[Pkg-awstats-commits] r50 - in awstats/trunk/debian: . patches
Charles Fry
cfry-guest at costa.debian.org
Sat May 6 21:42:50 UTC 2006
Author: cfry-guest
Date: 2006-05-06 21:42:50 +0000 (Sat, 06 May 2006)
New Revision: 50
Added:
awstats/trunk/debian/patches/0001_sanitize_more.patch
awstats/trunk/debian/patches/1002_disable_configdir.patch
awstats/trunk/debian/patches/1003_redirect_to_STDERR.patch
Removed:
awstats/trunk/debian/patches/1001_sanitize_more.patch
awstats/trunk/debian/patches/1002_redirect_to_STDERR.patch
Modified:
awstats/trunk/debian/changelog
awstats/trunk/debian/patches/series
Log:
integrated security patches provided from upstream
Modified: awstats/trunk/debian/changelog
===================================================================
--- awstats/trunk/debian/changelog 2006-05-05 20:45:07 UTC (rev 49)
+++ awstats/trunk/debian/changelog 2006-05-06 21:42:50 UTC (rev 50)
@@ -1,11 +1,15 @@
awstats (6.5-2) unstable; urgency=low
- * Patch to sanitize diricons parameter, thanks to Hendrik Weimer
- <hendrik at enyo.de> (Closes: #364443)
- * Patch to sanitize migrate parameter, thanks to Hendrik Weimer
- <hendrik at enyo.de> (Closes: #365909)
+ * Require AWSTATS_ENABLE_CONFIG_DIR environmental variable in order to
+ enable configdir. Closes: #365910 (thanks to Hendrik Weimer
+ <hendrik at enyo.de>)
+ * Integrated security patches from upstream:
+ + Decode QueryString. Closes: #364443 (thanks to Micah Anderson
+ <micah at debian.org>)
+ + Sanitize migrate parameter. Closes: #365909 (thanks to Hendrik Weimer
+ <hendrik at enyo.de>)
- -- Charles Fry <debian at frogcircus.org> Fri, 5 May 2006 16:43:53 -0400
+ -- Charles Fry <debian at frogcircus.org> Sat, 6 May 2006 17:36:46 -0400
awstats (6.5-1) unstable; urgency=low
Copied: awstats/trunk/debian/patches/0001_sanitize_more.patch (from rev 49, awstats/trunk/debian/patches/1001_sanitize_more.patch)
===================================================================
--- awstats/trunk/debian/patches/1001_sanitize_more.patch 2006-05-05 20:45:07 UTC (rev 49)
+++ awstats/trunk/debian/patches/0001_sanitize_more.patch 2006-05-06 21:42:50 UTC (rev 50)
@@ -0,0 +1,40 @@
+Index: awstats-6.5/wwwroot/cgi-bin/awstats.pl
+===================================================================
+--- awstats-6.5.orig/wwwroot/cgi-bin/awstats.pl 2005-11-24 15:11:19.000000000 -0500
++++ awstats-6.5/wwwroot/cgi-bin/awstats.pl 2006-05-06 17:34:13.000000000 -0400
+@@ -5534,7 +5534,7 @@
+ $QueryString =~ s/&/&/g;
+ }
+
+- $QueryString = CleanFromCSSA($QueryString);
++ $QueryString = CleanFromCSSA(&DecodeEncodedString($QueryString));
+
+ # Security test
+ if ($QueryString =~ /LogFile=([^&]+)/i) { error("Logfile parameter can't be overwritten when AWStats is used from a CGI"); }
+@@ -5542,7 +5542,7 @@
+ # No update but report by default when run from a browser
+ $UpdateStats=($QueryString=~/update=1/i?1:0);
+
+- if ($QueryString =~ /config=([^&]+)/i) { $SiteConfig=&DecodeEncodedString("$1"); }
++ if ($QueryString =~ /config=([^&]+)/i) { $SiteConfig=&Sanitize(&DecodeEncodedString("$1")); }
+ if ($QueryString =~ /diricons=([^&]+)/i) { $DirIcons=&DecodeEncodedString("$1"); }
+ if ($QueryString =~ /pluginmode=([^&]+)/i) { $PluginMode=&Sanitize(&DecodeEncodedString("$1"),1); }
+ if ($QueryString =~ /configdir=([^&]+)/i) { $DirConfig=&Sanitize(&DecodeEncodedString("$1")); }
+@@ -5561,7 +5561,7 @@
+
+ # If migrate
+ if ($QueryString =~ /(^|-|&|&)migrate=([^&]+)/i) {
+- $MigrateStats=&DecodeEncodedString("$2");
++ $MigrateStats=&Sanitize(&DecodeEncodedString("$2"));
+ $MigrateStats =~ /^(.*)$PROG(\d{0,2})(\d\d)(\d\d\d\d)(.*)\.txt$/;
+ $SiteConfig=$5?$5:'xxx'; $SiteConfig =~ s/^\.//; # SiteConfig is used to find config file
+ }
+@@ -5591,7 +5591,7 @@
+ # Update with no report by default when run from command line
+ $UpdateStats=1;
+
+- if ($QueryString =~ /config=([^&]+)/i) { $SiteConfig="$1"; }
++ if ($QueryString =~ /config=([^&]+)/i) { $SiteConfig=&Sanitize("$1"); }
+ if ($QueryString =~ /diricons=([^&]+)/i) { $DirIcons="$1"; }
+ if ($QueryString =~ /pluginmode=([^&]+)/i) { $PluginMode=&Sanitize("$1",1); }
+ if ($QueryString =~ /configdir=([^&]+)/i) { $DirConfig=&Sanitize("$1"); }
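Review bot: `diricons` is the one parameter in these hunks still assigned without `&Sanitize`, as `$DirIcons=&DecodeEncodedString("$1");` in the CGI branch and `$DirIcons="$1";` in the command-line branch, although the 1001 patch this file replaces wrapped both. In the CGI branch the value is also decoded a second time, after `CleanFromCSSA(&DecodeEncodedString($QueryString))` has already run, so a doubly percent-encoded value is only fully decoded after the cleaning pass. Unless upstream has confirmed that `CleanFromCSSA` alone is sufficient wherever `$DirIcons` is emitted, keep `$DirIcons=&Sanitize(&DecodeEncodedString("$1"));` and `$DirIcons=&Sanitize("$1");`. The same second decode applies to config, pluginmode, configdir and migrate, but those values pass through `&Sanitize` afterwards.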
Deleted: awstats/trunk/debian/patches/1001_sanitize_more.patch
===================================================================
--- awstats/trunk/debian/patches/1001_sanitize_more.patch 2006-05-05 20:45:07 UTC (rev 49)
+++ awstats/trunk/debian/patches/1001_sanitize_more.patch 2006-05-06 21:42:50 UTC (rev 50)
@@ -1,35 +0,0 @@
-Index: awstats-6.5/wwwroot/cgi-bin/awstats.pl
-===================================================================
---- awstats-6.5.orig/wwwroot/cgi-bin/awstats.pl 2005-11-24 15:11:19.000000000 -0500
-+++ awstats-6.5/wwwroot/cgi-bin/awstats.pl 2006-05-05 16:43:12.000000000 -0400
-@@ -5542,8 +5542,8 @@
- # No update but report by default when run from a browser
- $UpdateStats=($QueryString=~/update=1/i?1:0);
-
-- if ($QueryString =~ /config=([^&]+)/i) { $SiteConfig=&DecodeEncodedString("$1"); }
-- if ($QueryString =~ /diricons=([^&]+)/i) { $DirIcons=&DecodeEncodedString("$1"); }
-+ if ($QueryString =~ /config=([^&]+)/i) { $SiteConfig=&Sanitize(&DecodeEncodedString("$1")); }
-+ if ($QueryString =~ /diricons=([^&]+)/i) { $DirIcons=&Sanitize(&DecodeEncodedString("$1")); }
- if ($QueryString =~ /pluginmode=([^&]+)/i) { $PluginMode=&Sanitize(&DecodeEncodedString("$1"),1); }
- if ($QueryString =~ /configdir=([^&]+)/i) { $DirConfig=&Sanitize(&DecodeEncodedString("$1")); }
- # All filters
-@@ -5561,7 +5561,7 @@
-
- # If migrate
- if ($QueryString =~ /(^|-|&|&)migrate=([^&]+)/i) {
-- $MigrateStats=&DecodeEncodedString("$2");
-+ $MigrateStats=&Sanitize(&DecodeEncodedString("$2"));
- $MigrateStats =~ /^(.*)$PROG(\d{0,2})(\d\d)(\d\d\d\d)(.*)\.txt$/;
- $SiteConfig=$5?$5:'xxx'; $SiteConfig =~ s/^\.//; # SiteConfig is used to find config file
- }
-@@ -5591,8 +5591,8 @@
- # Update with no report by default when run from command line
- $UpdateStats=1;
-
-- if ($QueryString =~ /config=([^&]+)/i) { $SiteConfig="$1"; }
-- if ($QueryString =~ /diricons=([^&]+)/i) { $DirIcons="$1"; }
-+ if ($QueryString =~ /config=([^&]+)/i) { $SiteConfig=&Sanitize("$1"); }
-+ if ($QueryString =~ /diricons=([^&]+)/i) { $DirIcons=&Sanitize("$1"); }
- if ($QueryString =~ /pluginmode=([^&]+)/i) { $PluginMode=&Sanitize("$1",1); }
- if ($QueryString =~ /configdir=([^&]+)/i) { $DirConfig=&Sanitize("$1"); }
- # All filters
Added: awstats/trunk/debian/patches/1002_disable_configdir.patch
===================================================================
--- awstats/trunk/debian/patches/1002_disable_configdir.patch 2006-05-05 20:45:07 UTC (rev 49)
+++ awstats/trunk/debian/patches/1002_disable_configdir.patch 2006-05-06 21:42:50 UTC (rev 50)
@@ -0,0 +1,13 @@
+Index: awstats-6.5/wwwroot/cgi-bin/awstats.pl
+===================================================================
+--- awstats-6.5.orig/wwwroot/cgi-bin/awstats.pl 2006-05-05 16:43:12.000000000 -0400
++++ awstats-6.5/wwwroot/cgi-bin/awstats.pl 2006-05-06 17:26:10.000000000 -0400
+@@ -1131,7 +1131,7 @@
+ my $configdir=shift;
+ my @PossibleConfigDir=();
+
+- if ($configdir) { @PossibleConfigDir=("$configdir"); }
++ if ($configdir && $ENV{"AWSTATS_ENABLE_CONFIG_DIR"}) { @PossibleConfigDir=("$configdir"); }
+ else { @PossibleConfigDir=("$DIR","/etc/awstats","/usr/local/etc/awstats","/etc","/etc/opt/awstats"); }
+
+ # Open config file
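Review bot: The new guard `$configdir && $ENV{"AWSTATS_ENABLE_CONFIG_DIR"}` silently falls back to the default directory list when a configdir was supplied but the variable is unset, so the caller gets no indication that the parameter was ignored. It is also a plain truthiness test, so any non-empty value other than `0` (for example `no`) enables the feature. An explicit comparison such as `($ENV{"AWSTATS_ENABLE_CONFIG_DIR"} || '') eq '1'` and a comment like `# configdir is honoured only when the administrator sets AWSTATS_ENABLE_CONFIG_DIR` would make the intent clear. The hunk does not show whether this function is also reached from the command-line path; if it is, existing `-configdir=` invocations would presumably need the variable set as well. The enclosing function starts and ends outside the hunk.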
Deleted: awstats/trunk/debian/patches/1002_redirect_to_STDERR.patch
===================================================================
--- awstats/trunk/debian/patches/1002_redirect_to_STDERR.patch 2006-05-05 20:45:07 UTC (rev 49)
+++ awstats/trunk/debian/patches/1002_redirect_to_STDERR.patch 2006-05-06 21:42:50 UTC (rev 50)
@@ -1,92 +0,0 @@
-diff -urNad awstats~/tools/awstats_buildstaticpages.pl awstats/tools/awstats_buildstaticpages.pl
---- awstats~/tools/awstats_buildstaticpages.pl 2005-08-23 15:56:35.000000000 -0400
-+++ awstats/tools/awstats_buildstaticpages.pl 2006-01-04 00:58:20.490613529 -0500
-@@ -75,7 +75,7 @@
- # Return: None
- #------------------------------------------------------------------------------
- sub error {
-- print "Error: $_[0].\n";
-+ print STDERR "Error: $_[0].\n";
- exit 1;
- }
-
-@@ -95,7 +95,7 @@
- # print "$messagestring<br />\n";
- # }
- # else {
-- print "$messagestring\n";
-+ print STDERR "$messagestring\n";
- # }
- # }
- }
-diff -urNad awstats~/tools/awstats_configure.pl awstats/tools/awstats_configure.pl
---- awstats~/tools/awstats_configure.pl 2005-04-22 13:34:05.000000000 -0400
-+++ awstats/tools/awstats_configure.pl 2006-01-04 00:58:24.987002812 -0500
-@@ -87,7 +87,7 @@
- # error
- #-------------------------------------------------------
- sub error {
-- print "Error: $_[0].\n";
-+ print STDERR "Error: $_[0].\n";
- exit 1;
- }
-
-diff -urNad awstats~/tools/awstats_exportlib.pl awstats/tools/awstats_exportlib.pl
---- awstats~/tools/awstats_exportlib.pl 2003-12-05 18:53:38.000000000 -0500
-+++ awstats/tools/awstats_exportlib.pl 2006-01-04 00:58:30.769217454 -0500
-@@ -93,8 +93,8 @@
- my $thirdmessage=shift||"";
- my $donotshowsetupinfo=shift||0;
- if ($Debug) { debug("$message $secondmessage $thirdmessage",1); }
-- print "$message";
-- print "\n";
-+ print STDERR "$message";
-+ print STDERR "\n";
- exit 1;
- }
-
-diff -urNad awstats~/tools/awstats_updateall.pl awstats/tools/awstats_updateall.pl
---- awstats~/tools/awstats_updateall.pl 2005-04-22 13:34:05.000000000 -0400
-+++ awstats/tools/awstats_updateall.pl 2006-01-04 00:58:34.910654953 -0500
-@@ -36,7 +36,7 @@
- # Return: None
- #------------------------------------------------------------------------------
- sub error {
-- print "Error: $_[0].\n";
-+ print STDERR "Error: $_[0].\n";
- exit 1;
- }
-
-diff -urNad awstats~/tools/logresolvemerge.pl awstats/tools/logresolvemerge.pl
---- awstats~/tools/logresolvemerge.pl 2005-12-04 16:10:46.000000000 -0500
-+++ awstats/tools/logresolvemerge.pl 2006-01-04 00:58:38.552160356 -0500
-@@ -104,7 +104,7 @@
- # Return: None
- #------------------------------------------------------------------------------
- sub error {
-- print "Error: $_[0].\n";
-+ print STDERR "Error: $_[0].\n";
- exit 1;
- }
-
-@@ -133,7 +133,7 @@
- sub warning {
- my $messagestring=shift;
- if ($Debug) { debug("$messagestring",1); }
-- print "$messagestring\n";
-+ print STDERR "$messagestring\n";
- }
-
- #-----------------------------------------------------------------------------
-diff -urNad awstats~/tools/maillogconvert.pl awstats/tools/maillogconvert.pl
---- awstats~/tools/maillogconvert.pl 2005-04-22 13:34:05.000000000 -0400
-+++ awstats/tools/maillogconvert.pl 2006-01-04 00:58:42.465628823 -0500
-@@ -56,7 +56,7 @@
- #-------------------------------------------------------
-
- sub error {
-- print "Error: $_[0].\n";
-+ print STDERR "Error: $_[0].\n";
- exit 1;
- }
-
Copied: awstats/trunk/debian/patches/1003_redirect_to_STDERR.patch (from rev 47, awstats/trunk/debian/patches/1002_redirect_to_STDERR.patch)
Modified: awstats/trunk/debian/patches/series
===================================================================
--- awstats/trunk/debian/patches/series 2006-05-05 20:45:07 UTC (rev 49)
+++ awstats/trunk/debian/patches/series 2006-05-06 21:42:50 UTC (rev 50)
@@ -1,2 +1,3 @@
-1001_sanitize_more.patch
-1002_redirect_to_STDERR.patch
+0001_sanitize_more.patch
+1002_disable_configdir.patch
+1003_redirect_to_STDERR.patch