Retroactively "peg" the svn:externals property on these tags which

pulls in the 'templates-contrib' area.

git-svn-id: http://viewvc.tigris.org/svn/viewvc/tags/1.1.6@2451 8cb11bc2-c004-0410-86c3-e597b4017df7

CHANGES

@@ -1,3 +1,15 @@
+Version 1.1.6 (released 02-Jun-2010)
+
+  * add rudimentary support for WSGI-based deployments (issue #397)
+  * fix exception caused by trying to HTML-escape non-string data (issue #454)
+  * fix incorrect RSS feed Content-Type header (issue #449)
+  * fix RSS <title> encoding problem (issue #451)
+  * allow 'svndbadmin purge' to work on missing repositories (issue #452)
+
+Version 1.1.5 (released 29-Mar-2010)
+
+  * security fix: escape user-provided search_re input to avoid XSS attack
+
 Version 1.1.4 (released 10-Mar-2010)
 
   * security fix: escape user-provided query form input to avoid XSS attack

INSTALL

@@ -213,9 +213,9 @@ APACHE CONFIGURATION
      Options +ExecCGI
      AddHandler cgi-script .cgi
      
-   (Note: For this to work mod_cgi has to be loaded. And for the .htaccess file
+   Note: For this to work mod_cgi has to be loaded.  And for the .htaccess file
    to be effective, "AllowOverride All" or "AllowOverride Options FileInfo"
-   need to have been specified for the directory.)
+   needs to have been specified for the directory.
    
    ------------------------------------------
    METHOD D:  Using mod_python (if installed)
@@ -232,6 +232,25 @@ APACHE CONFIGURATION
    feature may not work because it uses multithreading.  This works fine
    under Apache 2.
    
+   ----------------------------------------
+   METHOD E:  Using mod_wsgi (if installed)
+   ----------------------------------------
+   Copy the Python scripts file from
+   <VIEWVC_INSTALLATION_DIRECTORY>/bin/mod_python/
+   to the directory of your choosing.  Modify httpd.conf with the
+   following directives:
+
+      WSGIScriptAlias /viewvc <VIEWVC_INSTALLATION_DIRECTORY>/bin/wsgi/viewvc.wsgi
+      WSGIScriptAlias /query <VIEWVC_INSTALLATION_DIRECTORY>/bin/wsgi/query.wsgi
+
+   You'll probably also need the following directive because of the
+   not-quite-sanctioned way that ViewVC manipulates Python objects.
+
+      WSGIApplicationGroup %{GLOBAL}
+
+   Note: WSGI support in ViewVC is at this time quite rudimentary,
+   bordering on downright experimental.  Your mileage may vary.
+
 3) Restart Apache.
 
    The commands to do this vary.  "httpd -k restart" and "apache -k

LICENSE.html

@@ -15,7 +15,7 @@
 
 <blockquote>
 
-<p><strong>Copyright &copy; 1999-2009 The ViewCVS Group.  All rights
+<p><strong>Copyright &copy; 1999-2010 The ViewCVS Group.  All rights
    reserved.</strong></p>
 
 <p>By using ViewVC, you agree to the terms and conditions set forth
@@ -60,6 +60,7 @@
   <li>April 10, 2007 &mdash; copyright years updated</li>
   <li>February 22, 2008 &mdash; copyright years updated</li>
   <li>March 18, 2009 &mdash; copyright years updated</li>
+  <li>March 29, 2010 &mdash; copyright years updated</li>
 </ul>
 
 </body>

bin/svndbadmin

@@ -242,6 +242,7 @@ def main(command, repository, revs=[], verbose=0, force=0):
     cfg = viewvc.load_config(CONF_PATHNAME)
     db = cvsdb.ConnectDatabase(cfg)
 
+    # Purge what must be purged.
     if command in ('rebuild', 'purge'):
         if verbose:
             print "Purging commit info for repository root `%s'" % repository
@@ -252,18 +253,24 @@ def main(command, repository, revs=[], verbose=0, force=0):
                 sys.stderr.write("ERROR: " + str(e) + "\n")
                 sys.exit(1)
 
