[Pkg-erlang-commits] r1351 - in yaws/trunk/debian: . patches

sgolovan at alioth.debian.org sgolovan at alioth.debian.org
Sat Nov 26 15:45:01 UTC 2011


Author: sgolovan
Date: 2011-11-26 15:45:00 +0000 (Sat, 26 Nov 2011)
New Revision: 1351

Added:
   yaws/trunk/debian/patches/dirtraversal.diff
Modified:
   yaws/trunk/debian/changelog
   yaws/trunk/debian/patches/series
Log:
[yaws]
  * Added patch by Uwe Dauernheim which fixes directory traversal bug
    (closes: #650009).


Modified: yaws/trunk/debian/changelog
===================================================================
--- yaws/trunk/debian/changelog	2011-10-25 15:20:49 UTC (rev 1350)
+++ yaws/trunk/debian/changelog	2011-11-26 15:45:00 UTC (rev 1351)
@@ -1,8 +1,9 @@
-yaws (1.91-2) UNRELEASED; urgency=low
+yaws (1.91-2) unstable; urgency=high
 
-  * NOT RELEASED YET
+  * Added patch by Uwe Dauernheim which fixes directory traversal bug
+    (closes: #650009).
 
- -- Sergei Golovan <sgolovan at debian.org>  Tue, 09 Aug 2011 23:39:29 +0400
+ -- Sergei Golovan <sgolovan at debian.org>  Sat, 26 Nov 2011 19:34:12 +0400
 
 yaws (1.91-1) unstable; urgency=low
 

Added: yaws/trunk/debian/patches/dirtraversal.diff
===================================================================
--- yaws/trunk/debian/patches/dirtraversal.diff	                        (rev 0)
+++ yaws/trunk/debian/patches/dirtraversal.diff	2011-11-26 15:45:00 UTC (rev 1351)
@@ -0,0 +1,29 @@
+Author: Uwe Dauernheim
+Description: The patch offers a quickfix for directory traversal vulnerability.
+Bug: https://github.com/klacke/yaws/issues/69
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=650009
+Last-updated: Sat, 26 Nov 2011 19:30:04 +0400
+
+--- yaws-1.91.orig/src/yaws_api.erl
++++ yaws-1.91/src/yaws_api.erl
+@@ -818,12 +818,14 @@
+ path_norm_reverse("/" ++ T) -> start_dir(0, "/", T);
+ path_norm_reverse(       T) -> start_dir(0,  "", T).
+ 
+-start_dir(N, Path, [$\\|T]    ) -> start_dir(N, Path, [$/|T]);
+-start_dir(N, Path, ".."       ) -> rest_dir(N, Path, "");
+-start_dir(N, Path, "/"   ++ T ) -> start_dir(N    , Path, T);
+-start_dir(N, Path, "./"  ++ T ) -> start_dir(N    , Path, T);
+-start_dir(N, Path, "../" ++ T ) -> start_dir(N + 1, Path, T);
+-start_dir(N, Path,          T ) -> rest_dir (N    , Path, T).
++start_dir(N, Path, [$\\|T]     ) -> start_dir(N, Path, [$/|T]);
++start_dir(N, Path, ".."        ) -> rest_dir(N, Path, "");
++start_dir(N, Path, "/"    ++ T ) -> start_dir(N    , Path, T);
++start_dir(N, Path, "./"   ++ T ) -> start_dir(N    , Path, T);
++start_dir(N, Path, ".\\"  ++ T ) -> start_dir(N    , Path, T);
++start_dir(N, Path, "../"  ++ T ) -> start_dir(N + 1, Path, T);
++start_dir(N, Path, "..\\" ++ T ) -> start_dir(N + 1, Path, T);
++start_dir(N, Path,           T ) -> rest_dir (N    , Path, T).
+ 
+ rest_dir (_N, Path, []         ) -> case Path of
+                                         [] -> "/";
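Review bot: The new `start_dir` clauses only treat `\` as a separator when it directly follows `.` or `..` (plus the existing leading-`\` clause), so a `\` that follows an ordinary name is left to `rest_dir`, whose clauses lie almost entirely outside this hunk. If `rest_dir` splits segments only on `/`, the normalisation is still incomplete wherever `\` acts as a path separator; in that case add the matching clause there, `rest_dir(N, Path, [$\\|T]) -> rest_dir(N, Path, [$/|T]);`, or fold `\` to `/` once in `path_norm_reverse` rather than clause by clause. A short comment above `start_dir` would also help, saying that the input appears to be the reversed path and that `N` appears to count `..` segments still to be dropped, because the clause order is what carries the security property. The description calls this a quickfix, so regression cases for mixed `/` and `\` inputs should accompany it.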

Modified: yaws/trunk/debian/patches/series
===================================================================
--- yaws/trunk/debian/patches/series	2011-10-25 15:20:49 UTC (rev 1350)
+++ yaws/trunk/debian/patches/series	2011-11-26 15:45:00 UTC (rev 1351)
@@ -7,3 +7,4 @@
 ctl.diff
 docs.diff
 m32m64.diff
+dirtraversal.diff



