Your message dated Tue, 04 Nov 2008 11:32:09 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#498542: fixed in darcs 2.1.0-1
has caused the Debian Bug report #498542,
regarding darcs-server: Doesn't work with Perl 5.10's stricter taint checks
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
498542: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=498542
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: darcs-server
Version: 2.0.2-2
Severity: important

The heart of this package is a Perl CGI script.

Perl's taint checking has become stricter between 5.8 and 5.10:
  perl#45671: printf should check taintedness of its template
  http://rt.perl.org/rt3/Public/Bug/Display.html?id=45671

In this CGI script, $name is tainted in:
  line 231: printf $fh qq(  <$type name="$name" modified="$mtime" ts="$ts" />\n);
  line 250: printf $fh qq(  <repository name="$name" />\n);

With those two fixed, it's showing the list of repositories, but only giving
a blank page when I browse in to them.  I'll log another bug if I work out
what else is wrong.

There are other printfs in it that look problematic, but I'm not hitting them yet.

darcs-server appears to be completely broken with Perl 5.10.  Setting this
bug non-RC as it shares the source package with the main darcs binary.

Steve

Two patches attached - one fixes the printfs that I have hit, one should fix
a couple of others which look problematic, but I haven't hit them yet.
Please remember that it's not working properly for me yet.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (990, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26 (SMP w/1 CPU core; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages darcs-server depends on:
ii  darcs                         2.0.2-2    an advanced revision control syste
ii  sudo                          1.6.9p17-1 Provide limited super user privile
ii  xsltproc                      1.1.24-2   XSLT command line processor

Versions of packages darcs-server recommends:
ii  apache2                       2.2.9-7    Apache HTTP Server metapackage
ii  apache2-mpm-worker [httpd]    2.2.9-7    Apache HTTP Server - high speed th
ii  exim4                         4.69-6     metapackage to ease Exim MTA (v4) 
ii  exim4-daemon-light [mail-tran 4.69-6     lightweight Exim MTA (v4) daemon
ii  gnupg                         1.4.9-3    GNU privacy guard - a free PGP rep

darcs-server suggests no packages.

-- no debconf information
Thu Sep 11 00:06:59 BST 2008  Steve Cotton <[EMAIL PROTECTED]>
  * insecure printfs - fix the two that I can currently hit
diff -rN -u old-unstable/tools/cgi/darcs.cgi.in 
new-unstable/tools/cgi/darcs.cgi.in
--- old-unstable/tools/cgi/darcs.cgi.in 2008-09-11 00:13:35.000000000 +0100
+++ new-unstable/tools/cgi/darcs.cgi.in 2008-09-11 00:13:35.000000000 +0100
@@ -228,7 +228,7 @@
          } else {
              ($name, $type) = (basename($file), 'file');
          }
-         printf $fh qq(  <$type name="$name" modified="$mtime" ts="$ts" />\n);
+         print $fh qq(  <$type name="$name" modified="$mtime" ts="$ts" />\n);
     }
     closedir(DH);
     print $fh "</files>\n";
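Review bot: replacing printf with print makes the 5.10 taint check go away, and it also removes a real hazard in the `-` line, where `$name` was interpolated into the template before printf parsed it, so a `%` in a directory entry would have been read as a conversion; but `$name`, `$type`, `$mtime` and `$ts` are still dropped into XML attributes unescaped, so an entry containing `"`, `<` or `&` still yields malformed output. Either escape the value first, or keep printf with a literal template and pass the data as arguments, e.g. `printf $fh qq(  <%s name="%s" modified="%s" ts="%s" />\n), $type, $name, $mtime, $ts;`, which is also what the taint check is really asking for.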
@@ -247,7 +247,7 @@
     while( defined (my $name = readdir(DH)) ) {
         next if $name =~ /^\.\.?$/;
         if (-d "$repository_root/$name/_darcs") {
-            printf $fh qq(  <repository name="$name" />\n);
+            print $fh qq(  <repository name="$name" />\n);
         }
     }
     closedir(DH);
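Review bot: the same escaping gap as the `<file>` line above applies here: `$name` comes straight from readdir() and is interpolated into `name="..."` with nothing more than the `.`/`..` filter on it, so the taint error is gone but the document is only as well-formed as the repository names. One small XML-attribute escape helper used in both places would close that, and would keep the two lines from drifting apart again.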

Thu Sep 11 00:08:32 BST 2008  Steve Cotton <[EMAIL PROTECTED]>
  * insecure printfs - fix the two that I have not yet hit
diff -rN -u old-unstable/tools/cgi/darcs.cgi.in 
new-unstable/tools/cgi/darcs.cgi.in
--- old-unstable/tools/cgi/darcs.cgi.in 2008-09-11 00:13:48.000000000 +0100
+++ new-unstable/tools/cgi/darcs.cgi.in 2008-09-11 00:13:48.000000000 +0100
@@ -139,10 +139,10 @@
     my ($fh, $repo, $dir, $file) = @_;
     my ($full_path, $path) = '/';
 
-    printf $fh qq(<?xml version="1.0" encoding="$xml_encoding"?>\n);
+    print $fh qq(<?xml version="1.0" encoding="$xml_encoding"?>\n);
 
-    printf $fh qq(<darcs repository="$repo" target="%s/%s%s">\n),
-        $repo, ($dir ? "$dir/" : ''), ($file ? "$file" : '');
+    print $fh qq(<darcs repository="$repo" target="), $repo, "/",
+        ($dir ? "$dir/" : ''), ($file ? "$file" : ''), qq(">\n);
 
     print $fh qq(<path>\n);
     foreach $path (split('/', "$repo/$dir")) {
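Review bot: the rewritten print reproduces the old printf output exactly (`target="$repo/$dir/$file"` with the same conditional slashes), so the behaviour is preserved, but the list of fragments with a bare `"/"` in the middle is easy to misread when the line is next touched; building the target with a literal template (`sprintf '%s/%s%s', $repo, ($dir ? "$dir/" : ''), ($file ? $file : '')`) and interpolating the result would be clearer and equally taint-safe. Note that `$repo`, `$dir` and `$file` still reach the attribute unescaped, the same concern as in the other two hunks; the `encoding="$xml_encoding"` change in the first pair of lines carries no tainted data and is fine as a consistency fix.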


--- End Message ---
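As an added example (not code from darcs.cgi.in or the Debian package) of the shape both patches are reaching for: the template handed to sprintf is a literal, so the 5.10 taint check never sees a tainted format and a `%` in a filename is plain data, and every value is XML-escaped before it lands in an attribute. The element layout mirrors the hunks above; `xml_attr`, `file_element` and `repository_element` are helper names chosen here, and the directory is read from @ARGV so it is tainted under `perl -T`, just as readdir() results are in the CGI script.

```perl
# Added example, not code from darcs.cgi.in: emit the <file .../> and
# <repository .../> lines under taint mode with a literal printf template
# and XML-escaped attribute values. Run as: perl -T emit.pl [directory]
use strict;
use warnings;
use File::Basename qw(basename);
use Scalar::Util qw(tainted);

# Escape the characters that can end or alter an XML attribute value,
# so a directory entry such as foo"><x/> cannot break the document.
sub xml_attr {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

# The template is a string literal, so it is never tainted and a '%' in a
# filename is data, not a conversion; the name travels only as an argument.
sub file_element {
    my ($type, $name, $mtime, $ts) = @_;
    return sprintf qq(  <%s name="%s" modified="%s" ts="%s" />\n),
        $type, xml_attr($name), $mtime, xml_attr($ts);
}

sub repository_element {
    my ($name) = @_;
    return sprintf qq(  <repository name="%s" />\n), xml_attr($name);
}

# Constructed input: the directory comes from @ARGV, which is tainted
# under -T just as readdir() results are in the CGI script.
my $root = shift @ARGV // '.';
opendir(my $dh, $root) or die "opendir $root: $!";
while (defined(my $name = readdir($dh))) {
    next if $name =~ /^\.\.?$/;
    my $full  = "$root/$name";
    my $mtime = (stat $full)[9] // 0;
    warn "note: '$name' is tainted\n" if tainted($name);
    if (-d "$full/_darcs") {
        print repository_element($name);
    } else {
        my $type = -d $full ? 'dir' : 'file';
        print file_element($type, basename($name), $mtime, scalar localtime $mtime);
    }
}
closedir($dh);
```

Point it at a directory holding a few files and one `_darcs` subdirectory to see both element kinds; the `warn` lines on stderr confirm the names really are tainted while the output is still produced.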
--- Begin Message ---
Source: darcs
Source-Version: 2.1.0-1

We believe that the bug you reported is fixed in the latest version of
darcs, which is due to be installed in the Debian FTP archive:

darcs_2.1.0-1.diff.gz
  to pool/main/d/darcs/darcs_2.1.0-1.diff.gz
darcs_2.1.0-1.dsc
  to pool/main/d/darcs/darcs_2.1.0-1.dsc
darcs_2.1.0-1_i386.deb
  to pool/main/d/darcs/darcs_2.1.0-1_i386.deb
darcs_2.1.0.orig.tar.gz
  to pool/main/d/darcs/darcs_2.1.0.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Trent W. Buck <[EMAIL PROTECTED]> (supplier of updated darcs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])



Format: 1.8
Date: Sun, 19 Oct 2008 13:48:20 +1100
Source: darcs
Binary: darcs
Architecture: source i386
Version: 2.1.0-1
Distribution: unstable
Urgency: low
Maintainer: Petr Rockai <[EMAIL PROTECTED]>
Changed-By: Trent W. Buck <[EMAIL PROTECTED]>
Description: 
 darcs      - a distributed, interactive, smart revision control system
Closes: 339770 458629 462917 486192 489131 491875 494109 498542
Changes: 
 darcs (2.1.0-1) unstable; urgency=low
 .
   * New upstream release.
     * Manpage patch included upstream, so remove patch support.
       It can be re-added later if necessary.
     * Warn user when remote host has darcs1 (Closes: #494109).
     * fix fix_filepath to work with --repodir (Closes: #458629).
     * darcs trackdown --set-scripts-executable (Closes: #462917).
   * Abolish darcs-server binary package
     (Closes: #498542, #489131, #339770, #486192).
   * Symlink identical HTML files (Closes: #491875).
   * Adopt "standard" copyright file format.
     Note that this patch only changes the format!  The
     copyright and license information still needs to be
     checked against current releases of Darcs; corrections
     will be a separate patch.
   * Correctly munge prerelease version strings.
   * control:
     * fix VCS URL.
     * enable DMs listed in Uploaders to upload directly.  For more
       information, see http://wiki.debian.org/Maintainers
     * refactor description field based on darcs homepage.
     * bump Standards-Version to 3.8.0.
       Add a Homepage field.
       Hard-wrap long fields (Uploads, Build-Depends) for readability.
     * Bump debhelper dependency so debian/clean works.




--- End Message ---