Retroactively "peg" the svn:externals property on these tags which

pulls in the 'templates-contrib' area.

git-svn-id: http://viewvc.tigris.org/svn/viewvc/tags/1.0.11@2451 8cb11bc2-c004-0410-86c3-e597b4017df7

CHANGES

@@ -1,4 +1,8 @@
-Version 1.1.10 (released 10-Mar-2010)
+Version 1.0.11 (released 29-Mar-2010)
+
+  * security fix: escape user-provided search_re input to avoid XSS attack
+
+Version 1.0.10 (released 10-Mar-2010)
 
   * security fix: escape user-provided query form input to avoid XSS attack
   * fix errors viewing remote Subversion paths with URI-unsafe characters

LICENSE.html

@@ -15,7 +15,7 @@
 
 <blockquote>
 
-<p><strong>Copyright &copy; 1999-2008 The ViewCVS Group.  All rights
+<p><strong>Copyright &copy; 1999-2010 The ViewCVS Group.  All rights
    reserved.</strong></p>
 
 <p>By using ViewVC, you agree to the terms and conditions set forth
@@ -59,6 +59,7 @@
   <li>March 17, 2006 &mdash; software renamed from "ViewCVS"</li>
   <li>April 10, 2007 &mdash; copyright years updated</li>
   <li>February 22, 2008 &mdash; copyright years updated</li>
+  <li>March 29, 2010 &mdash; copyright years updated</li>
 </ul>
 
 </body>

lib/blame.py

@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 # -*-python-*-
 #
-# Copyright (C) 1999-2008 The ViewCVS Group. All Rights Reserved.
+# Copyright (C) 1999-2010 The ViewCVS Group. All Rights Reserved.
 # Copyright (C) 2000 Curt Hagenlocher <curt@hagenlocher.org>
 #
 # By using this file, you agree to the terms and conditions set forth in
@@ -31,9 +31,8 @@ import os
 import re
 import time
 import math
-import cgi
 import vclib
-
+import sapi
 
 re_includes = re.compile('\\#(\\s*)include(\\s*)"(.*?)"')
 
@@ -81,7 +80,7 @@ class HTMLBlameSource:
     diff_url = None
     if item.prev_rev:
       diff_url = '%sr1=%s&amp;r2=%s' % (self.diff_url, item.prev_rev, item.rev)
-    thisline = link_includes(cgi.escape(item.text), self.repos,
+    thisline = link_includes(sapi.escape(item.text), self.repos,
                              self.path_parts, self.include_url)
     return _item(text=thisline, line_number=item.line_number,
                  rev=item.rev, prev_rev=item.prev_rev,

lib/idiff.py

@@ -1,6 +1,6 @@
 # -*-python-*-
 #
-# Copyright (C) 1999-2006 The ViewCVS Group. All Rights Reserved.
+# Copyright (C) 1999-2010 The ViewCVS Group. All Rights Reserved.
 #
 # By using this file, you agree to the terms and conditions set forth in
 # the LICENSE.html file which can be found at the top level of the ViewVC
@@ -20,7 +20,7 @@ import difflib
 import sys
 import re
 import ezt
-import cgi
+import sapi
 
 def sidebyside(fromlines, tolines, context):
   """Generate side by side diff"""
@@ -49,18 +49,18 @@ def _mdiff_split(flag, (line_number, text)):
   while True:
     m = _re_mdiff.search(text, pos)
     if not m:
-      segments.append(_item(text=cgi.escape(text[pos:]), type=None))
+      segments.append(_item(text=sapi.escape(text[pos:]), type=None))
       break
 
     if m.start() > pos:
-      segments.append(_item(text=cgi.escape(text[pos:m.start()]), type=None))
+      segments.append(_item(text=sapi.escape(text[pos:m.start()]), type=None))
 
     if m.group(1) == "+":
-      segments.append(_item(text=cgi.escape(m.group(2)), type="add"))
+      segments.append(_item(text=sapi.escape(m.group(2)), type="add"))
     elif m.group(1) == "-":
-      segments.append(_item(text=cgi.escape(m.group(2)), type="remove"))
+      segments.append(_item(text=sapi.escape(m.group(2)), type="remove"))
     elif m.group(1) == "^":
-      segments.append(_item(text=cgi.escape(m.group(2)), type="change"))
+      segments.append(_item(text=sapi.escape(m.group(2)), type="change"))
 
     pos = m.end()
 
