[Pkg-awstats-commits] r50 - in awstats/trunk/debian: . patches

Charles Fry cfry-guest at costa.debian.org
Sat May 6 21:42:50 UTC 2006


Author: cfry-guest
Date: 2006-05-06 21:42:50 +0000 (Sat, 06 May 2006)
New Revision: 50

Added:
   awstats/trunk/debian/patches/0001_sanitize_more.patch
   awstats/trunk/debian/patches/1002_disable_configdir.patch
   awstats/trunk/debian/patches/1003_redirect_to_STDERR.patch
Removed:
   awstats/trunk/debian/patches/1001_sanitize_more.patch
   awstats/trunk/debian/patches/1002_redirect_to_STDERR.patch
Modified:
   awstats/trunk/debian/changelog
   awstats/trunk/debian/patches/series
Log:
integrated security patches provided from upstream


Modified: awstats/trunk/debian/changelog
===================================================================
--- awstats/trunk/debian/changelog	2006-05-05 20:45:07 UTC (rev 49)
+++ awstats/trunk/debian/changelog	2006-05-06 21:42:50 UTC (rev 50)
@@ -1,11 +1,15 @@
 awstats (6.5-2) unstable; urgency=low
 
-  * Patch to sanitize diricons parameter, thanks to Hendrik Weimer
-    <hendrik at enyo.de> (Closes: #364443)
-  * Patch to sanitize migrate parameter, thanks to Hendrik Weimer
-    <hendrik at enyo.de> (Closes: #365909)
+  * Require AWSTATS_ENABLE_CONFIG_DIR environmental variable in order to
+    enable configdir. Closes: #365910 (thanks to Hendrik Weimer
+    <hendrik at enyo.de>)
+  * Integrated security patches from upstream:
+    + Decode QueryString. Closes: #364443 (thanks to Micah Anderson
+      <micah at debian.org>)
+    + Sanitize migrate parameter. Closes: #365909 (thanks to Hendrik Weimer
+      <hendrik at enyo.de>)
 
- -- Charles Fry <debian at frogcircus.org>  Fri,  5 May 2006 16:43:53 -0400
+ -- Charles Fry <debian at frogcircus.org>  Sat,  6 May 2006 17:36:46 -0400
 
 awstats (6.5-1) unstable; urgency=low
 

Copied: awstats/trunk/debian/patches/0001_sanitize_more.patch (from rev 49, awstats/trunk/debian/patches/1001_sanitize_more.patch)
===================================================================
--- awstats/trunk/debian/patches/1001_sanitize_more.patch	2006-05-05 20:45:07 UTC (rev 49)
+++ awstats/trunk/debian/patches/0001_sanitize_more.patch	2006-05-06 21:42:50 UTC (rev 50)
@@ -0,0 +1,40 @@
+Index: awstats-6.5/wwwroot/cgi-bin/awstats.pl
+===================================================================
+--- awstats-6.5.orig/wwwroot/cgi-bin/awstats.pl	2005-11-24 15:11:19.000000000 -0500
++++ awstats-6.5/wwwroot/cgi-bin/awstats.pl	2006-05-06 17:34:13.000000000 -0400
+@@ -5534,7 +5534,7 @@
+ 	    $QueryString =~ s/&/&amp;/g;
+ 	}
+ 
+-	$QueryString = CleanFromCSSA($QueryString);
++	$QueryString = CleanFromCSSA(&DecodeEncodedString($QueryString));
+ 
+     # Security test
+ 	if ($QueryString =~ /LogFile=([^&]+)/i)				{ error("Logfile parameter can't be overwritten when AWStats is used from a CGI"); }
+@@ -5542,7 +5542,7 @@
+ 	# No update but report by default when run from a browser
+ 	$UpdateStats=($QueryString=~/update=1/i?1:0);
+ 
+-	if ($QueryString =~ /config=([^&]+)/i)				{ $SiteConfig=&DecodeEncodedString("$1"); }
++	if ($QueryString =~ /config=([^&]+)/i)				{ $SiteConfig=&Sanitize(&DecodeEncodedString("$1")); }
+ 	if ($QueryString =~ /diricons=([^&]+)/i)			{ $DirIcons=&DecodeEncodedString("$1"); }
+ 	if ($QueryString =~ /pluginmode=([^&]+)/i)			{ $PluginMode=&Sanitize(&DecodeEncodedString("$1"),1); }
+ 	if ($QueryString =~ /configdir=([^&]+)/i)			{ $DirConfig=&Sanitize(&DecodeEncodedString("$1")); }
+@@ -5561,7 +5561,7 @@
+ 
+ 	# If migrate
+ 	if ($QueryString =~ /(^|-|&|&amp;)migrate=([^&]+)/i)	{
+-		$MigrateStats=&DecodeEncodedString("$2"); 
++		$MigrateStats=&Sanitize(&DecodeEncodedString("$2"));
+ 		$MigrateStats =~ /^(.*)$PROG(\d{0,2})(\d\d)(\d\d\d\d)(.*)\.txt$/;
+ 		$SiteConfig=$5?$5:'xxx'; $SiteConfig =~ s/^\.//;		# SiteConfig is used to find config file
+ 	}
+@@ -5591,7 +5591,7 @@
+ 	# Update with no report by default when run from command line
+ 	$UpdateStats=1;
+ 
+-	if ($QueryString =~ /config=([^&]+)/i)				{ $SiteConfig="$1"; }
++	if ($QueryString =~ /config=([^&]+)/i)				{ $SiteConfig=&Sanitize("$1"); }
+ 	if ($QueryString =~ /diricons=([^&]+)/i)			{ $DirIcons="$1"; }
+ 	if ($QueryString =~ /pluginmode=([^&]+)/i)			{ $PluginMode=&Sanitize("$1",1); }
+ 	if ($QueryString =~ /configdir=([^&]+)/i)			{ $DirConfig=&Sanitize("$1"); }
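Review bot: In the CGI branch the whole `$QueryString` is now decoded before `CleanFromCSSA`, yet every parameter is still passed through `DecodeEncodedString` a second time, and `diricons` (a context line in the second inner hunk) is the one path-like parameter left without `Sanitize` afterwards. A value that is still percent-encoded after the first decode would be decoded again after the filter has run, so the filter never sees the final characters. The patch this one replaces wrapped that assignment, and keeping the wrap would close the gap: `if ($QueryString =~ /diricons=([^&]+)/i) { $DirIcons=&Sanitize(&DecodeEncodedString("$1")); }`, with `$DirIcons=&Sanitize("$1");` in the command-line branch of the last inner hunk. The bodies of `CleanFromCSSA` and `Sanitize` are not visible here, so confirm that `Sanitize` still permits the characters a legitimate icon path needs.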

Deleted: awstats/trunk/debian/patches/1001_sanitize_more.patch
===================================================================
--- awstats/trunk/debian/patches/1001_sanitize_more.patch	2006-05-05 20:45:07 UTC (rev 49)
+++ awstats/trunk/debian/patches/1001_sanitize_more.patch	2006-05-06 21:42:50 UTC (rev 50)
@@ -1,35 +0,0 @@
-Index: awstats-6.5/wwwroot/cgi-bin/awstats.pl
-===================================================================
---- awstats-6.5.orig/wwwroot/cgi-bin/awstats.pl	2005-11-24 15:11:19.000000000 -0500
-+++ awstats-6.5/wwwroot/cgi-bin/awstats.pl	2006-05-05 16:43:12.000000000 -0400
-@@ -5542,8 +5542,8 @@
- 	# No update but report by default when run from a browser
- 	$UpdateStats=($QueryString=~/update=1/i?1:0);
- 
--	if ($QueryString =~ /config=([^&]+)/i)				{ $SiteConfig=&DecodeEncodedString("$1"); }
--	if ($QueryString =~ /diricons=([^&]+)/i)			{ $DirIcons=&DecodeEncodedString("$1"); }
-+	if ($QueryString =~ /config=([^&]+)/i)				{ $SiteConfig=&Sanitize(&DecodeEncodedString("$1")); }
-+	if ($QueryString =~ /diricons=([^&]+)/i)			{ $DirIcons=&Sanitize(&DecodeEncodedString("$1")); }
- 	if ($QueryString =~ /pluginmode=([^&]+)/i)			{ $PluginMode=&Sanitize(&DecodeEncodedString("$1"),1); }
- 	if ($QueryString =~ /configdir=([^&]+)/i)			{ $DirConfig=&Sanitize(&DecodeEncodedString("$1")); }
- 	# All filters
-@@ -5561,7 +5561,7 @@
- 
- 	# If migrate
- 	if ($QueryString =~ /(^|-|&|&amp;)migrate=([^&]+)/i)	{
--		$MigrateStats=&DecodeEncodedString("$2"); 
-+		$MigrateStats=&Sanitize(&DecodeEncodedString("$2"));
- 		$MigrateStats =~ /^(.*)$PROG(\d{0,2})(\d\d)(\d\d\d\d)(.*)\.txt$/;
- 		$SiteConfig=$5?$5:'xxx'; $SiteConfig =~ s/^\.//;		# SiteConfig is used to find config file
- 	}
-@@ -5591,8 +5591,8 @@
- 	# Update with no report by default when run from command line
- 	$UpdateStats=1;
- 
--	if ($QueryString =~ /config=([^&]+)/i)				{ $SiteConfig="$1"; }
--	if ($QueryString =~ /diricons=([^&]+)/i)			{ $DirIcons="$1"; }
-+	if ($QueryString =~ /config=([^&]+)/i)				{ $SiteConfig=&Sanitize("$1"); }
-+	if ($QueryString =~ /diricons=([^&]+)/i)			{ $DirIcons=&Sanitize("$1"); }
- 	if ($QueryString =~ /pluginmode=([^&]+)/i)			{ $PluginMode=&Sanitize("$1",1); }
- 	if ($QueryString =~ /configdir=([^&]+)/i)			{ $DirConfig=&Sanitize("$1"); }
- 	# All filters

Added: awstats/trunk/debian/patches/1002_disable_configdir.patch
===================================================================
--- awstats/trunk/debian/patches/1002_disable_configdir.patch	2006-05-05 20:45:07 UTC (rev 49)
+++ awstats/trunk/debian/patches/1002_disable_configdir.patch	2006-05-06 21:42:50 UTC (rev 50)
@@ -0,0 +1,13 @@
+Index: awstats-6.5/wwwroot/cgi-bin/awstats.pl
+===================================================================
+--- awstats-6.5.orig/wwwroot/cgi-bin/awstats.pl	2006-05-05 16:43:12.000000000 -0400
++++ awstats-6.5/wwwroot/cgi-bin/awstats.pl	2006-05-06 17:26:10.000000000 -0400
+@@ -1131,7 +1131,7 @@
+ 	my $configdir=shift;
+ 	my @PossibleConfigDir=();
+ 
+-	if ($configdir) { @PossibleConfigDir=("$configdir"); }
++	if ($configdir && $ENV{"AWSTATS_ENABLE_CONFIG_DIR"}) { @PossibleConfigDir=("$configdir"); }
+ 	else { @PossibleConfigDir=("$DIR","/etc/awstats","/usr/local/etc/awstats","/etc","/etc/opt/awstats"); }
+ 
+ 	# Open config file
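Review bot: The new guard drops a caller-supplied `$configdir` without any message when `AWSTATS_ENABLE_CONFIG_DIR` is unset. It appears to apply to command-line runs as well as CGI requests (the command-line branch in 0001_sanitize_more.patch also sets `$DirConfig` from `configdir=`), so an existing scheduled job that passes a config directory would quietly read its config from the default directories. Consider reporting the ignored value (the enclosing sub starts above the hunk, so check whether `debug()` or `warning()` is usable at this point) and documenting the switch with a comment such as `# configdir is honoured only when the admin sets AWSTATS_ENABLE_CONFIG_DIR in the server environment`. The test is plain truthiness, so `AWSTATS_ENABLE_CONFIG_DIR=0` disables and any other non-empty value enables; state that in the comment or compare against an explicit value.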

Deleted: awstats/trunk/debian/patches/1002_redirect_to_STDERR.patch
===================================================================
--- awstats/trunk/debian/patches/1002_redirect_to_STDERR.patch	2006-05-05 20:45:07 UTC (rev 49)
+++ awstats/trunk/debian/patches/1002_redirect_to_STDERR.patch	2006-05-06 21:42:50 UTC (rev 50)
@@ -1,92 +0,0 @@
-diff -urNad awstats~/tools/awstats_buildstaticpages.pl awstats/tools/awstats_buildstaticpages.pl
---- awstats~/tools/awstats_buildstaticpages.pl	2005-08-23 15:56:35.000000000 -0400
-+++ awstats/tools/awstats_buildstaticpages.pl	2006-01-04 00:58:20.490613529 -0500
-@@ -75,7 +75,7 @@
- # Return:		None
- #------------------------------------------------------------------------------
- sub error {
--	print "Error: $_[0].\n";
-+	print STDERR "Error: $_[0].\n";
-     exit 1;
- }
- 
-@@ -95,7 +95,7 @@
- #    		print "$messagestring<br />\n";
- #    	}
- #    	else {
--	    	print "$messagestring\n";
-+	    	print STDERR "$messagestring\n";
- #    	}
- #	}
- }
-diff -urNad awstats~/tools/awstats_configure.pl awstats/tools/awstats_configure.pl
---- awstats~/tools/awstats_configure.pl	2005-04-22 13:34:05.000000000 -0400
-+++ awstats/tools/awstats_configure.pl	2006-01-04 00:58:24.987002812 -0500
-@@ -87,7 +87,7 @@
- # error
- #-------------------------------------------------------
- sub error {
--	print "Error: $_[0].\n";
-+	print STDERR "Error: $_[0].\n";
-     exit 1;
- }
- 
-diff -urNad awstats~/tools/awstats_exportlib.pl awstats/tools/awstats_exportlib.pl
---- awstats~/tools/awstats_exportlib.pl	2003-12-05 18:53:38.000000000 -0500
-+++ awstats/tools/awstats_exportlib.pl	2006-01-04 00:58:30.769217454 -0500
-@@ -93,8 +93,8 @@
- 	my $thirdmessage=shift||"";
- 	my $donotshowsetupinfo=shift||0;
- 	if ($Debug) { debug("$message $secondmessage $thirdmessage",1); }
--	print "$message";
--	print "\n";
-+	print STDERR "$message";
-+	print STDERR "\n";
- 	exit 1;
- }
- 
-diff -urNad awstats~/tools/awstats_updateall.pl awstats/tools/awstats_updateall.pl
---- awstats~/tools/awstats_updateall.pl	2005-04-22 13:34:05.000000000 -0400
-+++ awstats/tools/awstats_updateall.pl	2006-01-04 00:58:34.910654953 -0500
-@@ -36,7 +36,7 @@
- # Return:		None
- #------------------------------------------------------------------------------
- sub error {
--	print "Error: $_[0].\n";
-+	print STDERR "Error: $_[0].\n";
-     exit 1;
- }
- 
-diff -urNad awstats~/tools/logresolvemerge.pl awstats/tools/logresolvemerge.pl
---- awstats~/tools/logresolvemerge.pl	2005-12-04 16:10:46.000000000 -0500
-+++ awstats/tools/logresolvemerge.pl	2006-01-04 00:58:38.552160356 -0500
-@@ -104,7 +104,7 @@
- # Return:		None
- #------------------------------------------------------------------------------
- sub error {
--	print "Error: $_[0].\n";
-+	print STDERR "Error: $_[0].\n";
-     exit 1;
- }
- 
-@@ -133,7 +133,7 @@
- sub warning {
- 	my $messagestring=shift;
- 	if ($Debug) { debug("$messagestring",1); }
--   	print "$messagestring\n";
-+   	print STDERR "$messagestring\n";
- }
- 
- #-----------------------------------------------------------------------------
-diff -urNad awstats~/tools/maillogconvert.pl awstats/tools/maillogconvert.pl
---- awstats~/tools/maillogconvert.pl	2005-04-22 13:34:05.000000000 -0400
-+++ awstats/tools/maillogconvert.pl	2006-01-04 00:58:42.465628823 -0500
-@@ -56,7 +56,7 @@
- #-------------------------------------------------------
- 
- sub error {
--	print "Error: $_[0].\n";
-+	print STDERR "Error: $_[0].\n";
-     exit 1;
- }
- 

Copied: awstats/trunk/debian/patches/1003_redirect_to_STDERR.patch (from rev 47, awstats/trunk/debian/patches/1002_redirect_to_STDERR.patch)

Modified: awstats/trunk/debian/patches/series
===================================================================
--- awstats/trunk/debian/patches/series	2006-05-05 20:45:07 UTC (rev 49)
+++ awstats/trunk/debian/patches/series	2006-05-06 21:42:50 UTC (rev 50)
@@ -1,2 +1,3 @@
-1001_sanitize_more.patch
-1002_redirect_to_STDERR.patch
+0001_sanitize_more.patch
+1002_disable_configdir.patch
+1003_redirect_to_STDERR.patch



