rpms/mldonkey/EL-5 url_slashes.patch, NONE, 1.1 mldonkey.spec, 1.3, 1.4


 



Author: rjones

Update of /cvs/pkgs/rpms/mldonkey/EL-5
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv15661

Modified Files:
	mldonkey.spec 
Added Files:
	url_slashes.patch 
Log Message:
- Fix remote arbitrary file disclosure via a GET request with more
  than one leading / (slash) character in the filename (rhbz#487132).


url_slashes.patch:

--- NEW FILE url_slashes.patch ---
diff -a -x Root -x Repository -x Tag -x Entries -x Entries.Log -x .svn -x '*.rej' -x '*.orig' -x '*.cmi' -x '*.cma' -x '*.cmo' -x '*.cmx' -x '*.cmxa' -x '*.a' -x '*.o' -x .depend -x Makefile -x mlnet -x ocamlpp.byte -N -r -u ./src/utils/lib/url.ml ./src/utils/lib/url.ml
--- ./src/utils/lib/url.ml	2007-03-17 19:49:32.000000000 +0100
+++ ./src/utils/lib/url.ml	2009-02-23 19:29:04.000000000 +0100
@@ -175,6 +175,19 @@
   Buffer.contents res  
   
 let of_string ?(args=[]) s =
+  let remove_leading_slashes s =
+    let len = String.length s in
+    let left =
+      let rec aux i =
+        if i < len && s.[i] = '/' then aux (i+1) else i in
+      aux 0 in
+    if left = 0 then s
+    else
+      String.sub s left (len - left) in
+
+  (* redefine s to remove all leading slashes *)
+  let s = remove_leading_slashes s in
+
   let s = put_args s args in
   let url =
     let get_two init_pos =
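Review bot: The new `remove_leading_slashes` step in `of_string` strips only literal '/' characters at the very start of the string, and nothing in this hunk shows how percent-encoded slashes or `..` segments later in the path are treated, so the disclosure fix depends on code outside the hunk. Since `of_string` appears to be the general URL parser, the handler that maps a request path to a file should also check that the resolved path stays inside the directory it is meant to serve, rather than relying on this normalisation alone. The comment should also record the reason, e.g. `(* strip all leading '/': a GET path with more than one leading slash disclosed arbitrary files (rhbz#487132) *)`. The body of `of_string` continues past the end of the hunk.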


Index: mldonkey.spec
===================================================================
RCS file: /cvs/pkgs/rpms/mldonkey/EL-5/mldonkey.spec,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- mldonkey.spec	10 Feb 2009 16:06:35 -0000	1.3
+++ mldonkey.spec	26 Feb 2009 09:00:47 -0000	1.4
@@ -1,6 +1,6 @@
 Name:		mldonkey
 Version:	2.9.7
-Release:	2%{?dist}
+Release:	3%{?dist}
 Summary:	Client for several P2P networks
 License:	GPLv2+
 Source0:	http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.bz2
@@ -9,6 +9,7 @@
 Source9:	mldonkey_df_monitor.sh
 Source11:	mldonkey.logrotate
 Patch0:		mldonkey-initscript.patch
+Patch1:         url_slashes.patch
 URL:		http://mldonkey.sourceforge.net
 Group:		Applications/Internet
 BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
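Review bot: `Patch1: url_slashes.patch` carries no comment saying what it fixes or whether it has been sent upstream, which makes it hard to tell on a later rebase whether the security patch can be dropped. A line above it such as `# Fix file disclosure via multiple leading slashes in GET path (rhbz#487132)` would do; the upstream status is not visible on this page and should be added by the packager. The line also uses spaces after the tag where the neighbouring `Patch0:` uses tabs.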
@@ -125,6 +126,7 @@
 %prep
 %setup -q
 %patch0 -p1 -b .fedora
+%patch1 -p0
 # Let's make rpmlint happy
 sed -i 's|\r||g' distrib/ed2k_submit/README.MLdonkeySubmit
 sed -i 's|\r||g' docs/slavanap.txt
@@ -319,6 +321,10 @@
 
 
 %changelog
+* Thu Feb 26 2009 Richard W.M. Jones <rjones@xxxxxxxxxx> - 2.9.7-3
+- Fix remote arbitrary file disclosure via a GET request with more
+  than one leading / (slash) character in the filename (rhbz#487132).
+
 * Tue Feb 10 2009 Peter Lemenkov <lemenkov@xxxxxxxxx> 2.9.7-2
 - Fixed bz# 484884
 

_______________________________________________
Fedora-ocaml-list mailing list
Fedora-ocaml-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-ocaml-list
