Hello community, here is the log from the commit of package namazu for openSUSE:12.1:Update:Test checked in at 2011-12-08 17:37:21 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.1:Update:Test/namazu (Old) and /work/SRC/openSUSE:12.1:Update:Test/.namazu.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "namazu", Maintainer is "[email protected]" Changes: -------- New Changes file: --- /dev/null 2010-08-26 16:28:41.000000000 +0200 +++ /work/SRC/openSUSE:12.1:Update:Test/.namazu.new/namazu.changes 2011-12-08 17:37:21.000000000 +0100 @@ -0,0 +1,230 @@ +------------------------------------------------------------------- +Thu Dec 8 10:36:12 UTC 2011 - [email protected] + +- bnc#732323 (pretty bug number!) + - CVE-2011-4345 XSS flaw for IE6/7 in japanese locale + +------------------------------------------------------------------- +Mon Mar 22 14:43:54 CET 2010 - [email protected] + +- patches refreshed to remove fuzz + +------------------------------------------------------------------- +Fri Mar 19 12:33:43 CET 2010 - [email protected] + +- merged from M17N:Devel + +------------------------------------------------------------------- +Tue Nov 3 19:09:32 UTC 2009 - [email protected] + +- updated patches to apply with fuzz=0 + +------------------------------------------------------------------- +Thu Sep 24 16:54:00 CEST 2009 - [email protected] + +- updated to namazu 2.0.20: + * fix possible buffer overrun with a blank line in NMZ.field.* + files. + +------------------------------------------------------------------- +Fri Aug 21 14:15:26 CEST 2009 - [email protected] + +- updated to version 2.0.19: + * Bug fix in analytical part of namazu and namazu.cgi + * mknmz checks on the size of the file is added + * Addition of code conversion processing to htmlsplit.pl + * The regularization of the text is added + * The judgment processing of an internal filter is sped up + * The processing done with an individual filter is integrated as an + extensions module + * UTF-8 processing + * See NEWS for more details + +------------------------------------------------------------------- +Mon Apr 07 12:48:16 CEST 2008 - [email protected] + +- bnc#373529: update to 2.0.18: Upstream NEWS: + • Add 'Charset' directive. "charset" was added to "ContentType" + of the example in conf/namazurc-sample. + • "charset" was added to the response header in Error messages + for namazu.cgi. + • Add HTML, BODY tags in Error messages for namazu.cgi. + • '\'', '(', ')' is converted into "'", "(", ")" + respectively. + • Add po/{de, pl}.po files. (But, it doesn't translate.) + • Change charset from SJIS to Shift_JIS in po/ja_SJIS.po. + • Change soname (LTVERSION 8:0:1) + • pltests/env.pl: The checked environment variable and version of + the checked Perl module is added. + • pltests/mknmz-8.pl.in: The confirmation whether the index + has been updated is added. + • pltests/namazu-cgi-12.pl.in: Add new test. + • tests/mknmz-9: Expand test file. + • filter/hnf.pl: Correspondence GRP and bug fix. + • conf/*.win32: Add new files. + • filter/win32/ole*.pl: correspondence Office 2007. [for Windows] + • filter/win32/olevisio.pl: It corresponds to Visio 2000 of another + type. For Visio 2007/.vdx file. [for Windows] + • OOo bug correction. for Office Open XML file. [for Windows] + • nmzcat: SJIS output. [For Windows] + • mailutime: Bug