From 94bcadc35d703e3423b2d882da923ee1210f7e19 Mon Sep 17 00:00:00 2001
From: manu
Date: Sun, 20 Dec 2009 11:31:30 +0000
Subject: Fix a XSS vulnerability
---
 www/ap2-auth-mellon/Makefile | 10 +++++++++-
 www/ap2-auth-mellon/distinfo | 3 ++-
 www/ap2-auth-mellon/patches/patch-aa | 14 ++++++++++++++
 3 files changed, 25 insertions(+), 2 deletions(-)
 create mode 100644 www/ap2-auth-mellon/patches/patch-aa
(limited to 'www/ap2-auth-mellon')
diff --git a/www/ap2-auth-mellon/Makefile b/www/ap2-auth-mellon/Makefile
index ee6b06c1f4c..a92524e2f4f 100644
--- a/www/ap2-auth-mellon/Makefile
+++ b/www/ap2-auth-mellon/Makefile
@@ -1,8 +1,9 @@
-# $NetBSD: Makefile,v 1.9 2009/12/11 14:45:38 obache Exp $
+# $NetBSD: Makefile,v 1.10 2009/12/20 11:31:30 manu Exp $
 #
 PKGNAME= ${APACHE_PKG_PREFIX}-${DISTNAME:S/mod_//:S/_/-/}
 DISTNAME= mod_auth_mellon-0.2.5
+PKGREVISION= 2
 CATEGORIES= www security
 MASTER_SITES= http://modmellon.googlecode.com/files/
@@ -10,6 +11,8 @@ MAINTAINER= manu@NetBSD.org
 HOMEPAGE= http://code.google.com/p/modmellon/
 COMMENT= SAML 2.0 authentication for Apache
+PKG_DESTDIR_SUPPORT= destdir
+
 GNU_CONFIGURE= YES
 USE_LIBTOOL= YES
 USE_TOOLS+= pkg-config
@@ -20,8 +23,13 @@ PKG_APACHE_ACCEPTED= apache2 apache22
 .include "../../mk/apache.mk"
 BUILDLINK_API_DEPENDS.apache+= apache>=2.0.47
+CONFIGURE_ENV+= PKG_CONFIG_PATH=${PREFIX}/lib/pkgconfig
+CONFIGURE_ENV+= OPENSSL_CFLAGS="${CPPFLAGS}"
+CONFIGURE_ENV+= OPENSSL_LIBS="-L${PREFIX}/lib -lssl -lcrypto"
 CONFIGURE_ARGS+= --with-apxs2=${APXS:Q}
+# url2pkg-marker (please do not remove this line.)
+
 .include "../../security/lasso/buildlink3.mk"
 .include "../../www/curl/buildlink3.mk"
diff --git a/www/ap2-auth-mellon/distinfo b/www/ap2-auth-mellon/distinfo
index fc2d215f89b..9ac6768a10f 100644
--- a/www/ap2-auth-mellon/distinfo
+++ b/www/ap2-auth-mellon/distinfo
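Review bot: The OpenSSL settings added in the third Makefile hunk (`PKG_CONFIG_PATH`, `OPENSSL_CFLAGS`, `OPENSSL_LIBS="-L${PREFIX}/lib -lssl -lcrypto"`) are unrelated to the XSS fix named in the subject and are not mentioned in the log, which makes the security change harder to audit or pull up to a stable branch on its own. The same goes for `PKG_DESTDIR_SUPPORT= destdir` in the second hunk; I would commit these separately or at least name them in the message. The hard-coded `-L${PREFIX}/lib` has no matching run-time search path in the visible lines and no OpenSSL buildlink include appears in this hunk, so the module may end up linked against a different libssl than the one it loads. The rest of the Makefile is outside the hunk, so that last point needs confirming there.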
@@ -1,5 +1,6 @@
-$NetBSD: distinfo,v 1.6 2009/11/16 09:48:28 manu Exp $
+$NetBSD: distinfo,v 1.7 2009/12/20 11:31:30 manu Exp $
 SHA1 (mod_auth_mellon-0.2.5.tar.gz) = f1d75456df39d183b6d1919f06dc2bc7b9b1afb6
 RMD160 (mod_auth_mellon-0.2.5.tar.gz) = 7db221e431384ff9f73badc208eed55a0a0011a7
 Size (mod_auth_mellon-0.2.5.tar.gz) = 89404 bytes
+SHA1 (patch-aa) = b8a46a2a82f228a95cf28c1d395394373e0f6ccb
diff --git a/www/ap2-auth-mellon/patches/patch-aa b/www/ap2-auth-mellon/patches/patch-aa
new file mode 100644
index 00000000000..067eeb969b2
--- /dev/null
+++ b/www/ap2-auth-mellon/patches/patch-aa
@@ -0,0 +1,14 @@
+$NetBSD: patch-aa,v 1.3 2009/12/20 11:31:30 manu Exp $
+--- auth_mellon_handler.c.orig 2009-12-20 10:19:47.000000000 +0100
++++ auth_mellon_handler.c 2009-12-20 10:20:09.000000000 +0100
+@@ -1899,9 +1899,9 @@
+ return HTTP_BAD_REQUEST;
+ }
+
+ /* Check that charset is sane */
+- for (cp = psf_id; *cp; cp++) {
++ for (cp = charset; *cp; cp++) {
+ if (!apr_isalnum(*cp) && (*cp != '-') && (*cp != '_')) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "Bad repost query: invalid charset \"%s\"", charset);
+ return HTTP_BAD_REQUEST;
-- cgit v1.2.3
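Review bot: The new patch-aa has no description line between the `$NetBSD$` tag and the `---` header, so nothing in the tree records why the loop variable changed. The visible lines show that the "Check that charset is sane" loop walked `psf_id` instead of `charset`, so the charset value was never tested against the alphanumeric/`-`/`_` allow-list before this fix. I would add a comment such as `Validate charset (not psf_id) in the repost handler; charset was previously unchecked (XSS).`, plus a pointer to the upstream change or advisory if one exists. An empty charset still passes, because the loop body never runs for it; whether that matters depends on how charset is used after the check. The enclosing function starts and ends outside the hunk, so that use is not visible here.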