[vhffs-dev] [605] Add input checking of config value to avoid /../../../ or http:// by terrible hacking tools ! :-) |
- To: vhffs-dev@xxxxxxxxx
- Subject: [vhffs-dev] [605] Add input checking of config value to avoid /../../../ or http:// by terrible hacking tools ! :-)
- From: subversion@xxxxxxxxx
- Date: Sun, 13 May 2007 21:59:25 +0200
Revision: 605
Author: gradator
Date: 2007-05-13 19:59:23 +0000 (Sun, 13 May 2007)
Log Message:
-----------
Add input checking of config value to avoid /../../../ or http:// by terrible hacking tools ! :-)
Modified Paths:
--------------
branches/vhffs-4.0/vhffs-robots/misc/awstats_6.4_vhffs.patch
branches/vhffs-4.0/vhffs-robots/misc/awstats_6.5_vhffs.patch
branches/vhffs-4.0/vhffs-robots/misc/repository.awstats_6.4_vhffs.patch
branches/vhffs-4.0/vhffs-robots/misc/repository.awstats_6.5_vhffs.patch
trunk/vhffs-robots/misc/awstats_6.4_vhffs.patch
trunk/vhffs-robots/misc/awstats_6.5_vhffs.patch
trunk/vhffs-robots/misc/awstats_6.6_vhffs.patch
trunk/vhffs-robots/misc/repository.awstats_6.4_vhffs.patch
trunk/vhffs-robots/misc/repository.awstats_6.5_vhffs.patch
Added Paths:
-----------
trunk/vhffs-robots/misc/repository.awstats_6.6_vhffs.patch
Modified: branches/vhffs-4.0/vhffs-robots/misc/awstats_6.4_vhffs.patch
===================================================================
--- branches/vhffs-4.0/vhffs-robots/misc/awstats_6.4_vhffs.patch 2007-05-08 06:04:25 UTC (rev 604)
+++ branches/vhffs-4.0/vhffs-robots/misc/awstats_6.4_vhffs.patch 2007-05-13 19:59:23 UTC (rev 605)
@@ -8,6 +8,7 @@
- @PossibleConfigDir=("$configdir");
- }
- else { @PossibleConfigDir=("$DIR","/etc/awstats","/usr/local/etc/awstats","/etc","/etc/opt/awstats"); }
++ error("Wrong config name") unless( $SiteConfig =~ /^[0-9a-z\.\-]+$/ );
+ use Digest::MD5 qw(md5 md5_hex md5_base64);
+ my $vhffssitehash = md5_hex( $SiteConfig );
+ my $vhffsconfigdir = '/data/web/'.substr( $vhffssitehash, 0, 2 ).'/'.substr( $vhffssitehash, 2, 2 ).'/'.substr( $vhffssitehash, 4, 2 ).'/'.$SiteConfig.'/awstats';
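Review bot: The new check `++ error("Wrong config name") unless( $SiteConfig =~ /^[0-9a-z\.\-]+$/ );` still accepts a name made only of dots such as `..`, and its `$` anchor also accepts a value with a trailing newline, because in Perl `$` matches before a final `\n`. With `..` the directory built three lines later becomes `/data/web/xx/yy/zz/../awstats`, one level above the hash leaf; no `/` can get through the class, so the traversal is bounded, but it is a name the hash layout never produces and should be rejected outright. Anchoring on string start and end and requiring a leading alphanumeric closes both gaps: `error("Wrong config name") unless( $SiteConfig =~ /\A[0-9a-z][0-9a-z.-]*\z/ );` — that also rejects a leading dot or hyphen, which looks right if vhffs web names are domain-like, but please confirm. The check relies on `error()` terminating the script, presumably as in stock awstats.pl; the enclosing Read_Config body starts and ends outside this hunk.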
Modified: branches/vhffs-4.0/vhffs-robots/misc/awstats_6.5_vhffs.patch
===================================================================
--- branches/vhffs-4.0/vhffs-robots/misc/awstats_6.5_vhffs.patch 2007-05-08 06:04:25 UTC (rev 604)
+++ branches/vhffs-4.0/vhffs-robots/misc/awstats_6.5_vhffs.patch 2007-05-13 19:59:23 UTC (rev 605)
@@ -6,6 +6,7 @@
- if ($configdir && $ENV{"AWSTATS_ENABLE_CONFIG_DIR"}) { @PossibleConfigDir=("$configdir"); }
- else { @PossibleConfigDir=("$DIR","/etc/awstats","/usr/local/etc/awstats","/etc","/etc/opt/awstats"); }
++ error("Wrong config name") unless( $SiteConfig =~ /^[0-9a-z\.\-]+$/ );
+ use Digest::MD5 qw(md5 md5_hex md5_base64);
+ my $vhffssitehash = md5_hex( $SiteConfig );
+ my $vhffsconfigdir = '/data/web/'.substr( $vhffssitehash, 0, 2 ).'/'.substr( $vhffssitehash, 2, 2 ).'/'.substr( $vhffssitehash, 4, 2 ).'/'.$SiteConfig.'/awstats';
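Review bot: The regex in `++ error("Wrong config name") unless( $SiteConfig =~ /^[0-9a-z\.\-]+$/ );` has two soft spots: the class admits a name consisting solely of dots (`.`, `..`), and `$` in Perl also matches before a trailing newline, so `"name\n"` passes. A `..` name yields `/data/web/xx/yy/zz/../awstats` on the last line of the hunk, which is bounded (no slash can be injected) but still escapes the per-site leaf. Prefer `error("Wrong config name") unless( $SiteConfig =~ /\A[0-9a-z][0-9a-z.-]*\z/ );`, which uses the true string-end anchors and forces a leading alphanumeric; verify that no legitimate vhffs site name starts with `.` or `-`. Read_Config's body continues outside this hunk.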
Modified: branches/vhffs-4.0/vhffs-robots/misc/repository.awstats_6.4_vhffs.patch
===================================================================
--- branches/vhffs-4.0/vhffs-robots/misc/repository.awstats_6.4_vhffs.patch 2007-05-08 06:04:25 UTC (rev 604)
+++ branches/vhffs-4.0/vhffs-robots/misc/repository.awstats_6.4_vhffs.patch 2007-05-13 19:59:23 UTC (rev 605)
@@ -8,6 +8,7 @@
- @PossibleConfigDir=("$configdir");
- }
- else { @PossibleConfigDir=("$DIR","/etc/awstats","/usr/local/etc/awstats","/etc","/etc/opt/awstats"); }
++ error("Wrong config name") unless( $SiteConfig =~ /^[0-9a-z]+$/ );
+ my $vhffsconfigdir = '/data/logs/repository/parsed/'.$SiteConfig.'/awstats';
+ @PossibleConfigDir=("$vhffsconfigdir");
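Review bot: The added `++ error("Wrong config name") unless( $SiteConfig =~ /^[0-9a-z]+$/ );` uses `$`, which in Perl also matches just before a trailing newline, so a value like `"name\n"` passes and is concatenated into `/data/logs/repository/parsed/` on the next line. Use the string-end anchors so the regex says what it means: `error("Wrong config name") unless( $SiteConfig =~ /\A[0-9a-z]+\z/ );`. The character class itself is tight (no dots, no slashes), so no traversal is possible through it; the likely effect of a stray newline is only a failed config open, but it should not pass validation. The surrounding Read_Config body begins and ends outside this hunk.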
Modified: branches/vhffs-4.0/vhffs-robots/misc/repository.awstats_6.5_vhffs.patch
===================================================================
--- branches/vhffs-4.0/vhffs-robots/misc/repository.awstats_6.5_vhffs.patch 2007-05-08 06:04:25 UTC (rev 604)
+++ branches/vhffs-4.0/vhffs-robots/misc/repository.awstats_6.5_vhffs.patch 2007-05-13 19:59:23 UTC (rev 605)
@@ -8,6 +8,7 @@
- @PossibleConfigDir=("$configdir");
- }
- else { @PossibleConfigDir=("$DIR","/etc/awstats","/usr/local/etc/awstats","/etc","/etc/opt/awstats"); }
++ error("Wrong config name") unless( $SiteConfig =~ /^[0-9a-z]+$/ );
+ my $vhffsconfigdir = '/data/logs/repository/parsed/'.$SiteConfig.'/awstats';
+ @PossibleConfigDir=("$vhffsconfigdir");
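Review bot: `^...$` in `++ error("Wrong config name") unless( $SiteConfig =~ /^[0-9a-z]+$/ );` is not a full-string anchor in Perl — `$` accepts a final newline — so `"name\n"` survives the check and reaches the path concatenation on the following line. Replace with `error("Wrong config name") unless( $SiteConfig =~ /\A[0-9a-z]+\z/ );`. The class is otherwise strict enough that no `..` or `/` can get in, so this is a tightening rather than a traversal fix. Read_Config starts before and ends after this hunk.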
Modified: trunk/vhffs-robots/misc/awstats_6.4_vhffs.patch
===================================================================
--- trunk/vhffs-robots/misc/awstats_6.4_vhffs.patch 2007-05-08 06:04:25 UTC (rev 604)
+++ trunk/vhffs-robots/misc/awstats_6.4_vhffs.patch 2007-05-13 19:59:23 UTC (rev 605)
@@ -8,6 +8,7 @@
- @PossibleConfigDir=("$configdir");
- }
- else { @PossibleConfigDir=("$DIR","/etc/awstats","/usr/local/etc/awstats","/etc","/etc/opt/awstats"); }
++ error("Wrong config name") unless( $SiteConfig =~ /^[0-9a-z\.\-]+$/ );
+ use Digest::MD5 qw(md5 md5_hex md5_base64);
+ my $vhffssitehash = md5_hex( $SiteConfig );
+ my $vhffsconfigdir = '/data/web/'.substr( $vhffssitehash, 0, 2 ).'/'.substr( $vhffssitehash, 2, 2 ).'/'.substr( $vhffssitehash, 4, 2 ).'/'.$SiteConfig.'/awstats';
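Review bot: The check `++ error("Wrong config name") unless( $SiteConfig =~ /^[0-9a-z\.\-]+$/ );` accepts `..` (the class allows any run of dots) and, because Perl's `$` matches before a trailing `\n`, also accepts a name ending in a newline. A `..` name turns the path built on the last line into `/data/web/xx/yy/zz/../awstats`, one directory above the hash leaf; the traversal cannot go further since `/` is excluded, but the name should still be refused. Suggest `error("Wrong config name") unless( $SiteConfig =~ /\A[0-9a-z][0-9a-z.-]*\z/ );`, which anchors on real string boundaries and requires a leading alphanumeric — confirm that vhffs web names never start with `.` or `-`. This relies on `error()` aborting, presumably as in stock awstats.pl; the enclosing Read_Config body lies outside this hunk.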
Modified: trunk/vhffs-robots/misc/awstats_6.5_vhffs.patch
===================================================================
--- trunk/vhffs-robots/misc/awstats_6.5_vhffs.patch 2007-05-08 06:04:25 UTC (rev 604)
+++ trunk/vhffs-robots/misc/awstats_6.5_vhffs.patch 2007-05-13 19:59:23 UTC (rev 605)
@@ -6,6 +6,7 @@
- if ($configdir && $ENV{"AWSTATS_ENABLE_CONFIG_DIR"}) { @PossibleConfigDir=("$configdir"); }
- else { @PossibleConfigDir=("$DIR","/etc/awstats","/usr/local/etc/awstats","/etc","/etc/opt/awstats"); }
++ error("Wrong config name") unless( $SiteConfig =~ /^[0-9a-z\.\-]+$/ );
+ use Digest::MD5 qw(md5 md5_hex md5_base64);
+ my $vhffssitehash = md5_hex( $SiteConfig );
+ my $vhffsconfigdir = '/data/web/'.substr( $vhffssitehash, 0, 2 ).'/'.substr( $vhffssitehash, 2, 2 ).'/'.substr( $vhffssitehash, 4, 2 ).'/'.$SiteConfig.'/awstats';
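Review bot: In `++ error("Wrong config name") unless( $SiteConfig =~ /^[0-9a-z\.\-]+$/ );` the class `[0-9a-z\.\-]` matches a dots-only name such as `..`, and `$` lets a trailing newline through, so neither is rejected before `$SiteConfig` is spliced into the directory on the hunk's last line. The `..` case resolves to the parent of the hash leaf — bounded, because no slash is allowed, but still outside the intended per-site directory. A stricter pattern that fixes both is `error("Wrong config name") unless( $SiteConfig =~ /\A[0-9a-z][0-9a-z.-]*\z/ );`; check that requiring a leading alphanumeric does not reject any real site name. Read_Config's body continues outside the hunk.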
Modified: trunk/vhffs-robots/misc/awstats_6.6_vhffs.patch
===================================================================
--- trunk/vhffs-robots/misc/awstats_6.6_vhffs.patch 2007-05-08 06:04:25 UTC (rev 604)
+++ trunk/vhffs-robots/misc/awstats_6.6_vhffs.patch 2007-05-13 19:59:23 UTC (rev 605)
@@ -17,11 +17,11 @@
- }
- }
- else { @PossibleConfigDir=("$DIR","/etc/awstats","/usr/local/etc/awstats","/etc","/etc/opt/awstats"); }
++ error("Wrong config name") unless( $SiteConfig =~ /^[0-9a-z\.\-]+$/ );
+ use Digest::MD5 qw(md5 md5_hex md5_base64);
+ my $vhffssitehash = md5_hex( $SiteConfig );
+ my $vhffsconfigdir = '/data/web/'.substr( $vhffssitehash, 0, 2 ).'/'.substr( $vhffssitehash, 2, 2 ).'/'.substr( $vhffssitehash, 4, 2 ).'/'.$SiteConfig.'/awstats';
+ @PossibleConfigDir=("$vhffsconfigdir");
-+
# Open config file
$FileConfig=$FileSuffix='';
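Review bot: The new line `++ error("Wrong config name") unless( $SiteConfig =~ /^[0-9a-z\.\-]+$/ );` lets `..` through (the class permits a pure run of dots) and, since Perl's `$` matches before a final newline, also lets `"name\n"` through; both then reach the `$vhffsconfigdir` concatenation and `@PossibleConfigDir` below. With `..` the config dir becomes `/data/web/xx/yy/zz/../awstats`, one level above the hash leaf; `/` is excluded so it cannot climb further, but it should be rejected. Prefer `error("Wrong config name") unless( $SiteConfig =~ /\A[0-9a-z][0-9a-z.-]*\z/ );`, anchoring on true string ends and requiring a leading alphanumeric, if vhffs names are domain-like. The enclosing Read_Config body starts and ends outside this hunk (the inner `@@ -17,11 +17,11 @@` header shows it is mid-function).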
Modified: trunk/vhffs-robots/misc/repository.awstats_6.4_vhffs.patch
===================================================================
--- trunk/vhffs-robots/misc/repository.awstats_6.4_vhffs.patch 2007-05-08 06:04:25 UTC (rev 604)
+++ trunk/vhffs-robots/misc/repository.awstats_6.4_vhffs.patch 2007-05-13 19:59:23 UTC (rev 605)
@@ -8,6 +8,7 @@
- @PossibleConfigDir=("$configdir");
- }
- else { @PossibleConfigDir=("$DIR","/etc/awstats","/usr/local/etc/awstats","/etc","/etc/opt/awstats"); }
++ error("Wrong config name") unless( $SiteConfig =~ /^[0-9a-z]+$/ );
+ my $vhffsconfigdir = '/data/logs/repository/parsed/'.$SiteConfig.'/awstats';
+ @PossibleConfigDir=("$vhffsconfigdir");
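Review bot: `++ error("Wrong config name") unless( $SiteConfig =~ /^[0-9a-z]+$/ );` relies on `$`, which in Perl also matches before a trailing newline, so a name ending in `\n` passes and is appended to `/data/logs/repository/parsed/` on the next line. Anchor on the real string end: `error("Wrong config name") unless( $SiteConfig =~ /\A[0-9a-z]+\z/ );`. The class excludes dots and slashes, so no traversal is possible here; the fix is about making the validation exact rather than closing an escape. Read_Config begins and ends outside this hunk.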
Modified: trunk/vhffs-robots/misc/repository.awstats_6.5_vhffs.patch
===================================================================
--- trunk/vhffs-robots/misc/repository.awstats_6.5_vhffs.patch 2007-05-08 06:04:25 UTC (rev 604)
+++ trunk/vhffs-robots/misc/repository.awstats_6.5_vhffs.patch 2007-05-13 19:59:23 UTC (rev 605)
@@ -8,6 +8,7 @@
- @PossibleConfigDir=("$configdir");
- }
- else { @PossibleConfigDir=("$DIR","/etc/awstats","/usr/local/etc/awstats","/etc","/etc/opt/awstats"); }
++ error("Wrong config name") unless( $SiteConfig =~ /^[0-9a-z]+$/ );
+ my $vhffsconfigdir = '/data/logs/repository/parsed/'.$SiteConfig.'/awstats';
+ @PossibleConfigDir=("$vhffsconfigdir");
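Review bot: The anchor pair `^...$` in `++ error("Wrong config name") unless( $SiteConfig =~ /^[0-9a-z]+$/ );` still admits a value with a trailing newline (Perl's `$` matches before a final `\n`), which then flows into the `/data/logs/repository/parsed/` path on the following line. Use `error("Wrong config name") unless( $SiteConfig =~ /\A[0-9a-z]+\z/ );` instead. Since the class contains neither `.` nor `/`, no path traversal is reachable through this value; this is a precision fix. The surrounding Read_Config body is outside the hunk.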
Added: trunk/vhffs-robots/misc/repository.awstats_6.6_vhffs.patch
===================================================================
--- trunk/vhffs-robots/misc/repository.awstats_6.6_vhffs.patch 2007-05-08 06:04:25 UTC (rev 604)
+++ trunk/vhffs-robots/misc/repository.awstats_6.6_vhffs.patch 2007-05-13 19:59:23 UTC (rev 605)
@@ -0,0 +1,34 @@
+--- /usr/lib/cgi-bin/awstats.pl 2007-04-09 18:52:46.000000000 +0200
++++ awstats.pl 2007-04-09 18:50:35.000000000 +0200
+@@ -1131,19 +1131,11 @@
+ my $configdir=shift;
+ my @PossibleConfigDir=();
+
+- if ($configdir)
+- {
+- # If from CGI, overwriting of configdir is only possible if AWSTATS_ENABLE_CONFIG_DIR defined
+- if ($ENV{'GATEWAY_INTERFACE'} && ! $ENV{"AWSTATS_ENABLE_CONFIG_DIR"})
+- {
+- error("Sorry, to allow overwriting of configdir parameter from an AWStats CGI usage, environment variable AWSTATS_ENABLE_CONFIG_DIR must be set to 1");
+- }
+- else
+- {
+- @PossibleConfigDir=("$configdir");
+- }
+- }
+- else { @PossibleConfigDir=("$DIR","/etc/awstats","/usr/local/etc/awstats","/etc","/etc/opt/awstats"); }
++ error("Wrong config name") unless( $SiteConfig =~ /^[0-9a-z]+$/ );
++ my $vhffsconfigdir = '/data/logs/repository/parsed/'.$SiteConfig.'/awstats';
++ @PossibleConfigDir=("$vhffsconfigdir");
+
+ # Open config file
+ $FileConfig=$FileSuffix='';
+@@ -5858,7 +5850,7 @@
+ else { @DOWIndex = (0,1,2,3,4,5,6); }
+
+ # Should we link to ourselves or to a wrapper script
+-$AWScript=($WrapperScript?"$WrapperScript":"$DirCgi$PROG.$Extension");
++$AWScript=($WrapperScript?"$WrapperScript":"/$DirCgi$PROG.$Extension");
+
+ # Print html header (Need HTMLOutput,Expires,Lang,StyleSheet,HTMLHeadSectionExpires defined by Read_Config, PageCode defined by Read_Language_Data)
+ if (! $HeaderHTMLSent) { &html_head; }
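Review bot: The validation in the first inner hunk, `error("Wrong config name") unless( $SiteConfig =~ /^[0-9a-z]+$/ );`, uses `$`, which in Perl also matches before a trailing newline, so `"name\n"` passes and is concatenated into `/data/logs/repository/parsed/` on the next line; write it as `error("Wrong config name") unless( $SiteConfig =~ /\A[0-9a-z]+\z/ );`. The class has no dots or slashes, so no traversal is reachable, and dropping the `$configdir`/`AWSTATS_ENABLE_CONFIG_DIR` branch is consistent with pinning a single config directory. In the second inner hunk, prefixing `$DirCgi` with `/` will produce `//cgi-bin/...` if an installation already configures `DirCgi` with a leading slash — I cannot tell from here which form vhffs uses, so worth a one-line comment stating the expected form. Both inner hunks are fragments of larger functions (Read_Config and the HTML-output section) whose bodies lie outside this file.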