-    repo = SvnRepo(repository)
-    if command == 'rebuild' or (command == 'update' and not revs):
-        for rev in range(repo.rev_max+1):
-            handle_revision(db, command, repo, rev, verbose)
-    elif command == 'update':
-        if revs[0] is None:
-            revs[0] = repo.rev_max
-        if revs[1] is None:
-            revs[1] = repo.rev_max
-        revs.sort()
-        for rev in range(revs[0], revs[1]+1):
-            handle_revision(db, command, repo, rev, verbose, force)
+    # Record what must be recorded.
+    if command in ('rebuild', 'update'):
+        if not os.path.exists(repository):
+            sys.stderr.write('ERROR: could not find repository %s\n'
+                             % (repository))
+            sys.exit(1)
+        repo = SvnRepo(repository)
+        if command == 'rebuild' or (command == 'update' and not revs):
+            for rev in range(repo.rev_max+1):
+                handle_revision(db, command, repo, rev, verbose)
+        elif command == 'update':
+            if revs[0] is None:
+                revs[0] = repo.rev_max
+            if revs[1] is None:
+                revs[1] = repo.rev_max
+            revs.sort()
+            for rev in range(revs[0], revs[1]+1):
+                handle_revision(db, command, repo, rev, verbose, force)
 
 def _rev2int(r):
     if r == 'HEAD':
@@ -330,12 +337,6 @@ if __name__ == '__main__':
         sys.stderr.write('ERROR: unknown command %s\n' % command)
         usage()
 
-    repository = args[2]
-    if not os.path.exists(repository):
-        sys.stderr.write('ERROR: could not find repository %s\n' % args[2])
-        usage()
-    repository = vclib.svn.canonicalize_rootpath(repository)
-
     revs = []
     if len(sys.argv) > 3:
         if command == 'rebuild':
@@ -358,6 +359,7 @@ if __name__ == '__main__':
         rev = None
 
     try:
+        repository = vclib.svn.canonicalize_rootpath(args[2])
         repository = cvsdb.CleanRepository(os.path.abspath(repository))
         main(command, repository, revs, verbose, force)
     except KeyboardInterrupt:

bin/wsgi/query.wsgi

@@ -0,0 +1,42 @@
+# -*-python-*-
+#
+# Copyright (C) 1999-2009 The ViewCVS Group. All Rights Reserved.
+#
+# By using this file, you agree to the terms and conditions set forth in
+# the LICENSE.html file which can be found at the top level of the ViewVC
+# distribution or at http://viewvc.org/license-1.html.
+#
+# For more information, visit http://viewvc.org/
+#
+# -----------------------------------------------------------------------
+#
+# viewvc: View CVS/SVN repositories via a web browser
+#
+# -----------------------------------------------------------------------
+#
+# This is a wsgi entry point for the query ViewVC app. It's appropriate
+# for use with mod_wsgi. It defines a single application function that
+# is a walid wsgi entry point.
+#
+# -----------------------------------------------------------------------
+
+import sys, os
+
+LIBRARY_DIR = None
+CONF_PATHNAME = None
+
+if LIBRARY_DIR:
+  sys.path.insert(0, LIBRARY_DIR)
+else:
+  sys.path.insert(0, os.path.abspath(os.path.join(sys.argv[0],
+                                                  "../../../lib")))
+
+import sapi
+import viewvc
+import query
+
+def application(environ, start_response):
+  server = sapi.WsgiServer(environ, start_response)
+  cfg = viewvc.load_config(CONF_PATHNAME, server)
+  query.main(server, cfg, "viewvc.wsgi")
+  return []

bin/wsgi/viewvc.wsgi

@@ -0,0 +1,41 @@
+# -*-python-*-
+#
+# Copyright (C) 1999-2009 The ViewCVS Group. All Rights Reserved.
+#
+# By using this file, you agree to the terms and conditions set forth in
+# the LICENSE.html file which can be found at the top level of the ViewVC
+# distribution or at http://viewvc.org/license-1.html.
+#
+# For more information, visit http://viewvc.org/
+#
+# -----------------------------------------------------------------------
+#
+# viewvc: View CVS/SVN repositories via a web browser
+#
+# -----------------------------------------------------------------------
+#
+# This is a wsgi entry point for the main ViewVC app. It's appropriate
+# for use with mod_wsgi. It defines a single application function that
+# is a walid wsgi entry point.
+#
+# -----------------------------------------------------------------------
+
+import sys, os
+
+LIBRARY_DIR = None
+CONF_PATHNAME = None
+
+if LIBRARY_DIR:
+  sys.path.insert(0, LIBRARY_DIR)
+else:
+  sys.path.insert(0, os.path.abspath(os.path.join(sys.argv[0],
+                                                  "../../../lib")))
+
+import sapi
+import viewvc
+
+def application(environ, start_response):
+  server = sapi.WsgiServer(environ, start_response)
+  cfg = viewvc.load_config(CONF_PATHNAME, server)
+  viewvc.main(server, cfg)
+  return []

lib/blame.py

@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 # -*-python-*-
 #
-# Copyright (C) 1999-2008 The ViewCVS Group. All Rights Reserved.
+# Copyright (C) 1999-2010 The ViewCVS Group. All Rights Reserved.
 # Copyright (C) 2000 Curt Hagenlocher <curt@hagenlocher.org>
 #
 # By using this file, you agree to the terms and conditions set forth in
@@ -32,9 +32,8 @@ import os
 import re
 import time
 import math
-import cgi
 import vclib
-
+import sapi
 
 re_includes = re.compile('\\#(\\s*)include(\\s*)"(.*?)"')
 
