[Pkg-awstats-commits] [SCM] awstats Debian packaging branch, lenny, updated. debian/6.7.dfsg-5.1-3-g2376c32

[Sergey B Kirpichev]

The following commit has been merged in the lenny branch:
commit 2376c32073e3d4ab1af9ec432d74025cc4250916
Author: Sergey B Kirpichev <skirpichev at gmail.com>
Date:   Thu Dec 16 19:01:26 2010 +0300

    Update patch 1002 to adopt CVE-2010-4368 and CVE-2010-4367 fixes in upstream

diff --git a/debian/patches/1002_disable_configdir.patch b/debian/patches/1002_disable_configdir.patch
index e4883e7..aaf525c 100644
--- a/debian/patches/1002_disable_configdir.patch
+++ b/debian/patches/1002_disable_configdir.patch
@@ -1,26 +1,79 @@
-Index: awstats-6.6/wwwroot/cgi-bin/awstats.pl
-===================================================================
---- awstats-6.6.orig/wwwroot/cgi-bin/awstats.pl	2007-01-13 12:35:06.000000000 -0500
-+++ awstats-6.6/wwwroot/cgi-bin/awstats.pl	2007-01-13 12:35:21.000000000 -0500
-@@ -1134,14 +1134,14 @@
+Description: Require AWSTATS_ENABLE_CONFIG_DIR environmental variable
+ in order to enable configdir.  Sanitize configdir to disable usage of
+ external path in cgi mode (CVE-2010-4368, CVE-2010-4367).
+Author: Charles Fry <debian at frogcircus.org>
+Origin: upstream, http://awstats.cvs.sourceforge.net/viewvc/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.958&r2=1.959
+Origin: upstream, http://awstats.cvs.sourceforge.net/viewvc/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.961&r2=1.962
+Bug-Debian: http://bugs.debian.org/365910
+Bug-Debian: http://bugs.debian.org/606263
+
+--- a/wwwroot/cgi-bin/awstats.pl
++++ b/wwwroot/cgi-bin/awstats.pl
+@@ -1139,21 +1139,30 @@
+ 	# Other possible directories :				"/usr/local/etc/awstats", "/etc"
+ 	# FHS standard, Suse package : 				"/etc/opt/awstats"
+ 	my $configdir=shift;
+-	my @PossibleConfigDir=();
++	my @PossibleConfigDir = (
++		"$DIR",
++		"/etc/awstats",
++		"/usr/local/etc/awstats", "/etc",
++		"/etc/opt/awstats"
++	);
+ 
  	if ($configdir)
  	{
- 		# If from CGI, overwriting of configdir is only possible if AWSTATS_ENABLE_CONFIG_DIR defined
+-		# If from CGI, overwriting of configdir is only possible if AWSTATS_ENABLE_CONFIG_DIR defined
 -		#if ($ENV{'GATEWAY_INTERFACE'} && ! $ENV{"AWSTATS_ENABLE_CONFIG_DIR"})
 -		#{
 -		#	error("Sorry, to allow overwriting of configdir parameter from an AWStats CGI usage, environment variable AWSTATS_ENABLE_CONFIG_DIR must be set to 1");
 -		#}
 -		#else
 -		#{
-+		if ($ENV{'GATEWAY_INTERFACE'} && ! $ENV{"AWSTATS_ENABLE_CONFIG_DIR"})
-+		{
-+			error("Sorry, to allow overwriting of configdir parameter from an AWStats CGI usage, environment variable AWSTATS_ENABLE_CONFIG_DIR must be set to 1");
+-			@PossibleConfigDir=("$configdir");
+-		#}
++		# Check if configdir is outside default values.
++		my $outsidedefaultvalue=1;
++		foreach (@PossibleConfigDir) {
++			if ($_ eq $configdir) { $outsidedefaultvalue=0; last; }
 +		}
-+		else
++
++		# If from CGI, overwriting of configdir with a value that differs from a default value
++		# is only possible if AWSTATS_ENABLE_CONFIG_DIR defined
++		if ($ENV{'GATEWAY_INTERFACE'} && $outsidedefaultvalue && ! $ENV{"AWSTATS_ENABLE_CONFIG_DIR"})
 +		{
- 			@PossibleConfigDir=("$configdir");
--		#}
++			error("Sorry, to allow overwriting of configdir parameter, from an AWStats CGI page, with a non default value, environment variable AWSTATS_ENABLE_CONFIG_DIR must be set to 1. For example, by adding the line 'SetEnv AWSTATS_ENABLE_CONFIG_DIR 1' in your Apache config file or into a .htaccess file.");
 +		}
++
++		@PossibleConfigDir=("$configdir");
  	}
- 	else { @PossibleConfigDir=("$DIR","/etc/awstats","/usr/local/etc/awstats","/etc","/etc/opt/awstats"); }
+-	else { @PossibleConfigDir=("$DIR","/etc/awstats","/usr/local/etc/awstats","/etc","/etc/opt/awstats"); }
  
+ 	# Open config file
+ 	$FileConfig=$FileSuffix='';
+@@ -5553,7 +5562,11 @@
+ 	if ($QueryString =~ /config=([^&]+)/i)				{ $SiteConfig=&Sanitize("$1"); }
+ 	if ($QueryString =~ /diricons=([^&]+)/i)			{ $DirIcons="$1"; }
+ 	if ($QueryString =~ /pluginmode=([^&]+)/i)			{ $PluginMode=&Sanitize("$1",1); }
+-	if ($QueryString =~ /configdir=([^&]+)/i)			{ $DirConfig=&Sanitize("$1"); }
++	if ($QueryString =~ /configdir=([^&]+)/i) {
++		$DirConfig=&Sanitize("$1");
++		$DirConfig =~ s/\\{2,}/\\/g;    # This is to clean Remote URL
++		$DirConfig =~ s/\/{2,}/\//g;    # This is to clean Remote URL
++	}
+ 	# All filters
+ 	if ($QueryString =~ /hostfilter=([^&]+)/i)			{ $FilterIn{'host'}="$1"; }				# Filter on host list can also be defined with hostfilter=filter
+ 	if ($QueryString =~ /hostfilterex=([^&]+)/i)		{ $FilterEx{'host'}="$1"; }				#
+@@ -5603,7 +5616,11 @@
+ 	if ($QueryString =~ /config=([^&]+)/i)				{ $SiteConfig=&Sanitize("$1"); }
+ 	if ($QueryString =~ /diricons=([^&]+)/i)			{ $DirIcons="$1"; }
+ 	if ($QueryString =~ /pluginmode=([^&]+)/i)			{ $PluginMode=&Sanitize("$1",1); }
+-	if ($QueryString =~ /configdir=([^&]+)/i)			{ $DirConfig=&Sanitize("$1"); }
++	if ($QueryString =~ /configdir=([^&]+)/i) {
++		$DirConfig=&Sanitize("$1");
++		$DirConfig =~ s/\\{2,}/\\/g;    # This is to clean Remote URL
++		$DirConfig =~ s/\/{2,}/\//g;    # This is to clean Remote URL
++	}
+ 	# All filters
+ 	if ($QueryString =~ /hostfilter=([^&]+)/i)			{ $FilterIn{'host'}="$1"; }			# Filter on host list can also be defined with hostfilter=filter
+ 	if ($QueryString =~ /hostfilterex=([^&]+)/i)		{ $FilterEx{'host'}="$1"; }			#

-- 
awstats Debian packaging