authorPeter Pentchev <roam@FreeBSD.org>2003-10-27 12:18:06 +0000
committerPeter Pentchev <roam@FreeBSD.org>2003-10-27 12:18:06 +0000
commitcb98017ae9dabe7e9ddb5ca7ed32e42a9ad16078 (patch)
tree71aa798d5d209a57e93ee719e0862113293d9fdf /www
parento) Update to version 5.1.13 (diff)
Fix the vulnerabilities reported in Chris Leishman's BugTraq post of
2003/01/07, and a couple of other ones while I'm here. This could still benefit from an in-depth audit, though. Bump PORTREVISION, unquote COMMENT, remove the FORBIDDEN tag.
Notes
Notes: svn path=/head/; revision=92318
Diffstat (limited to 'www')
-rw-r--r--www/cgihtml/Makefile6
-rw-r--r--www/cgihtml/files/patch-aa114
2 files changed, 113 insertions, 7 deletions
diff --git a/www/cgihtml/Makefile b/www/cgihtml/Makefile
index 9efd458f0e9a..f7ecab36e32f 100644
--- a/www/cgihtml/Makefile
+++ b/www/cgihtml/Makefile
@@ -7,16 +7,14 @@
PORTNAME= cgihtml
PORTVERSION= 1.69
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= www devel
MASTER_SITES= http://www.eekim.com/software/cgihtml/ \
ftp://www.eekim.com/pub/users/eekim/cgihtml/ \
ftp://hcs.harvard.edu/pub/web/tools/cgihtml/
-FORBIDDEN= Multiple vulnerabilities, see http://online.securityfocus.com/archive/1/305469
-
MAINTAINER= roam@FreeBSD.org
-COMMENT= "Library that simplifies the task of writing CGI programs in C"
+COMMENT= Library that simplifies the task of writing CGI programs in C
INSTALLS_SHLIB= yes
diff --git a/www/cgihtml/files/patch-aa b/www/cgihtml/files/patch-aa
index c9a4210cdd20..f208f6cfb91b 100644
--- a/www/cgihtml/files/patch-aa
+++ b/www/cgihtml/files/patch-aa
@@ -1,6 +1,114 @@
---- cgi-lib.c Wed Apr 11 20:03:57 2001
-+++ cgi-lib.c Wed Apr 11 20:04:20 2001
-@@ -529,9 +529,9 @@
+Index: cgi-lib.c
+===================================================================
+RCS file: /home/cvs/ringlet/c/contrib/www/cgihtml/cgi-lib.c,v
+retrieving revision 1.1.1.1
+retrieving revision 1.6
+diff -u -r1.1.1.1 -r1.6
+--- cgi-lib.c 27 Oct 2003 09:39:04 -0000 1.1.1.1
++++ cgi-lib.c 27 Oct 2003 12:07:00 -0000 1.6
+@@ -17,6 +17,10 @@
+
+ #ifdef WINDOWS
+ #include <io.h>
++#define mktemp _mktemp
++#define snprintf _snprintf
++#else
++#include <unistd.h>
+ #endif
+
+ #include "cgi-lib.h"
+@@ -87,11 +91,11 @@
+
+ char *get_POST()
+ {
+- unsigned int content_length;
++ size_t content_length;
+ char *buffer;
+
+ if (CONTENT_LENGTH != NULL) {
+- content_length = atoi(CONTENT_LENGTH);
++ content_length = (size_t)strtoull(CONTENT_LENGTH, NULL, 10);
+ buffer = (char *)malloc(sizeof(char) * content_length + 1);
+ if (fread(buffer,sizeof(char),content_length,stdin) != content_length) {
+ /* consistency error. */
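Review bot: The converted length in get_POST is used without validation: `strtoull(CONTENT_LENGTH, NULL, 10)` reports neither parse errors nor overflow and accepts a leading minus sign, so a value such as `-1` becomes the largest `size_t`. In that case `sizeof(char) * content_length + 1` wraps to zero while `fread` is still asked for `content_length` bytes, and the `malloc` result is not checked either. The same unchecked conversion is added to parse_form_encoded in the hunk at -220,7. I would parse with an end pointer and `errno` (needs `<errno.h>`), reject non-digit input and values that leave no room for the terminator, preferably cap the size at a configured maximum, and check `buffer` for NULL. The `return NULL` in the sketch is an assumption, because get_POST's failure convention and the rest of its body are outside the hunk.

```c
  char *end;
  unsigned long long len;

  if (CONTENT_LENGTH != NULL) {
    errno = 0;
    len = strtoull(CONTENT_LENGTH, &end, 10);
    /* digits only: no sign, no leading blanks, no trailing junk */
    if (CONTENT_LENGTH[0] < '0' || CONTENT_LENGTH[0] > '9' || *end != '\0' ||
        errno == ERANGE || len >= (size_t)-1)
      return NULL;
    content_length = (size_t)len;
    buffer = (char *)malloc(content_length + 1);
    if (buffer == NULL)
      return NULL;
    /* … unchanged: fread of content_length bytes and the consistency check … */
```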
+@@ -202,7 +206,7 @@
+
+ int parse_form_encoded(llist* entries)
+ {
+- long content_length;
++ size_t content_length, fnsize;
+ entrytype entry;
+ node* window;
+ FILE *uploadfile;
+@@ -220,7 +224,7 @@
+ _fmode = BINARY; /* default all file I/O as binary */
+ #endif
+ if (CONTENT_LENGTH != NULL)
+- content_length = atol(CONTENT_LENGTH);
++ content_length = (size_t)strtoull(CONTENT_LENGTH, NULL, 10);
+ else
+ return 0;
+ /* get boundary */
+@@ -241,14 +245,20 @@
+ robustness sake. */
+ buffer[bytesread] = '\0';
+ tempstr = newstr(buffer);
+- tempstr += (sizeof(char) * 38); /* 38 is header up to name */
+- entry.name = tempstr;
++ entry.name = strstr(tempstr, "name=\"");
++ if (entry.name == NULL) {
++ free(tempstr);
++ return 0;
++ }
++ entry.name += 6;
++ if (strchr(entry.name, '"') == NULL) {
++ free(tempstr);
++ return 0;
++ }
++ *strchr(entry.name, '"') = '\0';
+ entry.value = (char *)malloc(sizeof(char) * BUFSIZ + 1);
+ buffersize = BUFSIZ;
+ strcpy(entry.value,"");
+- while (*tempstr != '"')
+- tempstr++;
+- *tempstr = '\0';
+ if (strstr(buffer,"filename=\"") != NULL) {
+ isfile = 1;
+ tempstr = newstr(buffer);
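Review bot: `strstr(tempstr, "name=\"")` also matches the tail of `filename="`, so if a client sends the filename parameter before the name parameter, the field name is taken from the filename value. One option is to accept a match only when the character before it is a space or `;`, and to continue searching otherwise. The closing quote is also looked up twice; storing it once, as in `q = strchr(entry.name, '"');` followed by the NULL test and `*q = '\0';`, keeps the check and the write on the same pointer. The result of the `malloc` for `entry.value` in the context lines is passed to `strcpy` unchecked, and the surrounding loop is outside the hunk.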
+@@ -258,9 +268,9 @@
+ entry.value = (char *) realloc(entry.value, sizeof(char) *
+ strlen(tempstr)+1);
+ entry.value = tempstr;
+- while (*tempstr != '"')
+- tempstr++;
+- *tempstr = '\0';
++ if (strchr(tempstr, '"') == NULL)
++ return 0;
++ *strchr(tempstr, '"') = '\0';
+ /* Netscape's Windows browsers handle paths differently from its
+ UNIX and Mac browsers. It delivers a full path for the uploaded
+ file (which it shouldn't do), and it uses backslashes rather than
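Review bot: The added `return 0` for a filename without a closing quote exits without releasing the copy made by `newstr(buffer)` or the earlier name copy, unlike the name check in the hunk at -241,14, which frees `tempstr` first. The lines between `tempstr = newstr(buffer);` and this hunk are not visible, and `tempstr` may already have been advanced past `filename="`. The safe form is therefore to keep the pointer returned by `newstr` in a separate local and `free` that one on this path. The context line `entry.value = tempstr;` also discards the block just returned by `realloc`, so that allocation is lost on every upload. As a smaller point, call `strchr(tempstr, '"')` once and reuse the result for both the test and the `'\0'` write.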
+@@ -275,13 +285,12 @@
+ }
+ window = list_insafter(entries,window,entry);
+ numentries++;
+- uploadfname = (char *)malloc(strlen(UPLOADDIR)+strlen(entry.value)+2);
+-#ifdef WINDOWS
+- sprintf(uploadfname,"%s\\%s",UPLOADDIR,entry.value);
+-#else
+- sprintf(uploadfname,"%s/%s",UPLOADDIR,entry.value);
+-#endif
+- if ( (uploadfile = fopen(uploadfname,"w")) == NULL) {
++ fnsize = strlen(UPLOADDIR) + 30;
++ uploadfname = (char *)malloc(fnsize);
++ snprintf(uploadfname,fnsize,"%s/cgihtml-upload-XXXXXX",UPLOADDIR);
++ uploadfname[fnsize - 1] = '\0';
++ if (mktemp(uploadfname) == NULL ||
++ (uploadfile = fopen(uploadfname,"w")) == NULL) {
+ /* null filename; for now, just don't save info. later, save
+ to default file */
+ isfile = 0;
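Review bot: `mktemp()` followed by `fopen(uploadfname,"w")` leaves a window between choosing the name and creating the file, and `fopen` in "w" mode follows an existing symlink and truncates its target. The upload path is therefore still unsafe when UPLOADDIR is writable by other local users. On the non-Windows side, `mkstemp()` plus `fdopen()` creates the file atomically (O_EXCL, owner-only mode), and the Windows branch can keep the `_mktemp` mapping. The `malloc(fnsize)` result is also passed to `snprintf` unchecked. The sketch needs a new `int upfd` local in parse_form_encoded, whose declarations and the rest of the failure branch are outside this hunk.

```c
        uploadfname = (char *)malloc(fnsize);
        /* … unchanged: snprintf of the template and explicit termination … */
#ifdef WINDOWS
        uploadfile = (mktemp(uploadfname) == NULL) ? NULL : fopen(uploadfname,"w");
#else
        upfd = mkstemp(uploadfname);    /* creates and opens the file in one step */
        uploadfile = (upfd == -1) ? NULL : fdopen(upfd,"w");
        if (upfd != -1 && uploadfile == NULL) {
          /* fdopen failed: do not leave the descriptor or the empty file behind */
          close(upfd);
          unlink(uploadfname);
        }
#endif
        if (uploadfile == NULL) {
          /* … unchanged: "null filename" fallback … */
```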
+@@ -529,9 +538,9 @@
int numcookies = 0;
short NM = 1;