Date:      Wed, 3 Jun 1998 13:09:59 -0500 (CDT)
From:      dkelly@nebula.tbe.com
To:        FreeBSD-gnats-submit@FreeBSD.ORG
Cc:        dkelly@PeeCee.tbe.com
Subject:   ports/6851: DFN-CERT and w3c-httpd
Message-ID:  <199806031809.NAA07198@PeeCee.tbe.com>


>Number:         6851
>Category:       ports
>Synopsis:       apply DFN-CERT#34784 to CGIParse.c
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jun  3 11:10:01 PDT 1998
>Last-Modified:
>Originator:     David Kelly
>Organization:
>Release:        FreeBSD 2.2.6-STABLE i386
>Environment:

	

>Description:

http://www13.w3.org/Daemon/User/CGI/cgiparse.html says:

Security fix

In reply to DFN-CERT#34784, you should apply this diff to the latest (3.0) version of WWW/Daemon/CGIParse.c: 

296c296,297
<           printf("QUERY_STRING='%s'; export QUERY_STRING\n", query_string) ;
---
>           printf("QUERY_STRING=%s; export QUERY_STRING\n"
>                  , sh_escape(query_string)) ;
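
Review bot: With the single quotes dropped from the format string on the new line 296, the emitted `QUERY_STRING=%s; export QUERY_STRING` line is safe to eval only if sh_escape() escapes every character the shell treats specially in an unquoted word (whitespace, `;`, `&`, `|`, `$`, backquote, quotes, backslash, newline), and its definition is not part of this diff. Please confirm that sh_escape() already exists in the 3.0 CGIParse.c and covers that set. The old form `'%s'` broke as soon as the query string contained a single quote, so any other printf in this file that still emits a request-derived value inside `'%s'` should get the same treatment. If sh_escape() returns allocated storage, it is not released after the printf here.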

>How-To-Repeat:

	

>Fix:
	
add this patch file to w3c-httpd/patches:


Be warned I haven't tried it yet. Only have verified the above
patch applies the way I think it should.
>Audit-Trail:
>Unformatted:
