author | Aaron Walker <ka0ttic@gentoo.org> | 2005-03-11 17:43:26 +0000 |
---|---|---|
committer | Aaron Walker <ka0ttic@gentoo.org> | 2005-03-11 17:43:26 +0000 |
commit | 2e064bf8e36bbc3b3692909dedfe9d8383255d7e (patch) | |
tree | a051bf7afffc42189455fef63129c375d67bdae8 /www-apps | |
parent | ne version (diff) | |
Version bump; added patch to fix weak file extension validation (see bug 84570) until upstream releases a new version.
(Portage version: 2.0.51.19)
Diffstat (limited to 'www-apps')
-rw-r--r-- | www-apps/xoops/ChangeLog | 11 | ||||
-rw-r--r-- | www-apps/xoops/Manifest | 9 | ||||
-rw-r--r-- | www-apps/xoops/files/digest-xoops-2.0.9.2 | 1 | ||||
-rw-r--r-- | www-apps/xoops/files/xoops-2.0.9.2-fix-file-ext-validation.diff | 273 | ||||
-rw-r--r-- | www-apps/xoops/xoops-2.0.9.2.ebuild | 37 |
5 files changed, 326 insertions, 5 deletions
diff --git a/www-apps/xoops/ChangeLog b/www-apps/xoops/ChangeLog index d921c446ca57..c5ca36b5bc2a 100644 --- a/www-apps/xoops/ChangeLog +++ b/www-apps/xoops/ChangeLog @@ -1,6 +1,13 @@ # ChangeLog for www-apps/xoops -# Copyright 1999-2004 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/www-apps/xoops/ChangeLog,v 1.2 2004/10/18 12:32:56 dholm Exp $ +# Copyright 1999-2005 Gentoo Foundation; Distributed under the GPL v2 +# $Header: /var/cvsroot/gentoo-x86/www-apps/xoops/ChangeLog,v 1.3 2005/03/11 17:43:26 ka0ttic Exp $ + +*xoops-2.0.9.2 (11 Mar 2005) + + 11 Mar 2005; Aaron Walker <ka0ttic@gentoo.org> + +files/xoops-2.0.9.2-fix-file-ext-validation.diff, +xoops-2.0.9.2.ebuild: + Version bump; added patch to fix weak file extension validation (see bug + 84570) until upstream releases a new version. 18 Oct 2004; David Holm <dholm@gentoo.org> xoops-2.0.7.3.ebuild: Added to ~ppc. diff --git a/www-apps/xoops/Manifest b/www-apps/xoops/Manifest index a98ce11327dd..d14aeae70dbd 100644 --- a/www-apps/xoops/Manifest +++ b/www-apps/xoops/Manifest @@ -1,5 +1,8 @@ -MD5 37c4d05cd9443a3b985233810e9dd469 ChangeLog 502 -MD5 f61bfa064e3acdfcd826e4a38b121196 metadata.xml 161 +MD5 fde199d663dc1c3d2a98dca723317c34 xoops-2.0.9.2.ebuild 1121 MD5 ddf09d8b137bd0a52811cecf3f3d0ca6 xoops-2.0.7.3.ebuild 1041 -MD5 9b1db386f585147b9692a8c6b62dc574 files/digest-xoops-2.0.7.3 63 +MD5 71587baee36f42e7958c1dcbe5ba53f2 ChangeLog 781 +MD5 f61bfa064e3acdfcd826e4a38b121196 metadata.xml 161 MD5 5e4fc169f3bd7008c2fb1ac862675cae files/postinstall-en.txt 227 +MD5 a9ba3f7c610e345bd07f5c8b6964dc33 files/xoops-2.0.9.2-fix-file-ext-validation.diff 9322 +MD5 9b1db386f585147b9692a8c6b62dc574 files/digest-xoops-2.0.7.3 63 +MD5 b764bcab4a4628d34a4bc65f693f35bc files/digest-xoops-2.0.9.2 66 diff --git a/www-apps/xoops/files/digest-xoops-2.0.9.2 b/www-apps/xoops/files/digest-xoops-2.0.9.2 new file mode 100644 index 000000000000..2381276bf7f5 --- /dev/null 
+++ b/www-apps/xoops/files/digest-xoops-2.0.9.2 @@ -0,0 +1 @@ +MD5 10c620da751aa1b709b2b6f7985021c2 xoops-2.0.9.2.tar.gz 1118423 diff --git a/www-apps/xoops/files/xoops-2.0.9.2-fix-file-ext-validation.diff b/www-apps/xoops/files/xoops-2.0.9.2-fix-file-ext-validation.diff new file mode 100644 index 000000000000..3e3335fc574e --- /dev/null +++ b/www-apps/xoops/files/xoops-2.0.9.2-fix-file-ext-validation.diff 
@@ -0,0 +1,273 @@
+diff --exclude='*~' -urN xoops-2.0.9.2.orig/html/class/mimetypes.inc.php xoops-2.0.9.2/html/class/mimetypes.inc.php
+--- xoops-2.0.9.2.orig/html/class/mimetypes.inc.php 1969-12-31 19:00:00.000000000 -0500
++++ xoops-2.0.9.2/html/class/mimetypes.inc.php 2005-03-11 12:37:12.081298241 -0500
+@@ -0,0 +1,117 @@
++<?php
++/**
++* Extension to mimetype lookup table
++*
++* This file is provided as an helper for objects who need to perform filename to mimetype translations.
++* Common types have been provided, but feel free to add your own one if you need it.
++* <br /><br />
++* See the enclosed file LICENSE for licensing information.
++* If you did not receive this file, get it at http://www.fsf.org/copyleft/gpl.html
++*
++* @copyright The Xoops project http://www.xoops.org/
++* @license http://www.fsf.org/copyleft/gpl.html GNU public license
++* @author Skalpa Keo <skalpa@xoops.org>
++* @since 2.0.9.3
++*/
++return array(
++ "hqx" => "application/mac-binhex40",
++ "doc" => "application/msword",
++ "dot" => "application/msword",
++ "bin" => "application/octet-stream",
++ "lha" => "application/octet-stream",
++ "lzh" => "application/octet-stream",
++ "exe" => "application/octet-stream",
++ "class" => "application/octet-stream",
++ "so" => "application/octet-stream",
++ "dll" => "application/octet-stream",
++ "pdf" => "application/pdf",
++ "ai" => "application/postscript",
++ "eps" => "application/postscript",
++ "ps" => "application/postscript",
++ "smi" => "application/smil",
++ "smil" => "application/smil",
++ "wbxml" => "application/vnd.wap.wbxml",
++ "wmlc" => "application/vnd.wap.wmlc",
++ "wmlsc" => "application/vnd.wap.wmlscriptc",
++ "xla" => "application/vnd.ms-excel",
++ "xls" => "application/vnd.ms-excel",
++ "xlt" => "application/vnd.ms-excel",
++ "ppt" => "application/vnd.ms-powerpoint",
++ "csh" => "application/x-csh",
++ "dcr" => "application/x-director",
++ "dir" => "application/x-director",
++ "dxr" => "application/x-director",
++ "spl" => "application/x-futuresplash",
++ "gtar" => "application/x-gtar",
++ "php" => "application/x-httpd-php",
++ "php3" => "application/x-httpd-php",
++ "php5" => "application/x-httpd-php",
++ "phtml" => "application/x-httpd-php",
++ "js" => "application/x-javascript",
++ "sh" => "application/x-sh",
++ "swf" => "application/x-shockwave-flash",
++ "sit" => "application/x-stuffit",
++ "tar" => "application/x-tar",
++ "tcl" => "application/x-tcl",
++ "xhtml" => "application/xhtml+xml",
++ "xht" => "application/xhtml+xml",
++ "xhtml" => "application/xml",
++ "ent" => "application/xml-external-parsed-entity",
++ "dtd" => "application/xml-dtd",
++ "mod" => "application/xml-dtd",
++ "gz" => "application/x-gzip",
++ "zip" => "application/zip",
++ "au" => "audio/basic",
++ "snd" => "audio/basic",
++ "mid" => "audio/midi",
++ "midi" => "audio/midi",
++ "kar" => "audio/midi",
++ "mp1" => "audio/mpeg",
++ "mp2" => "audio/mpeg",
++ "mp3" => "audio/mpeg",
++ "aif" => "audio/x-aiff",
++ "aiff" => "audio/x-aiff",
++ "m3u" => "audio/x-mpegurl",
++ "ram" => "audio/x-pn-realaudio",
++ "rm" => "audio/x-pn-realaudio",
++ "rpm" => "audio/x-pn-realaudio-plugin",
++ "ra" => "audio/x-realaudio",
++ "wav" => "audio/x-wav",
++ "bmp" => "image/bmp",
++ "gif" => "image/gif",
++ "jpeg" => "image/jpeg",
++ "jpg" => "image/jpeg",
++ "jpe" => "image/jpeg",
++ "png" => "image/png",
++ "tiff" => "image/tiff",
++ "tif" => "image/tif",
++ "wbmp" => "image/vnd.wap.wbmp",
++ "pnm" => "image/x-portable-anymap",
++ "pbm" => "image/x-portable-bitmap",
++ "pgm" => "image/x-portable-graymap",
++ "ppm" => "image/x-portable-pixmap",
++ "xbm" => "image/x-xbitmap",
++ "xpm" => "image/x-xpixmap",
++ "ics" => "text/calendar",
++ "ifb" => "text/calendar",
++ "css" => "text/css",
++ "html" => "text/html",
++ "htm" => "text/html",
++ "asc" => "text/plain",
++ "txt" => "text/plain",
++ "rtf" => "text/rtf",
++ "sgml" => "text/x-sgml",
++ "sgm" => "text/x-sgml",
++ "tsv" => "text/tab-seperated-values",
++ "wml" => "text/vnd.wap.wml",
++ "wmls" => "text/vnd.wap.wmlscript",
++ "xsl" => "text/xml",
++ "mpeg" => "video/mpeg",
++ "mpg" => "video/mpeg",
++ "mpe" => "video/mpeg",
++ "qt" => "video/quicktime",
++ "mov" => "video/quicktime",
++ "avi" => "video/x-msvideo",
++);
++
++?>
+diff --exclude='*~' -urN xoops-2.0.9.2.orig/html/class/uploader.php xoops-2.0.9.2/html/class/uploader.php
+--- xoops-2.0.9.2.orig/html/class/uploader.php 2005-03-11 12:34:09.527394373 -0500
++++ xoops-2.0.9.2/html/class/uploader.php 2005-03-11 12:38:27.795812193 -0500
+@@ -84,11 +84,17 @@
+ */
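Review bot: The lookup table in mimetypes.inc.php declares the key `"xhtml"` twice, so the later entry wins and `.xhtml` resolves to `application/xml` rather than `application/xhtml+xml`. The second key was presumably meant to be `"xml"`, which as written has no entry and will be rejected as an unknown type. Two values also look mistyped: `"tif" => "image/tif"` (the `tiff` row uses `image/tiff`) and `"tsv" => "text/tab-seperated-values"`. Since checkMimeType() compares these strings against the caller's allow-list, a misspelt value silently blocks that extension.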
+ class XoopsMediaUploader
+ {
++ /**
++ * Flag indicating if unrecognized mimetypes should be allowed (use with precaution ! may lead to security issues )
++ **/
++ var $allowUnknownTypes = false;
++
+ var $mediaName;
+ var $mediaType;
+ var $mediaSize;
+ var $mediaTmpName;
+ var $mediaError;
++ var $mediaRealType = '';
+
+ var $uploadDir = '';
+
+@@ -97,7 +103,7 @@
+ var $maxFileSize = 0;
+ var $maxWidth;
+ var $maxHeight;
+-
++
+ var $targetFileName;
+
+ var $prefix;
+@@ -108,9 +114,12 @@
+
+ var $savedFileName;
+
++
++ var $extensionToMime = array();
++
+ /**
+ * Constructor
+- *
++ *
+ * @param string $uploadDir
+ * @param array $allowedMimeTypes
+ * @param int $maxFileSize
+@@ -118,8 +127,13 @@
+ * @param int $maxHeight
+ * @param int $cmodvalue
+ **/
+- function XoopsMediaUploader($uploadDir, $allowedMimeTypes, $maxFileSize, $maxWidth=null, $maxHeight=null)
++ function XoopsMediaUploader($uploadDir, $allowedMimeTypes, $maxFileSize=0, $maxWidth=null, $maxHeight=null)
+ {
++ @$this->extensionToMime = include( XOOPS_ROOT_PATH . '/class/mimetypes.inc.php' );
++ if ( !is_array( $this->extensionToMime ) ) {
++ $this->extensionToMime = array();
++ return false;
++ }
+ if (is_array($allowedMimeTypes)) {
+ $this->allowedMimeTypes =& $allowedMimeTypes;
+ }
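Review bot: `return false;` inside the PHP 4 style constructor does not stop `new XoopsMediaUploader(...)` from yielding an object, so the early exit on a failed include only skips the assignments that follow and leaves a half-initialised instance. The upload is actually refused later, by the `empty( $this->extensionToMime )` guard added to fetchMedia(), and that dependency deserves a comment here, for example `// a constructor cannot signal failure; fetchMedia() refuses uploads while the table is empty`. The docblock above still lists `@param int $cmodvalue`, which the signature does not have. The constructor body continues past the end of this hunk.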
+@@ -135,14 +149,18 @@
+
+ /**
+ * Fetch the uploaded file
+- *
++ *
+ * @param string $media_name Name of the file field
+ * @param int $index Index of the file (if more than one uploaded under that name)
+ * @return bool
+ **/
+ function fetchMedia($media_name, $index = null)
+ {
+- if (!isset($_FILES[$media_name])) {
++ if ( empty( $this->extensionToMime ) ) {
++ $this->setErrors( 'Error loading mimetypes definition' );
++ return false;
++ }
++ if (!isset($_FILES[$media_name])) {
+ $this->setErrors('File not found');
+ return false;
+ } elseif (is_array($_FILES[$media_name]['name']) && isset($index)) {
+@@ -161,6 +179,14 @@
+ $this->mediaTmpName = $media_name['tmp_name'];
+ $this->mediaError = !empty($media_name['error']) ? $media_name['error'] : 0;
+ }
++ if ( ($ext = strrpos( $this->mediaName, '.' )) !== false ) {
++ $ext = substr( $this->mediaName, $ext + 1 );
++ if ( isset( $this->extensionToMime[$ext] ) ) {
++ $this->mediaRealType = $this->extensionToMime[$ext];
++ trigger_error( "XoopsMediaUploader: Set mediaRealType to {$this->mediaRealType} (file extension is $ext)", E_USER_NOTICE );
++ }
++ }
++
+ $this->errors = array();
+ if (intval($this->mediaSize) < 0) {
+ $this->setErrors('Invalid File Size');
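Review bot: The extension lookup is case-sensitive while every key in mimetypes.inc.php is lower-case, so a name ending in `.JPG` or `.PHP` leaves `mediaRealType` empty and is classed as unknown instead of as its real type; the filename check this patch removes used the `/i` flag. Normalise before the lookup: `$ext = strtolower( substr( $this->mediaName, $ext + 1 ) );`. The `trigger_error()` call also copies `$ext`, which comes from the client-supplied filename, into a notice that may be rendered in the page when error display is on. It reads like leftover debugging output and should be removed or passed through `htmlspecialchars()`. fetchMedia() begins and ends outside this hunk.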
+@@ -170,10 +196,6 @@
+ $this->setErrors('Filename Is Empty');
+ return false;
+ }
+- if ( preg_match( '/\.(php|cgi|pl|py|asp)$/i', $this->mediaName ) ) {
+- $this->setErrors('Filename rejected');
+- return false;
+- }
+ if ($this->mediaTmpName == 'none' || !is_uploaded_file($this->mediaTmpName)) {
+ $this->setErrors('No file uploaded');
+ return false;
+@@ -380,20 +402,19 @@
+ }
+
+ /**
+- * Is the file the right Mime type
+- *
+- * (is there a right type of mime? ;-)
+- *
++ * Check whether or not the uploaded file type is allowed
++ *
+ * @return bool
+ **/
+ function checkMimeType()
+ {
+- if (count($this->allowedMimeTypes) > 0 && !in_array($this->mediaType, $this->allowedMimeTypes)) {
+- return false;
+- } else {
+- return true;
+- }
+- }
++ if ( empty( $this->mediaRealType ) && !$this->allowUnknownTypes ) {
++ $this->setErrors( 'Unknown filetype rejected' );
++ return false;
++ }
++
++ return ( empty($this->allowedMimeTypes) || in_array($this->mediaRealType, $this->allowedMimeTypes) );
++ }
+
+ /**
+ * Add an error
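Review bot: When `$allowedMimeTypes` is empty, checkMimeType() now returns true for any extension present in mimetypes.inc.php, and that table gives `php`, `php3`, `php5`, `phtml`, `sh` and `csh` known types. The unconditional filename rejection that used to stop such names in fetchMedia() is deleted in the `@@ -170,10 +196,6 @@` hunk, so callers that pass no allow-list lose the protection they had before. The type is also derived only from the client-supplied filename, so `mediaRealType` says nothing about the file's content, and the docblock should say so. A guard for the empty-list case is sketched below, reusing the error string of the removed check.

```php
function checkMimeType()
{
    // … unchanged: unknown-type rejection when allowUnknownTypes is false …

    // An empty allow-list must not admit types the web server may execute.
    $executable = array( 'application/x-httpd-php', 'application/x-sh', 'application/x-csh' );
    if ( empty( $this->allowedMimeTypes ) && in_array( $this->mediaRealType, $executable ) ) {
        $this->setErrors( 'Filename rejected' );
        return false;
    }

    return ( empty($this->allowedMimeTypes) || in_array($this->mediaRealType, $this->allowedMimeTypes) );
```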
+@@ -407,7 +428,7 @@
+
+ /**
+ * Get generated errors
+- *
++ *
+ * @param bool $ashtml Format using HTML?
+ *
+ * @return array|string Array of array messages OR HTML string
+@@ -428,4 +449,4 @@
+ }
+ }
+ }
+-?>
+\ No newline at end of file
++?>
diff --git a/www-apps/xoops/xoops-2.0.9.2.ebuild b/www-apps/xoops/xoops-2.0.9.2.ebuild
new file mode 100644
index 000000000000..5b62ebcb806f
--- /dev/null
+++ b/www-apps/xoops/xoops-2.0.9.2.ebuild
@@ -0,0 +1,37 @@
+# Copyright 1999-2005 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/www-apps/xoops/xoops-2.0.9.2.ebuild,v 1.1 2005/03/11 17:43:26 ka0ttic Exp $
+
+inherit webapp eutils
+
+DESCRIPTION="eXtensible Object Oriented Portal System (xoops) is an open-source Content Management System, including various portal features and supplemental modules."
+HOMEPAGE="http://www.xoops.org/"
+SRC_URI="mirror://sourceforge/${PN}/${P}.tar.gz"
+
+LICENSE="GPL-2"
+KEYWORDS="~x86 ~ppc"
+
+RDEPEND=">=virtual/php-4.1.1
+ net-www/apache
+ >=dev-db/mysql-3.23"
+
+src_unpack() {
+ unpack ${A}
+ cd ${S}
+ epatch ${FILESDIR}/${P}-fix-file-ext-validation.diff
+}
+
+src_install() {
+ webapp_src_preinst
+ dodoc docs/CHANGES.txt
+ dohtml docs/INSTALL.html
+ mv docs/images ${D}/usr/share/doc/${PF}/html
+
+ cp -a html/* "${D}/${MY_HTDOCSDIR}"
+ webapp_serverowned ${MY_HTDOCSDIR}/uploads
+ webapp_serverowned ${MY_HTDOCSDIR}/cache
+ webapp_serverowned ${MY_HTDOCSDIR}/templates_c
+ webapp_serverowned ${MY_HTDOCSDIR}/mainfile.php
+ webapp_postinst_txt en ${FILESDIR}/postinstall-en.txt
+ webapp_src_install
+}
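Review bot: `webapp_serverowned ${MY_HTDOCSDIR}/mainfile.php` leaves XOOPS's site configuration file owned by the web server after installation, next to the server-owned `uploads` directory that this commit's patch is meant to protect. If the installer needs that only for first-time setup, postinstall-en.txt (not shown on this page) should tell the administrator to make the file read-only once setup is done. Separately, `cd ${S}` and the `mv docs/images ...` line in src_install are unquoted and unchecked. `cd "${S}" || die` and a trailing `|| die "mv failed"` would stop the build rather than let it continue in the wrong state.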