correction related to passing. + • To the code in which it considers after 2038 (In the direction + that doesn't correspond). + • File-MMagic: Imported 1.27. For eml file. + • libnmz: Speed-up of retrieval. + • nmzchkw.pl: New addition. (contrib) + • libnmz: The bug around the memory is corrected. (users-ja#821). + • namazu and namazu.cgi: The bug that falls into an infinite + loop is corrected. + • namazu and namazu.cgi: Correction of HTML emphasis tag. + (for Windows) + • gcnmz and nmzmerge: The output of the log is corrected and + the format is corrected. + • namazu and namazu.cgi: The possibility that the buffer + overflow cuts it when the template is corrected is corrected. + • filter/mp3.pl: MP3-Info 1.21. + • namazu.spec.in: add nmzcat, nmzegrep. + • namazu.spec.in: fix filter-requires-namazu.sh. + • conf/namazurc-sample: It is added to the comment that + Suicide_Time is only UNIX. + • scripts/mknmz.in: The mistake of the number of dummy + arguments of process_file() is corrected. + • filter/pdf.pl: 'Unable to convert pdf file (maybe copying + protection)' was corrected at option --debug. + • filter/msofficexml.pl: Added new fiter. + • filter/visio.pl: Added a new filter. + • filter/mp3.pl: Support MP3-Info 1.21's behavior. + • tests/*: It deals with trouble in which make check fails + because of the environment of Mac + gettext 0.14.2. + • tests/data/ja/*: Added new file. + • Fix some bugs. + +------------------------------------------------------------------- +Mon Feb 25 08:06:20 CET 2008 - [email protected] + +- fix library-without-ldconfig-postin errors +- disbale static libraries and remove libtool archives + +------------------------------------------------------------------- +Tue Dec 19 15:01:17 CET 2006 - [email protected] + +- updated to 2.0.16. Upstream NEWS: + • Directory traversal problem by lang and result of CGI parameter + is corrected. + • Substitution of "-r" that doesn't correspond to ACL of NTFS. + • It corresponds to the file name including space. + • For MeCab-perl-0.90rc10. + • The mistake of the document concerning ISO-8859-* is corrected. + • RedHat software namazu.spec was taken in. + The unnecessary patch was deleted. + • Include File::MMagic 1.25. + • Support MeCab. + • Add -b and --use-mecab options for mknmz. + • Add --norc option for mknmz and namazu. + • Add --decode-base64 option for mknmz. + • Add new filters (Gnumeric, Koffice, Mainman/Pipermail, Zip, Visio). + • Add new directives for mknmzrc (MECAB, DENY_DDN). + To skip when filename is DDN. + • Add sorting function by date of field. + • Added new files (nmzcat, nmzegrep). + • Adapt new filter programs (wvWare 1.0.3, xlhtml 0.5.1, xpdf 3.01). + • For Windows of filter (msword.pl, excel.pl, powerpoint.pl, + postscript.pl, etc...). + • Ole control filter renewal. + • ';' can have been used for the delimiter of QUERY_STRING. + • Add the Perl version test program (pltests). + • Fix some bugs. + +------------------------------------------------------------------- +Wed Jan 25 21:38:33 CET 2006 - [email protected] + +- converted neededforbuild to BuildRequires + +------------------------------------------------------------------- +Fri Dec 17 20:11:29 CET 2004 - [email protected] + +- Bugzilla #49304: update to 2.0.14. + +------------------------------------------------------------------- +Sat Jan 10 16:22:54 