Retroactively "peg" the svn:externals property on these tags which

pulls in the 'templates-contrib' area.

git-svn-id: http://viewvc.tigris.org/svn/viewvc/tags/1.0.11@2451 8cb11bc2-c004-0410-86c3-e597b4017df7

CHANGES

@@ -1,3 +1,18 @@
+Version 1.0.11 (released 29-Mar-2010)
+
+  * security fix: escape user-provided search_re input to avoid XSS attack
+
+Version 1.0.10 (released 10-Mar-2010)
+
+  * security fix: escape user-provided query form input to avoid XSS attack
+  * fix errors viewing remote Subversion paths with URI-unsafe characters
+  * fix regexp input validation (issue #426, #427, #440)
+
+Version 1.0.9 (released 11-Aug-2009)
+
+  * security fix: validate the 'view' parameter to avoid XSS attack
+  * security fix: avoid printing illegal parameter names and values
+
 Version 1.0.8 (released 05-May-2009)
 
   * fix directory view sorting UI

LICENSE.html

@@ -15,7 +15,7 @@
 
 <blockquote>
 
-<p><strong>Copyright &copy; 1999-2008 The ViewCVS Group.  All rights
+<p><strong>Copyright &copy; 1999-2010 The ViewCVS Group.  All rights
    reserved.</strong></p>
 
 <p>By using ViewVC, you agree to the terms and conditions set forth
@@ -59,6 +59,7 @@
   <li>March 17, 2006 &mdash; software renamed from "ViewCVS"</li>
   <li>April 10, 2007 &mdash; copyright years updated</li>
   <li>February 22, 2008 &mdash; copyright years updated</li>
+  <li>March 29, 2010 &mdash; copyright years updated</li>
 </ul>
 
 </body>

docs/url-reference.html

@@ -867,7 +867,7 @@ th.caption {
     <td>file query string</td>
   </tr>
   <tr>
-    <td><code>file_match=FILE_MATCH</code></td>
+    <td><code>file_match=<var>FILE_MATCH</var></code></td>
     <td>optional</td>
     <td>"exact" "like" "glob" "regex" or "notregex" determining type of file match</td>
   </tr>
@@ -877,37 +877,37 @@ th.caption {
     <td>author query string</td>
   </tr>
   <tr>
-    <td><code>who_match=WHO_MATCH</code></td>
+    <td><code>who_match=<var>WHO_MATCH</var></code></td>
     <td>optional</td>
     <td>"exact" "like" "glob" "regex" or "notregex" determining type of author match</td>
   </tr>
   <tr>
-    <td><code>querysort=SORT</code></td>
+    <td><code>querysort=<var>SORT</var></code></td>
     <td>optional</td>
     <td>"date" "author" or "file" determining order of query results</td>
   </tr>
   <tr>
-    <td><code>date=DATE</code></td>
+    <td><code>date=<var>DATE</var></code></td>
     <td>optional</td>
     <td>"hours" "day" "week" "month" "all" or "explicit" to filter query results by date</td>
   </tr>
   <tr>
-    <td><code>hours=HOURS</code></td>
+    <td><code>hours=<var>HOURS</var></code></td>
     <td>optional</td>
     <td>number of hours back to include results from when <code><var>DATE</var></code> is "hours"</td>
   </tr>
   <tr>
-    <td><code>mindate=MINDATE</code></td>
+    <td><code>mindate=<var>MINDATE</var></code></td>
     <td>optional</td>
     <td>earliest date to include results from when <code><var>DATE</var></code> is "explicit"</td>
   </tr>
   <tr>
-    <td><code>maxdate=MAXDATE</code></td>
+    <td><code>maxdate=<var>MAXDATE</var></code></td>
     <td>optional</td>
     <td>latest date to include results from when <code><var>DATE</var></code> is "explicit"</td>
   </tr>
   <tr>
-    <td><code>limit_changes=LIMIT_CHANGES</code></td>
+    <td><code>limit_changes=<var>LIMIT_CHANGES</var></code></td>
     <td>optional</td>
     <td>maximum number of files to list per commit in query results. Default is value of <code>limit_changes</code> configuration option</td>
   </tr>
@@ -965,7 +965,7 @@ th.caption {
     <td>branch query string</td>
   </tr>
   <tr>
-    <td><code>branch_match=BRANCH_MATCH</code></td>
+    <td><code>branch_match=<var>BRANCH_MATCH</var></code></td>
     <td>optional</td>
     <td>"exact" "like" "glob" "regex" or "notregex" determining type of branch match</td>
   </tr>
@@ -980,7 +980,7 @@ th.caption {
     <td>file query string</td>
   </tr>
   <tr>
-    <td><code>file_match=FILE_MATCH</code></td>
+    <td><code>file_match=<var>FILE_MATCH</var></code></td>
     <td>optional</td>
     <td>"exact" "like" "glob" "regex" or "notregex" determining type of file match</td>
   </tr>
@@ -990,47 +990,47 @@ th.caption {
     <td>author query string</td>
   </tr>
   <tr>
-    <td><code>who_match=WHO_MATCH</code></td>
+    <td><code>who_match=<var>WHO_MATCH</var></code></td>
     <td>optional</td>
     <td>"exact" "like" "glob" "regex" or "notregex" determining type of author match</td>
   </tr>
   <tr>
-    <td><code>querysort=SORT</code></td>
+    <td><code>querysort=<var>SORT</var></code></td>
     <td>optional</td>
     <td>"date" "author" or "file" determining order of query results</td>
   </tr>
   <tr>
-    <td><code>date=DATE</code></td>
+    <td><code>date=<var>DATE</var></code></td>
     <td>optional</td>
     <td>"hours" "day" "week" "month" "all" or "explicit" to filter query results by date</td>
   </tr>
   <tr>
-    <td><code>hours=HOURS</code></td>
+    <td><code>hours=<var>HOURS</var></code></td>
     <td>optional</td>
     <td>number of hours back to include results from when <code><var>DATE</var></code> is "hours"</td>
   </tr>
   <tr>
-    <td><code>mindate=MINDATE</code></td>
+    <td><code>mindate=<var>MINDATE</var></code></td>
     <td>optional</td>
     <td>earliest date to include results from when <code><var>DATE</var></code> is "explicit"</td>
   </tr>
   <tr>
-    <td><code>maxdate=MAXDATE</code></td>
+    <td><code>maxdate=<var>MAXDATE</var></code></td>
     <td>optional</td>
     <td>latest date to include results from when <code><var>DATE</var></code> is "explicit"</td>
   </tr>
   <tr>
-    <td><code>format=FORMAT</code></td>
+    <td><code>format=<var>FORMAT</var></code></td>
     <td>optional</td>
     <td>"rss" or "backout" values to generate an rss feed or list of commands to back out changes instead showing a normal query result page</td>
   </tr>
   <tr>
-    <td><code>limit=LIMIT</code></td>
+    <td><code>limit=<var>LIMIT</var></code></td>
     <td>optional</td>
     <td>maximum number of file-revisions to process during a query. Default is value of <code>row_limit</code> configuration option</td>
   </tr>
   <tr>
-    <td><code>limit_changes=LIMIT_CHANGES</code></td>
+    <td><code>limit_changes=<var>LIMIT_CHANGES</var></code></td>
     <td>optional</td>
     <td>maximum number of files to list per commit in query results. Default is value of <code>limit_changes</code> configuration option</td>
   </tr>
@@ -1082,7 +1082,7 @@ th.caption {
     <td><a href="#revision-param"><code>revision</code> parameter</a></td>
   </tr>
   <tr>
-    <td><code>limit_changes=LIMIT_CHANGES</code></td>
+    <td><code>limit_changes=<var>LIMIT_CHANGES</var></code></td>
     <td>optional</td>
     <td>maximum number of files to list per commit. Default is value of <code>limit_changes</code> configuration option</td>
   </tr>

lib/blame.py

@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 # -*-python-*-
 #
-# Copyright (C) 1999-2008 The ViewCVS Group. All Rights Reserved.
+# Copyright (C) 1999-2010 The ViewCVS Group. All Rights Reserved.
 # Copyright (C) 2000 Curt Hagenlocher <curt@hagenlocher.org>
 #
 # By using this file, you agree to the terms and conditions set forth in
@@ -31,9 +31,8 @@ import os
 import re
 import time
 import math
-import cgi
 import vclib
-
+import sapi
 
 re_includes = re.compile('\\#(\\s*)include(\\s*)"(.*?)"')
 
