc024415e995d8ffb968a547dc28ca1cccf8
Author: Brian Evans  gentoo  org>
AuthorDate: Thu Aug 11 18:25:15 2016 +
Commit: Brian Evans  gentoo  org>
CommitDate: Thu Aug 11 18:26:32 2016 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=035bbc02

www-apps/websvn: Drop old

Package-Manager: portage-2.3.0

 www-apps/websvn/websvn-2.3.3.ebuild | 54 -
 1 file changed, 54 deletions(-)

diff --git a/www-apps/websvn/websvn-2.3.3.ebuild 
b/www-apps/websvn/websvn-2.3.3.ebuild
deleted file mode 100644
index f49970f..000
--- a/www-apps/websvn/websvn-2.3.3.ebuild
+++ /dev/null
@@ -1,54 +0,0 @@
-# Copyright 1999-2012 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI="2"
-
-inherit depend.php eutils webapp
-
-MY_P="${P//_/}"
-
-DESCRIPTION="Web-based browsing tool for Subversion (SVN) repositories in PHP"
-HOMEPAGE="http://www.websvn.info/ http://websvn.tigris.org/;
-DOWNLOAD_NUMBER="49056"
-SRC_URI="http://websvn.tigris.org/files/documents/1380/${DOWNLOAD_NUMBER}/${MY_P}.tar.gz;
-
-LICENSE="GPL-2"
-IUSE="enscript"
-KEYWORDS="~amd64 ~ppc ~ppc64 ~sparc ~x86"
-
-DEPEND=""
-RDEPEND="dev-vcs/subversion
-   enscript? ( app-text/enscript )"
-RESTRICT="mirror"
-
-need_httpd_cgi
-need_php_httpd
-
-S="${WORKDIR}/${MY_P}"
-
-pkg_setup() {
-   webapp_pkg_setup
-   has_php
-   require_php_with_use xml
-}
-
-src_install() {
-   webapp_src_preinst
-
-   mv include/{dist,}config.php
-
-   dodoc changes.txt || die "dodoc failed"
-   dohtml doc/* || die "dohtml failed"
-   rm -rf license.txt changes.txt doc/
-
-   insinto "${MY_HTDOCSDIR}"
-   doins -r . || die "doins failed"
-
-   webapp_configfile "${MY_HTDOCSDIR}"/include/config.php
-   webapp_configfile "${MY_HTDOCSDIR}"/wsvn.php
-
-   webapp_serverowned "${MY_HTDOCSDIR}"/cache
-
-   webapp_src_install
-}

[gentoo-commits] repo/gentoo:master commit in: www-apps/websvn/files/, www-apps/websvn/

[Brian Evans]

commit: 196fa9022f136bcbd82ab6f52a8d4c617b0603d6
Author: Brian Evans  gentoo  org>
AuthorDate: Thu Aug 11 18:21:29 2016 +
Commit: Brian Evans  gentoo  org>
CommitDate: Thu Aug 11 18:26:27 2016 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=196fa902

www-apps/websvn: Non-maintainer security revision bump and EAPI cleanup

Remove the deprecated depend.php wrt bug 552838
Include Debian security patches wrt bug 552684, bug 575486, and bug 582234

Package-Manager: portage-2.3.0

 .../websvn/files/13_security_CVE-2013-6892.patch   | 39 ++
 www-apps/websvn/files/30_CVE-2016-2511.patch   | 11 
 www-apps/websvn/files/31_CVE-2016-1236.patch   | 61 ++
 www-apps/websvn/websvn-2.3.3-r1.ebuild | 54 +++
 4 files changed, 165 insertions(+)