@@ -82,7 +81,7 @@ class HTMLBlameSource:
     diff_url = None
     if item.prev_rev:
       diff_url = '%sr1=%s&amp;r2=%s' % (self.diff_url, item.prev_rev, item.rev)
-    thisline = link_includes(cgi.escape(item.text), self.repos,
+    thisline = link_includes(sapi.escape(item.text), self.repos,
                              self.path_parts, self.include_url)
     return _item(text=thisline, line_number=item.line_number,
                  rev=item.rev, prev_rev=item.prev_rev,

lib/ezt.py

@@ -347,7 +347,7 @@ class Template:
       for_names = [ ]
 
     if base_format:
-      program.append((self._cmd_format, _printers[base_format]))
+      program.append((self._cmd_format, _formatters[base_format]))
 
     for i in range(len(parts)):
       piece = parts[i]
@@ -405,13 +405,13 @@ class Template:
           elif cmd == 'format':
             if args[1][0]:
               # argument is a variable reference
-              printer = args[1]
+              formatter = args[1]
             else:
-              # argument is a string constant referring to built-in printer
-              printer = _printers.get(args[1][1])
-              if not printer:
+              # argument is a string constant referring to built-in formatter
+              formatter = _formatters.get(args[1][1])
+              if not formatter:
                 raise UnknownFormatConstantError(str(args[1:]))
-            program.append((self._cmd_format, printer))
+            program.append((self._cmd_format, formatter))
 
           # remember the cmd, current pos, args, and a section placeholder
           stack.append([cmd, len(program), args[1:], None])
@@ -465,13 +465,13 @@ class Template:
     except TypeError:
       raise Exception("Unprintable value type for '%s'" % (str(valrefs[0][0])))
 
-  def _cmd_format(self, printer, ctx):
-    if type(printer) is TupleType:
-      printer = _get_value(printer, ctx)
-    ctx.printers.append(printer)
+  def _cmd_format(self, formatter, ctx):
+    if type(formatter) is TupleType:
+      formatter = _get_value(formatter, ctx)
+    ctx.formatters.append(formatter)
 
   def _cmd_end_format(self, valref, ctx):
-    ctx.printers.pop()
+    ctx.formatters.pop()
 
   def _cmd_include(self, (valref, reader), ctx):
     fname = _get_value(valref, ctx)
@@ -637,14 +637,23 @@ def _get_value((refname, start, rest), ctx):
   # string or a sequence
   return ob
 
+def _print_formatted(formatters, ctx, chunk):
+  # print chunk to ctx.fp after running it sequentially through formatters
+  for formatter in formatters:
+    chunk = formatter(chunk)
+  ctx.fp.write(chunk)
+  
 def _write_value(value, args, ctx):
   # value is a callback function, generates its own output
   if callable(value):
     apply(value, [ctx] + list(args))
     return
 
-  # pop printer in case it recursively calls _write_value
-  printer = ctx.printers.pop()
+  # squirrel away formatters in case one of them recursively calls
+  # _write_value() -- we'll use them (in reverse order) to format our
+  # output.
+  formatters = ctx.formatters[:]
+  formatters.reverse()
 
   try:
     # if the value has a 'read' attribute, then it is a stream: copy it
@@ -653,7 +662,7 @@ def _write_value(value, args, ctx):
         chunk = value.read(16384)
         if not chunk:
           break
-        printer(ctx, chunk)
+        _print_formatted(formatters, ctx, chunk)
 
     # value is a substitution pattern
     elif args:
@@ -666,14 +675,16 @@ def _write_value(value, args, ctx):
             piece = args[idx]
           else:
             piece = '<undef>'
-        printer(ctx, piece)
+        _print_formatted(formatters, ctx, piece)
 
     # plain old value, write to output
     else:
-      printer(ctx, value)
+      _print_formatted(formatters, ctx, value)
 
   finally:
-    ctx.printers.append(printer)
+    # restore our formatters
+    formatters.reverse()
+    ctx.formatters = formatters
 
 
 class TemplateData:
@@ -715,7 +726,7 @@ class Context:
   """A container for the execution context"""
   def __init__(self, fp):
     self.fp = fp
-    self.printers = []
+    self.formatters = []
   def write(self, value, args=()):
     _write_value(value, args, self)
 
@@ -828,20 +839,26 @@ class BaseUnavailableError(EZTException):
 class UnknownFormatConstantError(EZTException):
   """The format specifier is an unknown value."""
 