CET 2004 - [email protected] + +- build as user + +------------------------------------------------------------------- +Thu Jun 19 21:27:24 CEST 2003 - [email protected] + +- build with current gettext + +------------------------------------------------------------------- +Mon Jun 16 12:51:22 CEST 2003 - [email protected] + +- add patch for German template files from + http://www.namazu.org/stable/namazu-2.0.12-de.diff +- fix "directory not owned by any package". + +------------------------------------------------------------------- +Sun Feb 16 13:16:04 CET 2003 - [email protected] + +- update to 2.0.12 + From the NEWS file of 2.0.12 + * Fix more cross-site scripting issue around NMZ.warnlog. + From the NEWS file of 2.0.11 + * Change output warning to NMZ.warnlog file instead stderr + (for cross-site scripting issue on some environments) + * Update some filters. + * Fix possibility of buffer overflow. + * Fix shell execution issue on rpm/deb files. + * Adaptation to xpdf 1.0x (filter/pdf.pl). + * Fix possibility of relative path vulnerability on Win95/98. + * Improve HTML filter (exclude scripting language code). + * Add German template files. + +------------------------------------------------------------------- +Mon Nov 18 20:46:25 CET 2002 - [email protected] + +- Add AM_GNU_GETTEXT_VERSION. + +------------------------------------------------------------------- +Sat Aug 10 01:21:42 CEST 2002 - [email protected] + +- namazu-devel package should require namazu package +- fix directory permissions + +------------------------------------------------------------------- +Mon Aug 5 12:57:08 CEST 2002 - [email protected] + +- adapt to server-root /srv/www + ++++ 33 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:12.1:Update:Test/.namazu.new/namazu.changes New: ---- _link configure.patch linguas.patch namazu-2.0.18-CVE-2011-4345-XSS.patch namazu-2.0.20.tar.bz2 namazu.changes namazu.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ namazu.spec ++++++ # # spec file for package namazu # # Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # # norootforbuild Name: namazu BuildRequires: kakasi-devel nkf perl-File-MMagic perl-NKF perl-Text-ChaSen perl-Text-Kakasi License: GPLv2+ Group: Productivity/Networking/Web/Utilities Requires: perl >= 5.8.0, perl-File-MMagic >= 1.20, nkf >= 1.70, perl-NKF >= 1.70 Requires: kakasi >= 2.3.0, perl-Text-Kakasi >= 1.00 AutoReqProv: on Version: 2.0.20 Release: 1 Url: http://www.namazu.org/ # Original Source is gzipped. Source0: http://www.namazu.org/stable/%{name}-%{version}.tar.bz2 Patch0: linguas.patch Patch2: configure.patch Patch3: namazu-2.0.18-CVE-2011-4345-XSS.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build Summary: A Full-Text Search Engine #Summary(ja): 全文検索シス テムです。 # %description -l ja # Namazu は手軽に使えることを第一に目指した日本語全文検索シ # ステムです。CGI として動作させることにより小中規模の WWW # 全文検索システムを構築することができるほか、コマンドライ # ンやEmacs上で電子メイルの山を検索するといった個人用途にも # 使えます。 # # Authors: # -------- # Satoru Takabayashi <[email protected]> # [email protected] (NOKUBI Takatsugu) # Yukinori MAEDA <[email protected]> # Ken-ichi Hirose <[email protected]> # [email protected] (Masao Takaku) # Ryuji Abe <[email protected]> # Hajime BABA <[email protected]> # KOSEKI Yoshinori <[email protected]> # Rei FURUKAWA <[email protected]> # Makoto Fujiwara <[email protected]> # Kenji Suzuki <[email protected]> # MIYOSHI Masanori <[email protected]> # Hideyuki SHIRAI <[email protected]> # Jose Juan Zapater Vera <[email protected]> # Yoshinori TAKESAKO <[email protected]> # SATOH Fumiyasu <[email protected]> %description Namazu is a full-text search engine software intended for easy use. It works not only as a CGI program for small or medium scale WWW search engines, but also works for personal use such as a search system for the local hard disk. Authors: -------- Satoru Takabayashi <[email protected]> [email protected] (NOKUBI Takatsugu) Yukinori MAEDA <[email protected]> Ken-ichi Hirose <[email protected]> [email protected] (Masao Takaku) Ryuji Abe <[email protected]> Hajime BABA <[email protected]> KOSEKI Yoshinori <[email protected]> Rei FURUKAWA <[email protected]> Makoto Fujiwara <[email protected]> Kenji Suzuki <[email protected]> MIYOSHI Masanori <[email protected]> Hideyuki SHIRAI <[email protected]> Jose Juan Zapater Vera <[email protected]> Yoshinori TAKESAKO <[email protected]> SATOH Fumiyasu <[email protected]> %package -n namazu-devel License: GPLv2+ Summary: Header files and libraries of Namazu # Summary(ja): Namazu のヘッダファイル及びライブラリです。 Group: Productivity/Networking/Web/Utilities Requires: %{name} = %{version} # %description -n namazu-devel -l ja # Namazuのヘッダファイル及びライブラリです。 %description -n namazu-devel header files and libraries of Namazu Authors: -------- Satoru Takabayashi <[email protected]> [email protected] (NOKUBI Takatsugu) Yukinori MAEDA <[email protected]> Ken-ichi Hirose <[email protected]> [email protected] (Masao Takaku) Ryuji Abe <[email protected]> Hajime BABA <[email protected]> KOSEKI Yoshinori <[email protected]> Rei FURUKAWA <[email protected]> Makoto Fujiwara <[email protected]> Kenji Suzuki <[email protected]> MIYOSHI Masanori <[email protected]> Hideyuki SHIRAI <[email protected]> Jose Juan Zapater Vera <[email protected]> Yoshinori TAKESAKO <[email protected]> SATOH Fumiyasu <[email protected]> %package -n namazu-cgi License: GPLv2+ Summary: A CGI interface for Namazu # Summary(ja): Namazu のためのCGIインタフェース Group: Productivity/Networking/Web/Utilities # Requires: webserver # %description -n namazu-cgi -l ja # Namazu のためのCGIインタフェース %description -n namazu-cgi a CGI interface for Namazu Authors: -------- Satoru Takabayashi <[email protected]> [email protected] (NOKUBI Takatsugu) Yukinori MAEDA <[email protected]> Ken-ichi Hirose <[email protected]> [email protected] (Masao Takaku) Ryuji Abe <[email protected]> Hajime BABA <[email protected]> KOSEKI Yoshinori <[email protected]> Rei FURUKAWA <[email protected]> Makoto Fujiwara <[email protected]> Kenji Suzuki <[email protected]> MIYOSHI Masanori <[email protected]> Hideyuki SHIRAI <[email protected]> Jose Juan Zapater Vera <[email protected]> Yoshinori TAKESAKO <[email protected]> SATOH Fumiyasu <[email protected]> %prep %setup0 -q %patch0 -p1 -b .linguas %patch2 -p1 -b .config %patch3 -p1 chmod +x tests/ja-namazu-cgi-3 %build # XXX is this right - it was /var/lib before FHS macros %define _localstatedir /var/lib %define _libexecdir /srv/www/cgi-bin autoreconf --force --install test -f po/Makevars || mv po/Makevars.template po/Makevars export CFLAGS="$RPM_OPT_FLAGS" %configure --disable-static --with-pic \ --with-perl5=/usr/bin/perl make %install mkdir -p $RPM_BUILD_ROOT/%{_localstatedir}/namazu \ $RPM_BUILD_ROOT/%{_libexecdir} make