openbsd-ports/www/webalizer/patches/patch-webalizer_c

$OpenBSD: patch-webalizer_c,v 1.4 2008/01/30 20:06:48 mbalmer Exp $
--- webalizer.c.orig	Sat Dec  8 12:49:25 2007
+++ webalizer.c	Wed Jan 30 13:44:10 2008
@@ -38,6 +38,7 @@
 #include <ctype.h>
 #include <sys/utsname.h>
 #include <sys/times.h>
+#include <sys/socket.h>
 #include <zlib.h>
 
 /* ensure getopt */
@@ -687,7 +688,7 @@ int main(int argc, char *argv[])
       }
 
       /* got a record... */
-      strcpy(tmp_buf, buffer);            /* save buffer in case of error */
+      strlcpy(tmp_buf, buffer, sizeof tmp_buf);            /* save buffer in case of error */
       if (parse_record(buffer))           /* parse the record             */
       {
          /*********************************************/
@@ -891,7 +892,7 @@ int main(int argc, char *argv[])
                if (!isurlchar(*cp1))
                {
                   /* Save query portion in log.rec.srchstr */
-                  strncpy(log_rec.srchstr,cp1,MAXSRCH);
+                  strlcpy(log_rec.srchstr,cp1,sizeof log_rec.srchstr);
                   *cp1++='\0';
                   break;
                }
@@ -1269,7 +1270,7 @@ int main(int argc, char *argv[])
 
          /* if this is a IPv4 address in IPv6 notation, normalize it back */
 	 if (strncmp(log_rec.hostname, "::ffff:", 7) == 0) {
-	    strcpy(log_rec.hostname, log_rec.hostname+7);
+	    strlcpy(log_rec.hostname, log_rec.hostname+7, sizeof(log_rec.hostname));
 	 }
 
          /* Save IP address for later checks */
@@ -1307,9 +1308,9 @@ int main(int argc, char *argv[])
                else
                {
                   if (strcmp(log_rec.hostname,ip)!=0)
-                     strcpy(log_rec.hostname,ip);
+                     strlcpy(log_rec.hostname,ip,sizeof(log_rec.hostname));
                   else
-                     strncpy(log_rec.hostname,"Invalid",8);
+                     strlcpy(log_rec.hostname,"Invalid",sizeof(log_rec.hostname));
                   invalid = 1; break;
                }
             }
@@ -1322,7 +1323,7 @@ int main(int argc, char *argv[])
 
          /* Catch blank hostnames here */
          if (log_rec.hostname[0]=='\0')
-            strncpy(log_rec.hostname,"Unknown",8);
+            strlcpy(log_rec.hostname,"Unknown",sizeof log_rec.hostname);
 
          /* Ignore/Include check */
          if ( (isinlist(include_sites,log_rec.hostname)==NULL) &&
@@ -2260,7 +2261,7 @@ void srch_string(char *ptr)
    if ( (cps=isinglist(search_list,log_rec.refer))==NULL) return; 
 
    /* Try to find query variable */
-   srch[0]='?'; strcpy(&srch[1],cps);              /* First, try "?..."      */
+   srch[0]='?'; strlcpy(&srch[1],cps,(sizeof srch) - 1);              /* First, try "?..."      */
    if ((cp1=strstr(ptr,srch))==NULL)
    {
       srch[0]='&';                                 /* Next, try "&..."       */
Switch to webalizer xtended by Patrick Frei, which adds IPv6 support and detailed http 404 error reports. Webalizer author hinted me at this, he does not intend to update. danh@ is ok with the maintainer change. ok stehn, okan. 2008-01-30 15:06:48 -05:00			$OpenBSD: patch-webalizer_c,v 1.4 2008/01/30 20:06:48 mbalmer Exp $
			`--- webalizer.c.orig Sat Dec 8 12:49:25 2007`
			`+++ webalizer.c Wed Jan 30 13:44:10 2008`
			`@@ -38,6 +38,7 @@`
			`#include <ctype.h>`
			`#include <sys/utsname.h>`
			`#include <sys/times.h>`
			`+#include <sys/socket.h>`
			`#include <zlib.h>`
update to webalizer 2.01-10 * bump NEED_VERSION * security fix: buffer overflow in DNS resolver * includes other bugfixes * some strcpy/strncpy/sprintf calls changed to strlcpy/snprintf 2002-04-17 12:17:45 -04:00
Switch to webalizer xtended by Patrick Frei, which adds IPv6 support and detailed http 404 error reports. Webalizer author hinted me at this, he does not intend to update. danh@ is ok with the maintainer change. ok stehn, okan. 2008-01-30 15:06:48 -05:00			`/* ensure getopt */`
			`@@ -687,7 +688,7 @@ int main(int argc, char *argv[])`
update to webalizer 2.01-10 * bump NEED_VERSION * security fix: buffer overflow in DNS resolver * includes other bugfixes * some strcpy/strncpy/sprintf calls changed to strlcpy/snprintf 2002-04-17 12:17:45 -04:00			`}`

