From d1cf2fe9c98ab33e4ecdb65d481874df574ec321 Mon Sep 17 00:00:00 2001
From: Aurelien Bompard
Date: Aug 23 2008 06:00:03 +0000
Subject: - Add upstream patch for CVE-2008-3714
---
diff --git a/awstats-6.8-CVE-2008-3714.patch b/awstats-6.8-CVE-2008-3714.patch
new file mode 100644
index 0000000..3de2f54
--- /dev/null
+++ b/awstats-6.8-CVE-2008-3714.patch
@@ -0,0 +1,43 @@
+--- awstats.pl 2008/04/21 21:13:28 1.910
++++ awstats.pl 2008/07/27 17:44:11 1.912
+@@ -6,7 +6,7 @@
+ # line or a browser to read report results.
+ # See AWStats documentation (in docs/ directory) for all setup instructions.
+ #------------------------------------------------------------------------------
+-# $Revision: 1.910 $ - $Author: eldy $ - $Date: 2008/04/21 21:13:28 $
++# $Revision: 1.912 $ - $Author: eldy $ - $Date: 2008/07/27 17:44:11 $
+ require 5.005;
+ 
+ #$|=1;
+@@ -21,8 +21,8 @@
+ # Defines
+ #------------------------------------------------------------------------------
+ use vars qw/ $REVISION $VERSION /;
+-$REVISION='$Revision: 1.910 $'; $REVISION =~ /\s(.*)\s/; $REVISION=$1;
+-$VERSION="6.8 (build $REVISION)";
++$REVISION='$Revision: 1.912 $'; $REVISION =~ /\s(.*)\s/; $REVISION=$1;
++$VERSION="6.9 (build $REVISION)";
+ 
+ # ----- Constants -----
+ use vars qw/
+@@ -4406,6 +4406,7 @@
+ sub DecodeEncodedString {
+ my $stringtodecode=shift;
+ $stringtodecode =~ tr/\+/ /s;
++ $stringtodecode =~ s/%22//g;
+ $stringtodecode =~ s/%([A-F0-9][A-F0-9])/pack("C", hex($1))/ieg;
+ return $stringtodecode;
+ }
+@@ -4458,9 +4459,12 @@
+ #------------------------------------------------------------------------------
+ sub CleanXSS {
+ my $stringtoclean=shift;
++ # To avoid html tags and javascript
+ $stringtoclean =~ s//>/g;
+ $stringtoclean =~ s/|//g;
++ # To avoid onload="
++ $stringtoclean =~ s/onload//g;
+ return $stringtoclean;
+ }
+ 
diff --git a/awstats.spec b/awstats.spec
index e49be77..11815ca 100644
--- a/awstats.spec
+++ b/awstats.spec
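Review bot: The new `$stringtoclean =~ s/onload//g;` in CleanXSS deletes a substring instead of escaping, and a single pass is defeated by nesting (`onloonloadad` comes out as `onload`), by mixed case such as `onLoad` since there is no `/i`, and by any other handler (`onerror`, `onmouseover`); at minimum make it idempotent and case-insensitive, `1 while $stringtoclean =~ s/onload//gi;`, and prefer HTML-escaping (`&lt;`, `&gt;`, `&quot;`) where values are written into the page rather than a blacklist here. The pre-existing context line `$stringtoclean =~ s/|//g;` is an empty alternation that matches the empty string and removes nothing, so `s/\|//g` is presumably what was intended. In DecodeEncodedString, stripping `%22` before percent-decoding only covers one encoding of the quote character — a literal `"` in the query string still passes through — so output-side escaping is what actually closes the hole. Note also that the carried diff bumps `$VERSION` to `6.9 (build 1.912)`, so this 6.8-2 package will describe itself as AWStats 6.9 wherever `$VERSION` is displayed; dropping the two version hunks from the patch keeps version-based inventory accurate.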
@@ -1,12 +1,14 @@ Name: awstats Version: 6.8 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Advanced Web Statistics License: GPLv2 Group: Applications/Internet URL: http://awstats.sourceforge.net Source0: http://dl.sf.net/awstats/awstats-%{version}.tar.gz #Source0: http://awstats.sourceforge.net/files/awstats-6.6.tar.gz +# http://awstats.cvs.sourceforge.net/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.910&r2=1.912&view=patch +Patch0: awstats-6.8-CVE-2008-3714.patch BuildArch: noarch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -39,6 +41,9 @@ http://localhost/awstats/awstats.pl %prep %setup -q +pushd wwwroot/cgi-bin/ +%patch0 -p0 -b .CVE-2008-3714 +popd # Fix style sheets. perl -pi -e 's,/icon,/awstatsicons,g' wwwroot/css/* # Fix some bad file permissions here for convenience. @@ -158,6 +163,9 @@ fi %changelog +* Sat Aug 23 2008 Aurelien Bompard 6.8-2 +- Add upstream patch for CVE-2008-3714 + * Mon Jul 21 2008 Aurelien Bompard 6.8-1 - version 6.8
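Review bot: `%patch0 -p0 -b .CVE-2008-3714` leaves an unpatched copy, `wwwroot/cgi-bin/awstats.pl.CVE-2008-3714`, in the build tree; if %install copies wwwroot/ wholesale or %files globs the cgi-bin directory (neither is visible in this hunk), that pre-fix script ships in the package and, if the directory is served through ScriptAlias, is executable from the web as an unfixed awstats.pl. Either apply without the backup suffix, `%patch0 -p0`, or remove it afterwards, `rm -f wwwroot/cgi-bin/awstats.pl.CVE-2008-3714`, and confirm %files names awstats.pl rather than the directory. The %prep section continues past the end of this hunk.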