diff --git a/www-apps/websvn/files/13_security_CVE-2013-6892.patch 
b/www-apps/websvn/files/13_security_CVE-2013-6892.patch
new file mode 100644
index 000..ffb14e8
--- /dev/null
+++ b/www-apps/websvn/files/13_security_CVE-2013-6892.patch
@@ -0,0 +1,39 @@
+Arbitrary files with a known path can be accessed in websvn by committing a
+symlink to a repository and then downloading the file (using the download
+link).
+
+Author: Thijs Kinkhorst 
+
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775682
+
+diff -ur oud/dl.php nieuw/dl.php
+--- oud/dl.php 2015-01-18 16:03:30.688791512 +0100
 nieuw/dl.php   2015-01-18 16:27:00.950897749 +0100
+@@ -137,6 +137,18 @@
+   exit(0);
+   }
+ 
++  // For security reasons, disallow direct downloads of filenames that
++  // are a symlink, since they may be a symlink to anywhere (/etc/passwd)
++  // Deciding whether the symlink is relative and legal within the
++  // repository would be nice but seems to error prone at this moment.
++  if ( is_link($tempDir.DIRECTORY_SEPARATOR.$archiveName) ) {
++  header('HTTP/1.x 500 Internal Server Error', true, 500);
++  error_log('to be downloaded file is symlink, aborting: 
'.$archiveName);
++  print 'Download of symlinks disallowed: 
"'.xml_entities($archiveName).'".';
++  removeDirectory($tempDir);
++  exit(0);
++  }
++
+   // Set timestamp of exported directory (and subdirectories) to 
timestamp of
+   // the revision so every archive of a given revision has the same 
timestamp.
+   $revDate = $logEntry->date;
+@@ -180,7 +192,7 @@
+   $downloadMimeType = 'application/x-zip';
+   $downloadArchive .= '.zip';
+   // Create zip file
+-  $cmd = $config->zip.' -r '.quote($downloadArchive).' 
'.quote($archiveName);
++  $cmd = $config->zip.' --symlinks -r '.quote($downloadArchive).' 
'.quote($archiveName);
+   execCommand($cmd, $retcode);
+   if ($retcode != 0) {
+   error_log('Unable to call zip command: '.$cmd);

diff --git a/www-apps/websvn/files/30_CVE-2016-2511.patch 
b/www-apps/websvn/files/30_CVE-2016-2511.patch
new file mode 100644
index 000..9c270bb
--- /dev/null
+++ b/www-apps/websvn/files/30_CVE-2016-2511.patch
@@ -0,0 +1,11 @@
+--- orig/include/setup.php 2016-02-19 16:02:05.674756241 +0100
 new/include/setup.php  2016-02-19 16:02:10.166832543 +0100
+@@ -467,7 +467,7 @@
+ $vars['validationurl'] = 
getFullURL($_SERVER['SCRIPT_NAME']).'?'.buildQuery($queryParams + 
array('template' => $template, 'language' => $language), '%26');
+ 
+ // To avoid a possible XSS exploit, need to clean up the passed-in path first
+-$path = !empty($_REQUEST['path']) ? $_REQUEST['path'] : null;
++$path = !empty($_REQUEST['path']) ? escape($_REQUEST['path']) : null;
+ if ($path === null || $path === '')
+   $path = '/';
+ $vars['safepath'] = escape($path);

diff --git a/www-apps/websvn/files/31_CVE-2016-1236.patch 
b/www-apps/websvn/files/31_CVE-2016-1236.patch
new file mode 100644
index 000..13ff2be
--- /dev/null
+++ b/www-apps/websvn/files/31_CVE-2016-1236.patch
@@ -0,0 +1,61 @@
+Description: CVE-2016-1236: XSS via directory or file in a repository 
containing XSS payload
+Origin: vendor
+Forwarded: no
+Author: Nitin Venkatesh 
+Reviewed-by: Salvatore Bonaccorso 
+Last-Update: 2016-05-08
+
+--- a/revision.php
 b/revision.php
+@@ -145,7 +145,7 @@ if ($rep) {
+   }
+   $resourceExisted = $change->action == 'M' || $change->copyfrom;
+   $listing[] = array(
+-  'path' => $change->path,
++  'path' => escape($change->path),
+   'oldpath' => $change->copyfrom ? $change->copyfrom.' @ 
'.$change->copyrev : '',
+   'action' => $change->action,
+   'added' => $change->action == 'A',
+--- a/log.php
 b/log.php
+@@ -323,6 +323,9 @@ if ($rep) {
+