DESTDIR=$RPM_BUILD_ROOT libdir=%{_libdir} install mv %{buildroot}%{_sysconfdir}/namazu/namazurc-sample \ %{buildroot}%{_sysconfdir}/namazu/namazurc mv %{buildroot}%{_sysconfdir}/namazu/mknmzrc-sample \ %{buildroot}%{_sysconfdir}/namazu/mknmzrc chmod a+rw -R %{buildroot}%{_localstatedir}/namazu chmod a+rw -R %{buildroot}%{_localstatedir}/namazu/index mkdir -p $RPM_BUILD_ROOT/%{_defaultdocdir}/namazu/ pushd $RPM_BUILD_ROOT/%{_defaultdocdir}/namazu/ ln -s %{_datadir}/namazu/doc . ln -s %{_datadir}/namazu/etc . popd # install (X)Emacs lisp code: mkdir -p $RPM_BUILD_ROOT/usr/share/emacs/site-lisp install -p -m 644 lisp/gnus-nmz-1.el $RPM_BUILD_ROOT/usr/share/emacs/site-lisp install -p -m 644 lisp/namazu.el $RPM_BUILD_ROOT/usr/share/emacs/site-lisp mkdir -p $RPM_BUILD_ROOT/usr/share/xemacs/site-lisp/lisp install -p -m 644 lisp/gnus-nmz-1.el $RPM_BUILD_ROOT/usr/share/xemacs/site-lisp/lisp install -p -m 644 lisp/namazu.el $RPM_BUILD_ROOT/usr/share/xemacs/site-lisp/lisp %{find_lang} namazu %clean rm -rf $RPM_BUILD_ROOT; %post -p /sbin/ldconfig %postun -p /sbin/ldconfig %files -f namazu.lang %defattr(-, root, root) %doc %dir %{_defaultdocdir}/namazu/ %doc %{_defaultdocdir}/namazu/* %dir %{_sysconfdir}/namazu/ %config(noreplace) %{_sysconfdir}/namazu/* %{_bindir}/namazu %{_bindir}/bnamazu %{_bindir}/*nmz %{_bindir}/mailutime %{_bindir}/nmzgrep %{_bindir}/nmzegrep %{_bindir}/nmzmerge %{_bindir}/nmzcat %{_libdir}/*.so.* %{_mandir}/man1/* %{_datadir}/namazu %attr(755,root,root) %dir %{_localstatedir}/namazu %attr(755,root,root) %dir %{_localstatedir}/namazu/index %dir /usr/share/emacs/ %dir /usr/share/emacs/site-lisp/ /usr/share/emacs/site-lisp/* %dir /usr/share/xemacs/ %dir /usr/share/xemacs/site-lisp/ %dir /usr/share/xemacs/site-lisp/lisp/ /usr/share/xemacs/site-lisp/lisp/* %files devel %defattr(-, root, root) %{_bindir}/nmz-config %dir %{_includedir}/namazu/ %{_includedir}/namazu/*.h %{_libdir}/*.so %exclude %{_libdir}/*.la %files cgi %defattr(-, root, root) %{_libexecdir}/namazu.cgi %changelog ++++++ _link ++++++ <link project="openSUSE:12.1" package="namazu" baserev="dac68119db673f8f01f11270a17af035"> <patches> <branch/> </patches> </link> ++++++ configure.patch ++++++ --- configure.in | 1 + 1 file changed, 1 insertion(+) --- a/configure.in +++ b/configure.in @@ -94,6 +94,7 @@ dnl * ALL_LINGUAS="ja es fr de pl" AM_GNU_GETTEXT([external]) +AM_GNU_GETTEXT_VERSION(0.12) AM_LC_MESSAGES dnl For latest gettext ++++++ linguas.patch ++++++ --- configure | 2 +- configure.in | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) --- a/configure +++ b/configure @@ -8019,7 +8019,7 @@ LTVERSION="8:2:1" -ALL_LINGUAS="ja ja_JP.SJIS es fr de pl" +ALL_LINGUAS="ja es fr de pl" MKINSTALLDIRS= if test -n "$ac_aux_dir"; then --- a/configure.in +++ b/configure.in @@ -92,7 +92,7 @@ dnl * dnl * I18N dnl * -ALL_LINGUAS="ja ja_JP.SJIS es fr de pl" +ALL_LINGUAS="ja es fr de pl" AM_GNU_GETTEXT([external]) AM_LC_MESSAGES ++++++ namazu-2.0.18-CVE-2011-4345-XSS.patch ++++++ Index: namazu-2.0.18/nmz/codeconv.c =================================================================== --- namazu-2.0.18.orig/nmz/codeconv.c +++ namazu-2.0.18/nmz/codeconv.c @@ -400,6 +400,71 @@ zen2han(char *str) *(s + q) = '\0'; } +static void +check_eucjp(uchar *s) +{ + int i; + size_t num; + + num = strlen((char *)s); + i = 0; + while (i < num) { + if (s[i] >= 0x20 && s[i] <= 0x7e) { + i++; + } + else if (s[i] >= 0xa1 && s[i] <= 0xfe) { + if (i + 1 < num) { + if (s[i + 1] >= 0xa1 && s[i + 1] <= 0xfe) { + i += 2; + } + else { + s[i++] = ' '; + s[i++] = ' '; + } + } + else { + s[i++] = ' '; + } + } + else if (s[i] == 0x8e) { + if (i + 1 < num) { + if (s[i + 1] >= 0xa1 && s[i + 1] <= 0xdf) { + i += 2; + } + else { + s[i++] = ' '; + s[i++] = ' '; + } + } + else { + s[i++] = ' '; + } + } + else if (s[i] == 0x8f) { + if (i + 2 < num) { + if (s[i + 1] >= 0xa1 && s[i + 1] <= 0xfe + && s[i + 2] >= 0xa1 && s[i + 2] <= 0xfe) { + i += 3; + } + else { + s[i++] = ' '; + s[i++] = ' '; + s[i++] = ' '; + } + } + else if (i + 1 < num) { + s[i++] = ' '; + s[i++] = ' '; + } + else { + s[i++] = ' '; + } + } + else { + s[i++] = ' '; + } + } +} /* * @@ -422,17 +486,24 @@ nmz_codeconv_internal(char *s) in = (uchar *)s; if (!nmz_is_lang_ja()) { /* Lang != ja */ + for (i = 0; i < strlen(s); i++) { + if (s[i] < 0x20 || s[i] >= 0x7f) { + s[i] = ' '; + } + } return 0; } for (i = 0, m = 0, n = 0, f = 0; *(in + i); i++) { if (*(in + i) == ESC) { jistoeuc(in); + check_eucjp(in); return 1; } if (*(in + i) > (uchar) '\x80') m++, f = f ? 0 : 1; else if (f) { sjistoeuc(in); + check_eucjp(in); return 1; } if (*(in + i) > (uchar) '\xa0') @@ -440,10 +511,14 @@ nmz_codeconv_internal(char *s) } if (m != n) { sjistoeuc(in); + check_eucjp(in); return 1; } - if (n) + if (n) { + check_eucjp(in); return 1; + } + check_eucjp(in); return 0; } Index: namazu-2.0.18/pltests/alltests.pl.in =================================================================== --- namazu-2.0.18.orig/pltests/alltests.pl.in +++ namazu-2.0.18/pltests/alltests.pl.in @@ -44,6 +44,7 @@ my @TESTS = ( 'namazu-cgi-7.pl', 'namazu-cgi-8.pl', 'namazu-cgi-9.pl', 'namazu-cgi-10.pl', 'namazu-cgi-12.pl', + 'ja-namazu-cgi-3.pl', 'chasen-1.pl', 'chasen-2.pl', 'chasen-3.pl', 'mecab-1.pl', 'mecab-2.pl', 'mecab-3.pl', 'kakasi-1.pl', 'kakasi-2.pl', 'kakasi-3.pl', Index: namazu-2.0.18/pltests/Makefile.am =================================================================== --- namazu-2.0.18.orig/pltests/Makefile.am +++ namazu-2.0.18/pltests/Makefile.am @@ -23,6 +23,7 @@ PROGRAM = alltests.pl pltests.pl \ namazu-cgi-7.pl namazu-cgi-8.pl \ namazu-cgi-9.pl namazu-cgi-10.pl \ namazu-cgi-12.pl \ + ja-namazu-cgi-3.pl \ chasen-1.pl chasen-2.pl chasen-3.pl \ mecab-1.pl mecab-2.pl mecab-3.pl \ kakasi-1.pl kakasi-2.pl kakasi-3.pl @@ -48,6 +49,7 @@ EXTRA_DIST = pltests.pl.in \ namazu-cgi-7.pl.in namazu-cgi-8.pl.in \ namazu-cgi-9.pl.in namazu-cgi-10.pl.in \ namazu-cgi-12.pl.in \ + ja-namazu-cgi-3.pl.in \ chasen-1.pl.in chasen-2.pl.in chasen-3.pl.in \ mecab-1.pl.in mecab-2.pl.in mecab-3.pl.in \ kakasi-1.pl.in kakasi-2.pl.in kakasi-3.pl.in @@ -283,6 +285,11 @@ namazu-cgi-12.pl: namazu-cgi-12.pl.in pl sed -e 's!%PERL%!$(PERL)!g' $(srcdir)/[email protected] > [email protected] mv [email protected] $@ chmod +x $@ + +ja-namazu-cgi-3.pl: ja-namazu-cgi-3.pl.in pltests.pl.in Makefile + sed -e 's!%PERL%!$(PERL)!g' $(srcdir)/[email protected] > [email protected] + mv [email protected] $@ + chmod +x $@ chasen-1.pl: chasen-1.pl.in pltests.pl.in Makefile sed -e 's!%PERL%!