@@ -81,7 +80,7 @@ class HTMLBlameSource:
     diff_url = None
     if item.prev_rev:
       diff_url = '%sr1=%s&amp;r2=%s' % (self.diff_url, item.prev_rev, item.rev)
-    thisline = link_includes(cgi.escape(item.text), self.repos,
+    thisline = link_includes(sapi.escape(item.text), self.repos,
                              self.path_parts, self.include_url)
     return _item(text=thisline, line_number=item.line_number,
                  rev=item.rev, prev_rev=item.prev_rev,

lib/idiff.py

@@ -1,6 +1,6 @@
 # -*-python-*-
 #
-# Copyright (C) 1999-2006 The ViewCVS Group. All Rights Reserved.
+# Copyright (C) 1999-2010 The ViewCVS Group. All Rights Reserved.
 #
 # By using this file, you agree to the terms and conditions set forth in
 # the LICENSE.html file which can be found at the top level of the ViewVC
@@ -20,7 +20,7 @@ import difflib
 import sys
 import re
 import ezt
-import cgi
+import sapi
 
 def sidebyside(fromlines, tolines, context):
   """Generate side by side diff"""
@@ -49,18 +49,18 @@ def _mdiff_split(flag, (line_number, text)):
   while True:
     m = _re_mdiff.search(text, pos)
     if not m:
-      segments.append(_item(text=cgi.escape(text[pos:]), type=None))
+      segments.append(_item(text=sapi.escape(text[pos:]), type=None))
       break
 
     if m.start() > pos:
-      segments.append(_item(text=cgi.escape(text[pos:m.start()]), type=None))
+      segments.append(_item(text=sapi.escape(text[pos:m.start()]), type=None))
 
     if m.group(1) == "+":
-      segments.append(_item(text=cgi.escape(m.group(2)), type="add"))
+      segments.append(_item(text=sapi.escape(m.group(2)), type="add"))
     elif m.group(1) == "-":
-      segments.append(_item(text=cgi.escape(m.group(2)), type="remove"))
+      segments.append(_item(text=sapi.escape(m.group(2)), type="remove"))
     elif m.group(1) == "^":
-      segments.append(_item(text=cgi.escape(m.group(2)), type="change"))
+      segments.append(_item(text=sapi.escape(m.group(2)), type="change"))
 
     pos = m.end()
 
@@ -166,12 +166,12 @@ def _differ_split(row, guide):
 
     for m in _re_differ.finditer(guide, pos):
       if m.start() > pos:
-        segments.append(_item(text=cgi.escape(line[pos:m.start()]), type=None))
-      segments.append(_item(text=cgi.escape(line[m.start():m.end()]),
+        segments.append(_item(text=sapi.escape(line[pos:m.start()]), type=None))
+      segments.append(_item(text=sapi.escape(line[m.start():m.end()]),
                             type="change"))
       pos = m.end()
 
-  segments.append(_item(text=cgi.escape(line[pos:]), type=None))
+  segments.append(_item(text=sapi.escape(line[pos:]), type=None))
 
   return _item(gap=ezt.boolean(gap), type=type, segments=segments,
                left_number=left_number, right_number=right_number)

lib/query.py

@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 # -*-python-*-
 #
-# Copyright (C) 1999-2008 The ViewCVS Group. All Rights Reserved.
+# Copyright (C) 1999-2010 The ViewCVS Group. All Rights Reserved.
 #
 # By using this file, you agree to the terms and conditions set forth in
 # the LICENSE.html file which can be found at the top level of the ViewVC
@@ -398,12 +398,11 @@ def main(server, cfg, viewvc_link):
       'cfg' : cfg,
       'address' : cfg.general.address,
       'vsn' : viewvc.__version__,
-
-      'repository' : server.escape(form_data.repository, 1),
-      'branch' : server.escape(form_data.branch, 1),
-      'directory' : server.escape(form_data.directory, 1),
-      'file' : server.escape(form_data.file, 1),
-      'who' : server.escape(form_data.who, 1),
+      'repository' : server.escape(form_data.repository),
+      'branch' : server.escape(form_data.branch),
+      'directory' : server.escape(form_data.directory),
+      'file' : server.escape(form_data.file),
+      'who' : server.escape(form_data.who),
       'docroot' : cfg.options.docroot is None \
                   and viewvc_link + '/' + viewvc.docroot_magic_path \
                   or cfg.options.docroot,

lib/sapi.py

@@ -1,6 +1,6 @@
 # -*-python-*-
 #
-# Copyright (C) 1999-2006 The ViewCVS Group. All Rights Reserved.
+# Copyright (C) 1999-2010 The ViewCVS Group. All Rights Reserved.
 #
 # By using this file, you agree to the terms and conditions set forth in
 # the LICENSE.html file which can be found at the top level of the ViewVC
@@ -20,6 +20,7 @@ import string
 import os
 import sys
 import re
+import cgi
 
 
 # global server object. It will be either a CgiServer or a proxy to
@@ -27,6 +28,18 @@ import re
 server = None
 
 
+# Simple HTML string escaping.  Note that we always escape the
+# double-quote character -- ViewVC shouldn't ever need to preserve
+# that character as-is, and sometimes needs to embed escaped values
+# into HTML attributes.
+def escape(s):
+  s = string.replace(s, '&', '&')
+  s = string.replace(s, '>', '>')
+  s = string.replace(s, '<', '&lt;')
+  s = string.replace(s, '"', "&quot;")
+  return s
+
+  
 class Server:
   def __init__(self):
     self.pageGlobals = {}
@@ -34,6 +47,9 @@ class Server:
   def self(self):
     return self
 
+  def escape(self, s):
+    return escape(s)
+    
   def close(self):
     pass
 
@@ -129,9 +145,6 @@ class CgiServer(Server):
     global server
     server = self
 
-    global cgi
-    import cgi
-
   def addheader(self, name, value):
     self.headers.append((name, value))
 
@@ -161,9 +174,6 @@ class CgiServer(Server):
     print 'This document is located <a href="%s">here</a>.' % url
     sys.exit(0)
 
-  def escape(self, s, quote = None):
-    return cgi.escape(s, quote)
-
   def getenv(self, name, value=None):
     ret = os.environ.get(name, value)
     if self.iis and name == 'PATH_INFO' and ret:
@@ -221,9 +231,6 @@ class AspServer(ThreadedServer):
     self.response.Redirect(url)
     sys.exit()
 
-  def escape(self, s, quote = None):
-    return self.server.HTMLEncode(str(s))
-
   def getenv(self, name, value = None):
     ret = self.request.ServerVariables(name)()
     if not type(ret) is types.UnicodeType:
@@ -285,9 +292,6 @@ class ModPythonServer(ThreadedServer):
     self.request = request
     self.headerSent = 0
     
-    global cgi
-    import cgi
-
   def addheader(self, name, value):
     self.request.headers_out.add(name, value)
 
@@ -311,9 +315,6 @@ class ModPythonServer(ThreadedServer):
       % (url, url))
     sys.exit()
 
-  def escape(self, s, quote = None):
-    return cgi.escape(s, quote)
-
   def getenv(self, name, value = None):
     try:
       return self.request.subprocess_env[name]

lib/vclib/svn_ra/__init__.py

@@ -20,6 +20,7 @@ import re
 import tempfile
 import popen2
 import time
+import urllib
 from vclib.svn import Revision, ChangedPath, _datestr_to_date, _compare_paths, _cleanup_path
 from svn import core, delta, client, wc, ra
 
@@ -234,7 +235,7 @@ def temp_checkout(svnrepos, path, rev, pool):
   """Check out file revision to temporary file"""
   temp = tempfile.mktemp()
   stream = core.svn_stream_from_aprfile(temp, pool)
-  url = svnrepos.rootpath + (path and '/' + path)
+  url = svnrepos._geturl(path)
   client.svn_client_cat(core.Stream(stream), url, _rev2optrev(rev),
                         svnrepos.ctx, pool)
   core.svn_stream_close(stream)
@@ -323,10 +324,10 @@ class SubversionRepository(vclib.Repository):
       raise vclib.ItemNotFound(path_parts)
 
   def openfile(self, path_parts, rev):
+    path = self._getpath(path_parts)
     rev = self._getrev(rev)
-    url = self.rootpath
-    if len(path_parts):
-      url = self.rootpath + '/' + self._getpath(path_parts)
+    url = self._geturl(path)
+    
     tmp_file = tempfile.mktemp()
     stream = core.svn_stream_from_aprfile(tmp_file, self.pool)
     ### rev here should be the last history revision of the URL
@@ -353,18 +354,15 @@ class SubversionRepository(vclib.Repository):
     get_logs(self, self._getpath(path_parts), self._getrev(rev), entries)
 
   def itemlog(self, path_parts, rev, options):
-    full_name = self._getpath(path_parts)
+    path = self._getpath(path_parts)
     rev = self._getrev(rev)
+    url = self._geturl(path)
 
