Re: security update: www/git 1.1 to 1.2.1

2018-08-04 Thread Klemens Nanni 
On Sat, Aug 04, 2018 at 09:16:08AM +0200, Landry Breuil wrote:
> And it is fixed by the update, which returns a 400 error code now.
Thanks for testing, committed now.

Re: security update: www/git 1.1 to 1.2.1

2018-08-04 Thread Landry Breuil 
On Sat, Aug 04, 2018 at 09:10:09AM +0200, Landry Breuil wrote:
> On Fri, Aug 03, 2018 at 10:45:46PM +0200, Klemens Nanni wrote:
> > 1.2.1 fixes a directory traversal bug:
> > https://bugs.chromium.org/p/project-zero/issues/detail?id=1627
> 
> I've tried exploiting the bug locally and didnt manage to read files
> from /var/www, but whatever. cgit still works with the update, so ok.
> 

Whoops, spoke too fast, it is indeed pretty bad:

$curl https://fqdn/repo/objects/?path=../../../../etc/resolv.conf


And it is fixed by the update, which returns a 400 error code now.

Re: security update: www/git 1.1 to 1.2.1

2018-08-04 Thread Landry Breuil 
On Fri, Aug 03, 2018 at 10:45:46PM +0200, Klemens Nanni wrote:
> 1.2.1 fixes a directory traversal bug:
> https://bugs.chromium.org/p/project-zero/issues/detail?id=1627

I've tried exploiting the bug locally and didnt manage to read files
from /var/www, but whatever. cgit still works with the update, so ok.

security update: www/git 1.1 to 1.2.1

2018-08-03 Thread Klemens Nanni 
1.2.1 fixes a directory traversal bug:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1627

While here:

* in README refer to an installed manual page instead of the
online version
* use simpler and AF agnostic httpd.conf(5) syntax in our example

I'd be happy to hear feedback from regular cgit users.

Index: Makefile
===
RCS file: /cvs/ports/www/cgit/Makefile,v
retrieving revision 1.23
diff -u -p -r1.23 Makefile
--- Makefile5 Jan 2018 08:31:26 -   1.23
+++ Makefile3 Aug 2018 20:32:26 -
@@ -2,12 +2,11 @@
 
 COMMENT =  web frontend for git repositories
 
-DISTNAME = cgit-1.1
+DISTNAME = cgit-1.2.1
 CATEGORIES =   www devel
-REVISION = 0
 
-DISTFILES =${DISTNAME}.tar.gz:0 \
-   git-2.10.2.tar.gz:1
+DISTFILES =${DISTNAME}.tar.xz:0 \
+   git-2.18.0.tar.gz:1
 
 MASTER_SITES0 =https://git.zx2c4.com/cgit/snapshot/
 MASTER_SITES1 =https://www.kernel.org/pub/software/scm/git/
Index: distinfo
===
RCS file: /cvs/ports/www/cgit/distinfo,v
retrieving revision 1.11
diff -u -p -r1.11 distinfo
--- distinfo22 Mar 2017 20:23:52 -  1.11
+++ distinfo3 Aug 2018 20:32:37 -
@@ -1,4 +1,4 @@
-SHA256 (cgit-1.1.tar.gz) = 9A3soz5VbJohi73Ce9nEd62ZxwhjkjCWhtIWkB3RDTs=
-SHA256 (git-2.10.2.tar.gz) = PX7yddgLl6qmHztr6dPcUWIC5vb12IXywJtZ66WS3MQ=
-SIZE (cgit-1.1.tar.gz) = 105738
-SIZE (git-2.10.2.tar.gz) = 6065116
+SHA256 (cgit-1.2.1.tar.xz) = PFR8FGNA+xbUE0Mm51JL+yj/poEoTx45FL3hwnqRgr8=
+SHA256 (git-2.18.0.tar.gz) = lPrywLAqeSCwtG9JYdjpytCOgUGGFBAomKVfmA+j5+Q=
+SIZE (cgit-1.2.1.tar.xz) = 89648
+SIZE (git-2.18.0.tar.gz) = 7498807
Index: patches/patch-Makefile
===
RCS file: /cvs/ports/www/cgit/patches/patch-Makefile,v
retrieving revision 1.8
diff -u -p -r1.8 patch-Makefile
--- patches/patch-Makefile  22 Mar 2017 20:23:52 -  1.8
+++ patches/patch-Makefile  3 Aug 2018 20:10:00 -
@@ -1,9 +1,10 @@
 $OpenBSD: patch-Makefile,v 1.8 2017/03/22 20:23:52 landry Exp $
 Makefile.orig  Thu Feb 23 10:40:08 2017
-+++ Makefile   Thu Feb 23 10:42:15 2017
+Index: Makefile
+--- Makefile.orig
 Makefile
 @@ -2,11 +2,11 @@ all::
  
