[vhffs-dev] [605] Add input checking of config value to avoid /../../../ or http:// by terrible hacking tools ! :-)



Revision: 605
Author:   gradator
Date:     2007-05-13 19:59:23 +0000 (Sun, 13 May 2007)

Log Message:
-----------
Add input checking of config value to avoid /../../../ or http:// by terrible hacking tools ! :-)

Modified Paths:
--------------
    branches/vhffs-4.0/vhffs-robots/misc/awstats_6.4_vhffs.patch
    branches/vhffs-4.0/vhffs-robots/misc/awstats_6.5_vhffs.patch
    branches/vhffs-4.0/vhffs-robots/misc/repository.awstats_6.4_vhffs.patch
    branches/vhffs-4.0/vhffs-robots/misc/repository.awstats_6.5_vhffs.patch
    trunk/vhffs-robots/misc/awstats_6.4_vhffs.patch
    trunk/vhffs-robots/misc/awstats_6.5_vhffs.patch
    trunk/vhffs-robots/misc/awstats_6.6_vhffs.patch
    trunk/vhffs-robots/misc/repository.awstats_6.4_vhffs.patch
    trunk/vhffs-robots/misc/repository.awstats_6.5_vhffs.patch

Added Paths:
-----------
    trunk/vhffs-robots/misc/repository.awstats_6.6_vhffs.patch


Modified: branches/vhffs-4.0/vhffs-robots/misc/awstats_6.4_vhffs.patch
===================================================================
--- branches/vhffs-4.0/vhffs-robots/misc/awstats_6.4_vhffs.patch	2007-05-08 06:04:25 UTC (rev 604)
+++ branches/vhffs-4.0/vhffs-robots/misc/awstats_6.4_vhffs.patch	2007-05-13 19:59:23 UTC (rev 605)
@@ -8,6 +8,7 @@
 -	    @PossibleConfigDir=("$configdir");
 -	}
 -	else { @PossibleConfigDir=("$DIR","/etc/awstats","/usr/local/etc/awstats","/etc","/etc/opt/awstats"); }
++	error("Wrong config name") unless( $SiteConfig =~ /^[0-9a-z\.\-]+$/ );
 +	use Digest::MD5 qw(md5 md5_hex md5_base64);
 +	my $vhffssitehash = md5_hex( $SiteConfig );
 +	my $vhffsconfigdir = '/data/web/'.substr( $vhffssitehash, 0, 2 ).'/'.substr( $vhffssitehash, 2, 2 ).'/'.substr( $vhffssitehash, 4, 2 ).'/'.$SiteConfig.'/awstats';
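Review bot: The character class `[0-9a-z\.\-]` in the guard added at the top of this hunk still accepts a name made only of dots, so a `$SiteConfig` of `..` passes and `$vhffsconfigdir` on the last line becomes `/data/web/<h>/<h>/<h>/../awstats`, one level above the intended directory, which is the traversal the commit message says it is closing. The `$` anchor also matches before a trailing newline, so a name ending in `\n` passes if the CGI parameter parsing elsewhere in awstats.pl lets one through. Requiring a leading alphanumeric and anchoring with `\z` closes both: `error("Wrong config name") unless( $SiteConfig =~ /\A[0-9a-z][0-9a-z.-]*\z/ );` (this additionally rejects names starting with `.` or `-`; confirm against the site-name rules before tightening). The same guard line is added in the awstats_6.5 hunk of this branch and in the trunk awstats_6.4, 6.5 and 6.6 hunks. The enclosing subroutine starts and ends outside the hunk.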

Modified: branches/vhffs-4.0/vhffs-robots/misc/awstats_6.5_vhffs.patch
===================================================================
--- branches/vhffs-4.0/vhffs-robots/misc/awstats_6.5_vhffs.patch	2007-05-08 06:04:25 UTC (rev 604)
+++ branches/vhffs-4.0/vhffs-robots/misc/awstats_6.5_vhffs.patch	2007-05-13 19:59:23 UTC (rev 605)
@@ -6,6 +6,7 @@
  
 -	if ($configdir && $ENV{"AWSTATS_ENABLE_CONFIG_DIR"}) { @PossibleConfigDir=("$configdir"); }
 -	else { @PossibleConfigDir=("$DIR","/etc/awstats","/usr/local/etc/awstats","/etc","/etc/opt/awstats"); }
++	error("Wrong config name") unless( $SiteConfig =~ /^[0-9a-z\.\-]+$/ );
 +	use Digest::MD5 qw(md5 md5_hex md5_base64);
 +	my $vhffssitehash = md5_hex( $SiteConfig );
 +	my $vhffsconfigdir = '/data/web/'.substr( $vhffssitehash, 0, 2 ).'/'.substr( $vhffssitehash, 2, 2 ).'/'.substr( $vhffssitehash, 4, 2 ).'/'.$SiteConfig.'/awstats';

Modified: branches/vhffs-4.0/vhffs-robots/misc/repository.awstats_6.4_vhffs.patch
===================================================================
--- branches/vhffs-4.0/vhffs-robots/misc/repository.awstats_6.4_vhffs.patch	2007-05-08 06:04:25 UTC (rev 604)
+++ branches/vhffs-4.0/vhffs-robots/misc/repository.awstats_6.4_vhffs.patch	2007-05-13 19:59:23 UTC (rev 605)
@@ -8,6 +8,7 @@
 -	    @PossibleConfigDir=("$configdir");
 -	}
 -	else { @PossibleConfigDir=("$DIR","/etc/awstats","/usr/local/etc/awstats","/etc","/etc/opt/awstats"); }
++	error("Wrong config name") unless( $SiteConfig =~ /^[0-9a-z]+$/ );
 +	my $vhffsconfigdir = '/data/logs/repository/parsed/'.$SiteConfig.'/awstats';
 +	@PossibleConfigDir=("$vhffsconfigdir");
  
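Review bot: The `$` anchor in `/^[0-9a-z]+$/` on the guard added at the top of this hunk matches before a final newline, so a `$SiteConfig` of `foo\n` passes and the newline is concatenated into `$vhffsconfigdir` on the next line; `\A` and `\z` pin the whole string: `error("Wrong config name") unless( $SiteConfig =~ /\A[0-9a-z]+\z/ );`. Whether a newline can reach `$SiteConfig` depends on the CGI parameter parsing elsewhere in awstats.pl, outside this hunk. The guard also relies on `error()` terminating the script; if it only reports, the path is still built and pushed into `@PossibleConfigDir`. The same line is added in the repository.awstats_6.5 hunk of this branch, in the trunk repository 6.4 and 6.5 hunks, and in the new trunk repository.awstats_6.6 patch.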

Modified: branches/vhffs-4.0/vhffs-robots/misc/repository.awstats_6.5_vhffs.patch
===================================================================
--- branches/vhffs-4.0/vhffs-robots/misc/repository.awstats_6.5_vhffs.patch	2007-05-08 06:04:25 UTC (rev 604)
+++ branches/vhffs-4.0/vhffs-robots/misc/repository.awstats_6.5_vhffs.patch	2007-05-13 19:59:23 UTC (rev 605)
@@ -8,6 +8,7 @@
 -	    @PossibleConfigDir=("$configdir");
 -	}
 -	else { @PossibleConfigDir=("$DIR","/etc/awstats","/usr/local/etc/awstats","/etc","/etc/opt/awstats"); }
++	error("Wrong config name") unless( $SiteConfig =~ /^[0-9a-z]+$/ );
 +	my $vhffsconfigdir = '/data/logs/repository/parsed/'.$SiteConfig.'/awstats';
 +	@PossibleConfigDir=("$vhffsconfigdir");
  

Modified: trunk/vhffs-robots/misc/awstats_6.4_vhffs.patch
===================================================================
--- trunk/vhffs-robots/misc/awstats_6.4_vhffs.patch	2007-05-08 06:04:25 UTC (rev 604)
+++ trunk/vhffs-robots/misc/awstats_6.4_vhffs.patch	2007-05-13 19:59:23 UTC (rev 605)
@@ -8,6 +8,7 @@
 -	    @PossibleConfigDir=("$configdir");
 -	}
 -	else { @PossibleConfigDir=("$DIR","/etc/awstats","/usr/local/etc/awstats","/etc","/etc/opt/awstats"); }
++	error("Wrong config name") unless( $SiteConfig =~ /^[0-9a-z\.\-]+$/ );
 +	use Digest::MD5 qw(md5 md5_hex md5_base64);
 +	my $vhffssitehash = md5_hex( $SiteConfig );
 +	my $vhffsconfigdir = '/data/web/'.substr( $vhffssitehash, 0, 2 ).'/'.substr( $vhffssitehash, 2, 2 ).'/'.substr( $vhffssitehash, 4, 2 ).'/'.$SiteConfig.'/awstats';

Modified: trunk/vhffs-robots/misc/awstats_6.5_vhffs.patch
===================================================================
--- trunk/vhffs-robots/misc/awstats_6.5_vhffs.patch	2007-05-08 06:04:25 UTC (rev 604)
+++ trunk/vhffs-robots/misc/awstats_6.5_vhffs.patch	2007-05-13 19:59:23 UTC (rev 605)
@@ -6,6 +6,7 @@
  
 -	if ($configdir && $ENV{"AWSTATS_ENABLE_CONFIG_DIR"}) { @PossibleConfigDir=("$configdir"); }
 -	else { @PossibleConfigDir=("$DIR","/etc/awstats","/usr/local/etc/awstats","/etc","/etc/opt/awstats"); }
++	error("Wrong config name") unless( $SiteConfig =~ /^[0-9a-z\.\-]+$/ );
 +	use Digest::MD5 qw(md5 md5_hex md5_base64);
 +	my $vhffssitehash = md5_hex( $SiteConfig );
 +	my $vhffsconfigdir = '/data/web/'.substr( $vhffssitehash, 0, 2 ).'/'.substr( $vhffssitehash, 2, 2 ).'/'.substr( $vhffssitehash, 4, 2 ).'/'.$SiteConfig.'/awstats';

Modified: trunk/vhffs-robots/misc/awstats_6.6_vhffs.patch
===================================================================
--- trunk/vhffs-robots/misc/awstats_6.6_vhffs.patch	2007-05-08 06:04:25 UTC (rev 604)
+++ trunk/vhffs-robots/misc/awstats_6.6_vhffs.patch	2007-05-13 19:59:23 UTC (rev 605)
@@ -17,11 +17,11 @@
 -		}
 -	}
 -	else { @PossibleConfigDir=("$DIR","/etc/awstats","/usr/local/etc/awstats","/etc","/etc/opt/awstats"); }
++	error("Wrong config name") unless( $SiteConfig =~ /^[0-9a-z\.\-]+$/ );
 +       use Digest::MD5 qw(md5 md5_hex md5_base64);
 +       my $vhffssitehash = md5_hex( $SiteConfig );
 +       my $vhffsconfigdir = '/data/web/'.substr( $vhffssitehash, 0, 2 ).'/'.substr( $vhffssitehash, 2, 2 ).'/'.substr( $vhffssitehash, 4, 2 ).'/'.$SiteConfig.'/awstats';
 +       @PossibleConfigDir=("$vhffsconfigdir");
-+
  
  	# Open config file
  	$FileConfig=$FileSuffix='';
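Review bot: The guard line added in this hunk is indented with a tab while the neighbouring added lines of the same patch file use seven spaces, so the patched awstats.pl mixes both within one statement run; the other web-variant patch files in this commit use tabs throughout. Re-indenting the new line to match its neighbours, `+       error("Wrong config name") unless( $SiteConfig =~ /^[0-9a-z\.\-]+$/ );`, keeps the generated file consistent and makes later rebases of the patch less fragile. The enclosing subroutine starts outside the hunk.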

Modified: trunk/vhffs-robots/misc/repository.awstats_6.4_vhffs.patch
===================================================================
--- trunk/vhffs-robots/misc/repository.awstats_6.4_vhffs.patch	2007-05-08 06:04:25 UTC (rev 604)
+++ trunk/vhffs-robots/misc/repository.awstats_6.4_vhffs.patch	2007-05-13 19:59:23 UTC (rev 605)
@@ -8,6 +8,7 @@
 -	    @PossibleConfigDir=("$configdir");
 -	}
 -	else { @PossibleConfigDir=("$DIR","/etc/awstats","/usr/local/etc/awstats","/etc","/etc/opt/awstats"); }
++	error("Wrong config name") unless( $SiteConfig =~ /^[0-9a-z]+$/ );
 +	my $vhffsconfigdir = '/data/logs/repository/parsed/'.$SiteConfig.'/awstats';
 +	@PossibleConfigDir=("$vhffsconfigdir");
  

Modified: trunk/vhffs-robots/misc/repository.awstats_6.5_vhffs.patch
===================================================================
--- trunk/vhffs-robots/misc/repository.awstats_6.5_vhffs.patch	2007-05-08 06:04:25 UTC (rev 604)
+++ trunk/vhffs-robots/misc/repository.awstats_6.5_vhffs.patch	2007-05-13 19:59:23 UTC (rev 605)
@@ -8,6 +8,7 @@
 -	    @PossibleConfigDir=("$configdir");
 -	}
 -	else { @PossibleConfigDir=("$DIR","/etc/awstats","/usr/local/etc/awstats","/etc","/etc/opt/awstats"); }
++	error("Wrong config name") unless( $SiteConfig =~ /^[0-9a-z]+$/ );
 +	my $vhffsconfigdir = '/data/logs/repository/parsed/'.$SiteConfig.'/awstats';
 +	@PossibleConfigDir=("$vhffsconfigdir");
  

Added: trunk/vhffs-robots/misc/repository.awstats_6.6_vhffs.patch
===================================================================
--- trunk/vhffs-robots/misc/repository.awstats_6.6_vhffs.patch	2007-05-08 06:04:25 UTC (rev 604)
+++ trunk/vhffs-robots/misc/repository.awstats_6.6_vhffs.patch	2007-05-13 19:59:23 UTC (rev 605)
@@ -0,0 +1,34 @@
+--- /usr/lib/cgi-bin/awstats.pl	2007-04-09 18:52:46.000000000 +0200
++++ awstats.pl	2007-04-09 18:50:35.000000000 +0200
+@@ -1131,19 +1131,11 @@
+ 	my $configdir=shift;
+ 	my @PossibleConfigDir=();
+ 
+-	if ($configdir)
+-	{
+-		# If from CGI, overwriting of configdir is only possible if AWSTATS_ENABLE_CONFIG_DIR defined
+-		if ($ENV{'GATEWAY_INTERFACE'} && ! $ENV{"AWSTATS_ENABLE_CONFIG_DIR"})
+-		{
+-			error("Sorry, to allow overwriting of configdir parameter from an AWStats CGI usage, environment variable AWSTATS_ENABLE_CONFIG_DIR must be set to 1");
+-		}
+-		else
+-		{
+-			@PossibleConfigDir=("$configdir");
+-		}
+-	}
+-	else { @PossibleConfigDir=("$DIR","/etc/awstats","/usr/local/etc/awstats","/etc","/etc/opt/awstats"); }
++	error("Wrong config name") unless( $SiteConfig =~ /^[0-9a-z]+$/ );
++	my $vhffsconfigdir = '/data/logs/repository/parsed/'.$SiteConfig.'/awstats';
++	@PossibleConfigDir=("$vhffsconfigdir");
+ 
+ 	# Open config file
+ 	$FileConfig=$FileSuffix='';
+@@ -5858,7 +5850,7 @@
+ else { @DOWIndex = (0,1,2,3,4,5,6); }
+ 
+ # Should we link to ourselves or to a wrapper script
+-$AWScript=($WrapperScript?"$WrapperScript":"$DirCgi$PROG.$Extension");
++$AWScript=($WrapperScript?"$WrapperScript":"/$DirCgi$PROG.$Extension");
+ 
+ # Print html header (Need HTMLOutput,Expires,Lang,StyleSheet,HTMLHeadSectionExpires defined by Read_Config, PageCode defined by Read_Language_Data)
+ if (! $HeaderHTMLSent) { &html_head; }