-def _raw_printer(ctx, s):
-  ctx.fp.write(s)
-  
-def _html_printer(ctx, s):
-  ctx.fp.write(cgi.escape(s))
+def _raw_formatter(s):
+  return s
 
-def _uri_printer(ctx, s):
-  ctx.fp.write(urllib.quote(s))
+def _html_formatter(s):
+  return cgi.escape(s)
 
-_printers = {
-  FORMAT_RAW  : _raw_printer,
-  FORMAT_HTML : _html_printer,
-  FORMAT_XML  : _html_printer,
-  FORMAT_URI  : _uri_printer,
+def _xml_formatter(s):
+  s = s.replace('&', '&#x26;')
+  s = s.replace('<', '&#x3C;')
+  s = s.replace('>', '&#x3E;')
+  return s
+
+def _uri_formatter(s):
+  return urllib.quote(s)
+
+_formatters = {
+  FORMAT_RAW  : _raw_formatter,
+  FORMAT_HTML : _html_formatter,
+  FORMAT_XML  : _xml_formatter,
+  FORMAT_URI  : _uri_formatter,
 }
 
 # --- standard test environment ---

lib/idiff.py

@@ -1,6 +1,6 @@
 # -*-python-*-
 #
-# Copyright (C) 1999-2006 The ViewCVS Group. All Rights Reserved.
+# Copyright (C) 1999-2010 The ViewCVS Group. All Rights Reserved.
 #
 # By using this file, you agree to the terms and conditions set forth in
 # the LICENSE.html file which can be found at the top level of the ViewVC
@@ -20,7 +20,7 @@ import difflib
 import sys
 import re
 import ezt
-import cgi
+import sapi
 
 def sidebyside(fromlines, tolines, context):
   """Generate side by side diff"""
@@ -49,18 +49,18 @@ def _mdiff_split(flag, (line_number, text)):
   while True:
     m = _re_mdiff.search(text, pos)
     if not m:
-      segments.append(_item(text=cgi.escape(text[pos:]), type=None))
+      segments.append(_item(text=sapi.escape(text[pos:]), type=None))
       break
 
     if m.start() > pos:
-      segments.append(_item(text=cgi.escape(text[pos:m.start()]), type=None))
+      segments.append(_item(text=sapi.escape(text[pos:m.start()]), type=None))
 
     if m.group(1) == "+":
-      segments.append(_item(text=cgi.escape(m.group(2)), type="add"))
+      segments.append(_item(text=sapi.escape(m.group(2)), type="add"))
     elif m.group(1) == "-":
-      segments.append(_item(text=cgi.escape(m.group(2)), type="remove"))
+      segments.append(_item(text=sapi.escape(m.group(2)), type="remove"))
     elif m.group(1) == "^":
-      segments.append(_item(text=cgi.escape(m.group(2)), type="change"))
+      segments.append(_item(text=sapi.escape(m.group(2)), type="change"))
 
     pos = m.end()
 
@@ -166,12 +166,12 @@ def _differ_split(row, guide):
 
     for m in _re_differ.finditer(guide, pos):
       if m.start() > pos:
-        segments.append(_item(text=cgi.escape(line[pos:m.start()]), type=None))
-      segments.append(_item(text=cgi.escape(line[m.start():m.end()]),
+        segments.append(_item(text=sapi.escape(line[pos:m.start()]), type=None))
+      segments.append(_item(text=sapi.escape(line[m.start():m.end()]),
                             type="change"))
       pos = m.end()
 
-  segments.append(_item(text=cgi.escape(line[pos:]), type=None))
+  segments.append(_item(text=sapi.escape(line[pos:]), type=None))
 
   return _item(gap=ezt.boolean(gap), type=type, segments=segments,
                left_number=left_number, right_number=right_number)

