From fc0fff1bfdefa2cb0a89ab51f64b56a391865e7a Mon Sep 17 00:00:00 2001 From: Martchus Date: Thu, 23 Nov 2017 23:31:18 +0100 Subject: [PATCH] Update Gogs to 0.11.34 --- ...Adjust-config-for-Arch-Linux-package.patch | 63 +++++++++++-------- ...-service-file-for-Arch-Linux-package.patch | 8 +-- ...TY-HTML-injection-in-user-search-API.patch | 34 ---------- ...URITY-fix-branch-name-persistent-XSS.patch | 41 ------------ gogs/default/PKGBUILD | 12 ++-- 5 files changed, 46 insertions(+), 112 deletions(-) delete mode 100644 gogs/default/0003-SECURITY-HTML-injection-in-user-search-API.patch delete mode 100644 gogs/default/0004-SECURITY-fix-branch-name-persistent-XSS.patch diff --git a/gogs/default/0001-Adjust-config-for-Arch-Linux-package.patch b/gogs/default/0001-Adjust-config-for-Arch-Linux-package.patch index a6e6bb62..8f9e7fe7 100644 --- a/gogs/default/0001-Adjust-config-for-Arch-Linux-package.patch +++ b/gogs/default/0001-Adjust-config-for-Arch-Linux-package.patch @@ -1,31 +1,17 @@ -From 73ef207e99b977f830e8a0d5fc98b8f8d25bb3f6 Mon Sep 17 00:00:00 2001 +From 70596ab48d0e1f0f1474bbc60a41b0e3cb5931d6 Mon Sep 17 00:00:00 2001 From: Martchus Date: Sun, 19 Mar 2017 18:03:36 +0100 -Subject: [PATCH 1/4] Adjust config for Arch Linux package +Subject: [PATCH 1/2] Adjust config for Arch Linux package --- - conf/app.ini | 31 +++++++++++++++++++------------ - 1 file changed, 19 insertions(+), 12 deletions(-) + conf/app.ini | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/conf/app.ini b/conf/app.ini -index fc43868e9..bc78b8d8c 100644 +index 8049ce3d..a64cd2ff 100644 --- a/conf/app.ini 
+++ b/conf/app.ini -@@ -1,11 +1,18 @@ --# !!! NEVER EVER MODIFY THIS FILE !!! --# !!! PLEASE MAKE CHANGES ON CORRESPONDING CUSTOM CONFIG FILE !!! --# !!! IF YOU ARE PACKAGING PROVIDER, PLEASE MAKE OWN COPY OF IT !!! -+# Feel free to modify this file! -+# In case a new version of this file is availabe, pacman will notify automatically when -+# updating and creates the new version as app.ini.pacnew. You can use diff or a similar -+# tool to see the changes between your configuration and the new default configuration. -+ -+# There is also a copy of this file under /usr/share/gogs/conf/app.ini in case -+# you need to go back. -+ -+# It is also possible to remove all default values and just specify what you want -+# to change because /usr/share/gogs/conf/app.ini also serves as fallback. - +@@ -5,7 +5,7 @@ ; App name that shows on every page title APP_NAME = Gogs ; The name of the system user that runs Gogs @@ -34,7 +20,7 @@ index fc43868e9..bc78b8d8c 100644 ; Either "dev", "prod" or "test" RUN_MODE = dev -@@ -54,16 +61,16 @@ DISABLE_ROUTER_LOG = false +@@ -54,16 +54,16 @@ DISABLE_ROUTER_LOG = false ; not forget to export the private key): ; $ openssl pkcs12 -in cert.pfx -out cert.pem -nokeys ; $ openssl pkcs12 -in cert.pfx -out key.pem -nocerts -nodes @@ -55,7 +41,7 @@ index fc43868e9..bc78b8d8c 100644 ; Application level GZIP support ENABLE_GZIP = false ; Landing page for non-logged users, can be "home" or "explore" -@@ -71,7 +78,7 @@ LANDING_PAGE = home +@@ -71,7 +71,7 @@ LANDING_PAGE = home [repository] ; Root path for storing repositories's data, default is "~//gogs-repositories" 
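Review bot: The new 0001 patch no longer touches the head of `conf/app.ini` (the inner `-@@ -1,11 +1,18 @@` hunk is removed and nothing replaces it), so if 0.11.34's file still opens with upstream's `# !!! NEVER EVER MODIFY THIS FILE !!!` lines, the packaged `/etc/gogs/app.ini` — listed in `backup=` and meant to be edited by the administrator — will now carry a warning that contradicts its purpose, and the pointer to the pristine copy the old header named (`/usr/share/gogs/conf/app.ini`) is lost. If dropping the header was deliberate, for instance because upstream changed those lines, one sentence in the commit message saying so would settle it. Otherwise keep a reduced header in the patch such as `# Arch Linux package: this file is meant to be edited; a pristine copy is installed at /usr/share/gogs/conf/app.ini.` — I cannot confirm from this diff alone that the package still installs that copy, so verify against the PKGBUILD's package() before wording it.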
@@ -64,7 +50,7 @@ index fc43868e9..bc78b8d8c 100644 ; The script type server supports, sometimes could be "sh" SCRIPT_TYPE = bash ; Default ANSI charset for an unrecognized charset -@@ -111,7 +118,7 @@ PREVIEWABLE_FILE_MODES = markdown +@@ -111,7 +111,7 @@ PREVIEWABLE_FILE_MODES = markdown ; Enable repository file uploads. ENABLED = true ; Path to temporarily store uploads (default path gets cleaned by Gogs in every start) @@ -73,7 +59,16 @@ index fc43868e9..bc78b8d8c 100644 ; File types that are allowed to be uploaded, e.g. image/jpeg|image/png. Leave empty means allow any file type ALLOWED_TYPES = ; Maximum size of each file in MB -@@ -170,7 +177,7 @@ PASSWD = +@@ -124,7 +124,7 @@ MAX_FILES = 5 + ; Whether attachments are enabled. Defaults to `true` + ENABLED = true + ; Path for attachments. Defaults to `data/attachments` +-PATH = data/attachments ++PATH = /var/lib/gogs/attachments + ; One or more allowed types, e.g. image/jpeg|image/png + ALLOWED_TYPES = */* + ; Max size of each file. Defaults to 32MB +@@ -170,7 +170,7 @@ PASSWD = ; For "postgres" only, either "disable", "require" or "verify-full" SSL_MODE = disable ; For "sqlite3" and "tidb", use absolute path when you start as service 
@@ -82,7 +77,25 @@ index fc43868e9..bc78b8d8c 100644 [admin] ; Disable regular (non-admin) users to create organizations -@@ -315,7 +322,7 @@ FORMAT = +@@ -283,7 +283,7 @@ CSRF_COOKIE_NAME = _csrf + + [picture] + ; Path to store user uploaded avatars +-AVATAR_UPLOAD_PATH = data/avatars ++AVATAR_UPLOAD_PATH = /var/lib/gogs/avatars + ; Chinese users can choose "duoshuo" + ; or a custom avatar source, like: http://cn.gravatar.com/avatar/ + GRAVATAR_SOURCE = gravatar +@@ -299,7 +299,7 @@ ENABLE_FEDERATED_AVATAR = true + ; Whether attachments are enabled. Defaults to `true` + ENABLED = true + ; Path for attachments. Defaults to `data/attachments` +-PATH = data/attachments ++PATH = /var/lib/gogs/attachments + ; One or more allowed types, e.g. image/jpeg|image/png + ALLOWED_TYPES = image/jpeg|image/png + ; Max size of each file. Defaults to 4MB +@@ -315,7 +315,7 @@ FORMAT = ; General settings of loggers [log] diff --git a/gogs/default/0002-Adjust-service-file-for-Arch-Linux-package.patch b/gogs/default/0002-Adjust-service-file-for-Arch-Linux-package.patch index efdafe67..3d3bd575 100644 --- a/gogs/default/0002-Adjust-service-file-for-Arch-Linux-package.patch +++ b/gogs/default/0002-Adjust-service-file-for-Arch-Linux-package.patch @@ -1,14 +1,14 @@ -From 6c229c932878e189e3a785c337a1c5d1cdbea2c3 Mon Sep 17 00:00:00 2001 +From 3d8abcd653f46d72c47687e8b4186157f0526401 Mon Sep 17 00:00:00 2001 From: Martchus Date: Sun, 19 Mar 2017 18:04:48 +0100 -Subject: [PATCH 2/4] Adjust service file for Arch Linux package +Subject: [PATCH 2/2] Adjust service file for Arch Linux package --- scripts/systemd/gogs.service | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/scripts/systemd/gogs.service b/scripts/systemd/gogs.service -index 9f105bf8e..07ffa1f66 100644 +index 9f105bf8..99ca11e0 100644 --- a/scripts/systemd/gogs.service +++ b/scripts/systemd/gogs.service @@ -12,12 +12,12 @@ After=mariadb.service mysqld.service postgresql.service memcached.service redis. 
@@ -25,7 +25,7 @@ index 9f105bf8e..07ffa1f66 100644 +ExecStart=/usr/bin/gogs web --config /etc/gogs/app.ini Restart=always -Environment=USER=git HOME=/home/git -+Environment=USER=gogs HOME=/var/lib/gogs GOGS_CUSTOM=/var/lib/gogs/custom ++Environment=USER=gogs HOME=/var/lib/gogs [Install] WantedBy=multi-user.target diff --git a/gogs/default/0003-SECURITY-HTML-injection-in-user-search-API.patch b/gogs/default/0003-SECURITY-HTML-injection-in-user-search-API.patch deleted file mode 100644 index 3fe930ff..00000000 --- a/gogs/default/0003-SECURITY-HTML-injection-in-user-search-API.patch +++ /dev/null @@ -1,34 +0,0 @@ -From f331f09bbd849c0aa568f704a09e81ff77fc50f8 Mon Sep 17 00:00:00 2001 -From: Unknwon -Date: Sat, 14 Oct 2017 23:53:20 -0400 -Subject: [PATCH 3/4] SECURITY: HTML injection in user search API - -Reported by Tim Hawes. ---- - routes/api/v1/user/user.go | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/routes/api/v1/user/user.go b/routes/api/v1/user/user.go -index dbf727def..8326eea57 100644 ---- a/routes/api/v1/user/user.go -+++ b/routes/api/v1/user/user.go -@@ -12,6 +12,7 @@ import ( - "github.com/gogits/gogs/models" - "github.com/gogits/gogs/models/errors" - "github.com/gogits/gogs/pkg/context" -+ "github.com/gogits/gogs/pkg/markup" - ) - - func Search(c *context.APIContext) { -@@ -39,7 +40,7 @@ func Search(c *context.APIContext) { - ID: users[i].ID, - UserName: users[i].Name, - AvatarUrl: users[i].AvatarLink(), -- FullName: users[i].FullName, -+ FullName: markup.Sanitize(users[i].FullName), - } - if c.IsLogged { - results[i].Email = users[i].Email --- -2.15.0 - diff --git a/gogs/default/0004-SECURITY-fix-branch-name-persistent-XSS.patch b/gogs/default/0004-SECURITY-fix-branch-name-persistent-XSS.patch deleted file mode 100644 index 36c42434..00000000 --- a/gogs/default/0004-SECURITY-fix-branch-name-persistent-XSS.patch +++ /dev/null 
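Review bot: The new `Environment=` line in the 0002 patch drops `GOGS_CUSTOM=/var/lib/gogs/custom` while keeping `HOME=/var/lib/gogs`, and `--config /etc/gogs/app.ini` on ExecStart only covers the ini, not the custom directory (templates, public assets, locale overrides). As far as I know Gogs resolves that directory from `GOGS_CUSTOM` and otherwise relative to the executable's directory, which for this package would be `/usr/bin/custom` rather than the service's state directory — please confirm against 0.11.34's settings code. Unless something outside this diff (the `.install` script or a systemd drop-in) supplies it, the unit should keep `Environment=USER=gogs HOME=/var/lib/gogs GOGS_CUSTOM=/var/lib/gogs/custom`. The inner service-file hunk continues outside this outer hunk.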
@@ -1,41 +0,0 @@ -From 3025fe70a794d70e3422784401f9ad04d0d71032 Mon Sep 17 00:00:00 2001 -From: Unknwon -Date: Sun, 15 Oct 2017 00:07:46 -0400 -Subject: [PATCH 4/4] SECURITY: fix branch name persistent XSS - -Reported by Carl Hattenfels. ---- - templates/repo/editor/commit_form.tmpl | 3 ++- - templates/repo/issue/view_title.tmpl | 2 +- - 2 files changed, 3 insertions(+), 2 deletions(-) - -diff --git a/templates/repo/editor/commit_form.tmpl b/templates/repo/editor/commit_form.tmpl -index 6aee9f1d1..6ee6300ff 100644 ---- a/templates/repo/editor/commit_form.tmpl -+++ b/templates/repo/editor/commit_form.tmpl -@@ -14,7 +14,8 @@ - - - - -diff --git a/templates/repo/issue/view_title.tmpl b/templates/repo/issue/view_title.tmpl -index 3f3b62e65..4650ba4c8 100644 ---- a/templates/repo/issue/view_title.tmpl -+++ b/templates/repo/issue/view_title.tmpl -@@ -28,7 +28,7 @@ - {{if .Issue.PullRequest.HasMerged}} - {{ $mergedStr:= TimeSince .Issue.PullRequest.Merged $.Lang }} - {{.Issue.PullRequest.Merger.Name}} -- {{$.i18n.Tr "repo.pulls.merged_title_desc" .NumCommits .HeadTarget .BaseTarget $mergedStr | Safe}} -+ {{$.i18n.Tr "repo.pulls.merged_title_desc" .NumCommits .HeadTarget .BaseTarget $mergedStr | Str2html}} - {{else}} - {{.Issue.Poster.Name}} - {{$.i18n.Tr "repo.pulls.title_desc" .NumCommits .HeadTarget .BaseTarget | Str2html}} --- -2.15.0 - diff --git a/gogs/default/PKGBUILD b/gogs/default/PKGBUILD index f0701843..3df70e8a 100644 --- a/gogs/default/PKGBUILD +++ b/gogs/default/PKGBUILD @@ -7,8 +7,8 @@ _orga=gogits _gourl=github.com/gogits/$_pkgname pkgname=$_pkgname -pkgver=0.11.29 -pkgrel=4 +pkgver=0.11.34 +pkgrel=1 epoch=1 pkgdesc='Self Hosted Git Service written in Go' arch=('i686' 'x86_64' 'armv6h' 'armv7h') 
@@ -28,14 +28,10 @@ backup=("etc/$_pkgname/app.ini") install=$_pkgname.install source=("$_pkgname-$pkgver::https://github.com/$_orga/$_pkgname/archive/v${pkgver}.tar.gz" '0001-Adjust-config-for-Arch-Linux-package.patch' - '0002-Adjust-service-file-for-Arch-Linux-package.patch' - '0003-SECURITY-HTML-injection-in-user-search-API.patch' - '0004-SECURITY-fix-branch-name-persistent-XSS.patch') + '0002-Adjust-service-file-for-Arch-Linux-package.patch') sha512sums=('094dd6b5010128b8a68c3b4a2be389593380be527dd1f1c37882cbd7762ae31ff8da824d047acecb9ef31233ab3c576bc5030c90763adfa32d01b5830d12c04b' '43a337ccc0932a8e6f538d24ec8e13a7b509d1e7c4da40d2e76339a67b043090ab648b323c08311f5a62f81db19911138b6ff2c74fb9a869a401571d9b3770c5' - '969a29c3d1a9667e285ebd3490a83c5a684fa037a540ba242dcd86fe8294eef0b1247fc996a4926832ba0d8c56b5d843a117c14c7696899cb813b847b861a5cc' - 'dca31ee707586a2c055f549a36cdfd113def1436dfbb8eaf2358347d66c968fdb265e8832f1c8f8041d0fbddda708f5eac37719ab85040024cdf6eb82568a219' - 'afafb48f86906db3c1385541eba3d02e028cda087067f4ec467b538cc215d5662ba0af8fe488f4ecbb1f6dff96520c47868c1584239540fb41db8781af6eb792') + '969a29c3d1a9667e285ebd3490a83c5a684fa037a540ba242dcd86fe8294eef0b1247fc996a4926832ba0d8c56b5d843a117c14c7696899cb813b847b861a5cc') _goroot='/usr/lib/go' prepare() {
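Review bot: The three sha512sums kept on the new side of this hunk cannot be current: pkgver moves to 0.11.34 in the `@@ -7,8 +7,8 @@` hunk, so `$_pkgname-$pkgver.tar.gz` is a different archive, and both `0001-…` and `0002-…` patch files are rewritten in this very commit, yet `094dd…`, `43a337…` and `969a29…` are left untouched (the first two are context lines, the third is re-added verbatim). `makepkg` will stop at the integrity check, which is the safeguard working as intended; regenerate the array (`updpkgsums` or `makepkg -g` against the fetched files) and cross-check the tarball hash against an independent download before committing, rather than working around the check. Since this hunk also removes the `0003-SECURITY-…` and `0004-SECURITY-…` backports from `source=`, it would help future readers to record why, e.g. `# 0003/0004 SECURITY patches dropped: fixes are part of upstream 0.11.34` next to `source=(`, once that has been confirmed against the upstream release — both patches are dated mid-October 2017 by the upstream maintainer, which makes it plausible but is not shown here.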