Hi, I attached a patch which includes the upstream fix. Building was tested with pbuilder in amd64 jessie.
Regards, Reiner
diff --git a/debian/changelog b/debian/changelog index b4d193f..d4ec757 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +git (1:2.1.3-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * Added patch for gitweb.perl to acknowledge usage of + CGI::param() in list context, which is considered dangerous. + This lets test t9500-gitweb-standalone-no-errors.sh pass + and fixes FTBFS (Closes: #770655). + + -- Reiner Herrmann <rei...@reiner-h.de> Wed, 10 Dec 2014 19:02:55 +0100 + git (1:2.1.3-1) unstable; urgency=low * new upstream point release. diff --git a/debian/patches/gitweb_cgi_param.patch b/debian/patches/gitweb_cgi_param.patch new file mode 100644 index 0000000..b4448e7 --- /dev/null +++ b/debian/patches/gitweb_cgi_param.patch 
@@ -0,0 +1,59 @@ +From: Jeff King <p...@peff.net> +Subject: gitweb: hack around CGI's list-context param() handling + + As of CGI.pm's 4.08 release, the behavior to call + CGI::param() in a list context is deprecated (because it can + be potentially unsafe if called inside a hash constructor). + This causes gitweb to issue a warning for some of our code, + which in turn causes the tests to fail. + + Our use is in fact _not_ one of the dangerous cases, as we + are intentionally using a list context. The recommended + route by 4.08 is to use the new CGI::multi_param() call to + make it explicit that we know what we are doing. + However, that function is only available in 4.08, which is + about a month old; we cannot rely on having it. + + One option would be to set $CGI::LIST_CONTEXT_WARN globally, + which turns off the warning. However, that would eliminate + the protection these newer releases are trying to provide. + We want to annotate each site as OK using the new function. + + So instead, let's check whether CGI provides the + multi_param() function, and if not, provide an + implementation that just wraps param(). That will work on + both old and new versions of CGI. Sadly, we cannot just + check defined(\&CGI::multi_param), because CGI uses the + autoload feature, which claims that all functions are + defined. Instead, we just do a version check. + + Signed-off-by: Jeff King <p...@peff.net> + 
Signed-off-by: Junio C Hamano <gits...@pobox.com> + +Origin: upstream, https://github.com/git/git/commit/13dbf46a397260675a16b506314b0b2ed9713bbb +Bug-Debian: https://bugs.debian.org/770655 + +diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl +index ccf7516..7a5b23a 100755 +--- a/gitweb/gitweb.perl ++++ b/gitweb/gitweb.perl +@@ -20,6 +20,10 @@ use File::Basename qw(basename); + use Time::HiRes qw(gettimeofday tv_interval); + binmode STDOUT, ':utf8'; + ++if (!defined($CGI::VERSION) || $CGI::VERSION < 4.08) { ++ eval 'sub CGI::multi_param { CGI::param(@_) }' ++} ++ + our $t0 = [ gettimeofday() ]; + our $number_of_git_cmds = 0; + +@@ -871,7 +875,7 @@ sub evaluate_query_params { + + while (my ($name, $symbol) = each %cgi_param_mapping) { + if ($symbol eq 'opt') { +- $input_params{$name} = [ map { decode_utf8($_) } $cgi->param($symbol) ]; ++ $input_params{$name} = [ map { decode_utf8($_) } $cgi->multi_param($symbol) ]; + } else { + $input_params{$name} = decode_utf8($cgi->param($symbol)); + } diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..f14c20f --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +gitweb_cgi_param.patch
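Review bot: In the debian/changelog hunk, the entry "acknowledge usage of CGI::param() in list context, which is considered dangerous" can be read as saying gitweb's own call is dangerous, while the included upstream message states that this use is "_not_ one of the dangerous cases" and is intentionally list context. Suggest rewording so the entry says the call site is marked as an intentional list-context use via multi_param(), which silences the CGI 4.08 deprecation warning that made t9500-gitweb-standalone-no-errors.sh fail.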
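Review bot: In the gitweb.perl hunk at line 20, the result of `eval 'sub CGI::multi_param { CGI::param(@_) }'` is never checked, and the code has no comment explaining why it tests `$CGI::VERSION` rather than whether the function is defined. If the string failed to compile, the error in `$@` would be dropped silently, so consider following the eval with a check such as `die $@ if $@;`. The reason for the version test (CGI's autoload makes every function look defined) is given only in the commit message; a one-line comment above the `if` would keep someone from later replacing it with a `defined(&CGI::multi_param)` check.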
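Review bot: In the evaluate_query_params hunk, only the 'opt' branch is annotated; the else branch still passes `$cgi->param($symbol)` directly as an argument to `decode_utf8(...)`, and whether that call is evaluated in scalar context depends on decode_utf8's prototype, which is not visible in this diff. Since the point of the change is to mark every call site explicitly, consider writing `decode_utf8(scalar($cgi->param($symbol)))` there so the single-value intent is stated in the code and does not trigger the same list-context warning.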