Fix a security related problem in tDiary 1.5.6, see

http://www.tdiary.org/20031119.html (Japanese-language) for details. It only happened in the following case: * "@secure = true" in setting file (tdiary.conf) * output_rdf.rb or tb-send.rb by plugin choice PR: ports/59451 Submitted by: Fumihiko Kimura <jfkimura@yahoo.co.jp> (maintainer)
svn path=/head/; revision=95448
2003-12-09 02:48:11 +00:00 · 2003-12-09 02:48:11 +00:00 · bde98a7340 · 2021-03-31 03:12:20 +00:00
commit bde98a7340
parent 31c1c5d1a4
6 changed files with 106 additions and 2 deletions
--- a/www/tdiary-devel/Makefile
+++ b/www/tdiary-devel/Makefile
@ -7,6 +7,7 @@

 PORTNAME=	tdiary
 PORTVERSION=	1.5.6
+PORTREVISION=	1
 CATEGORIES?=	www ruby
 MASTER_SITES=	\
 		${MASTER_SITE_SOURCEFORGE} \
@ -70,6 +71,7 @@ do-install:
 post-install:
 	@cd ${WRKSRC} && ${FIND} . -type f -o -type l | ${SED} -e 's,^\.,${TDIARYDIR:S|${LOCALBASE}/||},' >> ${TMPPLIST}
 	@cd ${WRKSRC} && ${FIND} . -type d -depth  | ${SED} -e 's,^\.,@dirrm ${TDIARYDIR:S|${LOCALBASE}/||},' >> ${TMPPLIST}
-	@${SED} -e "s,%%EXAMPLESDIR%%,${EXAMPLESDIR},g" ${PKGMESSAGE}
+	@${SED}	-e 's|%%EXAMPLESDIR%%|${EXAMPLESDIR}|' < ${FILESDIR}/pkg-message.in > ${PKGMESSAGE}
+	@${CAT} ${PKGMESSAGE}

 .include <bsd.port.mk>
--- a/www/tdiary-devel/files/patch-aa
+++ b/www/tdiary-devel/files/patch-aa
@ -0,0 +1,47 @@
+--- tdiary.rb	Thu Nov 13 15:34:22 2003
+++ tdiary.rb.new	Fri Nov 21 16:11:26 2003
+@@ -1,13 +1,13 @@
+ =begin
+ == NAME
+ tDiary: the "tsukkomi-able" web diary system.
+-tdiary.rb $Revision: 1.156 $
+tdiary.rb $Revision: 1.159 $
+ 
+ Copyright (C) 2001-2003, TADA Tadashi <sho@spc.gr.jp>
+ You can redistribute it and/or modify it under GPL2.
+ =end
+ 
+-TDIARY_VERSION = '1.5.6'
+TDIARY_VERSION = '1.5.6.20031118'
+ 
+ require 'cgi'
+ begin
+@@ -62,10 +62,14 @@
+ module Safe
+ 	def safe( level = 4 )
+ 		result = nil
+-		Thread.start {
+-			$SAFE = level
+		if $SAFE < level then
+			Thread.start {
+				$SAFE = level
+				result = yield
+			}.join
+		else
+ 			result = yield
+-		}.join
+		end
+ 		result
+   end
+   module_function :safe
+@@ -740,7 +744,9 @@
+ 			r = str.dup
+ 			if @options['apply_plugin'] and str.index( '<%' ) then
+ 				r = str.untaint if $SAFE < 3
+-				r = ERbLight.new( r ).result( binding )
+				Safe::safe( @conf.secure ? 4 : 1 ) do
+					r = ERbLight.new( r ).result( binding )
+				end
+ 			end
+ 			r.gsub!( /<.*?>/, '' ) if remove_tag
+ 			r
--- a/www/tdiary-devel/files/pkg-message.in
+++ b/www/tdiary-devel/files/pkg-message.in
@ -9,6 +9,9 @@ This script should be run manually.
   or
  % ruby %%EXAMPLESDIR%%/tdiaryinst.rb

+ * Option: --suexec Use suExec for CGI execution
+	   --help   Display Help information
+
 [Ruby 1.8.x]

  # %%EXAMPLESDIR%%/tdiary-FreeBSD.sh User
--- a/www/tdiary/Makefile
+++ b/www/tdiary/Makefile
@ -7,6 +7,7 @@

 PORTNAME=	tdiary
 PORTVERSION=	1.5.6
+PORTREVISION=	1
 CATEGORIES?=	www ruby
 MASTER_SITES=	\
 		${MASTER_SITE_SOURCEFORGE} \
@ -70,6 +71,7 @@ do-install:
 post-install:
 	@cd ${WRKSRC} && ${FIND} . -type f -o -type l | ${SED} -e 's,^\.,${TDIARYDIR:S|${LOCALBASE}/||},' >> ${TMPPLIST}
 	@cd ${WRKSRC} && ${FIND} . -type d -depth  | ${SED} -e 's,^\.,@dirrm ${TDIARYDIR:S|${LOCALBASE}/||},' >> ${TMPPLIST}
-	@${SED} -e "s,%%EXAMPLESDIR%%,${EXAMPLESDIR},g" ${PKGMESSAGE}
+	@${SED}	-e 's|%%EXAMPLESDIR%%|${EXAMPLESDIR}|' < ${FILESDIR}/pkg-message.in > ${PKGMESSAGE}
+	@${CAT} ${PKGMESSAGE}

 .include <bsd.port.mk>
--- a/www/tdiary/files/patch-aa
+++ b/www/tdiary/files/patch-aa
@ -0,0 +1,47 @@
+--- tdiary.rb	Thu Nov 13 15:34:22 2003
+++ tdiary.rb.new	Fri Nov 21 16:11:26 2003
+@@ -1,13 +1,13 @@
+ =begin
+ == NAME
+ tDiary: the "tsukkomi-able" web diary system.
+-tdiary.rb $Revision: 1.156 $
+tdiary.rb $Revision: 1.159 $
+ 
+ Copyright (C) 2001-2003, TADA Tadashi <sho@spc.gr.jp>
+ You can redistribute it and/or modify it under GPL2.
+ =end
+ 
+-TDIARY_VERSION = '1.5.6'
+TDIARY_VERSION = '1.5.6.20031118'
+ 
+ require 'cgi'
+ begin
+@@ -62,10 +62,14 @@
+ module Safe
+ 	def safe( level = 4 )
+ 		result = nil
+-		Thread.start {
+-			$SAFE = level
+		if $SAFE < level then
+			Thread.start {
+				$SAFE = level
+				result = yield
+			}.join
+		else
+ 			result = yield
+-		}.join
+		end
+ 		result
+   end
+   module_function :safe
+@@ -740,7 +744,9 @@
+ 			r = str.dup
+ 			if @options['apply_plugin'] and str.index( '<%' ) then
+ 				r = str.untaint if $SAFE < 3
+-				r = ERbLight.new( r ).result( binding )
+				Safe::safe( @conf.secure ? 4 : 1 ) do
+					r = ERbLight.new( r ).result( binding )
+				end
+ 			end
+ 			r.gsub!( /<.*?>/, '' ) if remove_tag
+ 			r
--- a/www/tdiary/files/pkg-message.in
+++ b/www/tdiary/files/pkg-message.in
@ -9,6 +9,9 @@ This script should be run manually.
   or
  % ruby %%EXAMPLESDIR%%/tdiaryinst.rb

+ * Option: --suexec Use suExec for CGI execution
+	   --help   Display Help information
+
 [Ruby 1.8.x]

  # %%EXAMPLESDIR%%/tdiary-FreeBSD.sh User