OpenPKG CVS Repository http://cvs.openpkg.org/ ____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src openpkg-web Date: 21-Oct-2003 11:12:49 Branch: OPENPKG_1_3_SOLID HEAD Handle: 2003102110124702 Modified files: openpkg-web news.txt Modified files: (Branch: OPENPKG_1_3_SOLID) openpkg-src/perl-www perl-www.patch perl-www.spec Log: fix CGI.pm form URL generation by backporting more correct security fix from CGI.pm 3.00 Summary: Revision Changes Path 1.1.2.1.2.2 +9 -6 openpkg-src/perl-www/perl-www.patch 1.45.2.5.2.3+2 -2 openpkg-src/perl-www/perl-www.spec 1.7092 +1 -0 openpkg-web/news.txt ____________________________________________________________________________ patch -p0 <<'@@ .' Index: openpkg-src/perl-www/perl-www.patch ============================================================================ $ cvs diff -u -r1.1.2.1.2.1 -r1.1.2.1.2.2 perl-www.patch --- openpkg-src/perl-www/perl-www.patch 6 Aug 2003 15:07:14 -0000 1.1.2.1.2.1 +++ openpkg-src/perl-www/perl-www.patch 21 Oct 2003 09:12:49 -0000 1.1.2.1.2.2 
@@ -1,25 +1,28 @@ http://stein.cshl.org/WWW/software/CGI/ under "Revision History" find "Fixed cross-site scripting bug reported by obscure" note attached to Version 2.94. A quick fix was - introduced in 2.94. It was replaced by a more careful patch in 2.99. + introduced in 2.94. It was replaced by a more careful patch in 3.00. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0615 Cross-site scripting (XSS) vulnerability in start_form() of CGI.pm allows remote attackers to insert web script via a URL that is fed into the form's action parameter ---- CGI.pm-2.98/CGI.pm.orig Wed Jun 18 21:57:21 2003 -+++ CGI.pm-2.98/CGI.pm Fri Aug 1 16:39:52 2003 -@@ -1641,10 +1641,10 @@ +Index: CGI.pm-2.98/CGI.pm +--- CGI.pm-2.98/CGI.pm.orig 2003-06-18 21:57:21.000000000 +0200 ++++ CGI.pm-2.98/CGI.pm 2003-10-21 11:10:30.000000000 +0200 +@@ -1639,12 +1639,11 @@ + $method = lc($method) || 'post'; + $enctype = $enctype || &URL_ENCODED; unless (defined $action) { - $action = $self->url(-absolute=>1,-path=>1); +- $action = $self->url(-absolute=>1,-path=>1); ++ $action = $self->escapeHTML($self->url(-absolute=>1,-path=>1)); if (length($ENV{QUERY_STRING})>0) { - $action .= "?$ENV{QUERY_STRING}"; + $action .= "?".$self->escapeHTML($ENV{QUERY_STRING},1); } } - $action =~ s/\"/%22/g; # fix cross-site scripting bug reported by obscure -+ $action = escape($action); $action = qq(action="$action"); my($other) = @other ? " @other" : ''; $self->{'.parametersToAdd'}={}; @@ . patch -p0 <<'@@ .' Index: openpkg-src/perl-www/perl-www.spec ============================================================================ $ cvs diff -u -r1.45.2.5.2.2 -r1.45.2.5.2.3 perl-www.spec --- openpkg-src/perl-www/perl-www.spec 6 Aug 2003 15:07:14 -0000 1.45.2.5.2.2 +++ openpkg-src/perl-www/perl-www.spec 21 Oct 2003 09:12:49 -0000 1.45.2.5.2.3 
@@ -48,8 +48,8 @@ Distribution: OpenPKG [BASE] Group: Language License: GPL/Artistic -Version: 1.3.1 -Release: 1.3.1 +Version: 1.3.2 +Release: 1.3.2 # list of sources Source0: http://www.cpan.org/modules/by-module/URI/URI-%{V_uri}.tar.gz @@ . patch -p0 <<'@@ .' Index: openpkg-web/news.txt ============================================================================ $ cvs diff -u -r1.7091 -r1.7092 news.txt --- openpkg-web/news.txt 21 Oct 2003 09:06:48 -0000 1.7091 +++ openpkg-web/news.txt 21 Oct 2003 09:12:47 -0000 1.7092 @@ -1,3 +1,4 @@ +21-Oct-2003: Upgraded package: P<perl-www-1.3.2-1.3.2> 21-Oct-2003: Upgraded package: P<perl-5.8.0-1.2.2> 21-Oct-2003: Upgraded package: P<coreutils-5.0.1-1.3.1> 21-Oct-2003: Upgraded package: P<perl-5.8.0-1.3.2> @@ . ______________________________________________________________________ The OpenPKG Project www.openpkg.org CVS Repository Commit List [EMAIL PROTECTED]
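Review bot: in the perl-www.patch hunk, escaping is now applied only inside the `unless (defined $action)` branch, so a caller-supplied `-action` value reaches `$action = qq(action="$action");` unescaped; the removed lines `$action =~ s/\"/%22/g;` (the 2.94 quick fix) and `$action = escape($action);` (the previous OpenPKG backport) covered that case as well. This follows the upstream 3.00 change the log message cites, but the note at the top of perl-www.patch should state it explicitly, so packagers know that callers passing their own `-action` are responsible for HTML-escaping it. Replacing the wholesale `escape($action)` with `$self->escapeHTML(...)` on the generated URL and on `$ENV{QUERY_STRING}` is the right direction for the form URL generation problem the log message refers to, since only characters special in the attribute value are rewritten rather than the whole URL.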