     # It's okay if we're told to not show all logs on a file -- all
     # the revisions should match correctly anyway.
-    lc = LogCollector(full_name, options.get('svn_show_all_dir_logs', 0))
-    dir_url = self.rootpath
-    if full_name:
-      dir_url = dir_url + '/' + full_name
-
+    lc = LogCollector(path, options.get('svn_show_all_dir_logs', 0))
     cross_copies = options.get('svn_cross_copies', 0)
-    client.svn_client_log([dir_url], _rev2optrev(rev), _rev2optrev(1),
+    client.svn_client_log([url], _rev2optrev(rev), _rev2optrev(1),
                           1, not cross_copies, lc.add_log,
                           self.ctx, self.pool)
     revs = lc.logs
@@ -379,7 +377,7 @@ class SubversionRepository(vclib.Repository):
   def annotate(self, path_parts, rev):
     path = self._getpath(path_parts)
     rev = self._getrev(rev)
-    url = self.rootpath + (path and '/' + path)
+    url = self._geturl(path)
 
     blame_data = []
 
@@ -429,13 +427,17 @@ class SubversionRepository(vclib.Repository):
       raise vclib.InvalidRevision(rev)
     return rev
 
+  def _geturl(self, path=None):
+    if not path:
+      return self.rootpath
+    return self.rootpath + '/' + urllib.quote(path, "/*~")
+
   def _get_dirents(self, path, rev):
+    dir_url = self._geturl(path)
     if path:
       key = str(rev) + '/' + path
-      dir_url = self.rootpath + '/' + path
     else:
       key = str(rev)
-      dir_url = self.rootpath
     dirents = self._dirent_cache.get(key)
     if dirents:
       return dirents

lib/viewvc.py

@@ -1,6 +1,6 @@
 # -*-python-*-
 #
-# Copyright (C) 1999-2009 The ViewCVS Group. All Rights Reserved.
+# Copyright (C) 1999-2010 The ViewCVS Group. All Rights Reserved.
 #
 # By using this file, you agree to the terms and conditions set forth in
 # the LICENSE.html file which can be found at the top level of the ViewVC
@@ -14,7 +14,7 @@
 #
 # -----------------------------------------------------------------------
 
-__version__ = '1.0.8-dev'
+__version__ = '1.0.11'
 
 # this comes from our library; measure the startup time
 import debug
@@ -25,7 +25,6 @@ debug.t_start('imports')
 import sys
 import os
 import sapi
-import cgi
 import string
 import urllib
 import mimetypes
@@ -150,6 +149,9 @@ class Request:
 
     # Process the query params
     for name, values in self.server.params().items():
+      # we only care about the first value
+      value = values[0]
+      
       # patch up old queries that use 'cvsroot' to look like they used 'root'
       if name == 'cvsroot':
         name = 'root'
@@ -161,21 +163,12 @@ class Request:
         needs_redirect = 1
 
       # validate the parameter
-      _validate_param(name, values[0])
-
-      # Only allow the magic ViewVC MIME types (the ones used for
-      # requesting the markup as as-text views) to be declared via CGI
-      # params.  Ignore disallowed values.
-      if (name == 'content-type') and \
-         (not values[0] in (viewcvs_mime_type,
-                            alt_mime_type,
-                            'text/plain')):
-        continue
+      _validate_param(name, value)
       
       # if we're here, then the parameter is okay
-      self.query_dict[name] = values[0]
+      self.query_dict[name] = value
 
-    # handle view parameter
+    # Resolve the view parameter into a handler function.
     self.view_func = _views.get(self.query_dict.get('view', None), 
                                 self.view_func)
 
@@ -608,34 +601,48 @@ def _validate_param(name, value):
   this function throws an exception. Otherwise, it simply returns None.
   """
 
+  # First things first -- check that we have a legal parameter name.
   try:
     validator = _legal_params[name]
   except KeyError:
     raise debug.ViewVCException(
-      'An illegal parameter name ("%s") was passed.' % name,
+      'An illegal parameter name was provided.',
       '400 Bad Request')
 
+  # Is there a validator?  Is it a regex or a function?  Validate if
+  # we can, returning without incident on valid input.
   if validator is None:
     return
+  elif hasattr(validator, 'match'):
+    if validator.match(value):
+      return
+  else:
+    if validator(value):
+      return
 
-  # is the validator a regex?
-  if hasattr(validator, 'match'):
-    if not validator.match(value):
-      raise debug.ViewVCException(
-        'An illegal value ("%s") was passed as a parameter.' %
-        value, '400 Bad Request')
-    return
-
-  # the validator must be a function
-  validator(value)
+  # If we get here, the input value isn't valid.
+  raise debug.ViewVCException(
+    'An illegal value was provided for the "%s" parameter.' % (name),
+    '400 Bad Request')
 
 def _validate_regex(value):
-  # hmm. there isn't anything that we can do here.
-
   ### we need to watch the flow of these parameters through the system
   ### to ensure they don't hit the page unescaped. otherwise, these
   ### parameters could constitute a CSS attack.
-  pass
+  try:
+    re.compile(value)
+    return True
+  except:
+    return None
+
+def _validate_view(value):
+  # Return true iff VALUE is one of our allowed views.
+  return _views.has_key(value)
+
+def _validate_mimetype(value):
+  # For security purposes, we only allow mimetypes from a predefined set
+  # thereof.
+  return value in (viewcvs_mime_type, alt_mime_type, 'text/plain')
 
 # obvious things here. note that we don't need uppercase for alpha.
 _re_validate_alpha = re.compile('^[a-z]+$')
@@ -644,17 +651,13 @@ _re_validate_number = re.compile('^[0-9]+$')
 # when comparing two revs, we sometimes construct REV:SYMBOL, so ':' is needed
 _re_validate_revnum = re.compile('^[-_.a-zA-Z0-9:~\\[\\]/]*$')
 
-# it appears that RFC 2045 also says these chars are legal: !#$%&'*+^{|}~`
-# but woah... I'll just leave them out for now
-_re_validate_mimetype = re.compile('^[-_.a-zA-Z0-9/]+$')
-
 # date time values
 _re_validate_datetime = re.compile(r'^(\d\d\d\d-\d\d-\d\d(\s+\d\d:\d\d(:\d\d)?)?)?$')
 
 # the legal query parameters and their validation functions
 _legal_params = {
   'root'          : None,
-  'view'          : None,
+  'view'          : _validate_view,
   'search'        : _validate_regex,
   'p1'            : None,
   'p2'            : None,
@@ -680,7 +683,7 @@ _legal_params = {
   'tr2'           : _re_validate_revnum,
   'rev'           : _re_validate_revnum,
   'revision'      : _re_validate_revnum,
-  'content-type'  : _re_validate_mimetype,
+  'content-type'  : _validate_mimetype,
 
   # for query
   'branch'        : _validate_regex,
@@ -995,7 +998,7 @@ def get_file_view_info(request, where, rev=None, mime_type=None, pathrev=-1):
 _re_rewrite_url = re.compile('((http|https|ftp|file|svn|svn\+ssh)(://[-a-zA-Z0-9%.~:_/]+)((\?|\&)([-a-zA-Z0-9%.~:_]+)=([-a-zA-Z0-9%.~:_])+)*(#([-a-zA-Z0-9%.~:_]+)?)?)')
 _re_rewrite_email = re.compile('([-a-zA-Z0-9_.\+]+)@(([-a-zA-Z0-9]+\.)+[A-Za-z]{2,4})')
 def htmlify(html):
-  html = cgi.escape(html)
+  html = sapi.escape(html)
   html = re.sub(_re_rewrite_url, r'<a href="\1">\1</a>', html)
   html = re.sub(_re_rewrite_email, r'<a href="mailto:\1&#64;\2">\1&#64;\2</a>', html)
   return html
@@ -1006,7 +1009,7 @@ def format_log(log, cfg, htmlize=1):
   if htmlize:
     s = htmlify(log[:cfg.options.short_log_len])
   else:
-    s = cgi.escape(log[:cfg.options.short_log_len])
+    s = sapi.escape(log[:cfg.options.short_log_len])
   if len(log) > cfg.options.short_log_len:
     s = s + '...'
   return s
@@ -1330,7 +1333,7 @@ def markup_stream_python(fp, cfg):
 
