[Pkg-awstats-commits] [SCM] awstats Debian packaging branch, master, updated. debian/6.9.5_dfsg-5-10-gbabebf9

Sergey B Kirpichev skirpichev at gmail.com
Thu Mar 3 08:41:33 UTC 2011


The following commit has been merged in the master branch:
commit babebf999099b1108c28e3191139807010735bd0
Author: Sergey B Kirpichev <skirpichev at gmail.com>
Date:   Thu Mar 3 03:06:40 2011 +0300

    Deleted old patches

diff --git a/debian/patches/0006_more_xss.patch b/debian/patches/0006_more_xss.patch
deleted file mode 100644
index 9aedbb8..0000000
--- a/debian/patches/0006_more_xss.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-Description: CVS fix for upstream XSS bug.
-Author: Florian Weimer <fw at deneb.enyo.de>
-Bug-Debian: http://bugs.debian.org/495432
-
---- a/wwwroot/cgi-bin/awstats.pl
-+++ b/wwwroot/cgi-bin/awstats.pl
-@@ -7694,6 +7694,7 @@
- sub DecodeEncodedString {
- 	my $stringtodecode = shift;
- 	$stringtodecode =~ tr/\+/ /s;
-+	$stringtodecode =~ s/%22//g;
- 	$stringtodecode =~ s/%([A-F0-9][A-F0-9])/pack("C", hex($1))/ieg;
- 	$stringtodecode =~ s/["']//g;
- 
diff --git a/debian/patches/0008_nested_includes.patch b/debian/patches/0008_nested_includes.patch
deleted file mode 100644
index 274c72b..0000000
--- a/debian/patches/0008_nested_includes.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Description: Prevent nested includes from being prematurely closed.
-Author: Ken Neighbors <debian3 at ken.nsds.com>
-Bug-Debian: http://bugs.debian.org/575545
-
---- a/tools/awstats_buildstaticpages.pl
-+++ b/tools/awstats_buildstaticpages.pl
-@@ -197,6 +197,7 @@
- 				warning("Warning: Perl versions before 5.6 cannot handle nested includes");
- 				next;
- 			}
-+		    local( *CONFIG_INCLUDE );
- 		    if ( open( CONFIG_INCLUDE, $includeFile ) ) {
- 				&Parse_Config( *CONFIG_INCLUDE , $level+1, $includeFile);
- 				close( CONFIG_INCLUDE );
---- a/wwwroot/cgi-bin/awstats.pl
-+++ b/wwwroot/cgi-bin/awstats.pl
-@@ -1852,6 +1852,7 @@
- 				);
- 				next;
- 			}
-+			local( *CONFIG_INCLUDE );
- 			if ( open( CONFIG_INCLUDE, $includeFile ) ) {
- 				&Parse_Config( *CONFIG_INCLUDE, $level + 1, $includeFile );
- 				close(CONFIG_INCLUDE);
diff --git a/debian/patches/0009_CVE-2010-4369.patch b/debian/patches/0009_CVE-2010-4369.patch
deleted file mode 100644
index ad20852..0000000
--- a/debian/patches/0009_CVE-2010-4369.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-Description: Fix directory traversal vulnerability (CVE-2010-4369) via
- crafted LoadPlugin directory.
-Origin: http://awstats.cvs.sourceforge.net/viewvc/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.966&r2=1.967
-Bug: http://sourceforge.net/tracker/index.php?func=detail&aid=2537928&group_id=13764&atid=113764
-Bug-Debian: http://bugs.debian.org/606263
-
---- a/wwwroot/cgi-bin/awstats.pl
-+++ b/wwwroot/cgi-bin/awstats.pl
-@@ -3058,8 +3058,8 @@
- 		  "";    # If split has only on part, pluginparam is not initialized
- 		$pluginfile =~ s/\.pm$//i;
- 		$pluginfile =~ /([^\/\\]+)$/;
--		my $pluginname = $1;    # pluginname is pluginfile without any path
--		                        # Check if plugin is not disabled
