Update to nostromo-1.9.4.

OK jasper@
2011-03-20 12:04:19 +00:00 · 2011-03-20 12:04:19 +00:00 · 9c79b9da65
commit 9c79b9da65
parent a7df20e149
7 changed files with 7 additions and 190 deletions
--- a/www/nostromo/Makefile
+++ b/www/nostromo/Makefile
@ -1,9 +1,8 @@
-# $OpenBSD: Makefile,v 1.36 2011/03/17 17:43:14 jasper Exp $
+# $OpenBSD: Makefile,v 1.37 2011/03/20 12:04:19 mglocker Exp $

 COMMENT=		Nostromo webserver

-DISTNAME=		nostromo-1.9.3
-REVISION=		1
+DISTNAME=		nostromo-1.9.4
 CATEGORIES=		www
 MASTER_SITES=		http://www.nazgul.ch/dev/

--- a/www/nostromo/distinfo
+++ b/www/nostromo/distinfo
@ -1,5 +1,5 @@
-MD5 (nostromo-1.9.3.tar.gz) = ppca62hygrWdDIlTD1sYpg==
-RMD160 (nostromo-1.9.3.tar.gz) = IJkofhjHcD5j0iX343wcsj2y/8I=
-SHA1 (nostromo-1.9.3.tar.gz) = liCF+AfHtC5hX76hPUzDR2YPhFQ=
-SHA256 (nostromo-1.9.3.tar.gz) = k2uQQglCASKBWfnboYdr8/Nl9Q4Vl2nh1URbUb2nuO4=
-SIZE (nostromo-1.9.3.tar.gz) = 46917
+MD5 (nostromo-1.9.4.tar.gz) = AVBaNcf3foN0+Hj4uUSxnA==
+RMD160 (nostromo-1.9.4.tar.gz) = Q1OkISfe1itlbzYtKwrpPJoahHQ=
+SHA1 (nostromo-1.9.4.tar.gz) = ExlEv9uENSuSaxdOZ9riY8pQNag=
+SHA256 (nostromo-1.9.4.tar.gz) = 291x/P3vuchivavY6uJTMpOhEYSN2aku4VFGXjezMZQ=
+SIZE (nostromo-1.9.4.tar.gz) = 47724
--- a/www/nostromo/patches/patch-ChangeLog
+++ b/www/nostromo/patches/patch-ChangeLog
@ -1,18 +0,0 @@
-$OpenBSD: patch-ChangeLog,v 1.1 2011/03/17 17:43:14 jasper Exp $
-
-Security fix for CVE-2011-0751
-Nostromo Directory Traversal Vulnerability.
-
-Patch from upstream CVS.
-
--- ChangeLog.orig	Thu Mar 17 18:39:48 2011
-+++ ChangeLog	Thu Mar 17 18:40:02 2011
-@@ -1,3 +1,8 @@
-+- fix a bug where when nostromo doesn't run in chroot mode somebody can
-+  access files beyond our htdocs environment by using specific encoded
-+  characters in the request URI (security issue).
-+  Issue found and reported by RedTeam Pentesting GmbH
-+
- 1.9.3
- =====
- - fix two err(3) calls which are lacking an `%s' modifier (security issue).
--- a/www/nostromo/patches/patch-src_nhttpd_Makefile
+++ b/www/nostromo/patches/patch-src_nhttpd_Makefile
@ -1,11 +0,0 @@
--- src/nhttpd/Makefile.orig	Tue Apr 22 20:16:48 2008
-+++ src/nhttpd/Makefile	Tue Apr 22 20:16:59 2008
-@@ -1,7 +1,7 @@
- PROG= nhttpd
- SRCS= main.c http.c sys.c
- 
-CFLAGS+= -Wall -Werror -Wstrict-prototypes
-+CFLAGS+= -Wall -Wstrict-prototypes
- LDADD+=	-L../libmy -lmy
- 
- PIPE= -pipe
--- a/www/nostromo/patches/patch-src_nhttpd_http_c
+++ b/www/nostromo/patches/patch-src_nhttpd_http_c
@ -1,113 +0,0 @@
-$OpenBSD: patch-src_nhttpd_http_c,v 1.1 2011/03/17 17:43:14 jasper Exp $
-
-Security fix for CVE-2011-0751
-Nostromo Directory Traversal Vulnerability.
-
-Patch from upstream CVS.
-
--- src/nhttpd/http.c.orig	Fri Jul  3 10:36:52 2009
-+++ src/nhttpd/http.c	Thu Mar 17 18:40:37 2011
-@@ -96,7 +96,8 @@ static const char *doc =
-  *	0 = invalid header, 1 = valid header
-  */
- int
-http_verify(const char *header, const char *cip, const int sfd, const int hr)
-+http_verify(char *header, const int header_size, const char *cip, const int sfd,
-+    const int hr)
- {
- 	int		r, proto;
- 	char		*h, *b, line[1024], protocol[16];
-@@ -105,6 +106,21 @@ http_verify(const char *header, const char *cip, const
- 
- 	r = proto = 0;
- 
-+	/* check if header URI needs to be decoded */
-+	if (http_decode_header_uri(header, header_size) == -1) {
-+		h = http_head(http_s_400, "-", cip, 0);
-+		b = http_body(http_s_400, "", h, 0);
-+		c[sfd].pfdo++;
-+		c[sfd].pfdn[hr] = 1;
-+		c[sfd].pfdh[hr] = strdup(b);
-+		c[sfd].x_ful[hr] = 1;
-+		c[sfd].x_chk[hr] = 0;
-+		c[sfd].x_sta = 0;
-+		free(h);
-+		free(b);
-+		return (0);
-+	}
-+
