Wed Aug 20 21:20:33 2008 UTC ()
Fix XSS (http://secunia.com/advisories/31519/).  Bump PKGREVISION.


(minskim)
diff -r1.37 -r1.38 pkgsrc/www/awstats/Makefile
diff -r1.20 -r1.21 pkgsrc/www/awstats/distinfo
diff -r0 -r1.1 pkgsrc/www/awstats/patches/patch-ac


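--- a/pkgsrc/www/awstats/Makefile
+++ b/pkgsrc/www/awstats/Makefile
@@ -1,16 +1,17 @@
-# $NetBSD: Makefile,v 1.37 2008/06/20 01:09:40 joerg Exp $
+# $NetBSD: Makefile,v 1.38 2008/08/20 21:20:33 minskim Exp $
 
 DISTNAME= awstats-6.7
+PKGREVISION= 1
 CATEGORIES= www
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=awstats/}
 
 MAINTAINER= minskim@NetBSD.org
 HOMEPAGE= http://awstats.sourceforge.net/
 COMMENT= Free real-time logfile analyzer to get advanced web statistics
 
 PKG_DESTDIR_SUPPORT= user-destdir
 
 NO_BUILD= yes
 
 USE_TOOLS+= perl:run pax
 REPLACE_PERL+= tools/*.pl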


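--- a/pkgsrc/www/awstats/distinfo
+++ b/pkgsrc/www/awstats/distinfo
@@ -1,7 +1,8 @@
-$NetBSD: distinfo,v 1.20 2008/04/07 07:21:00 adam Exp $
+$NetBSD: distinfo,v 1.21 2008/08/20 21:20:33 minskim Exp $
 
 SHA1 (awstats-6.7.tar.gz) = 7dab4208441bce494bf1b3937242794a2328ace1
 RMD160 (awstats-6.7.tar.gz) = 5a84327871b65cad5cb6dbaded5c223660806953
 Size (awstats-6.7.tar.gz) = 1089638 bytes
 SHA1 (patch-aa) = 78b3a3100d687f07e0bed7b677abc52b767b8598
 SHA1 (patch-ab) = df8961949160d172ab40569a414b52eb4a8b1f06
+SHA1 (patch-ac) = 2c4f26e5cdd3550f20450c3484bc1d91000bdd63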

File Added: pkgsrc/www/awstats/patches/Attic/patch-ac
$NetBSD: patch-ac,v 1.1 2008/08/20 21:20:33 minskim Exp $

XSS (http://secunia.com/advisories/31519/) fix. Not needed in 6.9.

--- wwwroot/cgi-bin/awstats.pl.orig	2008-08-20 14:17:04.000000000 -0700
+++ wwwroot/cgi-bin/awstats.pl
@@ -4380,6 +4380,7 @@ sub EncodeString {
 sub DecodeEncodedString {
 	my $stringtodecode=shift;
 	$stringtodecode =~ tr/\+/ /s;
+	$stringtodecode =~ s/%22//g;
 	$stringtodecode =~ s/%([A-F0-9][A-F0-9])/pack("C", hex($1))/ieg;
 	return $stringtodecode;
 }
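Review bot: The added `s/%22//g` in DecodeEncodedString handles the quote problem at the decoding layer by deleting data rather than encoding it at output, so any legitimate parameter that carries an encoded double quote is silently altered, while a `"` that is already present unencoded in the string is not touched by this line. The durable place for the fix is the output filter: CleanXSS in the second hunk could add `$stringtoclean =~ s/"/&quot;/g;` beside the existing `&lt;`/`&gt;` replacements, and the same strip-only pattern recurs there with `s/onload//g`, which removes a single attribute name instead of encoding the quote character that delimits attributes. If the removal is kept, the new line should record why it exists, e.g. `# Drop encoded double quotes (XSS fix, secunia advisory 31519)`, since nothing in the decoder otherwise explains why one escape sequence is treated specially. The enclosing sub DecodeEncodedString is fully visible in this hunk.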
@@ -4432,9 +4433,12 @@ sub Sanitize {
 #------------------------------------------------------------------------------
 sub CleanXSS {
 	my $stringtoclean=shift;
+	# To avoid html tags and javascript
 	$stringtoclean =~ s/</&lt;/g;
 	$stringtoclean =~ s/>/&gt;/g;
 	$stringtoclean =~ s/|//g;
+	# To avoid onload="
+	$stringtoclean =~ s/onload//g;
 	return $stringtoclean;
 }