From 462fdcd20d135d10acea1b51d1beccd9fe64eb28 Mon Sep 17 00:00:00 2001 From: Bill Nottingham Date: Thu, 26 Nov 2009 01:33:17 +0000 Subject: [PATCH 01/10] Fix typo that causes a failure to update the common directory. (releng #2781) --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 63c5a86..eba022d 100644 --- a/Makefile +++ b/Makefile @@ -4,7 +4,7 @@ NAME := awstats SPECFILE = $(firstword $(wildcard *.spec)) define find-makefile-common -for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done +for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done endef MAKEFILE_COMMON := $(shell $(find-makefile-common)) From fb6c3cd5ad4d72e2539e6e171ef45b890f39ee67 Mon Sep 17 00:00:00 2001 From: Aurelien Bompard Date: Thu, 26 Nov 2009 05:27:36 +0000 Subject: [PATCH 02/10] - version 6.95 (security fix) - drop patch0 --- .cvsignore | 2 +- awstats-6.9-CVE-2008-3714-debian.patch | 13 ------------- awstats.spec | 11 ++++++----- sources | 2 +- 4 files changed, 8 insertions(+), 20 deletions(-) delete mode 100644 awstats-6.9-CVE-2008-3714-debian.patch diff --git a/.cvsignore b/.cvsignore index 37811e5..a48706a 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1 +1 @@ -awstats-6.9.tar.gz +awstats-6.95.tar.gz diff --git a/awstats-6.9-CVE-2008-3714-debian.patch b/awstats-6.9-CVE-2008-3714-debian.patch deleted file mode 100644 index ad59113..0000000 --- a/awstats-6.9-CVE-2008-3714-debian.patch +++ /dev/null 
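Review bot: The fixed line still ignores the exit status of `cvs -Q update`, so a failed update falls through to `echo "$$d/Makefile.common"` and the build silently continues with whatever stale common/Makefile.common is on disk; the typo fix restores the `-w` check but not error reporting. Something like `cvs -Q update || echo "WARNING: cvs update of $$d failed" >&2 ;` in the same loop body would at least surface the failure in the make output. The rest of the find-makefile-common definition is inside the hunk, but the `$(shell ...)` that consumes it runs in a subshell, so the `cd $$d` does not affect the path make receives.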
@@ -1,13 +0,0 @@ -diff -up ./wwwroot/cgi-bin/awstats.pl.CVE-2008-3714 ./wwwroot/cgi-bin/awstats.pl ---- ./wwwroot/cgi-bin/awstats.pl.CVE-2008-3714 2008-12-31 09:09:43.000000000 +0100 -+++ ./wwwroot/cgi-bin/awstats.pl 2008-12-31 09:10:11.000000000 +0100 -@@ -7521,8 +7521,8 @@ sub EncodeString { - sub DecodeEncodedString { - my $stringtodecode = shift; - $stringtodecode =~ tr/\+/ /s; -- $stringtodecode =~ s/%22//g; - $stringtodecode =~ s/%([A-F0-9][A-F0-9])/pack("C", hex($1))/ieg; -+ $stringtodecode =~ s/["']//g; - return $stringtodecode; - } - diff --git a/awstats.spec b/awstats.spec index 06f977e..6d65358 100644 --- a/awstats.spec +++ b/awstats.spec @@ -1,13 +1,11 @@ Name: awstats -Version: 6.9 -Release: 4%{?dist} +Version: 6.95 +Release: 1%{?dist} Summary: Advanced Web Statistics License: GPLv2 Group: Applications/Internet URL: http://awstats.sourceforge.net Source0: http://dl.sf.net/awstats/awstats-%{version}.tar.gz -#Source0: http://awstats.sourceforge.net/files/awstats-6.6.tar.gz -Patch0: awstats-6.9-CVE-2008-3714-debian.patch BuildArch: noarch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -40,7 +38,6 @@ http://localhost/awstats/awstats.pl %prep %setup -q -%patch0 -p0 # Fix style sheets. perl -pi -e 's,/icon,/awstatsicons,g' wwwroot/css/* # Fix some bad file permissions here for convenience. @@ -160,6 +157,10 @@ fi %changelog +* Thu Nov 26 2009 Aurelien Bompard - 6.95-1 +- version 6.95 (security fix) +- drop patch0 + * Fri Aug 21 2009 Aurelien Bompard - 6.9-4 - don't backup the cgi when patching (#518168) diff --git a/sources b/sources index 2a32536..c02a89c 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -fc19dbb8449eccf3300efb30ca3376cb awstats-6.9.tar.gz +26a5b19fa9f395e9e7dafed37b795d7f awstats-6.95.tar.gz From 8113fb27cf5f6cd351416f935262c0cab7ba0027 Mon Sep 17 00:00:00 2001 
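Review bot: The changelog lines `- version 6.95 (security fix)` and `- drop patch0` do not say which fix the new release carries or why the dropped Patch0 (the CVE-2008-3714 backport for DecodeEncodedString) is no longer needed, so a later reader cannot tell whether the fix was superseded upstream or lost. If 6.95 ships the upstream fix, record it, e.g. `- drop patch0 (CVE-2008-3714 fixed upstream in 6.95)`; if it does not, the patch should be rebased rather than removed. The %prep hunk correctly drops `%patch0 -p0` together with the Patch0 line, so the spec stays consistent either way.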
From: Dennis Gilmore
Date: Sat, 8 May 2010 01:43:35 +0000
Subject: [PATCH 03/10] Initialize branch EL-6 for awstats
---
branch | 1 +
1 file changed, 1 insertion(+)
create mode 100644 branch
diff --git a/branch b/branch
new file mode 100644
index 0000000..46381b9
--- /dev/null
+++ b/branch
@@ -0,0 +1 @@
+EL-6
From 49ff803e3a76c51c259347199685362a78d3e531 Mon Sep 17 00:00:00 2001
From: Fedora Release Engineering
Date: Wed, 28 Jul 2010 10:42:43 +0000
Subject: [PATCH 04/10] dist-git conversion
---
.cvsignore => .gitignore | 0
Makefile | 21 ---------------------
branch | 1 -
3 files changed, 22 deletions(-)
rename .cvsignore => .gitignore (100%)
delete mode 100644 Makefile
delete mode 100644 branch
diff --git a/.cvsignore b/.gitignore
similarity index 100%
rename from .cvsignore
rename to .gitignore
diff --git a/Makefile b/Makefile
deleted file mode 100644
index eba022d..0000000
--- a/Makefile
+++ /dev/null
@@ -1,21 +0,0 @@
-# Makefile for source rpm: awstats
-# $Id$
-NAME := awstats
-SPECFILE = $(firstword $(wildcard *.spec))
-
-define find-makefile-common
-for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
-endef
-
-MAKEFILE_COMMON := $(shell $(find-makefile-common))
-
-ifeq ($(MAKEFILE_COMMON),)
-# attept a checkout
-define checkout-makefile-common
-test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
-endef
-
-MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
-endif
-
-include $(MAKEFILE_COMMON)
diff --git a/branch b/branch
deleted file mode 100644
index 46381b9..0000000
--- a/branch
+++ /dev/null
@@ -1 +0,0 @@
-EL-6
From d32a3478da243e416fa265db91132842983014aa Mon Sep 17 00:00:00 2001
From: Petr Lautrbach Date: Tue, 15 Feb 2011 15:49:26 +0100 Subject: [PATCH 05/10] http://downloads.sourceforge.net/project/awstats/AWStats/7.0/awstats-7.0.tar.gz --- awstats.spec | 7 +++++-- sources | 2 +- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/awstats.spec b/awstats.spec index 6d65358..fd9165c 100644 --- a/awstats.spec +++ b/awstats.spec @@ -1,11 +1,11 @@ Name: awstats -Version: 6.95 +Version: 7.0 Release: 1%{?dist} Summary: Advanced Web Statistics License: GPLv2 Group: Applications/Internet URL: http://awstats.sourceforge.net -Source0: http://dl.sf.net/awstats/awstats-%{version}.tar.gz +Source0: http://downloads.sourceforge.net/project/awstats/AWStats/%{version}/awstats-%{version}.tar.gz BuildArch: noarch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -157,6 +157,9 @@ fi %changelog +* Tue Feb 15 2011 Petr Lautrbach 7.0-1 +- update to upstream 7.0 version + * Thu Nov 26 2009 Aurelien Bompard - 6.95-1 - version 6.95 (security fix) - drop patch0 diff --git a/sources b/sources index c02a89c..6d183bc 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -26a5b19fa9f395e9e7dafed37b795d7f awstats-6.95.tar.gz +3e8e09b9ebe74513bb34290dbcd37b45 awstats-7.0.tar.gz From f9659ffd3b7116116495691d0fa6e3694a66bbfa Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Fri, 7 Oct 2011 13:54:34 +0200 Subject: [PATCH 06/10] awstats-7.0-2.el6 --- awstats-awredir.pl-sanitize-parameters.patch | 68 ++++++++++++++++++++ awstats.spec | 7 +- 2 files changed, 74 insertions(+), 1 deletion(-) create mode 100644 awstats-awredir.pl-sanitize-parameters.patch diff --git a/awstats-awredir.pl-sanitize-parameters.patch b/awstats-awredir.pl-sanitize-parameters.patch new file mode 100644 index 0000000..1615e9b --- /dev/null +++ b/awstats-awredir.pl-sanitize-parameters.patch 
@@ -0,0 +1,68 @@ +diff --git a/wwwroot/cgi-bin/awredir.pl b/wwwroot/cgi-bin/awredir.pl +index 35ee82d..f1e4cd2 100755 +--- a/wwwroot/cgi-bin/awredir.pl ++++ b/wwwroot/cgi-bin/awredir.pl +@@ -8,6 +8,8 @@ + + #use DBD::mysql; + use Digest::MD5 qw(md5 md5_hex md5_base64); ++use HTML::Entities; ++use URI::Escape; + + + #------------------------------------------------------- +@@ -116,26 +118,27 @@ if ($ENV{QUERY_STRING} =~ /tag=\"?([^\"&]+)\"?/) { $Tag=$1; } + + $Key='NOKEY'; + if ($ENV{QUERY_STRING} =~ /key=\"?([^\"&]+)\"?/) { $Key=$1; } ++$KeyEncoded=HTML::Entities::encode($Key); + + # Extract url to redirect to + $Url=$ENV{QUERY_STRING}; + if ($Url =~ /url=\"([^\"]+)\"/) { $Url=$1; } + elsif ($Url =~ /url=(.+)$/) { $Url=$1; } + $Url = DecodeEncodedString($Url); +-$UrlParam=$Url; ++$UrlEncoded=HTML::Entities::encode($Url); + +-if (! $UrlParam) { ++if (! $Url) { + error("Error: Bad use of $PROG. To redirect an URL with $PROG, use the following syntax:
/cgi-bin/$PROG.pl?url=http://urltogo"); + } + ++if ($KEYFORMD5 && ($Key ne md5_hex($KEYFORMD5.$Url))) { ++# error("Error: Bad value for parameter key=".$Key." to allow a redirect to ".$UrlEncoded." - ".$KEYFORMD5." - ".md5_hex($KEYFORMD5.$UrlEncoded) ); ++ error("Error: Bad value for parameter key=".$KeyEncoded." to allow a redirect to ".$UrlEncoded.". Key must be hexadecimal md5(KEYFORMD5.".$UrlEncoded.") where KEYFORMD5 is value hardcoded into awredir.pl. Note: You can remove use of key by setting KEYFORMD5 to empty string in script awredir.pl"); ++} ++ + if ($Url !~ /^http/i) { $Url = "http://".$Url; } + if ($DEBUG) { print LOGFILE "Url=$Url\n"; } + +-if ($KEYFORMD5 && ($Key ne md5_hex($KEYFORMD5.$UrlParam))) { +-# error("Error: Bad value for parameter key=".$Key." to allow a redirect to ".$UrlParam." - ".$KEYFORMD5." - ".md5_hex($KEYFORMD5.$UrlParam) ); +- error("Error: Bad value for parameter key=".$Key." to allow a redirect to ".$UrlParam.". Key must be hexadecimal md5(KEYFORMD5.".$UrlParam.") where KEYFORMD5 is value hardcoded into awredir.pl. 
Note: You can remove use of key by setting KEYFORMD5 to empty string in script awredir.pl"); +-} +- + + # Get date + ($nowsec,$nowmin,$nowhour,$nowday,$nowmonth,$nowyear,$nowwday,$nowyday,$nowisdst) = localtime(time); +@@ -151,14 +154,17 @@ if ($TRACEBASE == 1) { + if ($ENV{REMOTE_ADDR} !~ /$EXCLUDEIP/) { + if ($DEBUG == 1) { print LOGFILE "Execution requete Update sur BASE=$BASE, USER=$USER, PASS=$PASS\n"; } + my $dbh = DBI->connect("DBI:mysql:$BASE", $USER, $PASS) || die "Can't connect to DBI:mysql:$BASE: $dbh->errstr\n"; +- my $sth = $dbh->prepare("UPDATE T_LINKS set HITS_LINKS = HIT_LINKS+1 where URL_LINKS = '$Url'"); +- $sth->execute || error("Error: Unable execute query:$dbh->err, $dbh->errstr"); ++ my $sth = $dbh->prepare("UPDATE T_LINKS set HITS_LINKS = HIT_LINKS+1 where URL_LINKS = ?"); ++ $sth->execute($Url) || error("Error: Unable execute query:$dbh->err, $dbh->errstr"); + $sth->finish; + $dbh->disconnect; + if ($DEBUG == 1) { print LOGFILE "Execution requete Update - OK\n"; } + } + } + ++$Url=uri_escape($Url, "^A-Za-z0-9\-\._~/:"); ++$Tag=uri_escape($Tag); ++ + if ($TRACEFILE == 1) { + if ($ENV{REMOTE_ADDR} !~ /$EXCLUDEIP/) { + open(FICHIER,">>$TXTDIR/$TXTFILE") || error("Error: Enable to open trace file $TXTDIR/$TXTFILE: $!"); diff --git a/awstats.spec b/awstats.spec index fd9165c..3599048 100644 --- a/awstats.spec +++ b/awstats.spec @@ -1,11 +1,12 @@ Name: awstats Version: 7.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Advanced Web Statistics License: GPLv2 Group: Applications/Internet URL: http://awstats.sourceforge.net Source0: http://downloads.sourceforge.net/project/awstats/AWStats/%{version}/awstats-%{version}.tar.gz +Patch0: awstats-awredir.pl-sanitize-parameters.patch BuildArch: noarch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) 
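Review bot: The new line `$Url=uri_escape($Url, "^A-Za-z0-9\-\._~/:");` rewrites the redirect target itself rather than a copy for output: every character outside that set, including `?`, `=`, `&`, `#`, `%` and `@`, is percent-encoded, so a target with a query string, a fragment or an already-encoded component is altered before whatever consumes `$Url` after this point (the redirect and the trace-file write are outside the hunk). If the intent is safe logging and HTML output, escape a separate copy for those sinks and keep the validated `$Url` for the redirect, or at minimum add the URL-reserved characters to the safe set. The safe-set string is double-quoted, so `\-` and `\.` are unrecognized escapes that warn under `use warnings`; `'^A-Za-z0-9\-._~/:'` in single quotes expresses the same class without the warning. The switch to a bound `?` placeholder in the `UPDATE T_LINKS` statement is the right fix for the injection and needs no further change.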
@@ -38,6 +39,7 @@ http://localhost/awstats/awstats.pl %prep %setup -q +%patch0 -p 1 # Fix style sheets. perl -pi -e 's,/icon,/awstatsicons,g' wwwroot/css/* # Fix some bad file permissions here for convenience. @@ -157,6 +159,9 @@ fi %changelog +* Fri Oct 07 2011 Petr Lautrbach 7.0-2 +- fix multiple XSS and sql injection flaws (#740926) + * Tue Feb 15 2011 Petr Lautrbach 7.0-1 - update to upstream 7.0 version From 291a91d5c91df2dd4414e95bdf5949428ac6916a Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Fri, 16 Nov 2012 16:00:38 +0100 Subject: [PATCH 07/10] fix potential XSS attacks - CVE-2012-4547 (#871159) --- awstats-7.0-cleanxss.patch | 43 ++++++++++++++++++++++++++++++++++++++ awstats.spec | 3 +++ 2 files changed, 46 insertions(+) create mode 100644 awstats-7.0-cleanxss.patch diff --git a/awstats-7.0-cleanxss.patch b/awstats-7.0-cleanxss.patch new file mode 100644 index 0000000..98f10a7 --- /dev/null +++ b/awstats-7.0-cleanxss.patch 
@@ -0,0 +1,43 @@ +diff -up awstats-7.0/wwwroot/cgi-bin/awredir.pl.cleanxss awstats-7.0/wwwroot/cgi-bin/awredir.pl +--- awstats-7.0/wwwroot/cgi-bin/awredir.pl.cleanxss 2012-11-16 15:38:42.077347478 +0100 ++++ awstats-7.0/wwwroot/cgi-bin/awredir.pl 2012-11-16 15:53:28.893552096 +0100 +@@ -75,6 +75,27 @@ sub DecodeEncodedString { + return $stringtodecode; + } + ++#------------------------------------------------------------------------------ ++# Function: Clean a string of HTML tags to avoid 'Cross Site Scripting attacks' ++# and clean | char. ++# Parameters: stringtoclean ++# Input: None ++# Output: None ++# Return: cleanedstring ++#------------------------------------------------------------------------------ ++sub CleanXSS { ++ my $stringtoclean = shift; ++ ++ # To avoid html tags and javascript ++ $stringtoclean =~ s//>/g; ++ $stringtoclean =~ s/|//g; ++ ++ # To avoid onload=" ++ $stringtoclean =~ s/onload//g; ++ return $stringtoclean; ++} ++ + + #------------------------------------------------------- + # MAIN +@@ -127,6 +148,11 @@ elsif ($Url =~ /url=(.+)$/) { $Url=$1; } + $Url = DecodeEncodedString($Url); + $UrlEncoded=HTML::Entities::encode($Url); + ++# Sanitize parameters ++$Tag=CleanXSS($Tag); ++$Key=CleanXSS($Key); ++$UrlEncoded=CleanXSS($UrlEncoded); ++ + if (! $Url) { + error("Error: Bad use of $PROG. To redirect an URL with $PROG, use the following syntax:
/cgi-bin/$PROG.pl?url=http://urltogo"); + } diff --git a/awstats.spec b/awstats.spec index 3599048..1d1a424 100644 --- a/awstats.spec +++ b/awstats.spec @@ -7,6 +7,8 @@ Group: Applications/Internet URL: http://awstats.sourceforge.net Source0: http://downloads.sourceforge.net/project/awstats/AWStats/%{version}/awstats-%{version}.tar.gz Patch0: awstats-awredir.pl-sanitize-parameters.patch +# CVE-2012-4547, #871159 +Patch3: awstats-7.0-cleanxss.patch BuildArch: noarch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -40,6 +42,7 @@ http://localhost/awstats/awstats.pl %prep %setup -q %patch0 -p 1 +%patch3 -p 1 -b .cleanxss # Fix style sheets. perl -pi -e 's,/icon,/awstatsicons,g' wwwroot/css/* # Fix some bad file permissions here for convenience. From 7f45ddfe55e15482bc4fa74c7707efc1a02f2210 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Thu, 21 Feb 2013 10:16:19 +0100 Subject: [PATCH 08/10] awstats-7.0-3 --- awstats.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/awstats.spec b/awstats.spec index 1d1a424..6f6c580 100644 --- a/awstats.spec +++ b/awstats.spec @@ -1,6 +1,6 @@ Name: awstats Version: 7.0 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Advanced Web Statistics License: GPLv2 Group: Applications/Internet @@ -162,6 +162,9 @@ fi %changelog +* Thu Feb 21 2013 Petr Lautrbach 7.0-3 +- fix potential XSS attacks - CVE-2012-4547 (#871159) + * Fri Oct 07 2011 Petr Lautrbach 7.0-2 - fix multiple XSS and sql injection flaws (#740926) From 288ddeb58b8bedac86e44bb95610ebe68eaf1233 Mon Sep 17 00:00:00 2001 
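Review bot: `CleanXSS` is a denylist — it appears to strip the angle-bracket characters, `|` and the literal token `onload` — and the MAIN hunk applies it to `$Tag` and `$Key` raw but to `$UrlEncoded` only after `HTML::Entities::encode` has already converted `<` and `>` to entities, so the third call `$UrlEncoded=CleanXSS($UrlEncoded);` does nothing for the characters it targets. A denylist keyed on one attribute name is not a reliable guarantee; since `HTML::Entities` is already loaded by Patch0, the more robust shape is to HTML-encode `$Tag` and `$Key` at the point where they are written into a page and keep the raw values for the md5 comparison and logging. As rendered here the substitution lines read `s//>/g;` and `s/|//g;`, which cannot be what the patch file contains (the `<` was most likely lost in rendering), so the stored file should be checked against this listing before it is trusted. The function header's `Input: None` / `Output: None` lines are redundant with `Parameters: stringtoclean` and `Return: cleanedstring` and could be dropped.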
From: Petr Lautrbach
Date: Sat, 24 Aug 2019 23:30:11 +0200
Subject: [PATCH 09/10] awstats-7.7-1
---
.gitignore | 9 ++-
awstats-7.0-cleanxss.patch | 43 -----------
awstats-awredir.pl-sanitize-parameters.patch | 46 ++----------
awstats-awstats_path.patch | 38 ++++++++++
awstats.cron | 3 +
awstats.spec | 79 +++++++++++++-------
sources | 2 +-
7 files changed, 107 insertions(+), 113 deletions(-)
delete mode 100644 awstats-7.0-cleanxss.patch
create mode 100644 awstats-awstats_path.patch
create mode 100644 awstats.cron
diff --git a/.gitignore b/.gitignore
index a48706a..ed55366 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,8 @@
-awstats-6.95.tar.gz
+awstats-7.0.tar.gz
+/awstats-7.1.tar.gz
+/awstats-7.1.1.tar.gz
+/awstats-7.2.tar.gz
+/awstats-7.3.tar.gz
+/awstats-7.4.tar.gz
+/awstats-7.6.tar.gz
+/awstats-7.7.tar.gz
diff --git a/awstats-7.0-cleanxss.patch b/awstats-7.0-cleanxss.patch
deleted file mode 100644
index 98f10a7..0000000
--- a/awstats-7.0-cleanxss.patch
+++ /dev/null
@@ -1,43 +0,0 @@ -diff -up awstats-7.0/wwwroot/cgi-bin/awredir.pl.cleanxss awstats-7.0/wwwroot/cgi-bin/awredir.pl ---- awstats-7.0/wwwroot/cgi-bin/awredir.pl.cleanxss 2012-11-16 15:38:42.077347478 +0100 -+++ awstats-7.0/wwwroot/cgi-bin/awredir.pl 2012-11-16 15:53:28.893552096 +0100 -@@ -75,6 +75,27 @@ sub DecodeEncodedString { - return $stringtodecode; - } - -+#------------------------------------------------------------------------------ -+# Function: Clean a string of HTML tags to avoid 'Cross Site Scripting attacks' -+# and clean | char. -+# Parameters: stringtoclean -+# Input: None -+# Output: None -+# Return: cleanedstring -+#------------------------------------------------------------------------------ -+sub CleanXSS { -+ my $stringtoclean = shift; -+ -+ # To avoid html tags and javascript -+ $stringtoclean =~ s//>/g; -+ $stringtoclean =~ s/|//g; -+ -+ # To avoid onload=" -+ $stringtoclean =~ s/onload//g; -+ return $stringtoclean; -+} -+ - - #------------------------------------------------------- - # MAIN -@@ -127,6 +148,11 @@ elsif ($Url =~ /url=(.+)$/) { $Url=$1; } - $Url = DecodeEncodedString($Url); - $UrlEncoded=HTML::Entities::encode($Url); - -+# Sanitize parameters -+$Tag=CleanXSS($Tag); -+$Key=CleanXSS($Key); -+$UrlEncoded=CleanXSS($UrlEncoded); -+ - if (! $Url) { - error("Error: Bad use of $PROG. To redirect an URL with $PROG, use the following syntax:
/cgi-bin/$PROG.pl?url=http://urltogo"); - } diff --git a/awstats-awredir.pl-sanitize-parameters.patch b/awstats-awredir.pl-sanitize-parameters.patch index 1615e9b..bc92ebb 100644 --- a/awstats-awredir.pl-sanitize-parameters.patch +++ b/awstats-awredir.pl-sanitize-parameters.patch @@ -1,8 +1,7 @@ -diff --git a/wwwroot/cgi-bin/awredir.pl b/wwwroot/cgi-bin/awredir.pl -index 35ee82d..f1e4cd2 100755 ---- a/wwwroot/cgi-bin/awredir.pl -+++ b/wwwroot/cgi-bin/awredir.pl -@@ -8,6 +8,8 @@ +diff -up awstats-7.1/wwwroot/cgi-bin/awredir.pl.sanitize awstats-7.1/wwwroot/cgi-bin/awredir.pl +--- awstats-7.1/wwwroot/cgi-bin/awredir.pl.sanitize 2012-02-15 15:19:22.000000000 +0100 ++++ awstats-7.1/wwwroot/cgi-bin/awredir.pl 2013-01-04 10:31:33.303448288 +0100 +@@ -21,6 +21,8 @@ #use DBD::mysql; use Digest::MD5 qw(md5 md5_hex md5_base64); @@ -11,42 +10,7 @@ index 35ee82d..f1e4cd2 100755 #------------------------------------------------------- -@@ -116,26 +118,27 @@ if ($ENV{QUERY_STRING} =~ /tag=\"?([^\"&]+)\"?/) { $Tag=$1; } - - $Key='NOKEY'; - if ($ENV{QUERY_STRING} =~ /key=\"?([^\"&]+)\"?/) { $Key=$1; } -+$KeyEncoded=HTML::Entities::encode($Key); - - # Extract url to redirect to - $Url=$ENV{QUERY_STRING}; - if ($Url =~ /url=\"([^\"]+)\"/) { $Url=$1; } - elsif ($Url =~ /url=(.+)$/) { $Url=$1; } - $Url = DecodeEncodedString($Url); --$UrlParam=$Url; -+$UrlEncoded=HTML::Entities::encode($Url); - --if (! $UrlParam) { -+if (! $Url) { - error("Error: Bad use of $PROG. To redirect an URL with $PROG, use the following syntax:
/cgi-bin/$PROG.pl?url=http://urltogo"); - } - -+if ($KEYFORMD5 && ($Key ne md5_hex($KEYFORMD5.$Url))) { -+# error("Error: Bad value for parameter key=".$Key." to allow a redirect to ".$UrlEncoded." - ".$KEYFORMD5." - ".md5_hex($KEYFORMD5.$UrlEncoded) ); -+ error("Error: Bad value for parameter key=".$KeyEncoded." to allow a redirect to ".$UrlEncoded.". Key must be hexadecimal md5(KEYFORMD5.".$UrlEncoded.") where KEYFORMD5 is value hardcoded into awredir.pl. Note: You can remove use of key by setting KEYFORMD5 to empty string in script awredir.pl"); -+} -+ - if ($Url !~ /^http/i) { $Url = "http://".$Url; } - if ($DEBUG) { print LOGFILE "Url=$Url\n"; } - --if ($KEYFORMD5 && ($Key ne md5_hex($KEYFORMD5.$UrlParam))) { --# error("Error: Bad value for parameter key=".$Key." to allow a redirect to ".$UrlParam." - ".$KEYFORMD5." - ".md5_hex($KEYFORMD5.$UrlParam) ); -- error("Error: Bad value for parameter key=".$Key." to allow a redirect to ".$UrlParam.". Key must be hexadecimal md5(KEYFORMD5.".$UrlParam.") where KEYFORMD5 is value hardcoded into awredir.pl. Note: You can remove use of key by setting KEYFORMD5 to empty string in script awredir.pl"); --} -- - - # Get date - ($nowsec,$nowmin,$nowhour,$nowday,$nowmonth,$nowyear,$nowwday,$nowyday,$nowisdst) = localtime(time); -@@ -151,14 +154,17 @@ if ($TRACEBASE == 1) { +@@ -193,14 +195,17 @@ if ($TRACEBASE == 1) { if ($ENV{REMOTE_ADDR} !~ /$EXCLUDEIP/) { if ($DEBUG == 1) { print LOGFILE "Execution requete Update sur BASE=$BASE, USER=$USER, PASS=$PASS\n"; } my $dbh = DBI->connect("DBI:mysql:$BASE", $USER, $PASS) || die "Can't connect to DBI:mysql:$BASE: $dbh->errstr\n"; diff --git a/awstats-awstats_path.patch b/awstats-awstats_path.patch new file mode 100644 index 0000000..ba708d6 --- /dev/null +++ b/awstats-awstats_path.patch 
@@ -0,0 +1,38 @@
+From: Chris Caron
+Date: Tue, 29 Nov 2016 20:33:53 -0500
+Subject: update default path to be more compatible with Linux distro
+Website: http://nuxref.com
+
+Make it so you don't have to pass in the -awstats=/path/to/awstats.pl
+every time any script is called.
+
+---
+
+diff -Naur awstats-7.4/tools/awstats_buildstaticpages.pl awstats-7.4.patched/tools/awstats_buildstaticpages.pl
+--- awstats-7.4/tools/awstats_buildstaticpages.pl 2014-09-23 03:16:09.000000000 -0400
++++ awstats-7.4.patched/tools/awstats_buildstaticpages.pl 2016-11-29 20:33:53.203777945 -0500
+@@ -299,6 +299,10 @@
+ # Check if AWSTATS prog is found
+ my $AwstatsFound=0;
+ if (-s "$Awstats") { $AwstatsFound=1; }
++elsif (-s "/usr/share/awstats/wwwroot/cgi-bin/awstats.pl") {
++ $Awstats="/usr/share/awstats/wwwroot/cgi-bin/awstats.pl";
++ $AwstatsFound=1;
++}
+ elsif (-s "/usr/local/awstats/wwwroot/cgi-bin/awstats.pl") {
+ $Awstats="/usr/local/awstats/wwwroot/cgi-bin/awstats.pl";
+ $AwstatsFound=1;
+diff -Naur awstats-7.4/tools/awstats_updateall.pl awstats-7.4.patched/tools/awstats_updateall.pl
+--- awstats-7.4/tools/awstats_updateall.pl 2014-09-23 03:16:09.000000000 -0400
++++ awstats-7.4.patched/tools/awstats_updateall.pl 2016-11-29 20:34:58.026745752 -0500
+@@ -129,6 +129,10 @@
+ # Check if AWSTATS prog is found
+ my $AwstatsFound=0;
+ if (-s "$Awstats") { $AwstatsFound=1; }
++ elsif (-s "/usr/share/awstats/wwwroot/cgi-bin/awstats.pl") {
++ $Awstats="/usr/share/awstats/wwwroot/cgi-bin/awstats.pl";
++ $AwstatsFound=1;
++ }
+ elsif (-s "/usr/local/awstats/wwwroot/cgi-bin/awstats.pl") {
+ $Awstats="/usr/local/awstats/wwwroot/cgi-bin/awstats.pl";
+ $AwstatsFound=1;
diff --git a/awstats.cron b/awstats.cron
new file mode 100644
index 0000000..c2a44ab
--- /dev/null
+++ b/awstats.cron
@@ -0,0 +1,3 @@
+#!/bin/bash
+exec /usr/share/awstats/tools/awstats_updateall.pl now -configdir="/etc/awstats" -awstatsprog="/usr/share/awstats/wwwroot/cgi-bin/awstats.pl" >/dev/null
+exit 0
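Review bot: The new awstats.cron hard-codes `/usr/share/awstats/...` and `/etc/awstats` where the heredoc it replaces used `%{_datadir}` and `%{_sysconfdir}`, so the script is now only correct for the default macro values and duplicates the fallback path the awstats_path patch adds to the two tools; a build with a non-default prefix would install a cron job pointing at the wrong tree. If the file stays a static Source, a comment such as `# paths match the %{_datadir}/%{_sysconfdir} defaults used in awstats.spec` in awstats.cron would at least flag the coupling. The path patch itself is fine, though the inserted `elsif` block is indented differently in the two files (`++elsif` vs `++ elsif`), which is worth normalising when it is next regenerated.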
diff --git a/awstats.spec b/awstats.spec index 6f6c580..ffa5d6b 100644 --- a/awstats.spec +++ b/awstats.spec @@ -1,21 +1,43 @@ Name: awstats -Version: 7.0 -Release: 3%{?dist} +Version: 7.7 +Release: 1%{?dist} Summary: Advanced Web Statistics -License: GPLv2 +License: GPLv3+ Group: Applications/Internet URL: http://awstats.sourceforge.net Source0: http://downloads.sourceforge.net/project/awstats/AWStats/%{version}/awstats-%{version}.tar.gz +Source1: %{name}.cron Patch0: awstats-awredir.pl-sanitize-parameters.patch -# CVE-2012-4547, #871159 -Patch3: awstats-7.0-cleanxss.patch + +%if 0%{?rhel} == 7 || 0%{?fedora} +# fix configuration for httpd 2.4 (#871366) +Patch1: awstats-7.0-httpd-2.4.patch +%endif + +Patch2: awstats-awstats_path.patch + +# distribution specific definitions +%define use_systemd (0%{?fedora} || 0%{?rhel} >= 7) BuildArch: noarch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) +BuildRequires: coreutils +BuildRequires: findutils +BuildRequires: perl +BuildRequires: perl-generators BuildRequires: recode -Requires: perl +Requires: perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version)) +Requires: perl-Net-IP, perl-Net-DNS, perl-Geo-IP +Requires: crontabs Requires(post): perl + +%if %use_systemd +# For systemd.macros +BuildRequires: systemd +Requires(postun): systemd +%else Requires(postun): /sbin/service +%endif ## SELinux policy is now included upstream Obsoletes: awstats-selinux < 6.8-1 @@ -42,7 +64,11 @@ http://localhost/awstats/awstats.pl %prep %setup -q %patch0 -p 1 -%patch3 -p 1 -b .cleanxss +%if 0%{?rhel} == 7 || 0%{?fedora} +%patch1 -p 1 +%endif +%patch2 -p 1 + # Fix style sheets. perl -pi -e 's,/icon,/awstatsicons,g' wwwroot/css/* # Fix some bad file permissions here for convenience. 
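Review bot: `Patch1: awstats-7.0-httpd-2.4.patch` is declared under `%if 0%{?rhel} == 7 || 0%{?fedora}` and applied by `%patch1 -p 1` in the %prep hunk, but that file is not in this commit's diffstat and was not added earlier in the series, so on those targets the build fails at %prep unless the file already exists in the repository — please confirm or add it. `%define use_systemd (0%{?fedora} || 0%{?rhel} >= 7)` at file scope is conventionally written `%global use_systemd ...`, since `%define` is lazily expanded and rpmlint flags it. The conditional `Requires(postun): systemd` / `/sbin/service` split matches the `%postun` change further down and looks consistent.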
@@ -57,15 +83,6 @@ recode ISO-8859-1..UTF-8 docs/awstats_changelog.txt %install rm -rf $RPM_BUILD_ROOT -### Create cron job -cat <awstats.cron -#!/bin/bash -exec %{_datadir}/awstats/tools/awstats_updateall.pl now \ - -configdir="%{_sysconfdir}/awstats" \ - -awstatsprog="%{_datadir}/awstats/wwwroot/cgi-bin/awstats.pl" >/dev/null -exit 0 -EOF - ### Create folders mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/{httpd/conf.d,%{name},cron.hourly} mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/lib/%{name} @@ -103,20 +120,21 @@ install -p -m 644 $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/%{name}.{model,localhos # Fix scripts perl -pi -e 's|/usr/local/awstats|%{_datadir}/awstats|g' \ - $RPM_BUILD_ROOT%{_datadir}/%{name}/tools/{*.pl,httpd_conf} + $RPM_BUILD_ROOT%{_datadir}/%{name}/tools/{*.pl} # Apache configuration install -p -m 644 tools/httpd_conf $RPM_BUILD_ROOT/%{_sysconfdir}/httpd/conf.d/%{name}.conf -perl -pi -e 's|/usr/local|%{_datadir}|g;s|Allow from all|Allow from 127.0.0.1|g' \ - $RPM_BUILD_ROOT/%{_sysconfdir}/httpd/conf.d/%{name}.conf -echo "# Additional Perl modules - - SetEnv PERL5LIB %{_datadir}/awstats/lib:%{_datadir}/awstats/plugins -" >> $RPM_BUILD_ROOT/%{_sysconfdir}/httpd/conf.d/%{name}.conf # Cron job -install -m 0755 awstats.cron $RPM_BUILD_ROOT%{_sysconfdir}/cron.hourly/%{name} +install -m 0750 -p %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/cron.hourly/%{name} +# replace logos with Copyright and Trademark problem by unknown.png +# https://bugzilla.redhat.com/show_bug.cgi?id=1196549 +cd $RPM_BUILD_ROOT%{_datadir}/%{name}/wwwroot/icon +for i in browser/adobe.png browser/seamonkey.png os/win*.png os/macos*.png cpu/intel.png cpu/ibm.png; do + cp -v os/unknown.png $i +done +cd - %clean rm -rf $RPM_BUILD_ROOT 
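Review bot: `$RPM_BUILD_ROOT%{_datadir}/%{name}/tools/{*.pl}` does not do what the edit intends: a brace group with a single member and no comma is not expanded by bash, so the argument becomes the literal pattern `tools/{*.pl}`, matches nothing, and the `/usr/local/awstats` → `%{_datadir}/awstats` substitution is no longer applied to any tool script; use `$RPM_BUILD_ROOT%{_datadir}/%{name}/tools/*.pl`. The same hunk deletes the `perl -pi -e 's|/usr/local|%{_datadir}|g;s|Allow from all|Allow from 127.0.0.1|g'` pass over the installed httpd conf, so the shipped `%{name}.conf` now carries whatever access policy upstream's tools/httpd_conf has instead of the localhost-only default this package used to enforce. If that relaxation is intentional it should be stated in the changelog; otherwise keep a rewrite to `Allow from 127.0.0.1` (or `Require local` for httpd 2.4) so the stats pages are not exposed by default. The removed `SetEnv PERL5LIB` block likewise disappears without a replacement visible in the hunk, which is worth confirming against the 7.7 httpd_conf.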
@@ -133,16 +151,20 @@ if [ $1 -eq 1 ]; then fi %postun +%if %use_systemd +%systemd_postun_with_restart httpd.service +%else if [ $1 -ne 0 ]; then /sbin/service httpd condrestart >/dev/null 2>&1 fi +%endif %files %defattr(-,root,root,755) # Apache configuration file %config(noreplace) %{_sysconfdir}/httpd/conf.d/%{name}.conf -%config(noreplace) %attr(755,root,root) %{_sysconfdir}/cron.hourly/%{name} +%config(noreplace) %attr(750,root,root) %{_sysconfdir}/cron.hourly/%{name} %config(noreplace) %{_sysconfdir}/%{name}/ %{_localstatedir}/lib/%{name} %dir %{_datadir}/%{name} @@ -151,7 +173,7 @@ fi %{_datadir}/%{name}/wwwroot/cgi-bin # Different defattr to fix lots of files which should not be +x. %defattr(644,root,root,755) -%doc README.TXT docs/* +%doc README.md docs/* %{_datadir}/%{name}/lang %{_datadir}/%{name}/lib %{_datadir}/%{name}/plugins @@ -162,6 +184,9 @@ fi %changelog +* Sat Aug 24 2019 Petr Lautrbach - 7.7-1 +- Version 7.7 + * Thu Feb 21 2013 Petr Lautrbach 7.0-3 - fix potential XSS attacks - CVE-2012-4547 (#871159) @@ -278,7 +303,7 @@ fi * Wed Mar 03 2004 Aurelien Bompard 6.0.0.fdr.2 - requires perl without version to fix build on rh9 -* Tue Feb 19 2004 Aurelien Bompard 6.0-0.fdr.1 +* Thu Feb 19 2004 Aurelien Bompard 6.0-0.fdr.1 - version 6.0 * Mon Dec 22 2003 Aurelien Bompard 5.9-0.fdr.5 diff --git a/sources b/sources index 6d183bc..a8fba76 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -3e8e09b9ebe74513bb34290dbcd37b45 awstats-7.0.tar.gz +SHA512 (awstats-7.7.tar.gz) = 8bf32b0650ef0cc900a16eead866da3847d81c2696e7a90fb49833679c958768833d781e5b4becd9b4f6748c7266e2887ff7ff33d98293ce3a0296a810fbe899 From ee96b8956f3434f9b6ddbb438ad5f19444288d6d Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Mon, 26 Aug 2019 22:10:20 +0200 Subject: [PATCH 10/10] Do not require perl-Geo-IP which is not available --- awstats.spec | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/awstats.spec b/awstats.spec index ffa5d6b..2a64c1f 100644 
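Review bot: The only new changelog line is `- Version 7.7`, yet this commit deletes awstats-7.0-cleanxss.patch (the CVE-2012-4547 fix), removes the awredir XSS hunk from Patch0, drops the localhost-only httpd restriction and moves the cron script to mode 0750. Security-relevant removals should stay traceable: add something like `- drop cleanxss patch and the awredir XSS hunk of patch0, fixed upstream (CVE-2012-4547)` (assuming that is the reason) and a line for the httpd configuration change. The `%attr(750,root,root)` change for the cron.hourly script agrees with the new `install -m 0750 -p %{SOURCE1}` line and the date correction `Thu Feb 19 2004` is fine as is.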
--- a/awstats.spec +++ b/awstats.spec @@ -1,6 +1,6 @@ Name: awstats Version: 7.7 -Release: 1%{?dist} +Release: 1.1%{?dist} Summary: Advanced Web Statistics License: GPLv3+ Group: Applications/Internet @@ -27,7 +27,7 @@ BuildRequires: perl BuildRequires: perl-generators BuildRequires: recode Requires: perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version)) -Requires: perl-Net-IP, perl-Net-DNS, perl-Geo-IP +Requires: perl-Net-IP, perl-Net-DNS Requires: crontabs Requires(post): perl @@ -184,8 +184,8 @@ fi %changelog -* Sat Aug 24 2019 Petr Lautrbach - 7.7-1 -- Version 7.7 +* Mon Aug 26 2019 Petr Lautrbach - 7.7-1.1 +- version 7.7 * Thu Feb 21 2013 Petr Lautrbach 7.0-3 - fix potential XSS attacks - CVE-2012-4547 (#871159)
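Review bot: The changelog hunk replaces the existing `* Sat Aug 24 2019 Petr Lautrbach - 7.7-1` entry with the 7.7-1.1 one instead of adding a new entry above it, so the 7.7-1 build vanishes from the package history, and the new text `- version 7.7` does not describe the actual change. Keep the old entry and add `* Mon Aug 26 2019 Petr Lautrbach - 7.7-1.1` / `- do not require perl-Geo-IP, which is not available` above it. If the shipped model configuration enables the GeoIP plugin, the script will now fail at runtime without that module; worth confirming the config does not reference it before the dependency is dropped.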