Escape user-supplied URL parameter to avoid a cross-site scripting problem.
From upstream repo.
parent
8885cf1220
commit
4fef4216a0
@ -1,4 +1,4 @@
|
||||
# $OpenBSD: Makefile,v 1.6 2011/06/02 13:41:39 ajacoutot Exp $
|
||||
# $OpenBSD: Makefile,v 1.7 2011/06/02 19:48:17 sthen Exp $
|
||||
|
||||
COMMENT-main = network monitoring system (improved fork of Nagios)
|
||||
COMMENT-cgi = cgi scripts for Icinga (classic Nagios-style UI)
|
||||
@ -7,12 +7,12 @@ COMMENT-api = database-backed API for icinga
|
||||
|
||||
DISTNAME = icinga-$V
|
||||
PKGNAME-main = icinga-$V
|
||||
REVISION-main = 0
|
||||
PKGNAME-cgi = icinga-cgi-$V
|
||||
REVISION-cgi = 1
|
||||
PKGNAME-ido = icinga-idoutils-$V
|
||||
PKGNAME-api = icinga-api-$V
|
||||
|
||||
REVISION-main = 0
|
||||
|
||||
MULTI_PACKAGES = -main -cgi -api -ido
|
||||
PREFIX-cgi = /var/www
|
||||
PREFIX-api = /var/www
|
||||
|
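--- a/net/icinga/core/patches/patch-cgi_config_c
+++ b/net/icinga/core/patches/patch-cgi_config_c
@@ -0,0 +1,15 @@
+$OpenBSD: patch-cgi_config_c,v 1.1 2011/06/02 19:48:17 sthen Exp $
+
+fix XSS; from cbe9993f upstream
+
+--- cgi/config.c.orig Thu Jun 2 14:26:09 2011
++++ cgi/config.c Thu Jun 2 14:26:27 2011
+@@ -429,7 +429,7 @@ int process_cgivars(void){
+error=TRUE;
+break;
+}
+- strncpy(to_expand,variables[x],MAX_COMMAND_BUFFER);
++ strncpy(to_expand,escape_string(variables[x]),MAX_COMMAND_BUFFER);
+to_expand[MAX_COMMAND_BUFFER-1]='\0';
+}
+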
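Review bot: The result of `escape_string()` is passed straight to `strncpy()` in the added line of the embedded cgi/config.c hunk, with no check and no pointer kept to it. Its definition is not visible here, so if it can return NULL on allocation failure the copy is undefined behaviour, and if it returns heap memory that buffer is never freed; `char *esc = escape_string(variables[x]);` followed by `strncpy(to_expand, esc ? esc : "", MAX_COMMAND_BUFFER);` would at least make the first case explicit. Escaping also lengthens the value, so the existing cut at `MAX_COMMAND_BUFFER-1` can now split an entity in half, which does not weaken the XSS fix but deserves a short comment. Encoding at the point of input means `to_expand` holds HTML-encoded text for whatever consumes it later; process_cgivars continues outside the hunk, so it should be confirmed that every use of the buffer is HTML output.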