[Webmin-maintainers] Bug#312565: webmin-snort: conf_rules.cgi does not understand VARs (like $RULE_PATH)

Paddy Smith Paddy Smith <paddy@panici.net>, 312565@bugs.debian.org
Wed, 08 Jun 2005 20:04:51 +0000 

This is a multi-part MIME message sent by reportbug.

--===============0745683888==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Package: webmin-snort
Version: 1.1-3
Severity: important
Tags: patch


The attached patch is intended to fix:

#286777 conf_rules.cgi: Rule file cannot be found (/etc/snort/$RULE_PATH/scan.rules).
#296481 Rule file cannot be found when viewing

It doesn't try to notice if its passed in a non-existent $VAR, but just
blithely replaces it with the empty string.  We're past access control at 
this point.

it's against webmin-snort_1.1-3

Here's the patch inline:

--- conf_rules.cgi.dist 2005-06-08 19:47:58.369061511 +0000
+++ conf_rules.cgi      2005-06-08 19:45:03.136592356 +0000
@@ -37,7 +37,10 @@

 # Some basic error checking
 &snort_error($text{'rule_norule'}) if !$in{'rule'};
-$rulefile = $config{'snort_rules_path'} . "/" . $in{'rule'} . ".rules";
+$rulefile = $in{'rule'};
+$conf = &get_config("var") if $rulefile =~ /\$/;
+$rulefile =~ s/\$(\w+)/$$conf{$1}->{'value'}/ while $rulefile =~ /\$/;
+$rulefile .= ".rules";
 &snort_error($text{'rule_nofile'}, " ($rulefile)") if (! -r $rulefile);

 # Grab the rule file and parse it into arrays

Regards,
Paddy

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-k7
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages webmin-snort depends on:
hi  perl                          5.8.4-8    Larry Wall's Practical Extraction 
hi  snort                         2.3.2-3    Flexible Network Intrusion Detecti
hi  webmin                        1.180-3    web-based administration toolkit

-- no debconf information

--===============0745683888==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="conf_rules.cgi.patch"

--- conf_rules.cgi.dist	2005-06-08 19:47:58.369061511 +0000
+++ conf_rules.cgi	2005-06-08 19:45:03.136592356 +0000
@@ -37,7 +37,10 @@
 
 # Some basic error checking
 &snort_error($text{'rule_norule'}) if !$in{'rule'};
-$rulefile = $config{'snort_rules_path'} . "/" . $in{'rule'} . ".rules";
+$rulefile = $in{'rule'};
+$conf = &get_config("var") if $rulefile =~ /\$/;
+$rulefile =~ s/\$(\w+)/$$conf{$1}->{'value'}/ while $rulefile =~ /\$/ ;
+$rulefile .= ".rules";
 &snort_error($text{'rule_nofile'}, " ($rulefile)") if (! -r $rulefile);
 
 # Grab the rule file and parse it into arrays

--===============0745683888==--