			`/* got a record... */`
			`- strcpy(tmp_buf, buffer); /* save buffer in case of error */`
			`+ strlcpy(tmp_buf, buffer, sizeof tmp_buf); /* save buffer in case of error */`
			`if (parse_record(buffer)) /* parse the record */`
			`{`
			`/*********************************************/`
Switch to webalizer xtended by Patrick Frei, which adds IPv6 support and detailed http 404 error reports. Webalizer author hinted me at this, he does not intend to update. danh@ is ok with the maintainer change. ok stehn, okan. 2008-01-30 15:06:48 -05:00			`@@ -891,7 +892,7 @@ int main(int argc, char *argv[])`
update to webalizer 2.01-10 * bump NEED_VERSION * security fix: buffer overflow in DNS resolver * includes other bugfixes * some strcpy/strncpy/sprintf calls changed to strlcpy/snprintf 2002-04-17 12:17:45 -04:00			`if (!isurlchar(*cp1))`
			`{`
			`/* Save query portion in log.rec.srchstr */`
			`- strncpy(log_rec.srchstr,cp1,MAXSRCH);`
			`+ strlcpy(log_rec.srchstr,cp1,sizeof log_rec.srchstr);`
			`*cp1++='\0';`
			`break;`
			`}`
Switch to webalizer xtended by Patrick Frei, which adds IPv6 support and detailed http 404 error reports. Webalizer author hinted me at this, he does not intend to update. danh@ is ok with the maintainer change. ok stehn, okan. 2008-01-30 15:06:48 -05:00			`@@ -1269,7 +1270,7 @@ int main(int argc, char *argv[])`

			`/* if this is a IPv4 address in IPv6 notation, normalize it back */`
			`if (strncmp(log_rec.hostname, "::ffff:", 7) == 0) {`
			`- strcpy(log_rec.hostname, log_rec.hostname+7);`
			`+ strlcpy(log_rec.hostname, log_rec.hostname+7, sizeof(log_rec.hostname));`
			`}`

			`/* Save IP address for later checks */`
			`@@ -1307,9 +1308,9 @@ int main(int argc, char *argv[])`
			`else`
			`{`
			`if (strcmp(log_rec.hostname,ip)!=0)`
			`- strcpy(log_rec.hostname,ip);`
			`+ strlcpy(log_rec.hostname,ip,sizeof(log_rec.hostname));`
			`else`
			`- strncpy(log_rec.hostname,"Invalid",8);`
			`+ strlcpy(log_rec.hostname,"Invalid",sizeof(log_rec.hostname));`
			`invalid = 1; break;`
			`}`
			`}`
			`@@ -1322,7 +1323,7 @@ int main(int argc, char *argv[])`
update to webalizer 2.01-10 * bump NEED_VERSION * security fix: buffer overflow in DNS resolver * includes other bugfixes * some strcpy/strncpy/sprintf calls changed to strlcpy/snprintf 2002-04-17 12:17:45 -04:00
			`/* Catch blank hostnames here */`
			`if (log_rec.hostname[0]=='\0')`
			`- strncpy(log_rec.hostname,"Unknown",8);`
			`+ strlcpy(log_rec.hostname,"Unknown",sizeof log_rec.hostname);`

			`/* Ignore/Include check */`
			`if ( (isinlist(include_sites,log_rec.hostname)==NULL) &&`
Switch to webalizer xtended by Patrick Frei, which adds IPv6 support and detailed http 404 error reports. Webalizer author hinted me at this, he does not intend to update. danh@ is ok with the maintainer change. ok stehn, okan. 2008-01-30 15:06:48 -05:00			`@@ -2260,7 +2261,7 @@ void srch_string(char *ptr)`
update to webalizer 2.01-10 * bump NEED_VERSION * security fix: buffer overflow in DNS resolver * includes other bugfixes * some strcpy/strncpy/sprintf calls changed to strlcpy/snprintf 2002-04-17 12:17:45 -04:00			`if ( (cps=isinglist(search_list,log_rec.refer))==NULL) return;`

			`/* Try to find query variable */`
			`- srch[0]='?'; strcpy(&srch[1],cps); /* First, try "?..." */`
			`+ srch[0]='?'; strlcpy(&srch[1],cps,(sizeof srch) - 1); /* First, try "?..." */`
			`if ((cp1=strstr(ptr,srch))==NULL)`
			`{`
			`srch[0]='&'; /* Next, try "&..." */`