app-misc/gallery updated for webapp.eclass
Created attachment 36175
Created attachment 36176
see http://bugs.gentoo.org/show_bug.cgi?id=51008 perhaps..
Also, as of 1.4.4, Gallery no longer requires the use of configure.sh and secure.sh. The configuration wizard is run via a logged-in administrator for upgrades and without running the script on a new install.
Three issues about that ebuild. Only one is major:
1. In the dodoc line, Changelog should be Changlog.archive.gz (don't know why they have it that way).
2. After the dodoc, you should rm -f the dodoc files or else they're duplicated into the master-copy installation.
3. *** The major one ***: Don't "touch config.php". Packaging config.php makes it overwrite the user's config.php with no backup.
Doh, typo: I meant "ChangeLog.archive.gz"
Oh, and ditto item 3 for .htaccess!
Thanks for your comments, I did not think about overwriting existing configfiles. Will fix shortly.
FYI there is a ChangeLog and a ChangeLog.archive.gz because the raw changelog is about ~300K when uncompressed. The non-compressed one is the most recent changes, usually since the last point release.
Ah, you're absolutely right, Chris. I missed that.
Created attachment 36698
- version bump (all arches dropped to ~)
- incorporated suggestions
Created attachment 36699
That one seems to work well here. One thought, though: I agree with you not doing "rm -rf html" after the dohtml, since the docs are linked from within gallery when logged in. But the dohtml redundantly duplicates the whole html documentation tree in /usr/share/doc/gallery-*. I'm not sure the right thing to do is *not* to do the dohtml so as to avoid this duplication since, typically, those docs are supposed to be there. I'm just mentioning it for consideration.
If/when we get ready to draft a GLSA:
20:42 <@Stuart> klieber: by default, we ship php w/ allow_fopen_url=off, which (from reading the code) should be enough to prevent the attack from working
In CVS, also see bug #60742
# emerge -av gallery
These are the packages that I would merge, in order:
Calculating dependencies ...done!
[ebuild R ] www-apps/gallery-1.4.4-r1 0 kB
Total size of downloads: 0 kB
Do you want me to merge these packages? [Yes/No]
>>> emerge (1 of 1) www-apps/gallery-1.4.4-r1 to /
>>> md5 src_uri ;-) gallery-1.4.4.tar.gz
>>> Unpacking source...
>>> Unpacking gallery-1.4.4.tar.gz to /var/tmp/portage/gallery-1.4.4-r1/work
* Applying vuln-20040817.diff... [ ok ]
>>> Source unpacked.
>>> Install gallery-1.4.4-r1 into /var/tmp/portage/gallery-1.4.4-r1/image/ category www-apps
gzip: /var/tmp/portage/gallery-1.4.4-r1/image/usr/share/doc/gallery-1.4.4-r1/ChangeLog.archive.gz already has .gz suffix -- unchanged
* (server owned) htdocs/albums
* ebuild fault: file '/usr/portage/www-apps/gallery/files/postinstall-en.txt' not found
* Please report this as a bug at http://bugs.gentoo.org/
!!! ERROR: www-apps/gallery-1.4.4-r1 failed.
!!! Function webapp_checkfileexists, Line 59, Exitcode 0
!!! ebuild fault: file '/usr/portage/www-apps/gallery/files/postinstall-en.txt' not found
Thanks for reporting. Missing file in CVS now, will hit your mirrors in about an hour.
Works for me now. :)