Opened 2 years ago

Closed 2 years ago

#11827 closed task (fixed)

Reported by: rjollos
Owned by: glen
Priority: normal
Component: VcsReleaseInfoMacro
Severity: normal
Keywords: license
Cc: hasienda, jun66j5

Description

I noticed that your macro doesn't have a license. It would be simple to add a license header:

# -*- coding: utf-8 -*-
#
# Copyright (C) 2010-2014 "author name" <author-email>
#
# This software is licensed as described in the file COPYING, which
# you should have received as part of this distribution.
#


If you choose to use the same license as Trac, you can copy a file with the text of the 3-Clause BSD license from: tracjenkinsplugin/trunk/COPYING@13976.

You can also add metadata to the single-file plugin, using the keywords: t:browser:/trunk/trac/loader.py@12785:157-158#L153. An example use can be seen in browser:/lastmodifiedmacro/trunk/LastModified.py@13555:18-24.

comment:1 Changed 2 years ago by rjollos

• Cc hasienda added; anonymous removed

comment:2 Changed 2 years ago by glen

• Resolution set to fixed
• Status changed from new to closed

In 13980:

comment:3 Changed 2 years ago by rjollos

In 13981:

Corrected author in COPYING file. Refs #11827.

comment:4 Changed 2 years ago by rjollos

In 13982:

Correct copyright year in COPYING file. Refs #11827.

comment:5 Changed 2 years ago by rjollos

Thanks for the quick fix. Sorry about having two follow-on changes. I only noticed the second issue after committing the first change.

comment:6 follow-up: ↓ 7 Changed 2 years ago by glen

Thanks for reviewing it. I didn't even think COPYING has any names in it, i.e. I thought it's generic as GPL licenses are.

Also, the Trac UI seems to render utf8 wrong, any chance to make this Trac default encoding to be utf8 instead of latin1 so these render correctly?

comment:7 in reply to: ↑ 6 Changed 2 years ago by rjollos

  Also, the Trac UI seems to render utf8 wrong, any chance to make this Trac default encoding to be utf8 instead of latin1 so these render correctly?

The encoding issues can be tricky. Could you describe in more detail the issue you are experiencing?

Changed 2 years ago by glen

this is how it looks

Changed 2 years ago by glen

this is how it should look

comment:8 Changed 2 years ago by glen

Added screenshots. The bad encoding can be seen in any commits in this ticket that have my name in the text.

As I understood, you only need to change conf/trac.ini:

[trac]
default_charset = utf-8


However, the Trac HTTP header already is Content-Type: text/html;charset=utf-8, so I'm not really sure where it goes wrong.

As for accessing SVN directly at http://trac-hacks.org/svn/vcsreleaseinfomacro/COPYING, that has no charset specified: Content-Type: text/plain. I propose you change that with the AddDefaultCharset directive in your <Location /svn/>.

comment:9 follow-up: ↓ 11 Changed 2 years ago by rjollos

• Cc jun66j5 added

Okay, I had misunderstood the earlier comment. I didn't realize you were commenting on the site rather than a plugin development issue.

I set [trac] default_charset = utf-8, which seems to have fixed vcsreleaseinfomacro/COPYING.

Adding AddDefaultCharset utf-8 to the <Location /svn/> section seems to have fixed the rendering when accessing svn/vcsreleaseinfomacro/COPYING.

Thanks for the tips!

Last edited 2 years ago by rjollos

comment:10 Changed 2 years ago by rjollos

It looks like t.e.o has the same content-type issue with files served from SVN over HTTPS. For example, see wikisyntax.py. However I wonder if it's really worth suggesting any server configuration change since it's unlikely many people will be looking at the source code served directly from SVN.

comment:11 in reply to: ↑ 9 Changed 2 years ago by jun66j5

  Adding AddDefaultCharset utf-8 to the <Location /svn/> section seems to have fixed the rendering when accessing svn/vcsreleaseinfomacro/COPYING.

Sounds good for trac-hacks and t.e.o.

However, I think there is another issue with Content-Type in trac-hacks.

All committers can add any content and set any Content-Type on the files via svn:mime-type in the trac-hacks repository. Anyone can register on trac-hacks. Therefore, an attacker can add HTML files with attack JavaScript vectors in the same origin as trac-hacks.org.

A workaround is adding a Content-Disposition: attachment header to force a file to download on a GET request for a file.

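# Send Content-Disposition only when the rewrite rule below has set the variable
Header set Content-Disposition attachment env=x-disposition-attachment
RewriteEngine On
RewriteCond %{REQUEST_METHOD} =GET
# Skip URIs that end in a slash (directory listings)
RewriteCond %{REQUEST_URI} !/$
RewriteRule ^/svn/ - [E=x-disposition-attachment]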

Last edited 2 years ago by rjollos
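
A header check covering the two issues raised in this thread (text served without a charset, and repository files rendered inline from the site's origin), added here as an example and not part of the ticket or the trac-hacks configuration. The finding names, the set of active content types and the /svn/exampleplugin/ paths are assumptions constructed for illustration.

```python
# Added example (not from the ticket): audit headers of responses under /svn/.
from email.message import Message

# Assumption: types a browser renders as script-capable documents.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}

def parse_headers(raw):
    """Parse 'Name: value' lines into a case-insensitive header container."""
    msg = Message()
    for line in raw.strip().splitlines():
        name, _, value = line.partition(":")
        msg[name.strip()] = value.strip()
    return msg

def audit(method, path, raw_headers):
    """Return findings for one response; names are hypothetical labels."""
    # Same scope as the rewrite conditions: GET, under /svn/, not a directory.
    if method != "GET" or not path.startswith("/svn/") or path.endswith("/"):
        return []
    h = parse_headers(raw_headers)
    findings = []
    if h.get_content_disposition() != "attachment":
        if h.get_content_type() in ACTIVE_TYPES:
            # A committer-chosen svn:mime-type would render in the site origin.
            findings.append("inline-active-content")
        else:
            findings.append("missing-attachment-disposition")
    if h.get_content_maintype() == "text" and h.get_content_charset() is None:
        findings.append("text-without-charset")
    return findings

# Constructed sample responses; /svn/exampleplugin/ is a placeholder path.
SAMPLES = [
    ("GET", "/svn/exampleplugin/page.html", "Content-Type: text/html"),
    ("GET", "/svn/exampleplugin/COPYING", "Content-Type: text/plain"),
    ("GET", "/svn/exampleplugin/page.html",
     "Content-Type: text/html; charset=utf-8\nContent-Disposition: attachment"),
    ("GET", "/svn/exampleplugin/", "Content-Type: text/html"),
]

if __name__ == "__main__":
    for method, path, raw in SAMPLES:
        print(method, path, audit(method, path, raw) or "ok")
```
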

comment:12 Changed 2 years ago by rjollos

I've created tickets in the Edgewall administrative Trac instance so that we can continue discussion: lynx:#11, lynx:#12.

Last edited 2 years ago by rjollos

comment:13 follow-up: ↓ 14 Changed 2 years ago by glen

Feels awesome that I accidentally pointed you to (possible) security problem(s), which was originally just an aesthetic issue :)

ps: the lynx-links don't work:

  Can't view #11. Resource doesn't exist or you don't have the required permission.

Last edited 2 years ago by glen

comment:14 in reply to: ↑ 13 Changed 2 years ago by rjollos

  ps: the lynx-links don't work:

Lynx is not a public site. We keep it private so that we can discuss security and sensitive configuration issues.