summaryrefslogtreecommitdiff
path: root/www
diff options
context:
space:
mode:
authorminskim <minskim@pkgsrc.org>2005-02-15 15:55:25 +0000
committerminskim <minskim@pkgsrc.org>2005-02-15 15:55:25 +0000
commit610365866ff4e51e76e5c2a2addfa1664d6229a9 (patch)
tree6e474a4c52bbec027e73e6b1a0a44b0d5e7b6f69 /www
parent08b04ed275deef7d822f966ce5b5ecdec4cb216c (diff)
downloadpkgsrc-610365866ff4e51e76e5c2a2addfa1664d6229a9.tar.gz
Security fix for http://www.securityfocus.com/archive/1/390368.
Patches from awstats CVS. Bump PKGREVISION.
Diffstat (limited to 'www')
-rw-r--r--www/awstats/Makefile4
-rw-r--r--www/awstats/distinfo8
-rw-r--r--www/awstats/patches/patch-aa161
-rw-r--r--www/awstats/patches/patch-ab16
4 files changed, 184 insertions, 5 deletions
diff --git a/www/awstats/Makefile b/www/awstats/Makefile
index 063f840a0b3..570c4c1b365 100644
--- a/www/awstats/Makefile
+++ b/www/awstats/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.14 2005/02/13 15:29:15 minskim Exp $
+# $NetBSD: Makefile,v 1.15 2005/02/15 15:55:25 minskim Exp $
#
DISTNAME= awstats-6.3
-PKGREVISION= 3
+PKGREVISION= 4
CATEGORIES= www
MASTER_SITES= http://awstats.sourceforge.net/files/
EXTRACT_SUFX= .tgz
diff --git a/www/awstats/distinfo b/www/awstats/distinfo
index f5e3e5287d8..96e9cb297f3 100644
--- a/www/awstats/distinfo
+++ b/www/awstats/distinfo
@@ -1,4 +1,6 @@
-$NetBSD: distinfo,v 1.8 2005/02/13 15:29:15 minskim Exp $
+$NetBSD: distinfo,v 1.9 2005/02/15 15:55:25 minskim Exp $
-SHA1 (awstats-6.3nb3/awstats-6.3.tgz) = 3ca8d0b3e008beaa544b4bc344fec7cab2554da4
-Size (awstats-6.3nb3/awstats-6.3.tgz) = 938794 bytes
+SHA1 (awstats-6.3nb4/awstats-6.3.tgz) = 3ca8d0b3e008beaa544b4bc344fec7cab2554da4
+Size (awstats-6.3nb4/awstats-6.3.tgz) = 938794 bytes
+SHA1 (patch-aa) = ecc293ac7e6a04da2b684cea01ba278d899a90bf
+SHA1 (patch-ab) = 715dcd2689f129aa71872a73a9abe15c3894d5a1
diff --git a/www/awstats/patches/patch-aa b/www/awstats/patches/patch-aa
new file mode 100644
index 00000000000..4c5ad02225c
--- /dev/null
+++ b/www/awstats/patches/patch-aa
@@ -0,0 +1,161 @@
+$NetBSD: patch-aa,v 1.1 2005/02/15 15:55:25 minskim Exp $
+
+--- wwwroot/cgi-bin/awstats.pl.orig 2005-01-22 10:34:38.000000000 -0600
++++ wwwroot/cgi-bin/awstats.pl
+@@ -132,7 +132,7 @@ $BuildReportFormat='html';
+ $BuildHistoryFormat='text';
+ $ExtraTrackedRowsLimit=500;
+ use vars qw/
+-$EnableLockForUpdate $DNSLookup $AllowAccessFromWebToAuthenticatedUsersOnly
++$DebugMessages $EnableLockForUpdate $DNSLookup $AllowAccessFromWebToAuthenticatedUsersOnly
+ $BarHeight $BarWidth $CreateDirDataIfNotExists $KeepBackupOfHistoricFiles
+ $NbOfLinesParsed $NbOfLinesDropped $NbOfLinesCorrupted $NbOfOldLines $NbOfNewLines
+ $NbOfLinesShowsteps $NewLinePhase $NbOfLinesForCorruptedLog $PurgeLogFile $ArchiveLogRecords
+@@ -144,7 +144,7 @@ $AuthenticatedUsersNotCaseSensitive
+ $Expires $UpdateStats $MigrateStats $URLNotCaseSensitive $URLWithQuery $URLReferrerWithQuery
+ $DecodeUA
+ /;
