===================================================================
RCS file: /cvs/cvsweb/cvsweb.cgi,v
retrieving revision 4.1
retrieving revision 4.13
diff -u -p -r4.1 -r4.13
--- cvsweb/cvsweb.cgi 2019/11/08 21:08:26 4.1
+++ cvsweb/cvsweb.cgi 2019/11/11 12:40:12 4.13
@@ -1,5 +1,5 @@
-#!/usr/bin/perl -T
-# $Id: cvsweb.cgi,v 4.1 2019/11/08 21:08:26 schwarze Exp $
+#!/usr/bin/perl
+# $Id: cvsweb.cgi,v 4.13 2019/11/11 12:40:12 schwarze Exp $
# $knu: cvsweb.cgi,v 1.299 2010/11/13 16:37:18 simon
#
# cvsweb - a CGI interface to CVS trees.
@@ -50,7 +50,6 @@
require 5.006;
use strict;
-
use warnings;
use filetest qw(access);
@@ -65,7 +64,7 @@ use vars qw (
@revisions %state %difflines %log %branchpoint @revorder $keywordsubstitution
$prcgi @prcategories $re_prcategories $prkeyword $re_prkeyword $mancgi
$doCheckout $scriptname $scriptwhere
- $where $Browser $nofilelinks $maycompress @stickyvars %funcline_regexp
+ $where $Browser $nofilelinks $maycompress @stickyvars
$is_links $is_lynx $is_w3m $is_msie $is_mozilla3 $is_textbased
%input $query $barequery $sortby $bydate $byrev $byauthor
$bylog $byfile $defaultDiffType $logsort $cvstree $cvsroot
@@ -87,8 +86,8 @@ use vars qw (
$allow_enscript @enscript_options %enscript_types
);
+require Compress::Zlib;
use Cwd qw(abs_path);
-use File::Basename qw(dirname);
use File::Path qw(rmtree);
use File::Spec::Functions qw(canonpath catdir catfile curdir devnull rootdir
tmpdir updir);
@@ -104,7 +103,6 @@ use constant CVSWEBMARKUP => qr{^text/(x-cvsweb|vnd\.v
use constant LOG_FILESEPR => qr/^={77}$/o;
use constant LOG_REVSEPR => qr/^-{28}$/o;
-use constant HAS_ZLIB => eval { require Compress::Zlib; };
use constant HAS_EDIFF => eval { require String::Ediff; };
# -----------------------------------------------------------------------------
@@ -115,7 +113,7 @@ use constant HAS_EDIFF => eval { require String::Ed
BEGIN
{
- $VERSION = '3.0.6';
+ $VERSION = '3.1';
$HTML_DOCTYPE =
' 'colored',
@@ -259,12 +243,6 @@ $allow_version_select = $allow_mailtos = $allow_log_ex
'opts' => ['-c'],
'colored' => 0,
},
- {
- 'descr' => 'side by side',
- # width=168 should be enough to support 80 character line lengths
- 'opts' => ['--side-by-side', '--width=168'],
- 'colored' => 0,
- },
);
@LOGSORTKEYS = qw(cvs date rev);
@@ -339,7 +317,7 @@ $maycompress = (
&& $ENV{HTTP_ACCEPT_ENCODING} =~ /gzip/)
|| $is_mozilla3)
&& !$is_msie
- && !(defined($ENV{MOD_PERL}) && !HAS_ZLIB)
+ && !(defined($ENV{MOD_PERL}))
);
# Parameters that will be sticky in all constructed links/query strings.
@@ -380,9 +358,17 @@ if (defined($ENV{QUERY_STRING})) {
$p =~ y/+/ /;
my ($key, $val) = split(/=/, $p, 2);
next unless defined($key);
- $val = 1 unless defined($val);
- ($key = uri_unescape($key)) =~ /[[:graph:]]/ or next;
- ($val = uri_unescape($val)) =~ /[[:graph:]]/ or next;
+ $key = uri_unescape($key);
+ $key =~ /([^a-z_12-])/ and fatal('404 Not Found',
+ 'Invalid character "%s" in query parameter "%s"', $1, $key);
+ if (defined $val) {
+ $val = uri_unescape($val);
+ $val =~ /([^a-zA-Z_01-9.\/-])/ and fatal('404 Not Found',
+ 'Invalid character "%s" in the value "%s" of the query parameter "%s"',
+ $1, $value, $key);
+ } else {
+ $val = 1;
+ }
$query{$key} = $val;
}
}
@@ -555,8 +541,8 @@ foreach (@stickyvars) {
}
if ($allow_enscript) {
- push(@DIFFTYPES, qw(uc cc sc));
- @DIFFTYPES{qw(uc cc sc)} = (
+ push(@DIFFTYPES, qw(uc cc));
+ @DIFFTYPES{qw(uc cc)} = (
{
'descr' => 'unified, colored',
'opts' => ['-u'],
@@ -567,12 +553,6 @@ if ($allow_enscript) {
'opts' => ['-c'],
'colored' => 0,
},
- {
- 'descr' => 'side by side, colored',
- # width=168 should be enough to support 80 character line lengths
- 'opts' => ['--side-by-side', '--width=168'],
- 'colored' => 0,
- },
);
} else {
# No Enscript -> respect difftype, but don't offer colorization.
@@ -785,6 +765,7 @@ if ($input{tarball}) {
}
# Clean up.
+ chdir("..");
rmtree($tmpexportdir);
&fatal(@fatal) if @fatal;
@@ -1568,7 +1549,7 @@ sub htmlify($;$)
}{
my($text, $name, $section) = ($1, $2, defined($3) ? $3 : $4);
($name =~ /[A-Za-z]/ && $name !~ /\.(:|$)/)
- ? &link($text, sprintf($mancgi, $section, uri_escape($name)))
+ ? &link($text, sprintf($mancgi, uri_escape($name), $section))
: $text;
}egx;
} $_;
@@ -2319,18 +2300,8 @@ sub doDiff($$$$$$)
my @difftype = @{$difftype->{opts}};
my $human_readable = $difftype->{colored};
- # Apply special diff options. -p and -F are not available with side by side
- # diffs and may cause problems with older (< 2.8) versions of diffutils if
- # used with --side-by-side.
- if ($showfunc && $f !~ /^s/) {
- push(@difftype, '-p');
- while (my ($re1, $re2) = each %funcline_regexp) {
- if ($fullname =~ $re1) {
- push(@difftype, '-F', $re2);
- last;
- }
- }
- }
+ # Apply special diff options.
+ push @difftype, '-p' if $showfunc;
if ($human_readable) {
push(@difftype, '-w') if $hr_ignwhite;
@@ -2956,7 +2927,7 @@ sub printLog($$$;$$)
print "
\n";
print '';
- if (defined @mytz) {
+ if (@mytz) {
my ($est) = $mytz[(localtime($date{$_}))[8]];
print scalar localtime($date{$_}), " $est (";
} else {
@@ -4232,6 +4203,7 @@ sub htmlquote($)
# Special Characters; RFC 1866
s/&/&/g;
s/\"/"/g;
+ s/%22/"/g;
s/</g;
s/>/>/g;
return $_;
@@ -4271,12 +4243,10 @@ sub http_header(;$$)
push(@headers, 'Last-Modified: ' . scalar gmtime($moddate) . ' GMT')
if $moddate;
push(@headers, 'Content-Type: ' . $content_type);
+ push(@headers, "Content-Security-Policy: default-src 'none'; " .
+ "img-src 'self'; style-src 'unsafe-inline'");
if ($allow_compress && $maycompress) {
- if (HAS_ZLIB
- || (defined($CMD{gzip}) && open(GZIP, "| $CMD{gzip} -1 -c")))
- {
-
push(@headers, 'Content-Encoding: gzip');
push(@headers, 'Vary: Accept-Encoding'); # RFC 2616, 14.44
print join("\r\n", @headers) . "\r\n\r\n";
@@ -4284,18 +4254,9 @@ sub http_header(;$$)
$| = 1;
$| = 0; # Flush header output.
- tie(*GZIP, __PACKAGE__, \*STDOUT) if HAS_ZLIB;
+ tie(*GZIP, __PACKAGE__, \*STDOUT);
select(GZIP);
$gzip_open = 1;
-
- } else {
-
- print join("\r\n", @headers) . "\r\n\r\n";
- printf
- 'Unable to find gzip binary in the $command_path (%s
) to compress output
',
- htmlquote(join(':', @command_path));
- }
-
} else {
print join("\r\n", @headers) . "\r\n\r\n";
}
@@ -4463,7 +4424,7 @@ sub TIEHANDLE
crc => 0,
len => 0,
};
- my ($header) = pack("c10",
+ my ($header) = pack("C10",
MAGIC1, MAGIC2, Compress::Zlib::Z_DEFLATED(),
0, 0, 0, 0, 0, 0, OSCODE);
print {$o->{handle}} $header;