=================================================================== RCS file: /cvs/cvsweb/cvsweb.cgi,v retrieving revision 1.1.1.32 retrieving revision 1.1.1.36 diff -u -p -r1.1.1.32 -r1.1.1.36 --- cvsweb/cvsweb.cgi 2002/07/07 04:31:41 1.1.1.32 +++ cvsweb/cvsweb.cgi 2002/09/30 19:48:52 1.1.1.36 @@ -3,14 +3,15 @@ # cvsweb - a CGI interface to CVS trees. # # Written in their spare time by -# Bill Fenner (original work) -# extended by Henner Zeller , -# Henrik Nordstrom -# Ken Coar -# Dick Balaska -# Akinori MUSHA -# Jens-Uwe Mager -# Ville Skyttä +# Bill Fenner (original work) +# extended by Henner Zeller , +# Henrik Nordstrom +# Ken Coar +# Dick Balaska +# Akinori MUSHA +# Jens-Uwe Mager +# Ville Skyttä +# Vassilii Khachaturov # # Based on: # * Bill Fenners cvsweb.cgi revision 1.28 available from: @@ -44,7 +45,7 @@ # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # -# $FreeBSD: projects/cvsweb/cvsweb.cgi,v 1.112 2002/07/06 18:15:19 scop Exp $ +# $FreeBSD: projects/cvsweb/cvsweb.cgi,v 1.119.2.6 2002/09/26 20:56:05 scop Exp $ # $zId: cvsweb.cgi,v 1.112 2001/07/24 13:03:16 hzeller Exp $ # $Idaemons: /home/cvs/cvsweb/cvsweb.cgi,v 1.84 2001/10/07 20:50:10 knu Exp $ # @@ -92,7 +93,7 @@ use vars qw ( $module $use_descriptions %descriptions @mytz $dwhere $moddate $use_moddate $has_zlib $gzip_open $allow_tar @tar_options @gzip_options @zip_options @cvs_options - $LOG_FILESEPARATOR $LOG_REVSEPARATOR + @annotate_options $LOG_FILESEPARATOR $LOG_REVSEPARATOR $tmpdir $HTML_DOCTYPE $HTML_META ); @@ -148,7 +149,7 @@ sub forbidden_module($); ##### Start of Configuration Area ######## delete $ENV{PATH}; -$cvsweb_revision = '2.0.4'; +$cvsweb_revision = '2.0.6'; use File::Basename (); 
@@ -343,7 +344,8 @@ $input{only_with_tag} = $input{only_on_branch} # Prevent cross-site scripting foreach (@unsafevars) { - if (defined($input{$_}) && $input{$_} =~ /[^\w\-.]/) { + # Colons are needed in diffs between tags. + if (defined($input{$_}) && $input{$_} =~ /[^\w\-.:]/) { fatal("500 Internal Error", 'Malformed query (%s=%s)', $_, $input{$_}); @@ -466,8 +468,7 @@ if ($input{'cvsroot'} && $CVSROOT{$input{'cvsroot'}}) $cvsroot = $CVSROOT{$cvstree}; # create icons out of description -my $k; -foreach $k (keys %ICONS) { +foreach my $k (keys %ICONS) { no strict 'refs'; my ($itxt, $ipath, $iwidth, $iheight) = @{$ICONS{$k}}; if ($ipath) { @@ -479,7 +480,6 @@ foreach $k (keys %ICONS) { ${"${k}icon"} = $itxt; } } -undef $k; my $config_cvstree = "$config-$cvstree"; 
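Review bot: The widened class `/[^\w\-.:]/` in the cross-site-scripting filter admits a colon in every parameter named in @unsafevars, while the comment added above it justifies the colon only for diffs between tags. The contents of @unsafevars are outside this hunk, so I cannot tell which other parameters gain the character; a colon is harmless to HTML escaping, but the filter is the single choke point for these values and the allow-list should stay as narrow as the stated need. Consider keeping the original class in the loop and applying the wider one only to the parameters that carry tag pairs, or extending the comment to say that the colon is deliberately accepted for all of them.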
@@ -810,39 +810,37 @@ if (-d $fullname) { my $filesexists; my $filesfound; - foreach (sort { &fileSortCmp } @dir) { - if ($_ eq '.') { - next; - } + foreach my $file (sort { &fileSortCmp } @dir) { + next if ($file eq '.'); + # ignore CVS lock and stale NFS files - next if (/^#cvs\.|^,|^\.nfs/); + next if ($file =~ /^#cvs\.|^,|^\.nfs/); # Check whether to show the CVSROOT path - next if ($input{'hidecvsroot'} && ($_ eq 'CVSROOT')); + next if ($input{'hidecvsroot'} && $file eq 'CVSROOT'); # Check whether the module is in the restricted list - next if ($_ && &forbidden_module($_)); + next if ($file && &forbidden_module($file)); # Ignore non-readable files - next if ($input{'hidenonreadable'} && !(-r "$fullname/$_")); + next if ($input{'hidenonreadable'} && !(-r "$fullname/$file")); - if (s|^Attic/||) { + if ($file =~ s|^Attic/||) { $attic = " (in the Attic) " . $hideAtticToggleLink; } else { $attic = ""; } - if ($_ eq '..' || -d "$fullname/$_") { - next if ($_ eq '..' && $where eq '/'); - my ($rev, $date, $log, $author, $filename); - ($rev, $date, $log, $author, $filename) = - @{$fileinfo{$_}} - if (defined($fileinfo{$_})); + if ($file eq '..' || -d "$fullname/$file") { + next if ($file eq '..' && $where eq '/'); + my ($rev, $date, $log, $author, $filename) = + @{$fileinfo{$file}} + if (defined($fileinfo{$file})); printf "\n", $tabcolors[$dirrow % 2] if $dirtable; - if ($_ eq '..') { + if ($file eq '..') { $url = "../$query"; if ($nofilelinks) { print $backicon; @@ -851,17 +849,17 @@ if (-d $fullname) { } print ' ', &link("Parent Directory", $url); } else { - $url = './' . urlencode($_) . "/$query"; - print ""; + $url = './' . urlencode($file) . "/$query"; + print ""; if ($nofilelinks) { print $diricon; } else { print &link($diricon, $url); } - print ' ', &link("$_/", $url), $attic; + print ' ', &link("$file/", $url), $attic; - if ($_ eq "Attic") { + if ($file eq "Attic") { print "  "; print &link( "[Don't hide]", 
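Review bot: `print ' ', &link("$file/", $url), $attic;` in the second hunk still passes the raw directory name to link(), which — per the comment this commit adds above `sub link` — does not htmlquote its first argument, whereas the file branch of the same loop is switched to `&link(htmlquote($file), $url)` later in this commit. Directory names come from the repository filesystem rather than the query string, so the exposure is limited, but the two branches should be consistent: `print ' ', &link(htmlquote($file) . '/', $url), $attic;`. The `foreach my $file` loop and the enclosing `if (-d $fullname)` block extend beyond both hunks.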
@@ -904,7 +902,7 @@ if (-d $fullname) { } } else { my ($dwhere) = - ($where ne "/" ? $where : "") . $_; + ($where ne "/" ? $where : "") . $file; if ($use_descriptions && defined $descriptions{$dwhere}) @@ -931,27 +929,29 @@ if (-d $fullname) { print "
\n"; } $dirrow++; - } elsif (s/,v$//) { - $fileurl = ($attic ? "Attic/" : "") . urlencode($_); + } elsif ($file =~ s/,v$//) { + + # Skip forbidden files now so we'll give no hint + # about their existence. This should probably have + # been done earlier, but it's straightforward here. + next if forbidden_file("$fullname/$file"); + + $fileurl = ($attic ? "Attic/" : "") . urlencode($file); $url = './' . $fileurl . $query; - my $rev = ''; - my $date = ''; - my $log = ''; - my $author = ''; $filesexists++; - next if (!defined($fileinfo{$_})); - ($rev, $date, $log, $author) = @{$fileinfo{$_}}; + next if (!defined($fileinfo{$file})); + my ($rev, $date, $log, $author) = @{$fileinfo{$file}}; $filesfound++; printf "\n", $tabcolors[$dirrow % 2] if $dirtable; - print ""; + print ""; if ($nofilelinks) { print $fileicon; } else { print &link($fileicon, $url); } - print ' ', &link($_, $url), $attic; + print ' ', &link(htmlquote($file), $url), $attic; print "\n " if ($dirtable); download_link($fileurl, $rev, $rev, $defaultViewable ? "text/x-cvsweb-markup" : @@ -1104,6 +1104,13 @@ if (-d $fullname) { # View Files ############################### elsif (-f $fullname . ',v') { + + if (forbidden_file($fullname)) { + fatal('403 Forbidden', + 'Access forbidden. This file is mentioned in @ForbiddenFiles'); + return; + } + if (defined($input{'rev'}) || $doCheckout) { &doCheckout($fullname, $input{'rev'}); gzipclose(); @@ -1251,6 +1258,11 @@ sub findLastModifiedSubdirs(@) { $filename = "$dirname/$filename"; my ($file) = "$fullname/$filename"; next if ($filename !~ /,v$/ || !-f $file); + + # Skip forbidden files. + (my $f = $file) =~ s/,v$//; + next if forbidden_file($f); + $filename =~ s/,v$//; my $modtime = -M $file; @@ -1393,6 +1405,7 @@ sub spacedHtmlText($;$) { return $_; } +# Note that this doesn't htmlquote the first argument... sub link($$) { my ($name, $url) = @_; 
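Review bot: `next if forbidden_file("$fullname/$file");` runs after the earlier `$file =~ s|^Attic/||` has stripped the Attic prefix, so for a file in the Attic the path handed to forbidden_file() lacks the `Attic/` component, while the check added to findLastModifiedSubdirs in the next hunk passes the path as globbed (whether that glob covers Attic is not visible here). If forbidden_file() matches on the path string rather than normalizing it, the same Attic file could be hidden by one listing and shown by the other; worth confirming, or rebuilding the full path here: `next if forbidden_file($fullname . ($attic ? '/Attic/' : '/') . $file);`. The enclosing loop and `if (-d $fullname)` block start before this hunk.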
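Review bot: The `return;` after `fatal('403 Forbidden', ...)` appears to sit in the top-level `elsif (-f $fullname . ',v')` chain rather than inside a subroutine, unlike the two copies this commit removes from doAnnotate and doCheckout; a file-scope `return` under plain CGI dies with "Can't return outside a subroutine", so the line only behaves under a registry wrapper and is dead whenever fatal() exits. Since the 403 now lives in this one place, any other path into doCheckout or doAnnotate (none is visible in this diff) would no longer be rejected; worth confirming that both subs are reached only through this branch. I would drop the `return;` or add a comment stating that fatal() does not return.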
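Review bot: The forbidden-file check added to findLastModifiedSubdirs strips `,v` into a temporary `$f` and the existing `$filename =~ s/,v$//;` strips it again two lines later. Moving the existing strip above the check removes the temporary while `$file` keeps the `,v` name needed by `-M $file`: `$filename =~ s/,v$//; next if forbidden_file("$fullname/$filename");`. The loop this belongs to starts and ends outside the hunk.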
@@ -1587,12 +1600,6 @@ sub doAnnotate($$) { $ENV{QUERY_STRING}); } - if (&forbidden_file($fullname)) { - fatal("403 Forbidden", - 'Access forbidden. This file is mentioned in @ForbiddenFiles'); - return; - } - ($pathname = $where) =~ s/(Attic\/)?[^\/]*$//; ($filename = $where) =~ s/^.*\///; @@ -1600,16 +1607,27 @@ sub doAnnotate($$) { $| = 1; $| = 0; # Flush + # Work around a mod_perl bug (?) in order to make open2() work. + # Search for "untie STDIN" in mod_perl mailing list archives. + my $old_stdin; + if ($is_mod_perl && ($old_stdin = tied *STDIN)) { + local $^W = undef; + untie *STDIN; + } + # this annotate version is based on the # cvs annotate-demo Perl script by Cyclic Software # It was written by Cyclic Software, http://www.cyclic.com/, and is in # the public domain. # we could abandon the use of rlog, rcsdiff and co using # the cvsserver in a similiar way one day (..after rewrite) - $pid = open2($reader, $writer, $CMD{cvs}, @cvs_options, "server") + $pid = open2($reader, $writer, $CMD{cvs}, @annotate_options, 'server') or fatal("500 Internal Error", 'Fatal Error - unable to open cvs for annotation'); + # Re-tie STDIN if we fiddled around with it earlier, just to be sure. + tie(*STDIN, ref($old_stdin), $old_stdin) if ($old_stdin && !tied(*STDIN)); + # OK, first send the request to the server. A simplified example is: # Root /home/kingdon/zwork/cvsroot # Argument foo/xx @@ -1753,6 +1771,8 @@ sub doAnnotate($$) { } else { print ""; } + html_footer(); + close($reader) or warn "cannot close: $!"; wait; } @@ -1777,12 +1797,6 @@ sub doCheckout($$) { $ENV{QUERY_STRING}); } - if (&forbidden_file($fullname)) { - fatal("403 Forbidden", - 'Access forbidden. This file is mentioned in @ForbiddenFiles'); - return; - } - # get mimetype if (defined($input{"content-type"}) && ($input{"content-type"} =~ /\S\/\S/)) 
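Review bot: `open2(...) or fatal(...)` on the changed line cannot take its `or` branch: IPC::Open2 raises an exception rather than returning false when the fork fails (and, in current versions, when the child's exec fails), so a missing or non-executable `$CMD{cvs}` dies out of the CGI with no HTML error and, more importantly for this hunk, with STDIN left untied because the `tie(*STDIN, ...)` restore is only reached on success. Wrap the call and restore in both paths: `my $ok = eval { $pid = open2($reader, $writer, $CMD{cvs}, @annotate_options, 'server'); 1 };`, then the existing re-tie line, then `fatal("500 Internal Error", 'Fatal Error - unable to open cvs for annotation') unless $ok;`. I cannot tell from the hunk whether `ref($old_stdin)->TIEHANDLE` accepts the old tie object as its argument, so the re-tie is worth exercising under mod_perl; `local $^W = undef;` inside the `if` only covers the `untie`, which looks intentional. doAnnotate's body continues outside the hunk.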
@@ -2101,7 +2115,7 @@ sub getDirLogs($$@) { push (@files, &safeglob("$DirName/*,v")); push (@files, &safeglob("$DirName/Attic/*,v")) if (!$input{'hideattic'}); - foreach $file (@otherFiles) { + foreach my $file (@otherFiles) { push (@files, "$DirName/$file"); } @@ -3317,10 +3331,10 @@ sub chooseCVSRoot() { print "CVS Root: [$cvstree]"; } - print "