rpms/git/F-8 0001-hotfix-1.5.456.X.txt, NONE, 1.1 .cvsignore, 1.48, 1.49 git.spec, 1.50, 1.51
Todd M. Zullinger
tmz at fedoraproject.org
Sat Dec 20 17:41:47 UTC 2008
Author: tmz
Update of /cvs/extras/rpms/git/F-8
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv25979
Modified Files:
.cvsignore git.spec
Added Files:
0001-hotfix-1.5.456.X.txt
Log Message:
* Sat Dec 20 2008 Todd Zullinger <tmz at pobox.com> 1.5.4.3-3
- Fix local privilege escalation bug in gitweb
(http://article.gmane.org/gmane.comp.version-control.git/103624)
--- NEW FILE 0001-hotfix-1.5.456.X.txt ---
>From dfff4b7aa42de7e7d58caeebe2c6128449f09b76 Mon Sep 17 00:00:00 2001
From: Junio C Hamano <gitster at pobox.com>
Date: Tue, 16 Dec 2008 19:42:02 -0800
Subject: [PATCH] gitweb: do not run "git diff" that is Porcelain
Jakub says that legacy-style URI to view two blob differences are never
generated since 1.4.3. This codepath runs "git diff" Porcelain from the
gitweb, which is a no-no. It can trigger diff.external command that is
specified in the configuration file of the repository being viewed.
This patch applies to v1.5.4 and later.
Signed-off-by: Junio C Hamano <gitster at pobox.com>
---
gitweb/gitweb.perl | 38 ++------------------------------------
1 files changed, 2 insertions(+), 36 deletions(-)
diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
index b582332..86a6ced 100755
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@ -4809,43 +4809,9 @@ sub git_blobdiff {
or die_error(undef, "Open git-diff-tree failed");
}
- # old/legacy style URI
- if (!%diffinfo && # if new style URI failed
- defined $hash && defined $hash_parent) {
- # fake git-diff-tree raw output
- $diffinfo{'from_mode'} = $diffinfo{'to_mode'} = "blob";
- $diffinfo{'from_id'} = $hash_parent;
- $diffinfo{'to_id'} = $hash;
- if (defined $file_name) {
- if (defined $file_parent) {
- $diffinfo{'status'} = '2';
- $diffinfo{'from_file'} = $file_parent;
- $diffinfo{'to_file'} = $file_name;
- } else { # assume not renamed
- $diffinfo{'status'} = '1';
- $diffinfo{'from_file'} = $file_name;
- $diffinfo{'to_file'} = $file_name;
- }
- } else { # no filename given
- $diffinfo{'status'} = '2';
- $diffinfo{'from_file'} = $hash_parent;
- $diffinfo{'to_file'} = $hash;
- }
-
- # non-textual hash id's can be cached
- if ($hash =~ m/^[0-9a-fA-F]{40}$/ &&
- $hash_parent =~ m/^[0-9a-fA-F]{40}$/) {
- $expires = '+1d';
- }
-
- # open patch output
- open $fd, "-|", git_cmd(), "diff", @diff_opts,
- '-p', ($format eq 'html' ? "--full-index" : ()),
- $hash_parent, $hash, "--"
- or die_error(undef, "Open git-diff failed");
- } else {
+ # old/legacy style URI -- not generated anymore since 1.4.3.
+ if (!%diffinfo) {
die_error('404 Not Found', "Missing one of the blob diff parameters")
- unless %diffinfo;
}
# header
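Review bot: in the new "if (!%diffinfo) {" block the die_error('404 Not Found', ...) call no longer has a terminating semicolon, because the removed "unless %diffinfo;" line carried it. Perl accepts this for the last statement in a block, but add the ";" so that a statement appended to the block later does not become a syntax error. Separately, a legacy-style request that supplies both $hash and $hash_parent now receives "Missing one of the blob diff parameters", which is misleading for that case; a message saying that legacy blobdiff URIs are no longer supported would be clearer to anyone following an old link.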
--
1.6.1.rc3.19.g66a9
Index: .cvsignore
===================================================================
RCS file: /cvs/extras/rpms/git/F-8/.cvsignore,v
retrieving revision 1.48
retrieving revision 1.49
diff -u -r1.48 -r1.49
--- .cvsignore 27 Nov 2007 16:29:35 -0000 1.48
+++ .cvsignore 20 Dec 2008 17:41:16 -0000 1.49
@@ -1 +1 @@
-git-1.5.3.6.tar.gz
+git-1.5.4.3.tar.gz
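Review bot: the tarball entry moves from git-1.5.3.6.tar.gz to git-1.5.4.3.tar.gz here, but the log message mentions only the gitweb fix, and the git.spec context below shows Version: 1.5.4.3 was already in place at release 2. Say in the log message that .cvsignore is being brought in line with the existing Version, so the change is not read as a source update shipped together with the security fix.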
Index: git.spec
===================================================================
RCS file: /cvs/extras/rpms/git/F-8/git.spec,v
retrieving revision 1.50
retrieving revision 1.51
diff -u -r1.50 -r1.51
--- git.spec 26 Feb 2008 20:47:37 -0000 1.50
+++ git.spec 20 Dec 2008 17:41:16 -0000 1.51
@@ -1,7 +1,7 @@
# Pass --without docs to rpmbuild if you don't want the documentation
Name: git
Version: 1.5.4.3
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: Git core and tools
License: GPLv2
Group: Development/Tools
@@ -11,6 +11,7 @@
Source2: git.xinetd
Source3: git.conf.httpd
Patch0: git-1.5-gitweb-home-link.patch
+Patch1: 0001-hotfix-1.5.456.X.txt
BuildRequires: zlib-devel >= 1.2, openssl-devel, curl-devel, expat-devel, emacs, gettext %{!?_without_docs:, xmlto, asciidoc > 6.0.3}
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
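Review bot: the new Patch1 line has no comment saying where the patch comes from, and the file name 0001-hotfix-1.5.456.X.txt neither follows the git-1.5-...patch naming used by Patch0 nor says what it fixes. Add a comment above Patch1 that records the upstream commit (dfff4b7aa42de7e7d58caeebe2c6128449f09b76, "gitweb: do not run "git diff" that is Porcelain") so the patch can be traced and dropped once the packaged version contains it.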
@@ -122,6 +123,7 @@
%prep
%setup -q
%patch0 -p1
+%patch1 -p1
%build
make %{_smp_mflags} CFLAGS="$RPM_OPT_FLAGS" \
@@ -244,6 +246,10 @@
%{!?_without_docs: %doc Documentation/technical}
%changelog
+* Sat Dec 20 2008 Todd Zullinger <tmz at pobox.com> 1.5.4.3-3
+- Fix local privilege escalation bug in gitweb
+ (http://article.gmane.org/gmane.comp.version-control.git/103624)
+
* Sun Feb 26 2008 Bernardo Innocenti <bernie at codewiz.org> 1.5.4.3-2
- Do not silently overwrite /etc/httpd/conf.d/git.conf
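Review bot: the new changelog entry identifies the issue only as a "local privilege escalation bug" with a link to a list archive, which leaves nothing to go on if that link stops resolving. Add one line naming the mechanism from the patch description (gitweb ran the "git diff" Porcelain, which can trigger the diff.external command configured in the repository being viewed) and the patch file name, so an administrator reading the RPM changelog can tell what was fixed.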