Index: Makefile =================================================================== --- Makefile (revision 410457) +++ Makefile (working copy) @@ -3,6 +3,7 @@ PORTNAME= websvn PORTVERSION= 2.3.3 +PORTREVISION= 1 CATEGORIES= devel www MASTER_SITES= http://websvn.tigris.org/files/documents/1380/49056/ Index: files/patch-CVE-2013-6892 =================================================================== --- files/patch-CVE-2013-6892 (nonexistent) +++ files/patch-CVE-2013-6892 (working copy) @@ -0,0 +1,37 @@ +Arbitrary files with a known path can be accessed in websvn by committing a +symlink to a repository and then downloading the file (using the download +link). + +Author: Thijs Kinkhorst + +https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775682 +--- dl.php.orig 2011-06-27 09:02:52 UTC ++++ dl.php +@@ -137,6 +137,18 @@ if ($rep) { + exit(0); + } + ++ // For security reasons, disallow direct downloads of filenames that ++ // are a symlink, since they may be a symlink to anywhere (/etc/passwd) ++ // Deciding whether the symlink is relative and legal within the ++ // repository would be nice but seems to error prone at this moment. ++ if ( is_link($tempDir.DIRECTORY_SEPARATOR.$archiveName) ) { ++ header('HTTP/1.x 500 Internal Server Error', true, 500); ++ error_log('to be downloaded file is symlink, aborting: '.$archiveName); ++ print 'Download of symlinks disallowed: "'.xml_entities($archiveName).'".'; ++ removeDirectory($tempDir); ++ exit(0); ++ } ++ + // Set timestamp of exported directory (and subdirectories) to timestamp of + // the revision so every archive of a given revision has the same timestamp. + $revDate = $logEntry->date; +@@ -180,7 +192,7 @@ if ($rep) { + $downloadMimeType = 'application/x-zip'; + $downloadArchive .= '.zip'; + // Create zip file +- $cmd = $config->zip.' -r '.quote($downloadArchive).' '.quote($archiveName); ++ $cmd = $config->zip.' --symlinks -r '.quote($downloadArchive).' '.quote($archiveName); + execCommand($cmd, $retcode); + if ($retcode != 0) { + error_log('Unable to call zip command: '.$cmd); Property changes on: files/patch-CVE-2013-6892 ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: files/patch-CVE-2016-2511 =================================================================== --- files/patch-CVE-2016-2511 (nonexistent) +++ files/patch-CVE-2016-2511 (working copy) @@ -0,0 +1,12 @@ +Obtained from: Debian +--- include/setup.php.orig 2011-06-27 09:12:51 UTC ++++ include/setup.php +@@ -467,7 +467,7 @@ $vars['indexurl'] = $config->getURL('', + $vars['validationurl'] = getFullURL($_SERVER['SCRIPT_NAME']).'?'.buildQuery($queryParams + array('template' => $template, 'language' => $language), '%26'); + + // To avoid a possible XSS exploit, need to clean up the passed-in path first +-$path = !empty($_REQUEST['path']) ? $_REQUEST['path'] : null; ++$path = !empty($_REQUEST['path']) ? escape($_REQUEST['path']) : null; + if ($path === null || $path === '') + $path = '/'; + $vars['safepath'] = escape($path); Property changes on: files/patch-CVE-2016-2511 ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property