-+		$pluginfile = Sanitize($1);     # pluginfile is cleaned from any path for security reasons and from .pm
-+		my $pluginname = $pluginfile;
- 		if ( $NoLoadPlugin{$pluginname} && $NoLoadPlugin{$pluginname} > 0 ) {
- 			if ($Debug) {
- 				debug(
-@@ -7724,10 +7724,10 @@
- 	my $stringtoclean = shift;
- 	my $full = shift || 0;
- 	if ($full) {
--		$stringtoclean =~ s/[^\w]//g;
-+		$stringtoclean =~ s/[^\w\d]//g;
- 	}
- 	else {
--		$stringtoclean =~ s/[^\w\-\\\/\.:\s]//g;
-+		$stringtoclean =~ s/[^\w\d\-\\\/\.:\s]//g;
- 	}
- 	return $stringtoclean;
- }
diff --git a/debian/patches/1002_disable_configdir.patch b/debian/patches/1002_disable_configdir.patch
deleted file mode 100644
index 2a777b9..0000000
--- a/debian/patches/1002_disable_configdir.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-Description: Require AWSTATS_ENABLE_CONFIG_DIR environmental variable
- in order to enable configdir.  Sanitize configdir to disable usage of
- external path in cgi mode (CVE-2010-4368, CVE-2010-4367).
-Author: Charles Fry <debian at frogcircus.org>
-Origin: upstream, http://awstats.cvs.sourceforge.net/viewvc/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.958&r2=1.959
-Origin: upstream, http://awstats.cvs.sourceforge.net/viewvc/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.961&r2=1.962
-Bug-Debian: http://bugs.debian.org/365910
-Bug-Debian: http://bugs.debian.org/606263
-
---- a/wwwroot/cgi-bin/awstats.pl
-+++ b/wwwroot/cgi-bin/awstats.pl
-@@ -1716,27 +1716,28 @@
- 	# Other possible directories :				"/usr/local/etc/awstats", "/etc"
- 	# FHS standard, Suse package : 				"/etc/opt/awstats"
- 	my $configdir         = shift;
--	my @PossibleConfigDir = ();
-+	my @PossibleConfigDir = (
-+			"$DIR",
-+			"/etc/awstats",
-+			"/usr/local/etc/awstats", "/etc",
-+			"/etc/opt/awstats"
-+		);
- 
- 	if ($configdir) {
-+		# Check if configdir is outside default values.
-+		my $outsidedefaultvalue=1;
-+		foreach (@PossibleConfigDir) {
-+			if ($_ eq $configdir) { $outsidedefaultvalue=0; last; }
-+		}
- 
--# If from CGI, overwriting of configdir is only possible if AWSTATS_ENABLE_CONFIG_DIR defined
--#if ($ENV{'GATEWAY_INTERFACE'} && ! $ENV{"AWSTATS_ENABLE_CONFIG_DIR"})
--#{
--#	error("Sorry, to allow overwriting of configdir parameter from an AWStats CGI usage, environment variable AWSTATS_ENABLE_CONFIG_DIR must be set to 1");
--#}
--#else
--#{
--		@PossibleConfigDir = ("$configdir");
-+		# If from CGI, overwriting of configdir with a value that differs from a default value
-+		# is only possible if AWSTATS_ENABLE_CONFIG_DIR defined
-+		if ($ENV{'GATEWAY_INTERFACE'} && $outsidedefaultvalue && ! $ENV{"AWSTATS_ENABLE_CONFIG_DIR"})
-+		{
-+			error("Sorry, to allow overwriting of configdir parameter, from an AWStats CGI page, with a non default value, environment variable AWSTATS_ENABLE_CONFIG_DIR must be set to 1. For example, by adding the line 'SetEnv AWSTATS_ENABLE_CONFIG_DIR 1' in your Apache config file or into a .htaccess file.");
-+		}
- 
--		#}
--	}
--	else {
--		@PossibleConfigDir = (
--			"$DIR",                   "/etc/awstats",
--			"/usr/local/etc/awstats", "/etc",
