1
=== modified file '.pc/applied-patches'
2
--- .pc/applied-patches	2012-11-18 12:24:24 +0000
3
+++ .pc/applied-patches	2013-01-21 22:49:21 +0000
4
@@ -3,3 +3,6 @@
5
3
logrotate_as_couchdb.patch
3
logrotate_as_couchdb.patch
6
4
couchdb_sighup.patch
4
couchdb_sighup.patch
7
5
wait_for_couchdb_stop.patch
5
wait_for_couchdb_stop.patch
8
6
improve_parsing_of_mochiweb_relative_paths.patch
9
7
improve_script_url_validation.patch
10
8
include_a_comment_before_jsonp_output.patch
11
6
9
12
=== modified file 'debian/changelog'
13
--- debian/changelog	2012-12-25 03:35:04 +0000
14
+++ debian/changelog	2013-01-21 22:49:21 +0000
15
@@ -1,3 +1,28 @@
16
1
couchdb (1.2.0-5ubuntu1) raring; urgency=low
17
2
18
3
  * Merge from Debian unstable. Remaining changes:
19
4
    - debian/rules, debian/control: Split couchdb and couchdb-bin.
20
5
    - debian/postinst: Rename to couchdb-bin.postinst.
21
6
    - debian/couchdb-bin.postrm: Don't try to delete couchdb system
22
7
      user/group.
23
8
24
9
 -- Logan Rosen <logatronico@gmail.com>  Mon, 21 Jan 2013 17:26:25 -0500
25
10
26
11
couchdb (1.2.0-5) unstable; urgency=high
27
12
28
13
  * Fix debian/patches/series for CVE-2012-5649 and CVE-2012-5650 fixes.
29
14
30
15
 -- Laszlo Boszormenyi (GCS) <gcs@debian.hu>  Fri, 18 Jan 2013 22:04:32 +0100
31
16
32
17
couchdb (1.2.0-4) unstable; urgency=high
33
18
34
19
  * Fix CVE-2012-5649 and CVE-2012-5650 with adding upstream fixes as patches:
35
20
    improve_parsing_of_mochiweb_relative_paths.patch ,
36
21
    improve_script_url_validation.patch and
37
22
    include_a_comment_before_jsonp_output.patch (closes: #698439).
38
23
39
24
 -- Laszlo Boszormenyi (GCS) <gcs@debian.hu>  Fri, 18 Jan 2013 20:04:01 +0100
40
25
41
1
couchdb (1.2.0-3ubuntu1) raring; urgency=low
26
couchdb (1.2.0-3ubuntu1) raring; urgency=low
42
2
27
43
3
  * Merge from Debian unstable. Remaining changes:
28
  * Merge from Debian unstable. Remaining changes:
44
4
29
45
=== added file 'debian/patches/improve_parsing_of_mochiweb_relative_paths.patch'
46
--- debian/patches/improve_parsing_of_mochiweb_relative_paths.patch	1970-01-01 00:00:00 +0000
47
+++ debian/patches/improve_parsing_of_mochiweb_relative_paths.patch	2013-01-21 22:49:21 +0000
48
@@ -0,0 +1,40 @@
49
1
Description: improve parsing of mochiweb relative paths
50
2
 Patch adapted from http://www.couchbase.com/issues/browse/MB-7390
51
3
Author: Sriram Melkote <siri@couchbase.com>
52
4
Bug-Debian: http://bugs.debian.org/698439
53
5
Last-Update: 2012-12-15
54
6
55
7
---
56
8
57
9
diff --git a/src/mochiweb/mochiweb_util.erl b/src/mochiweb/mochiweb_util.erl
58
10
index 3b50fe7..6b88818 100644
59
11
--- a/src/mochiweb/mochiweb_util.erl
60
12
+++ b/src/mochiweb/mochiweb_util.erl
61
13
@@ -68,11 +68,17 @@ partition2(_S, _Sep) ->
62
14
 %% @spec safe_relative_path(string()) -> string() | undefined
63
15
 %% @doc Return the reduced version of a relative path or undefined if it
64
16
 %%      is not safe. safe relative paths can be joined with an absolute path
65
17
-%%      and will result in a subdirectory of the absolute path.
66
18
+%%      and will result in a subdirectory of the absolute path. Safe paths
67
19
+%%      never contain a backslash character.
68
20
 safe_relative_path("/" ++ _) ->
69
21
     undefined;
70
22
 safe_relative_path(P) ->
71
23
-    safe_relative_path(P, []).
72
24
+    case string:chr(P, $\\) of
73
25
+        0 ->
74
26
+           safe_relative_path(P, []);
75
27
+        _ ->
76
28
+           undefined
77
29
+    end.
