reinit the tree, so we can have metadata

3 files changed, 111 insertions, 0 deletions

diff --git a/www-apps/websvn/files/13_security_CVE-2013-6892.patch b/www-apps/websvn/files/13_security_CVE-2013-6892.patch
new file mode 100644
index 000000000000..ffb14e84aa11
--- /dev/null
+++ b/www-apps/websvn/files/13_security_CVE-2013-6892.patch
@@ -0,0 +1,39 @@
+Arbitrary files with a known path can be accessed in websvn by committing a
+symlink to a repository and then downloading the file (using the download
+link).
+
+Author: Thijs Kinkhorst <thijs@debian.org>
+
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775682
+
+diff -ur oud/dl.php nieuw/dl.php
+--- oud/dl.php	2015-01-18 16:03:30.688791512 +0100
++++ nieuw/dl.php	2015-01-18 16:27:00.950897749 +0100
+@@ -137,6 +137,18 @@
+ 		exit(0);
+ 	}
+ 
++	// For security reasons, disallow direct downloads of filenames that
++	// are a symlink, since they may be a symlink to anywhere (/etc/passwd)
++	// Deciding whether the symlink is relative and legal within the
++	// repository would be nice but seems to error prone at this moment.
++	if ( is_link($tempDir.DIRECTORY_SEPARATOR.$archiveName) ) {
++		header('HTTP/1.x 500 Internal Server Error', true, 500);
++		error_log('to be downloaded file is symlink, aborting: '.$archiveName);
++		print 'Download of symlinks disallowed: "'.xml_entities($archiveName).'".';
++		removeDirectory($tempDir);
++		exit(0);
++	}
++
+ 	// Set timestamp of exported directory (and subdirectories) to timestamp of
+ 	// the revision so every archive of a given revision has the same timestamp.
+ 	$revDate = $logEntry->date;
+@@ -180,7 +192,7 @@
+ 		$downloadMimeType = 'application/x-zip';
+ 		$downloadArchive .= '.zip';
+ 		// Create zip file
+-		$cmd = $config->zip.' -r '.quote($downloadArchive).' '.quote($archiveName);
++		$cmd = $config->zip.' --symlinks -r '.quote($downloadArchive).' '.quote($archiveName);
+ 		execCommand($cmd, $retcode);
+ 		if ($retcode != 0) {
+ 			error_log('Unable to call zip command: '.$cmd);
diff --git a/www-apps/websvn/files/30_CVE-2016-2511.patch b/www-apps/websvn/files/30_CVE-2016-2511.patch
new file mode 100644
index 000000000000..9c270bbc4582
--- /dev/null
+++ b/www-apps/websvn/files/30_CVE-2016-2511.patch
@@ -0,0 +1,11 @@
+--- orig/include/setup.php	2016-02-19 16:02:05.674756241 +0100
++++ new/include/setup.php	2016-02-19 16:02:10.166832543 +0100
+@@ -467,7 +467,7 @@
+ $vars['validationurl'] = getFullURL($_SERVER['SCRIPT_NAME']).'?'.buildQuery($queryParams + array('template' => $template, 'language' => $language), '%26');
+ 
+ // To avoid a possible XSS exploit, need to clean up the passed-in path first
+-$path = !empty($_REQUEST['path']) ? $_REQUEST['path'] : null;
++$path = !empty($_REQUEST['path']) ? escape($_REQUEST['path']) : null;
+ if ($path === null || $path === '')
+ 	$path = '/';
+ $vars['safepath'] = escape($path);
diff --git a/www-apps/websvn/files/31_CVE-2016-1236.patch b/www-apps/websvn/files/31_CVE-2016-1236.patch
new file mode 100644
index 000000000000..13ff2be66f86
--- /dev/null
+++ b/www-apps/websvn/files/31_CVE-2016-1236.patch
@@ -0,0 +1,61 @@
+Description: CVE-2016-1236: XSS via directory or file in a repository containing XSS payload
+Origin: vendor
+Forwarded: no
+Author: Nitin Venkatesh <venkatesh.nitin@gmail.com>
+Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2016-05-08
+
+--- a/revision.php
++++ b/revision.php
+@@ -145,7 +145,7 @@ if ($rep) {
+ 		}
+ 		$resourceExisted = $change->action == 'M' || $change->copyfrom;
+ 		$listing[] = array(
+-			'path' => $change->path,
++			'path' => escape($change->path),
+ 			'oldpath' => $change->copyfrom ? $change->copyfrom.' @ '.$change->copyrev : '',
+ 			'action' => $change->action,
+ 			'added' => $change->action == 'A',
+--- a/log.php
++++ b/log.php
+@@ -323,6 +323,9 @@ if ($rep) {
+ 					$listing[$index]['revadded'] = (isset($modpaths['A'])) ? implode('<br/>', $modpaths['A']) : '';
+ 					$listing[$index]['revdeleted'] = (isset($modpaths['D'])) ? implode('<br/>', $modpaths['D']) : '';
+ 					$listing[$index]['revmodified'] = (isset($modpaths['M'])) ? implode('<br/>', $modpaths['M']) : '';
++					$listing[$index]['revadded'] = escape($listing[$index]['revadded']);
++					$listing[$index]['revdeleted'] = escape($listing[$index]['revdeleted']);
++					$listing[$index]['revmodified'] = escape($listing[$index]['revmodified']);
+ 				}
+ 
+ 				$row = 1 - $row;
+--- a/comp.php
++++ b/comp.php
+@@ -381,7 +381,7 @@ if ($rep) {
+ 						$absnode .= $node;
+ 					}
+ 
+-					$listing[$index]['newpath'] = $absnode;
++					$listing[$index]['newpath'] = escape($absnode);
+ 
+ 					$listing[$index]['fileurl'] = $config->getURL($rep, $absnode, 'file').'rev='.$rev2;
+ 
+--- a/listing.php
++++ b/listing.php
+@@ -123,7 +123,7 @@ function showDirFiles($svnrep, $subs, $l
+ 				$listing[$index]['level'] = ($treeview) ? $level : 0;
+ 				$listing[$index]['node'] = 0; // t-node
+ 				$listing[$index]['path'] = $path.$file;
+-				$listing[$index]['filename'] = $file;
++				$listing[$index]['filename'] = escape($file);
+ 				if ($isDir) {
+ 					$listing[$index]['fileurl'] = urlForPath($path.$file, $passRevString);
+ 				} else {
+@@ -137,7 +137,7 @@ function showDirFiles($svnrep, $subs, $l
+ 				}
+ 
+ 				if ($treeview) {
+-					$listing[$index]['compare_box'] = '<input type="checkbox" name="compare[]" value="'.$path.$file.'@'.$passrev.'" onclick="checkCB(this)" />';
++					$listing[$index]['compare_box'] = '<input type="checkbox" name="compare[]" value="'.escape($path.$file).'@'.$passrev.'" onclick="checkCB(this)" />';
+ 				}
+ 				if ($config->showLastModInListing()) {
+ 					$listing[$index]['committime'] = $entry->committime;