Author: rjones Update of /cvs/pkgs/rpms/mldonkey/EL-5 In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv15661 Modified Files: mldonkey.spec Added Files: url_slashes.patch Log Message: - Fix remote arbitrary file disclosure via a GET request with more than one leading / (slash) character in the filename (rhbz#487132). url_slashes.patch: --- NEW FILE url_slashes.patch --- diff -a -x Root -x Repository -x Tag -x Entries -x Entries.Log -x .svn -x '*.rej' -x '*.orig' -x '*.cmi' -x '*.cma' -x '*.cmo' -x '*.cmx' -x '*.cmxa' -x '*.a' -x '*.o' -x .depend -x Makefile -x mlnet -x ocamlpp.byte -N -r -u ./src/utils/lib/url.ml ./src/utils/lib/url.ml --- ./src/utils/lib/url.ml 2007-03-17 19:49:32.000000000 +0100 +++ ./src/utils/lib/url.ml 2009-02-23 19:29:04.000000000 +0100 @@ -175,6 +175,19 @@ Buffer.contents res let of_string ?(args=[]) s = + let remove_leading_slashes s = + let len = String.length s in + let left = + let rec aux i = + if i < len && s.[i] = '/' then aux (i+1) else i in + aux 0 in + if left = 0 then s + else + String.sub s left (len - left) in + + (* redefine s to remove all leading slashes *) + let s = remove_leading_slashes s in + let s = put_args s args in let url = let get_two init_pos = Index: mldonkey.spec =================================================================== RCS file: /cvs/pkgs/rpms/mldonkey/EL-5/mldonkey.spec,v retrieving revision 1.3 retrieving revision 1.4 diff -u -r1.3 -r1.4 --- mldonkey.spec 10 Feb 2009 16:06:35 -0000 1.3 +++ mldonkey.spec 26 Feb 2009 09:00:47 -0000 1.4 @@ -1,6 +1,6 @@ Name: mldonkey Version: 2.9.7 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Client for several P2P networks License: GPLv2+ Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.bz2 
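Review bot: `remove_leading_slashes` in `of_string` strips only literal `/` characters from the front of the raw string, so the fix covers this one spelling of the path. Nothing in the hunk canonicalises the path or checks that the file finally served lies under the intended root. That check presumably has to live where the HTTP handler maps the path to a file, which is not visible here and should be confirmed. An input made up only of slashes now becomes the empty string (`String.sub s left (len - left)` with `left = len`), so confirm that the parsing which follows accepts `""`; the body of `of_string` continues outside the hunk. The comment would help the next maintainer more if it gave the reason, e.g. `(* strip leading slashes: a GET path with more than one leading '/' disclosed arbitrary files (rhbz#487132) *)`.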
@@ -9,6 +9,7 @@ Source9: mldonkey_df_monitor.sh Source11: mldonkey.logrotate Patch0: mldonkey-initscript.patch +Patch1: url_slashes.patch URL: http://mldonkey.sourceforge.net Group: Applications/Internet BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -125,6 +126,7 @@ %prep %setup -q %patch0 -p1 -b .fedora +%patch1 -p0 # Let's make rpmlint happy sed -i 's|\r||g' distrib/ed2k_submit/README.MLdonkeySubmit sed -i 's|\r||g' docs/slavanap.txt @@ -319,6 +321,10 @@ %changelog +* Thu Feb 26 2009 Richard W.M. Jones <rjones@xxxxxxxxxx> - 2.9.7-3 +- Fix remote arbitrary file disclosure via a GET request with more + than one leading / (slash) character in the filename (rhbz#487132). + * Tue Feb 10 2009 Peter Lemenkov <lemenkov@xxxxxxxxx> 2.9.7-2 - Fixed bz# 484884 _______________________________________________ Fedora-ocaml-list mailing list Fedora-ocaml-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-ocaml-list
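Review bot: The `Patch1: url_slashes.patch` line has no comment saying what the patch fixes or whether it has been sent upstream, so a later rebase has to dig through the changelog to decide whether it can be dropped. A line above it such as `# Security fix for rhbz#487132; drop once upstream includes it` would record that. `%patch1 -p0` also omits the `-b` backup suffix that `%patch0 -p1 -b .fedora` uses, which is worth aligning for consistency.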