rpms/mldonkey/devel url_slashes.patch, NONE, 1.1 mldonkey.spec, 1.4, 1.5
Richard W.M. Jones
rjones at fedoraproject.org
Thu Feb 26 09:00:23 UTC 2009
Author: rjones
Update of /cvs/pkgs/rpms/mldonkey/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv15483
Modified Files:
mldonkey.spec
Added Files:
url_slashes.patch
Log Message:
- Fix remote arbitrary file disclosure via a GET request with more
than one leading / (slash) character in the filename (rhbz#487132).
url_slashes.patch:
--- NEW FILE url_slashes.patch ---
diff -a -x Root -x Repository -x Tag -x Entries -x Entries.Log -x .svn -x '*.rej' -x '*.orig' -x '*.cmi' -x '*.cma' -x '*.cmo' -x '*.cmx' -x '*.cmxa' -x '*.a' -x '*.o' -x .depend -x Makefile -x mlnet -x ocamlpp.byte -N -r -u ./src/utils/lib/url.ml ./src/utils/lib/url.ml
--- ./src/utils/lib/url.ml 2007-03-17 19:49:32.000000000 +0100
+++ ./src/utils/lib/url.ml 2009-02-23 19:29:04.000000000 +0100
@@ -175,6 +175,19 @@
Buffer.contents res
let of_string ?(args=[]) s =
+ let remove_leading_slashes s =
+ let len = String.length s in
+ let left =
+ let rec aux i =
+ if i < len && s.[i] = '/' then aux (i+1) else i in
+ aux 0 in
+ if left = 0 then s
+ else
+ String.sub s left (len - left) in
+
+ (* redefine s to remove all leading slashes *)
+ let s = remove_leading_slashes s in
+
let s = put_args s args in
let url =
let get_two init_pos =
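Review bot: `remove_leading_slashes` returns the empty string when the input consists only of slashes (`String.sub s left (len - left)` with `left = len`), so a request for `/` now reaches `put_args` and the parser below as `""`. Whether they accept empty input is not visible here, because `of_string` continues past the end of the hunk. Since the strip sits in the general-purpose `of_string`, it changes parsing for every caller, and the code that maps a request path to a file on disk (outside this hunk) should presumably carry its own confinement check rather than rely on this normalisation. If the parser below expects a leading `/` for path-only input, collapsing the run to one slash in the else branch, `String.sub s (left - 1) (len - left + 1)`, would close the multi-slash case while leaving `/` requests unchanged; that needs checking against the rest of the function. The comment should also record the reason: `(* strip leading slashes: a GET path with more than one leading '/' allowed arbitrary file disclosure (rhbz#487132) *)`.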
Index: mldonkey.spec
===================================================================
RCS file: /cvs/pkgs/rpms/mldonkey/devel/mldonkey.spec,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- mldonkey.spec 26 Feb 2009 01:42:36 -0000 1.4
+++ mldonkey.spec 26 Feb 2009 08:59:53 -0000 1.5
@@ -1,6 +1,6 @@
Name: mldonkey
Version: 2.9.7
-Release: 3%{?dist}
+Release: 4%{?dist}
Summary: Client for several P2P networks
License: GPLv2+
Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.bz2
@@ -9,6 +9,7 @@
Source9: mldonkey_df_monitor.sh
Source11: mldonkey.logrotate
Patch0: mldonkey-initscript.patch
+Patch1: url_slashes.patch
URL: http://mldonkey.sourceforge.net
Group: Applications/Internet
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -125,6 +126,7 @@
%prep
%setup -q
%patch0 -p1 -b .fedora
+%patch1 -p0
# Let's make rpmlint happy
sed -i 's|\r||g' distrib/ed2k_submit/README.MLdonkeySubmit
sed -i 's|\r||g' docs/slavanap.txt
@@ -319,6 +321,10 @@
%changelog
+* Thu Feb 26 2009 Richard W.M. Jones <rjones at redhat.com> - 2.9.7-4
+- Fix remote arbitrary file disclosure via a GET request with more
+ than one leading / (slash) character in the filename (rhbz#487132).
+
* Wed Feb 25 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 2.9.7-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild