CVS log for cvsweb/cvsweb.cgi

Default branch: MAIN
Current tag: FreeBSD-cvsweb-2_0-branch


Revision 3.119.2.25, Tue Nov 12 09:26:20 2019 UTC, by schwarze
Branch: FreeBSD-cvsweb-2_0-branch
Changes since 3.119.2.24: +3 -2 lines

make empty SCRIPT_NAME work as expected

Revision 3.119.2.24, Fri Nov 8 08:51:21 2019 UTC, by schwarze
Branch: FreeBSD-cvsweb-2_0-branch
CVS Tags: cvsweb-2_1
Changes since 3.119.2.23: +5 -5 lines

fix typo in the Content-Security-Policy "image-src",
and no need to allow external style sheets at this time

Revision 3.119.2.23, Thu Nov 7 22:58:18 2019 UTC, by schwarze
Branch: FreeBSD-cvsweb-2_0-branch
Changes since 3.119.2.22: +7 -1 lines

For defense-in-depth against XSS attacks, add a Content-Security-Policy
response header as a second-layer mitigation.  Basic idea suggested
by sthen@.

Revision 3.119.2.22, Thu Nov 7 21:20:44 2019 UTC, by schwarze
Branch: FreeBSD-cvsweb-2_0-branch
Changes since 3.119.2.21: +12 -4 lines

Fix the QUERY_STRING parts of the XSS vulnerabilities found by Ezio Paglia
in a more robust way: do very strict whitelist-based input validation on
the characters occurring in the QUERY_STRING, such that everything
stored in the %input hash table is safe in the first place without
requiring any kind of escaping later.  When finding unexpected characters
in the QUERY_STRING, it is safest to simply error out fatal()ly.
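
The following is an added illustration of the approach described in this commit message and in the later Content-Security-Policy commit (revision 3.119.2.23); it is not code from cvsweb.cgi itself. It parses QUERY_STRING into %input, accepting only a fixed character whitelist per key and value and erroring out fatally on the first unexpected character, then emits a CSP header as the second layer. The character classes, the policy string and the fatal() helper are assumptions chosen for illustration, not the project's actual values.

```perl
#!/usr/bin/perl
# Added example, not cvsweb.cgi's own code: whitelist-based validation
# of QUERY_STRING before anything is stored in %input, plus a CSP
# header as a second layer.  Character classes and the policy string
# are assumptions chosen for illustration.
use strict;
use warnings;

# Characters that may legitimately occur in cvsweb-style query keys
# and values (revision numbers, tags, paths, option names).  Anything
# else, including '<', '>', '"', "'" and '&' inside a value, is rejected.
my $key_re   = qr/^[A-Za-z_][A-Za-z0-9_]*$/;
my $value_re = qr{^[A-Za-z0-9_./\-~@]*$};

# Assumed error helper: refuse the whole request instead of sanitising.
sub fatal {
    my ($msg) = @_;
    print "Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\n$msg\n";
    exit 1;
}

# Parse a QUERY_STRING into a hash.  Rejecting the request on the first
# unexpected character means no later output path has to escape values.
sub parse_query {
    my ($qs) = @_;
    my %input;
    return \%input unless defined $qs && length $qs;
    for my $pair (split /[&;]/, $qs) {
        next unless length $pair;
        my ($k, $v) = split /=/, $pair, 2;
        $v = '' unless defined $v;
        # Percent-decode first so that %3C cannot smuggle a '<' past the check.
        s/%([0-9A-Fa-f]{2})/chr hex $1/ge for ($k, $v);
        fatal("unexpected characters in query key")   unless $k =~ $key_re;
        fatal("unexpected characters in query value") unless $v =~ $value_re;
        $input{$k} = $v;
    }
    return \%input;
}

# Second layer: even if an output path were ever missed, a strict policy
# keeps inline scripts and third-party resources from running.
sub csp_header {
    return "Content-Security-Policy: default-src 'none'; img-src 'self'; style-src 'self'\r\n";
}

my $input = parse_query($ENV{QUERY_STRING});
print csp_header();
print "Content-Type: text/plain\r\n\r\n";
print "$_=$input->{$_}\n" for sort keys %$input;
```

Run it as a CGI with a query such as `r1=1.2&r2=1.3&f=cvsweb.cgi` to see the accepted keys echoed; a value containing `<` or `%3C` produces the 400 response instead.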

Revision 3.119.2.21, Thu Nov 7 17:18:22 2019 UTC, by schwarze
Branch: FreeBSD-cvsweb-2_0-branch
Changes since 3.119.2.20: +6 -11 lines

Partial revert of rev. 3.119.2.15:
The variables $barequery and $query typically contain literal "&"
characters separating multiple variable assignments; the cvsweb.cgi
program itself constructs them that way near the beginning of the
main program.  So they must not be passed through htmlquote() or
the URIs in question get broken.
I will have to fix the XSS issues differently.

Revision 3.119.2.20, Thu Nov 7 10:06:20 2019 UTC, by schwarze
Branch: FreeBSD-cvsweb-2_0-branch
Changes since 3.119.2.19: +2 -1 lines

restore the latest CVS identifier from the ZELLER repository

Revision 3.119.2.19, Thu Nov 7 09:44:35 2019 UTC, by schwarze
Branch: FreeBSD-cvsweb-2_0-branch
Changes since 3.119.2.18: +3 -6 lines

Fix CVS identifiers: remove "FreeBSD" ids that were never functional
in the KNU/SCOP repository, remove "Idaemons" ids that got frozen at
some random point in the history, add "knu" ids reporting the latest revision
from the KNU/SCOP repo merged into this branch, and add "Id" identifiers
to report the current revision in the SCHWARZE repository.

Revision 3.119.2.18, Wed Nov 6 17:14:10 2019 UTC, by schwarze
Branch: FreeBSD-cvsweb-2_0-branch
Changes since 3.119.2.17: +3 -3 lines

bump cvsweb_revision to 2.1

Revision 3.119.2.17, Wed Nov 6 17:11:00 2019 UTC, by schwarze
Branch: FreeBSD-cvsweb-2_0-branch
Changes since 3.119.2.16: +4 -3 lines

two more instances of missing HTML quoting;
candidates found when I quickly scanned the code;
afresh1@ confirmed these two are potentially problematic

Revision 3.119.2.16, Thu Mar 21 23:08:14 2019 UTC, by schwarze
Branch: FreeBSD-cvsweb-2_0-branch
Changes since 3.119.2.15: +5 -4 lines

more XSS prevention; patch from afresh1@;
also triggered by the report from Ezio Paglia

Revision 3.119.2.15, Thu Mar 21 22:58:23 2019 UTC, by schwarze
Branch: FreeBSD-cvsweb-2_0-branch
Changes since 3.119.2.14: +8 -6 lines

Patch from Peter J. Philipp <pjp at centroid dot eu>
to fix some opportunities for XSS;
triggered by a report from Ezio Paglia

Revision 3.119.2.14, Thu Mar 21 19:32:07 2019 UTC, by schwarze
Branch: FreeBSD-cvsweb-2_0-branch
Changes since 3.119.2.13: +2 -2 lines

Switch the order of the name and the section
in the $mancgi configuration variable.
For the new man.openbsd.org URI syntax, the name must come first.
For the old query syntax, both orders work just fine.

Also switch the default man.cgi site to OpenBSD
because FreeBSD no longer uses CVSweb.

Revision 3.119.2.13, Thu Mar 21 16:40:27 2019 UTC, by schwarze
Branch: FreeBSD-cvsweb-2_0-branch
Changes since 3.119.2.12: +2 -2 lines

For more than 15 years, running cvsweb.cgi hasn't been tested
with Perl taint checks, and the following commit message from
patch-cvsweb_cgi rev. 1.11 from the OpenBSD port indicates that
there were already issues with Perl 5.8.
Very likely, things only got worse during all those years.

While re-auditing the whole program for taint safety would certainly
make sense, I'm not going to do that for the legacy 2.0 codebase.
So simply disable taint checks on this branch.  Hopefully, in the
not too distant future, we can get the 4.x trunk into shape, audit
*that*, and then get server admins to upgrade to 4.x.

Relevant part of the original commit message:
date: 2003/08/16 23:18:41;  author: naddy;
* upstream maintainer suggests that we run without taint checks on perl 5.8
* [...]

Revision 3.119.2.12, Thu Mar 21 16:31:46 2019 UTC, by schwarze
Branch: FreeBSD-cvsweb-2_0-branch
Changes since 3.119.2.11: +4 -13 lines

A web server should absolutely run chrooted, so storing a configuration
file below /usr/local/etc/ makes no sense whatsoever.  Also, the
configuration file should certainly not be in a directory where
files can get executed as CGI scripts, so looking in the same
directory as cvsweb.cgi is a bad idea, too.

Considerably simplify things by hardcoding a reasonable location.
The INSTALL file already instructs the user to check this.

Revision 3.119.2.11, Thu Mar 21 16:08:10 2019 UTC, by schwarze
Branch: FreeBSD-cvsweb-2_0-branch
Changes since 3.119.2.10: +2 -2 lines

merge patch-cvsweb_cgi rev. 1.13 from the OpenBSD port

relevant part of the original commit message:
date: 2013/04/07 20:07:24;  author: naddy;
More perl 5.16 fixes:
* [...]
* Fix a deprecation warning.
ok tobias@, sthen@

Revision 3.119.2.10, Thu Mar 21 15:53:09 2019 UTC, by schwarze
Branch: FreeBSD-cvsweb-2_0-branch
Changes since 3.119.2.9: +4 -18 lines

merge patch-cvsweb_cgi rev. 1.10 from the OpenBSD port, tweaked by me

original commit message:
date: 2003/08/16 18:12:10;  author: naddy;
excise functions that require GNU diff; prodding by jolan@

Revision 3.119.2.9, Tue Feb 17 20:16:47 2004 UTC, by scop
Branch: FreeBSD-cvsweb-2_0-branch
Changes since 3.119.2.8: +1 -1 lines

Fix background color of the description column in the directory view.

Submitted by:	nono_99_fr@yahoo.fr
Approved by:	knu

Revision 3.119.2.8, Sun Apr 27 20:33:04 2003 UTC, by scop
Branch: FreeBSD-cvsweb-2_0-branch
Changes since 3.119.2.7: +1 -1 lines

Don't link "man pages" that contain only numbers and punctuation.

Approved by:	knu

Revision 3.119.2.7, Tue Feb 11 11:42:17 2003 UTC, by knu
Branch: FreeBSD-cvsweb-2_0-branch
Changes since 3.119.2.6: +8 -4 lines

Improve man page linking.

Requested by:	Yoshihiko SARUMARU <mistral@imasy.or.jp>

Revision 3.119.2.6, Thu Sep 26 20:56:05 2002 UTC, by scop
Branch: FreeBSD-cvsweb-2_0-branch
CVS Tags: FreeBSD-cvsweb-2_0_6
Changes since 3.119.2.5: +1 -1 lines

Release as FreeBSD-CVSweb 2.0.6.

Approved by:	knu (mentor)

Revision 3.119.2.5, Mon Sep 23 05:30:16 2002 UTC, by scop
Branch: FreeBSD-cvsweb-2_0-branch
Changes since 3.119.2.4: +2 -2 lines

Add new configuration variable, @annotate_options.  One can use this e.g.
to make annotations work against a read-only repository.

Approved by:	knu (mentor)
Idea from:	Debian bug tracking system (#117112)

Revision 3.119.2.4, Fri Aug 16 11:46:06 2002 UTC, by scop
Branch: FreeBSD-cvsweb-2_0-branch
Changes since 3.119.2.3: +2 -1 lines

- Output address only if it's set.
- Add -u to cvs_options by default on NetBSD.

Approved by:	knu (mentor)
Obtained from:	NetBSD

Revision 3.119.2.3, Fri Aug 16 11:43:28 2002 UTC, by scop
Branch: FreeBSD-cvsweb-2_0-branch
Changes since 3.119.2.2: +11 -0 lines

Make annotate work under mod_perl.

Approved by:	knu (mentor)

Revision 3.119.2.2, Sun Aug 4 18:50:12 2002 UTC, by scop
Branch: FreeBSD-cvsweb-2_0-branch
Changes since 3.119.2.1: +2 -0 lines

- Fix annotate HTML output.
- Bring README and TODO up to date regarding the stable branch.

Approved by:	knu (mentor)

Revision 3.119.2.1, Sat Aug 3 11:14:54 2002 UTC, by scop
Branch: FreeBSD-cvsweb-2_0-branch
Changes since 3.119: +29 -36 lines

Escape file names in directory listings.

Approved by:	knu (mentor)

Revision 3.119, Tue Jul 23 13:58:32 2002 UTC, by scop
CVS Tags: FreeBSD-cvsweb-2_0_5
Branch point for: FreeBSD-cvsweb-2_0-branch
Changes since 3.118: +2 -1 lines

Fix diffs between tags.

Approved by:	knu (mentor)