- 	/* check for valid method */
- 	if (strcutl(line, header, 1, sizeof(line)) > 0) {
- 		if (!strncasecmp("GET ", line, 4))
-@@ -192,6 +208,56 @@ http_verify(const char *header, const char *cip, const
- }
- 
- /*
-+ * http_decode_header_uri()
-+ *	decodes an encoded URI within a complete HTTP header
-+ * Return:
-+ *	 0 = nothing to do, <bytes of new header> = URI decoded, -1 = error
-+ */
-+int
-+http_decode_header_uri(char *header, const int header_size)
-+{
-+	int	 uri_len;
-+	char	*p, *h, *u;
-+	char	 request[1024];
-+	struct	 header hd;
-+
-+	/* any chance for encoded characters? */
-+	if (strchr(header, '%') == NULL)
-+		return (0);
-+
-+	/* copy request line */
-+        if (strcuts(request, header, '\0', '\n', sizeof(request)) == -1)
-+                return (-1);
-+        strlcat(request, "\n", sizeof(request));
-+        uri_len = strlen(request);
-+
-+	/* isolate URI */
-+	strcutw(hd.rq_method, request, 1, sizeof(hd.rq_method));
-+	strcutw(hd.rq_uri, request, 2, sizeof(hd.rq_uri));
-+	strcutw(hd.rq_protocol, request, 3, sizeof(hd.rq_protocol));
-+
-+	/* decode URI */
-+	if ((u = http_uridecode(hd.rq_uri)) == NULL)
-+		return (0);
-+
-+	/* build new header with decoded URI */
-+	p = header;
-+	p = p + uri_len;
-+	if ((h = strdup(p)) == NULL) {
-+		free(u);
-+		return (-1);
-+	}
-+	snprintf(header, header_size, "%s %s %s%s",
-+	    hd.rq_method, u, hd.rq_protocol, h);
-+
-+	/* cleanup */
-+	free(u);
-+	free(h);
-+
-+	return (strlen(header));
-+}
-+
-+/*
-  * http_proc()
-  *	main function to process incoming header
-  * Return:
-@@ -1413,14 +1479,6 @@ http_header(const char *header_data, const char *force
- 	/* set protocol depended flags */
- 	if (!strcasecmp(h->rq_protocol, http_fv_pr1))
- 		h->x_chk = 1;
-
-	/* decode uri if encoded */
-	if (strchr(h->rq_uri, '%') != NULL) {
-		if ((x = http_uridecode(h->rq_uri)) != NULL) {
-			strlcpy(h->rq_uri, x, sizeof(h->rq_uri));
-			free(x);
-		}
-	}
- 
- 	/* is there a query string */
- 	if (strcuts(h->rq_query, h->rq_uri, '?', '\0', sizeof(h->rq_query))
--- a/www/nostromo/patches/patch-src_nhttpd_main_c
+++ b/www/nostromo/patches/patch-src_nhttpd_main_c
@ -1,20 +0,0 @@
-$OpenBSD: patch-src_nhttpd_main_c,v 1.1 2011/03/17 17:43:14 jasper Exp $
-
-Security fix for CVE-2011-0751
-Nostromo Directory Traversal Vulnerability.
-
-Patch from upstream CVS.
-
--- src/nhttpd/main.c.orig	Tue Dec 29 10:20:51 2009
-+++ src/nhttpd/main.c	Thu Mar 17 18:40:37 2011
-@@ -1465,8 +1465,8 @@ main(int argc, char *argv[])
- 			for (i = 0; i < k; i++) {
- 				s = 0;
- 				r = 1;
-				s = http_verify(header[i], c[sdnow].ip, sdnow,
-				    i);
-+				s = http_verify(header[i], sizeof(header[i]),
-+				    c[sdnow].ip, sdnow, i);
- 				if (s == 1)
- 					r = http_proc(header[i], body, i, size,
- 					    sdnow);
--- a/www/nostromo/patches/patch-src_nhttpd_proto_h
+++ b/www/nostromo/patches/patch-src_nhttpd_proto_h
@ -1,20 +0,0 @@
-$OpenBSD: patch-src_nhttpd_proto_h,v 1.2 2011/03/17 17:44:23 jasper Exp $
-
-Security fix for CVE-2011-0751
-Nostromo Directory Traversal Vulnerability.
-
-Patch from upstream CVS.
-
--- src/nhttpd/proto.h.orig	Tue Jun 23 16:33:23 2009
-+++ src/nhttpd/proto.h	Thu Mar 17 18:40:37 2011
-@@ -27,7 +27,9 @@ int		sdlisten(int, int);
- /*
-  * http.c
-  */
-int		http_verify(const char *, const char *, const int, const int);
-+int		http_decode_header_uri(char *, const int);
-+int		http_verify(char *, const int, const char *, const int,
-+		    const int);
- int		http_proc(const char *, char *, const int, const int,
- 		    const int);
- int		http_cgi_getexec(char *, char *, const char *, const int,