@@ -166,12 +166,12 @@ def _differ_split(row, guide):
 
     for m in _re_differ.finditer(guide, pos):
       if m.start() > pos:
-        segments.append(_item(text=cgi.escape(line[pos:m.start()]), type=None))
-      segments.append(_item(text=cgi.escape(line[m.start():m.end()]),
+        segments.append(_item(text=sapi.escape(line[pos:m.start()]), type=None))
+      segments.append(_item(text=sapi.escape(line[m.start():m.end()]),
                             type="change"))
       pos = m.end()
 
-  segments.append(_item(text=cgi.escape(line[pos:]), type=None))
+  segments.append(_item(text=sapi.escape(line[pos:]), type=None))
 
   return _item(gap=ezt.boolean(gap), type=type, segments=segments,
                left_number=left_number, right_number=right_number)

lib/query.py

@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 # -*-python-*-
 #
-# Copyright (C) 1999-2008 The ViewCVS Group. All Rights Reserved.
+# Copyright (C) 1999-2010 The ViewCVS Group. All Rights Reserved.
 #
 # By using this file, you agree to the terms and conditions set forth in
 # the LICENSE.html file which can be found at the top level of the ViewVC
@@ -398,12 +398,11 @@ def main(server, cfg, viewvc_link):
       'cfg' : cfg,
       'address' : cfg.general.address,
       'vsn' : viewvc.__version__,
-
-      'repository' : server.escape(form_data.repository, 1),
-      'branch' : server.escape(form_data.branch, 1),
-      'directory' : server.escape(form_data.directory, 1),
-      'file' : server.escape(form_data.file, 1),
-      'who' : server.escape(form_data.who, 1),
+      'repository' : server.escape(form_data.repository),
+      'branch' : server.escape(form_data.branch),
+      'directory' : server.escape(form_data.directory),
+      'file' : server.escape(form_data.file),
+      'who' : server.escape(form_data.who),
       'docroot' : cfg.options.docroot is None \
                   and viewvc_link + '/' + viewvc.docroot_magic_path \
                   or cfg.options.docroot,

lib/sapi.py

@@ -1,6 +1,6 @@
 # -*-python-*-
 #
-# Copyright (C) 1999-2006 The ViewCVS Group. All Rights Reserved.
+# Copyright (C) 1999-2010 The ViewCVS Group. All Rights Reserved.
 #
 # By using this file, you agree to the terms and conditions set forth in
 # the LICENSE.html file which can be found at the top level of the ViewVC
@@ -20,6 +20,7 @@ import string
 import os
 import sys
 import re
+import cgi
 
 
 # global server object. It will be either a CgiServer or a proxy to
@@ -27,6 +28,18 @@ import re
 server = None
 
 
+# Simple HTML string escaping.  Note that we always escape the
+# double-quote character -- ViewVC shouldn't ever need to preserve
+# that character as-is, and sometimes needs to embed escaped values
+# into HTML attributes.
+def escape(s):
+  s = string.replace(s, '&', '&')
+  s = string.replace(s, '>', '>')
+  s = string.replace(s, '<', '&lt;')
+  s = string.replace(s, '"', "&quot;")
+  return s
+
+  
 class Server:
   def __init__(self):
     self.pageGlobals = {}
@@ -34,6 +47,9 @@ class Server:
   def self(self):
     return self
 
+  def escape(self, s):
+    return escape(s)
+    
   def close(self):
     pass
 
@@ -129,9 +145,6 @@ class CgiServer(Server):
     global server
     server = self
 
-    global cgi
-    import cgi
-
   def addheader(self, name, value):
     self.headers.append((name, value))
 
@@ -161,9 +174,6 @@ class CgiServer(Server):
     print 'This document is located <a href="%s">here</a>.' % url
     sys.exit(0)
 
-  def escape(self, s, quote = None):
-    return cgi.escape(s, quote)
-
   def getenv(self, name, value=None):
     ret = os.environ.get(name, value)
     if self.iis and name == 'PATH_INFO' and ret:
@@ -221,9 +231,6 @@ class AspServer(ThreadedServer):
     self.response.Redirect(url)
     sys.exit()
 
-  def escape(self, s, quote = None):
-    return self.server.HTMLEncode(str(s))
-
   def getenv(self, name, value = None):
     ret = self.request.ServerVariables(name)()
     if not type(ret) is types.UnicodeType:
@@ -285,9 +292,6 @@ class ModPythonServer(ThreadedServer):
     self.request = request
     self.headerSent = 0
     
-    global cgi
-    import cgi
-
   def addheader(self, name, value):
     self.request.headers_out.add(name, value)
 
@@ -311,9 +315,6 @@ class ModPythonServer(ThreadedServer):
       % (url, url))
     sys.exit()
 
-  def escape(self, s, quote = None):
-    return cgi.escape(s, quote)
-
   def getenv(self, name, value = None):
     try:
       return self.request.subprocess_env[name]

lib/viewvc.py

@@ -14,7 +14,7 @@
 #
 # -----------------------------------------------------------------------
 
-__version__ = '1.0.10-dev'
+__version__ = '1.0.11'
 
 # this comes from our library; measure the startup time
 import debug
@@ -25,7 +25,6 @@ debug.t_start('imports')
 import sys
 import os
 import sapi
-import cgi
 import string
 import urllib
 import mimetypes
@@ -999,7 +998,7 @@ def get_file_view_info(request, where, rev=None, mime_type=None, pathrev=-1):
 _re_rewrite_url = re.compile('((http|https|ftp|file|svn|svn\+ssh)(://[-a-zA-Z0-9%.~:_/]+)((\?|\&)([-a-zA-Z0-9%.~:_]+)=([-a-zA-Z0-9%.~:_])+)*(#([-a-zA-Z0-9%.~:_]+)?)?)')
 _re_rewrite_email = re.compile('([-a-zA-Z0-9_.\+]+)@(([-a-zA-Z0-9]+\.)+[A-Za-z]{2,4})')
 def htmlify(html):
-  html = cgi.escape(html)
+  html = sapi.escape(html)
   html = re.sub(_re_rewrite_url, r'<a href="\1">\1</a>', html)
   html = re.sub(_re_rewrite_email, r'<a href="mailto:\1&#64;\2">\1&#64;\2</a>', html)
   return html
@@ -1010,7 +1009,7 @@ def format_log(log, cfg, htmlize=1):
   if htmlize:
     s = htmlify(log[:cfg.options.short_log_len])
   else:
-    s = cgi.escape(log[:cfg.options.short_log_len])
+    s = sapi.escape(log[:cfg.options.short_log_len])
   if len(log) > cfg.options.short_log_len:
     s = s + '...'
   return s
@@ -1334,7 +1333,7 @@ def markup_stream_python(fp, cfg):
 
   ### It doesn't escape stuff quite right, nor does it munge URLs and
   ### mailtos as well as we do.
-  html = cgi.escape(fp.read())
+  html = sapi.escape(fp.read())
   pp = py2html.PrettyPrint(PyFontify.fontify, "rawhtml", "color")
   pp.set_mode_rawhtml_color()
   html = pp.fontify(html)
@@ -1487,7 +1486,7 @@ def prepare_hidden_values(params):
   hidden_values = []
   for name, value in params.items():
     hidden_values.append('<input type="hidden" name="%s" value="%s" />' %
-                         (name, value))
+                         (sapi.escape(name), sapi.escape(value)))
   return string.join(hidden_values, '')
 
 def sort_file_data(file_data, roottype, sortdir, sortby, group_dirs):