Index: head/devel/simgear/Makefile
===================================================================
--- head/devel/simgear/Makefile	(revision 428652)
+++ head/devel/simgear/Makefile	(revision 428653)
@@ -1,29 +1,30 @@
 # $FreeBSD$
 
 PORTNAME=	simgear
 PORTVERSION=	2016.4.3
+PORTREVISION=	1
 CATEGORIES=	devel games
 MASTER_SITES=	SF/flightgear/release-${PORTVERSION:R}
 
 MAINTAINER=	martymac@FreeBSD.org
 COMMENT=	Toolkit for 3D games and simulations
 
 LICENSE=	GPLv2
 
 BUILD_DEPENDS=	${LOCALBASE}/lib/libplibsl.a:x11-toolkits/plib
 RUN_DEPENDS=	${LOCALBASE}/lib/libplibsl.a:x11-toolkits/plib
 LIB_DEPENDS=	libboost_thread.so:devel/boost-libs \
 		libosg.so:graphics/osg
 
 USE_XORG=	ice sm x11 xext xi xmu xt
 USE_GL=		gl glu glut
 USES=		alias cmake compiler cpe jpeg openal:al,alut tar:bzip2
 
 .include <bsd.port.pre.mk>
 
 # When building with Gcc, needs Gcc 4.6+
 .if ${COMPILER_TYPE} == gcc && ${COMPILER_VERSION} < 46
 USE_GCC=	yes
 .endif
 
 .include <bsd.port.post.mk>
Index: head/devel/simgear/files/patch-a2b111b-simgear-io-HTTPRepository.cxx
===================================================================
--- head/devel/simgear/files/patch-a2b111b-simgear-io-HTTPRepository.cxx	(nonexistent)
+++ head/devel/simgear/files/patch-a2b111b-simgear-io-HTTPRepository.cxx	(revision 428653)
@@ -0,0 +1,28 @@
+commit a2b111bb09485769d75addf563cb6e44be6655b3
+Author: James Turner <zakalawe@mac.com>
+Date:   Wed Dec 14 09:41:44 2016 +0000
+
+    Bugfix: reject dubious paths in HTTP repos.
+    
+    This avoids a malicious repository writing to files outside the local
+    storage root.
+
+diff --git simgear/io/HTTPRepository.cxx simgear/io/HTTPRepository.cxx
+index 1c95f278..b0335783 100644
+--- simgear/io/HTTPRepository.cxx
++++ simgear/io/HTTPRepository.cxx
+@@ -503,6 +503,14 @@ private:
+                 SG_LOG(SG_TERRASYNC, SG_WARN, "malformed .dirindex file: invalid type in line '" << line << "', expected 'd' or 'f', (ignoring line)" );
+                 continue;
+             }
++
++            // security: prevent writing outside the repository via ../../.. filenames
++            // (valid filenames never contain / - subdirectories have their own .dirindex)
++            if ((tokens[1] == "..") || (tokens[1].find_first_of("/\\") != std::string::npos)) {
++                SG_LOG(SG_TERRASYNC, SG_WARN, "malformed .dirindex file: invalid filename in line '" << line << "', (ignoring line)" );
++                continue;
++            }
++
+             children.push_back(ChildInfo(typeData == "f" ? ChildInfo::FileType : ChildInfo::DirectoryType, tokens[1], tokens[2]));
+ 
+             if (tokens.size() > 3) {

Property changes on: head/devel/simgear/files/patch-a2b111b-simgear-io-HTTPRepository.cxx
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property