   ### It doesn't escape stuff quite right, nor does it munge URLs and
   ### mailtos as well as we do.
-  html = cgi.escape(fp.read())
+  html = sapi.escape(fp.read())
   pp = py2html.PrettyPrint(PyFontify.fontify, "rawhtml", "color")
   pp.set_mode_rawhtml_color()
   html = pp.fontify(html)
@@ -1483,7 +1486,7 @@ def prepare_hidden_values(params):
   hidden_values = []
   for name, value in params.items():
     hidden_values.append('<input type="hidden" name="%s" value="%s" />' %
-                         (name, value))
+                         (sapi.escape(name), sapi.escape(value)))
   return string.join(hidden_values, '')
 
 def sort_file_data(file_data, roottype, sortdir, sortby, group_dirs):
@@ -3164,19 +3167,22 @@ def view_queryform(request):
   data['query_action'], data['query_hidden_values'] = \
     request.get_form(view_func=view_query, params={'limit_changes': None})
 
+  def escaped_query_dict_get(itemname, itemdefault=''):
+    return request.server.escape(request.query_dict.get(itemname, itemdefault))
+
   # default values ...
-  data['branch'] = request.query_dict.get('branch', '')
-  data['branch_match'] = request.query_dict.get('branch_match', 'exact')
-  data['dir'] = request.query_dict.get('dir', '')
-  data['file'] = request.query_dict.get('file', '')
-  data['file_match'] = request.query_dict.get('file_match', 'exact')
-  data['who'] = request.query_dict.get('who', '')
-  data['who_match'] = request.query_dict.get('who_match', 'exact')
-  data['querysort'] = request.query_dict.get('querysort', 'date')
-  data['date'] = request.query_dict.get('date', 'hours')
-  data['hours'] = request.query_dict.get('hours', '2')
-  data['mindate'] = request.query_dict.get('mindate', '')
-  data['maxdate'] = request.query_dict.get('maxdate', '')
+  data['branch'] = escaped_query_dict_get('branch', '')
+  data['branch_match'] = escaped_query_dict_get('branch_match', 'exact')
+  data['dir'] = escaped_query_dict_get('dir', '')
+  data['file'] = escaped_query_dict_get('file', '')
+  data['file_match'] = escaped_query_dict_get('file_match', 'exact')
+  data['who'] = escaped_query_dict_get('who', '')
+  data['who_match'] = escaped_query_dict_get('who_match', 'exact')
+  data['querysort'] = escaped_query_dict_get('querysort', 'date')
+  data['date'] = escaped_query_dict_get('date', 'hours')
+  data['hours'] = escaped_query_dict_get('hours', '2')
+  data['mindate'] = escaped_query_dict_get('mindate', '')
+  data['maxdate'] = escaped_query_dict_get('maxdate', '')
   data['limit_changes'] = int(request.query_dict.get('limit_changes',
                                            request.cfg.options.limit_changes))
 
@@ -3406,27 +3412,29 @@ def build_commit(request, files, max_files, dir_strip, format):
   return commit
 
 def query_backout(request, commits):
-  request.server.header('text/plain')
-  if commits:
-    print '# This page can be saved as a shell script and executed.'
-    print '# It should be run at the top of your work area.  It will update'
-    print '# your working copy to back out the changes selected by the'
-    print '# query.'
-    print
-  else:
-    print '# No changes were selected by the query.'
-    print '# There is nothing to back out.'
+  server_fp = get_writeready_server_file(request, 'text/plain')
+  if not commits:
+    server_fp.write("""\
+# No changes were selected by the query.
+# There is nothing to back out.
+""")
     return
+  server_fp.write("""\
+# This page can be saved as a shell script and executed.
+# It should be run at the top of your work area.  It will update
+# your working copy to back out the changes selected by the
+# query.
+""")
   for commit in commits:
     for fileinfo in commit.files:
       if request.roottype == 'cvs':
-        print 'cvs update -j %s -j %s %s/%s' \
-              % (fileinfo.rev, prev_rev(fileinfo.rev),
-                 fileinfo.dir, fileinfo.file)
+        server_fp.write('cvs update -j %s -j %s %s/%s\n'
+                        % (fileinfo.rev, prev_rev(fileinfo.rev),
+                           fileinfo.dir, fileinfo.file))
       elif request.roottype == 'svn':
-        print 'svn merge -r %s:%s %s/%s' \
-              % (fileinfo.rev, prev_rev(fileinfo.rev),
-                 fileinfo.dir, fileinfo.file)
+        server_fp.write('svn merge -r %s:%s %s/%s\n'
+                        % (fileinfo.rev, prev_rev(fileinfo.rev),
+                           fileinfo.dir, fileinfo.file))
 
 def view_query(request):
   if not is_query_supported(request):
@@ -3724,9 +3732,9 @@ def view_error(server, cfg):
   exc_dict = debug.GetExceptionData()
   status = exc_dict['status']
   if exc_dict['msg']:
-    exc_dict['msg'] = htmlify(exc_dict['msg'])
+    exc_dict['msg'] = server.escape(exc_dict['msg'])
   if exc_dict['stacktrace']:
-    exc_dict['stacktrace'] = htmlify(exc_dict['stacktrace'])
+    exc_dict['stacktrace'] = server.escape(exc_dict['stacktrace'])
   handled = 0
   
   # use the configured error template if possible

viewvc.org/.cvsignore

@@ -1,2 +0,0 @@
-*.tar.gz
-*.zip

viewvc.org/contact.html

@@ -1,68 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
-<html>
-<head>
-<title>ViewVC: Contact</title>
-<link rel="stylesheet" type="text/css" href="./styles.css"/>
-</head>
-
-<body>
-
-<div id="title">
-<a href="http://www.viewvc.org/"><img 
-   src="./images/title.jpg" alt="ViewVC: Repository Browsing"/></a>
-</div>
-
-<div id="menu">
-<p><a href="./index.html">Home</a> |
-   <a href="http://viewvc.tigris.org/">Project Page</a> |
-   <a href="./download.html">Download</a> |
-   <a href="./upgrading.html">Upgrading</a> |
-   <a href="./contributing.html">Contributing</a> |
-   <a href="http://viewvc.tigris.org/nonav/source/browse/*checkout*/viewvc/trunk/LICENSE.html">License</a> |
-   <a href="./contact.html">Contact</a> |
-   <a href="./who.html">About</a>
-</p>
-</div>
-
-<table id="pagetable">
-<tr>
-<td id="pagecolumn1">
-
-<h4>On this page:</h4>
-
-<ul id="bookmarks">
-  <li><a href="#sec-contacting-us">Contacting Us</a></li>
-</ul>
-
-<hr/>
-
-<address><a href="mailto:&#117&#115&#101&#114&#115&#64&#118&#105&#101&#119&#118&#99&#46&#116&#105&#103&#114&#105&#115&#46&#111&#114&#103">ViewVC Users Group</a></address>
-
-</td>
-<td id="pagecolumn2">
-
-<div class="section">
-
-<h2 id="sec-contacting-us">Contacting Us</h2>
-
-<p>Please send any comments, questions, or suggestions to the <a
-   href="mailto:&#117&#115&#101&#114&#115&#64&#118&#105&#101&#119&#118&#99&#46&#116&#105&#103&#114&#105&#115&#46&#111&#114&#103">ViewVC users mailing
-   list</a>.  There is also a <a
-   href="mailto:&#100&#101&#118&#64&#118&#105&#101&#119&#118&#99&#46&#116&#105&#103&#114&#105&#115&#46&#111&#114&#103">mailing list specifically for
-   ViewVC developers</a>.  You can subscribe to these lists, as well
-   view the list archives, (and other
-   project lists) <a
-   href="http://viewvc.tigris.org/servlets/ProjectMailingListList"
-   >here</a>.</p>
-
-<p>ViewVC is an <a href="http://www.opensource.org/">Open
-   Source</a> project, and all <a href="./contributing.html">contributions</a> 
-   are welcome.</p>
-
-</div>
-
-</td>
-</tr>
-</table>
-</body>
-</html>

