Hello, I've uploaded the package fixing the CVE-2007-1405 and CVE-2007-1406 issues, together with a fix for a typo in debian/copyright. Please find the interdiff attached.
debian/patches/02_CVE-2007-1405_CVE-2007-1406.dpatch | 115 +++++++++++++++++++ trac-0.10.3/debian/changelog | 8 + trac-0.10.3/debian/copyright | 2 trac-0.10.3/debian/patches/00list | 1 4 files changed, 125 insertions(+), 1 deletion(-)
diff -u trac-0.10.3/debian/copyright trac-0.10.3/debian/copyright
--- trac-0.10.3/debian/copyright
+++ trac-0.10.3/debian/copyright
@@ -3,7 +3,7 @@
 Trac can be downloaded from:
 http://projects.edgewall.com/trac/wiki/TracDownload
 
-Tras is licensed under a modified BSD license, which follows:
+Trac is licensed under a modified BSD license, which follows:
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions
diff -u trac-0.10.3/debian/changelog trac-0.10.3/debian/changelog
--- trac-0.10.3/debian/changelog
+++ trac-0.10.3/debian/changelog
@@ -1,3 +1,11 @@
+trac (0.10.3-1etch1) stable; urgency=low
+
+  * Add 02_CVE-2007-1405_CVE-2007-1406.dpatch patch to fix CVE-2007-1405
+    and CVE-2007-1406 security issues. (Closes: #414134, #420219)
+  * Fixed typo in debian/copyright. (Closes: #422409)
+
+ -- Otavio Salvador <[EMAIL PROTECTED]>  Wed, 23 May 2007 21:18:41 -0300
+
 trac (0.10.3-1) unstable; urgency=low
 
   * New upstream upload. Final 0.10.3 release that will hopefully make it into
diff -u trac-0.10.3/debian/patches/00list trac-0.10.3/debian/patches/00list
--- trac-0.10.3/debian/patches/00list
+++ trac-0.10.3/debian/patches/00list
@@ -1,0 +2 @@
+02_CVE-2007-1405_CVE-2007-1406
only in patch2:
unchanged:
--- trac-0.10.3.orig/debian/patches/02_CVE-2007-1405_CVE-2007-1406.dpatch
+++ trac-0.10.3/debian/patches/02_CVE-2007-1405_CVE-2007-1406.dpatch
@@ -0,0 +1,115 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 02_CVE-2007-1405_CVE-2007-1406_issue.dpatch by Luis Matos <[EMAIL PROTECTED]>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fixes CVE-2007-1405, CVE-2007-1406, closing #414134, #420219.
+
[EMAIL PROTECTED]@
+
+--- trac-0.10.3.orig/trac/attachment.py 2007-05-24 01:31:24.000000000 +0100
++++ trac-0.10.3/trac/attachment.py 2007-05-24 01:32:12.000000000 +0100
+@@ -291,10 +291,10 @@
+ 
+     render_unsafe_content = BoolOption('attachment', 'render_unsafe_content',
+         'false',
+-        """Whether non-binary attachments should be rendered in the browser, or
++        """Whether attachments should be rendered in the browser, or
+         only made downloadable.
+ 
+-        Pretty much any text file may be interpreted as HTML by the browser,
++        Pretty much any file may be interpreted as HTML by the browser,
+         which allows a malicious user to attach a file containing cross-site
+         scripting attacks.
+ 
+@@ -555,22 +555,24 @@
+         # Eventually send the file directly
+         format = req.args.get('format')
+         if format in ('raw', 'txt'):
+-            if not self.render_unsafe_content and not binary:
+-                # Force browser to download HTML/SVG/etc pages that may
+-                # contain malicious code enabling XSS attacks
+-                req.send_header('Content-Disposition', 'attachment;' +
+-                                'filename=' + attachment.filename)
+-            if not mime_type or (self.render_unsafe_content and \
+-                                 not binary and format == 'txt'):
+-                mime_type = 'text/plain'
++            if not self.render_unsafe_content:
++                # Force browser to download files instead of rendering
++                # them, since they might contain malicious code enabling
++                # XSS attacks
++                req.send_header('Content-Disposition', 'attachment')
++            if format == 'txt':
++                mime_type = 'text/plain'
++            elif not mime_type:
++                mime_type = 'application/octet-stream'
+             if 'charset=' not in mime_type:
+                 charset = mimeview.get_charset(str_data, mime_type)
+                 mime_type = mime_type + '; charset=' + charset
++
+             req.send_file(attachment.path, mime_type)
+ 
+         # add ''Plain Text'' alternate link if needed
+-        if self.render_unsafe_content and not binary and \
+-           mime_type and not mime_type.startswith('text/plain'):
++        if (self.render_unsafe_content and
++            mime_type and not mime_type.startswith('text/plain')):
+             plaintext_href = attachment.href(req, format='txt')
+             add_link(req, 'alternate', plaintext_href, 'Plain Text',
+                      mime_type)
+diff -ur trac-0.10.3.orig/trac/mimeview/api.py trac-0.10.3/trac/mimeview/api.py
+--- trac-0.10.3.orig/trac/mimeview/api.py 2007-05-24 01:31:24.000000000 +0100
++++ trac-0.10.3/trac/mimeview/api.py 2007-05-24 01:32:12.000000000 +0100
+@@ -604,8 +604,8 @@
+                                                         content, selector)
+         req.send_response(200)
+         req.send_header('Content-Type', output_type)
+-        req.send_header('Content-Disposition', 'filename=%s.%s' % (filename,
+-                                                                   ext))
++        req.send_header('Content-Disposition', 'attachment; filename=%s.%s' %
++                        (filename, ext))
+         req.end_headers()
+         req.write(content)
+         raise RequestDone
+diff -ur trac-0.10.3.orig/trac/versioncontrol/web_ui/browser.py trac-0.10.3/trac/versioncontrol/web_ui/browser.py
+--- trac-0.10.3.orig/trac/versioncontrol/web_ui/browser.py 2007-05-24 01:31:24.000000000 +0100
++++ trac-0.10.3/trac/versioncontrol/web_ui/browser.py 2007-05-24 01:32:12.000000000 +0100
+@@ -21,7 +21,7 @@
+ from fnmatch import fnmatchcase
+ 
+ from trac import util
+-from trac.config import ListOption, Option
++from trac.config import ListOption, BoolOption, Option
+ from trac.core import *
+ from trac.mimeview import Mimeview, is_binary, get_mimetype
+ from trac.perm import IPermissionRequestor
+@@ -57,6 +57,18 @@
+         glob patterns, i.e. "*" can be used as a wild card)
+         (''since 0.10'')""")
+ 
++    render_unsafe_content = BoolOption('browser', 'render_unsafe_content',
++        'false',
++        """Whether attachments should be rendered in the browser, or
++        only made downloadable.
++
++        Pretty much any file may be interpreted as HTML by the browser,
++        which allows a malicious user to attach a file containing cross-site
++        scripting attacks.
++
++        For public sites where anonymous users can create attachments it is
++        recommended to leave this option disabled (which is the default).""")
++
+     # INavigationContributor methods
+ 
+     def get_active_navigation_item(self, req):
+@@ -216,6 +228,11 @@
+                             format == 'txt' and 'text/plain' or mime_type)
+             req.send_header('Content-Length', node.content_length)
+             req.send_header('Last-Modified', http_date(node.last_modified))
++            if not self.render_unsafe_content:
++                # Force browser to download files instead of rendering
++                # them, since they might contain malicious code enabling
++                # XSS attacks
++                req.send_header('Content-Disposition', 'attachment')
+             req.end_headers()
+ 
+             while 1:
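Review bot: In the trac/mimeview/api.py part of the dpatch, the new `Content-Disposition` header still interpolates `filename` unquoted via `'attachment; filename=%s.%s' % (filename, ext)`; if that name can derive from request data (it is a parameter of the enclosing method, whose definition starts outside this hunk, so I cannot confirm its origin here), a value containing `"`, `;` or CR/LF yields a malformed or split header that a browser may ignore, which would defeat the forced download this patch relies on. Sanitizing before formatting, e.g. `safe_name = filename.replace('"', '').replace('\r', '').replace('\n', '')` and `req.send_header('Content-Disposition', 'attachment; filename="%s.%s"' % (safe_name, ext))`, keeps the header well-formed without changing the normal case. Separately, the `render_unsafe_content` docstring added to browser.py is copied verbatim from attachment.py and talks about attaching files, although this option governs files served by the repository browser; `"""Whether files from the repository browser should be rendered in the browser, or only made downloadable."""` would describe the option it actually belongs to. The methods enclosing all three inner code hunks start and end outside this hunk.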
-- O T A V I O S A L V A D O R --------------------------------------------- E-mail: [EMAIL PROTECTED] UIN: 5906116 GNU/Linux User: 239058 GPG ID: 49A5F855 Home Page: http://otavio.ossystems.com.br --------------------------------------------- "Microsoft sells you Windows ... Linux gives you the whole house."