+-($EnableLockForUpdate, $DNSLookup, $AllowAccessFromWebToAuthenticatedUsersOnly,
++($DebugMessages, $EnableLockForUpdate, $DNSLookup, $AllowAccessFromWebToAuthenticatedUsersOnly,
+ $BarHeight, $BarWidth, $CreateDirDataIfNotExists, $KeepBackupOfHistoricFiles,
+ $NbOfLinesParsed, $NbOfLinesDropped, $NbOfLinesCorrupted, $NbOfOldLines, $NbOfNewLines,
+ $NbOfLinesShowsteps, $NewLinePhase, $NbOfLinesForCorruptedLog, $PurgeLogFile, $ArchiveLogRecords,
+@@ -155,11 +155,11 @@ $IncludeInternalLinksInOriginSection,
+ $AuthenticatedUsersNotCaseSensitive,
+ $Expires, $UpdateStats, $MigrateStats, $URLNotCaseSensitive, $URLWithQuery, $URLReferrerWithQuery,
+ $DecodeUA)=
+-(0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0);
++(0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0);
+ use vars qw/
+ $AllowToUpdateStatsFromBrowser $DetailedReportsOnNewWindows
+ $FirstDayOfWeek $KeyWordsNotSensitive $SaveDatabaseFilesWithPermissionsForEveryone
+-$WarningMessages $DebugMessages $ShowLinksOnUrl $UseFramesWhenCGI
++$WarningMessages $ShowLinksOnUrl $UseFramesWhenCGI
+ $ShowMenu $ShowMonthStats $ShowDaysOfMonthStats $ShowDaysOfWeekStats
+ $ShowHoursStats $ShowDomainsStats $ShowHostsStats
+ $ShowRobotsStats $ShowSessionsStats $ShowPagesStats $ShowFileTypesStats
+@@ -169,7 +169,7 @@ $AddDataArrayMonthStats $AddDataArraySho
+ /;
+ ($AllowToUpdateStatsFromBrowser, $DetailedReportsOnNewWindows,
+ $FirstDayOfWeek, $KeyWordsNotSensitive, $SaveDatabaseFilesWithPermissionsForEveryone,
+-$WarningMessages, $DebugMessages, $ShowLinksOnUrl, $UseFramesWhenCGI,
++$WarningMessages, $ShowLinksOnUrl, $UseFramesWhenCGI,
+ $ShowMenu, $ShowMonthStats, $ShowDaysOfMonthStats, $ShowDaysOfWeekStats,
+ $ShowHoursStats, $ShowDomainsStats, $ShowHostsStats,
+ $ShowRobotsStats, $ShowSessionsStats, $ShowPagesStats, $ShowFileTypesStats,
+@@ -177,7 +177,7 @@ $ShowOSStats, $ShowBrowsersStats, $ShowO
+ $ShowKeyphrasesStats, $ShowKeywordsStats, $ShowMiscStats, $ShowHTTPErrorsStats,
+ $AddDataArrayMonthStats, $AddDataArrayShowDaysOfMonthStats, $AddDataArrayShowDaysOfWeekStats, $AddDataArrayShowHoursStats
+ )=
+-(1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1);
++(1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1);
+ use vars qw/
+ $AllowFullYearView
+ $LevelForRobotsDetection $LevelForWormsDetection $LevelForBrowsersDetection $LevelForOSDetection $LevelForRefererAnalyze
+@@ -1577,7 +1577,7 @@ sub Check_Config {
+ if ($URLWithQuery !~ /[0-1]/) { $URLWithQuery=0; }
+ if ($URLReferrerWithQuery !~ /[0-1]/) { $URLReferrerWithQuery=0; }
+ if ($WarningMessages !~ /[0-1]/) { $WarningMessages=1; }
+- if ($DebugMessages !~ /[0-1]/) { $DebugMessages=1; }
++ if ($DebugMessages !~ /[0-1]/) { $DebugMessages=0; }
+ if ($NbOfLinesForCorruptedLog !~ /^\d+/ || $NbOfLinesForCorruptedLog<1) { $NbOfLinesForCorruptedLog=50; }
+ if ($Expires !~ /^\d+/) { $Expires=0; }
+ if ($DecodeUA !~ /[0-1]/) { $DecodeUA=0; }
+@@ -1824,7 +1824,8 @@ sub Read_Plugins {
