authorV3n3RiX <venerix@redcorelinux.org>2017-10-09 18:53:29 +0100
committerV3n3RiX <venerix@redcorelinux.org>2017-10-09 18:53:29 +0100
commit4f2d7949f03e1c198bc888f2d05f421d35c57e21 (patch)
treeba5f07bf3f9d22d82e54a462313f5d244036c768 /dev-ruby/redcloth
reinit the tree, so we can have metadata
Diffstat (limited to 'dev-ruby/redcloth')
-rw-r--r--dev-ruby/redcloth/Manifest8
-rw-r--r--dev-ruby/redcloth/files/redcloth-4.2.9-cve-2012-6684.patch58
-rw-r--r--dev-ruby/redcloth/metadata.xml11
-rw-r--r--dev-ruby/redcloth/redcloth-4.2.9-r4.ebuild60
-rw-r--r--dev-ruby/redcloth/redcloth-4.3.2.ebuild57
5 files changed, 194 insertions, 0 deletions
diff --git a/dev-ruby/redcloth/Manifest b/dev-ruby/redcloth/Manifest
new file mode 100644
index 000000000000..f743cd7191cc
--- /dev/null
+++ b/dev-ruby/redcloth/Manifest
@@ -0,0 +1,8 @@
+AUX redcloth-4.2.9-cve-2012-6684.patch 1996 SHA256 5a0473add0af2158675a8b68c8832f08e3e127297b33ba8d5902109257a37640 SHA512 17ea6052abf651c41091df3a1799bb33ad2161abd5a78f2d6db4629eb57a0413f4341ad87ca065391e5cc3e083bd65000d3d68d1fa53d0d15e5a73f5962a1498 WHIRLPOOL 28b67c831e42037546e2d14c48a9256bd043660e21c9265432c7011ff0166cc16ac3909c2a54b830365393f35d14befe735a9888463e9f4c454a09ae030cbe27
+DIST RedCloth-4.3.2.tar.gz 91880 SHA256 fbfc709ef742f962896e1cd063b8bd828bdc0ddce36755edbe493cd3231ea850 SHA512 377fef21e646beb1658a4b8b8d0228e9730c6c8f33075a14137afcf80e8d37501ede8c05b720d0dfb36a680017f4dedd01565fe9b326ae06ead77afee6f122ca WHIRLPOOL 5ad0dc82805495e7a47053499d9e1301b557199b4850556192a9238bd06076470be7a6837d3547dd115d3d5f849f8662f7e4dfc1de2d7fe102da9c499a25fdb9
+DIST RedCloth-git-4.2.9.tgz 96897 SHA256 e649f46a58b949c6d229714c25b747f331b4a5b887eaa65ac43eab1f39067e6c SHA512 646f7a1a88ab9b3ff078016df706a1c9d991bf21d86ef1dd4c0a0ee6b946f94276b52499218bca222461eb003510e84b81f44b08899c5b36ac115137193e968a WHIRLPOOL 4276714eb34ec2571544ff271698f1e6540ac62d51704c4216d19452be0b59d1da3014b7c290204b9ca42d5edd88094f1de79618d3bbf8d4f8ae5fb214ecca63
+EBUILD redcloth-4.2.9-r4.ebuild 1527 SHA256 d3bacb946ec4390681da54480ac3b90719dedffef6e4b4fca9fe58651ab18cc7 SHA512 fc62194dd52dc3369068ccbfd2702505bd8449dce2e5ca6d52fd06266d6f1b4a55d166eee60732de75879e7ecb2fa20b913ca4a31882481a306d5fc93a91e9e7 WHIRLPOOL 2358647aaaaae62a3971b7eb6efdef0dc1b5a17a9146d1f89f67561517a2fa7d4ad7533394a5c9fc2a0c08df0bd8c5e8cca77c35856d867b2acb8fbc5b2259c5
+EBUILD redcloth-4.3.2.ebuild 1482 SHA256 1a11ca83c37876f193802716dab2e129bac688807a271966f837ad5e5a58a321 SHA512 5faa89e0105517293dac8f68cc052ca394abba43adedc02c30f53d259c5025c65dff29a9c54f02a357eb7482388b16bf50d0de33fa4a06af8126b872901d6490 WHIRLPOOL 3442c7432c6fbd048f5f260a0896f06ed21b6841d97836599eb63445104e4459dc7e69e3c2254ac35b30df9c9611e87028d8a6bf95ef188a54f50c629dc2189c
+MISC ChangeLog 5023 SHA256 ba46c690af38ccd468f7d7779f50d151c2b3c77701565db8f927f2bb79e98ebd SHA512 a927ebb3d1b32357867a3fef333481fc63a827e600cf88d27f0423c6229fa4e14141a3dda6702f14764f2117b9f93df12eea7652a0bfffa2dfcda160a04a9f5d WHIRLPOOL 929ebbe54b070e354d2c98a6f58a2f4857db604af23b006ba0fd1c4a0f7265bfb89f7b71148be6885acee237781a6b8fa803837a9c0b216f7fdf13d3d827353a
+MISC ChangeLog-2015 14233 SHA256 8fc368e6d227481d29b86f7b7a11843c20fbbfcd8f3d2e27e10350b136b0b62c SHA512 09dcb41ab153597e0ffa8f8cb64509a8dc0328df42a730c631e41d2f597e2add99203dbb6897c11ed78b24fbc14efc39676becfdde680e56c38152040325e509 WHIRLPOOL 3965e83b722584c435515e45cff85edb9a84e3c42b8ca0840ea0f0183e6201fb6f826528dfff03ce4d56eec74e9f9de7a227c4c4ed34db2fc57b55a6d148869c
+MISC metadata.xml 342 SHA256 ee440f9485581df66fa7dc69c2131cbac81b160edc4a7ccbf3f330ce7044e24c SHA512 7a6f73a77cda62ea21a2d2fdfcf0bf848ffdd90e7272e0b06aef67a8147e5a6ae14e871d216750ce20d12e18823d3e3d36e60a99972019fde7195a2350480791 WHIRLPOOL 107854ebcc2169dece970febc77acd1af218127033191256fc6ee918098a8f9f76f44132ef750317ff397214eff26231ead2b2cf0bcc8db5f4f496695e5cd586
diff --git a/dev-ruby/redcloth/files/redcloth-4.2.9-cve-2012-6684.patch b/dev-ruby/redcloth/files/redcloth-4.2.9-cve-2012-6684.patch
new file mode 100644
index 000000000000..ec36340f8aad
--- /dev/null
+++ b/dev-ruby/redcloth/files/redcloth-4.2.9-cve-2012-6684.patch
@@ -0,0 +1,58 @@
+Patch taken from Debian (via upstream pull request that is still pending)
+
+http://sources.debian.net/src/ruby-redcloth/4.2.9-4/debian/patches/0001-Filter-out-javascript-links-when-using-filter_html-o.patch/
+https://github.com/jgarber/redcloth/pull/20/commits
+
+From b3d82f0c3a354a2f589e1fd43f5f1d7e427b530e Mon Sep 17 00:00:00 2001
+From: Antonio Terceiro <terceiro@debian.org>
+Date: Sat, 7 Feb 2015 23:27:39 -0200
+Subject: [PATCH] Filter out 'javascript:' links when using filter_html or
+ sanitize_html
+
+This is a fix for CVE-2012-6684
+---
+ lib/redcloth/formatters/html.rb | 6 +++++-
+ spec/security/CVE-2012-6684_spec.rb | 14 ++++++++++++++
+ 2 files changed, 19 insertions(+), 1 deletion(-)
+ create mode 100644 spec/security/CVE-2012-6684_spec.rb
+
+diff --git a/lib/redcloth/formatters/html.rb b/lib/redcloth/formatters/html.rb
+index bfadfb7..b8793b2 100644
+--- a/lib/redcloth/formatters/html.rb
++++ b/lib/redcloth/formatters/html.rb
+@@ -111,7 +111,11 @@ module RedCloth::Formatters::HTML
+ end
+
+ def link(opts)
+- "<a href=\"#{escape_attribute opts[:href]}\"#{pba(opts)}>#{opts[:name]}</a>"
++ if (filter_html || sanitize_html) && opts[:href] =~ /^\s*javascript:/
++ opts[:name]
++ else
++ "<a href=\"#{escape_attribute opts[:href]}\"#{pba(opts)}>#{opts[:name]}</a>"
++ end
+ end
+
+ def image(opts)
+diff --git a/spec/security/CVE-2012-6684_spec.rb b/spec/security/CVE-2012-6684_spec.rb
+new file mode 100644
+index 0000000..05219fd
+--- /dev/null
++++ b/spec/security/CVE-2012-6684_spec.rb
+@@ -0,0 +1,14 @@
++# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6684
++
++require 'redcloth'
++
++describe 'CVE-2012-6684' do
++
++ it 'should not let javascript links pass through' do
++ # PoC from http://co3k.org/blog/redcloth-unfixed-xss-en
++ output = RedCloth.new('["clickme":javascript:alert(%27XSS%27)]', [:filter_html, :filter_styles, :filter_classes, :filter_ids]).to_html
++ expect(output).to_not match(/href=.javascript:alert/)
++ end
++
++
++end
+--
+2.1.4
+
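Review bot: The deny-list check added to `link`, `opts[:href] =~ /^\s*javascript:/`, is case-sensitive and recognises only that one spelling of the scheme, so as far as these lines show an href with the scheme written in a different case would still be emitted into the `href` attribute under `filter_html`/`sanitize_html`. At minimum the pattern should carry the `i` flag, `opts[:href] =~ /^\s*javascript:/i`; a sturdier fix is an allow-list that emits the anchor only when the href is relative or uses an expected scheme (for example http, https, mailto), because a deny-list also has to track every scheme and encoding a browser will accept. The added spec pins only the lowercase PoC string, so a mixed-case case belongs next to it. `image(opts)` begins right after this hunk and its body is not visible here; if it also renders `opts[:href]`, it needs the same check.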
diff --git a/dev-ruby/redcloth/metadata.xml b/dev-ruby/redcloth/metadata.xml
new file mode 100644
index 000000000000..1246bb351a87
--- /dev/null
+++ b/dev-ruby/redcloth/metadata.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <maintainer type="project">
+ <email>ruby@gentoo.org</email>
+ <name>Gentoo Ruby Project</name>
+ </maintainer>
+ <upstream>
+ <remote-id type="github">jgarber/redcloth</remote-id>
+ </upstream>
+</pkgmetadata>
diff --git a/dev-ruby/redcloth/redcloth-4.2.9-r4.ebuild b/dev-ruby/redcloth/redcloth-4.2.9-r4.ebuild
new file mode 100644
index 000000000000..350ea61be175
--- /dev/null
+++ b/dev-ruby/redcloth/redcloth-4.2.9-r4.ebuild
@@ -0,0 +1,60 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=5
+
+USE_RUBY="ruby20 ruby21 ruby22"
+
+RUBY_FAKEGEM_NAME="RedCloth"
+
+RUBY_FAKEGEM_RECIPE_TEST="rspec"
+RUBY_FAKEGEM_TASK_DOC=""
+
+RUBY_FAKEGEM_DOCDIR="doc"
+
+RUBY_FAKEGEM_EXTRADOC="README.rdoc CHANGELOG"
+
+RUBY_FAKEGEM_REQUIRE_PATHS="lib/case_sensitive_require"
+
+inherit ruby-fakegem versionator
+
+DESCRIPTION="A module for using Textile in Ruby"
+HOMEPAGE="http://redcloth.org/"
+
+GITHUB_USER=jgarber
+SRC_URI="https://github.com/${GITHUB_USER}/redcloth/tarball/v${PV} -> ${RUBY_FAKEGEM_NAME}-git-${PV}.tgz"
+RUBY_S="${GITHUB_USER}-${PN}-*"
+
+LICENSE="MIT"
+SLOT="0"
+KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 ~sparc x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE=""
+
+DEPEND+=" =dev-util/ragel-6*"
+
+ruby_add_bdepend "
+ >=dev-ruby/rake-0.8.7
+ >=dev-ruby/rake-compiler-0.7.1
+ test? ( >=dev-ruby/diff-lcs-1.1.2 )"
+
+pkg_setup() {
+ ruby-ng_pkg_setup
+
+ # Export the VERBOSE variable to avoid remapping of stdout and
+ # stderr, and that breaks because of bad interactions between
+ # echoe, Ruby and Gentoo.
+ export VERBOSE=1
+}
+
+RUBY_PATCHES=( ${P}-cve-2012-6684.patch )
+
+all_ruby_prepare() {
+ sed -i -e '/[Bb]undler/d' Rakefile ${PN}.gemspec || die
+ rm tasks/{release,gems,rspec}.rake || die
+}
+
+each_ruby_compile() {
+ # We cannot run this manually easily, because Ragel re-generation
+ # is a mess
+ ${RUBY} -S rake compile || die "rake compile failed"
+}
diff --git a/dev-ruby/redcloth/redcloth-4.3.2.ebuild b/dev-ruby/redcloth/redcloth-4.3.2.ebuild
new file mode 100644
index 000000000000..680fbe1910d1
--- /dev/null
+++ b/dev-ruby/redcloth/redcloth-4.3.2.ebuild
@@ -0,0 +1,57 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=5
+
+USE_RUBY="ruby21 ruby22 ruby23 ruby24"
+
+RUBY_FAKEGEM_NAME="RedCloth"
+
+RUBY_FAKEGEM_RECIPE_TEST="rspec"
+RUBY_FAKEGEM_TASK_DOC=""
+
+RUBY_FAKEGEM_DOCDIR="doc"
+
+RUBY_FAKEGEM_EXTRADOC="README.rdoc CHANGELOG"
+
+RUBY_FAKEGEM_REQUIRE_PATHS="lib/case_sensitive_require"
+
+inherit ruby-fakegem versionator
+
+DESCRIPTION="A module for using Textile in Ruby"
+HOMEPAGE="http://redcloth.org/"
+
+GITHUB_USER=jgarber
+SRC_URI="https://github.com/${GITHUB_USER}/redcloth/archive/v${PV}.tar.gz -> ${RUBY_FAKEGEM_NAME}-${PV}.tar.gz"
+
+LICENSE="MIT"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE=""
+
+DEPEND+=" =dev-util/ragel-6*"
+
+ruby_add_bdepend "
+ >=dev-ruby/rake-0.8.7
+ >=dev-ruby/rake-compiler-0.7.1
+ test? ( >=dev-ruby/diff-lcs-1.1.2 )"
+
+pkg_setup() {
+ ruby-ng_pkg_setup
+
+ # Export the VERBOSE variable to avoid remapping of stdout and
+ # stderr, and that breaks because of bad interactions between
+ # echoe, Ruby and Gentoo.
+ export VERBOSE=1
+}
+
+all_ruby_prepare() {
+ sed -i -e '/[Bb]undler/d' Rakefile ${PN}.gemspec || die
+ rm -f tasks/{release,rspec,rvm}.rake || die
+}
+
+each_ruby_compile() {
+ # We cannot run this manually easily, because Ragel re-generation
+ # is a mess
+ ${RUBY} -S rake compile || die "rake compile failed"
+}
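Review bot: This ebuild sets no `RUBY_PATCHES`, whereas redcloth-4.2.9-r4.ebuild applies `${P}-cve-2012-6684.patch`, and nothing on this page shows whether the 4.3.2 tarball already contains the CVE-2012-6684 link filter. The bundled patch header describes the upstream pull request as still pending, so this should be confirmed against the unpacked source of `lib/redcloth/formatters/html.rb`. If the fix is present, a comment above `all_ruby_prepare` such as `# CVE-2012-6684 filter is part of this release; no backport needed` would record the decision; if it is not, the patch needs rebasing for this version and listing in `RUBY_PATCHES`.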