authorMartchus2017-11-05 19:32:12 +0100
committerMartchus2017-11-05 19:32:12 +0100
commit0556b15cf17b53db622c64a04efbe93194d502a0 (patch)
treeb499d985e873bd37fc20bde8923d5dd34a0ba6c5
parentd6dd7c1df65335f7969f1c087f82a6ed89ec71e4 (diff)
downloadaur-0556b15cf17b53db622c64a04efbe93194d502a0.tar.gz
Add missing dependency pam and security patches
-rw-r--r--.SRCINFO13
-rw-r--r--0001-Adjust-config-for-Arch-Linux-package.patch4
-rw-r--r--0002-Adjust-service-file-for-Arch-Linux-package.patch4
-rw-r--r--0003-SECURITY-HTML-injection-in-user-search-API.patch34
-rw-r--r--0004-SECURITY-fix-branch-name-persistent-XSS.patch41
-rw-r--r--PKGBUILD16
6 files changed, 99 insertions, 13 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 2036a2b72130..9ac858afe6a7 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,9 +1,9 @@
# Generated by mksrcinfo v8
-# Fri Oct 6 14:54:50 UTC 2017
+# Sun Nov 5 18:32:11 UTC 2017
pkgbase = gogs
pkgdesc = Self Hosted Git Service written in Go
pkgver = 0.11.29
- pkgrel = 3
+ pkgrel = 4
epoch = 1
url = https://gogs.io
install = gogs.install
@@ -14,6 +14,7 @@ pkgbase = gogs
license = MIT
makedepends = go>=1.3
depends = git>=1.7.1
+ depends = pam
optdepends = sqlite: SQLite support
optdepends = mariadb: MariaDB support
optdepends = postgresql: PostgreSQL support
@@ -28,9 +29,13 @@ pkgbase = gogs
source = gogs-0.11.29::https://github.com/gogits/gogs/archive/v0.11.29.tar.gz
source = 0001-Adjust-config-for-Arch-Linux-package.patch
source = 0002-Adjust-service-file-for-Arch-Linux-package.patch
+ source = 0003-SECURITY-HTML-injection-in-user-search-API.patch
+ source = 0004-SECURITY-fix-branch-name-persistent-XSS.patch
sha512sums = 094dd6b5010128b8a68c3b4a2be389593380be527dd1f1c37882cbd7762ae31ff8da824d047acecb9ef31233ab3c576bc5030c90763adfa32d01b5830d12c04b
- sha512sums = 8aad23ec5b600a56aee4fd8db8e998d973865dd2e6432ca88e014c024a88ed5d7baa1a65b8ae752364d1e94a2d42795f5ced71b3f11dc2c57eb84ed110f2e3c1
- sha512sums = 01e19a45212a066589fbedbda9a0f2ac803269b855afed422fdcefb455f8e0da993ac11f0d36028858e4516d2d017e4c29f66dcc7b2260dd24022d1501e230a3
+ sha512sums = 43a337ccc0932a8e6f538d24ec8e13a7b509d1e7c4da40d2e76339a67b043090ab648b323c08311f5a62f81db19911138b6ff2c74fb9a869a401571d9b3770c5
+ sha512sums = 969a29c3d1a9667e285ebd3490a83c5a684fa037a540ba242dcd86fe8294eef0b1247fc996a4926832ba0d8c56b5d843a117c14c7696899cb813b847b861a5cc
+ sha512sums = dca31ee707586a2c055f549a36cdfd113def1436dfbb8eaf2358347d66c968fdb265e8832f1c8f8041d0fbddda708f5eac37719ab85040024cdf6eb82568a219
+ sha512sums = afafb48f86906db3c1385541eba3d02e028cda087067f4ec467b538cc215d5662ba0af8fe488f4ecbb1f6dff96520c47868c1584239540fb41db8781af6eb792
pkgname = gogs
diff --git a/0001-Adjust-config-for-Arch-Linux-package.patch b/0001-Adjust-config-for-Arch-Linux-package.patch
index 47477db8721d..a6e6bb624b09 100644
--- a/0001-Adjust-config-for-Arch-Linux-package.patch
+++ b/0001-Adjust-config-for-Arch-Linux-package.patch
@@ -1,7 +1,7 @@
From 73ef207e99b977f830e8a0d5fc98b8f8d25bb3f6 Mon Sep 17 00:00:00 2001
From: Martchus <martchus@gmx.net>
Date: Sun, 19 Mar 2017 18:03:36 +0100
-Subject: [PATCH 1/2] Adjust config for Arch Linux package
+Subject: [PATCH 1/4] Adjust config for Arch Linux package
---
conf/app.ini | 31 +++++++++++++++++++------------
@@ -92,5 +92,5 @@ index fc43868e9..bc78b8d8c 100644
; Use comma to separate multiple modes, e.g. "console, file"
MODE = console
--
-2.14.2
+2.15.0
diff --git a/0002-Adjust-service-file-for-Arch-Linux-package.patch b/0002-Adjust-service-file-for-Arch-Linux-package.patch
index 05dcf23d67f8..efdafe67c3bc 100644
--- a/0002-Adjust-service-file-for-Arch-Linux-package.patch
+++ b/0002-Adjust-service-file-for-Arch-Linux-package.patch
@@ -1,7 +1,7 @@
From 6c229c932878e189e3a785c337a1c5d1cdbea2c3 Mon Sep 17 00:00:00 2001
From: Martchus <martchus@gmx.net>
Date: Sun, 19 Mar 2017 18:04:48 +0100
-Subject: [PATCH 2/2] Adjust service file for Arch Linux package
+Subject: [PATCH 2/4] Adjust service file for Arch Linux package
---
scripts/systemd/gogs.service | 10 +++++-----
@@ -30,5 +30,5 @@ index 9f105bf8e..07ffa1f66 100644
[Install]
WantedBy=multi-user.target
--
-2.14.2
+2.15.0
diff --git a/0003-SECURITY-HTML-injection-in-user-search-API.patch b/0003-SECURITY-HTML-injection-in-user-search-API.patch
new file mode 100644
index 000000000000..3fe930ff609e
--- /dev/null
+++ b/0003-SECURITY-HTML-injection-in-user-search-API.patch
@@ -0,0 +1,34 @@
+From f331f09bbd849c0aa568f704a09e81ff77fc50f8 Mon Sep 17 00:00:00 2001
+From: Unknwon <u@gogs.io>
+Date: Sat, 14 Oct 2017 23:53:20 -0400
+Subject: [PATCH 3/4] SECURITY: HTML injection in user search API
+
+Reported by Tim Hawes.
+---
+ routes/api/v1/user/user.go | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/routes/api/v1/user/user.go b/routes/api/v1/user/user.go
+index dbf727def..8326eea57 100644
+--- a/routes/api/v1/user/user.go
++++ b/routes/api/v1/user/user.go
+@@ -12,6 +12,7 @@ import (
+ "github.com/gogits/gogs/models"
+ "github.com/gogits/gogs/models/errors"
+ "github.com/gogits/gogs/pkg/context"
++ "github.com/gogits/gogs/pkg/markup"
+ )
+
+ func Search(c *context.APIContext) {
+@@ -39,7 +40,7 @@ func Search(c *context.APIContext) {
+ ID: users[i].ID,
+ UserName: users[i].Name,
+ AvatarUrl: users[i].AvatarLink(),
+- FullName: users[i].FullName,
++ FullName: markup.Sanitize(users[i].FullName),
+ }
+ if c.IsLogged {
+ results[i].Email = users[i].Email
+--
+2.15.0
+
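Review bot: `markup.Sanitize(users[i].FullName)` looks like an allow-list HTML sanitizer rather than an escaper, so the JSON field can presumably still carry whatever markup the policy permits, and non-HTML API consumers now receive an altered name. The injection happens where this field is inserted into a page, so that consumer should insert it as text; if the server-side fix is kept, `FullName: html.EscapeString(users[i].FullName),` would be the stricter choice. `results[i].Email` in the same loop is passed through unchanged and deserves the same check if it reaches the same sink. The body of `Search` continues outside the hunk, so other fields and callers are not visible here.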
diff --git a/0004-SECURITY-fix-branch-name-persistent-XSS.patch b/0004-SECURITY-fix-branch-name-persistent-XSS.patch
new file mode 100644
index 000000000000..36c424342c3c
--- /dev/null
+++ b/0004-SECURITY-fix-branch-name-persistent-XSS.patch
@@ -0,0 +1,41 @@
+From 3025fe70a794d70e3422784401f9ad04d0d71032 Mon Sep 17 00:00:00 2001
+From: Unknwon <u@gogs.io>
+Date: Sun, 15 Oct 2017 00:07:46 -0400
+Subject: [PATCH 4/4] SECURITY: fix branch name persistent XSS
+
+Reported by Carl Hattenfels.
+---
+ templates/repo/editor/commit_form.tmpl | 3 ++-
+ templates/repo/issue/view_title.tmpl | 2 +-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/templates/repo/editor/commit_form.tmpl b/templates/repo/editor/commit_form.tmpl
+index 6aee9f1d1..6ee6300ff 100644
+--- a/templates/repo/editor/commit_form.tmpl
++++ b/templates/repo/editor/commit_form.tmpl
+@@ -14,7 +14,8 @@
+ <input type="radio" class="js-quick-pull-choice-option" name="commit_choice" value="direct" {{if eq .commit_choice "direct"}}checked{{end}}>
+ <label>
+ <i class="octicon octicon-git-commit" height="16" width="14"></i>
+- {{.i18n.Tr "repo.editor.commit_directly_to_this_branch" .BranchName | Safe}}
++ {{$branchName := .BranchName | Str2html}}
++ {{.i18n.Tr "repo.editor.commit_directly_to_this_branch" $branchName | Safe}}
+ </label>
+ </div>
+ </div>
+diff --git a/templates/repo/issue/view_title.tmpl b/templates/repo/issue/view_title.tmpl
+index 3f3b62e65..4650ba4c8 100644
+--- a/templates/repo/issue/view_title.tmpl
++++ b/templates/repo/issue/view_title.tmpl
+@@ -28,7 +28,7 @@
+ {{if .Issue.PullRequest.HasMerged}}
+ {{ $mergedStr:= TimeSince .Issue.PullRequest.Merged $.Lang }}
+ <a {{if gt .Issue.PullRequest.Merger.ID 0}}href="{{.Issue.PullRequest.Merger.HomeLink}}"{{end}}>{{.Issue.PullRequest.Merger.Name}}</a>
+- <span class="pull-desc">{{$.i18n.Tr "repo.pulls.merged_title_desc" .NumCommits .HeadTarget .BaseTarget $mergedStr | Safe}}</span>
++ <span class="pull-desc">{{$.i18n.Tr "repo.pulls.merged_title_desc" .NumCommits .HeadTarget .BaseTarget $mergedStr | Str2html}}</span>
+ {{else}}
+ <a {{if gt .Issue.Poster.ID 0}}href="{{.Issue.Poster.HomeLink}}"{{end}}>{{.Issue.Poster.Name}}</a>
+ <span class="pull-desc">{{$.i18n.Tr "repo.pulls.title_desc" .NumCommits .HeadTarget .BaseTarget | Str2html}}</span>
+--
+2.15.0
+
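Review bot: The two templates are fixed in different ways: commit_form.tmpl sanitizes only `.BranchName` and still ends the pipeline with `| Safe`, while view_title.tmpl pipes the whole translated string through `Str2html`. With `| Safe` left in place, the translation text and any argument added later are emitted unescaped, so that line stays safe only while every argument is sanitized beforehand. Unless the sanitizer strips markup the translation itself needs, `{{.i18n.Tr "repo.editor.commit_directly_to_this_branch" .BranchName | Str2html}}` would match the second hunk and the unchanged `title_desc` line. Other templates that pass branch names through `| Safe` are not visible here and are worth a grep before treating the issue as closed.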
diff --git a/PKGBUILD b/PKGBUILD
index d703bb1979d5..f0701843b74a 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -8,13 +8,13 @@ _gourl=github.com/gogits/$_pkgname
pkgname=$_pkgname
pkgver=0.11.29
-pkgrel=3
+pkgrel=4
epoch=1
pkgdesc='Self Hosted Git Service written in Go'
arch=('i686' 'x86_64' 'armv6h' 'armv7h')
url="https://$_pkgname.io"
license=('MIT')
-depends=('git>=1.7.1')
+depends=('git>=1.7.1' 'pam')
optdepends=('sqlite: SQLite support'
'mariadb: MariaDB support'
'postgresql: PostgreSQL support'
@@ -28,10 +28,14 @@ backup=("etc/$_pkgname/app.ini")
install=$_pkgname.install
source=("$_pkgname-$pkgver::https://github.com/$_orga/$_pkgname/archive/v${pkgver}.tar.gz"
'0001-Adjust-config-for-Arch-Linux-package.patch'
- '0002-Adjust-service-file-for-Arch-Linux-package.patch')
+ '0002-Adjust-service-file-for-Arch-Linux-package.patch'
+ '0003-SECURITY-HTML-injection-in-user-search-API.patch'
+ '0004-SECURITY-fix-branch-name-persistent-XSS.patch')
sha512sums=('094dd6b5010128b8a68c3b4a2be389593380be527dd1f1c37882cbd7762ae31ff8da824d047acecb9ef31233ab3c576bc5030c90763adfa32d01b5830d12c04b'
- '8aad23ec5b600a56aee4fd8db8e998d973865dd2e6432ca88e014c024a88ed5d7baa1a65b8ae752364d1e94a2d42795f5ced71b3f11dc2c57eb84ed110f2e3c1'
- '01e19a45212a066589fbedbda9a0f2ac803269b855afed422fdcefb455f8e0da993ac11f0d36028858e4516d2d017e4c29f66dcc7b2260dd24022d1501e230a3')
+ '43a337ccc0932a8e6f538d24ec8e13a7b509d1e7c4da40d2e76339a67b043090ab648b323c08311f5a62f81db19911138b6ff2c74fb9a869a401571d9b3770c5'
+ '969a29c3d1a9667e285ebd3490a83c5a684fa037a540ba242dcd86fe8294eef0b1247fc996a4926832ba0d8c56b5d843a117c14c7696899cb813b847b861a5cc'
+ 'dca31ee707586a2c055f549a36cdfd113def1436dfbb8eaf2358347d66c968fdb265e8832f1c8f8041d0fbddda708f5eac37719ab85040024cdf6eb82568a219'
+ 'afafb48f86906db3c1385541eba3d02e028cda087067f4ec467b538cc215d5662ba0af8fe488f4ecbb1f6dff96520c47868c1584239540fb41db8781af6eb792')
_goroot='/usr/lib/go'
prepare() {
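Review bot: The two backported security patches are added to `source` with no comment recording which upstream Gogs commits or release they come from, so a later `pkgver` bump gives no hint about when they can be dropped. A comment above the array such as `# 0003/0004: backported upstream security fixes; drop once pkgver contains them` would cover that. The `sha512sums` entries for files shipped in this same repository only detect accidental corruption, so the patch content itself is what needs review.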
@@ -62,6 +66,8 @@ prepare() {
cd "$GOPATH/src/${_gourl}"
patch -Np1 -i "$srcdir/0001-Adjust-config-for-Arch-Linux-package.patch"
patch -Np1 -i "$srcdir/0002-Adjust-service-file-for-Arch-Linux-package.patch"
+ patch -Np1 -i "$srcdir/0003-SECURITY-HTML-injection-in-user-search-API.patch"
+ patch -Np1 -i "$srcdir/0004-SECURITY-fix-branch-name-persistent-XSS.patch"
}
build() {