lib/query.py

@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 # -*-python-*-
 #
-# Copyright (C) 1999-2009 The ViewCVS Group. All Rights Reserved.
+# Copyright (C) 1999-2010 The ViewCVS Group. All Rights Reserved.
 #
 # By using this file, you agree to the terms and conditions set forth in
 # the LICENSE.html file which can be found at the top level of the ViewVC
@@ -439,11 +439,11 @@ def main(server, cfg, viewvc_link):
       'cfg' : cfg,
       'address' : cfg.general.address,
       'vsn' : viewvc.__version__,
-      'repository' : server.escape(form_data.repository, 1),
-      'branch' : server.escape(form_data.branch, 1),
-      'directory' : server.escape(form_data.directory, 1),
-      'file' : server.escape(form_data.file, 1),
-      'who' : server.escape(form_data.who, 1),
+      'repository' : server.escape(form_data.repository),
+      'branch' : server.escape(form_data.branch),
+      'directory' : server.escape(form_data.directory),
+      'file' : server.escape(form_data.file),
+      'who' : server.escape(form_data.who),
       'docroot' : cfg.options.docroot is None \
                   and viewvc_link + '/' + viewvc.docroot_magic_path \
                   or cfg.options.docroot,

lib/sapi.py

@@ -1,6 +1,6 @@
 # -*-python-*-
 #
-# Copyright (C) 1999-2006 The ViewCVS Group. All Rights Reserved.
+# Copyright (C) 1999-2010 The ViewCVS Group. All Rights Reserved.
 #
 # By using this file, you agree to the terms and conditions set forth in
 # the LICENSE.html file which can be found at the top level of the ViewVC
@@ -20,13 +20,27 @@ import string
 import os
 import sys
 import re
+import cgi
 
 
-# global server object. It will be either a CgiServer or a proxy to
-# an AspServer or ModPythonServer object.
+# global server object. It will be either a CgiServer, a WsgiServer,
+# or a proxy to an AspServer or ModPythonServer object.
 server = None
 
 
+# Simple HTML string escaping.  Note that we always escape the
+# double-quote character -- ViewVC shouldn't ever need to preserve
+# that character as-is, and sometimes needs to embed escaped values
+# into HTML attributes.
+def escape(s):
+  s = str(s)
+  s = string.replace(s, '&', '&')
+  s = string.replace(s, '>', '>')
+  s = string.replace(s, '<', '&lt;')
+  s = string.replace(s, '"', "&quot;")
+  return s
+
+  
 class Server:
   def __init__(self):
     self.pageGlobals = {}
@@ -34,6 +48,9 @@ class Server:
   def self(self):
     return self
 
+  def escape(self, s):
+    return escape(s)
+    
   def close(self):
     pass
 
@@ -129,9 +146,6 @@ class CgiServer(Server):
     global server
     server = self
 
-    global cgi
-    import cgi
-
   def addheader(self, name, value):
     self.headers.append((name, value))
 
@@ -160,9 +174,6 @@ class CgiServer(Server):
     self.header(status='301 Moved')
     sys.stdout.write('This document is located <a href="%s">here</a>.\n' % url)
 
-  def escape(self, s, quote = None):
-    return cgi.escape(s, quote)
-
   def getenv(self, name, value=None):
     ret = os.environ.get(name, value)
     if self.iis and name == 'PATH_INFO' and ret:
@@ -187,6 +198,66 @@ class CgiServer(Server):
     return sys.stdout
 
 
+class WsgiServer(Server):
+  def __init__(self, environ, start_response):
+    Server.__init__(self)
+
+    self._environ = environ
+    self._start_response = start_response;
+    self._headers = []
+    self._wsgi_write = None
+    self.headerSent = False
+
+    global server
+    server = self
+
+    global cgi
+    import cgi
+
+  def addheader(self, name, value):
+    self._headers.append((name, value))
+
+  def header(self, content_type='text/html; charset=UTF-8', status=None):
+    if not status:
+      status = "200 OK"
+    if not self.headerSent:
+      self.headerSent = True
+      self._headers.insert(0, ("Content-Type", content_type),)
+      self._wsgi_write = self._start_response("%s" % status, self._headers)
+
+  def redirect(self, url):
+    """Redirect client to url. This discards any data that has been queued
+    to be sent to the user. But there should never by any anyway.
+    """
+    self.addheader('Location', url)
+    self.header(status='301 Moved')
+    self._wsgi_write('This document is located <a href="%s">here</a>.' % url)
+
+  def escape(self, s, quote = None):
+    return cgi.escape(s, quote)
+
+  def getenv(self, name, value=None):
+    return self._environ.get(name, value)
+
+  def params(self):
+    return cgi.parse(environ=self._environ, fp=self._environ["wsgi.input"])
+
+  def FieldStorage(self, fp=None, headers=None, outerboundary="",
+                   environ=os.environ, keep_blank_values=0, strict_parsing=0):
+    return cgi.FieldStorage(self._environ["wsgi.input"], self._headers,
+                            outerboundary, self._environ, keep_blank_values,
+                            strict_parsing)
+
+  def write(self, s):
+    self._wsgi_write(s)
+
+  def flush(self):
+    pass
+
+  def file(self):
+    return File(self)
+
+
 class AspServer(ThreadedServer):
   def __init__(self, Server, Request, Response, Application):
     ThreadedServer.__init__(self)
@@ -219,9 +290,6 @@ class AspServer(ThreadedServer):
   def redirect(self, url):
     self.response.Redirect(url)
 