viewvc.org/contributing.html

@@ -1,276 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
-<html>
-<head>
-<title>ViewVC: Contributing</title>
-<link rel="stylesheet" type="text/css" href="./styles.css"/>
-</head>
-
-<body>
-
-<div id="title">
-<a href="http://www.viewvc.org/"><img 
-   src="./images/title.jpg" alt="ViewVC: Repository Browsing"/></a>
-</div>
-
-<div id="menu">
-<p><a href="./index.html">Home</a> |
-   <a href="http://viewvc.tigris.org/">Project Page</a> |
-   <a href="./download.html">Download</a> |
-   <a href="./upgrading.html">Upgrading</a> |
-   <a href="./contributing.html">Contributing</a> |
-   <a href="http://viewvc.tigris.org/nonav/source/browse/*checkout*/viewvc/trunk/LICENSE.html">License</a> |
-   <a href="./contact.html">Contact</a> |
-   <a href="./who.html">About</a>
-</p>
-</div>
-
-<table id="pagetable">
-<tr>
-<td id="pagecolumn1">
-
-<h4>On this page:</h4>
-
-<ul id="bookmarks">
-  <li><a href="#sec-getting-started">Getting Started</a></li>
-  <li><a href="#sec-testing">Testing and Reporting</a></li>
-  <li><a href="#sec-coding-style">Coding Style</a></li>
-  <li><a href="#sec-patches">Submitting Patches</a></li>
-  <li><a href="#sec-security">Security</a></li>
-  <li><a href="#sec-adding-features">Adding Features</a></li>
-  <li><a href="#sec-templates">Hacking on Templates</a></li>
-  <li><a href="#sec-releasing">Release Management</a></li>
-</ul>
-
-<hr/>
-
-<address><a href="mailto:&#117&#115&#101&#114&#115&#64&#118&#105&#101&#119&#118&#99&#46&#116&#105&#103&#114&#105&#115&#46&#111&#114&#103">ViewVC Users Group</a></address>
-
-</td>
-<td id="pagecolumn2">
-
-<div class="section">
-
-<h2 id="sec-getting-started">Getting Started</h2>
-
-<p>Some basic knowledge about <a
-   href="http://www.python.org">Python</a> and development tools like
-   <code>diff</code> is required.  Your best bet is to start with a
-   fresh source code snapshot, which you may obtain from our
-   Subversion repository (see instructions <a
-   href="./download.html#sec-subversion">here</a>).</p>
-
-<p>Version control history can be obtained using Subversion clients,
-   but is also browsable using <a
-   href="http://viewvc.tigris.org/source/browse/viewvc/trunk/"
-   >tigris.org's integrated ViewVC tool</a>.</p>
-
-</div>
-<div class="section">
-
-<h2 id="sec-testing">Testing and Reporting</h2>
-
-<p>Testing usability and the installation process on different
-   platforms is also a valuable contribution.  Please report your
-   results back to us developers.  Bandwidth is getting cheaper daily,
-   so don't be afraid &mdash; in fact, feel encouraged &mdash; to dump
-   as much detail about the problems you are seeing as possible into
-   your bug reports.  Here are some things you definitely should
-   try to include:</p>
-
-<ul>
-
-  <li>What version of ViewVC you are using (if you are using a source
-      snapshot, tell us the date of that snapshot).</li>
-
-  <li>What operating system your ViewVC is running on.</li>
-
-  <li>What version of Python you are using.</li>
-
-  <li>Whether you are running ViewVC standalone, or as a CGI program
-      under a web server (and if so, what web server).</li>
-
-  <li>The URL of your ViewVC instantiation, if it is public.
-      Sometimes, letting developers see the problem for themselves can
-      save everyone alot of time.</li>
-
-</ul>
-
-</div>
-<div class="section">
-      
-<h2 id="sec-coding-style">Coding Style</h2>
-
-<p>Unlike its predecessor, CvsWeb, ViewVC is written in Python, so it
-   doesn't suffer from the "unmaintainable code effect" that hits most
-   Perl projects sooner or later:</p>
-
-<blockquote><em>&quot;[Perl] combines all the worst aspects of C and Lisp: a
-   billion different sublanguages in one monolithic executable.  It
-   combines the power of C with the readability of PostScript.&quot;</em>
-   &mdash;&nbsp;Jamie&nbsp;Zawinski
-</blockquote>
-
-<p>Of course, a symphony of insanity can be composed in any language,
-   so we do try to stick to some basic guiding principles.  Maintain
-   whatever style is present in the code being modified.  New code can
-   use anything sane (which generally means <a
-   href="http://python.sourceforge.net/peps/pep-0008.html">PEP&nbsp;8</a>).
-   Our only real peeve is if someone writes a function call as:
-   <code>some_func&nbsp;(args)</code> &mdash; that space between the
-   function name and opening parenthesis is Huge Badness.  Oh, and we
-   do <strong>not</strong> use Subversion keywords (such as
-   <code>$</code><code>Id$</code>) within the source.</p>
-
-<p>Otherwise&hellip; <em>shrug</em>.</p>
-
-</div>
-<div class="section">
-
-<h2 id="sec-patches">Submitting Patches</h2>
-
-<p>Nothing speaks more loudly when bugs or features are the topic than
-   a patch.  And quite frankly, sometimes if you want something done,
-   you gotta do it yourself.  So, patches are always welcome.  If you
-   aren't sure what exactly a &quot;patch&quot; is, or don't know how
-   to generate one, but you've got code contributions to make, please
-   don't hesitate to ask questions on the mailing lists.  Patch
-   generation and application are pretty easy thing to get the hang of,
-   and drastically simplify code submission and review.</p>
-
-<p>Please use the <a
-   href="http://viewvc.tigris.org/servlets/ProjectIssues">Issue
-   Tracker</a> to submit your patches.  Unified contextual diffs
-   against the latest development snapshot are preferred.</p>
-
-<p>If you have commit access, then you should know what you're doing.
-   Just make changes directly.  Subscribing to the <a
-   href="http://viewvc.tigris.org/servlets/ProjectMailingListList"
-   ><tt>dev@</tt> developer mailing list</a> is recommended in any
-   case.</p>
-
-</div>
-<div class="section">
-
-<h2 id="sec-security">Security</h2>
-
-<p>Since ViewVC is used on the Internet, security is a major concern.
-   If you need to pass data from the request into an external program,
-   please don't use <code>os.system()</code> or
-   <code>os.popen()</code>.  Please use the module
-   <code>lib/popen.py</code> that is included in the ViewVC
-   distribution instead.</p>
-
-</div>
-<div class="section">
-
-<h2 id="sec-adding-features">Adding Features</h2>
-
-<p>If you need a new configuration option think carefully, into which
-   section it belongs.  Try to keep the content of
-   <code>cgi/viewvc.conf.dist</code> file and the library module
-   <code>lib/config.py</code> in sync.</p>
-
-<p>Because ViewVC is a Web-based application, people will have ViewVC
-   URLs hyperlinked from other sites, embedded in emails, bookmarked
-   in their browsers, etc.  It is very important to ensure that those
-   URLs continue to retrieve the information they were intended to
-   retrieve even if ViewVC is upgraded on the hosting server.  In
-   other words, as new features require modifications to the <a
-   href="./url-reference.html">ViewVC URL schema</a>, make sure those
-   modifications preserve the existing functionality of all ViewVC
-   URLs.</p>
-
-<p>The library subdirectory contains a module <code>debug.py</code>,
-   which you may find useful for performance testing.</p>
-
-<p>If a new file or module is added, a new line in the installer
-   program <code>viewvc-install</code> is required.</p>
-
-</div>
-<div class="section">
-
-<h2 id="sec-templates">Hacking on Templates</h2>
-
-<p>The library module <code>ezt.py</code> contains a module docstring
-   which describes the directives used in the HTML templates used by
-   ViewVC.  The templates themselves can be found in the
-   <code>templates</code> subdirectory.  We're currently developing a
-   how-to guide for <a href="./template-authoring-guide.html">ViewVC
-   template customization</a>.</p>
-
-</div>
-<div class="section">
-
-<h2 id="sec-releasing">Release Management</h2>
-
-<p>There is a script, <code>tools/make-release</code>, which creates a
-   release directory and the various archive files that we distribute.
-   All other steps required to get a ViewVC release out of the door
-   require manual execution (currently by C. Michael Pilato).  Those
-   steps are as follows:</p>
-
-<ol>
-
-  <li>Add a new subsection to the file
-      <code>website/upgrading.html</code> describing all user visible
-      changes for users of previous releases of ViewVC.</li>
-
-   <li>Update the <code>CHANGES</code> file</li>
-
-   <li>Update the <code>website/index.html</code> file to refer to the
-       new X.Y files. (there are three links to update)</li>
-
-   <li>Edit the file <code>lib/viewvc.py</code> and remove the
-       <tt>"-dev"</tt> suffix from <code>__version__</code>.  The
-       remainder should be of the form X.Y.Z, where X, Y, and Z are
-       positive integers.</li>
-
-   <li>Ensure all of the above changes have been committed.</li>
-
-   <li>Test, Test, Test!  At the time of this writing (1.0-dev) there
-       is no automatic testsuite available.  So just run with
-       permuting different <code>viewvc.conf</code> settings&hellip;
-       and pray.</li>
-
-   <li>Review any open <a
-       href="http://viewvc.tigris.org/servlets/ProjectIssues">bug
-       reports.</a></li>
-
-   <li>Use <code>svn cp</code> to tag the release to
-       <code>/tags/<i>X</i>.<i>Y</i>.<i>Z</i></code>, where
-       <i>X</i>, <i>Y</i>, and <i>Z</i> should be replaced by the
-       release number from above.  If a developer is willing to
-       volunteer as a bug fix patch release manager, it is now
-       possible to start here at this point with a feature-frozen
-       branch using <code>svn cp</code> to copy the tag to
-       <code>/branches/<i>X</i>.<i>Y</i>.x</code>.</li>
-
-   <li>Go into an empty directory and run <code>tools/make-release
-       viewvc-<i>X.Y.Z</i> <i>X.Y.Z</i></code>.  This step requires
-       read access to the Subversion source code repository.</li>
-
-   <li>Upload the created archive files (tar.gz and zip) into the
-       Files and Documents section of the Tigris.org project.</li>
-
-   <li>Edit the file <code>lib/viewvc.py</code> again and this time
-       increment the <code>__version__</code> for the next release
-       cycle, again append the <code>-dev</code> to the version and
-       again <code>svn commit -m "Begin a new release cycle."
-       lib/viewvc.py</code>.</li>
-
-   <li>Write an announcement explaining all the cool new features and
-       post it <a
-       href="mailto:&#97&#110&#110&#111&#117&#110&#99&#101&#64&#118&#105&#101&#119&#118&#99&#46&#116&#105&#103&#114&#105&#115&#46&#111&#114&#103">&#97&#110&#110&#111&#117&#110&#99&#101&#64&#118&#105&#101&#119&#118&#99&#46&#116&#105&#103&#114&#105&#115&#46&#111&#114&#103</a>,
-       to the project's News area, and to other places interested in
-       this sort of stuff (such as <a
-       href="http://www.freshmeat.net">Freshmeat</a>).</p>
-
-</ol>
-
-</div>
-
-</td>
-</tr>
-</table>
-</body>
-</html>