78
30
 
79
31
 safe_relative_path("", Acc) ->
80
32
     case Acc of
81
33
@@ -809,6 +815,7 @@ safe_relative_path_test() ->
82
34
     undefined = safe_relative_path("../foo"),
83
35
     undefined = safe_relative_path("foo/../.."),
84
36
     undefined = safe_relative_path("foo//"),
85
37
+    undefined = safe_relative_path("foo\\bar"),
86
38
     ok.
87
39
 
88
40
 parse_qvalues_test() ->
89
0
41
90
=== added file 'debian/patches/improve_script_url_validation.patch'
91
--- debian/patches/improve_script_url_validation.patch	1970-01-01 00:00:00 +0000
92
+++ debian/patches/improve_script_url_validation.patch	2013-01-21 22:49:21 +0000
93
@@ -0,0 +1,26 @@
94
1
Description: Improve script url validation
95
2
Author: Robert Newson <rnewson@apache.org>
96
3
Bug-Debian: http://bugs.debian.org/698439
97
4
Last-Update: 2012-12-18
98
5
99
6
---
100
7
101
8
diff --git a/share/www/script/couch_test_runner.js b/share/www/script/couch_test_runner.js
102
9
index c1e7a72..60ba11c 100644
103
10
--- a/share/www/script/couch_test_runner.js
104
11
+++ b/share/www/script/couch_test_runner.js
105
12
@@ -15,11 +15,9 @@
106
13
 
107
14
 function loadScript(url) {
108
15
   // disallow loading remote URLs
109
16
-  if((url.substr(0, 7) == "http://")
110
17
-    || (url.substr(0, 2) == "//")
111
18
-    || (url.substr(0, 5) == "data:")
112
19
-    || (url.substr(0, 11) == "javascript:")) {
113
20
-        throw "Not loading remote test scripts";
114
21
+  var re = /^[a-z0-9_]+(\/[a-z0-9_]+)*\.js#?$/;
115
22
+  if (!re.test(url)) {
116
23
+      throw "Not loading remote test scripts";
117
24
   }
118
25
   if (typeof document != "undefined") document.write('<script src="'+url+'"></script>');
119
26
 };
120
0
27
121
=== added file 'debian/patches/include_a_comment_before_jsonp_output.patch'
122
--- debian/patches/include_a_comment_before_jsonp_output.patch	1970-01-01 00:00:00 +0000
123
+++ debian/patches/include_a_comment_before_jsonp_output.patch	2013-01-21 22:49:21 +0000
124
@@ -0,0 +1,20 @@
125
1
Description: Include a comment before jsonp output
126
2
Author: Robert Newson <rnewson@apache.org>
127
3
Bug-Debian: http://bugs.debian.org/698439
128
4
Last-Update: 2012-12-19
129
5
130
6
---
131
7
132
8
diff --git a/src/couchdb/couch_httpd.erl b/src/couchdb/couch_httpd.erl
133
9
index 0be7126..58f5ec6 100644
134
10
--- a/src/couchdb/couch_httpd.erl
135
11
+++ b/src/couchdb/couch_httpd.erl
136
12
@@ -746,7 +746,7 @@ start_jsonp() ->
137
13
     case get(jsonp) of
138
14
         no_jsonp -> [];
139
15
         [] -> [];
140
16
-        CallBack -> CallBack ++ "("
141
17
+        CallBack -> ["/* CouchDB */", CallBack, "("]
142
18
     end.
