[pkgsrc/trunk]: pkgsrc/net/nagios-base Fix several cross site scripting vulne...
details: https://anonhg.NetBSD.org/pkgsrc/rev/d6487eb7365c
branches: trunk
changeset: 539978:d6487eb7365c
user: tonnerre <tonnerre%pkgsrc.org@localhost>
date: Tue Mar 18 21:53:41 2008 +0000
description:
Fix several cross site scripting vulnerabilities in Nagios 2.5
Take over maintainership as suggested by jlam
Approved-by: jlam
diffstat:
net/nagios-base/Makefile | 6 ++--
net/nagios-base/distinfo | 16 ++++++++++-
net/nagios-base/patches/patch-ag | 36 ++++++++++++++++++++++++
net/nagios-base/patches/patch-ai | 52 ++++++++++++++++++++++++++++++++++
net/nagios-base/patches/patch-aj | 60 ++++++++++++++++++++++++++++++++++++++++
net/nagios-base/patches/patch-ak | 20 +++++++++++++
net/nagios-base/patches/patch-al | 29 +++++++++++++++++++
net/nagios-base/patches/patch-am | 46 ++++++++++++++++++++++++++++++
net/nagios-base/patches/patch-an | 13 ++++++++
net/nagios-base/patches/patch-ao | 54 ++++++++++++++++++++++++++++++++++++
net/nagios-base/patches/patch-ap | 20 +++++++++++++
net/nagios-base/patches/patch-aq | 44 +++++++++++++++++++++++++++++
net/nagios-base/patches/patch-ar | 12 ++++++++
net/nagios-base/patches/patch-as | 28 ++++++++++++++++++
net/nagios-base/patches/patch-at | 20 +++++++++++++
net/nagios-base/patches/patch-au | 33 ++++++++++++++++++++++
16 files changed, 485 insertions(+), 4 deletions(-)
diffs (truncated from 571 to 300 lines):
diff -r 83689d6ec90d -r d6487eb7365c net/nagios-base/Makefile
--- a/net/nagios-base/Makefile Tue Mar 18 20:01:20 2008 +0000
+++ b/net/nagios-base/Makefile Tue Mar 18 21:53:41 2008 +0000
@@ -1,13 +1,13 @@
-# $NetBSD: Makefile,v 1.16 2007/11/26 22:14:13 seb Exp $
+# $NetBSD: Makefile,v 1.17 2008/03/18 21:53:41 tonnerre Exp $
#
DISTNAME= nagios-2.5
PKGNAME= ${DISTNAME:S/-/-base-/}
-PKGREVISION= 4
+PKGREVISION= 5
CATEGORIES= net sysutils
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=nagios/}
-MAINTAINER= pkgsrc-users%NetBSD.org@localhost
+MAINTAINER= tonnerre%NetBSD.org@localhost
HOMEPAGE= http://www.nagios.org/
COMMENT= Network monitor
diff -r 83689d6ec90d -r d6487eb7365c net/nagios-base/distinfo
--- a/net/nagios-base/distinfo Tue Mar 18 20:01:20 2008 +0000
+++ b/net/nagios-base/distinfo Tue Mar 18 21:53:41 2008 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.6 2007/11/26 22:14:14 seb Exp $
+$NetBSD: distinfo,v 1.7 2008/03/18 21:53:41 tonnerre Exp $
SHA1 (nagios-2.5.tar.gz) = 00e6bc45c5634649b6a1be2758ec181197d38f76
RMD160 (nagios-2.5.tar.gz) = a0f1890ed546ce026cf784ae3ca83119275bd529
@@ -9,4 +9,18 @@
SHA1 (patch-ad) = 2d7c6620ed08a64c8df2d26083fa327899305004
SHA1 (patch-ae) = 088bddbbd8d6a9f6b7aff89f238d510959a7220b
SHA1 (patch-af) = a1b2c3a51b0ed72ff0f507bacc44a0d0c5924d60
+SHA1 (patch-ag) = 81c7bd5b4bbec8a5135b96d9b2d47a11f7e21953
SHA1 (patch-ah) = 88122296f9d74648c3dadbd7f6e12e7ef1f32081
+SHA1 (patch-ai) = 01af7bb4fd0bf3e341535e072384630f859b1338
+SHA1 (patch-aj) = 4655da482dced332a870feaeddc729c0c7efd841
+SHA1 (patch-ak) = ecdfe1bc8b219324780d0d86ce7c5dcc7c51c241
+SHA1 (patch-al) = 59763ce59854012ca94e5adb4d53ac5c46532309
+SHA1 (patch-am) = f839f730c11907a36df1ed0e01290caa667be655
+SHA1 (patch-an) = d1110a33f26ff3807982385d8e706436214dac3f
+SHA1 (patch-ao) = ed9bff0519efeb531a4fa40170ce69dc8082139e
+SHA1 (patch-ap) = a82898a22eb0e0938bffd0a2490a8fe306f07e65
+SHA1 (patch-aq) = 7403d4192c59e522e94f221d06a1ecec5aba9118
+SHA1 (patch-ar) = a496fbee60e35a5287bd646573ecdb007033f6cf
+SHA1 (patch-as) = cd9c5454f4b6a9f8ccf496398b3413b85a7e0d99
+SHA1 (patch-at) = 9862506f7b8e87525d7c0616703154c006e6dd27
+SHA1 (patch-au) = bde2db89a81d3e41fd90556e6f0d20d3ce1d3bbc
diff -r 83689d6ec90d -r d6487eb7365c net/nagios-base/patches/patch-ag
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/net/nagios-base/patches/patch-ag Tue Mar 18 21:53:41 2008 +0000
@@ -0,0 +1,36 @@
+$NetBSD: patch-ag,v 1.3 2008/03/18 21:53:41 tonnerre Exp $
+
+--- cgi/avail.c.orig 2006-04-06 00:33:32.000000000 +0200
++++ cgi/avail.c
+@@ -1157,6 +1157,7 @@ int process_cgivars(void){
+ hostgroup_name="";
+ else
+ strcpy(hostgroup_name,variables[x]);
++ strip_html_brackets(hostgroup_name);
+ display_type=DISPLAY_HOSTGROUP_AVAIL;
+ show_all_hostgroups=(strcmp(hostgroup_name,"all"))?FALSE:TRUE;
+ }
+@@ -1174,6 +1175,7 @@ int process_cgivars(void){
+ servicegroup_name="";
+ else
+ strcpy(servicegroup_name,variables[x]);
++ strip_html_brackets(servicegroup_name);
+ display_type=DISPLAY_SERVICEGROUP_AVAIL;
+ show_all_servicegroups=(strcmp(servicegroup_name,"all"))?FALSE:TRUE;
+ }
+@@ -1191,6 +1193,7 @@ int process_cgivars(void){
+ host_name="";
+ else
+ strcpy(host_name,variables[x]);
++ strip_html_brackets(host_name);
+ display_type=DISPLAY_HOST_AVAIL;
+ show_all_hosts=(strcmp(host_name,"all"))?FALSE:TRUE;
+ }
+@@ -1208,6 +1211,7 @@ int process_cgivars(void){
+ svc_description="";
+ else
+ strcpy(svc_description,variables[x]);
++ strip_html_brackets(svc_description);
+ display_type=DISPLAY_SERVICE_AVAIL;
+ show_all_services=(strcmp(svc_description,"all"))?FALSE:TRUE;
+ }
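Review bot: Each added `strip_html_brackets()` call comes after an `else` that, as shown, has no braces, so it also runs on the branch that pointed the variable at the literal `""`. Whether the helper returns before writing when given an empty string is not visible on this page; if it does not, that is a write into a string literal. Moving the call into the success branch removes the dependency: `else{ strcpy(hostgroup_name,variables[x]); strip_html_brackets(hostgroup_name); }`. The same pattern appears in patch-ai, patch-ak and patch-al, and after `strdup()` in patch-aj and patch-am. `process_cgivars()` starts and ends outside these hunks.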
diff -r 83689d6ec90d -r d6487eb7365c net/nagios-base/patches/patch-ai
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/net/nagios-base/patches/patch-ai Tue Mar 18 21:53:41 2008 +0000
@@ -0,0 +1,52 @@
+$NetBSD: patch-ai,v 1.1 2008/03/18 21:53:41 tonnerre Exp $
+
+--- cgi/cmd.c.orig 2006-05-19 16:25:03.000000000 +0200
++++ cgi/cmd.c
+@@ -380,6 +380,7 @@ int process_cgivars(void){
+ comment_author="";
+ else
+ strcpy(comment_author,variables[x]);
++ strip_html_brackets(comment_author);
+ }
+
+ /* we found the comment data */
+@@ -395,6 +396,7 @@ int process_cgivars(void){
+ comment_data="";
+ else
+ strcpy(comment_data,variables[x]);
++ strip_html_brackets(comment_data);
+ }
+
+ /* we found the host name */
+@@ -410,6 +412,7 @@ int process_cgivars(void){
+ host_name="";
+ else
+ strcpy(host_name,variables[x]);
++ strip_html_brackets(host_name);
+ }
+
+ /* we found the hostgroup name */
+@@ -425,6 +428,7 @@ int process_cgivars(void){
+ hostgroup_name="";
+ else
+ strcpy(hostgroup_name,variables[x]);
++ strip_html_brackets(hostgroup_name);
+ }
+
+ /* we found the service name */
+@@ -440,6 +444,7 @@ int process_cgivars(void){
+ service_desc="";
+ else
+ strcpy(service_desc,variables[x]);
++ strip_html_brackets(service_desc);
+ }
+
+ /* we found the servicegroup name */
+@@ -455,6 +460,7 @@ int process_cgivars(void){
+ servicegroup_name="";
+ else
+ strcpy(servicegroup_name,variables[x]);
++ strip_html_brackets(servicegroup_name);
+ }
+
+ /* we got the persistence option for a comment */
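Review bot: `comment_author` and `comment_data` are free-text fields, and filtering them with `strip_html_brackets()` at parse time changes the submitted value rather than how it is displayed. Going by the helper's name it handles angle brackets only, so quote characters would still pass if these values are later printed inside an attribute or URL; those print sites are not in the hunks. Encoding at the point of output, as patch-aj and patch-al do with `html_encode()`, keeps the text intact and covers more contexts. If the stripping stays, a comment at each call would record the limit, e.g. `/* removes <...> only; still encode where this value is printed */`. The same applies to the parse-time calls in patch-ag, patch-aj, patch-ak, patch-al and patch-am.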
diff -r 83689d6ec90d -r d6487eb7365c net/nagios-base/patches/patch-aj
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/net/nagios-base/patches/patch-aj Tue Mar 18 21:53:41 2008 +0000
@@ -0,0 +1,60 @@
+$NetBSD: patch-aj,v 1.1 2008/03/18 21:53:41 tonnerre Exp $
+
+--- cgi/extinfo.c.orig 2006-03-21 22:31:46.000000000 +0100
++++ cgi/extinfo.c
+@@ -598,6 +598,7 @@ int process_cgivars(void){
+ host_name=strdup(variables[x]);
+ if(host_name==NULL)
+ host_name="";
++ strip_html_brackets(host_name);
+ }
+
+ /* we found the hostgroup name */
+@@ -611,6 +612,7 @@ int process_cgivars(void){
+ hostgroup_name=strdup(variables[x]);
+ if(hostgroup_name==NULL)
+ hostgroup_name="";
++ strip_html_brackets(hostgroup_name);
+ }
+
+ /* we found the service name */
+@@ -624,6 +626,7 @@ int process_cgivars(void){
+ service_desc=strdup(variables[x]);
+ if(service_desc==NULL)
+ service_desc="";
++ strip_html_brackets(service_desc);
+ }
+
+ /* we found the servicegroup name */
+@@ -637,6 +640,7 @@ int process_cgivars(void){
+ servicegroup_name=strdup(variables[x]);
+ if(servicegroup_name==NULL)
+ servicegroup_name="";
++ strip_html_brackets(servicegroup_name);
+ }
+
+ /* we found the sort type argument */
+@@ -989,9 +993,9 @@ void show_host_info(void){
+
+ printf("<TR><TD CLASS='dataVar'>Host Status:</td><td CLASS='dataVal'><DIV
CLASS='%s'> %s %s </DIV></td></tr>\n",bg_class,state_string,(temp_hoststatus->problem_has_been_acknowledged==TRUE)?"(Has been acknowledged)":"");
+
+- printf("<TR><TD CLASS='dataVar'>Status Information:</td><td CLASS='dataVal'>%s</td></tr>\n",(temp_hoststatus->plugin_output==NULL)?"":temp_hoststatus->plugin_output);
++ printf("<TR><TD CLASS='dataVar'>Status Information:</td><td CLASS='dataVal'>%s</td></tr>\n",(temp_hoststatus->plugin_output==NULL)?"":html_encode(temp_hoststatus->plugin_output));
+
+- printf("<TR><TD CLASS='dataVar'>Performance Data:</td><td CLASS='dataVal'>%s</td></tr>\n",(temp_hoststatus->perf_data==NULL)?"":temp_hoststatus->perf_data);
++ printf("<TR><TD CLASS='dataVar'>Performance Data:</td><td CLASS='dataVal'>%s</td></tr>\n",(temp_hoststatus->perf_data==NULL)?"":html_encode(temp_hoststatus->perf_data));
+
+ printf("<TR><TD CLASS='dataVar'>Current Attempt:</TD><TD CLASS='dataVal'>%d/%d</TD></TR>\n",temp_hoststatus->current_attempt,temp_hoststatus->max_attempts);
+
+@@ -1299,9 +1303,9 @@ void show_service_info(void){
+ }
+ printf("<TR><TD CLASS='dataVar'>Current Status:</TD><TD CLASS='dataVal'><DIV
CLASS='%s'> %s %s </DIV></TD></TR>\n",bg_class,state_string,(temp_svcstatus->problem_has_been_acknowledged==TRUE)?"(Has been acknowledged)":"");
+
+- printf("<TR><TD CLASS='dataVar'>Status Information:</TD><TD CLASS='dataVal'>%s</TD></TR>\n",(temp_svcstatus->plugin_output==NULL)?"":temp_svcstatus->plugin_output);
++ printf("<TR><TD CLASS='dataVar'>Status Information:</TD><TD CLASS='dataVal'>%s</TD></TR>\n",(temp_svcstatus->plugin_output==NULL)?"":html_encode(temp_svcstatus->plugin_output));
+
+- printf("<TR><TD CLASS='dataVar'>Performance Data:</td><td CLASS='dataVal'>%s</td></tr>\n",(temp_svcstatus->perf_data==NULL)?"":temp_svcstatus->perf_data);
++ printf("<TR><TD CLASS='dataVar'>Performance Data:</td><td CLASS='dataVal'>%s</td></tr>\n",(temp_svcstatus->perf_data==NULL)?"":html_encode(temp_svcstatus->perf_data));
+
+ printf("<TR><TD CLASS='dataVar'>Current Attempt:</TD><TD CLASS='dataVal'>%d/%d</TD></TR>\n",temp_svcstatus->current_attempt,temp_svcstatus->max_attempts);
+
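Review bot: The four new `html_encode()` results in `show_host_info()` and `show_service_info()` are passed straight to `printf()`, and nothing in the hunks documents who owns the returned storage. If the helper hands back a shared buffer that the next call reuses (its definition is not on this page), these lines are safe only because each `printf()` holds a single call; a later edit that puts two calls into one `printf()` would print stale or released data. Once the helper's contract is confirmed, a comment above the first use would record it, e.g. `/* html_encode() result is valid only until the next html_encode() call: one call per printf */`. Both functions continue outside the hunks.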
diff -r 83689d6ec90d -r d6487eb7365c net/nagios-base/patches/patch-ak
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/net/nagios-base/patches/patch-ak Tue Mar 18 21:53:41 2008 +0000
@@ -0,0 +1,20 @@
+$NetBSD: patch-ak,v 1.1 2008/03/18 21:53:41 tonnerre Exp $
+
+--- cgi/histogram.c.orig 2006-03-21 22:31:46.000000000 +0100
++++ cgi/histogram.c
+@@ -1086,6 +1086,7 @@ int process_cgivars(void){
+ host_name="";
+ else
+ strcpy(host_name,variables[x]);
++ strip_html_brackets(host_name);
+
+ display_type=DISPLAY_HOST_HISTOGRAM;
+ }
+@@ -1103,6 +1104,7 @@ int process_cgivars(void){
+ svc_description="";
+ else
+ strcpy(svc_description,variables[x]);
++ strip_html_brackets(svc_description);
+
+ display_type=DISPLAY_SERVICE_HISTOGRAM;
+ }
diff -r 83689d6ec90d -r d6487eb7365c net/nagios-base/patches/patch-al
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/net/nagios-base/patches/patch-al Tue Mar 18 21:53:41 2008 +0000
@@ -0,0 +1,29 @@
+$NetBSD: patch-al,v 1.1 2008/03/18 21:53:41 tonnerre Exp $
+
+--- cgi/history.c.orig 2006-03-21 22:31:46.000000000 +0100
++++ cgi/history.c
+@@ -379,6 +379,7 @@ int process_cgivars(void){
+ host_name="";
+ else
+ strcpy(host_name,variables[x]);
++ strip_html_brackets(host_name);
+
+ display_type=DISPLAY_HOSTS;
+
+@@ -401,6 +402,7 @@ int process_cgivars(void){
+ svc_description="";
+ else
+ strcpy(svc_description,variables[x]);
++ strip_html_brackets(svc_description);
+
+ display_type=DISPLAY_SERVICES;
+ }
+@@ -901,7 +903,7 @@ void get_history(void){
+
+ if(display_frills==TRUE)
+ printf("<img align='left' src='%s%s' alt='%s' title='%s'>",url_images_path,image,image_alt,image_alt);
+- printf("[%s] %s<br clear='all'>\n",date_time,temp_buffer);
++ printf("[%s] %s<br clear='all'>\n",date_time,html_encode(temp_buffer));
+ found_line=TRUE;
+ }
+ }
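Review bot: `html_encode(temp_buffer)` in `get_history()` is called without the NULL test that patch-aj puts in front of the same helper in extinfo.c, so this line relies on `html_encode()` accepting a NULL argument, which the hunk does not show. `temp_buffer` is assigned above the hunk, so whether it can be NULL here is not visible. The guarded form would keep the two files consistent: `printf("[%s] %s<br clear='all'>\n",date_time,(temp_buffer==NULL)?"":html_encode(temp_buffer));`.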
diff -r 83689d6ec90d -r d6487eb7365c net/nagios-base/patches/patch-am
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/net/nagios-base/patches/patch-am Tue Mar 18 21:53:41 2008 +0000
@@ -0,0 +1,46 @@
+$NetBSD: patch-am,v 1.1 2008/03/18 21:53:41 tonnerre Exp $
+
+--- cgi/notifications.c.orig 2006-06-19 22:53:24.000000000 +0200
++++ cgi/notifications.c
+@@ -371,6 +371,7 @@ int process_cgivars(void){
+ query_host_name=strdup(variables[x]);
+ if(query_host_name==NULL)
+ query_host_name="";
++ strip_html_brackets(query_host_name);
+ if(!strcmp(query_host_name,"all"))
+ find_all=TRUE;
+ else
+@@ -390,6 +391,7 @@ int process_cgivars(void){
+
+ if(query_contact_name==NULL)
+ query_contact_name="";
++ strip_html_brackets(query_contact_name);
+ if(!strcmp(query_contact_name,"all"))
+ find_all=TRUE;
+ else
+@@ -408,6 +410,7 @@ int process_cgivars(void){
+ query_svc_description=strdup(variables[x]);
+ if(query_svc_description==NULL)
+ query_svc_description="";
++ strip_html_brackets(query_svc_description);
+ }
+
+ /* we found the notification type argument */
+@@ -553,7 +556,7 @@ void display_notifications(void){
+ /* get the host name */
+ temp_buffer=(char *)strtok(NULL,";");