viewvc.org/download.html

@@ -1,79 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
-<html>
-<head>
-<title>ViewVC: Download</title>
-<link rel="stylesheet" type="text/css" href="./styles.css"/>
-</head>
-
-<body>
-
-<div id="title">
-<a href="http://www.viewvc.org/"><img 
-   src="./images/title.jpg" alt="ViewVC: Repository Browsing"/></a>
-</div>
-
-<div id="menu">
-<p><a href="./index.html">Home</a> |
-   <a href="http://viewvc.tigris.org/">Project Page</a> |
-   <a href="./download.html">Download</a> |
-   <a href="./upgrading.html">Upgrading</a> |
-   <a href="./contributing.html">Contributing</a> |
-   <a href="http://viewvc.tigris.org/nonav/source/browse/*checkout*/viewvc/trunk/LICENSE.html">License</a> |
-   <a href="./contact.html">Contact</a> |
-   <a href="./who.html">About</a>
-</p>
-</div>
-
-<table id="pagetable">
-<tr>
-<td id="pagecolumn1">
-
-<h4>On this page:</h4>
-
-<ul id="bookmarks">
-  <li><a href="#sec-download">Downloading</a></li>
-  <li><a href="#sec-subversion">Subversion</a></li>
-</ul>
-
-<hr/>
-
-<address><a href="mailto:&#117&#115&#101&#114&#115&#64&#118&#105&#101&#119&#118&#99&#46&#116&#105&#103&#114&#105&#115&#46&#111&#114&#103">ViewVC Users Group</a></address>
-
-</td>
-<td id="pagecolumn2">
-
-<div class="section">
-
-<h2 id="sec-download">Downloading</h2>
-
-<p>You can download the ViewVC (and the older ViewCVS releases, too)
-   from our <a
-   href="http://viewvc.tigris.org/servlets/ProjectDocumentList?folderID=6004"
-   >File and Documents</a> area.  For information about what has
-   changed in each release, see the <a
-   href="http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD"
-   >CHANGES</a> file.</p>
-
-<p>We are also making <a href="./nightly/">nightly snapshots</a>
-   available in tar.gz and zip formats.</p>
-
-</div>
-<div class="section">
-
-<h2 id="sec-subversion">Subversion</h2>
-
-<p>The source code for ViewVC is maintained in a Subversion repository
-   at Tigris.org.  You can checkout the trunk of our development tree
-   from <a href="http://viewvc.tigris.org/svn/viewvc/trunk/"
-   ><tt>http://viewvc.tigris.org/svn/viewvc/trunk/</tt></a>.  You'll
-   need to provide your Tigris.org username and password when so
-   prompted, or, if you don't have a Tigris.org account, use "guest"
-   as both the username and password.</p>
-  
-</div>
-
-</td>
-</tr>
-</table>
-</body>
-</html>

