add patch from upstream to fix a directory traversal problem which
could allow information disclosure by servers (CVE-2011-2524, does not affect client applications)
parent
b5703cf078
commit
9d55275760
3 changed files with 26 additions and 2 deletions
|
@ -1,7 +1,8 @@
|
|||
# $NetBSD: Makefile,v 1.32 2011/07/08 18:35:37 drochner Exp $
|
||||
# $NetBSD: Makefile,v 1.33 2011/07/29 10:27:29 drochner Exp $
|
||||
|
||||
DISTNAME= libsoup-2.34.2
|
||||
PKGNAME= ${DISTNAME:S/libsoup/libsoup24/}
|
||||
PKGREVISION= 1
|
||||
CATEGORIES= net gnome
|
||||
MASTER_SITES= ${MASTER_SITE_GNOME:=sources/libsoup/2.34/}
|
||||
EXTRACT_SUFX= .tar.bz2
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
$NetBSD: distinfo,v 1.22 2011/06/10 09:33:53 drochner Exp $
|
||||
$NetBSD: distinfo,v 1.23 2011/07/29 10:27:29 drochner Exp $
|
||||
|
||||
SHA1 (libsoup-2.34.2.tar.bz2) = 1812b3c78778b37d55ea2904b9763b6dd8266a1c
|
||||
RMD160 (libsoup-2.34.2.tar.bz2) = a3a94ca9dd6a49a3ee15efda6cf8e4ba96a66338
|
||||
Size (libsoup-2.34.2.tar.bz2) = 683331 bytes
|
||||
SHA1 (patch-aa) = 02d26d3f70954f1bb2d2014aab84a58d5ce14469
|
||||
|
|
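--- a/net/libsoup24/patches/patch-aa
+++ b/net/libsoup24/patches/patch-aa
@@ -0,0 +1,22 @@
+$NetBSD: patch-aa,v 1.3 2011/07/29 10:27:29 drochner Exp $
+
+CVE-2011-2524
+
+--- libsoup/soup-server.c.orig 2011-04-07 13:29:03.000000000 +0000
++++ libsoup/soup-server.c
+@@ -779,6 +779,15 @@ got_headers (SoupMessage *req, SoupClien
+
+uri = soup_message_get_uri (req);
+decoded_path = soup_uri_decode (uri->path);
++
++ if (strstr (decoded_path, "/../") ||
++ g_str_has_suffix (decoded_path, "/..")) {
++ /* Introducing new ".." segments is not allowed */
++ g_free (decoded_path);
++ soup_message_set_status (req, SOUP_STATUS_BAD_REQUEST);
++ return;
++ }
++
+soup_uri_set_path (uri, decoded_path);
+g_free (decoded_path);
+}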
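Review bot: The comment on the new guard in got_headers, `/* Introducing new ".." segments is not allowed */`, does not say why the test runs on decoded_path rather than on uri->path; I would spell it out, e.g. `/* Percent-decoding can create ".." segments that were not present when the URI was parsed; reject them before the decoded path is stored in the URI. */`. The test recognises only '/' as a separator, which fits the POSIX platforms this package presumably targets. It is a string match at the HTTP layer and not a canonicalisation, so a handler that maps the path onto the filesystem should still resolve it and confirm the result stays under its document root. decoded_path is freed before the early return, so that path does not leak. got_headers starts before the hunk and may continue after it, so what happens to the message after returning with only SOUP_STATUS_BAD_REQUEST set cannot be confirmed from here.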