pkgsrc-Changes-HG archive


[pkgsrc/pkgsrc-2008Q2]: pkgsrc/www/awstats Pullup ticket #2504 - requested by...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/ee28902e21dc
branches:  pkgsrc-2008Q2
changeset: 544278:ee28902e21dc
user:      tron <tron%pkgsrc.org@localhost>
date:      Thu Aug 21 11:17:03 2008 +0000

description:
Pullup ticket #2504 - requested by minskim
awstats: security fix

Revisions pulled up:
- www/awstats/Makefile          1.38
- www/awstats/distinfo          1.21
- www/awstats/patches/patch-ac  1.1
---
Module Name:    pkgsrc
Committed By:   minskim
Date:           Wed Aug 20 21:20:33 UTC 2008

Modified Files:
         pkgsrc/www/awstats: Makefile distinfo
Added Files:
         pkgsrc/www/awstats/patches: patch-ac

Log Message:
Fix XSS (http://secunia.com/advisories/31519/).  Bump PKGREVISION.

diffstat:

 www/awstats/Makefile         |   3 ++-
 www/awstats/distinfo         |   3 ++-
 www/awstats/patches/patch-ac |  27 +++++++++++++++++++++++++++
 3 files changed, 31 insertions(+), 2 deletions(-)

diffs (56 lines):

diff -r 8efddf9a4b0a -r ee28902e21dc www/awstats/Makefile
--- a/www/awstats/Makefile      Wed Aug 20 10:07:24 2008 +0000
+++ b/www/awstats/Makefile      Thu Aug 21 11:17:03 2008 +0000
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.37 2008/06/20 01:09:40 joerg Exp $
+# $NetBSD: Makefile,v 1.37.4.1 2008/08/21 11:17:03 tron Exp $
 
 DISTNAME=      awstats-6.7
+PKGREVISION=   1
 CATEGORIES=    www
 MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE:=awstats/}
 
diff -r 8efddf9a4b0a -r ee28902e21dc www/awstats/distinfo
--- a/www/awstats/distinfo      Wed Aug 20 10:07:24 2008 +0000
+++ b/www/awstats/distinfo      Thu Aug 21 11:17:03 2008 +0000
@@ -1,7 +1,8 @@
-$NetBSD: distinfo,v 1.20 2008/04/07 07:21:00 adam Exp $
+$NetBSD: distinfo,v 1.20.4.1 2008/08/21 11:17:03 tron Exp $
 
 SHA1 (awstats-6.7.tar.gz) = 7dab4208441bce494bf1b3937242794a2328ace1
 RMD160 (awstats-6.7.tar.gz) = 5a84327871b65cad5cb6dbaded5c223660806953
 Size (awstats-6.7.tar.gz) = 1089638 bytes
 SHA1 (patch-aa) = 78b3a3100d687f07e0bed7b677abc52b767b8598
 SHA1 (patch-ab) = df8961949160d172ab40569a414b52eb4a8b1f06
+SHA1 (patch-ac) = 2c4f26e5cdd3550f20450c3484bc1d91000bdd63
diff -r 8efddf9a4b0a -r ee28902e21dc www/awstats/patches/patch-ac
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/www/awstats/patches/patch-ac      Thu Aug 21 11:17:03 2008 +0000
@@ -0,0 +1,27 @@
+$NetBSD: patch-ac,v 1.1.2.2 2008/08/21 11:17:03 tron Exp $
+
+XSS (http://secunia.com/advisories/31519/) fix. Not needed in 6.9.
+
+--- wwwroot/cgi-bin/awstats.pl.orig    2008-08-20 14:17:04.000000000 -0700
++++ wwwroot/cgi-bin/awstats.pl
+@@ -4380,6 +4380,7 @@ sub EncodeString {
+ sub DecodeEncodedString {
+       my $stringtodecode=shift;
+       $stringtodecode =~ tr/\+/ /s;
++      $stringtodecode =~ s/%22//g;
+       $stringtodecode =~ s/%([A-F0-9][A-F0-9])/pack("C", hex($1))/ieg;
+       return $stringtodecode;
+ }
+@@ -4432,9 +4433,12 @@ sub Sanitize {
+ #------------------------------------------------------------------------------
+ sub CleanXSS {
+       my $stringtoclean=shift;
++      # To avoid html tags and javascript
+       $stringtoclean =~ s/</&lt;/g;
+       $stringtoclean =~ s/>/&gt;/g;
+       $stringtoclean =~ s/|//g;
++      # To avoid onload="
++      $stringtoclean =~ s/onload//g;
+       return $stringtoclean;
+ }
+ 
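
Review bot: In CleanXSS, the added `s/onload//g` is case-sensitive and names a single event handler, so the `onload="` case in its comment is covered only for that exact lowercase spelling. Escaping the double quote as an entity (for example `s/"/&quot;/g`), in the same way the function already escapes `<` and `>`, would handle the attribute context without a keyword list. The added `s/%22//g` in DecodeEncodedString has a similar gap: it drops only the percent-encoded double quote before decoding, so a literal `"` in the input and the encoded single quote (`%27`) still reach the decoded string. Separately, the unchanged context line `s/|//g` uses an unescaped `|`, which Perl reads as an empty alternation that matches the empty string and removes nothing. If the intent is to strip pipe characters it should be `s/\|//g`.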


