This commit was manufactured by cvs2svn to create tag 'V0_9_3'.

git-svn-id: http://viewvc.tigris.org/svn/viewvc/tags/V0_9_3@1068 8cb11bc2-c004-0410-86c3-e597b4017df7

CHANGES

@@ -1,3 +1,14 @@
+Version 0.9.3 (released 17-May-2005)
+
+  * security fix: disallow bad "content-type" input [CAN-2004-1062]
+  * security fix: disallow bad "sortby" and "cvsroot" input [CAN-2002-0771]
+  * security fix: omit forbidden/hidden modules from tarballs [CAN-2002-0771]
+
+Version 0.9.2 (released 15-Jan-2001)
+
+  * fix redirects to Attic for diffs
+  * fix diffs that have no changes (causing an infinite loop)
+
 Version 0.9.1 (released 26-Dec-2001)
 
   * fix a problem with some syntax in ndiff.py which isn't compatible

lib/viewcvs.py

@@ -25,7 +25,7 @@
 # -----------------------------------------------------------------------
 #
 
-__version__ = '0.9.1'
+__version__ = '0.9.3'
 
 #########################################################################
 #
@@ -248,9 +248,10 @@ def redirect(location):
   sys.exit(0)
 
 def error(msg, status='500 Internal Server Error'):
+  print 'Content-type: text/html'
   print 'Status:', status
   print
-  print msg
+  print cgi.escape(msg)
   sys.exit(0)
 
 def generate_page(request, tname, data):
@@ -1105,7 +1106,8 @@ def view_directory(request):
   view_tag = query_dict.get('only_with_tag')
   hideattic = int(query_dict.get('hideattic'))  ### watch for errors in int()?
   sortby = query_dict.get('sortby', 'file')
-
+  if not re.match('^[a-z]+$', sortby):
+    raise 'illegal value for sortby parameter'
   search_re = query_dict.get('search')
  
   # Search current directory
@@ -1841,8 +1843,8 @@ def process_checkout(full_name, where, query_dict, default_mime_type):
 
   mime_type = query_dict.get('content-type')
   if mime_type:
-    ### validate it?
+    if not re.match('^[-_.a-zA-Z0-9/]+$', mime_type):
-    pass
+      raise 'illegal value for content-type parameter'
   else:
     mime_type = default_mime_type
 
@@ -2184,6 +2186,8 @@ class DiffSource:
     self.left = None
     self.right = None
     self.state = 'no-changes'
+    self.left_col = [ ]
+    self.right_col = [ ]
 
   def __getitem__(self, idx):
     if idx == self.idx:
@@ -2213,9 +2217,10 @@ class DiffSource:
       self.save_line = None
     else:
       line = self.fp.readline()
+
     if not line:
       if self.state == 'no-changes':
-        self.state == 'done'
+        self.state = 'done'
         return _item(type='no-changes')
 
       # see if there are lines to flush
@@ -2449,6 +2454,9 @@ def generate_tarball(out, relative, directory, tag, stack=[]):
   for file, pathname, isdir in get_file_data(directory):
     if pathname == _UNREADABLE_MARKER:
       continue
+    if (file == 'CVSROOT' and cfg.options.hide_cvsroot) \
+           or cfg.is_forbidden(file):
+      continue
     if isdir:
       subdirs.append(file)
     else:
@@ -2606,10 +2614,12 @@ def main():
   else:
     # if the file is in the Attic, then redirect
     idx = string.rfind(full_name, '/')
-    attic_name = full_name[:idx] + '/Attic' + full_name[idx:] + ',v'
+    attic_name = full_name[:idx] + '/Attic' + full_name[idx:]
-    if os.path.isfile(attic_name):
+    if os.path.isfile(attic_name + ',v') or \
+       full_name[-5:] == '.diff' and os.path.isfile(attic_name[:-5] + ',v'):
       idx = string.rfind(url, '/')
-      redirect(url[:idx] + '/Attic' + url[idx:])
+      redirect(url[:idx] + '/Attic' + url[idx:] + \
+	       '?' + compat.urlencode(query_dict))
 
     error('%s: unknown location' % request.url, '404 Not Found')
 

website/index.html

@@ -13,7 +13,7 @@
       </td>
       <td align=center valign=top bgcolor="white" width="1%">
 	<b>Quickstart:</b>
-	<a href="viewcvs-0.9.1.tar.gz">download</a>
+	<a href="viewcvs-0.9.3.tar.gz">download</a>
       </td>
       <td width="1%"><a href="http://sourceforge.net/"><img border=0
 	    src="http://sourceforge.net/sflogo.php?group_id=18760&type=1"></a><br><a href="http://sourceforge.net/projects/viewcvs/">ViewCVS&nbsp;project&nbsp;page</a>
@@ -210,10 +210,10 @@
       The software is available for download:
     </p>
     <blockquote>
-      <a href="viewcvs-0.9.1.tar.gz">Version 0.9.1 of ViewCVS as a gzipped
+      <a href="viewcvs-0.9.3.tar.gz">Version 0.9.3 of ViewCVS as a gzipped
       tar</a>
       <br>
-      <a href="viewcvs-0.9.1.zip">Version 0.9.1 of ViewCVS as a ZIP
+      <a href="viewcvs-0.9.3.zip">Version 0.9.3 of ViewCVS as a ZIP
       file</a>
     </blockquote>
     <p>
@@ -299,7 +299,7 @@
   <address><a href="mailto:viewcvs@lyra.org">ViewCVS Users Group</a></address>
 <!-- Created: Fri Dec  3 02:51:37 PST 1999 -->
 <!-- hhmts start -->
-Last modified: Wed Dec 26 21:15:40 PST 2001
+Last modified: Tue Jan 15 01:51:03 PST 2002
 <!-- hhmts end -->
   </body>
 </html>