viewvc.org/index.html

@@ -1,192 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
-<html>
-<head>
-<title>ViewVC: Repository Browsing</title>
-<link rel="stylesheet" type="text/css" href="./styles.css"/>
-</head>
-
-<body>
-
-<div id="title">
-<a href="http://www.viewvc.org/"><img 
-   src="./images/title.jpg" alt="ViewVC: Repository Browsing"/></a>
-</div>
-
-<div id="menu">
-<p><a href="./index.html">Home</a> |
-   <a href="http://viewvc.tigris.org/">Project Page</a> |
-   <a href="./download.html">Download</a> |
-   <a href="./upgrading.html">Upgrading</a> |
-   <a href="./contributing.html">Contributing</a> |
-   <a href="http://viewvc.tigris.org/nonav/source/browse/*checkout*/viewvc/trunk/LICENSE.html">License</a> |
-   <a href="./contact.html">Contact</a> |
-   <a href="./who.html">About</a>
-</p>
-</div>
-
-<table id="pagetable">
-<tr>
-<td id="pagecolumn1">
-
-<h4>On this page:</h4>
-
-<ul id="bookmarks">
-  <li><a href="#sec-what-is-viewvc">What Is ViewVC?</a></li>
-  <li><a href="#sec-requirements">Requirements</a></li>
-  <li><a href="#sec-future">Future Plans</a></li>
-</ul>
-
-<hr/>
-
-<address><a href="mailto:&#117&#115&#101&#114&#115&#64&#118&#105&#101&#119&#118&#99&#46&#116&#105&#103&#114&#105&#115&#46&#111&#114&#103">ViewVC Users Group</a></address>
-
-</td>
-<td id="pagecolumn2">
-
-<div class="section">
-
-<h2 id="sec-what-is-viewvc">What Is ViewVC?</h2>
-
-<p>ViewVC is a browser interface for CVS and Subversion version
-   control repositories.  It generates templatized HTML to present
-   navigable directory, revision, and change log listings.  It can
-   display specific versions of files as well as diffs between those
-   versions.  Basically, ViewVC provides the bulk of the report-like
-   functionality you expect out of your version control tool, but much
-   more prettily than the average textual command-line program
-   output.</p>
-
-<p>Here are some of the additional features of ViewVC:</p>
-
-<ul>
-
-  <li>Support for filesystem-accessible CVS and Subversion repositories.</li>
-
-  <li>Individually configurable virtual host support.</li>
-
-  <li>Line-based annotation/blame display.</li>
-
-  <li>Revision graph capabilities (via integration with <a
-      href="http://www.akhphd.au.dk/~bertho/cvsgraph/">CvsGraph</a>)
-      (<em>CVS only</em>).</li>
-
-  <li>Syntax highlighting support (via integration with <a
-      href="http://www.codento.com/people/mtr/genscript/">GNU
-      enscript</a> or
-      <a href="http://www.andre-simon.de/">Highlight</a>).</li>
-
-  <li><a href="http://www.mozilla.org/projects/bonsai/">Bonsai</a>-like
-      repository query facilities.</li>
-
-  <li>Template-driven output generation.</li>
-
-  <li>Colorized, side-by-side differences.</li>
-
-  <li>Tarball generation (by tag/branch for CVS, by revision for
-      Subversion).</li>
-
-  <li>I18N support based on the Accept-Language request header.</li>
-
-  <li>Ability to run either as CGI script or as a standalone
-      server.</li>
-  
-  <li>Regexp-based file searching.</li>
-
-  <li>INI-like configuration file (as opposed to requiring actual code
-      tweaks).</li>
-
-</ul>
-
-<p>For a complete list of changes present in each release, see
-   ViewVC's <a
-   href="http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD"
-   >CHANGES</a> file.</p>
-
-</div>
-<div class="section">
-
-<h2 id="sec-requirements">Requirements</h2>
-
-<p>The only hard software requirement for running ViewVC is <a
-   href="http://www.python.org/">Python 1.5.2</a> or later.  All other
-   requirements depend on what you want to do with the tool.</p>
-
-<p>If you plan to use ViewVC with CVS repositories, you need the
-   following things:</p>
-
-<ul>
-
-  <li><a href="http://www.cs.purdue.edu/homes/trinkle/RCS/">RCS</a>
-      (Revision Control System)</li>
-
-  <li><a href="http://www.gnu.org/software/diffutils/diffutils.html">GNU 
-      diff</a></li>
- 
-  <li>Read-only, physical access to a CVS repository.</li>
-
-</ul>
-
-<p>For use with Subversion repositories, you need these things:</p>
-
-<ul>
-
-  <li><a href="http://subversion.tigris.org/">Subversion</a> 1.2 or
-      later and its SWIG Python bindings.</li>
-
-  <li><a href="http://www.gnu.org/software/diffutils/diffutils.html">GNU 
-      diff</a></li>
-
-  <li>Physical access to a Subversion repository (though there is
-      limited, use-at-your-risk support for remote access, too).</li>
-
-</ul>
-
-<p>ViewVC integrates with additional pieces of software to provide
-   certain bits of optional functionality:</p>
-
-<ul>
-
-  <li><a href="http://www.mysql.com/">MySQL</a> &mdash; Needed to use
-      the commit database query functionality.</li>
-
-  <li><a href="http://www.codento.com/people/mtr/genscript/">GNU
-      enscript</a> &mdash; Needed for syntax highlighting in versioned
-      file contents displays</li>
-
-  <li><a href="http://www.akhphd.au.dk/~bertho/cvsgraph/">CvsGraph</a>
-      &mdash; Needed for version graph displays.</li>
-
-  <li><a href="http://httpd.apache.org/">Apache HTTP Server</a>, or
-      another server capable of running CGI programs &mdash; unless
-      you just want ViewVC to run in standalone server mode.</li>
-
-</ul>
-
-</div>
-<div class="section">
-
-<h2 id="sec-future">Future Plans</h2>
-
-<p>ViewVC is an Open Source project.  So any future development
-   depends on the <a href="./contributing.html">contributions</a> that
-   will be made by its user community.  Certainly working patches have
-   a greater chance to become realized quickly than feature requests,
-   but please don't hesitate to submit your suggestions to our <a
-   href="http://viewvc.tigris.org/servlets/ProjectIssues">issue
-   tracker</a>.</p>
-
-<p>Some things we're thinking about include:</p>
-
-<ul>
-  <li>UI streamlining/simplification.</li>
-  <li>Integration with CVS and Subversion commit mail scripts.</li>
-  <li>Integration with an indexer such as LXR.</li>
-</ul>
-
-</div>
-
-</td>
-</tr>
-</table>
-</body>
-</html>

viewvc.org/nightly/build-viewvc-snapshot

@@ -1,95 +0,0 @@
-#!/bin/sh
-
-DATE=`date +"%Y%m%d"`
-EXPORTDIR="viewvc-${DATE}"
-PUBLISH_DIR=/www/viewvc/nightly
-
-# export HEAD of trunk
-svn export --quiet http://viewvc.tigris.org/svn/viewvc/trunk ${EXPORTDIR} --username guest --password ""
-
-# use Python to determine the version number, reading it from 
-# viewvc.__version__
-cd $EXPORTDIR/lib
-VERSION=`python -c "import viewvc; print viewvc.__version__"`
-TARGET=viewvc-${VERSION}-${DATE}
-
-# make a release
-cd ../tools
-./make-release ${TARGET}
-
-# remove results of last build
-rm -rf ${PUBLISH_DIR}/viewvc*.tar.gz ${PUBLISH_DIR}/viewvc*.zip ${PUBLISH_DIR}/index.html
-
-# publish new build
-mv ${TARGET}.* ${PUBLISH_DIR}
-cd ../..
-
-cat > ${PUBLISH_DIR}/index.html <<EOF
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
-                      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html>
-<head>
-<title>ViewVC: Nightly Snapshots</title>
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
-<link rel="stylesheet" type="text/css" href="../styles.css"/>
-</head>
-
-<body>
-
-<div id="title">
-<a href="http://www.viewvc.org/"><img 
-   src="../images/title.jpg" alt="ViewVC: Repository Browsing"/></a>
-</div>
-
-<div id="menu">
-<p><a href="../index.html">Home</a> |
-   <a href="http://viewvc.tigris.org/">Project Page</a> |
-   <a href="../download.html">Download</a> |
-   <a href="../contributing.html">Contributing</a> |
-   <a href="http://viewvc.tigris.org/nonav/source/browse/*checkout*/viewvc/trunk/LICENSE.html">License</a> |
-   <a href="../contact.html">Contact</a> |
-   <a href="../who.html">About</a>
-</p>
-</div>
-
-<table id="pagetable">
-<tr>
-<td id="pagecolumn1">
-
-<h4>On this page:</h4>
-
-<ul id="bookmarks">
-  <li><a href="#sec-snapshots">Snapshots</a></li>
-</ul>
-
-<p><a href="http://validator.w3.org/check?uri=referer"><img
-       src="http://www.w3.org/Icons/valid-xhtml10"
-       alt="Valid XHTML 1.0 Strict" height="31" width="88" /></a>
-</p>
-
-</td>
-<td id="pagecolumn2">
-
-<div class="section">
-
-<h2 id="sec-snapshots">Snapshots</h2>
-
-<ul>
-EOF
-
-echo "<li><a href=\"${TARGET}.tar.gz\">${TARGET}.tar.gz</a></li>" >> ${PUBLISH_DIR}/index.html
-echo "<li><a href=\"${TARGET}.zip\">${TARGET}.zip</a></li>" >> ${PUBLISH_DIR}/index.html
-
-cat >> ${PUBLISH_DIR}/index.html <<EOF
-</ul>
-</div>
-
-</td>
-</tr>
-</table>
-</body>
-</html>
-EOF
-
-# more cleanup
-rm -rf ${EXPORTDIR}

