License

[Ryan J Ollos]

I noticed that your macro doesn't have a license. It would be simple to add a license header:

# -*- coding: utf-8 -*-
#
# Copyright (C) 2010-2014 "author name" <author-email>
# All rights reserved.
#
# This software is licensed as described in the file COPYING, which
# you should have received as part of this distribution.
#

If you choose to use the same license as Trac, you can copy a file with the text of the 3-Clause BSD license from: tracjenkinsplugin/trunk/COPYING@13976​.

You can also add metadata to the single-file plugin, using the keywords: ​t:browser:/trunk/trac/loader.py@12785:157-158#L153. An example use can be seen in browser:/lastmodifiedmacro/trunk/LastModified.py@13555:18-24​.

[Elan Ruusamäe]

In 13980:

Added 3-Clause BSD license. Fixes #11827

[Ryan J Ollos]

In 13981:

Corrected author in COPYING file. Refs #11827.

[Ryan J Ollos]

In 13982:

Correct copyright year in COPYING file. Refs #11827.

[Ryan J Ollos]

Thanks for the quick fix. Sorry about having two follow-on changes. I only noticed the second issue after committing the first change.

[Elan Ruusamäe]

Thanks for reviewing it, i didn't even think COPYING has any names in it. i.e i thought it's generic as GPL licenses are.

also, the trac ui seems to render utf8 wrong, any chance to make this trac default encoding to be utf8 instead of latin1 so these render correctly?

[Ryan J Ollos]

Replying to glen:

also, the trac ui seems to render utf8 wrong, any chance to make this trac default encoding to be utf8 instead of latin1 so these render correctly?

The encoding issues can be tricky. Could you describe in more detail the issue you are experiencing?

[Elan Ruusamäe]

this is how it looks

[Elan Ruusamäe]

this is how it should look

[Elan Ruusamäe]

added screenshots. the bad encoding can be seen any commits in this ticket that has my name in the text.

as i understood you only need to change conf/trac.ini:

[trac] 
default_charset = utf-8 

however trac http header already is Content-Type: text/html;charset=utf-8 so not really sure where it goes wrong.

as for accessing svn directly ​http://trac-hacks.org/svn/vcsreleaseinfomacro/COPYING, then that has no charset specified: Content-Type: text/plain. i propose you to change that with ​AddDefaultCharset directive in your <Location /svn/>

[Ryan J Ollos]

Okay, I had misunderstood the earlier comment. I didn't realize you were commenting on the site rather than a plugin development issue.

I set [trac] default_charset = utf-8, which seems to have fixed vcsreleaseinfomacro/COPYING​.

Adding AddDefaultCharset utf-8 to the <Location /svn/> section seems to have fixed the rendering when accessing svn/vcsreleaseinfomacro/COPYING.

Thanks for the tips!

[Ryan J Ollos]

It looks like t.e.o has the same content-type issue with files served from SVN over HTTPS. For example, see ​wikisyntax.py. However I wonder if it's really worth suggesting any server configuration change since it's unlikely many people will be looking at the source code served directly from SVN.

[Jun Omae]

Replying to rjollos:

Adding AddDefaultCharset utf-8 to the <Location /svn/> section seems to have fixed the rendering when accessing svn/vcsreleaseinfomacro/COPYING.

Sounds good for trac-hacks and t.e.o..

However, I think another issue in Content-Type in trac-hacks.

All committers can add any contents and set any Content-Type to the files via svn:mime-type in repository of trac-hacks. Any one can register to trac-hacks. Therefore, a attacker can add html files with attack javascript vectors in the same origin of trac-hacks.org.

Workaround is adding Content-Disposition: attachment header for force a file to download if GET request for a file.

Header set Content-Disposition attachment env=x-disposition-attachment
RewriteEngine On
RewriteCond %{REQUEST_METHOD} =GET
RewriteCond %{REQUEST_URI} !/$
RewriteRule ^/svn/ - [E=x-disposition-attachment]

[Ryan J Ollos]

I've created tickets in the Edgewall administrative Trac instance so that we can continue discussion: ​lynx:#11, ​lynx:#12.

[Elan Ruusamäe]

Feels awesome that I pointed you accidentally to (possible) security problem(s), which was originally just aesthetic issue :)

ps: the lynx-links don't work:

  Can't view #11. Resource doesn't exist or you don't have the required permission.

[Ryan J Ollos]

Replying to glen:

ps: the lynx-links don't work:

Lynx is not a public site. We keep it private so that we can discuss security and sensitive configuration issues.