forked from pool/cgit

revert last commit

OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cgit?expand=0&rev=5
Stephan Kulow 2011-10-18 11:42:50 +00:00 committed by Git OBS Bridge
parent 8e0bad85f4
commit bd71d7a431
6 changed files with 319 additions and 68 deletions


@ -0,0 +1,35 @@
From bebe89d7c11a92bf206bf6e528c51ffa8ecbc0d5 Mon Sep 17 00:00:00 2001
From: Lukas Fleischer <cgit@cryptocrack.de>
Date: Fri, 22 Jul 2011 11:47:19 +0000
Subject: Fix potential XSS vulnerability in rename hint
The file name displayed in the rename hint should be escaped to avoid
XSS. Note that this vulnerability is only applicable when an attacker
has gained push access to the repository.
Signed-off-by: Lukas Fleischer <cgit@cryptocrack.de>
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
---
---
ui-diff.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
--- a/ui-diff.c
+++ b/ui-diff.c
@@ -97,10 +97,12 @@
htmlf("</td><td class='%s'>", class);
cgit_diff_link(info->new_path, NULL, NULL, ctx.qry.head, ctx.qry.sha1,
ctx.qry.sha2, info->new_path, 0);
- if (info->status == DIFF_STATUS_COPIED || info->status == DIFF_STATUS_RENAMED)
- htmlf(" (%s from %s)",
- info->status == DIFF_STATUS_COPIED ? "copied" : "renamed",
- info->old_path);
+ if (info->status == DIFF_STATUS_COPIED || info->status == DIFF_STATUS_RENAMED) {
+ htmlf(" (%s from ",
+ info->status == DIFF_STATUS_COPIED ? "copied" : "renamed");
+ html_txt(info->old_path);
+ html(")");
+ }
html("</td><td class='right'>");
if (info->binary) {
htmlf("bin</td><td class='graph'>%ld -> %ld bytes",
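Review bot: html_txt(info->old_path) in the new block closes this one sink, but the line just above still hands info->new_path to cgit_diff_link() as both its first argument and its path argument, and nothing in the hunk shows that helper escaping what it prints. A pushed file name reaches new_path the same way it reached old_path, so confirm cgit_diff_link() escapes its arguments and check the rest of ui-diff.c for other htmlf() calls that format a path with %s. The patch file also has two "---" separator lines after the Signed-off-by block; drop one.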

cgit-optflags.diff Normal file

@ -0,0 +1,14 @@
---
Makefile | 1 +
1 file changed, 1 insertion(+)
--- a/Makefile
+++ b/Makefile
@@ -134,6 +134,7 @@
CFLAGS += -g -Wall -Igit
+CFLAGS += $(RPM_OPT_FLAGS)
CFLAGS += -DSHA1_HEADER='$(SHA1_HEADER)'
CFLAGS += -DCGIT_VERSION='"$(CGIT_VERSION)"'
CFLAGS += -DCGIT_CONFIG='"$(CGIT_CONFIG)"'
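Review bot: the patch file opens at a bare "---" with no description, so nothing records why CFLAGS += $(RPM_OPT_FLAGS) is added or that it depends on RPM_OPT_FLAGS being set in make's environment. cgit.spec's %build runs plain "make V=1", so the flags arrive only implicitly and expand to nothing anywhere the variable is unset. Add a short header to the patch and consider passing the variable on the make command line in %build, so a build that loses the distribution flags is visible in the spec.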

cgit.changes Normal file

@ -0,0 +1,120 @@
-------------------------------------------------------------------
Fri Oct 14 10:13:03 CEST 2011 - tiwai@suse.de
- split from OBS git repo to an individual repo (since cgit-0.9
doesn't build with git-1.7.7)
- merged fixes in git repo back to cgit repo
- updated to git 1.7.6.4
-------------------------------------------------------------------
Wed Aug 3 21:35:48 UTC 2011 - asn@cryptomilk.org
- updated to cgit 0.9.0.2
- fixed potential XSS vulnerability in rename hint
- fixed a segfault with git 1.7.6
-------------------------------------------------------------------
Mon Jun 27 18:22:11 CEST 2011 - tiwai@suse.de
- updated to git 1.7.6: see git changelog for more details
-------------------------------------------------------------------
Mon Jun 6 16:03:34 CEST 2011 - tiwai@suse.de
- updated to git 1.7.5.4: see git changelog for more details
-------------------------------------------------------------------
Mon Jun 6 12:24:02 CEST 2011 - tiwai@suse.de
- Fix incompatibilies with git 1.7.5.x to build cgit again
-------------------------------------------------------------------
Wed Jun 1 12:41:12 UTC 2011 - mmarek@novell.com
- Do not buildrequire git, the package builds it's own git and the
buildrequires line only makes backporting harder.
-------------------------------------------------------------------
Fri May 27 11:54:43 CEST 2011 - tiwai@suse.de
- updated git 1.7.5.3:
See git changelog for more details
-------------------------------------------------------------------
Mon Mar 28 18:26:17 CEST 2011 - tiwai@suse.de
- updated to git 1.7.4.2:
documentation updates, small bug fixes;
see included Documentation/RelNotes/1.7.4.2.txt
- updated to cgit 0.9:
major updates; using git-1.7.4.x
-------------------------------------------------------------------
Fri Dec 17 17:51:32 CET 2010 - tiwai@suse.de
- updated to git 1.7.3.3:
In addition to the usual fixes, this release also includes
support for the new "add.ignoreErrors" name given to the
existing "add.ignore-errors" configuration variable.
- updated to git 1.7.3.4:
Among many fixes since v1.7.3.3, it contains a fix to a recently
discovered XSS vulnerability in Gitweb (CVE 2010-3906)
-------------------------------------------------------------------
Thu Sep 30 08:21:27 CEST 2010 - tiwai@suse.de
- updated to git 1.7.3:
major version update; new options and behavior for git-rebase,
git-clean, git-checkout, git-gui.
See release note:
http://www.kernel.org/pub/software/scm/git/docs/RelNotes-1.7.3.txt
- updated to git 1.7.3.1:
fix git-stash breakages
- Set NO_CROSS_DIRECTORY_HARDLINKS=1 to satisfy BS
-------------------------------------------------------------------
Fri Aug 20 17:41:32 CEST 2010 - anschneider@exsuse.de
- fixed more segfaults in cgit.
-------------------------------------------------------------------
Fri Aug 20 16:29:03 CEST 2010 - anschneider@exsuse.de
- fix cgit segfault when using git > 1.7
- update to version 0.8.3.3
- get debuginfo working, don't strip binaries.
-------------------------------------------------------------------
Fri Aug 20 10:02:44 CEST 2010 - tiwai@suse.de
- updated to git 1.7.2.2
-------------------------------------------------------------------
Thu Jul 29 13:52:36 CEST 2010 - tiwai@suse.de
- fix missing link with libpthread
-------------------------------------------------------------------
Thu Jul 29 13:43:28 CEST 2010 - tiwai@suse.de
- updated to git 1.7.2.1: minor fixes for git-instaweb, git-web,
git-config. See release note:
http://www.kernel.org/pub/software/scm/git/docs/RelNotes-1.7.2.1.txt
-------------------------------------------------------------------
Thu Jul 22 12:19:02 CEST 2010 - tiwai@suse.de
- updated to git 1.7.2: mostly bug fixes and small enhancements;
see the release note:
http://www.kernel.org/pub/software/scm/git/docs/RelNotes-1.7.2.txt
- gitweb stuff is moved to /usr/share/gitweb
-------------------------------------------------------------------
Sun Apr 25 18:29:34 UTC 2010 - poletti.marco@gmail.com
- Build against version 1.7.0.3 of git instead of 1.6.4.3.
-------------------------------------------------------------------
Fri Feb 5 16:37:58 UTC 2010 - poletti.marco@gmail.com
- Initial release, version 0.8.3.1
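Review bot: the Wed Aug 3 entry records the security fix only as "fixed potential XSS vulnerability in rename hint", with no CVE or bug number, although cgit.spec carries the fix as Patch2: cgit-CVE-2011-2711-fix.diff and the changelog diff removed in this same commit had "CVE-2011-2711, bnc#707929". Put both identifiers in the entry so the fix can be found by searching the changelog. The 1.7.3.4 entry has a smaller form of the same problem: "CVE 2010-3906" lacks the hyphen after CVE, so a search for the usual form misses it.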

cgit.spec Normal file

@ -0,0 +1,87 @@
#
# spec file for package cgit
#
# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
# norootforbuild
%define git_version 1.7.6.4
Name: cgit
Url: http://hjemli.net/git/cgit/
License: GPLv2
Group: Development/Libraries/C and C++
AutoReqProv: on
Version: 0.9.0.2
Release: 7
Summary: A web frontend for git repositories
Source0: %{name}-%{version}.tar.bz2
Source1: git-%{git_version}.tar.gz
Source2: cgitrc
Patch: cgit-optflags.diff
Patch1: cgit-git-1.7.6_build_fix.patch
Patch2: cgit-CVE-2011-2711-fix.diff
# Requirements for cgit
BuildRequires: gnu-crypto libopenssl-devel libzip-devel
# Requirements for cgitrc man page generation
BuildRequires: asciidoc libxslt
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
This is an attempt to create a fast web interface for the git scm, using a
builtin cache to decrease server io-pressure.
Authors:
--------
Lars Hjemli (hjemli@gmail.com)
%prep
%setup -q
%setup -q -T -D -a 1
%patch -p1
%patch1 -p1
%patch2 -p1
rm -rf git
mv git-%{git_version} git
%build
make V=1
%install
make install DESTDIR="%{buildroot}" CGIT_SCRIPT_PATH=/srv/www/htdocs/cgit
make install-man DESTDIR="%{buildroot}"
mkdir -p "%{buildroot}"/srv/www/cgi-bin/cgit/
mv "%{buildroot}"/srv/www/{htdocs,cgi-bin}/cgit/cgit.cgi
mkdir -p "%{buildroot}"/etc
cp %{SOURCE2} "%{buildroot}"/etc/cgitrc
%clean
rm -rf %{buildroot}
%files
%defattr(-,root,root)
%doc README COPYING
%doc %{_mandir}/man5/cgitrc.5.gz
%dir /srv/www/htdocs/cgit
%dir /srv/www/cgi-bin/cgit
/srv/www/cgi-bin/cgit/cgit.cgi
/srv/www/htdocs/cgit/cgit.css
/srv/www/htdocs/cgit/cgit.png
/usr/lib/cgit
%config(noreplace) /etc/cgitrc
%changelog
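Review bot: %prep applies "%patch2 -p1" (cgit-CVE-2011-2711-fix.diff) on top of Version: 0.9.0.2, while the cgit.changes entry for 0.9.0.2 lists "fixed potential XSS vulnerability in rename hint" as part of that update. If the 0.9.0.2 tarball already contains the html_txt() change, the patch is redundant and should be dropped; if it does not, the changelog should say the fix comes from Patch2. A comment above the Patch2 line stating which case applies would settle it. Separately, Source1 bundles git-%{git_version} and %prep moves it into git/, so git fixes reach this package only when git_version is bumped here; a comment next to the %define would make that explicit.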

cgitrc Normal file

@ -0,0 +1,63 @@
# Enable caching of up to 1000 output entriess
cache-size=1000
# Specify some default clone prefixes
clone-prefix=ssh://domain.com/var/git
# Specify the css url
css=/git/cgit.css
# Specify the logo url
logo=/git/cgit.png
# Show extra links for each repository on the index page
enable-index-links=1
# Show number of affected files per commit on the log pages
enable-log-filecount=1
# Show number of added/removed lines per commit on the log pages
enable-log-linecount=1
# Set the title and heading of the repository index page
root-title=git repositories
# Allow download of tar.gz, tar.bz2 and zip-files
snapshots=tar.gz tar.bz2 zip
##
## List of common mimetypes
##
mimetype.git=image/git
mimetype.html=text/html
mimetype.jpg=image/jpeg
mimetype.jpeg=image/jpeg
mimetype.pdf=application/pdf
mimetype.png=image/png
mimetype.svg=image/svg+xml
##
## List of repositories.
## PS: Any repositories listed when section is unset will not be
## displayed under a section heading
## PPS: This list could be kept in a different file (e.g. '/etc/cgitrepos')
## and included like this:
## include=/etc/cgitrepos
##
# Add your repositories here.
#
# Examples:
#
# repo.url=main
# repo.path=/var/git/main.git
# repo.desc=Main repository
# repo.owner=your.email@domain.com
#
# repo.url=secondary
# repo.path=/var/git/ut.git
# repo.desc=Secondary repository
# repo.owner=another.email@domain.com
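Review bot: "mimetype.git=image/git" in the mimetype list looks like a typo for "mimetype.gif=image/gif"; as written, .gif files get no mapping. Also, "clone-prefix=ssh://domain.com/var/git" is active rather than commented out, in a file that cgit.spec installs as /etc/cgitrc, so a fresh install advertises clone URLs on a domain the administrator does not control. Comment it out or use example.com, the way the repo.* examples further down are already commented. The first comment line has "entriess".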


@ -1,68 +0,0 @@
--- cgit.changes.orig
+++ cgit.changes
@@ -1,28 +1,17 @@
-------------------------------------------------------------------
-Tue Oct 4 20:27:08 CEST 2011 - tiwai@suse.de
+Fri Oct 14 10:13:03 CEST 2011 - tiwai@suse.de
-- updated to git 1.7.7; see git changelog for more details
+- split from OBS git repo to an individual repo (since cgit-0.9
+ doesn't build with git-1.7.7)
+- merged fixes in git repo back to cgit repo
+- updated to git 1.7.6.4
-------------------------------------------------------------------
-Mon Sep 26 12:57:01 CEST 2011 - tiwai@suse.de
+Wed Aug 3 21:35:48 UTC 2011 - asn@cryptomilk.org
-- updated to git 1.7.6.4; see git changelog for more details
-
--------------------------------------------------------------------
-Wed Sep 21 08:43:35 CEST 2011 - tiwai@suse.de
-
-- updated to 1.7.6.2, 1.7.6.3: see git changelog for more details
-
--------------------------------------------------------------------
-Thu Aug 25 12:23:22 CEST 2011 - tiwai@suse.de
-
-- update to git 1.7.6.1: see git changelog for more details
-
--------------------------------------------------------------------
-Fri Aug 5 15:13:43 CEST 2011 - tiwai@suse.de
-
-- Fix VUL-0: cgit: XSS flaw in rename hint (CVE-2011-2711,
- bnc#707929)
+- updated to cgit 0.9.0.2
+- fixed potential XSS vulnerability in rename hint
+- fixed a segfault with git 1.7.6
-------------------------------------------------------------------
Mon Jun 27 18:22:11 CEST 2011 - tiwai@suse.de
--- cgit.spec.orig
+++ cgit.spec
@@ -17,21 +17,21 @@
# norootforbuild
-%define git_version 1.7.7
+%define git_version 1.7.6.4
Name: cgit
Url: http://hjemli.net/git/cgit/
License: GPLv2
Group: Development/Libraries/C and C++
AutoReqProv: on
-Version: 0.9
-Release: 9
+Version: 0.9.0.2
+Release: 7
Summary: A web frontend for git repositories
Source0: %{name}-%{version}.tar.bz2
Source1: git-%{git_version}.tar.gz
Source2: cgitrc
Patch: cgit-optflags.diff
-Patch1: cgit-git-1.7.5.x-build-fix.diff
+Patch1: cgit-git-1.7.6_build_fix.patch
Patch2: cgit-CVE-2011-2711-fix.diff
# Requirements for cgit
BuildRequires: gnu-crypto libopenssl-devel libzip-devel
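Review bot: the commit message "revert last commit" does not match the change: removing this 68-line diff file is the only part that reads as a revert, while the 319 added lines bring in a CVE patch, a spec file, a changelog and a default configuration. Say in the message what is added and why. This removed file is also the only place on the page where the move from git_version 1.7.7 back to 1.7.6.4 and the dropped "CVE-2011-2711, bnc#707929" changelog entry are visible, so once it is gone that history should be stated in cgit.changes.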