143
19
 
144
20
 end_jsonp() ->
145
0
21
146
=== modified file 'debian/patches/series'
147
--- debian/patches/series	2012-11-18 12:24:24 +0000
148
+++ debian/patches/series	2013-01-21 22:49:21 +0000
149
@@ -3,3 +3,6 @@
150
3
logrotate_as_couchdb.patch
3
logrotate_as_couchdb.patch
151
4
couchdb_sighup.patch
4
couchdb_sighup.patch
152
5
wait_for_couchdb_stop.patch
5
wait_for_couchdb_stop.patch
153
6
improve_parsing_of_mochiweb_relative_paths.patch
154
7
improve_script_url_validation.patch
155
8
include_a_comment_before_jsonp_output.patch
156
6
9
157
=== modified file 'share/www/script/couch_test_runner.js'
158
--- share/www/script/couch_test_runner.js	2012-07-30 22:49:59 +0000
159
+++ share/www/script/couch_test_runner.js	2013-01-21 22:49:21 +0000
160
@@ -15,11 +15,9 @@
161
15
15
162
16
function loadScript(url) {
16
function loadScript(url) {
163
17
  // disallow loading remote URLs
17
  // disallow loading remote URLs
169
18
  if((url.substr(0, 7) == "http://")
18
  var re = /^[a-z0-9_]+(\/[a-z0-9_]+)*\.js#?$/;
170
19
    || (url.substr(0, 2) == "//")
19
  if (!re.test(url)) {
171
20
    || (url.substr(0, 5) == "data:")
20
      throw "Not loading remote test scripts";
167
21
    || (url.substr(0, 11) == "javascript:")) {
168
22
        throw "Not loading remote test scripts";
172
23
  }
21
  }
173
24
  if (typeof document != "undefined") document.write('<script src="'+url+'"></script>');
22
  if (typeof document != "undefined") document.write('<script src="'+url+'"></script>');
174
25
};
23
};
175
26
24
176
=== modified file 'src/couchdb/couch_httpd.erl'
177
--- src/couchdb/couch_httpd.erl	2012-07-30 22:49:59 +0000
178
+++ src/couchdb/couch_httpd.erl	2013-01-21 22:49:21 +0000
179
@@ -746,7 +746,7 @@
180
746
    case get(jsonp) of
746
    case get(jsonp) of
181
747
        no_jsonp -> [];
747
        no_jsonp -> [];
182
748
        [] -> [];
748
        [] -> [];
184
749
        CallBack -> CallBack ++ "("
749
        CallBack -> ["/* CouchDB */", CallBack, "("]
185
750
    end.
750
    end.
186
751
751
187
752
end_jsonp() ->
752
end_jsonp() ->
188
753
753
189
=== modified file 'src/mochiweb/mochiweb_util.erl'
190
--- src/mochiweb/mochiweb_util.erl	2012-07-30 22:49:54 +0000
191
+++ src/mochiweb/mochiweb_util.erl	2013-01-21 22:49:21 +0000
192
@@ -68,11 +68,17 @@
193
68
%% @spec safe_relative_path(string()) -> string() | undefined
68
%% @spec safe_relative_path(string()) -> string() | undefined
194
69
%% @doc Return the reduced version of a relative path or undefined if it
69
%% @doc Return the reduced version of a relative path or undefined if it
195
70
%%      is not safe. safe relative paths can be joined with an absolute path
70
%%      is not safe. safe relative paths can be joined with an absolute path
197
71
%%      and will result in a subdirectory of the absolute path.
71
%%      and will result in a subdirectory of the absolute path. Safe paths
198
72
%%      never contain a backslash character.
199
72
safe_relative_path("/" ++ _) ->
73
safe_relative_path("/" ++ _) ->
200
73
    undefined;
74
    undefined;
201
74
safe_relative_path(P) ->
75
safe_relative_path(P) ->
203
75
    safe_relative_path(P, []).
76
    case string:chr(P, $\\) of
204
77
        0 ->
205
78
           safe_relative_path(P, []);
206
79
        _ ->
207
80
           undefined
208
81
    end.
209
76
82
210
77
safe_relative_path("", Acc) ->
83
safe_relative_path("", Acc) ->
211
78
    case Acc of
84
    case Acc of
212
@@ -809,6 +815,7 @@
213
809
    undefined = safe_relative_path("../foo"),
815
    undefined = safe_relative_path("../foo"),
214
810
    undefined = safe_relative_path("foo/../.."),
816
    undefined = safe_relative_path("foo/../.."),
215
811
    undefined = safe_relative_path("foo//"),
817
    undefined = safe_relative_path("foo//"),
216
818
    undefined = safe_relative_path("foo\\bar"),
217
812
    ok.
819
    ok.
218
813
820
219
814
parse_qvalues_test() ->
821
parse_qvalues_test() ->
Status:	Merged
Merge reported by:	Jamie Strandboge
Merged at revision:	not available
Proposed branch:	lp:~logan/ubuntu/raring/couchdb/1.2.0-5
Merge into:	lp:ubuntu/raring/couchdb
Diff against target:	219 lines (+130/-8) 9 files modified .pc/applied-patches (+3/-0) debian/changelog (+25/-0) debian/patches/improve_parsing_of_mochiweb_relative_paths.patch (+40/-0) debian/patches/improve_script_url_validation.patch (+26/-0) debian/patches/include_a_comment_before_jsonp_output.patch (+20/-0) debian/patches/series (+3/-0) share/www/script/couch_test_runner.js (+3/-5) src/couchdb/couch_httpd.erl (+1/-1) src/mochiweb/mochiweb_util.erl (+9/-2)
To merge this branch:	bzr merge lp:~logan/ubuntu/raring/couchdb/1.2.0-5
Related bugs:	Link a bug report
Reviewer	Date Requested	Status
Jamie Strandboge		Approve on 2013-01-22
Ubuntu branches	2013-01-21	Pending
Review via email: mp+144195@code.launchpad.net