authorthierry <thierry@FreeBSD.org>2006-11-02 09:22:26 +0000
committerthierry <thierry@FreeBSD.org>2006-11-02 09:22:26 +0000
commit4286b4199657210ad8e8355e04e39b7862e7693a (patch)
treec5357a0c0153eb8fe24240a128bf4781925f17db /www/awstats
parentcb7f964b745f540672f26fb060006640743a4ea2 (diff)
- Fix patch-awstats.pl-security.orig;
- Take maintainership. PR: ports/104784 Submitted by: Alex Samorukov <samm (at) os2.kiev.ua> Security: VuXML ID e86fbb5f-0d04-11da-bc08-0001020eed82
Diffstat (limited to 'www/awstats')
-rw-r--r--www/awstats/Makefile8
-rw-r--r--www/awstats/files/patch-awstats.pl-security91
2 files changed, 93 insertions, 6 deletions
diff --git a/www/awstats/Makefile b/www/awstats/Makefile
index 04456a6..1f9af8d 100644
--- a/www/awstats/Makefile
+++ b/www/awstats/Makefile
@@ -7,19 +7,15 @@
PORTNAME= awstats
PORTVERSION= 6.5
-PORTREVISION= 1
+PORTREVISION= 2
PORTEPOCH= 1
CATEGORIES= www
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
MASTER_SITE_SUBDIR= ${PORTNAME}
-MAINTAINER= ports@FreeBSD.org
+MAINTAINER= samm@os2.kiev.ua
COMMENT= Free real-time logfile analyzer to get advanced web statistics
-FORBIDDEN= Command Injection Vulnerability
-DEPRECATED= ${FORBIDDEN}
-EXPIRATION_DATE=2006-12-01
-
RUN_DEPENDS= ${SITE_PERL}/Net/XWhois.pm:${PORTSDIR}/net/p5-Net-XWhois
NO_BUILD= yes
diff --git a/www/awstats/files/patch-awstats.pl-security b/www/awstats/files/patch-awstats.pl-security
new file mode 100644
index 0000000..668e4c0
--- /dev/null
+++ b/www/awstats/files/patch-awstats.pl-security
@@ -0,0 +1,91 @@
+--- wwwroot/cgi-bin/awstats.pl Wed Oct 25 09:05:29 2006
++++ wwwroot/cgi-bin/awstats.pl Wed Oct 25 09:02:30 2006
+@@ -1131,7 +1131,18 @@
+ my $configdir=shift;
+ my @PossibleConfigDir=();
+
+- if ($configdir) { @PossibleConfigDir=("$configdir"); }
++ if ($configdir)
++ {
++ # If from CGI, overwriting of configdir is only possible if AWSTATS_ENABLE_CONFIG_DIR defined
++ #if ($ENV{'GATEWAY_INTERFACE'} && ! $ENV{"AWSTATS_ENABLE_CONFIG_DIR"})
++ #{
++ # error("Sorry, to allow overwriting of configdir parameter from an AWStats CGI usage, environment variable AWSTATS_ENABLE_CONFIG_DIR must be set to 1");
++ #}
++ #else
++ #{
++ @PossibleConfigDir=("$configdir");
++ #}
++ }
+ else { @PossibleConfigDir=("$DIR","/etc/awstats","/usr/local/etc/awstats","/etc","/etc/opt/awstats"); }
+
+ # Open config file
+@@ -4439,6 +4450,7 @@
+ my $stringtoclean=shift;
+ $stringtoclean =~ s/</&lt;/g;
+ $stringtoclean =~ s/>/&gt;/g;
++ $stringtoclean =~ s/|//g;
+ return $stringtoclean;
+ }
+
+@@ -5534,7 +5546,7 @@
+ $QueryString =~ s/&/&amp;/g;
+ }
+
+- $QueryString = CleanFromCSSA($QueryString);
++ $QueryString = CleanFromCSSA(&DecodeEncodedString($QueryString));
+
+ # Security test
+ if ($QueryString =~ /LogFile=([^&]+)/i) { error("Logfile parameter can't be overwritten when AWStats is used from a CGI"); }
+@@ -5542,26 +5554,26 @@
+ # No update but report by default when run from a browser
+ $UpdateStats=($QueryString=~/update=1/i?1:0);
+
+- if ($QueryString =~ /config=([^&]+)/i) { $SiteConfig=&DecodeEncodedString("$1"); }
+- if ($QueryString =~ /diricons=([^&]+)/i) { $DirIcons=&DecodeEncodedString("$1"); }
+- if ($QueryString =~ /pluginmode=([^&]+)/i) { $PluginMode=&Sanitize(&DecodeEncodedString("$1"),1); }
+- if ($QueryString =~ /configdir=([^&]+)/i) { $DirConfig=&Sanitize(&DecodeEncodedString("$1")); }
+- # All filters
+- if ($QueryString =~ /hostfilter=([^&]+)/i) { $FilterIn{'host'}=&DecodeEncodedString("$1"); } # Filter on host list can also be defined with hostfilter=filter
+- if ($QueryString =~ /hostfilterex=([^&]+)/i) { $FilterEx{'host'}=&DecodeEncodedString("$1"); } #
+- if ($QueryString =~ /urlfilter=([^&]+)/i) { $FilterIn{'url'}=&DecodeEncodedString("$1"); } # Filter on URL list can also be defined with urlfilter=filter
+- if ($QueryString =~ /urlfilterex=([^&]+)/i) { $FilterEx{'url'}=&DecodeEncodedString("$1"); } #
+- if ($QueryString =~ /refererpagesfilter=([^&]+)/i) { $FilterIn{'refererpages'}=&DecodeEncodedString("$1"); } # Filter on referer list can also be defined with refererpagesfilter=filter
+- if ($QueryString =~ /refererpagesfilterex=([^&]+)/i) { $FilterEx{'refererpages'}=&DecodeEncodedString("$1"); } #
++ if ($QueryString =~ /config=([^&]+)/i) { $SiteConfig=&Sanitize("$1"); }
++ if ($QueryString =~ /diricons=([^&]+)/i) { $DirIcons="$1"; }
++ if ($QueryString =~ /pluginmode=([^&]+)/i) { $PluginMode=&Sanitize("$1",1); }
++ if ($QueryString =~ /configdir=([^&]+)/i) { $DirConfig=&Sanitize("$1"); }
++ # All filters
++ if ($QueryString =~ /hostfilter=([^&]+)/i) { $FilterIn{'host'}="$1"; } # Filter on host list can also be defined with hostfilter=filter
++ if ($QueryString =~ /hostfilterex=([^&]+)/i) { $FilterEx{'host'}="$1"; } #
++ if ($QueryString =~ /urlfilter=([^&]+)/i) { $FilterIn{'url'}="$1"; } # Filter on URL list can also be defined with urlfilter=filter
++ if ($QueryString =~ /urlfilterex=([^&]+)/i) { $FilterEx{'url'}="$1"; } #
++ if ($QueryString =~ /refererpagesfilter=([^&]+)/i) { $FilterIn{'refererpages'}="$1"; } # Filter on referer list can also be defined with refererpagesfilter=filter
++ if ($QueryString =~ /refererpagesfilterex=([^&]+)/i) { $FilterEx{'refererpages'}="$1"; } #
+ # All output
+- if ($QueryString =~ /output=allhosts:([^&]+)/i) { $FilterIn{'host'}=&DecodeEncodedString("$1"); } # Filter on host list can be defined with output=allhosts:filter to reduce number of lines read and showed
+- if ($QueryString =~ /output=lasthosts:([^&]+)/i) { $FilterIn{'host'}=&DecodeEncodedString("$1"); } # Filter on host list can be defined with output=lasthosts:filter to reduce number of lines read and showed
+- if ($QueryString =~ /output=urldetail:([^&]+)/i) { $FilterIn{'url'}=&DecodeEncodedString("$1"); } # Filter on URL list can be defined with output=urldetail:filter to reduce number of lines read and showed
+- if ($QueryString =~ /output=refererpages:([^&]+)/i) { $FilterIn{'refererpages'}=&DecodeEncodedString("$1"); } # Filter on referer list can be defined with output=refererpages:filter to reduce number of lines read and showed
++ if ($QueryString =~ /output=allhosts:([^&]+)/i) { $FilterIn{'host'}="$1"; } # Filter on host list can be defined with output=allhosts:filter to reduce number of lines read and showed
++ if ($QueryString =~ /output=lasthosts:([^&]+)/i) { $FilterIn{'host'}="$1"; } # Filter on host list can be defined with output=lasthosts:filter to reduce number of lines read and showed
++ if ($QueryString =~ /output=urldetail:([^&]+)/i) { $FilterIn{'url'}="$1"; } # Filter on URL list can be defined with output=urldetail:filter to reduce number of lines read and showed
++ if ($QueryString =~ /output=refererpages:([^&]+)/i) { $FilterIn{'refererpages'}="$1"; } # Filter on referer list can be defined with output=refererpages:filter to reduce number of lines read and showed
+
+ # If migrate
+ if ($QueryString =~ /(^|-|&|&amp;)migrate=([^&]+)/i) {
+- $MigrateStats=&DecodeEncodedString("$2");
++ $MigrateStats=&Sanitize("$2");
+ $MigrateStats =~ /^(.*)$PROG(\d{0,2})(\d\d)(\d\d\d\d)(.*)\.txt$/;
+ $SiteConfig=$5?$5:'xxx'; $SiteConfig =~ s/^\.//; # SiteConfig is used to find config file
+ }
+@@ -5625,8 +5637,6 @@
+ if ($QueryString =~ /(^|&|&amp;)databasebreak=(\w+)/i) { $DatabaseBreak=$2; }
+ if ($QueryString =~ /(^|&|&amp;)updatefor=(\d+)/i) { $UpdateFor=$2; }
+ if ($QueryString =~ /(^|&|&amp;)noloadplugin=([^&]+)/i) { foreach (split(/,/,$2)) { $NoLoadPlugin{&Sanitize("$_",1)}=1; } }
+-#Removed for security reasons
+-#if ($QueryString =~ /(^|&|&amp;)loadplugin=([^&]+)/i) { foreach (split(/,/,$2)) { $NoLoadPlugin{&Sanitize("$_",1)}=-1; } }
+ if ($QueryString =~ /(^|&|&amp;)limitflush=(\d+)/i) { $LIMITFLUSH=$2; }
+ # Get/Define output
+ if ($QueryString =~ /(^|&|&amp;)output(=[^&]*|)(.*)(&|&amp;)output(=[^&]*|)(&|$)/i) { error("Only 1 output option is allowed","","",1); }
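Review bot: The substitution added to CleanFromCSSA, `$stringtoclean =~ s/|//g;`, does not strip pipe characters: an unescaped `|` in a pattern is an alternation of two empty branches, so the regex matches the empty string and the statement is a no-op, and the value reaches the later parameter assignments unchanged. The metacharacter must be escaped, `$stringtoclean =~ s/\|//g;` (or `$stringtoclean =~ tr/|//d;`), and a test that passes a string containing a pipe through CleanFromCSSA would have caught this. Separately, decoding the whole query string up front in `CleanFromCSSA(&DecodeEncodedString($QueryString))` runs after the `s/&/&amp;/g` line, so a percent-encoded `&` inside one value appears to become a parameter separator for the `([^&]+)` captures below, which may change how those assignments split compared to the per-parameter decoding they replace; worth confirming against the upstream fix. The enclosing subs of both the CleanFromCSSA and the query-string hunks start and end outside the hunk.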