

[pkgsrc/pkgsrc-2004Q4]: pkgsrc/www/awstats Pullup ticket 290 - requested by M...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/628fe39735f2
branches:  pkgsrc-2004Q4
changeset: 485900:628fe39735f2
user:      snj <snj%pkgsrc.org@localhost>
date:      Tue Feb 15 21:05:52 2005 +0000

description:
Pullup ticket 290 - requested by Min Sik Kim
security fix for awstats

Revisions pulled up:
- pkgsrc/www/awstats/Makefile           1.15
- pkgsrc/www/awstats/distinfo           1.9
- pkgsrc/www/awstats/patches/patch-aa   1.1
- pkgsrc/www/awstats/patches/patch-ab   1.1

    Module Name:  pkgsrc
    Committed By: minskim
    Date:         Tue Feb 15 15:55:25 UTC 2005

    Modified Files:
          pkgsrc/www/awstats: Makefile distinfo
    Added Files:
          pkgsrc/www/awstats/patches: patch-aa patch-ab

    Log Message:
    Security fix for http://www.securityfocus.com/archive/1/390368.
    Patches from awstats CVS.

    Bump PKGREVISION.

diffstat:

 www/awstats/Makefile         |    4 +-
 www/awstats/distinfo         |    8 +-
 www/awstats/patches/patch-aa |  161 +++++++++++++++++++++++++++++++++++++++++++
 www/awstats/patches/patch-ab |   16 ++++
 4 files changed, 184 insertions(+), 5 deletions(-)

diffs (212 lines):

diff -r 8448e5e5c357 -r 628fe39735f2 www/awstats/Makefile
--- a/www/awstats/Makefile      Tue Feb 15 14:02:22 2005 +0000
+++ b/www/awstats/Makefile      Tue Feb 15 21:05:52 2005 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.9.4.3 2005/02/13 15:52:07 salo Exp $
+# $NetBSD: Makefile,v 1.9.4.4 2005/02/15 21:05:52 snj Exp $
 #
 
 DISTNAME=      awstats-6.3
-PKGREVISION=   3
+PKGREVISION=   4
 CATEGORIES=    www
 MASTER_SITES=  http://awstats.sourceforge.net/files/
 EXTRACT_SUFX=  .tgz
diff -r 8448e5e5c357 -r 628fe39735f2 www/awstats/distinfo
--- a/www/awstats/distinfo      Tue Feb 15 14:02:22 2005 +0000
+++ b/www/awstats/distinfo      Tue Feb 15 21:05:52 2005 +0000
@@ -1,4 +1,6 @@
-$NetBSD: distinfo,v 1.4.4.3 2005/02/13 15:52:07 salo Exp $
+$NetBSD: distinfo,v 1.4.4.4 2005/02/15 21:05:52 snj Exp $
 
-SHA1 (awstats-6.3nb3/awstats-6.3.tgz) = 3ca8d0b3e008beaa544b4bc344fec7cab2554da4
-Size (awstats-6.3nb3/awstats-6.3.tgz) = 938794 bytes
+SHA1 (awstats-6.3nb4/awstats-6.3.tgz) = 3ca8d0b3e008beaa544b4bc344fec7cab2554da4
+Size (awstats-6.3nb4/awstats-6.3.tgz) = 938794 bytes
+SHA1 (patch-aa) = ecc293ac7e6a04da2b684cea01ba278d899a90bf
+SHA1 (patch-ab) = 715dcd2689f129aa71872a73a9abe15c3894d5a1
diff -r 8448e5e5c357 -r 628fe39735f2 www/awstats/patches/patch-aa
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/www/awstats/patches/patch-aa      Tue Feb 15 21:05:52 2005 +0000
@@ -0,0 +1,161 @@
+$NetBSD: patch-aa,v 1.1.2.2 2005/02/15 21:05:53 snj Exp $
+
+--- wwwroot/cgi-bin/awstats.pl.orig    2005-01-22 10:34:38.000000000 -0600
++++ wwwroot/cgi-bin/awstats.pl
+@@ -132,7 +132,7 @@ $BuildReportFormat='html';
+ $BuildHistoryFormat='text';
+ $ExtraTrackedRowsLimit=500;
+ use vars qw/
+-$EnableLockForUpdate $DNSLookup $AllowAccessFromWebToAuthenticatedUsersOnly
++$DebugMessages $EnableLockForUpdate $DNSLookup $AllowAccessFromWebToAuthenticatedUsersOnly
+ $BarHeight $BarWidth $CreateDirDataIfNotExists $KeepBackupOfHistoricFiles
+ $NbOfLinesParsed $NbOfLinesDropped $NbOfLinesCorrupted $NbOfOldLines $NbOfNewLines
+ $NbOfLinesShowsteps $NewLinePhase $NbOfLinesForCorruptedLog $PurgeLogFile $ArchiveLogRecords
+@@ -144,7 +144,7 @@ $AuthenticatedUsersNotCaseSensitive
+ $Expires $UpdateStats $MigrateStats $URLNotCaseSensitive $URLWithQuery $URLReferrerWithQuery
+ $DecodeUA
+ /;
+-($EnableLockForUpdate, $DNSLookup, $AllowAccessFromWebToAuthenticatedUsersOnly,
++($DebugMessages, $EnableLockForUpdate, $DNSLookup, $AllowAccessFromWebToAuthenticatedUsersOnly,
+ $BarHeight, $BarWidth, $CreateDirDataIfNotExists, $KeepBackupOfHistoricFiles,
+ $NbOfLinesParsed, $NbOfLinesDropped, $NbOfLinesCorrupted, $NbOfOldLines, $NbOfNewLines,
+ $NbOfLinesShowsteps, $NewLinePhase, $NbOfLinesForCorruptedLog, $PurgeLogFile, $ArchiveLogRecords,
+@@ -155,11 +155,11 @@ $IncludeInternalLinksInOriginSection,
+ $AuthenticatedUsersNotCaseSensitive,
+ $Expires, $UpdateStats, $MigrateStats, $URLNotCaseSensitive, $URLWithQuery, $URLReferrerWithQuery,
+ $DecodeUA)=
+-(0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0);
++(0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0);
+ use vars qw/
+ $AllowToUpdateStatsFromBrowser $DetailedReportsOnNewWindows
+ $FirstDayOfWeek $KeyWordsNotSensitive $SaveDatabaseFilesWithPermissionsForEveryone
+-$WarningMessages $DebugMessages $ShowLinksOnUrl $UseFramesWhenCGI
++$WarningMessages $ShowLinksOnUrl $UseFramesWhenCGI
+ $ShowMenu $ShowMonthStats $ShowDaysOfMonthStats $ShowDaysOfWeekStats
+ $ShowHoursStats $ShowDomainsStats $ShowHostsStats
+ $ShowRobotsStats $ShowSessionsStats $ShowPagesStats $ShowFileTypesStats
+@@ -169,7 +169,7 @@ $AddDataArrayMonthStats $AddDataArraySho
+ /;
+ ($AllowToUpdateStatsFromBrowser, $DetailedReportsOnNewWindows,
+ $FirstDayOfWeek, $KeyWordsNotSensitive, $SaveDatabaseFilesWithPermissionsForEveryone,
+-$WarningMessages, $DebugMessages, $ShowLinksOnUrl, $UseFramesWhenCGI,
++$WarningMessages, $ShowLinksOnUrl, $UseFramesWhenCGI,
+ $ShowMenu, $ShowMonthStats, $ShowDaysOfMonthStats, $ShowDaysOfWeekStats,
+ $ShowHoursStats, $ShowDomainsStats, $ShowHostsStats,
+ $ShowRobotsStats, $ShowSessionsStats, $ShowPagesStats, $ShowFileTypesStats,
+@@ -177,7 +177,7 @@ $ShowOSStats, $ShowBrowsersStats, $ShowO
+ $ShowKeyphrasesStats, $ShowKeywordsStats, $ShowMiscStats, $ShowHTTPErrorsStats,
+ $AddDataArrayMonthStats, $AddDataArrayShowDaysOfMonthStats, $AddDataArrayShowDaysOfWeekStats, $AddDataArrayShowHoursStats
+ )=
+-(1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1);
++(1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1);
+ use vars qw/
+ $AllowFullYearView 
+ $LevelForRobotsDetection $LevelForWormsDetection $LevelForBrowsersDetection $LevelForOSDetection $LevelForRefererAnalyze
+@@ -1577,7 +1577,7 @@ sub Check_Config {
+       if ($URLWithQuery !~ /[0-1]/)                   { $URLWithQuery=0; }
+       if ($URLReferrerWithQuery !~ /[0-1]/)           { $URLReferrerWithQuery=0; }
+       if ($WarningMessages !~ /[0-1]/)                { $WarningMessages=1; }
+-      if ($DebugMessages !~ /[0-1]/)                  { $DebugMessages=1; }
++      if ($DebugMessages !~ /[0-1]/)                  { $DebugMessages=0; }
+       if ($NbOfLinesForCorruptedLog !~ /^\d+/ || $NbOfLinesForCorruptedLog<1) { $NbOfLinesForCorruptedLog=50; }
+       if ($Expires !~ /^\d+/)                                 { $Expires=0; }
+       if ($DecodeUA !~ /[0-1]/)                                               { $DecodeUA=0; }
+@@ -1824,7 +1824,8 @@ sub Read_Plugins {
+       my @PossiblePluginsDir=("$DIR/plugins","/usr/local/awstats/wwwroot/cgi-bin/plugins","/usr/share/awstats/plugins");
+       my %DirAddedInINC=();
+ 
+-      foreach my $key (keys %NoLoadPlugin) { if ($NoLoadPlugin{$key} < 0) { push @PluginsToLoad, $key; } }
++      #Removed for security reason
++      #foreach my $key (keys %NoLoadPlugin) { if ($NoLoadPlugin{$key} < 0) { push @PluginsToLoad, $key; } }
+       if ($Debug) { debug("Call to Read_Plugins with list: ".join(',',@PluginsToLoad)); }
+       foreach my $plugininfo (@PluginsToLoad) {
+               my ($pluginfile,$pluginparam)=split(/\s+/,$plugininfo,2);
+@@ -4288,7 +4289,12 @@ sub UnCompileRegex {
+ #------------------------------------------------------------------------------
+ sub Sanitize {
+       my $stringtoclean=shift;
+-      $stringtoclean =~ s/[^\w_\-\\\/\.\s]//g;
++      my $full=shift||0;
++      if ($full) {
++          $stringtoclean =~ s/[^\w]//g;
++    } else {
++          $stringtoclean =~ s/[^\w_\-\\\/\.\s]//g;
++      }
+       return $stringtoclean;
+ }
+ 
+@@ -5353,6 +5359,7 @@ $QueryString='';
+ # be set to force AWStats to be ran as CLI even from a web page.
+ if ($ENV{'AWSTATS_DEL_GATEWAY_INTERFACE'}) { $ENV{'GATEWAY_INTERFACE'}=''; }
+ if ($ENV{'GATEWAY_INTERFACE'}) {      # Run from a browser as CGI
++    $DebugMessages=0;
+       # Prepare QueryString
+       if ($ENV{'CONTENT_LENGTH'}) {
+               binmode STDIN;
+@@ -5370,7 +5377,7 @@ if ($ENV{'GATEWAY_INTERFACE'}) { # Run f
+ 
+       if ($QueryString =~ /config=([^&]+)/i)                          { $SiteConfig=&DecodeEncodedString("$1"); }
+       if ($QueryString =~ /diricons=([^&]+)/i)                        { $DirIcons=&DecodeEncodedString("$1"); }
+-      if ($QueryString =~ /pluginmode=([^&]+)/i)                      { $PluginMode=&Sanitize(&DecodeEncodedString("$1")); }
++      if ($QueryString =~ /pluginmode=([^&]+)/i)                      { $PluginMode=&Sanitize(&DecodeEncodedString("$1"),1); }
+       if ($QueryString =~ /configdir=([^&]+)/i)                       { $DirConfig=&Sanitize(&DecodeEncodedString("$1")); }
+       # All filters
+       if ($QueryString =~ /hostfilter=([^&]+)/i)                      { $FilterIn{'host'}=&DecodeEncodedString("$1"); }                       # Filter on host list can also be defined with 
hostfilter=filter
+@@ -5393,6 +5400,7 @@ if ($ENV{'GATEWAY_INTERFACE'}) { # Run f
+       }
+ }
+ else {                                                                # Run from command line
++    $DebugMessages=1;
+       # Prepare QueryString
+       for (0..@ARGV-1) {
+               # If migrate
+@@ -5418,7 +5426,7 @@ else {                                                           # Run from command line
+ 
+       if ($QueryString =~ /config=([^&]+)/i)                          { $SiteConfig="$1"; }
+       if ($QueryString =~ /diricons=([^&]+)/i)                        { $DirIcons="$1"; }
+-      if ($QueryString =~ /pluginmode=([^&]+)/i)                      { $PluginMode=&Sanitize("$1"); }
++      if ($QueryString =~ /pluginmode=([^&]+)/i)                      { $PluginMode=&Sanitize("$1",1); }
+       if ($QueryString =~ /configdir=([^&]+)/i)                       { $DirConfig=&Sanitize("$1"); }
+       # All filters
+       if ($QueryString =~ /hostfilter=([^&]+)/i)                      { $FilterIn{'host'}="$1"; }                     # Filter on host list can also be defined with hostfilter=filter
+@@ -5440,6 +5448,7 @@ else {                                                           # Run from command line
+       if ($QueryString =~ /showcorrupted/i)                           { $ShowCorrupted=1; $QueryString=~s/showcorrupted[^&]*//i; }
+       if ($QueryString =~ /showdropped/i)                                     { $ShowDropped=1; $QueryString=~s/showdropped[^&]*//i; }
+       if ($QueryString =~ /showunknownorigin/i)                       { $ShowUnknownOrigin=1; $QueryString=~s/showunknownorigin[^&]*//i; }
++
+ }
+ if ($QueryString =~ /(^|&)staticlinks/i)                      { $StaticLinks=".$SiteConfig"; }
+ if ($QueryString =~ /(^|&)staticlinks=([^&]+)/i)      { $StaticLinks=".$2"; }         # When ran from awstatsbuildstaticpages.pl
+@@ -5447,8 +5456,9 @@ if ($QueryString =~ /(^|&)staticlinksext
+ if ($QueryString =~ /(^|&)framename=([^&]+)/i)                { $FrameName="$2"; }
+ if ($QueryString =~ /(^|&)debug=(\d+)/i)                      { $Debug=$2; }
+ if ($QueryString =~ /(^|&)updatefor=(\d+)/i)          { $UpdateFor=$2; }
+-if ($QueryString =~ /(^|&)noloadplugin=([^&]+)/i)     { foreach (split(/,/,$2)) { $NoLoadPlugin{&Sanitize("$_")}=1; } }
+-if ($QueryString =~ /(^|&)loadplugin=([^&]+)/i)               { foreach (split(/,/,$2)) { $NoLoadPlugin{&Sanitize("$_")}=-1; } }
++if ($QueryString =~ /(^|&)noloadplugin=([^&]+)/i)     { foreach (split(/,/,$2)) { $NoLoadPlugin{&Sanitize("$_",1)}=1; } }
++#Removed for security reasons
++#if ($QueryString =~ /(^|&)loadplugin=([^&]+)/i)              { foreach (split(/,/,$2)) { $NoLoadPlugin{&Sanitize("$_",1)}=-1; } }
+ if ($QueryString =~ /(^|&)limitflush=(\d+)/i)         { $LIMITFLUSH=$2; }
+ # Get/Define output
+ if ($QueryString =~ /(^|&)output(=[^&]*|)(.*)&output(=[^&]*|)(&|$)/i) { error("Only 1 output option is allowed","","",1); }
+@@ -5488,7 +5498,7 @@ else { $DayRequired=''; }
+ # Print AWStats and Perl version 
+ if ($Debug) {
+       debug(ucfirst($PROG)." - $VERSION - Perl $^X $]",1);
+-      debug("DIR=$DIR PROG=$PROG",2);
++      debug("DIR=$DIR PROG=$PROG Extension=$Extension",2);
+       debug("QUERY_STRING=$QueryString",2);
+       debug("HTMLOutput=".join(',',keys %HTMLOutput),1);
+       debug("YearRequired=$YearRequired, MonthRequired=$MonthRequired",2);
+@@ -5634,6 +5644,10 @@ if (! $Lang || $Lang eq 'auto') {
+ &Check_Config();
+ # Now SiteDomain is defined
+ 
++if ($Debug && ! $DebugMessages) {
++    error("Debug has not been allowed. Change DebugMessages parameter in config file to allow debug.");   
++}
++
+ # Define frame name and correct variable for frames
+ if (! $FrameName) {
+       if ($ENV{'GATEWAY_INTERFACE'} && $UseFramesWhenCGI && $HTMLOutput{'main'} && ! $PluginMode) { $FrameName='index'; }
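Review bot: The new `$DebugMessages` gate at the end of this hunk (`if ($Debug && ! $DebugMessages) { error(...) }`, placed after `&Check_Config()` at file line ~5644) is reached only after the earlier `if ($Debug) { debug("DIR=$DIR PROG=$PROG Extension=$Extension",2); debug("QUERY_STRING=$QueryString",2); ... }` block at file line ~5498, and `$Debug` is taken directly from the query string (`debug=(\d+)`), so a web client can still obtain the install directory and extension from that early block before the gate fires — unless `debug()` itself consults `$DebugMessages`, which is not visible in this hunk. Since the CGI branch already forces `$DebugMessages=0` before that point and the CLI branch forces it to 1, gating the early block as `if ($Debug && $DebugMessages) {` closes the window without changing command-line behaviour. A smaller style point: the new `Sanitize` body mixes tab and four-space indentation (`if ($full) {` / `} else {`) and should follow the file's tab convention. `Read_Plugins`, `Sanitize` and the CGI/CLI branches all extend beyond the context shown in this hunk.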
diff -r 8448e5e5c357 -r 628fe39735f2 www/awstats/patches/patch-ab
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/www/awstats/patches/patch-ab      Tue Feb 15 21:05:52 2005 +0000
@@ -0,0 +1,16 @@
+$NetBSD: patch-ab,v 1.1.2.2 2005/02/15 21:05:53 snj Exp $
+
+--- wwwroot/cgi-bin/awstats.model.conf.orig    2005-01-22 09:26:06.000000000 -0600
++++ wwwroot/cgi-bin/awstats.model.conf
+@@ -701,9 +701,9 @@ ErrorMessages=""
+ # security reasons) to disable debugging, set this parameter to 0.
+ # Change : Effective immediatly
+ # Possible values: 0 or 1
+-# Default: 1
++# Default: 0
+ #
+-DebugMessages=1
++DebugMessages=0
+ 
+ 
+ # To help you to detect if your log format is good, AWStats report an error


