head	1.2;
access;
symbols
	old_RELEASE_4_10_0:1.1;
locks; strict;
comment	@# @;


1.2
date	2004.05.06.13.13.11;	author pav;	state dead;
branches;
next	1.1;

1.1
date	2003.12.09.02.48.11;	author linimon;	state Exp;
branches;
next	;


desc
@@


1.2
log
@- Update to 1.5.7

PR:		ports/66321
Submitted by:	Fumihiko Kimura <jfkimura@@yahoo.co.jp> (maintainer)
@
text
@--- tdiary.rb	Thu Nov 13 15:34:22 2003
+++ tdiary.rb.new	Fri Nov 21 16:11:26 2003
@@@@ -1,13 +1,13 @@@@
 =begin
 == NAME
 tDiary: the "tsukkomi-able" web diary system.
-tdiary.rb $Revision: 1.156 $
+tdiary.rb $Revision: 1.159 $
 
 Copyright (C) 2001-2003, TADA Tadashi <sho@@spc.gr.jp>
 You can redistribute it and/or modify it under GPL2.
 =end
 
-TDIARY_VERSION = '1.5.6'
+TDIARY_VERSION = '1.5.6.20031118'
 
 require 'cgi'
 begin
@@@@ -62,10 +62,14 @@@@
 module Safe
 	def safe( level = 4 )
 		result = nil
-		Thread.start {
-			$SAFE = level
+		if $SAFE < level then
+			Thread.start {
+				$SAFE = level
+				result = yield
+			}.join
+		else
 			result = yield
-		}.join
+		end
 		result
   end
   module_function :safe
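Review bot: The new `if $SAFE < level` guard in `safe` has no comment explaining why the thread is skipped, and the reason is not obvious from the code. `$SAFE` can only be raised, never lowered, so a call made from code already running at or above `level` has to yield in place instead of trying to assign `$SAFE` in a fresh thread. I would add `# $SAFE cannot be lowered; when already at or above level, run the block in place` above the `else` branch. The method comment should also state that in this branch the block runs at the caller's current level, which may be stricter than the `level` requested.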
@@@@ -740,7 +744,9 @@@@
 			r = str.dup
 			if @@options['apply_plugin'] and str.index( '<%' ) then
 				r = str.untaint if $SAFE < 3
-				r = ERbLight.new( r ).result( binding )
+				Safe::safe( @@conf.secure ? 4 : 1 ) do
+					r = ERbLight.new( r ).result( binding )
+				end
 			end
 			r.gsub!( /<.*?>/, '' ) if remove_tag
 			r
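Review bot: The context line just above the new `Safe::safe( @conf.secure ? 4 : 1 )` wrapper still calls `str.untaint`, which clears the taint flag on the caller's string rather than on the copy `r`, and it is keyed on the ambient `$SAFE` rather than on the level the template is about to run at. Writing it as `r = r.untaint if $SAFE < 3` would keep the untaint on the local copy. The wrapper also deserves a one-line comment recording the intent, for example `# evaluate plugin markup sandboxed: level 4 in secure mode, otherwise level 1`. The enclosing method starts and ends outside this hunk, so whether any caller relies on `str` coming back untainted cannot be confirmed from here.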
@


1.1
log
@Fix a security related problem in tDiary 1.5.6, see
http://www.tdiary.org/20031119.html (Japanese-language) for details.
It only happened in the following case:

 * "@@secure = true" in setting file (tdiary.conf)
 * output_rdf.rb or tb-send.rb enabled through plugin selection

PR:		ports/59451
Submitted by:	Fumihiko Kimura <jfkimura@@yahoo.co.jp> (maintainer)
@
text
@@