-  def escape(self, s, quote = None):
-    return self.server.HTMLEncode(str(s))
-
   def getenv(self, name, value = None):
     ret = self.request.ServerVariables(name)()
     if not type(ret) is types.UnicodeType:
@@ -283,9 +351,6 @@ class ModPythonServer(ThreadedServer):
     self.request = request
     self.headerSent = 0
     
-    global cgi
-    import cgi
-
   def addheader(self, name, value):
     self.request.headers_out.add(name, value)
 
@@ -308,9 +373,6 @@ class ModPythonServer(ThreadedServer):
     self.request.write("You are being redirected to <a href=\"%s\">%s</a>"
                        % (url, url))
 
-  def escape(self, s, quote = None):
-    return cgi.escape(s, quote)
-
   def getenv(self, name, value = None):
     try:
       return self.request.subprocess_env[name]

lib/vclib/ccvs/rcsparse/default.py

@@ -19,7 +19,11 @@ import string
 import common
 
 class _TokenStream:
-  token_term = string.whitespace + ';:'
+  token_term = string.whitespace + ";:"
+  try:
+    token_term = frozenset(token_term)
+  except NameError:
+    pass
 
   # the algorithm is about the same speed for any CHUNK_SIZE chosen.
   # grab a good-sized chunk, but not too large to overwhelm memory.
@@ -44,15 +48,17 @@ class _TokenStream:
     # out more complex solutions.
 
     buf = self.buf
+    lbuf = len(buf)
     idx = self.idx
 
     while 1:
-      if idx == len(buf):
+      if idx == lbuf:
         buf = self.rcsfile.read(self.CHUNK_SIZE)
         if buf == '':
           # signal EOF by returning None as the token
           del self.buf   # so we fail if get() is called again
           return None
+        lbuf = len(buf)
         idx = 0
 
       if buf[idx] not in string.whitespace:
@@ -60,7 +66,7 @@ class _TokenStream:
 
       idx = idx + 1
 
-    if buf[idx] == ';' or buf[idx] == ':':
+    if buf[idx] in ';:':
       self.buf = buf
       self.idx = idx + 1
       return buf[idx]
@@ -70,17 +76,18 @@ class _TokenStream:
       token = ''
       while 1:
         # find token characters in the current buffer
-        while end < len(buf) and buf[end] not in self.token_term:
+        while end < lbuf and buf[end] not in self.token_term:
           end = end + 1
         token = token + buf[idx:end]
 
-        if end < len(buf):
+        if end < lbuf:
           # we stopped before the end, so we have a full token
           idx = end
           break
 
         # we stopped at the end of the buffer, so we may have a partial token
         buf = self.rcsfile.read(self.CHUNK_SIZE)
+        lbuf = len(buf)
         idx = end = 0
 
       self.buf = buf
@@ -94,22 +101,24 @@ class _TokenStream:
     chunks = [ ]
 
     while 1:
-      if idx == len(buf):
+      if idx == lbuf:
         idx = 0
         buf = self.rcsfile.read(self.CHUNK_SIZE)
         if buf == '':
           raise RuntimeError, 'EOF'
+        lbuf = len(buf)
       i = string.find(buf, '@', idx)
       if i == -1:
         chunks.append(buf[idx:])
-        idx = len(buf)
+        idx = lbuf
         continue
-      if i == len(buf) - 1:
+      if i == lbuf - 1:
         chunks.append(buf[idx:i])
         idx = 0
         buf = '@' + self.rcsfile.read(self.CHUNK_SIZE)
         if buf == '@':
           raise RuntimeError, 'EOF'
+        lbuf = len(buf)
         continue
       if buf[i + 1] == '@':
         chunks.append(buf[idx:i+1])

lib/viewvc.py

@@ -14,7 +14,7 @@
 #
 # -----------------------------------------------------------------------
 
-__version__ = '1.1.4-dev'
+__version__ = '1.1.6'
 
