OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall
Root: /e/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-src openpkg-web Date: 21-Oct-2003 11:17:26
Branch: OPENPKG_1_2_SOLID HEAD Handle: 2003102110172402
Modified files:
openpkg-web news.txt
Modified files: (Branch: OPENPKG_1_2_SOLID)
openpkg-src/perl-www perl-www.patch perl-www.spec
Log:
fix CGI.pm form URL generation by backporting more correct security
fix from CGI.pm 3.00
Summary:
Revision       Changes  Path
1.1.4.2        +9 -8    openpkg-src/perl-www/perl-www.patch
1.45.2.1.2.4   +2 -2    openpkg-src/perl-www/perl-www.spec
1.7093         +1 -0    openpkg-web/news.txt
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-src/perl-www/perl-www.patch
============================================================================
$ cvs diff -u -r1.1.4.1 -r1.1.4.2 perl-www.patch
--- openpkg-src/perl-www/perl-www.patch 6 Aug 2003 15:10:10 -0000 1.1.4.1
+++ openpkg-src/perl-www/perl-www.patch 21 Oct 2003 09:17:26 -0000 1.1.4.2
@@ -1,24 +1,25 @@
http://stein.cshl.org/WWW/software/CGI/
under "Revision History" find "Fixed cross-site scripting bug
reported by obscure" note attached to Version 2.94. A quick fix was
- introduced in 2.94. It was replaced by a more careful patch in 2.99.
+ introduced in 2.94. It was replaced by a more careful patch in 3.00.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0615
Cross-site scripting (XSS) vulnerability in start_form() of CGI.pm
allows remote attackers to insert web script via a URL that is fed
into the form's action parameter
---- CGI.pm-2.89/CGI.pm.orig Wed Oct 16 19:48:37 2002
-+++ CGI.pm-2.89/CGI.pm Wed Aug 6 16:22:26 2003
-@@ -1553,9 +1553,10 @@
+Index: CGI.pm-2.89/CGI.pm
+--- CGI.pm-2.89/CGI.pm.orig 2002-10-16 19:48:37.000000000 +0200
++++ CGI.pm-2.89/CGI.pm 2003-10-21 11:15:55.000000000 +0200
+@@ -1551,9 +1551,9 @@
+ $method = lc($method) || 'post';
+ $enctype = $enctype || &URL_ENCODED;
unless (defined $action) {
- $action = $self->url(-absolute=>1,-path=>1);
+- $action = $self->url(-absolute=>1,-path=>1);
++ $action = $self->escapeHTML($self->url(-absolute=>1,-path=>1));
if (length($ENV{QUERY_STRING})>0) {
- $action .= "?$ENV{QUERY_STRING}";
+ $action .= "?".$self->escapeHTML($ENV{QUERY_STRING},1);
}
}
-+ $action = escape($action);
$action = qq(action="$action");
- my($other) = @other ? " @other" : '';
- $self->{'.parametersToAdd'}={};
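Review bot: dropping the old `+ $action = escape($action);` line is the right call, since CGI::escape applied to the whole action would also percent-encode the `/`, `?` and `=` that the URL needs, so the earlier fix closed the XSS hole at the cost of breaking the form target; the replacement encodes at the correct layer by calling `$self->escapeHTML(...)` on the path and on `$ENV{QUERY_STRING}` separately before either is interpolated into `action="$action"`. One thing the patch's own header text should record is why the query-string call passes a second argument (`escapeHTML($ENV{QUERY_STRING},1)`) while the path call does not, so the next person backporting a CGI.pm change does not "harmonize" the two calls and lose the stricter encoding of the attacker-controlled part. The hunk header change from `+1553,10` to `+1551,9` is consistent with removing that one added line.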
@@ .
patch -p0 <<'@@ .'
Index: openpkg-src/perl-www/perl-www.spec
============================================================================
$ cvs diff -u -r1.45.2.1.2.3 -r1.45.2.1.2.4 perl-www.spec
--- openpkg-src/perl-www/perl-www.spec 6 Aug 2003 15:10:10 -0000 1.45.2.1.2.3
+++ openpkg-src/perl-www/perl-www.spec 21 Oct 2003 09:17:26 -0000 1.45.2.1.2.4
@@ -44,8 +44,8 @@
Distribution: OpenPKG [BASE]
Group: Language
License: GPL/Artistic
-Version: 1.2.1
-Release: 1.2.1
+Version: 1.2.2
+Release: 1.2.2
# list of sources
Source0: http://www.cpan.org/modules/by-module/URI/URI-%{V_uri}.tar.gz
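Review bot: nothing in this hunk records that the 1.2.1 to 1.2.2 rebuild is a security update; someone reading the spec history has to open perl-www.patch to learn it addresses CAN-2003-0615. Suggest a one-line comment next to the bump (or in the spec's changelog, if it keeps one), e.g. `# 1.2.2: backport CGI.pm 3.00 start_form() XSS fix (CAN-2003-0615)`, so the security relevance is visible where the version changes.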
@@ .
patch -p0 <<'@@ .'
Index: openpkg-web/news.txt
============================================================================
$ cvs diff -u -r1.7092 -r1.7093 news.txt
--- openpkg-web/news.txt 21 Oct 2003 09:12:47 -0000 1.7092
+++ openpkg-web/news.txt 21 Oct 2003 09:17:24 -0000 1.7093
@@ -1,3 +1,4 @@
+21-Oct-2003: Upgraded package: P<perl-www-1.2.2-1.2.2>
21-Oct-2003: Upgraded package: P<perl-www-1.3.2-1.3.2>
21-Oct-2003: Upgraded package: P<perl-5.8.0-1.2.2>
21-Oct-2003: Upgraded package: P<coreutils-5.0.1-1.3.1>
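Review bot: the new `P<perl-www-1.2.2-1.2.2>` entry matches the Version/Release set in perl-www.spec, but it reads exactly like the routine upgrades around it (`perl-5.8.0-1.2.2`, `coreutils-5.0.1-1.3.1`), so a user scanning the news feed cannot tell that this one fixes a cross-site scripting issue in CGI.pm start_form(). If the news.txt format allows it, mark the entry as a security fix with the CAN-2003-0615 reference so operators on the OPENPKG_1_2_SOLID branch know to prioritize it.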
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List [EMAIL PROTECTED]