From 9fcad73afa546d971e3d70dca2bb31ee13f1a1e7 Mon Sep 17 00:00:00 2001
From: Tim Jackson
Date: Aug 23 2008 09:03:41 +0000
Subject: Fix CVE-2008-3714: cross-site scripting security issue (#459605)
---
diff --git a/awstats-6.7-CVE-2008-3714.patch b/awstats-6.7-CVE-2008-3714.patch
new file mode 100644
index 0000000..ba47246
--- /dev/null
+++ b/awstats-6.7-CVE-2008-3714.patch
@@ -0,0 +1,27 @@
+Adapted from:
+http://awstats.cvs.sourceforge.net/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.910&r2=1.912
+
+diff -ur awstats-6.7/wwwroot/cgi-bin/awstats.pl awstats-6.7-CVE-2008-3714/wwwroot/cgi-bin/awstats.pl
+--- awstats-6.7/wwwroot/cgi-bin/awstats.pl 2007-07-07 12:00:06.000000000 +0100
++++ awstats-6.7-CVE-2008-3714/wwwroot/cgi-bin/awstats.pl 2008-08-23 09:21:31.000000000 +0100
+@@ -4380,6 +4380,7 @@
+ sub DecodeEncodedString {
+ my $stringtodecode=shift;
+ $stringtodecode =~ tr/\+/ /s;
++ $stringtodecode =~ s/%22//g;
+ $stringtodecode =~ s/%([A-F0-9][A-F0-9])/pack("C", hex($1))/ieg;
+ return $stringtodecode;
+ }
+@@ -4432,9 +4433,12 @@
+ #------------------------------------------------------------------------------
+ sub CleanXSS {
+ my $stringtoclean=shift;
++ # To avoid html tags and javascript
+ $stringtoclean =~ s//>/g;
+ $stringtoclean =~ s/|//g;
++ # To avoid onload="
++ $stringtoclean =~ s/onload//g;
+ return $stringtoclean;
+ }
+
diff --git a/awstats.spec b/awstats.spec
index 7150b98..1b29883 100644
--- a/awstats.spec
+++ b/awstats.spec
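Review bot: The `s/onload//g` added to CleanXSS is a case-sensitive, single-pass, single-token blacklist: `OnLoad`, `onloonloadad` and every other handler name (`onerror`, `onmouseover`, …) pass through unchanged, so the attribute-injection vector the new comment names is not actually closed. The `s/%22//g` added to DecodeEncodedString has the same shape, removing only the encoded double quote and not `%27` or a literal `"` already present in the input. Instead of deleting tokens, CleanXSS should neutralise the characters that let input leave an attribute value, e.g. `$stringtoclean =~ s/"/&quot;/g;` and `$stringtoclean =~ s/'/&#39;/g;` in place of the `onload` line, keeping the existing tag-character substitutions. The two context lines between `my $stringtoclean=shift;` and the added comment appear garbled in this rendering (`s//>/g;`, `s/|//g;`), so what they escape cannot be confirmed here, and whether every output path routes through CleanXSS lies outside the hunk.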
@@ -1,18 +1,19 @@
 Name: awstats
 Version: 6.7
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: Advanced Web Statistics
 License: GPLv2
 Group: Applications/Internet
 URL: http://awstats.sourceforge.net
 Source0: http://dl.sf.net/awstats/awstats-%{version}.tar.gz
-#Source0: http://awstats.sourceforge.net/files/awstats-6.6.tar.gz
 Source1: awstats.README.SELinux
 # Fix pb in xml output for history files
 # http://awstats.cvs.sourceforge.net/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.892&r2=1.894&view=patch
 Patch0: awstats-6.7-xmlhistory.patch
+Patch1: awstats-6.7-CVE-2008-3714.patch
+
 BuildArch: noarch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: checkpolicy, selinux-policy-devel
@@ -50,9 +51,8 @@ This package adds SELinux enforcement to AWstats.
 %prep
 %setup -q
-# No backup or it will be installed
-#%%patch0 -p0 -b .xmlhistory
 %patch0 -p0
+%patch1 -p1
 # Fix style sheets.
 perl -pi -e 's,/icon,/awstatsicons,g' wwwroot/css/*
 # Fix some bad file permissions here for convenience.
@@ -218,6 +218,9 @@ fi
 %changelog
+* Sat Aug 23 2008 Tim Jackson 6.7-3
+- Fix CVE-2008-3714: cross-site scripting security issue (#459605)
+
 * Sun Mar 16 2008 Tim Jackson 6.7-2
 - awstats does not actually require httpd (#406901)
 - Fix cron script to be compatible with SELinux (#435101)