viewvc.org/styles.css

@@ -1,151 +0,0 @@
-body {
-    background-color: rgb(180,193,205);
-    background-image: url('./images/bg-grad.jpg');
-    background-repeat: repeat-x;
-    color: black;
-    font-family: arial, sans-serif;
-    font-size: 90%;
-    margin: 0;
-}
-
-#title {
-    background-color: rgb(100,128,150);
-    height: 60px;
-}
-
-img {
-    border: none;
-}
-
-hr {
-    width: 95%;
-    height: 1px;
-}
-
-address {
-    text-align: center;
-    font-size: 60%;
-    font-style: normal;
-}
-
-h2 {
-    background-color: rgb(204,213,221);
-    padding: 2px 0.5em 2px 0.5em;
-    margin: 0;
-    border-bottom: dotted 1px rgb(180,193,205);
-    font-size: 110%;
-}
-
-h3 {
-    padding: 2px 0.5em 2px 0.5em;
-    margin: 0;
-    font-size: 100%;
-    font-weight: bold;
-}
-
-h4 {
-    padding: 2px 0.5em 2px 0.5em;
-    margin: 0;
-    font-size: 90%;
-    font-weight: bold;
-}
-
-p, dl, ul, ol {
-    padding: 0.5em;
-    margin: 0;
-    font-size: 90%;
-}
-
-ul, ol {
-    padding: 0.5em;
-    margin: 0 0 0 0.25in;
-}
-
-li {
-    font-size: 90%;
-}
-
-code {
-    font-size: 105%;
-    font-style: italic;
-    font-family: monospace;
-}
-
-blockquote {
-    padding: 0.5em;
-    margin: 0 0.25in 0 0.25in;
-    font-size: 80%;
-}
-
-.section {
-    background: white;
-    border-color: rgb(24,24,24);
-    border-width: 1px 2px 2px 1px;
-    border-style: solid;
-    padding: 0;
-    margin-bottom: 0.5em;
-}
-
-#menu {
-    background: black;
-    color: white;
-}
-
-#menu a, #menu a:visited {
-    background: black;
-    color: white;
-    text-decoration: none;
-}
-
-#menu a:hover {
-    background: black;
-    color: white;
-    text-decoration: underline;
-}
-
-#submenu {
-    background: rgb(90%,97%,99%);
-    font-size: 80%;
-}
-
-#pagetable tr {
-    vertical-align: top;
-}
-
-#pagetable {
-    width: 100%;
-}
-
-#pagecolumn1 {
-    width: 175px;
-    padding: 0;
-}
-
-#pagecolumn1 a, #pagecolumn1 a:visited {
-    color: rgb(0,0,164);
-    text-decoration: none;
-}
-
-#pagecolumn1 a:hover {
-    text-decoration: underline;
-}
-
-#pagecolumn2 {
-    padding: 0;
-}
-
-#pagecolumn2 a, #pagecolumn2 a:visited {
-    color: rgb(0,0,164);
-    text-decoration: underline;
-}
-
-#pagecolumn2 a:hover {
-    background-color: rgb(180,193,205);
-    text-decoration: underline;
-}
-
-#bookmarks {
-    padding-left: 0.25in;
-    font-size: 80%;
-    white-space: nowrap;
-}

viewvc.org/who.html

@@ -1,159 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
-<html>
-<head>
-<title>ViewVC: About</title>
-<link rel="stylesheet" type="text/css" href="./styles.css"/>
-</head>
-
-<body>
-
-<div id="title">
-<a href="http://www.viewvc.org/"><img 
-   src="./images/title.jpg" alt="ViewVC: Repository Browsing"/></a>
-</div>
-
-<div id="menu">
-<p><a href="./index.html">Home</a> |
-   <a href="http://viewvc.tigris.org/">Project Page</a> |
-   <a href="./download.html">Download</a> |
-   <a href="./upgrading.html">Upgrading</a> |
-   <a href="./contributing.html">Contributing</a> |
-   <a href="http://viewvc.tigris.org/nonav/source/browse/*checkout*/viewvc/trunk/LICENSE.html">License</a> |
-   <a href="./contact.html">Contact</a> |
-   <a href="./who.html">About</a>
-</p>
-</div>
-
-<table id="pagetable">
-<tr>
-<td id="pagecolumn1">
-
-<h4>On this page:</h4>
-
-<ul id="bookmarks">
-  <li><a href="#sec-history">The History of ViewVC</a></li>
-  <li><a href="#sec-viewcvs-group">The ViewCVS Group</a></li>
-  <li><a href="#sec-site-credits">About This Site</a></li>
-</ul>
-
-<hr/>
-
-<address><a href="mailto:&#117&#115&#101&#114&#115&#64&#118&#105&#101&#119&#118&#99&#46&#116&#105&#103&#114&#105&#115&#46&#111&#114&#103">ViewVC Users Group</a></address>
-
-</td>
-<td id="pagecolumn2">
-
-<div class="section">
-<h2 id="sec-history">The History of ViewVC</h2>
-
-<p>The ViewVC software was inspired by <a
-   href="http://people.freebsd.org/~fenner/cvsweb/">cvsweb</a>
-   (originally written by Bill Fenner and then further developed by <a
-   href="mailto:zeller@think.de">Henner Zeller</a>).  Greg Stein
-   wanted to make some changes and updates, but cvsweb was implemented
-   in Perl.  He wrote:</p>
-
-<blockquote style="font-style: italic;">&quot;While I can manage some
-   Perl, cvsweb was rather unmaintainable for me. So I undertook the
-   task to convert the software to Python. As a result, I've actually
-   been able to go <em>way</em> beyond the simple changes that I had
-   envisioned.&quot;</blockquote>
-
-<p>So ViewVC started out as just a port of the cvsweb script,
-   originally called ViewCVS.  Along the way, it has had numerous
-   cleanups and other modifications, a process simplified by the
-   elegance of the <a href="http://www.python.org/">Python</a>
-   language.</p>
-
-<p>In 2001, the ViewCVS project was moved to <a
-   href="http://www.sourceforge.net">SourceForge</a>, a popular
-   software collaboration environment.  There the project continued to
-   mature, releasing several stable-yet-pre-1.0 versions.  In 2002,
-   C. Michael Pilato began implementing support for Subversion in
-   ViewCVS, building atop the beginnings of a version control
-   abstraction layer begun by Lucas Bruand.  Along the way, Russell
-   Yanofsky delivered large improvements to that abstraction, and to
-   ViewCVS as whole.  ViewCVS was well on its way to releasing a 1.0
-   version.</p>
-
-<p>Of course, now that ViewCVS could browse Subversion repositories as
-   easily as CVS ones, the ViewCVS name seemed inappropriate.  Also,
-   SourceForge's lack of support for Subversion (which was already
-   well past its 1.0 release, and becoming hugely popular) in its
-   project version control offerings was annoying ViewCVS primary
-   developers.  So in late 2005, the decision was made to rename the
-   project to ViewVC, to convert the project's CVS data to Subversion,
-   and to move the project and its Subversion data to <a
-   href="http://www.tigris.org">Tigris.org</a>.</p>
-
-<p>Today, ViewVC is being developed at <a
-   href="http://viewvc.tigris.org">http://viewvc.tigris.org</a> by a
-   small community of folks</a>.</p>
-
-</div>
-<div class="section">
-<h2 id="sec-viewcvs-group">The ViewCVS Group</h2>
-
-<p>The ViewCVS Group is an informal group of people working on and
-   developing the ViewVC package. The current set of members are
-   listed below with some of their notable contributions:</p>
-
-<dl>
-  <dt><a href="http://www.lyra.org/greg/">Greg Stein</a></dt>
-  <dd>original python port of Henner Zeller's cvsweb, secure popen
-      implementation, configuration file implementation, rcsparse
-      module, and EZT template engine</dd>
-
-  <dt>Jay Painter</dt>
-  <dd>CVSdb query engine</dd>
-
-  <dt>Tanaka Akira</dt> 
-  <dd>enscript colorization and tarball generation
-      </dd>
-
-  <dt>Tim Cera</dt>
-  <dd>CvsGraph support, log_table template, regular expression search,
-      and paging capability</dd>
-
-  <dt>Peter Funk</dt> 
-  <dd>standalone server, blimp logo, and numerous improvements to
-      ViewVC's interfaces and documentation</dd>
-
-  <dt>Lucas Bruand</dt>
-
-  <dd>C++ RCS parser (tparse) and vclib module for supporting new
-      version control systems</dd>
-
-  <dt><a href="http://www.cmichaelpilato.com/">C. Michael Pilato</a></dt>
-  <dd>Subversion support, root_as_url alternative URL scheme,
-      templatization work, website design, documentation</dd>
-
-  <dt>Russell Yanofsky</dt>
-  <dd>Windows support and the sapi module for supporting multiple web
-      server interfaces, sweeping abstraction and UI improvements</dd>
-
-  <dt>James Henstridge</dt>
-  <dd>integrated query interface, support for querying Subversion
-      repositories, caching support, CSS formatting, and the EZT
-      &quot;define&quot; directive</dd>
-
-</dl>
-
-</div>
-<div class="section">
-<h2 id="sec-site-credits">About This Site</h2>
-
-<p>The ViewVC website was designed by <a
-   href="http://www.cmichaelpilato.com/">C. Michael Pilato</a>.  All
-   HTML was hand-edited in Emacs, and the little splashes of graphical
-   goodness owe their existence to Adobe PhotoShop.  Textual content
-   for the site is mostly the work of Greg Stein, but has been tweaked
-   through the ages by various ViewVC contributors.</p>
-
-</div>
-
-</td>
-</tr>
-</table>
-</body>
-</html>