authorkefren <kefren@pkgsrc.org>2008-09-01 09:28:54 +0000
committerkefren <kefren@pkgsrc.org>2008-09-01 09:28:54 +0000
commitc43c16cebf6af094ee421e4a37e972a48aefb35e (patch)
tree3656feee674020935f22d0998edbaee55a982825 /lang
parent967cafd9a8d2316a35265a14e736b56a162b4591 (diff)
Merge fix for Bug 418620 (SVN revision 111276) - Sys.Web is prone to
"HTTP header injection" attacks
Diffstat (limited to 'lang')
-rw-r--r--lang/mono/Makefile4
-rw-r--r--lang/mono/distinfo4
-rw-r--r--lang/mono/patches/patch-cl70
-rw-r--r--lang/mono/patches/patch-cm21
4 files changed, 96 insertions, 3 deletions
diff --git a/lang/mono/Makefile b/lang/mono/Makefile
index 97a1d4e611f..3ed21b75637 100644
--- a/lang/mono/Makefile
+++ b/lang/mono/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.70 2008/08/10 16:19:33 tron Exp $
+# $NetBSD: Makefile,v 1.71 2008/09/01 09:28:54 kefren Exp $
DISTNAME= mono-${MONO_VERSION}
-PKGREVISION= 3
+PKGREVISION= 4
CATEGORIES= lang
MASTER_SITES= http://go-mono.com/sources/mono/
EXTRACT_SUFX= .tar.bz2
diff --git a/lang/mono/distinfo b/lang/mono/distinfo
index 053a57a928c..f5b79f30697 100644
--- a/lang/mono/distinfo
+++ b/lang/mono/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.36 2008/08/09 19:57:51 kefren Exp $
+$NetBSD: distinfo,v 1.37 2008/09/01 09:28:54 kefren Exp $
SHA1 (mono-1.9.1.tar.bz2) = a6229bb625dcdbcc992aef3f8049bf1b27205db7
RMD160 (mono-1.9.1.tar.bz2) = 32659841ef5de912b8064f7b1f0452304ffd35d0
@@ -33,3 +33,5 @@ SHA1 (patch-ch) = ac6f50457ac38d922394b47d6e8bd2595991fcaa
SHA1 (patch-ci) = 3f2a817ac3bfab939d62c1053790e0c3d4a8c961
SHA1 (patch-cj) = 0cd0f67ba1443ee1f9c55ed930208304c1dae0be
SHA1 (patch-ck) = 31979c8d8136e3530590dd4f1118189fbbcdad68
+SHA1 (patch-cl) = 7678d74b5ee3c1d179b83d070f8e3855c2eb3c9a
+SHA1 (patch-cm) = 304168de1dc9e16b87264cb14af0c00a55b87f0e
diff --git a/lang/mono/patches/patch-cl b/lang/mono/patches/patch-cl
new file mode 100644
index 00000000000..9add244aa5c
--- /dev/null
+++ b/lang/mono/patches/patch-cl
@@ -0,0 +1,70 @@
+$NetBSD: patch-cl,v 1.1 2008/09/01 09:28:54 kefren Exp $
+--- mcs/class/System.Web/System.Web/HttpResponseHeader.cs 2008/08/21 16:19:17 111275
++++ mcs/class/System.Web/System.Web/HttpResponseHeader.cs 2008/08/21 16:51:54 111276
+@@ -30,17 +30,65 @@
+
+ using System.Collections;
+ using System.Text;
++using System.Web.Configuration;
+
+ namespace System.Web {
+
+ internal abstract class BaseResponseHeader {
+- public string Value;
++ string headerValue;
++
++ public string Value {
++ get { return headerValue; }
++ set { headerValue = EncodeHeader (value); }
++ }
+
++ static bool headerCheckingEnabled;
++
++ static BaseResponseHeader () {
++#if NET_2_0
++ HttpRuntimeSection section = WebConfigurationManager.GetSection ("system.web/httpRuntime") as HttpRuntimeSection;
++#else
++ HttpRuntimeConfig section = HttpContext.GetAppConfig ("system.web/httpRuntime") as HttpRuntimeConfig;
++#endif
++ headerCheckingEnabled = section == null || section.EnableHeaderChecking;
++ }
++
++
+ internal BaseResponseHeader (string val)
+ {
+ Value = val;
+ }
+
++ string EncodeHeader (string value)
++ {
++ if (value == null || value.Length == 0)
++ return value;
++
++ if (headerCheckingEnabled) {
++ StringBuilder ret = new StringBuilder ();
++ int len = value.Length;
++
++ for (int i = 0; i < len; i++) {
++ switch (value [i]) {
++ case '\r':
++ ret.Append ("%0d");
++ break;
++
++ case '\n':
++ ret.Append ("%0a");
++ break;
++
++ default:
++ ret.Append (value [i]);
++ break;
++ }
++ }
++
++ return ret.ToString ();
++ } else
++ return value;
++ }
++
+ internal abstract void SendContent (HttpWorkerRequest wr);
+ }
+
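Review bot: Only `Value` is routed through `EncodeHeader`, so the CR/LF filter in the new setter covers header values and nothing else this class hierarchy emits. The subclasses and the `SendContent` implementations lie outside the hunk, so this cannot be confirmed here, but if any of them holds a caller-supplied header name, that name would still be written unencoded and should pass through the same helper. `EncodeHeader` reads no instance state and could be `static`, and an early exit such as `if (value.IndexOfAny (new char [] {'\r', '\n'}) == -1) return value;` would avoid copying every clean header through a StringBuilder. The static constructor would benefit from a comment such as `// read once when the type is initialized; a missing httpRuntime section leaves header checking on`, so the fail-safe default in `section == null || section.EnableHeaderChecking` is not later "simplified" away.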
diff --git a/lang/mono/patches/patch-cm b/lang/mono/patches/patch-cm
new file mode 100644
index 00000000000..32e0ec20cc9
--- /dev/null
+++ b/lang/mono/patches/patch-cm
@@ -0,0 +1,21 @@
+$NetBSD: patch-cm,v 1.1 2008/09/01 09:28:54 kefren Exp $
+--- mcs/class/System.Web/System.Web.Configuration/HttpRuntimeConfig.cs 2008/08/21 16:19:17 111275
++++ mcs/class/System.Web/System.Web.Configuration/HttpRuntimeConfig.cs 2008/08/21 16:51:54 111276
+@@ -55,7 +55,8 @@
+ public int IdleTimeout = 20; // minutes
+ public bool Enable = true;
+ public string VersionHeader;
+-
++ public bool EnableHeaderChecking = true;
++
+ /* Only the config. handler should create instances of this. Use GetInstance (context) */
+ public HttpRuntimeConfig (object p)
+ {
+@@ -92,6 +93,7 @@
+ RequireRootSaveAsPath = parent.RequireRootSaveAsPath;
+ IdleTimeout = parent.IdleTimeout;
+ Enable = parent.Enable;
++ EnableHeaderChecking = parent.EnableHeaderChecking;
+ }
+ }
+ }
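Review bot: `EnableHeaderChecking` is declared and inherited from the parent config in these two hunks, but nothing visible here sets it from the `system.web/httpRuntime` section. On the non-NET_2_0 path, unless the config handler (outside this patch) parses the attribute, the value stays at its `true` default and the check cannot be switched off. That is the safe direction, but it is worth stating on the field, e.g. `public bool EnableHeaderChecking = true; // encode CR/LF in response header values; on by default`. The constructors these hunks touch start and end outside the visible lines.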