pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/www/awstats Fix XSS vulnerabilities in awstats.



details:   https://anonhg.NetBSD.org/pkgsrc/rev/0f466ed9f940
branches:  trunk
changeset: 599111:0f466ed9f940
user:      minskim <minskim%pkgsrc.org@localhost>
date:      Sun Feb 05 23:58:07 2012 +0000

description:
Fix XSS vulnerabilities in awstats.

Patch from awstats' CVS repo.

diffstat:

 www/awstats/Makefile                                 |   4 +-
 www/awstats/distinfo                                 |   3 +-
 www/awstats/patches/patch-wwwroot_cgi-bin_awredir.pl |  47 ++++++++++++++++++++
 3 files changed, 51 insertions(+), 3 deletions(-)

diffs (78 lines):

diff -r 2e239a93b543 -r 0f466ed9f940 www/awstats/Makefile
--- a/www/awstats/Makefile      Sun Feb 05 22:53:51 2012 +0000
+++ b/www/awstats/Makefile      Sun Feb 05 23:58:07 2012 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.45 2011/05/30 09:31:25 hauke Exp $
+# $NetBSD: Makefile,v 1.46 2012/02/05 23:58:07 minskim Exp $
 
 DISTNAME=      awstats-7.0
-PKGREVISION=   2
+PKGREVISION=   3
 CATEGORIES=    www
 MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE:=awstats/}
 
diff -r 2e239a93b543 -r 0f466ed9f940 www/awstats/distinfo
--- a/www/awstats/distinfo      Sun Feb 05 22:53:51 2012 +0000
+++ b/www/awstats/distinfo      Sun Feb 05 23:58:07 2012 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.28 2011/05/30 09:32:41 hauke Exp $
+$NetBSD: distinfo,v 1.29 2012/02/05 23:58:07 minskim Exp $
 
 SHA1 (awstats-7.0/awstats-7.0.tar.gz) = 733fa7d6a540f4a54f52c69a5f271c789472b0b7
 RMD160 (awstats-7.0/awstats-7.0.tar.gz) = 0bd46afbd3159cf5f3e517b37a43b7d0852fc2a3
@@ -6,3 +6,4 @@
 SHA1 (patch-aa) = 77505c9894b0be638d748c506feb93e065a3318f
 SHA1 (patch-ab) = 9ae474058a1803c1132b36448c1a6987c58e8823
 SHA1 (patch-ad) = 9c08fff3fcc3871a08c73c9509fbeb5baca06c09
+SHA1 (patch-wwwroot_cgi-bin_awredir.pl) = 3e3a41ab4bfbe633f78af182f5d2692bd678595d
diff -r 2e239a93b543 -r 0f466ed9f940 www/awstats/patches/patch-wwwroot_cgi-bin_awredir.pl
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/www/awstats/patches/patch-wwwroot_cgi-bin_awredir.pl      Sun Feb 05 23:58:07 2012 +0000
@@ -0,0 +1,47 @@
+$NetBSD: patch-wwwroot_cgi-bin_awredir.pl,v 1.1 2012/02/05 23:58:07 minskim Exp $
+
+Security fix for http://secunia.com/advisories/46160/
+
+--- wwwroot/cgi-bin/awredir.pl.orig    2009-01-03 10:42:04.000000000 +0000
++++ wwwroot/cgi-bin/awredir.pl
+@@ -73,6 +73,27 @@ sub DecodeEncodedString {
+       return $stringtodecode;
+ }
+ 
++#------------------------------------------------------------------------------
++# Function:     Clean a string of HTML tags to avoid 'Cross Site Scripting attacks'
++#               and clean | char.
++# Parameters:   stringtoclean
++# Input:        None
++# Output:       None
++# Return:             cleanedstring
++#------------------------------------------------------------------------------
++sub CleanXSS {
++      my $stringtoclean = shift;
++
++      # To avoid html tags and javascript
++      $stringtoclean =~ s/</&lt;/g;
++      $stringtoclean =~ s/>/&gt;/g;
++      $stringtoclean =~ s/|//g;
++
++      # To avoid onload="
++      $stringtoclean =~ s/onload//g;
++      return $stringtoclean;
++}
++
+ 
+ #-------------------------------------------------------
+ # MAIN
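Review bot: the third substitution in the new CleanXSS, `$stringtoclean =~ s/|//g;`, does not remove `|` characters at all: an unescaped `|` is regex alternation, so the pattern is two empty alternatives that match only the empty string, and the input comes back unchanged. The metacharacter needs escaping, `s/\|//g`, or use `tr/|//d`, which is not a regex. The function header says the `|` char is cleaned, so as written the patch does not deliver that part of the fix. The rest of the routine is a substring blacklist: `s/onload//g` is case-sensitive and runs one non-overlapping pass, and `&`, `"` and `'` are left untouched, so a value placed into an attribute context is still not safe. A sturdier approach is to HTML-escape all five characters (`&` first, so the entities introduced for `<` and `>` are not double-encoded) and, for the redirect target, to check for an allowed URL scheme instead of deleting known-bad words; at minimum add `/i` to the onload substitution. Minor: the `# Input: None` / `# Output: None` lines in the header comment contradict `# Parameters: stringtoclean` just above them.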
+@@ -124,6 +145,12 @@ elsif ($Url =~ /url=(.+)$/) { $Url=$1; }
+ $Url = DecodeEncodedString($Url);
+ $UrlParam=$Url;
+ 
++# Sanitize parameters
++$Tag=CleanXSS($Tag);
++$Key=CleanXSS($Key);
++$UrlParam=CleanXSS($UrlParam);
++
++
+ if (! $UrlParam) {
+         error("Error: Bad use of $PROG. To redirect an URL with $PROG, use the following syntax:<br><i>/cgi-bin/$PROG.pl?url=http://urltogo</i>");
+ }
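Review bot: in the `# Sanitize parameters` block CleanXSS is applied to `$UrlParam` but not to `$Url`, from which `$UrlParam` was copied two lines earlier, so `$Url` still carries the raw decoded value after this hunk; if `$Url` is what later ends up in the Location header or in an error message (not visible here), clean it at the same point or assign the cleaned `$UrlParam` back into `$Url`. The ordering itself is right: the cleaning runs after `DecodeEncodedString`, so percent-encoded `<` and `>` cannot slip past the filter. Style nit: the two consecutive blank `+` lines before `if (! $UrlParam)` can be collapsed to one.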


