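debian/0000775000000000000000000000000012735534022007173 5ustar 
debian/config0000664000000000000000000000163712713654133010374 0ustar 
#!/bin/sh
# websvn package configuration script
#
# Debconf frontend for the websvn package: on (re)configure it asks whether
# the package should manage its own configuration and, if so, which of the
# installed Apache flavours to hook into plus the repository locations.
set -e

# Source debconf library -- we have a Depends line
# to make sure it is there...
. /usr/share/debconf/confmodule

db_version 2.0
db_title WebSVN

if [ "$1" = configure ] || [ "$1" = reconfigure ] ; then
    db_input "critical" "websvn/configuration" || true
    db_go

    db_get "websvn/configuration"
    if [ "$RET" = "true" ]; then
        # Offer only the web servers whose configuration directory exists;
        # the list is fixed here, so $candidate never contains user input.
        webservers=""
        for candidate in apache apache-ssl apache-perl ; do
            if [ -f /etc/$candidate/httpd.conf ] ; then
                webservers="$webservers $candidate"
            fi
        done
        # Turn the space-separated list into the "a, b" form debconf expects
        # for multiselect Choices.  The second expression drops a trailing
        # ", " should one ever appear (the original pattern used '$$', which
        # matched a literal '$' and therefore never fired).
        webservers="$(echo $webservers | sed -e 's/ /, /g' -e 's/, *$//')"
        # Quoted so the substitution value reaches debconf as one argument
        # even though it contains ", " separators.
        db_subst "websvn/webservers" webservers "$webservers"
        db_input "high" "websvn/webservers" || true
        db_input "high" "websvn/parentpath" || true
        db_input "high" "websvn/repositories" || true
        # TODO warn users www-data user MUST have WRITE permission !
    fi

    db_input "high" "websvn/permissions" || true
    db_go
fi

exit 0
debian/compat0000664000000000000000000000000212713654133010373 0ustar 
5
debian/watch0000664000000000000000000000011012713654133010216 0ustar 
version=3
http://www.websvn.info/download/ \
.*?/websvn-(.*).tar.gz
debian/postrm0000664000000000000000000000214612713654133010447 0ustar 
#! /bin/sh
# post remove script for websvn
#
# On purge: drop the generated configuration snippet, the ucf registration,
# the cache directory and the per-webserver conf.d hook, then restart every
# web server whose hook was removed.  Other invocations only run the
# debhelper-generated code and stop debconf.
set -e

if [ -f /usr/share/debconf/confmodule ]; then
    . /usr/share/debconf/confmodule
    # Protocol errors below 30 are tolerated; anything else aborts via set -e.
    db_version 2.0 || [ $? -lt 30 ]
fi

# Web servers to restart after their hook was removed; only filled on purge.
restart=""

case "$1" in
    purge)
        if [ -e /etc/websvn/svn_deb_conf.inc ]; then
            rm /etc/websvn/svn_deb_conf.inc
        fi
        ucf -p /etc/websvn/svn_deb_conf.inc || true
        rm -rf /var/cache/websvn/

        if [ -f /usr/share/debconf/confmodule ]; then
            # The stored answer is a debconf multiselect ("apache, apache-ssl"),
            # hence the trailing comma stripped from each word below.
            db_get "websvn/webservers"
            webservers="$RET"
            for webserver in $webservers; do
                webserver=${webserver%,}
                # Whitelist: only these names are ever interpolated into a
                # path, whatever the debconf database contains.
                case "$webserver" in
                    apache|apache-perl|apache-ssl|apache2)
                        rm -f /etc/$webserver/conf.d/websvn
                        test -x /usr/sbin/$webserver || continue
                        restart="$restart $webserver"
                        ;;
                esac
            done
        fi
        ;;
esac

for webserver in $restart; do
    webserver=${webserver%,}
    if [ -x /usr/sbin/invoke-rc.d ]; then
        invoke-rc.d $webserver restart
    else
        /etc/init.d/$webserver restart
    fi
done

# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.
#DEBHELPER#

if [ -f /usr/share/debconf/confmodule ]; then
    db_stop
fi

exit 0
debian/patches/0000775000000000000000000000000012713654133010624 5ustar 
debian/patches/series0000664000000000000000000000022412713654133012037 0ustar 
13_security_CVE-2013-6892.patch
21_fix_conf_file.patch
22_use_global_geshi.patch
25_readme_multiviews
30_CVE-2016-2511.patch
31_CVE-2016-1236.patch
debian/patches/23_make_enscript_quiet.patch0000664000000000000000000000111612713654133016203 0ustar 
Index: websvn/include/configclass.php =================================================================== --- websvn.orig/include/configclass.php 2010-01-30 15:57:08.000000000 +0100 +++ websvn/include/configclass.php 2010-01-30 16:08:19.000000000 +0100 @@ -1165,7 +1165,7 @@ // Define the location of the enscript command function setEnscriptPath($path) { - $this->_setPath($this->enscript, $path, 'enscript'); + $this->_setPath($this->enscript, $path, "enscript", "-q"); } function getEnscriptCommand() { 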
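Review bot: The patch has no DEP-3 header, unlike 31_CVE-2016-1236.patch on this page, which records `Description:`, `Origin:`, `Forwarded:` and `Author:`; a one-line `Description: run enscript with -q so it stays quiet` plus a `Forwarded:` line would tell the next maintainer why the change exists and whether upstream carries it. The added line also switches from the single quotes of the removed line to double quotes for plain literals; `$this->_setPath($this->enscript, $path, 'enscript', '-q');` keeps the file's style. Whether `_setPath` accepts a fourth argument cannot be seen from the hunk, and setEnscriptPath's caller context lies outside it. Note that neither this patch nor 11_security_css.patch is listed in the `debian/patches/series` file shown above, so as packaged they are not applied.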
@@ -1483,4 +1483,4 @@ // }}} } - \ No newline at end of file + debian/patches/31_CVE-2016-1236.patch0000664000000000000000000000473312713654133013553 0ustar Description: CVE-2016-1236: XSS via directory or file in a repository containing XSS payload Origin: vendor Forwarded: no Author: Nitin Venkatesh Reviewed-by: Salvatore Bonaccorso Last-Update: 2016-05-08 --- a/revision.php +++ b/revision.php @@ -145,7 +145,7 @@ if ($rep) { } $resourceExisted = $change->action == 'M' || $change->copyfrom; $listing[] = array( - 'path' => $change->path, + 'path' => escape($change->path), 'oldpath' => $change->copyfrom ? $change->copyfrom.' @ '.$change->copyrev : '', 'action' => $change->action, 'added' => $change->action == 'A', --- a/log.php +++ b/log.php @@ -323,6 +323,9 @@ if ($rep) { $listing[$index]['revadded'] = (isset($modpaths['A'])) ? implode('
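Review bot: The `oldpath` entry two lines below the changed line is still built from the unescaped `$change->copyfrom` and `$change->copyrev`, although copyfrom is a repository path of the same committer-controlled origin as the `path` value this hunk now escapes; unless the template escapes it, the same injection remains reachable through a copied path. Consider `'oldpath' => $change->copyfrom ? escape($change->copyfrom.' @ '.$change->copyrev) : '',` alongside the existing change. The enclosing `if ($rep)` block of revision.php continues outside the hunk.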
', $modpaths['A']) : ''; $listing[$index]['revdeleted'] = (isset($modpaths['D'])) ? implode('
', $modpaths['D']) : ''; $listing[$index]['revmodified'] = (isset($modpaths['M'])) ? implode('
', $modpaths['M']) : ''; + $listing[$index]['revadded'] = escape($listing[$index]['revadded']); + $listing[$index]['revdeleted'] = escape($listing[$index]['revdeleted']); + $listing[$index]['revmodified'] = escape($listing[$index]['revmodified']); } $row = 1 - $row; --- a/comp.php +++ b/comp.php @@ -381,7 +381,7 @@ if ($rep) { $absnode .= $node; } - $listing[$index]['newpath'] = $absnode; + $listing[$index]['newpath'] = escape($absnode); $listing[$index]['fileurl'] = $config->getURL($rep, $absnode, 'file').'rev='.$rev2; --- a/listing.php +++ b/listing.php @@ -123,7 +123,7 @@ function showDirFiles($svnrep, $subs, $l $listing[$index]['level'] = ($treeview) ? $level : 0; $listing[$index]['node'] = 0; // t-node $listing[$index]['path'] = $path.$file; - $listing[$index]['filename'] = $file; + $listing[$index]['filename'] = escape($file); if ($isDir) { $listing[$index]['fileurl'] = urlForPath($path.$file, $passRevString); } else { @@ -137,7 +137,7 @@ function showDirFiles($svnrep, $subs, $l } if ($treeview) { - $listing[$index]['compare_box'] = ''; + $listing[$index]['compare_box'] = ''; } if ($config->showLastModInListing()) { $listing[$index]['committime'] = $entry->committime; debian/patches/11_security_css.patch0000664000000000000000000000333612713654133014672 0ustar Index: websvn-2.0/include/setup.php =================================================================== --- websvn-2.0.orig/include/setup.php 2008-11-12 13:12:10.000000000 +0100 +++ websvn-2.0/include/setup.php 2008-11-12 13:12:26.000000000 +0100 @@ -314,7 +314,7 @@ $vars['lang_code'] = $userLang; -$url = getParameterisedSelfUrl(true); +$url = '?'.buildQuery($_GET + $_POST); $vars["lang_form"] = "
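Review bot: The three added lines escape `revadded`, `revdeleted` and `revmodified` after the `implode` on the lines above, so whatever separator the join uses (not legible in this rendering) is escaped together with the path names; if that separator is markup meant to reach the browser, the lists will now render it as literal text. Escaping the elements before joining avoids that, e.g. `implode(SEP, array_map('escape', $modpaths['A']))` in each of the three assignments, with `SEP` standing for the separator string already in the file. The enclosing `if ($rep)` block of log.php continues outside the hunk.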
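Review bot: In the first listing.php hunk only `filename` is escaped while `path` on the line above keeps the raw `$path.$file`, which is the same committer-controlled name; if any template prints `path` the fix is incomplete, so either escape it here as well or confirm that no template outputs it unescaped. The second hunk's `compare_box` change reads identically on both sides in this rendering (its markup was stripped), so it could not be reviewed. showDirFiles continues outside both hunks.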
"; $vars["lang_select"] = "