author | minskim <minskim@pkgsrc.org> | 2012-02-05 23:58:07 +0000 |
---|---|---|
committer | minskim <minskim@pkgsrc.org> | 2012-02-05 23:58:07 +0000 |
commit | e761ac4e7f3a3e6a16a06a2c6be7a88296ca3c84 (patch) | |
tree | 990f68f9cb5279a6e1750cd1b8a8786c48ab212b | |
parent | b9763b0ece894e9c8b7ffc0a04c5a02ffac8515f (diff) | |
download | pkgsrc-e761ac4e7f3a3e6a16a06a2c6be7a88296ca3c84.tar.gz |
Fix XSS vulnerabilities in awstats.
Patch from awstats' CVS repo.
-rw-r--r-- | www/awstats/Makefile | 4 | ||||
-rw-r--r-- | www/awstats/distinfo | 3 | ||||
-rw-r--r-- | www/awstats/patches/patch-wwwroot_cgi-bin_awredir.pl | 47 |
3 files changed, 51 insertions, 3 deletions
diff --git a/www/awstats/Makefile b/www/awstats/Makefile
index e18b7fd9c8f..f061e47bc0b 100644
--- a/www/awstats/Makefile
+++ b/www/awstats/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.45 2011/05/30 09:31:25 hauke Exp $
+# $NetBSD: Makefile,v 1.46 2012/02/05 23:58:07 minskim Exp $
 DISTNAME= awstats-7.0
-PKGREVISION= 2
+PKGREVISION= 3
 CATEGORIES= www
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=awstats/}
diff --git a/www/awstats/distinfo b/www/awstats/distinfo
index 983366d4421..4b872f521f8 100644
--- a/www/awstats/distinfo
+++ b/www/awstats/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.28 2011/05/30 09:32:41 hauke Exp $
+$NetBSD: distinfo,v 1.29 2012/02/05 23:58:07 minskim Exp $
 SHA1 (awstats-7.0/awstats-7.0.tar.gz) = 733fa7d6a540f4a54f52c69a5f271c789472b0b7
 RMD160 (awstats-7.0/awstats-7.0.tar.gz) = 0bd46afbd3159cf5f3e517b37a43b7d0852fc2a3
@@ -6,3 +6,4 @@ Size (awstats-7.0/awstats-7.0.tar.gz) = 1254327 bytes
 SHA1 (patch-aa) = 77505c9894b0be638d748c506feb93e065a3318f
 SHA1 (patch-ab) = 9ae474058a1803c1132b36448c1a6987c58e8823
 SHA1 (patch-ad) = 9c08fff3fcc3871a08c73c9509fbeb5baca06c09
+SHA1 (patch-wwwroot_cgi-bin_awredir.pl) = 3e3a41ab4bfbe633f78af182f5d2692bd678595d
diff --git a/www/awstats/patches/patch-wwwroot_cgi-bin_awredir.pl b/www/awstats/patches/patch-wwwroot_cgi-bin_awredir.pl
new file mode 100644
index 00000000000..0ada11d3fd8
--- /dev/null
+++ b/www/awstats/patches/patch-wwwroot_cgi-bin_awredir.pl
@@ -0,0 +1,47 @@
+$NetBSD: patch-wwwroot_cgi-bin_awredir.pl,v 1.1 2012/02/05 23:58:07 minskim Exp $
+
+Security fix for http://secunia.com/advisories/46160/
+
+--- wwwroot/cgi-bin/awredir.pl.orig 2009-01-03 10:42:04.000000000 +0000
++++ wwwroot/cgi-bin/awredir.pl
+@@ -73,6 +73,27 @@ sub DecodeEncodedString {
+ return $stringtodecode;
+ }
+
++#------------------------------------------------------------------------------
++# Function: Clean a string of HTML tags to avoid 'Cross Site Scripting attacks'
++# and clean | char.
++# Parameters: stringtoclean
++# Input: None
++# Output: None
++# Return: cleanedstring
++#------------------------------------------------------------------------------
++sub CleanXSS {
++ my $stringtoclean = shift;
++
++ # To avoid html tags and javascript
++ $stringtoclean =~ s/</</g;
++ $stringtoclean =~ s/>/>/g;
++ $stringtoclean =~ s/|//g;
++
++ # To avoid onload="
++ $stringtoclean =~ s/onload//g;
++ return $stringtoclean;
++}
++
+
+ #-------------------------------------------------------
+ # MAIN
+@@ -124,6 +145,12 @@ elsif ($Url =~ /url=(.+)$/) { $Url=$1; }
+ $Url = DecodeEncodedString($Url);
+ $UrlParam=$Url;
+
++# Sanitize parameters
++$Tag=CleanXSS($Tag);
++$Key=CleanXSS($Key);
++$UrlParam=CleanXSS($UrlParam);
++
++
+ if (! $UrlParam) {
+ error("Error: Bad use of $PROG. To redirect an URL with $PROG, use the following syntax:<br><i>/cgi-bin/$PROG.pl?url=http://urltogo</i>");
+ } |
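Review bot: In the added CleanXSS, `s/|//g` as printed has an empty-alternation pattern that matches the empty string and therefore never removes a `|` character, contradicting the header comment "clean | char"; unless the backslash was lost when the page was rendered, it should read `$stringtoclean =~ s/\|//g;`. The two substitutions above it likewise print as identity replacements (`s/</</g`, `s/>/>/g`), presumably `&lt;`/`&gt;` entities unescaped by the page, which is worth confirming against the committed patch file since as shown they would not neutralise tags. Even with those intact, the function only encodes angle brackets and deletes one lowercase handler name, so a value echoed inside an HTML attribute is not made safe; escaping `"`, `'` and `&` as well (or HTML-escaping at each output point rather than in a pre-filter) is the more robust fix. In the MAIN hunk `$Url` keeps its pre-sanitisation value after `$UrlParam=CleanXSS($UrlParam);`, so any later use of `$Url` for output would bypass the cleaning; the code surrounding both inner hunks continues outside this patch.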