- CGIT_VERSION = v1.1
+ CGIT_VERSION = v1.2.1
  CGIT_SCRIPT_NAME = cgit.cgi
 -CGIT_SCRIPT_PATH = /var/www/htdocs/cgit
 -CGIT_DATA_PATH = $(CGIT_SCRIPT_PATH)
@@ -18,7 +19,7 @@ $OpenBSD: patch-Makefile,v 1.8 2017/03/2
  libdir = $(prefix)/lib
  filterdir = $(libdir)/cgit/filters
  docdir = $(prefix)/share/doc/cgit
-@@ -84,8 +84,6 @@ install: all
+@@ -90,8 +90,6 @@ install: all
$(INSTALL) -m 0644 cgit.png $(DESTDIR)$(CGIT_DATA_PATH)/cgit.png
$(INSTALL) -m 0644 favicon.ico $(DESTDIR)$(CGIT_DATA_PATH)/favicon.ico
$(INSTALL) -m 0644 robots.txt $(DESTDIR)$(CGIT_DATA_PATH)/robots.txt
Index: patches/patch-filter_c
===
RCS file: /cvs/ports/www/cgit/patches/patch-filter_c,v
retrieving revision 1.2
diff -u -p -r1.2 patch-filter_c
--- patches/patch-filter_c  14 Jan 2016 22:09:15 -  1.2
+++ patches/patch-filter_c  3 Aug 2018 20:10:00 -
@@ -1,8 +1,9 @@
 $OpenBSD: patch-filter_c,v 1.2 2016/01/14 22:09:15 sthen Exp $
 Wtf.
 filter.c.orig  Thu Jan 14 14:43:54 2016
-+++ filter.c   Thu Jan 14 14:53:04 2016
-@@ -148,12 +148,13 @@ static struct cgit_filter *current_write_filter = NULL
+Index: filter.c
+--- filter.c.orig
 filter.c
+@@ -149,12 +149,13 @@ static struct cgit_filter *current_write_filter = NULL
  
  void cgit_init_filters(void)
  {
Index: pkg/PLIST
===
RCS file: /cvs/ports/www/cgit/pkg/PLIST,v
retrieving revision 1.4
diff -u -p -r1.4 PLIST
--- pkg/PLIST   5 Jan 2018 08:31:26 -   1.4
+++ pkg/PLIST   3 Aug 2018 20:35:53 -
@@ -8,5 +8,5 @@ cgit/cgit.png
 cgit/favicon.ico
 cgit/robots.txt
 @cwd ${LOCALBASE}
-share/doc/pkg-readmes/${FULLPKGNAME}
 @man man/man5/cgitrc.5
+share/doc/pkg-readmes/${FULLPKGNAME}
Index: pkg/README
===
RCS file: /cvs/ports/www/cgit/pkg/README,v
retrieving revision 1.3
diff -u -p -r1.3 README
--- pkg/README  22 Mar 2017 20:23:52 -  1.3
+++ pkg/README  3 Aug 2018 20:38:56 -
@@ -7,16 +7,15 @@ $OpenBSD: README,v 1.3 2017/03/22 20:23:
 Cgit config
 ===
 By default, the cgitrc config file is searched in ${PREFIX}/conf/cgitrc.
-Refer to http://git.zx2c4.com/cgit/tree/cgitrc.5.txt for the syntax.
+Refer to cgitrc(5) for the syntax.
 
 Webserver config
 
 
 OpenBSD httpd
 -
-ext_ip="0.0.0.0"
 server "default" {
-   listen on $ext_ip port 80
+   listen on egress port 80
 
# don't serve static files from cgit CGI: cgit.css and cgit.png
location "/cgit.*" {