www-apps/websvn: Non-maintainer security revision bump and EAPI cleanup
authorBrian Evans <grknight@gentoo.org>
Thu, 11 Aug 2016 18:21:29 +0000 (14:21 -0400)
committerBrian Evans <grknight@gentoo.org>
Thu, 11 Aug 2016 18:26:27 +0000 (14:26 -0400)
Remove the deprecated depend.php wrt bug 552838
Include Debian security patches wrt bug 552684, bug 575486, and bug 582234

Package-Manager: portage-2.3.0

www-apps/websvn/files/13_security_CVE-2013-6892.patch [new file with mode: 0644]
www-apps/websvn/files/30_CVE-2016-2511.patch [new file with mode: 0644]
www-apps/websvn/files/31_CVE-2016-1236.patch [new file with mode: 0644]
www-apps/websvn/websvn-2.3.3-r1.ebuild [new file with mode: 0644]

diff --git a/www-apps/websvn/files/13_security_CVE-2013-6892.patch b/www-apps/websvn/files/13_security_CVE-2013-6892.patch
new file mode 100644 (file)
index 0000000..ffb14e8
--- /dev/null
@@ -0,0 +1,39 @@
+Arbitrary files with a known path can be accessed in websvn by committing a
+symlink to a repository and then downloading the file (using the download
+link).
+
+Author: Thijs Kinkhorst <thijs@debian.org>
+
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775682
+
+diff -ur oud/dl.php nieuw/dl.php
+--- oud/dl.php 2015-01-18 16:03:30.688791512 +0100
++++ nieuw/dl.php       2015-01-18 16:27:00.950897749 +0100
+@@ -137,6 +137,18 @@
+               exit(0);
+       }
++      // For security reasons, disallow direct downloads of filenames that
++      // are a symlink, since they may be a symlink to anywhere (/etc/passwd)
++      // Deciding whether the symlink is relative and legal within the
++      // repository would be nice but seems to error prone at this moment.
++      if ( is_link($tempDir.DIRECTORY_SEPARATOR.$archiveName) ) {
++              header('HTTP/1.x 500 Internal Server Error', true, 500);
++              error_log('to be downloaded file is symlink, aborting: '.$archiveName);
++              print 'Download of symlinks disallowed: "'.xml_entities($archiveName).'".';
++              removeDirectory($tempDir);
++              exit(0);
++      }
++
+       // Set timestamp of exported directory (and subdirectories) to timestamp of
+       // the revision so every archive of a given revision has the same timestamp.
+       $revDate = $logEntry->date;
+@@ -180,7 +192,7 @@
+               $downloadMimeType = 'application/x-zip';
+               $downloadArchive .= '.zip';
+               // Create zip file
+-              $cmd = $config->zip.' -r '.quote($downloadArchive).' '.quote($archiveName);
++              $cmd = $config->zip.' --symlinks -r '.quote($downloadArchive).' '.quote($archiveName);
+               execCommand($cmd, $retcode);
+               if ($retcode != 0) {
+                       error_log('Unable to call zip command: '.$cmd);
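Review bot: The added `is_link()` test only covers the top-level export path, so a symlink nested inside an exported directory passes the check and the protection for that case rests entirely on the `--symlinks` flag added to the zip branch. The tar branch is outside this hunk; it should be confirmed that it does not pass `-h`/`--dereference` (GNU tar stores links as links by default), otherwise a nested symlink to e.g. `/etc/passwd` would still be archived by content. A refusal of a policy rule would also be clearer as `header('HTTP/1.x 403 Forbidden', true, 403);` than as a 500, which reads like a server fault in logs and monitoring. The enclosing function continues outside the hunk.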
diff --git a/www-apps/websvn/files/30_CVE-2016-2511.patch b/www-apps/websvn/files/30_CVE-2016-2511.patch
new file mode 100644 (file)
index 0000000..9c270bb
--- /dev/null
@@ -0,0 +1,11 @@
+--- orig/include/setup.php     2016-02-19 16:02:05.674756241 +0100
++++ new/include/setup.php      2016-02-19 16:02:10.166832543 +0100
+@@ -467,7 +467,7 @@
+ $vars['validationurl'] = getFullURL($_SERVER['SCRIPT_NAME']).'?'.buildQuery($queryParams + array('template' => $template, 'language' => $language), '%26');
+ // To avoid a possible XSS exploit, need to clean up the passed-in path first
+-$path = !empty($_REQUEST['path']) ? $_REQUEST['path'] : null;
++$path = !empty($_REQUEST['path']) ? escape($_REQUEST['path']) : null;
+ if ($path === null || $path === '')
+       $path = '/';
+ $vars['safepath'] = escape($path);
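Review bot: With the new `escape()` on the `$path` assignment, the unchanged `$vars['safepath'] = escape($path);` three lines later now escapes twice, so a path containing `&`, `<` or `"` is rendered as `&amp;amp;` etc. in the output. If the intent is to sanitize `$path` once at its source, that line should become `$vars['safepath'] = $path;`. Note also that `$path` is presumably passed on to the Subversion layer outside this hunk; if so, HTML-escaping it here changes which resource is addressed for paths that contain those characters, which may warrant keeping the raw value for repository access and escaping only at output.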
diff --git a/www-apps/websvn/files/31_CVE-2016-1236.patch b/www-apps/websvn/files/31_CVE-2016-1236.patch
new file mode 100644 (file)
index 0000000..13ff2be
--- /dev/null
@@ -0,0 +1,61 @@
+Description: CVE-2016-1236: XSS via directory or file in a repository containing XSS payload
+Origin: vendor
+Forwarded: no
+Author: Nitin Venkatesh <venkatesh.nitin@gmail.com>
+Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2016-05-08
+
+--- a/revision.php
++++ b/revision.php
+@@ -145,7 +145,7 @@ if ($rep) {
+               }
+               $resourceExisted = $change->action == 'M' || $change->copyfrom;
+               $listing[] = array(
+-                      'path' => $change->path,
++                      'path' => escape($change->path),
+                       'oldpath' => $change->copyfrom ? $change->copyfrom.' @ '.$change->copyrev : '',
+                       'action' => $change->action,
+                       'added' => $change->action == 'A',
+--- a/log.php
++++ b/log.php
+@@ -323,6 +323,9 @@ if ($rep) {
+                                       $listing[$index]['revadded'] = (isset($modpaths['A'])) ? implode('<br/>', $modpaths['A']) : '';
+                                       $listing[$index]['revdeleted'] = (isset($modpaths['D'])) ? implode('<br/>', $modpaths['D']) : '';
+                                       $listing[$index]['revmodified'] = (isset($modpaths['M'])) ? implode('<br/>', $modpaths['M']) : '';
++                                      $listing[$index]['revadded'] = escape($listing[$index]['revadded']);
++                                      $listing[$index]['revdeleted'] = escape($listing[$index]['revdeleted']);
++                                      $listing[$index]['revmodified'] = escape($listing[$index]['revmodified']);
+                               }
+                               $row = 1 - $row;
+--- a/comp.php
++++ b/comp.php
+@@ -381,7 +381,7 @@ if ($rep) {
+                                               $absnode .= $node;
+                                       }
+-                                      $listing[$index]['newpath'] = $absnode;
++                                      $listing[$index]['newpath'] = escape($absnode);
+                                       $listing[$index]['fileurl'] = $config->getURL($rep, $absnode, 'file').'rev='.$rev2;
+--- a/listing.php
++++ b/listing.php
+@@ -123,7 +123,7 @@ function showDirFiles($svnrep, $subs, $l
+                               $listing[$index]['level'] = ($treeview) ? $level : 0;
+                               $listing[$index]['node'] = 0; // t-node
+                               $listing[$index]['path'] = $path.$file;
+-                              $listing[$index]['filename'] = $file;
++                              $listing[$index]['filename'] = escape($file);
+                               if ($isDir) {
+                                       $listing[$index]['fileurl'] = urlForPath($path.$file, $passRevString);
+                               } else {
+@@ -137,7 +137,7 @@ function showDirFiles($svnrep, $subs, $l
+                               }
+                               if ($treeview) {
+-                                      $listing[$index]['compare_box'] = '<input type="checkbox" name="compare[]" value="'.$path.$file.'@'.$passrev.'" onclick="checkCB(this)" />';
++                                      $listing[$index]['compare_box'] = '<input type="checkbox" name="compare[]" value="'.escape($path.$file).'@'.$passrev.'" onclick="checkCB(this)" />';
+                               }
+                               if ($config->showLastModInListing()) {
+                                       $listing[$index]['committime'] = $entry->committime;
diff --git a/www-apps/websvn/websvn-2.3.3-r1.ebuild b/www-apps/websvn/websvn-2.3.3-r1.ebuild
new file mode 100644 (file)
index 0000000..27275ad
--- /dev/null
@@ -0,0 +1,54 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="6"
+
+inherit webapp
+
+MY_P="${P//_/}"
+
+DESCRIPTION="Web-based browsing tool for Subversion (SVN) repositories in PHP"
+HOMEPAGE="http://www.websvn.info/ http://websvn.tigris.org/"
+DOWNLOAD_NUMBER="49056"
+SRC_URI="http://websvn.tigris.org/files/documents/1380/${DOWNLOAD_NUMBER}/${MY_P}.tar.gz"
+
+LICENSE="GPL-2"
+IUSE="enscript"
+KEYWORDS="~amd64 ~ppc ~ppc64 ~sparc ~x86"
+
+DEPEND=""
+RDEPEND="dev-lang/php:*[xml]
+       dev-vcs/subversion
+       virtual/httpd-php:*
+       enscript? ( app-text/enscript )"
+RESTRICT="mirror"
+
+PATCHES=(
+       "${FILESDIR}/13_security_CVE-2013-6892.patch"
+       "${FILESDIR}/30_CVE-2016-2511.patch"
+       "${FILESDIR}/31_CVE-2016-1236.patch"
+)
+
+S="${WORKDIR}/${MY_P}"
+
+src_install() {
+       webapp_src_preinst
+
+       DOCS=( changes.txt )
+       HTML_DOCS=( doc/* )
+       einstalldocs
+
+       mv include/{dist,}config.php
+       rm -rf license.txt changes.txt doc/
+
+       insinto "${MY_HTDOCSDIR}"
+       doins -r .
+
+       webapp_configfile "${MY_HTDOCSDIR}"/include/config.php
+       webapp_configfile "${MY_HTDOCSDIR}"/wsvn.php
+
+       webapp_serverowned "${MY_HTDOCSDIR}"/cache
+
+       webapp_src_install
+}
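Review bot: The non-helper commands in `src_install` are unchecked: `mv include/{dist,}config.php` and `rm -rf license.txt changes.txt doc/` should be `mv include/{dist,}config.php || die` and `rm -rf license.txt changes.txt doc/ || die`, since a failed rename would otherwise silently ship the package without `include/config.php` and leave `distconfig.php` in place. The `cache` directory handed to `webapp_serverowned` is the only server-writable path, which is appropriate; the three `PATCHES` entries are applied by the default `src_prepare` under EAPI 6, so no explicit phase is needed.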