+ my @PossiblePluginsDir=("$DIR/plugins","/usr/local/awstats/wwwroot/cgi-bin/plugins","/usr/share/awstats/plugins");
+ my %DirAddedInINC=();
+
+- foreach my $key (keys %NoLoadPlugin) { if ($NoLoadPlugin{$key} < 0) { push @PluginsToLoad, $key; } }
++ #Removed for security reason
++ #foreach my $key (keys %NoLoadPlugin) { if ($NoLoadPlugin{$key} < 0) { push @PluginsToLoad, $key; } }
+ if ($Debug) { debug("Call to Read_Plugins with list: ".join(',',@PluginsToLoad)); }
+ foreach my $plugininfo (@PluginsToLoad) {
+ my ($pluginfile,$pluginparam)=split(/\s+/,$plugininfo,2);
+@@ -4288,7 +4289,12 @@ sub UnCompileRegex {
+ #------------------------------------------------------------------------------
+ sub Sanitize {
+ my $stringtoclean=shift;
+- $stringtoclean =~ s/[^\w_\-\\\/\.\s]//g;
++ my $full=shift||0;
++ if ($full) {
++ $stringtoclean =~ s/[^\w]//g;
++ } else {
++ $stringtoclean =~ s/[^\w_\-\\\/\.\s]//g;
++ }
+ return $stringtoclean;
+ }
+
+@@ -5353,6 +5359,7 @@ $QueryString='';
+ # be set to force AWStats to be ran as CLI even from a web page.
+ if ($ENV{'AWSTATS_DEL_GATEWAY_INTERFACE'}) { $ENV{'GATEWAY_INTERFACE'}=''; }
+ if ($ENV{'GATEWAY_INTERFACE'}) { # Run from a browser as CGI
++ $DebugMessages=0;
+ # Prepare QueryString
+ if ($ENV{'CONTENT_LENGTH'}) {
+ binmode STDIN;
+@@ -5370,7 +5377,7 @@ if ($ENV{'GATEWAY_INTERFACE'}) { # Run f
+
+ if ($QueryString =~ /config=([^&]+)/i) { $SiteConfig=&DecodeEncodedString("$1"); }
+ if ($QueryString =~ /diricons=([^&]+)/i) { $DirIcons=&DecodeEncodedString("$1"); }
+- if ($QueryString =~ /pluginmode=([^&]+)/i) { $PluginMode=&Sanitize(&DecodeEncodedString("$1")); }
++ if ($QueryString =~ /pluginmode=([^&]+)/i) { $PluginMode=&Sanitize(&DecodeEncodedString("$1"),1); }
+ if ($QueryString =~ /configdir=([^&]+)/i) { $DirConfig=&Sanitize(&DecodeEncodedString("$1")); }
+ # All filters
+ if ($QueryString =~ /hostfilter=([^&]+)/i) { $FilterIn{'host'}=&DecodeEncodedString("$1"); } # Filter on host list can also be defined with hostfilter=filter
+@@ -5393,6 +5400,7 @@ if ($ENV{'GATEWAY_INTERFACE'}) { # Run f
+ }
+ }
+ else { # Run from command line
++ $DebugMessages=1;
+ # Prepare QueryString
+ for (0..@ARGV-1) {
+ # If migrate
+@@ -5418,7 +5426,7 @@ else { # Run from command line
+
+ if ($QueryString =~ /config=([^&]+)/i) { $SiteConfig="$1"; }
+ if ($QueryString =~ /diricons=([^&]+)/i) { $DirIcons="$1"; }
+- if ($QueryString =~ /pluginmode=([^&]+)/i) { $PluginMode=&Sanitize("$1"); }
++ if ($QueryString =~ /pluginmode=([^&]+)/i) { $PluginMode=&Sanitize("$1",1); }
+ if ($QueryString =~ /configdir=([^&]+)/i) { $DirConfig=&Sanitize("$1"); }
+ # All filters
+ if ($QueryString =~ /hostfilter=([^&]+)/i) { $FilterIn{'host'}="$1"; } # Filter on host list can also be defined with hostfilter=filter
+@@ -5440,6 +5448,7 @@ else { # Run from command line
+ if ($QueryString =~ /showcorrupted/i) { $ShowCorrupted=1; $QueryString=~s/showcorrupted[^&]*//i; }
