From 480a4c5c2d240d333196cbc0100a4e930d33cb91 Mon Sep 17 00:00:00 2001
From: Tim Jackson
Date: Dec 07 2008 18:40:14 +0000
Subject: Use Debian's patch for CVE-2008-3714 (#474396 Sync spec with devel branch a bit
---
diff --git a/awstats-6.7-CVE-2008-3714.patch b/awstats-6.7-CVE-2008-3714.patch
index ba47246..3878464 100644
--- a/awstats-6.7-CVE-2008-3714.patch
+++ b/awstats-6.7-CVE-2008-3714.patch
@@ -1,27 +1,12 @@
-Adapted from:
-http://awstats.cvs.sourceforge.net/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.910&r2=1.912
-
 diff -ur awstats-6.7/wwwroot/cgi-bin/awstats.pl awstats-6.7-CVE-2008-3714/wwwroot/cgi-bin/awstats.pl
 --- awstats-6.7/wwwroot/cgi-bin/awstats.pl 2007-07-07 12:00:06.000000000 +0100
-+++ awstats-6.7-CVE-2008-3714/wwwroot/cgi-bin/awstats.pl 2008-08-23 09:21:31.000000000 +0100
-@@ -4380,6 +4380,7 @@
- sub DecodeEncodedString {
++++ awstats-6.7-CVE-2008-3714/wwwroot/cgi-bin/awstats.pl 2008-12-06 15:01:44.000000000 +0000
+@@ -4381,6 +4381,7 @@
  my $stringtodecode=shift;
  $stringtodecode =~ tr/\+/ /s;
-+ $stringtodecode =~ s/%22//g;
  $stringtodecode =~ s/%([A-F0-9][A-F0-9])/pack("C", hex($1))/ieg;
++ $stringtodecode =~ s/["']//g;
  return $stringtodecode;
  }
-@@ -4432,9 +4433,12 @@
- #------------------------------------------------------------------------------
- sub CleanXSS {
- my $stringtoclean=shift;
-+ # To avoid html tags and javascript
- $stringtoclean =~ s//>/g;
- $stringtoclean =~ s/|//g;
-+ # To avoid onload="
-+ $stringtoclean =~ s/onload//g;
- return $stringtoclean;
- }
+Only in awstats-6.7-CVE-2008-3714/wwwroot/cgi-bin: awstats.pl.orig
diff --git a/awstats.spec b/awstats.spec
index 16fa62a..3bf2e95 100644
--- a/awstats.spec
+++ b/awstats.spec
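Review bot: The added line `+Only in awstats-6.7-CVE-2008-3714/wwwroot/cgi-bin: awstats.pl.orig` is stray `diff -ur` output from a leftover backup file and does not belong in the patch; `patch` skips such lines, but the file should be regenerated from a clean tree without it. The old `Adapted from:` header is removed and nothing replaces it, so a one-line header such as `Debian's fix for CVE-2008-3714 (#474396): strip quotes after percent-decoding in DecodeEncodedString` would keep the provenance that only the commit message currently gives. The new patch moves the quote stripping to after the `%XX` decode (`s/["']//g`, which also covers `%27` and literal quotes, unlike the old pre-decode `s/%22//g`), but it drops the old patch's CleanXSS hunk entirely, so that function reverts to stock 6.7 — confirm that is intended and that the Debian fix is considered complete on its own. Character stripping inside the decoder is a denylist mitigation that also alters legitimate parameter values; the durable fix is escaping at the point where these values are emitted into HTML, which neither version of the patch touches.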
@@ -9,7 +9,7 @@
 Source0: http://dl.sf.net/awstats/awstats-%{version}.tar.gz
 Source1: awstats.README.SELinux
 Source2: awstats.README.Fedora
-# Fix pb in xml output for history files
+# Fix XML output for history files
 # http://awstats.cvs.sourceforge.net/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.892&r2=1.894&view=patch
 Patch0: awstats-6.7-xmlhistory.patch
@@ -59,8 +59,8 @@ perl -pi -e 's,/icon,/awstatsicons,g' wwwroot/css/*
 # Fix some bad file permissions here for convenience.
 chmod -x tools/httpd_conf
 find tools/xslt -type f | xargs chmod -x
-# Remove \r in conf file (file written on MS Windows)
-perl -pi -e 's/\r//g' tools/httpd_conf tools/logresolvemerge.pl
+# Remove \r in various files
+perl -pi -e 's/\r//g' docs/COPYING.TXT docs/LICENSE.TXT docs/pad_awstats.xml docs/awstats_changelog.txt docs/styles.css tools/httpd_conf tools/logresolvemerge.pl tools/awstats_exportlib.pl tools/awstats_buildstaticpages.pl tools/maillogconvert.pl tools/urlaliasbuilder.pl wwwroot/cgi-bin/awredir.pl
 # SELinux README
 cp -a %{SOURCE1} README.SELinux
 cp -a %{SOURCE2} README.Fedora
@@ -126,11 +126,6 @@
 find docs/ -name .cvsignore | xargs rm -f
 iconv -f iso-8859-1 -t utf-8 < docs/awstats_changelog.txt > docs/awstats_changelog.txt.utf8
 mv docs/awstats_changelog.txt.utf8 docs/awstats_changelog.txt
-# Fix EOLs
-%{__sed} -i 's/\r//' docs/pad_awstats.xml
-%{__sed} -i 's/\r//' docs/styles.css
-%{__sed} -i 's/\r//' docs/awstats_changelog.txt
-
 # Apache configuration
 install -p -m 644 tools/httpd_conf $RPM_BUILD_ROOT/%{_sysconfdir}/httpd/conf.d/%{name}.conf
 perl -pi -e 's|/usr/local|%{_datadir}|g;s|Allow from all|Allow from 127.0.0.1|g' \
@@ -220,7 +215,8 @@
 fi
 %changelog
-* Wed Sep 24 2008 Tim Jackson 6.7-4
+* Sat Dec 06 2008 Tim Jackson 6.7-4
+- Use Debian's patch for CVE-2008-3714 (#474396)
 - Add README.Fedora file pointing people towards the -selinux subpackage
 * Sat Aug 23 2008 Tim Jackson 6.7-3
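Review bot: The new `perl -pi -e 's/\r//g' ...` line in the second hunk lists twelve paths on a single line, which is hard to read and hard to review the next time a file is added to or dropped from the list. The spec already wraps long commands with backslash continuations (the `perl -pi -e 's|/usr/local|...' \` line in the third hunk), so the same layout fits here, one path group per line. The script section this hunk sits in starts and ends outside the hunk.
```rpm-spec
# Remove \r in various files
perl -pi -e 's/\r//g' \
    docs/COPYING.TXT docs/LICENSE.TXT docs/pad_awstats.xml \
    docs/awstats_changelog.txt docs/styles.css \
    tools/httpd_conf tools/logresolvemerge.pl tools/awstats_exportlib.pl \
    tools/awstats_buildstaticpages.pl tools/maillogconvert.pl tools/urlaliasbuilder.pl \
    wwwroot/cgi-bin/awredir.pl
```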
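Review bot: The changelog entry `-* Wed Sep 24 2008 Tim Jackson 6.7-4` is re-dated to `+* Sat Dec 06 2008 Tim Jackson 6.7-4` and gains the CVE-2008-3714 line, but no hunk in this diff touches the Release tag, so the package swaps its security patch without changing its NEVR. If 6.7-4 was ever built or published with the previous patch, the two different CVE-2008-3714 fixes become indistinguishable by version to anyone auditing installed packages; in that case bump to 6.7-5 with its own changelog entry rather than re-dating the existing one. If 6.7-4 was never built, re-dating is fine, though saying so in the commit message would settle the question for the next reader.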