 # this comes from our library; measure the startup time
 import debug
@@ -24,7 +24,6 @@ debug.t_start('imports')
 # standard modules that we know are in the path or builtin
 import sys
 import os
-import cgi
 import gzip
 import mimetypes
 import re
@@ -432,7 +431,8 @@ class Request:
     action = self.server.escape(urllib.quote(url, _URL_SAFE_CHARS))
     hidden_values = []
     for name, value in params.items():
-      hidden_values.append(_item(name=name, value=value))
+      hidden_values.append(_item(name=self.server.escape(name),
+                                 value=self.server.escape(value)))
     return action, hidden_values
 
   def get_link(self, view_func=None, where=None, pathtype=None, params=None):
@@ -915,7 +915,7 @@ def get_writeready_server_file(request, content_type=None):
   return fp
   
 def generate_page(request, view_name, data, content_type=None):
-  server_fp = get_writeready_server_file(request)
+  server_fp = get_writeready_server_file(request, content_type)
   template = get_view_template(request.cfg, view_name, request.language)
   template.generate(server_fp, data)
 
@@ -1075,9 +1075,6 @@ def get_file_view_info(request, where, rev=None, mime_type=None, pathrev=-1):
                revision_href=revision_href,
                prefer_markup=ezt.boolean(prefer_markup))
 
-def htmlify(html):
-  return html and cgi.escape(html) or html
-
 
 # Matches URLs
 _re_rewrite_url = re.compile('((http|https|ftp|file|svn|svn\+ssh)'
@@ -1110,8 +1107,8 @@ class HtmlFormatter:
     """
     s = mobj.group(0)
     trunc_s = maxlen and s[:maxlen] or s
-    return '<a href="%s">%s</a>' % (cgi.escape(s),
-                                    cgi.escape(trunc_s)), \
+    return '<a href="%s">%s</a>' % (sapi.escape(s),
+                                    sapi.escape(trunc_s)), \
            len(trunc_s)
 
   def format_email(self, mobj, userdata, maxlen=0):
@@ -1162,7 +1159,7 @@ class HtmlFormatter:
          - the number of characters returned.
     """   
     trunc_s = maxlen and s[:maxlen] or s
-    return cgi.escape(trunc_s), len(trunc_s)
+    return sapi.escape(trunc_s), len(trunc_s)
   
   def add_formatter(self, regexp, conv, userdata=None):
     """Register a formatter which finds instances of strings matching
@@ -1467,7 +1464,7 @@ def copy_stream(src, dst, htmlize=0):
     if not chunk:
       break
     if htmlize:
-      chunk = htmlify(chunk)
+      chunk = sapi.escape(chunk)
     dst.write(chunk)
 
 class MarkupPipeWrapper:
@@ -1496,7 +1493,7 @@ def markup_stream_pygments(request, cfg, blame_data, fp, filename, mime_type):
   blame_source = []
   if blame_data:
     for i in blame_data:
-      i.text = cgi.escape(i.text)
+      i.text = sapi.escape(i.text)
       i.diff_href = None
       if i.prev_rev:
         i.diff_href = request.get_url(view_func=view_diff,
@@ -1559,7 +1556,7 @@ def markup_stream_pygments(request, cfg, blame_data, fp, filename, mime_type):
         if not line:
           break
         line_no = line_no + 1
-        line = cgi.escape(string.expandtabs(line, cfg.options.tabsize))
+        line = sapi.escape(string.expandtabs(line, cfg.options.tabsize))
         item = vclib.Annotation(line, line_no, None, None, None, None)
         item.diff_href = None
         lines.append(item)
@@ -2034,7 +2031,7 @@ def view_directory(request):
     'entries' : rows,
     'sortby' : sortby,
     'sortdir' : sortdir,
-    'search_re' : htmlify(search_re),
+    'search_re' : request.server.escape(search_re),
     'dir_pagestart' : None,
     'sortby_file_href' :   request.get_url(params={'sortby': 'file',
                                                    'sortdir': None},
@@ -2766,7 +2763,7 @@ class DiffSource:
     hr_breakable = self.cfg.options.hr_breakable
     
     # in the code below, "\x01" will be our stand-in for "&". We don't want
-    # to insert "&" because it would get escaped by htmlify().  Similarly,
+    # to insert "&" because it would get escaped by sapi.escape().  Similarly,
     # we use "\x02" as a stand-in for "<br>"
   
     if hr_breakable > 1 and len(text) > hr_breakable:
@@ -2776,7 +2773,7 @@ class DiffSource:
       text = string.replace(text, '  ', ' \x01nbsp;')
     else:
       text = string.replace(text, ' ', '\x01nbsp;')
-    text = htmlify(text)
+    text = sapi.escape(text)
     text = string.replace(text, '\x01', '&')
     text = string.replace(text, '\x02',
                           '<span style="color:red">\</span><br />')
@@ -3157,7 +3154,7 @@ def view_diff(request):
       else:
         changes = DiffSource(fp, cfg)
     else:
-      raw_diff_fp = MarkupPipeWrapper(fp, htmlify(headers), None, 1)
+      raw_diff_fp = MarkupPipeWrapper(fp, request.server.escape(headers), None, 1)
 
