authorsalo <salo@pkgsrc.org>2005-03-20 20:34:27 +0000
committersalo <salo@pkgsrc.org>2005-03-20 20:34:27 +0000
commitb23a0f179fe212737cde2db28dc4493a0526295d (patch)
treeff8c4806a987464a7c6c245877eb702a3ec16992 /www
parent9df369bfc82fa0a7562b761618f42719e1d23520 (diff)
downloadpkgsrc-b23a0f179fe212737cde2db28dc4493a0526295d.tar.gz
Security fix for CAN-2005-0085.
"Cross-site scripting (XSS) vulnerability in ht://dig allows remote attackers to execute arbitrary web script or HTML via the config parameter, which is not properly sanitized before it is displayed in an error message." Patch from Debian. Bump PKGREVISION.
Diffstat (limited to 'www')
-rw-r--r--www/htdig/Makefile4
-rw-r--r--www/htdig/distinfo5
-rw-r--r--www/htdig/patches/patch-af14
-rw-r--r--www/htdig/patches/patch-ag14
-rw-r--r--www/htdig/patches/patch-ah14
5 files changed, 48 insertions, 3 deletions
diff --git a/www/htdig/Makefile b/www/htdig/Makefile
index 2a7d259f87a..d970e0f8e71 100644
--- a/www/htdig/Makefile
+++ b/www/htdig/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.21 2005/01/12 21:31:29 jlam Exp $
+# $NetBSD: Makefile,v 1.22 2005/03/20 20:34:27 salo Exp $
DISTNAME= htdig-3.1.6
-PKGREVISION= 1
+PKGREVISION= 2
CATEGORIES= www databases
MASTER_SITES= http://www.htdig.org/files/ \
ftp://ftp.htdig.org/ \
diff --git a/www/htdig/distinfo b/www/htdig/distinfo
index 313cd8b722a..660af3c4893 100644
--- a/www/htdig/distinfo
+++ b/www/htdig/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.4 2005/02/24 14:08:32 wiz Exp $
+$NetBSD: distinfo,v 1.5 2005/03/20 20:34:27 salo Exp $
SHA1 (htdig-3.1.6.tar.gz) = 603fc244ba59ee1efcbe8f2ba087567cb14468d0
RMD160 (htdig-3.1.6.tar.gz) = 1414943255f16cd278a31b8014a5bfe6c4400ead
@@ -7,3 +7,6 @@ SHA1 (patch-ab) = 504136ce6ac0a2beed574c88ee6d9b8ef90d6564
SHA1 (patch-ac) = d1f6ef3c4c7a2995217f391a4bf9d544e10f5a00
SHA1 (patch-ad) = a727a2c3afdd697f0e2e46355f1e89bc70775bbf
SHA1 (patch-ae) = 1be8e82b97bb9b16dcc301f3f02e642a41945878
+SHA1 (patch-af) = f9c83efb788cb735f42df606ee451324795140d6
+SHA1 (patch-ag) = d3c0c1b043e27706834aecf7ac0b07651ed5b438
+SHA1 (patch-ah) = e4df51f19717527c3a368cdcaffb4f3c8e7be521
diff --git a/www/htdig/patches/patch-af b/www/htdig/patches/patch-af
new file mode 100644
index 00000000000..366ae85780e
--- /dev/null
+++ b/www/htdig/patches/patch-af
@@ -0,0 +1,14 @@
+$NetBSD: patch-af,v 1.1 2005/03/20 20:34:27 salo Exp $
+
+--- htsearch/htsearch.cc.orig 2002-02-01 00:47:18.000000000 +0100
++++ htsearch/htsearch.cc 2005-03-20 21:15:02.000000000 +0100
+@@ -145,8 +145,7 @@
+ if (access(configFile, R_OK) < 0)
+ {
+ if (filenameok) filenamemsg << " '" << configFile.get() << "'";
+- reportError(form("Unable to read configuration file%s",
+- filenamemsg.get()));
++ reportError(form("Unable to read configuration file."));
+ }
+ config.Read(configFile);
+
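Review bot: The context line `if (filenameok) filenamemsg << " '" << configFile.get() << "'";` still builds the filename string, but after this change nothing visible in the hunk reads `filenamemsg`, so it looks like dead code that a later edit could wire back into the response. Dropping the reflected value removes the unsanitized config name from this message, but it also leaves the operator with no hint about which file failed. If that diagnostic is wanted, write the name to a server-side log or HTML-escape it before output instead of returning it raw. The `form()` call now takes no arguments, so, assuming reportError accepts a plain string, `reportError("Unable to read configuration file.");` would be enough. The enclosing function starts and ends outside the hunk.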
diff --git a/www/htdig/patches/patch-ag b/www/htdig/patches/patch-ag
new file mode 100644
index 00000000000..475841a3c97
--- /dev/null
+++ b/www/htdig/patches/patch-ag
@@ -0,0 +1,14 @@
+$NetBSD: patch-ag,v 1.1 2005/03/20 20:34:27 salo Exp $
+
+--- htfuzzy/htfuzzy.cc.orig 2002-02-01 00:47:17.000000000 +0100
++++ htfuzzy/htfuzzy.cc 2005-03-20 21:16:14.000000000 +0100
+@@ -148,8 +148,7 @@
+ config.Defaults(&defaults[0]);
+ if (access(configFile, R_OK) < 0)
+ {
+- reportError(form("Unable to find configuration file '%s'",
+- configFile.get()));
++ reportError(form("Unable to find configuration file."));
+ }
+ config.Read(configFile);
+
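Review bot: The filename is removed from the htfuzzy error message here, and patch-ah does the same for htmerge, but neither hunk shows where reportError sends its output in these programs. If these two tools are run from the command line rather than as CGI (not visible here, worth confirming), the message never reaches a browser, so the change gives no XSS protection and only hides the failing path from the administrator. In that case keeping `'%s'` with `configFile.get()` for these tools and limiting the change to htsearch would be the better trade. Otherwise a short comment such as `// filename omitted: CAN-2005-0085, value may be attacker-controlled` would explain the terse message. The enclosing function continues outside the hunk.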
diff --git a/www/htdig/patches/patch-ah b/www/htdig/patches/patch-ah
new file mode 100644
index 00000000000..6aceb28ffd7
--- /dev/null
+++ b/www/htdig/patches/patch-ah
@@ -0,0 +1,14 @@
+$NetBSD: patch-ah,v 1.1 2005/03/20 20:34:27 salo Exp $
+
+--- htmerge/htmerge.cc.orig 2002-02-01 00:47:18.000000000 +0100
++++ htmerge/htmerge.cc 2005-03-20 21:24:02.000000000 +0100
+@@ -116,8 +116,7 @@
+
+ if (access(configfile, R_OK) < 0)
+ {
+- reportError(form("Unable to find configuration file '%s'",
+- configfile.get()));
++ reportError(form("Unable to find configuration file."));
+ }
+
+ config.Read(configfile);