--			"/etc/opt/awstats"
--		);
-+		@PossibleConfigDir = ("$configdir");
- 	}
- 
- 	# Open config file
-@@ -9545,6 +9546,8 @@
- 	}
- 	if ( $QueryString =~ /configdir=([^&]+)/i ) {
- 		$DirConfig = &Sanitize("$1");
-+		$DirConfig =~ s/\\{2,}/\\/g;	# This is to clean Remote URL
-+		$DirConfig =~ s/\/{2,}/\//g;	# This is to clean Remote URL
- 	}
- 
- 	# All filters
-@@ -9630,6 +9633,8 @@
- 	}
- 	if ( $QueryString =~ /configdir=([^&]+)/i ) {
- 		$DirConfig = &Sanitize("$1");
-+		$DirConfig =~ s/\\{2,}/\\/g;	# This is to clean Remote URL
-+		$DirConfig =~ s/\/{2,}/\//g;	# This is to clean Remote URL
- 	}
- 
- 	# All filters
diff --git a/debian/patches/1015_ignore_case_for_rtsp.patch b/debian/patches/1015_ignore_case_for_rtsp.patch
deleted file mode 100644
index 9d3f70d..0000000
--- a/debian/patches/1015_ignore_case_for_rtsp.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-Description: Recognize method/protocol RTSP in uppercase
-Author: Lee Maguire <lee-debian at hexkey.co.uk>
-Bug-Debian: http://bugs.debian.org/350601
-
---- a/wwwroot/cgi-bin/awstats.pl
-+++ b/wwwroot/cgi-bin/awstats.pl
-@@ -10879,7 +10879,7 @@
- 			( $LogType eq 'W' || $LogType eq 'S' )
- 			&& (   $field[$pos_method] eq 'GET'
- 				|| $field[$pos_method] eq 'mms'
--				|| $field[$pos_method] eq 'rtsp'
-+				|| lc($field[$pos_method]) eq 'rtsp'
- 				|| $field[$pos_method] eq 'http'
- 				|| $field[$pos_method] eq 'RTP' )
- 		  )
diff --git a/debian/patches/1016_report_permissions_problem_for_configs.patch b/debian/patches/1016_report_permissions_problem_for_configs.patch
deleted file mode 100644
index 87e740e..0000000
--- a/debian/patches/1016_report_permissions_problem_for_configs.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Description: Report permissions problem while reading awstats.custom.conf
-Author: Ken Neighbors <KenNeighbors at gmail.com>
-Bug-Debian: http://bugs.debian.org/572353
-
---- a/wwwroot/cgi-bin/awstats.pl
-+++ b/wwwroot/cgi-bin/awstats.pl
-@@ -1750,11 +1750,17 @@
- 			$FileSuffix = ".$SiteConfig";
- 			last;
- 		}
-+		elsif ( -e "$searchdir$PROG.$SiteConfig.conf" ) {
-+			error("Couldn't open config file \"$searchdir$PROG.$SiteConfig.conf\": $!" );
-+		}
- 		if ( open( CONFIG, "$searchdir$PROG.conf" ) ) {
- 			$FileConfig = "$searchdir$PROG.conf";
- 			$FileSuffix = '';
- 			last;
- 		}
-+		elsif ( -e "$searchdir$PROG.conf" ) {
-+			error("Couldn't open config file \"$searchdir$PROG.conf\": $!" );
-+		}
- 	}
- 	if ( !$FileConfig ) {
- 		error(
diff --git a/debian/patches/series b/debian/patches/series
index af98cf0..283aff2 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,8 +1,4 @@
-#0006_more_xss.patch
 0007_russian_lang.patch
-#0008_nested_includes.patch
-#0009_CVE-2010-4369.patch
-#1002_disable_configdir.patch
 1003_redirect_to_STDERR.patch
 1004_perl_version.patch
 1008_extrasections_with_top.patch
@@ -11,6 +7,4 @@
 1012_ipv6_strip_trailing_dot.patch
 1013_yahoo_search.patch
 1014_websec_robot.patch
-#1015_ignore_case_for_rtsp.patch
-#1016_report_permissions_problem_for_configs.patch
 2001_awstatsprog_path.patch

-- 
awstats Debian packaging


