From 5c3f0ccfa550f029ddf5d36def869bc3e99207b1 Mon Sep 17 00:00:00 2001
From: minskim
Date: Tue, 15 Feb 2005 15:55:25 +0000
Subject: Security fix for http://www.securityfocus.com/archive/1/390368. Patches from awstats CVS. Bump PKGREVISION.

---
www/awstats/Makefile | 4 +-
www/awstats/distinfo | 8 ++-
www/awstats/patches/patch-aa | 161 +++++++++++++++++++++++++++++++++++++++++++
www/awstats/patches/patch-ab | 16 +++++
4 files changed, 184 insertions(+), 5 deletions(-)
create mode 100644 www/awstats/patches/patch-aa
create mode 100644 www/awstats/patches/patch-ab
(limited to 'www/awstats')

diff --git a/www/awstats/Makefile b/www/awstats/Makefile
index 063f840a0b3..570c4c1b365 100644
--- a/www/awstats/Makefile
+++ b/www/awstats/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.14 2005/02/13 15:29:15 minskim Exp $
+# $NetBSD: Makefile,v 1.15 2005/02/15 15:55:25 minskim Exp $
 #
 DISTNAME= awstats-6.3
-PKGREVISION= 3
+PKGREVISION= 4
 CATEGORIES= www
 MASTER_SITES= http://awstats.sourceforge.net/files/
 EXTRACT_SUFX= .tgz
diff --git a/www/awstats/distinfo b/www/awstats/distinfo
index f5e3e5287d8..96e9cb297f3 100644
--- a/www/awstats/distinfo
+++ b/www/awstats/distinfo
@@ -1,4 +1,6 @@
-$NetBSD: distinfo,v 1.8 2005/02/13 15:29:15 minskim Exp $
+$NetBSD: distinfo,v 1.9 2005/02/15 15:55:25 minskim Exp $
 
-SHA1 (awstats-6.3nb3/awstats-6.3.tgz) = 3ca8d0b3e008beaa544b4bc344fec7cab2554da4
-Size (awstats-6.3nb3/awstats-6.3.tgz) = 938794 bytes
+SHA1 (awstats-6.3nb4/awstats-6.3.tgz) = 3ca8d0b3e008beaa544b4bc344fec7cab2554da4
+Size (awstats-6.3nb4/awstats-6.3.tgz) = 938794 bytes
+SHA1 (patch-aa) = ecc293ac7e6a04da2b684cea01ba278d899a90bf
+SHA1 (patch-ab) = 715dcd2689f129aa71872a73a9abe15c3894d5a1
diff --git a/www/awstats/patches/patch-aa b/www/awstats/patches/patch-aa
new file mode 100644
index 00000000000..4c5ad02225c
--- /dev/null
+++ b/www/awstats/patches/patch-aa
@@ -0,0 +1,161 @@
+$NetBSD: patch-aa,v 1.1 2005/02/15 15:55:25 minskim Exp $
+
+--- wwwroot/cgi-bin/awstats.pl.orig 2005-01-22 10:34:38.000000000 -0600
++++ wwwroot/cgi-bin/awstats.pl
+@@ -132,7 +132,7 @@ $BuildReportFormat='html';
+ $BuildHistoryFormat='text';
+ $ExtraTrackedRowsLimit=500;
+ use vars qw/
+-$EnableLockForUpdate $DNSLookup $AllowAccessFromWebToAuthenticatedUsersOnly
++$DebugMessages $EnableLockForUpdate $DNSLookup $AllowAccessFromWebToAuthenticatedUsersOnly
+ $BarHeight $BarWidth $CreateDirDataIfNotExists $KeepBackupOfHistoricFiles
+ $NbOfLinesParsed $NbOfLinesDropped $NbOfLinesCorrupted $NbOfOldLines $NbOfNewLines
+ $NbOfLinesShowsteps $NewLinePhase $NbOfLinesForCorruptedLog $PurgeLogFile $ArchiveLogRecords
+@@ -144,7 +144,7 @@ $AuthenticatedUsersNotCaseSensitive
+ $Expires $UpdateStats $MigrateStats $URLNotCaseSensitive $URLWithQuery $URLReferrerWithQuery
+ $DecodeUA
+ /;
+-($EnableLockForUpdate, $DNSLookup, $AllowAccessFromWebToAuthenticatedUsersOnly,
++($DebugMessages, $EnableLockForUpdate, $DNSLookup, $AllowAccessFromWebToAuthenticatedUsersOnly,
+ $BarHeight, $BarWidth, $CreateDirDataIfNotExists, $KeepBackupOfHistoricFiles,
+ $NbOfLinesParsed, $NbOfLinesDropped, $NbOfLinesCorrupted, $NbOfOldLines, $NbOfNewLines,
+ $NbOfLinesShowsteps, $NewLinePhase, $NbOfLinesForCorruptedLog, $PurgeLogFile, $ArchiveLogRecords,
+@@ -155,11 +155,11 @@ $IncludeInternalLinksInOriginSection,
+ $AuthenticatedUsersNotCaseSensitive,
+ $Expires, $UpdateStats, $MigrateStats, $URLNotCaseSensitive, $URLWithQuery, $URLReferrerWithQuery,
+ $DecodeUA)=
+-(0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0);
++(0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0);
+ use vars qw/
+ $AllowToUpdateStatsFromBrowser $DetailedReportsOnNewWindows
+ $FirstDayOfWeek $KeyWordsNotSensitive $SaveDatabaseFilesWithPermissionsForEveryone
+-$WarningMessages $DebugMessages $ShowLinksOnUrl $UseFramesWhenCGI
++$WarningMessages $ShowLinksOnUrl $UseFramesWhenCGI
+ $ShowMenu $ShowMonthStats $ShowDaysOfMonthStats $ShowDaysOfWeekStats
+ $ShowHoursStats $ShowDomainsStats $ShowHostsStats
+ $ShowRobotsStats $ShowSessionsStats $ShowPagesStats $ShowFileTypesStats
+@@ -169,7 +169,7 @@ $AddDataArrayMonthStats $AddDataArraySho
+ /;
+ ($AllowToUpdateStatsFromBrowser, $DetailedReportsOnNewWindows,
+ $FirstDayOfWeek, $KeyWordsNotSensitive, $SaveDatabaseFilesWithPermissionsForEveryone,
+-$WarningMessages, $DebugMessages, $ShowLinksOnUrl, $UseFramesWhenCGI,
++$WarningMessages, $ShowLinksOnUrl, $UseFramesWhenCGI,
+ $ShowMenu, $ShowMonthStats, $ShowDaysOfMonthStats, $ShowDaysOfWeekStats,
+ $ShowHoursStats, $ShowDomainsStats, $ShowHostsStats,
+ $ShowRobotsStats, $ShowSessionsStats, $ShowPagesStats, $ShowFileTypesStats,
+@@ -177,7 +177,7 @@ $ShowOSStats, $ShowBrowsersStats, $ShowO
+ $ShowKeyphrasesStats, $ShowKeywordsStats, $ShowMiscStats, $ShowHTTPErrorsStats,
+ $AddDataArrayMonthStats, $AddDataArrayShowDaysOfMonthStats, $AddDataArrayShowDaysOfWeekStats, $AddDataArrayShowHoursStats
+ )=
+-(1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1);
++(1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1);
+ use vars qw/
+ $AllowFullYearView
+ $LevelForRobotsDetection $LevelForWormsDetection $LevelForBrowsersDetection $LevelForOSDetection $LevelForRefererAnalyze
+@@ -1577,7 +1577,7 @@ sub Check_Config {
+ if ($URLWithQuery !~ /[0-1]/) { $URLWithQuery=0; }
+ if ($URLReferrerWithQuery !~ /[0-1]/) { $URLReferrerWithQuery=0; }
+ if ($WarningMessages !~ /[0-1]/) { $WarningMessages=1; }
+- if ($DebugMessages !~ /[0-1]/) { $DebugMessages=1; }
++ if ($DebugMessages !~ /[0-1]/) { $DebugMessages=0; }
+ if ($NbOfLinesForCorruptedLog !~ /^\d+/ || $NbOfLinesForCorruptedLog<1) { $NbOfLinesForCorruptedLog=50; }
+ if ($Expires !~ /^\d+/) { $Expires=0; }
+ if ($DecodeUA !~ /[0-1]/) { $DecodeUA=0; }
+@@ -1824,7 +1824,8 @@ sub Read_Plugins {
+ my @PossiblePluginsDir=("$DIR/plugins","/usr/local/awstats/wwwroot/cgi-bin/plugins","/usr/share/awstats/plugins");
+ my %DirAddedInINC=();
+
+- foreach my $key (keys %NoLoadPlugin) { if ($NoLoadPlugin{$key} < 0) { push @PluginsToLoad, $key; } }
++ #Removed for security reason
++ #foreach my $key (keys %NoLoadPlugin) { if ($NoLoadPlugin{$key} < 0) { push @PluginsToLoad, $key; } }
+ if ($Debug) { debug("Call to Read_Plugins with list: ".join(',',@PluginsToLoad)); }
+ foreach my $plugininfo (@PluginsToLoad) {
+ my ($pluginfile,$pluginparam)=split(/\s+/,$plugininfo,2);
+@@ -4288,7 +4289,12 @@ sub UnCompileRegex {
+ #------------------------------------------------------------------------------
+ sub Sanitize {
+ my $stringtoclean=shift;
+- $stringtoclean =~ s/[^\w_\-\\\/\.\s]//g;
++ my $full=shift||0;
++ if ($full) {
++ $stringtoclean =~ s/[^\w]//g;
++ } else {
++ $stringtoclean =~ s/[^\w_\-\\\/\.\s]//g;
++ }
+ return $stringtoclean;
+ }
+
+@@ -5353,6 +5359,7 @@ $QueryString='';
+ # be set to force AWStats to be ran as CLI even from a web page.
+ if ($ENV{'AWSTATS_DEL_GATEWAY_INTERFACE'}) { $ENV{'GATEWAY_INTERFACE'}=''; }
+ if ($ENV{'GATEWAY_INTERFACE'}) { # Run from a browser as CGI
++ $DebugMessages=0;
+ # Prepare QueryString
+ if ($ENV{'CONTENT_LENGTH'}) {
+ binmode STDIN;
+@@ -5370,7 +5377,7 @@ if ($ENV{'GATEWAY_INTERFACE'}) { # Run f
+
+ if ($QueryString =~ /config=([^&]+)/i) { $SiteConfig=&DecodeEncodedString("$1"); }
+ if ($QueryString =~ /diricons=([^&]+)/i) { $DirIcons=&DecodeEncodedString("$1"); }
+- if ($QueryString =~ /pluginmode=([^&]+)/i) { $PluginMode=&Sanitize(&DecodeEncodedString("$1")); }
++ if ($QueryString =~ /pluginmode=([^&]+)/i) { $PluginMode=&Sanitize(&DecodeEncodedString("$1"),1); }
+ if ($QueryString =~ /configdir=([^&]+)/i) { $DirConfig=&Sanitize(&DecodeEncodedString("$1")); }
+ # All filters
+ if ($QueryString =~ /hostfilter=([^&]+)/i) { $FilterIn{'host'}=&DecodeEncodedString("$1"); } # Filter on host list can also be defined with hostfilter=filter
+@@ -5393,6 +5400,7 @@ if ($ENV{'GATEWAY_INTERFACE'}) { # Run f
+ }
+ }
+ else { # Run from command line
++ $DebugMessages=1;
+ # Prepare QueryString
+ for (0..@ARGV-1) {
+ # If migrate
+@@ -5418,7 +5426,7 @@ else { # Run from command line
+
+ if ($QueryString =~ /config=([^&]+)/i) { $SiteConfig="$1"; }
+ if ($QueryString =~ /diricons=([^&]+)/i) { $DirIcons="$1"; }
+- if ($QueryString =~ /pluginmode=([^&]+)/i) { $PluginMode=&Sanitize("$1"); }
++ if ($QueryString =~ /pluginmode=([^&]+)/i) { $PluginMode=&Sanitize("$1",1); }
+ if ($QueryString =~ /configdir=([^&]+)/i) { $DirConfig=&Sanitize("$1"); }
+ # All filters
+ if ($QueryString =~ /hostfilter=([^&]+)/i) { $FilterIn{'host'}="$1"; } # Filter on host list can also be defined with hostfilter=filter
+@@ -5440,6 +5448,7 @@ else { # Run from command line
+ if ($QueryString =~ /showcorrupted/i) { $ShowCorrupted=1; $QueryString=~s/showcorrupted[^&]*//i; }
+ if ($QueryString =~ /showdropped/i) { $ShowDropped=1; $QueryString=~s/showdropped[^&]*//i; }
+ if ($QueryString =~ /showunknownorigin/i) { $ShowUnknownOrigin=1; $QueryString=~s/showunknownorigin[^&]*//i; }
++
+ }
+ if ($QueryString =~ /(^|&)staticlinks/i) { $StaticLinks=".$SiteConfig"; }
+ if ($QueryString =~ /(^|&)staticlinks=([^&]+)/i) { $StaticLinks=".$2"; } # When ran from awstatsbuildstaticpages.pl
+@@ -5447,8 +5456,9 @@ if ($QueryString =~ /(^|&)staticlinksext
+ if ($QueryString =~ /(^|&)framename=([^&]+)/i) { $FrameName="$2"; }
+ if ($QueryString =~ /(^|&)debug=(\d+)/i) { $Debug=$2; }
+ if ($QueryString =~ /(^|&)updatefor=(\d+)/i) { $UpdateFor=$2; }
+-if ($QueryString =~ /(^|&)noloadplugin=([^&]+)/i) { foreach (split(/,/,$2)) { $NoLoadPlugin{&Sanitize("$_")}=1; } }
+-if ($QueryString =~ /(^|&)loadplugin=([^&]+)/i) { foreach (split(/,/,$2)) { $NoLoadPlugin{&Sanitize("$_")}=-1; } }
++if ($QueryString =~ /(^|&)noloadplugin=([^&]+)/i) { foreach (split(/,/,$2)) { $NoLoadPlugin{&Sanitize("$_",1)}=1; } }
++#Removed for security reasons
++#if ($QueryString =~ /(^|&)loadplugin=([^&]+)/i) { foreach (split(/,/,$2)) { $NoLoadPlugin{&Sanitize("$_",1)}=-1; } }
+ if ($QueryString =~ /(^|&)limitflush=(\d+)/i) { $LIMITFLUSH=$2; }
+ # Get/Define output
+ if ($QueryString =~ /(^|&)output(=[^&]*|)(.*)&output(=[^&]*|)(&|$)/i) { error("Only 1 output option is allowed","","",1); }
+@@ -5488,7 +5498,7 @@ else { $DayRequired=''; }
+ # Print AWStats and Perl version
+ if ($Debug) {
+ debug(ucfirst($PROG)." - $VERSION - Perl $^X $]",1);
+- debug("DIR=$DIR PROG=$PROG",2);
++ debug("DIR=$DIR PROG=$PROG Extension=$Extension",2);
+ debug("QUERY_STRING=$QueryString",2);
+ debug("HTMLOutput=".join(',',keys %HTMLOutput),1);
+ debug("YearRequired=$YearRequired, MonthRequired=$MonthRequired",2);
+@@ -5634,6 +5644,10 @@ if (! $Lang || $Lang eq 'auto') {
+ &Check_Config();
+ # Now SiteDomain is defined
+
++if ($Debug && ! $DebugMessages) {
++ error("Debug has not been allowed. Change DebugMessages parameter in config file to allow debug.");
++}
++
+ # Define frame name and correct variable for frames
+ if (! $FrameName) {
+ if ($ENV{'GATEWAY_INTERFACE'} && $UseFramesWhenCGI && $HTMLOutput{'main'} && ! $PluginMode) { $FrameName='index'; }
diff --git a/www/awstats/patches/patch-ab b/www/awstats/patches/patch-ab
new file mode 100644
index 00000000000..3149c4a7de8
--- /dev/null
+++ b/www/awstats/patches/patch-ab
@@ -0,0 +1,16 @@
+$NetBSD: patch-ab,v 1.1 2005/02/15 15:55:25 minskim Exp $
+
+--- wwwroot/cgi-bin/awstats.model.conf.orig 2005-01-22 09:26:06.000000000 -0600
++++ wwwroot/cgi-bin/awstats.model.conf
+@@ -701,9 +701,9 @@ ErrorMessages=""
+ # security reasons) to disable debugging, set this parameter to 0.
+ # Change : Effective immediatly
+ # Possible values: 0 or 1
+-# Default: 1
++# Default: 0
+ #
+-DebugMessages=1
++DebugMessages=0
+
+
+ # To help you to detect if your log format is good, AWStats report an error
-- cgit v1.2.3
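Review bot: `Sanitize(..., 1)` on the `pluginmode` and `noloadplugin` values (both the CGI and the command-line branch) strips every non-`\w` character and carries on with whatever is left, so a malformed value is silently rewritten into a plausible plugin name instead of being refused; for a value that selects which plugin file gets loaded, an explicit whitelist that fails closed is clearer, e.g. `my $mode=&DecodeEncodedString("$1"); $mode =~ /\A\w+\z/ or error("Invalid pluginmode value"); $PluginMode=$mode;`. Note also that `\w` is not limited to ASCII, so the accepted alphabet depends on how the query string is decoded; `[A-Za-z0-9_]` pins it down. Separately, the new `if ($Debug && ! $DebugMessages) { error(...) }` guard sits after `&Check_Config()`, while the `if ($Debug) { debug(...) }` block in the `@@ -5488` hunk — which now also reports `DIR`, `PROG`, `Extension` and the raw `QUERY_STRING` — is reached before it, so some debug output can still be emitted ahead of the refusal unless `debug()` itself consults `$DebugMessages`, which this patch does not show; a `return if ! $DebugMessages;` at the top of `debug()` would close that window regardless of call order.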