[Pkg-ocaml-maint-commits] [SCM] mldonkey packaging branch, master, updated. debian/2.9.5-2-60-g2f66d67

Samuel Mimram samuel.mimram at ens-lyon.org
Tue Feb 24 08:59:04 UTC 2009 

The following commit has been merged in the master branch:
commit 2f66d676a749d82497fd117c1d1496e59bc2f5cb
Author: Samuel Mimram <samuel.mimram at ens-lyon.org>
Date:   Tue Feb 24 09:58:57 2009 +0100

    Added url_slashes.dpatch to correct a vulnerability.

diff --git a/debian/changelog b/debian/changelog
index 89cf36e..615cabd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -14,6 +14,8 @@ mldonkey (2.9.7-1) UNRELEASED; urgency=low
   * Pass --debconf-ok option to ucf, closes: #514449.
   * Mention default telnet port in README.Debian, closes: #508436.
   * Updated vietnamese debconf translation, closes: #513369.
+  * Added url_slashes.dpatch to correct a vulnerability when files contain
+    double slashes, closes: #516829.
 
   [ Mehdi Dogguy ]
   * Bump standards version to 3.8.0, no changes needed.
@@ -28,7 +30,7 @@ mldonkey (2.9.7-1) UNRELEASED; urgency=low
   * Simplify debian/rules
   * Create a manpage for mldonkey (link to mlnet's manpage)
 
- -- Samuel Mimram <smimram at debian.org>  Tue, 24 Feb 2009 09:51:28 +0100
+ -- Samuel Mimram <smimram at debian.org>  Tue, 24 Feb 2009 09:57:22 +0100
 
 mldonkey (2.9.5-2) unstable; urgency=low
 
diff --git a/debian/patches/00list b/debian/patches/00list
index e3142cf..eeb51fd 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -1 +1,2 @@
 01_see
+url_slashes
diff --git a/debian/patches/url_slashes.dpatch b/debian/patches/url_slashes.dpatch
new file mode 100755
index 0000000..40f4110
--- /dev/null
+++ b/debian/patches/url_slashes.dpatch
@@ -0,0 +1,31 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## url_slashes.dpatch by Samuel Mimram <smimram at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix double slash vulnerability.
+## DP: See: https://savannah.nongnu.org/bugs/?25667
+
+ at DPATCH@
+diff -urNad mldonkey~/src/utils/lib/url.ml mldonkey/src/utils/lib/url.ml
+--- mldonkey~/src/utils/lib/url.ml	2009-02-18 20:53:45.000000000 +0100
++++ mldonkey/src/utils/lib/url.ml	2009-02-24 09:56:17.000000000 +0100
+@@ -175,6 +175,19 @@
+   Buffer.contents res  
+   
+ let of_string ?(args=[]) s =
++  let remove_leading_slashes s =
++    let len = String.length s in
++    let left =
++      let rec aux i =
++        if i < len && s.[i] = '/' then aux (i+1) else i in
++      aux 0 in
++    if left = 0 then s
++    else
++      String.sub s left (len - left) in
++
++  (* redefine s to remove all leading slashes *)
++  let s = remove_leading_slashes s in
++
+   let s = put_args s args in
+   let url =
+     let get_two init_pos =

-- 
mldonkey packaging

More information about the Pkg-ocaml-maint-commits mailing list