authorminskim <minskim@pkgsrc.org>2012-02-05 23:58:07 +0000
committerminskim <minskim@pkgsrc.org>2012-02-05 23:58:07 +0000
commite761ac4e7f3a3e6a16a06a2c6be7a88296ca3c84 (patch)
tree990f68f9cb5279a6e1750cd1b8a8786c48ab212b
parentb9763b0ece894e9c8b7ffc0a04c5a02ffac8515f (diff)
downloadpkgsrc-e761ac4e7f3a3e6a16a06a2c6be7a88296ca3c84.tar.gz
Fix XSS vulnerabilities in awstats.
Patch from the awstats CVS repository.
-rw-r--r--www/awstats/Makefile4
-rw-r--r--www/awstats/distinfo3
-rw-r--r--www/awstats/patches/patch-wwwroot_cgi-bin_awredir.pl47
3 files changed, 51 insertions, 3 deletions
diff --git a/www/awstats/Makefile b/www/awstats/Makefile
index e18b7fd9c8f..f061e47bc0b 100644
--- a/www/awstats/Makefile
+++ b/www/awstats/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.45 2011/05/30 09:31:25 hauke Exp $
+# $NetBSD: Makefile,v 1.46 2012/02/05 23:58:07 minskim Exp $
DISTNAME= awstats-7.0
-PKGREVISION= 2
+PKGREVISION= 3
CATEGORIES= www
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=awstats/}
diff --git a/www/awstats/distinfo b/www/awstats/distinfo
index 983366d4421..4b872f521f8 100644
--- a/www/awstats/distinfo
+++ b/www/awstats/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.28 2011/05/30 09:32:41 hauke Exp $
+$NetBSD: distinfo,v 1.29 2012/02/05 23:58:07 minskim Exp $
SHA1 (awstats-7.0/awstats-7.0.tar.gz) = 733fa7d6a540f4a54f52c69a5f271c789472b0b7
RMD160 (awstats-7.0/awstats-7.0.tar.gz) = 0bd46afbd3159cf5f3e517b37a43b7d0852fc2a3
@@ -6,3 +6,4 @@ Size (awstats-7.0/awstats-7.0.tar.gz) = 1254327 bytes
SHA1 (patch-aa) = 77505c9894b0be638d748c506feb93e065a3318f
SHA1 (patch-ab) = 9ae474058a1803c1132b36448c1a6987c58e8823
SHA1 (patch-ad) = 9c08fff3fcc3871a08c73c9509fbeb5baca06c09
+SHA1 (patch-wwwroot_cgi-bin_awredir.pl) = 3e3a41ab4bfbe633f78af182f5d2692bd678595d
diff --git a/www/awstats/patches/patch-wwwroot_cgi-bin_awredir.pl b/www/awstats/patches/patch-wwwroot_cgi-bin_awredir.pl
new file mode 100644
index 00000000000..0ada11d3fd8
--- /dev/null
+++ b/www/awstats/patches/patch-wwwroot_cgi-bin_awredir.pl
@@ -0,0 +1,47 @@
+$NetBSD: patch-wwwroot_cgi-bin_awredir.pl,v 1.1 2012/02/05 23:58:07 minskim Exp $
+
+Security fix for http://secunia.com/advisories/46160/
+
+--- wwwroot/cgi-bin/awredir.pl.orig 2009-01-03 10:42:04.000000000 +0000
++++ wwwroot/cgi-bin/awredir.pl
+@@ -73,6 +73,27 @@ sub DecodeEncodedString {
+ return $stringtodecode;
+ }
+
++#------------------------------------------------------------------------------
++# Function: Clean a string of HTML tags to avoid 'Cross Site Scripting attacks'
++# and clean | char.
++# Parameters: stringtoclean
++# Input: None
++# Output: None
++# Return: cleanedstring
++#------------------------------------------------------------------------------
++sub CleanXSS {
++ my $stringtoclean = shift;
++
++ # To avoid html tags and javascript
++ $stringtoclean =~ s/</&lt;/g;
++ $stringtoclean =~ s/>/&gt;/g;
++ $stringtoclean =~ s/|//g;
++
++ # To avoid onload="
++ $stringtoclean =~ s/onload//g;
++ return $stringtoclean;
++}
++
+
+ #-------------------------------------------------------
+ # MAIN
+@@ -124,6 +145,12 @@ elsif ($Url =~ /url=(.+)$/) { $Url=$1; }
+ $Url = DecodeEncodedString($Url);
+ $UrlParam=$Url;
+
++# Sanitize parameters
++$Tag=CleanXSS($Tag);
++$Key=CleanXSS($Key);
++$UrlParam=CleanXSS($UrlParam);
++
++
+ if (! $UrlParam) {
+ error("Error: Bad use of $PROG. To redirect an URL with $PROG, use the following syntax:<br><i>/cgi-bin/$PROG.pl?url=http://urltogo</i>");
+ }