rpms/html2ps/EL-5 html2ps-1.0b5-ssi_traversal.patch, NONE, 1.1 html2ps.spec, 1.2, 1.3
Petr Pisar
ppisar at fedoraproject.org
Mon May 3 08:49:13 UTC 2010
Author: ppisar
Update of /cvs/pkgs/rpms/html2ps/EL-5
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv15941
Modified Files:
html2ps.spec
Added Files:
html2ps-1.0b5-ssi_traversal.patch
Log Message:
Resolves #530403 - fix SSI directory traversal
html2ps-1.0b5-ssi_traversal.patch:
html2ps | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- NEW FILE html2ps-1.0b5-ssi_traversal.patch ---
commit 8f751cd2b814da09aa98b66478c5d9d3e1f3db9b
Author: Petr Písař <petr.pisar at atlas.cz>
Date: Wed Apr 28 17:33:05 2010 +0200
Fix SSI directory traversal bug
html2ps-1.0b5 allows stepping up with ".." to any directory. See
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=548633>. This flaw has been
fixed by the upstream 1.0b6 version, but that introduced a regression. This patch solves
the bug in a better way.
Because this is a backport, we will not disable SSI by default as upstream did
in the newer version.
diff --git a/html2ps b/html2ps
index c9eb875..ec86bd5 100755
--- a/html2ps
+++ b/html2ps
@@ -2525,7 +2525,8 @@ sub Subst{
while(/<!--#(include|config|echo)\s+(\w+)\s*="([^"]+)"\s*-->/) {
$inc="";
$file=$3;
- if($1 eq "include" && (substr($file,0,1) ne "/" || $opt_r)) {
+ my ($prefix, $suffix) = ($`,$');
+ if($1 eq "include" && ($file !~m"^/|\.\." || $opt_r)) {
if(substr($file,0,1) ne "/") {
$file=$B2.$file;
} elsif($2 eq "virtual") {
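Review bot: the new filter `$file !~m"^/|\.\."` rejects any include whose path contains two consecutive dots anywhere, so a legitimate `notes..old.html` next to the document is dropped together with `../etc/passwd`; if only real traversal is meant, anchor the component, e.g. `m{^/|(^|/)\.\.(/|$)}`. The `my ($prefix, $suffix) = ($`,$');` line has to stay ahead of that match: when the match succeeds (the rejecting case) it replaces `$`` and `$'` and clears `$1`..`$3`, and the `$2 eq "virtual"` test below is only safe because the then-branch is reached when the inner match failed. Note also that `|| $opt_r` still waives the absolute-path check and the `..` check together.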
@@ -2545,7 +2546,7 @@ sub Subst{
} elsif ($1 eq "echo") {
$inc=$var{$3};
}
- $_=$`.$inc.$';
+ $_=$prefix.$inc.$suffix;
}
}
s/(­?|­?|<!--hy-->)/)HY(/g;
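Review bot: `$_=$prefix.$inc.$suffix;` is correct, but nothing in this hunk says why `$`` and `$'` can no longer be used here; a one-line comment that the include-path match added in the condition above overwrites them would save the next backporter a debugging session. For a rejected include `$inc` stays `""`, so the directive is removed from `$_` and the `while` still terminates.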
Index: html2ps.spec
===================================================================
RCS file: /cvs/pkgs/rpms/html2ps/EL-5/html2ps.spec,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -p -r1.2 -r1.3
--- html2ps.spec 16 May 2008 21:16:16 -0000 1.2
+++ html2ps.spec 3 May 2010 08:49:13 -0000 1.3
@@ -1,25 +1,27 @@
Name: html2ps
Version: 1.0
-Release: 0.1.b5%{?dist}.1
+Release: 0.2.b5%{?dist}
Summary: HTML to PostScript converter
Group: Applications/Publishing
License: GPLv2+
-URL: http://user.it.uu.se/~jan/html2ps.html
-Source0: http://user.it.uu.se/~jan/html2ps-1.0b5.tar.gz
+URL: http://user.it.uu.se/~jan/%{name}.html
+Source0: http://user.it.uu.se/~jan/%{name}-1.0b5.tar.gz
Source1: xhtml2ps.desktop
-Patch0: http://ftp.de.debian.org/debian/pool/main/h/html2ps/html2ps_1.0b5-5.diff.gz
+Patch0: http://ftp.de.debian.org/debian/pool/main/h/%{name}/%{name}_1.0b5-5.diff.gz
# use xdg-open in xhtml2ps
-Patch1: html2ps-1.0b5-xdg-open.patch
+Patch1: %{name}-1.0b5-xdg-open.patch
# patch config file from debian to use dvips, avoid using weblint
# don't set letter as default page type, paperconf will set the default
-Patch2: html2ps-1.0b5-config.patch
+Patch2: %{name}-1.0b5-config.patch
+# Backport security fix from 1.0b6 but do not inhibit SSI (#530403)
+Patch3: %{name}-1.0b5-ssi_traversal.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch: noarch
BuildRequires: desktop-file-utils
-# libpaper is required for paperconf
-Requires: tetex tetex-dvips ghostscript libpaper
+# Depend on paperconf directly (instead of libpaper package) for rpmlint sake
+Requires: tetex tetex-dvips ghostscript /usr/bin/paperconf
# not autodetected since they are called by require not at the beginning of
# line
Requires: perl(LWP::UserAgent) perl(HTTP::Cookies) perl(HTTP::Request)
@@ -34,13 +36,13 @@ An HTML to PostScript converter written
%package -n xhtml2ps
-Summary: GUI frontend for html2ps
+Summary: GUI front-end for html2ps
Group: User Interface/X
Requires: html2ps = %{version}-%{release}
Requires: xdg-utils
%description -n xhtml2ps
-X-html2ps is freely-available GUI frontend for html2ps, a HTML-to-PostScript
+X-html2ps is freely-available GUI front-end for html2ps, a HTML-to-PostScript
converter.
@@ -49,6 +51,7 @@ converter.
%patch0 -p1
%patch1 -p1 -b .xdg-open
%patch2 -p1 -b .config
+%patch3 -p1 -b .ssi_traversal
# convert README to utf8
iconv -f latin1 -t utf8 < README > README.utf8
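Review bot: `%patch3 -p1 -b .ssi_traversal` leaves a `html2ps.ssi_traversal` backup in the source tree; worth confirming that %install copies `html2ps` by name and not by glob, otherwise the unpatched script ends up in the package.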
@@ -96,11 +99,18 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man5/html2psrc.5*
%files -n xhtml2ps
+%defattr(-,root,root,-)
%doc contrib/xhtml2ps/README contrib/xhtml2ps/LICENSE
%{_bindir}/xhtml2ps
%{_datadir}/applications/*xhtml2ps.desktop
%changelog
+* Mon May 3 2010 Petr Pisar <ppisar at redhat.com> - 1.0-0.2.b5
+- Fix SSI directory traversal (#530403)
+- Fix spelling
+- Default attributes for xhtml2ps %%files
+- Replace libpaper dependency with paperconf binary to make rpmlint happy
+
* Fri May 16 2008 Patrice Dumas <pertusus at free.fr> 1.0-0.1.b5.1
- in EL use tetex requires
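The include-path filter from the html2ps hunk above, as an added example that is not html2ps code and not part of this package: it runs the patch's check and an anchored alternative over a few constructed include paths, and replays the patched Subst loop with and without the $prefix/$suffix capture so the effect of the new inline match on $` and $' can be seen. $opt_r is taken as a plain argument, $B2 is modelled as $base, the file read is a stand-in callback, and the anchored regex is a reviewer's suggestion, not upstream's.

```perl
#!/usr/bin/perl
# Added example, not html2ps or Fedora package code.
use strict;
use warnings;

# The check as the patch writes it: reject an absolute path or ".." anywhere.
# html2ps's $opt_r is passed in as a plain argument here.
sub allowed_by_patch {
    my ($file, $opt_r) = @_;
    return ($file !~ m"^/|\.\." || $opt_r) ? 1 : 0;
}

# Anchored variant (reviewer's suggestion, not from the patch): ".." counts
# only as a whole path component, so "notes..old.html" passes, "a/../b" not.
sub allowed_anchored {
    my ($file, $opt_r) = @_;
    return ($file !~ m{^/|(?:^|/)\.\.(?:/|$)} || $opt_r) ? 1 : 0;
}

# Replay of the patched Subst loop for <!--#include file="..."-->.
# $base stands in for html2ps's $B2, $read for the file read.  With
# $save_fix off, the pre-patch assignment $_=$`.$inc.$' is kept, which shows
# why the patch captures $prefix/$suffix before the new inline match.
sub expand_includes {
    my ($html, $base, $opt_r, $save_fix, $read) = @_;
    local $_ = $html;
    while (/<!--#include\s+(\w+)\s*="([^"]+)"\s*-->/) {
        my $file = $2;
        my ($prefix, $suffix) = ($`, $');
        my $inc = "";
        # Inline, exactly as in the patch: when this match succeeds (the
        # rejecting case) it replaces $` and $' and clears $1 and $2.
        if ($file !~ m"^/|\.\." || $opt_r) {
            $inc = $read->($base . $file);
        }
        $_ = $save_fix ? $prefix.$inc.$suffix : $`.$inc.$';
    }
    return $_;
}

# Constructed stand-in for reading the included file.
my $fake_read = sub { "<<" . $_[0] . ">>" };

# Constructed include paths: two legitimate, two traversal attempts.
for my $f ("header.html", "../../../etc/passwd", "notes..old.html", "/etc/passwd") {
    printf "%-22s patch=%d anchored=%d\n",
        $f, allowed_by_patch($f, 0), allowed_anchored($f, 0);
}

# Constructed documents run through the replayed loop.
my $ok  = 'A<!--#include file="header.html"-->B';
my $bad = 'A<!--#include file="../../../etc/passwd"-->B';
print expand_includes($ok,  "/srv/www/", 0, 1, $fake_read), "\n";
print expand_includes($bad, "/srv/www/", 0, 1, $fake_read), "\n";
print expand_includes($bad, "/srv/www/", 0, 0, $fake_read), "\n";
```

Run with `perl`: the table shows `notes..old.html` rejected by the patch's check but accepted by the anchored one, which is the over-match raised in review. The last three lines show the legitimate include expanded, the traversal directive dropped so the document reads `AB`, and, with the capture disabled, the whole document replaced by `/../../etc/passwd`, the postmatch of the inner `..` match on the file name.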