--- loggerhead-1.17.orig/setup.py
+++ loggerhead-1.17/setup.py
@@ -40,28 +40,6 @@
 package_data = {"loggerhead": ["templates/*.pt",
 "static/css/*.css",
 "static/javascript/*.js",
- "static/javascript/yui/build/anim/*",
- "static/javascript/yui/build/base/*",
- "static/javascript/yui/build/cssbase/*",
- "static/javascript/yui/build/cssgrids/*",
- "static/javascript/yui/build/dd/*",
- "static/javascript/yui/build/dump/*",
- "static/javascript/yui/build/get/*",
- "static/javascript/yui/build/json/*",
- "static/javascript/yui/build/node/*",
- "static/javascript/yui/build/queue/*",
- "static/javascript/yui/build/yui/*",
- "static/javascript/yui/build/attribute/*",
- "static/javascript/yui/build/cookie/*",
- "static/javascript/yui/build/cssfonts/*",
- "static/javascript/yui/build/cssreset/*",
- "static/javascript/yui/build/dom/*",
- "static/javascript/yui/build/event/*",
- "static/javascript/yui/build/io/*",
- "static/javascript/yui/build/loader/*",
- "static/javascript/yui/build/oop/*",
- "static/javascript/yui/build/substitute/*",
- "static/javascript/yui/build/yui-base/*",
 "static/images/*"]},
 data_files = [
 ('share/man/man1', ['start-loggerhead.1',
--- loggerhead-1.17.orig/debian/loggerhead.init
+++ loggerhead-1.17/debian/loggerhead.init
@@ -0,0 +1,66 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides: loggerhead
+# Required-Start: $local_fs $remote_fs $network
+# Required-Stop: $local_fs $remote_fs $network
+# Default-Start: 2 3 4 5
+# Default-Stop: 1
+### END INIT INFO
+#
+# Init script for loggerhead Debian package. Based on skeleton init script:
+#
+# Version: @(#)skeleton 2.85-23 28-Jul-2004 miquels@cistron.nl
+#
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+DESC="Loggerhead Bazaar Branch Browser"
+NAME=loggerhead
+PIDFILE=/var/run/$NAME.pid
+SCRIPTNAME=/etc/init.d/$NAME
+
+# Gracefully exit if the package has been removed.
+[ -x /usr/bin/start-loggerhead ] || exit 0
+
+# Check if configuration file is present
+[ ! -f /etc/loggerhead.conf ] && exit 0
+
+#
+# Function that starts the daemon/service.
+#
+d_start() {
+ start-stop-daemon -p $PIDFILE -S --startas /usr/bin/start-loggerhead -- -p $PIDFILE -c /etc/loggerhead.conf -L /var/log/loggerhead 2>/dev/null
+}
+
+#
+# Function that stops the daemon/service.
+#
+d_stop() {
+ start-stop-daemon -p $PIDFILE -K --startas /usr/bin/stop-loggerhead -- -p $PIDFILE
+}
+
+
+case "$1" in
+ start)
+ echo -n "Starting $DESC: $NAME"
+ d_start
+ echo "."
+ ;;
+ stop)
+ echo -n "Stopping $DESC: $NAME"
+ d_stop
+ echo "."
+ ;;
+ restart|force-reload)
+ echo -n "Restarting $DESC: $NAME"
+ d_stop
+ sleep 1
+ d_start
+ echo "."
+ ;;
+ *)
+ echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2
+ exit 1
+ ;;
+esac
+
+exit 0
--- loggerhead-1.17.orig/debian/rules
+++ loggerhead-1.17/debian/rules
@@ -0,0 +1,11 @@
+#!/usr/bin/make -f
+
+DEB_PYTHON_SYSTEM=pycentral
+
+include /usr/share/cdbs/1/rules/debhelper.mk
+include /usr/share/cdbs/1/class/python-distutils.mk
+include /usr/share/cdbs/1/rules/simple-patchsys.mk
+
+clean::
+ -rm -rf build test*.tmp
+ find . -name "*.pyc" -print0 | xargs -0 rm -f
--- loggerhead-1.17.orig/debian/copyright
+++ loggerhead-1.17/debian/copyright
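Review bot: d_start hands /usr/bin/start-loggerhead to start-stop-daemon with no `--chuid` (or `--user`), so unless start-loggerhead drops privileges itself — which this diff does not show — the HTTP service runs as root. A dedicated system account created in debian/postinst (which here contains only `#DEBHELPER#`), e.g. `adduser --system --group --no-create-home loggerhead`, with /var/log/loggerhead chowned to it and `--chuid loggerhead` added to the d_start line, would confine a compromise of the viewer to that account. The `2>/dev/null` on the same line also discards any start-stop-daemon error, so a failed start still prints "." and the script exits 0; dropping the redirect makes failures visible to the administrator. d_stop combines `-K` with `--startas /usr/bin/stop-loggerhead -- -p $PIDFILE`; I believe start-stop-daemon ignores --startas and its arguments when stopping and just signals the pid from $PIDFILE, so whether stop-loggerhead is ever invoked is worth confirming.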
@@ -0,0 +1,58 @@
+This package was debianized by Jelmer Vernooij
+ on Fr 25. Jul 22:45:27 CEST 2008.
+
+It was downloaded from http://launchpad.net/loggerhead
+The tarball was created by running:
+
+bzr export -r100 loggerhead-0.0.1~bzr100.tar.gz http://launchpad.net/loggerhead
+
+Copyright (C) 2005 Matt Mackall
+Copyright (C) 2005 Jake Edge
+Copyright (C) 2006 Robey Pointer
+Copyright (C) 2006 Goffredo Baroncelli
+Copyright (C) 2005-2008 Canonical Ltd
+Copyright (C) 2008 Robert Collins
+
+License:
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License with
+the Debian GNU/Linux distribution in file /usr/share/common-licenses/GPL;
+if not, write to the Free Software Foundation, Inc., 51 Franklin St,
+Fifth Floor, Boston, MA 02110-1301, USA.
+
+On Debian systems, the full text of the GPL can be found in
+/usr/share/common-licenses/GPL
+
+The included Mootools JavaScript library is:
+
+Copyright (c) 2006-2008 Valerio Proietti, .
+
+License:
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
--- loggerhead-1.17.orig/debian/README.Debian
+++ loggerhead-1.17/debian/README.Debian
@@ -0,0 +1,10 @@
+loggerhead for Debian
+=====================
+
+To use loggerhead, please copy the example configuration file from
+/usr/share/doc/loggerhead/examples to /etc/loggerhead.conf and modify it for
+your local environment.
+
+After this, you should be able to start loggerhead.
+
+ -- Jelmer Vernooij , Mo 25. Aug 15:06:25 CEST 2008
--- loggerhead-1.17.orig/debian/changelog
+++ loggerhead-1.17/debian/changelog
@@ -0,0 +1,56 @@
+loggerhead (1.17-0ubuntu1.1) karmic-security; urgency=low
+
+ * SECURITY UPDATE: Cross-site scripting vulnerabilities by crafted branch
+ contents. (LP: #740142)
+ - debian/patches/bug-740142.diff: improve escaping of filenames.
+ - CVE-2011-0728
+
+ -- William Grant Thu, 24 Mar 2011 14:01:44 +1100
+
+loggerhead (1.17-0ubuntu1) karmic; urgency=low
+
+ [ Roland Mas ]
+ * Use the YUI library provided by libjs-yui. (Closes: #511286)
+
+ [ Jelmer Vernooij ]
+ * Use my debian.org address in Uploaders field.
+ * Add ${misc:Depends} to please lintian.
+ * Suggest recent version of paste, which doesn't expose internal port
+ numbers in links. (Closes: #507000)
+ * Bump standards version to 3.8.1.
+
+ [ James Westby ]
+ * New upstream release.
+ * Drop get-orig-source rule in favour of debian/watch.
+ * Add python-pkg-resources and python-paste to Build-Depends,
+ python-pkg-resources to Depends and python-simplejson to
+ Recommends due to dependency changes.
+
+ -- James Westby Wed, 26 Aug 2009 13:18:03 +0100
+
+loggerhead (1.10-1) unstable; urgency=low
+
+ * New upstream release.
+ * Stop writing home directory to pid file. (Closes: #507002)
+ * Use objlib from bzr. (Closes: #506999)
+ * Fix dependency on python-paste.
+
+ -- Jelmer Vernooij Tue, 09 Dec 2008 01:04:39 +0100
+
+loggerhead (1.6+bzr245-1) unstable; urgency=low
+
+ * New upstream snapshot.
+
+ -- Jelmer Vernooij Fri, 21 Nov 2008 01:11:24 +0100
+
+loggerhead (1.6+bzr241-1) unstable; urgency=low
+
+ * New upstream snapshot.
+
+ -- Jelmer Vernooij Fri, 07 Nov 2008 16:03:13 +0100
+
+loggerhead (1.6-1) unstable; urgency=low
+
+ * Initial release. (Closes: #492477)
+
+ -- Jelmer Vernooij Fri, 25 Jul 2008 22:43:49 +0200
--- loggerhead-1.17.orig/debian/control
+++ loggerhead-1.17/debian/control
@@ -0,0 +1,24 @@
+Source: loggerhead
+Section: devel
+Priority: optional
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Debian Bazaar Maintainers
+Uploaders: Jelmer Vernooij
+Homepage: https://launchpad.net/loggerhead
+Build-Depends-Indep: bzr (>= 1.5)
+Build-Depends: python-central (>= 0.5), cdbs (>= 0.4.43), debhelper (>= 5.0.37.2), python-dev, python-pkg-resources, python-paste (>= 1.6)
+Standards-Version: 3.8.1
+XS-Python-Version: >= 2.4
+Vcs-Bzr: http://bzr.debian.org/pkg-bazaar/loggerhead/unstable/
+
+Package: loggerhead
+Architecture: all
+Depends: bzr (>= 1.5), ${python:Depends}, python-simpletal, python-pkg-resources, python-paste (>= 1.6), libjs-yui, ${misc:Depends}
+Suggests: python-pastedeploy (>= 1.3.0)
+Enhances: bzr
+Recommends: bzr-search, python-simplejson
+XB-Python-Version: ${python:Versions}
+Description: Web viewer for Bazaar
+ This is a web viewer for projects in the Bazaar version control system.
+ It can be used to navigate a branch history, annotate files, view patches and
+ perform searches.
--- loggerhead-1.17.orig/debian/postinst
+++ loggerhead-1.17/debian/postinst
@@ -0,0 +1,2 @@
+#!/bin/sh -e
+#DEBHELPER#
--- loggerhead-1.17.orig/debian/pycompat
+++ loggerhead-1.17/debian/pycompat
@@ -0,0 +1 @@
+2
--- loggerhead-1.17.orig/debian/postrm
+++ loggerhead-1.17/debian/postrm
@@ -0,0 +1,2 @@
+#!/bin/sh -e
+#DEBHELPER#
--- loggerhead-1.17.orig/debian/watch
+++ loggerhead-1.17/debian/watch
@@ -0,0 +1,2 @@
+version=3
+https://launchpad.net/loggerhead/+download http://launchpad.net/loggerhead/.*/loggerhead-(.+).tar.gz
--- loggerhead-1.17.orig/debian/compat
+++ loggerhead-1.17/debian/compat
@@ -0,0 +1 @@
+5
--- loggerhead-1.17.orig/debian/prerm
+++ loggerhead-1.17/debian/prerm
@@ -0,0 +1,2 @@
+#!/bin/sh -e
+#DEBHELPER#
--- loggerhead-1.17.orig/debian/dirs
+++ loggerhead-1.17/debian/dirs
@@ -0,0 +1,2 @@
+var/log/loggerhead
+etc/init.d
--- loggerhead-1.17.orig/debian/examples
+++ loggerhead-1.17/debian/examples
@@ -0,0 +1 @@
+loggerhead.conf.example
--- loggerhead-1.17.orig/debian/patches/bug-740142.diff
+++ loggerhead-1.17/debian/patches/bug-740142.diff
@@ -0,0 +1,191 @@ +Description: Fix for bug #740142 (CVE-2011-0728) + Changes backported from lp:~wgrant/loggerhead/1.18-bug-740142. +Bug: https://launchpad.net/bugs/740142 +Author: William Grant + +diff -Nur -x '*.orig' -x '*~' karmic-740142//loggerhead/controllers/annotate_ui.py karmic-740142.new//loggerhead/controllers/annotate_ui.py +--- karmic-740142//loggerhead/controllers/annotate_ui.py 2011-03-24 14:00:15.238434000 +1100 ++++ karmic-740142.new//loggerhead/controllers/annotate_ui.py 2011-03-24 14:01:01.015048000 +1100 +@@ -17,7 +17,6 @@ + # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + # + +-import cgi + import os + import time + +@@ -71,7 +70,7 @@ + hl_lines = highlight(file_name, file_text, encoding) + hl_lines.extend([u''] * (len(file_lines) - len(hl_lines))) + else: +- hl_lines = map(cgi.escape, file_lines) ++ hl_lines = map(util.html_escape, file_lines) + + change_cache = {} + +diff -Nur -x '*.orig' -x '*~' karmic-740142//loggerhead/templatefunctions.py karmic-740142.new//loggerhead/templatefunctions.py +--- karmic-740142//loggerhead/templatefunctions.py 2011-03-24 14:00:15.238434000 +1100 ++++ karmic-740142.new//loggerhead/templatefunctions.py 2011-03-24 14:01:01.015048000 +1100 +@@ -14,8 +14,8 @@ + # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + # + +-import cgi + import os ++import urllib + + import pkg_resources + +@@ -23,6 +23,7 @@ + + import loggerhead + from loggerhead.zptsupport import zpt ++from loggerhead.util import html_format + + + templatefunctions = {} +@@ -49,16 +50,21 @@ + if style == 'fragment': + def file_link(filename): + if currently_showing and filename == currently_showing: +- return '%s' % ( +- cgi.escape(filename), cgi.escape(filename)) ++ return html_format( ++ '%s', ++ urllib.quote(filename.encode('utf-8')), filename) + else: + return revision_link( +- url, entry.revno, filename, '#' + filename) ++ url, entry.revno, filename, ++ '#' + 
urllib.quote(filename.encode('utf-8'))) + else: + def file_link(filename): +- return '%s'%( +- url(['/revision', entry.revno]), '#' + filename, cgi.escape(filename), +- cgi.escape(entry.revno), cgi.escape(filename)) ++ return html_format( ++ '' ++ '%s', ++ url(['/revision', entry.revno]), ++ '#' + urllib.quote(filename.encode('utf-8')), ++ filename, entry.revno, filename) + return _pt('revisionfilechanges').expand( + entry=entry, file_changes=file_changes, file_link=file_link, **templatefunctions) + +@@ -122,14 +128,15 @@ + + @templatefunc + def annotate_link(url, revno, path): +- return '%s'%( +- url(['/annotate', revno, path]), cgi.escape(path), cgi.escape(path)) ++ return html_format( ++ '%s', ++ url(['/annotate', revno, path]), path, path) + + @templatefunc + def revision_link(url, revno, path, frag=''): +- return '%s'%( +- url(['/revision', revno, path]), frag, cgi.escape(path), +- cgi.escape(revno), cgi.escape(path)) ++ return html_format( ++ '%s', ++ url(['/revision', revno, path]), frag, path, revno, path) + + + @templatefunc +diff -Nur -x '*.orig' -x '*~' karmic-740142//loggerhead/tests/test_simple.py karmic-740142.new//loggerhead/tests/test_simple.py +--- karmic-740142//loggerhead/tests/test_simple.py 2011-03-24 14:00:15.238434000 +1100 ++++ karmic-740142.new//loggerhead/tests/test_simple.py 2011-03-24 14:01:01.015048000 +1100 +@@ -59,9 +59,11 @@ + + self.filecontents = ('some\nmultiline\ndata\n' + 'with", ">"), ++ ("<", "<"), ++ ] ++ ++ ++def html_escape(s): ++ """Transform dangerous (X)HTML characters into entities. ++ ++ Like cgi.escape, except also escaping " and '. This makes it safe to use ++ in both attribute and element content. ++ ++ If you want to safely fill a format string with escaped values, use ++ html_format instead ++ """ ++ for char, repl in html_entity_subs: ++ s = s.replace(char, repl) ++ return s ++ + ++def html_format(template, *args): ++ """Safely format an HTML template string, escaping the arguments. 
++ ++ The template string must not be user-controlled; it will not be escaped. ++ """ ++ return template % tuple(html_escape(arg) for arg in args) ++ ++ ++# FIXME: get rid of this method; use fixed_width() and avoid XML(). + + def html_clean(s): + """ +@@ -202,7 +232,7 @@ + entities, and replace spaces with ' '. this is primarily for use + in displaying monospace text. + """ +- s = cgi.escape(s.expandtabs()) ++ s = html_escape(s.expandtabs()) + s = s.replace(' ', ' ') + return s + +@@ -250,7 +280,7 @@ + except UnicodeDecodeError: + s = s.decode('iso-8859-15') + +- s = cgi.escape(s).expandtabs().replace(' ', NONBREAKING_SPACE) ++ s = html_escape(s).expandtabs().replace(' ', NONBREAKING_SPACE) + + return HSC.clean(s).replace('\n', '
') +
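Review bot: html_escape's correctness depends on the order of html_entity_subs — `&` must be substituted before `<`, `>`, `"` and `'`, otherwise the entities produced by later substitutions are re-escaped into `&amp;lt;` and the like — and this page's rendering of that table is garbled (the replacement strings appear decoded), so the order cannot be confirmed here; a unit test such as `assert html_escape('&<') == '&amp;&lt;'` would pin it against a later reordering. html_format applies html_escape, i.e. str.replace, to every argument, so a non-string value (an int revno, say) raises AttributeError instead of being escaped; either state in the docstring that all arguments must be strings or coerce them explicitly in html_format. In annotate_ui.py the `import cgi` is dropped and `util.html_escape` used in its place, but the hunk does not show `util` being imported there — presumably it already is, worth confirming. The `'#' + urllib.quote(filename.encode('utf-8'))` fragments in templatefunctions.py assume filename is unicode; a non-ASCII byte string reaching file_link would first be implicitly decoded as ASCII by .encode() and raise UnicodeDecodeError.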