Pullup ticket #4646 - requested by bsiegert devel/tcllib: security update Revisions pulled up: - devel/tcllib/Makefile 1.14 - devel/tcllib/distinfo 1.6 - devel/tcllib/patches/patch-modules_html_html.tcl 1.1 --- Module Name: pkgsrc Committed By: bsiegert Date: Sat Mar 21 17:14:04 UTC 2015 Modified Files: pkgsrc/devel/tcllib: Makefile distinfo Added Files: pkgsrc/devel/tcllib/patches: patch-modules_html_html.tcl Log Message: SECURITY: Apply patch for XSS in html::textarea as of http://core.tcl.tk/tcllib/info/09110adc43. Bump PKGREVISION.
diff -r1.13 -r1.13.8.1 pkgsrc/devel/tcllib/Makefile
(hiramatsu)
@@ -1,16 +1,17 @@ | @@ -1,16 +1,17 @@ | |||
1 | # $NetBSD: Makefile,v 1.13 2014/02/02 19:06:30 wiz Exp $ | 1 | # $NetBSD: Makefile,v 1.13.8.1 2015/04/01 03:31:54 hiramatsu Exp $ | |
2 | 2 | |||
3 | DISTNAME= tcllib-1.15 | 3 | DISTNAME= tcllib-1.15 | |
4 | PKGREVISION= 1 | |||
4 | CATEGORIES= devel | 5 | CATEGORIES= devel | |
5 | MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=tcllib/} | 6 | MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=tcllib/} | |
6 | EXTRACT_SUFX= .tar.bz2 | 7 | EXTRACT_SUFX= .tar.bz2 | |
7 | 8 | |||
8 | MAINTAINER= pkgsrc-users@NetBSD.org | 9 | MAINTAINER= pkgsrc-users@NetBSD.org | |
9 | HOMEPAGE= http://tcllib.sourceforge.net/ | 10 | HOMEPAGE= http://tcllib.sourceforge.net/ | |
10 | COMMENT= Collection of utility modules for Tcl | 11 | COMMENT= Collection of utility modules for Tcl | |
11 | 12 | |||
12 | GNU_CONFIGURE= yes | 13 | GNU_CONFIGURE= yes | |
13 | NO_BUILD= yes | 14 | NO_BUILD= yes | |
14 | 15 | |||
15 | CONFIGURE_ENV+= ac_cv_path_tclsh=${TCLSH:Q} | 16 | CONFIGURE_ENV+= ac_cv_path_tclsh=${TCLSH:Q} | |
16 | 17 |
@@ -1,5 +1,6 @@ | @@ -1,5 +1,6 @@ | |||
1 | $NetBSD: distinfo,v 1.5 2014/02/02 19:06:30 wiz Exp $ | 1 | $NetBSD: distinfo,v 1.5.8.1 2015/04/01 03:31:54 hiramatsu Exp $ | |
2 | 2 | |||
3 | SHA1 (tcllib-1.15.tar.bz2) = 7130ee20c0fe7fc720288886b9ecb449899e0d6d | 3 | SHA1 (tcllib-1.15.tar.bz2) = 7130ee20c0fe7fc720288886b9ecb449899e0d6d | |
4 | RMD160 (tcllib-1.15.tar.bz2) = dcc5b8d180da1fc3ebc9d620a18c5cd063f33d32 | 4 | RMD160 (tcllib-1.15.tar.bz2) = dcc5b8d180da1fc3ebc9d620a18c5cd063f33d32 | |
5 | Size (tcllib-1.15.tar.bz2) = 5030648 bytes | 5 | Size (tcllib-1.15.tar.bz2) = 5030648 bytes | |
6 | SHA1 (patch-modules_html_html.tcl) = dcd6b9c809990e429bb65084aee3a500af05e40d |
$NetBSD: patch-modules_html_html.tcl,v 1.1.2.2 2015/04/01 03:31:54 hiramatsu Exp $
html - Fixed XSS vulnerability of "textarea" command. Now properly quoting the input value.
http://core.tcl.tk/tcllib/info/09110adc43
--- modules/html/html.tcl.orig 2015-03-21 17:08:44.000000000 +0000
+++ modules/html/html.tcl
@@ -912,7 +912,7 @@ proc ::html::selectPlain {name param cho
# The html fragment
proc ::html::textarea {name {param {}} {current {}}} {
- ::set value [ncgi::value $name $current]
+ ::set value [quoteFormValue [ncgi::value $name $current]]
return "<[string trimright \
"textarea name=\"$name\"\
[tagParam textarea $param]"]>$value</textarea>\n"
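Review bot: `$name` is still interpolated unescaped into the `name=\"$name\"` attribute two lines below the changed line, so the fix covers the element body but not the attribute. If any caller derives the field name from request data, a double quote in it would end the attribute early. Consider writing `[quoteFormValue $name]` in that attribute (assuming quoteFormValue also escapes double quotes — confirm), while keeping the raw `$name` for the `ncgi::value` lookup. Otherwise, add a comment above the proc stating that `name` must be a trusted literal. Whether `tagParam` escapes the values in `$param` cannot be seen from this hunk and is worth checking; the proc's header comment and closing brace lie outside it.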