Security fix for CVE-2011-1838:

XSS Vulnerability with origurl parameter of login script

Patch from upstream

www/twiki/Makefile

@@ -1,9 +1,10 @@
-# $OpenBSD: Makefile,v 1.8 2010/11/22 08:36:54 espie Exp $
+# $OpenBSD: Makefile,v 1.9 2011/05/19 06:27:30 jasper Exp $
 
 COMMENT=	web-based collaboration platform
 
 DISTNAME=	TWiki-4.1.1
 EXTRACT_SUFX=	.tgz
+REVISION=	0
 CATEGORIES=	www
 
 HOMEPAGE=	http://twiki.org/

www/twiki/patches/patch-lib_TWiki_Client_TemplateLogin_pm

@@ -0,0 +1,20 @@
+$OpenBSD: patch-lib_TWiki_Client_TemplateLogin_pm,v 1.1 2011/05/19 06:27:30 jasper Exp $
+
+Security fix for CVE-2011-1838:
+XSS Vulnerability with origurl parameter of login script
+
+Patch from upstream:
+http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2011-1838#Hotfix_for_TWiki_Production_Rele
+
+--- lib/TWiki/Client/TemplateLogin.pm.orig	Thu May 19 08:24:32 2011
++++ lib/TWiki/Client/TemplateLogin.pm	Thu May 19 08:25:03 2011
+@@ -107,6 +107,9 @@ sub login {
+     my $loginName = $query->param( 'username' );
+     my $loginPass = $query->param( 'password' );
+ 
++    # Item6673: Cleanup origurl parameter
++    $origurl   =~ s/[^a-zA-Z0-9_\-\.\:\/\?\;\&]//g;
++
+     # Eat these so there's no risk of accidental passthrough
+     $query->delete('origurl', 'username', 'password');
+