+ if ($QueryString =~ /showdropped/i) { $ShowDropped=1; $QueryString=~s/showdropped[^&]*//i; }
+ if ($QueryString =~ /showunknownorigin/i) { $ShowUnknownOrigin=1; $QueryString=~s/showunknownorigin[^&]*//i; }
++
+ }
+ if ($QueryString =~ /(^|&)staticlinks/i) { $StaticLinks=".$SiteConfig"; }
+ if ($QueryString =~ /(^|&)staticlinks=([^&]+)/i) { $StaticLinks=".$2"; } # When ran from awstatsbuildstaticpages.pl
+@@ -5447,8 +5456,9 @@ if ($QueryString =~ /(^|&)staticlinksext
+ if ($QueryString =~ /(^|&)framename=([^&]+)/i) { $FrameName="$2"; }
+ if ($QueryString =~ /(^|&)debug=(\d+)/i) { $Debug=$2; }
+ if ($QueryString =~ /(^|&)updatefor=(\d+)/i) { $UpdateFor=$2; }
+-if ($QueryString =~ /(^|&)noloadplugin=([^&]+)/i) { foreach (split(/,/,$2)) { $NoLoadPlugin{&Sanitize("$_")}=1; } }
+-if ($QueryString =~ /(^|&)loadplugin=([^&]+)/i) { foreach (split(/,/,$2)) { $NoLoadPlugin{&Sanitize("$_")}=-1; } }
++if ($QueryString =~ /(^|&)noloadplugin=([^&]+)/i) { foreach (split(/,/,$2)) { $NoLoadPlugin{&Sanitize("$_",1)}=1; } }
++#Removed for security reasons
++#if ($QueryString =~ /(^|&)loadplugin=([^&]+)/i) { foreach (split(/,/,$2)) { $NoLoadPlugin{&Sanitize("$_",1)}=-1; } }
+ if ($QueryString =~ /(^|&)limitflush=(\d+)/i) { $LIMITFLUSH=$2; }
+ # Get/Define output
+ if ($QueryString =~ /(^|&)output(=[^&]*|)(.*)&output(=[^&]*|)(&|$)/i) { error("Only 1 output option is allowed","","",1); }
+@@ -5488,7 +5498,7 @@ else { $DayRequired=''; }
+ # Print AWStats and Perl version
+ if ($Debug) {
+ debug(ucfirst($PROG)." - $VERSION - Perl $^X $]",1);
+- debug("DIR=$DIR PROG=$PROG",2);
++ debug("DIR=$DIR PROG=$PROG Extension=$Extension",2);
+ debug("QUERY_STRING=$QueryString",2);
+ debug("HTMLOutput=".join(',',keys %HTMLOutput),1);
+ debug("YearRequired=$YearRequired, MonthRequired=$MonthRequired",2);
+@@ -5634,6 +5644,10 @@ if (! $Lang || $Lang eq 'auto') {
+ &Check_Config();
+ # Now SiteDomain is defined
+
++if ($Debug && ! $DebugMessages) {
++ error("Debug has not been allowed. Change DebugMessages parameter in config file to allow debug.");
++}
++
+ # Define frame name and correct variable for frames
+ if (! $FrameName) {
+ if ($ENV{'GATEWAY_INTERFACE'} && $UseFramesWhenCGI && $HTMLOutput{'main'} && ! $PluginMode) { $FrameName='index'; }
diff --git a/www/awstats/patches/patch-ab b/www/awstats/patches/patch-ab
new file mode 100644
index 00000000000..3149c4a7de8
--- /dev/null
+++ b/www/awstats/patches/patch-ab
@@ -0,0 +1,16 @@
+$NetBSD: patch-ab,v 1.1 2005/02/15 15:55:25 minskim Exp $
+
+--- wwwroot/cgi-bin/awstats.model.conf.orig 2005-01-22 09:26:06.000000000 -0600
++++ wwwroot/cgi-bin/awstats.model.conf
+@@ -701,9 +701,9 @@ ErrorMessages=""
+ # security reasons) to disable debugging, set this parameter to 0.
+ # Change : Effective immediatly
+ # Possible values: 0 or 1
+-# Default: 1
++# Default: 0
+ #
+-DebugMessages=1
++DebugMessages=0
+
+
+ # To help you to detect if your log format is good, AWStats report an error