[Webmin-maintainers] Bug#312565: webmin-snort: conf_rules.cgi does not understand VARs (like $RULE_PATH)
Paddy Smith
Paddy Smith <paddy@panici.net>, 312565@bugs.debian.org
Wed, 08 Jun 2005 20:04:51 +0000
Package: webmin-snort
Version: 1.1-3
Severity: important
Tags: patch
The attached patch is intended to fix:
#286777 conf_rules.cgi: Rule file cannot be found (/etc/snort/$RULE_PATH/scan.rules).
#296481 Rule file cannot be found when viewing
It doesn't try to notice if it's passed in a non-existent $VAR, but just
blithely replaces it with the empty string. We're past access control at
this point.
It's against webmin-snort_1.1-3.
Here's the patch inline:
--- conf_rules.cgi.dist 2005-06-08 19:47:58.369061511 +0000
+++ conf_rules.cgi 2005-06-08 19:45:03.136592356 +0000
@@ -37,7 +37,10 @@
# Some basic error checking
&snort_error($text{'rule_norule'}) if !$in{'rule'};
-$rulefile = $config{'snort_rules_path'} . "/" . $in{'rule'} . ".rules";
+$rulefile = $in{'rule'};
+$conf = &get_config("var") if $rulefile =~ /\$/;
+$rulefile =~ s/\$(\w+)/$$conf{$1}->{'value'}/ while $rulefile =~ /\$/;
+$rulefile .= ".rules";
&snort_error($text{'rule_nofile'}, " ($rulefile)") if (! -r $rulefile);
# Grab the rule file and parse it into arrays
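Review bot: the `while $rulefile =~ /\$/` modifier on the substitution line can loop forever, because when a `$` in `$in{'rule'}` is not followed by a word character `s/\$(\w+)/.../` does not match, the `$` stays in the string and the condition remains true; the same happens if an expanded value reintroduces a `$`. Loop on the substitution's own return value instead and cap the number of passes. Separately, `$rulefile = $in{'rule'};` drops the `$config{'snort_rules_path'}` prefix, so the request parameter now chooses the whole path with only ".rules" appended, and an unknown variable expands to the empty string, which turns `$RULE_PATH/scan` into `/scan.rules`. I would call &snort_error when a variable is not defined and, after expansion, check that the resulting path lies under the configured rules directory before the `-r` test.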
Regards,
Paddy
-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-k7
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages webmin-snort depends on:
hi perl 5.8.4-8 Larry Wall's Practical Extraction
hi snort 2.3.2-3 Flexible Network Intrusion Detecti
hi webmin 1.180-3 web-based administration toolkit
-- no debconf information