$(PERL)!g' $(srcdir)/[email protected] > [email protected] Index: namazu-2.0.18/pltests/Makefile.in =================================================================== --- namazu-2.0.18.orig/pltests/Makefile.in +++ namazu-2.0.18/pltests/Makefile.in @@ -158,6 +158,7 @@ PROGRAM = alltests.pl pltests.pl \ namazu-cgi-7.pl namazu-cgi-8.pl \ namazu-cgi-9.pl namazu-cgi-10.pl \ namazu-cgi-12.pl \ + ja-namazu-cgi-3.pl \ chasen-1.pl chasen-2.pl chasen-3.pl \ mecab-1.pl mecab-2.pl mecab-3.pl \ kakasi-1.pl kakasi-2.pl kakasi-3.pl @@ -184,6 +185,7 @@ EXTRA_DIST = pltests.pl.in \ namazu-cgi-7.pl.in namazu-cgi-8.pl.in \ namazu-cgi-9.pl.in namazu-cgi-10.pl.in \ namazu-cgi-12.pl.in \ + ja-namazu-cgi-3.pl.in \ chasen-1.pl.in chasen-2.pl.in chasen-3.pl.in \ mecab-1.pl.in mecab-2.pl.in mecab-3.pl.in \ kakasi-1.pl.in kakasi-2.pl.in kakasi-3.pl.in @@ -590,6 +592,11 @@ namazu-cgi-12.pl: namazu-cgi-12.pl.in pl sed -e 's!%PERL%!$(PERL)!g' $(srcdir)/[email protected] > [email protected] mv [email protected] $@ chmod +x $@ + +ja-namazu-cgi-3.pl: ja-namazu-cgi-3.pl.in pltests.pl.in Makefile + sed -e 's!%PERL%!$(PERL)!g' $(srcdir)/[email protected] > [email protected] + mv [email protected] $@ + chmod +x $@ chasen-1.pl: chasen-1.pl.in pltests.pl.in Makefile sed -e 's!%PERL%!$(PERL)!g' $(srcdir)/[email protected] > [email protected] Index: namazu-2.0.18/tests/Makefile.am =================================================================== --- namazu-2.0.18.orig/tests/Makefile.am +++ namazu-2.0.18/tests/Makefile.am @@ -17,7 +17,10 @@ TESTS = mknmz-1 mknmz-2 mknmz-3 mknmz-4 namazu-cgi-1 namazu-cgi-2 namazu-cgi-3 namazu-cgi-4 \ namazu-cgi-5 namazu-cgi-6 namazu-cgi-7 namazu-cgi-8 \ namazu-cgi-9 namazu-cgi-10 namazu-cgi-11 \ - ja-mknmz-1 ja-namazu-cgi-1 ja-namazu-1 + ja-mknmz-1 ja-namazu-cgi-1 \ + ja-namazu-cgi-3 ja-namazu-1 + +distclean: clean-local clean-local: rm -rf test-log tmp-data tmp.* idx[0-9]* ja-idx[0-9]* Index: namazu-2.0.18/tests/Makefile.in =================================================================== --- namazu-2.0.18.orig/tests/Makefile.in +++ namazu-2.0.18/tests/Makefile.in @@ -152,7 +152,8 @@ TESTS = mknmz-1 mknmz-2 mknmz-3 mknmz-4 namazu-cgi-1 namazu-cgi-2 namazu-cgi-3 namazu-cgi-4 \ namazu-cgi-5 namazu-cgi-6 namazu-cgi-7 namazu-cgi-8 \ namazu-cgi-9 namazu-cgi-10 namazu-cgi-11 \ - ja-mknmz-1 ja-namazu-cgi-1 ja-namazu-1 + ja-mknmz-1 ja-namazu-cgi-1 \ + ja-namazu-cgi-3 ja-namazu-1 EXTRA_DIST = $(TESTS) select-data commonfuncs @@ -465,6 +466,8 @@ uninstall-info: uninstall-info-recursive uninstall-info-recursive uninstall-recursive +distclean: clean-local + clean-local: rm -rf test-log tmp-data tmp.* idx[0-9]* ja-idx[0-9]* # Tell versions [3.59,3.63) of GNU make to not export all variables. Index: namazu-2.0.18/pltests/ja-namazu-cgi-3.pl.in =================================================================== --- /dev/null +++ namazu-2.0.18/pltests/ja-namazu-cgi-3.pl.in @@ -0,0 +1,90 @@ +#!%PERL% -w +# +# $Id: ja-namazu-cgi-3.pl.in,v 1.1.2.1 2011-07-18 13:32:49 opengl2772 Exp $ +# Copyright (C) 2007 Tadamasa Teranishi +# 2007,2011 Namazu Project All rights reserved. +# This is free software with ABSOLUTELY NO WARRANTY. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either versions 2, or (at your option) +# any later version. +# +# This program is distributed in the hope that it will be useful +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA +# 02111-1307, USA +# +# This file must be encoded in EUC-JP encoding +# + +# +# Test for cross-site scripting vulnerability with IE6,IE7 and wrong EUC-JP chracter code. +# + +use strict; +require Cwd; +use File::Copy; +require 'pltests.pl'; + +my $cwd = Cwd::cwd(); +my $LOG = "$cwd/test-log"; +my $INDEX = "$cwd/idx1"; +my $NAMAZU = pltests::binpath('namazu.cgi'); +my $RC = pltests::binpath('.namazurc'); + +my @cmd; + +$ENV{'SCRIPT_NAME'} = 'namazu.cgi'; +$ENV{'QUERY_STRING'} = 'query=%8F%EF%9C/%20%8F%EF%9E%20%8F%EF%9C/'; + +pltests::putline($LOG, " *** starting $0"); + +if ($English::OSNAME eq "MSWin32" || $English::OSNAME eq "os2") { + pltests::putline($LOG, "Skipping because of MSWin32 or os2: $0"); + exit 77; +} + +if (pltests::get_lang() !~ /^ja/) { + pltests::putline($LOG, "Skipping because of LANG does not begin with ja: $0"); + exit 77; +} + +if (-f $RC) { + unlink("$RC"); +} +pltests::putline($RC, "Index $INDEX"); +pltests::duprcs($RC); + +my $ascii = '[\x00-\x7F]'; +my $twoBytes = '(?:[\x8E\xA1-\xFE][\xA1-\xFE])'; +my $threeBytes = '(?:\x8F[\xA1-\xFE][xA1-\xFE])'; +my $character = "(?:$ascii|$twoBytes|$threeBytes)"; + +@cmd = ("$NAMAZU"); +my ($staus, $result, $conts_err) = pltests::ezsyscmd(\@cmd); +$result =~ s/$character//g; +$result =~ s/[\n\r]//g; +pltests::putline($LOG, "\"$result\""); +exit 1 if $result; + +$ENV{'QUERY_STRING'} = 'query=%8F%AF%82%20'; +@cmd = ("$NAMAZU"); +($staus, $result, $conts_err) = pltests::ezsyscmd(\@cmd); +$result =~ s/$character//g; +$result =~ s/[\n\r]//g; +pltests::putline($LOG, "\"$result\""); +exit 1 if $result; + +exit 0; + +END { + if (-f $RC) { + unlink("$RC"); + } +} Index: namazu-2.0.18/tests/ja-namazu-cgi-3 =================================================================== --- /dev/null +++ namazu-2.0.18/tests/ja-namazu-cgi-3 @@ -0,0 +1,80 @@ +#! /bin/sh +# +# Test for cross-site scripting vulnerability with IE6,IE7 and wrong EUC-JP chracter code. +# +LOG=`pwd`/test-log +echo ' *** starting ' $0 >>$LOG +. ${srcdir}/commonfuncs + +EXEC=no + +lc_all=$LC_ALL +lc_ctype=$LC_CTYPE +lang=$LANG + +for ctype in "$lc_all" "$lc_ctype" "$lang"; do + if test -n "$ctype" -a "$ctype" = "C"; then + ctype="en" + break + fi + cand=`echo "$ctype" | LC_ALL="C" perl -nle 'print $1 if /^(..)/'` + if test -n "$cand"; then + ctype=$cand + break + fi +done + +case $ctype in + ja*) + EXEC=yes + ;; +esac +if [ $EXEC = 'no' ] +then + echo "Skipping because of LANG does not begin with ja: $0" >> $LOG + exit 77 +fi + +unset LANGUAGE +unset LC_ALL +unset LC_MESSAGES +unset LC_CTYPE +unset LANG + + +pwd=`pwd` +tmprc="$pwd/../src/.namazurc" +echo "Index ../tests/idx1" > $tmprc +echo "Lang ja" >> $tmprc +duprcs +cd ../src + +perl << 'TEST' >> $LOG + my $query = 'query=%8F%EF%9C/%8F%EF%9E%20%8F%EF%9C'; + $ENV{'SCRIPT_NAME'} = 'namazu.cgi'; + $ENV{'QUERY_STRING'} = $query; + my $cmd = "./namazu.cgi"; + my $result = `$cmd 2>&1`; + + my $ascii = '[\x00-\x7F]'; + my $twoBytes = '(?:[\x8E\xA1-\xFE][\xA1-\xFE])'; + my $threeBytes = '(?:\x8F[\xA1-\xFE][xA1-\xFE])'; + my $character = "(?:$ascii|$twoBytes|$threeBytes)"; + $result =~ s/$character//g; + $result =~ s/[\n\r]//g; + print "\"$result\"\n"; + exit 1 if $result; + + $query = 'query=%8F%AF%82%20'; + $ENV{'QUERY_STRING'} = $query; + $result = `$cmd 2>&1`; + $result =~ s/$character//g; + $result =~ s/[\n\r]//g; + print "\"$result\"\n"; + exit 1 if $result; + + exit 0; +TEST +result=$? +rm -f $tmprc +exit $result -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