   no_format_params = request.query_dict.copy()
   no_format_params['diff_format'] = None
@@ -3553,6 +3550,11 @@ def view_revision(request):
     'first_changes_href': first_changes_href,
     'jump_rev_action' : jump_rev_action,
     'jump_rev_hidden_values' : jump_rev_hidden_values,
+    'revision_href' : request.get_url(view_func=view_revision,
+                                      where=None,
+                                      pathtype=None,
+                                      params={'revision': str(rev)},
+                                      escape=1),
   }))
   if rev == youngest_rev:
     request.server.addheader("Cache-control", "no-store")
@@ -3704,7 +3706,7 @@ def english_query(request):
     ret.append('on all branches ')
   comment = request.query_dict.get('comment', '')
   if comment:
-    ret.append('with comment <i>%s</i> ' % htmlify(comment))
+    ret.append('with comment <i>%s</i> ' % request.server.escape(comment))
   if who:
     ret.append('by <em>%s</em> ' % request.server.escape(who))
   date = request.query_dict.get('date', 'hours')

notes/releases.txt

@@ -44,9 +44,7 @@ numbers, and not literal):
 
 8.  Update your working copy to HEAD, and tag the release:
 
-       svn update
-       svn cp -m "Tag the X.Y.Z final release." . \
-                 http://viewvc.tigris.org/svn/viewvc/tags/X.Y.Z
+       svn up && svn cp -m "Tag the X.Y.Z final release." . ^/tags/X.Y.Z
 
 9.  Go into an empty directory and run the 'make-release' script:
 

templates/include/header.ezt

@@ -5,7 +5,7 @@
 <head>
   <title>[if-any rootname][[][rootname]][else]ViewVC[end] [page_title]</title>
   <meta name="generator" content="ViewVC [vsn]" />
-  <link rel="shortcut icon" href="[docroot]/images/favicon.ico" type="image/x-icon" />
+  <link rel="shortcut icon" href="[docroot]/images/favicon.ico" />
   <link rel="stylesheet" href="[docroot]/styles.css" type="text/css" />
   [if-any rss_href]<link rel="alternate" type="application/rss+xml" title="RSS [[][rootname]][where]" href="[rss_href]" />[end]
 </head>

templates/rss.ezt

@@ -7,11 +7,11 @@
     <description>[is roottype "svn"]Subversion[else]CVS[end] commits to the[if-any where] [where] directory of the[end] [rootname] repository</description>
 
 	[for commits]<item>
-        <title>[if-any commits.rev][commits.rev]: [end][[commits.author]] [commits.short_log]</title>
+        <title>[if-any commits.rev][commits.rev]: [end][[commits.author]] [format "xml"][commits.short_log][end]</title>
 		[if-any commits.rss_url]<link>[commits.rss_url]</link>[end]
 		<author>[commits.author]</author>
 		<pubDate>[if-any commits.rss_date][commits.rss_date][else](unknown date)[end]</pubDate>
-		<description>&lt;pre&gt;[format "xml"][commits.log][end]&lt;/pre&gt;</description>
+		<description>&#x3C;pre&#x3E;[format "xml"][format "html"][commits.log][end][end]&#x3C;/pre&#x3E;</description>
     </item>[end]
 </channel>	
 </rss>

viewvc-install

@@ -49,6 +49,8 @@ CLEAN_MODE = None
 FILE_INFO_LIST = [
     ("bin/cgi/viewvc.cgi",        "bin/cgi/viewvc.cgi",        0755, 1, 0, 0),
     ("bin/cgi/query.cgi",         "bin/cgi/query.cgi",         0755, 1, 0, 0),
+    ("bin/wsgi/viewvc.wsgi",      "bin/wsgi/viewvc.wsgi",      0755, 1, 0, 0),
+    ("bin/wsgi/query.wsgi",       "bin/wsgi/query.wsgi",       0755, 1, 0, 0),
     ("bin/mod_python/viewvc.py",  "bin/mod_python/viewvc.py",  0755, 1, 0, 0),
     ("bin/mod_python/query.py",   "bin/mod_python/query.py",   0755, 1, 0, 0),
     ("bin/mod_python/handler.py", "bin/mod_python/handler.py", 0755, 1, 0, 0),