head	1.1;
access;
symbols;
locks; strict;
comment	@# @;


1.1
date	2012.09.04.13.45.28;	author rea;	state Exp;
branches;
next	;


desc
@@


1.1
log
@SVN rev 303652 on 2012-09-04 13:45:28Z by rea

security/squidclamav: fix DoS and XSS vulnerabilities

Apply upstream patches for CVE-2012-3501 and CVE-2012-4667.

Security:	http://www.vuxml.org/freebsd/ce680f0a-eea6-11e1-8bd8-0022156e8794.html
Security:	http://www.vuxml.org/freebsd/8defa0f9-ee8a-11e1-8bd8-0022156e8794.html
PR:		171022
QA page:	http://codelabs.ru/fbsd/ports/qa/security/squidclamav/5.7_1
Approved by:	maintainer timeout (1 week)
@
text
@Fixes CVE-2012-4667, XSS in clwarn.cgi

Integrated into 5.8 and 6.7.

Obtained-from: https://github.com/darold/squidclamav/commit/5806d10a31183a0b0d18eccc3a3e04e536e2315b.diff

diff --git a/cgi-bin/clwarn.cgi b/cgi-bin/clwarn.cgi
index 9333bef..a43eca7 100755
--- cgi-bin/clwarn.cgi
+++ cgi-bin/clwarn.cgi
@@@@ -7,11 +7,11 @@@@ my $VERSION = '6.6';
 
 my $cgi = new CGI;
 
-my $url = $cgi->param('url') || '';
-my $virus = $cgi->param('virus') || '';
-my $source = $cgi->param('source') || '';
+my $url = CGI::escapeHTML($cgi->param('url')) || '';
+my $virus = CGI::escapeHTML($cgi->param('virus')) || '';
+my $source = CGI::escapeHTML($cgi->param('source')) || '';
 $source =~ s/\/-//;
-my $user = $cgi->param('user') || '';
+my $user = CGI::escapeHTML($cgi->param('user')) || '';
 
 
 my $TITLE_VIRUS = "SquidClamAv $VERSION: Virus detection";
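Review bot: `$cgi->param('url')` is evaluated in list context here because it is a function argument, so a request that repeats a parameter hands `CGI::escapeHTML` more than one value, and a missing parameter appears to hand it none. The first value still looks to be the one that gets escaped, but the result then depends on how escapeHTML treats extra arguments. Forcing scalar context pins the behaviour, e.g. `my $url = CGI::escapeHTML(scalar $cgi->param('url')) || '';`, and likewise for `virus`, `source` and `user`. The same four lines recur in the de_DE, en_EN, fr_FR, pt_BR and ru_RU hunks.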
diff --git a/cgi-bin/clwarn.cgi.de_DE b/cgi-bin/clwarn.cgi.de_DE
index 700c3df..3f21180 100755
--- cgi-bin/clwarn.cgi.de_DE
+++ cgi-bin/clwarn.cgi.de_DE
@@@@ -7,11 +7,11 @@@@ my $VERSION = '6.6';
 
 my $cgi = new CGI;
 
-my $url = $cgi->param('url') || '';
-my $virus = $cgi->param('virus') || '';
-my $source = $cgi->param('source') || '';
+my $url = CGI::escapeHTML($cgi->param('url')) || '';
+my $virus = CGI::escapeHTML($cgi->param('virus')) || '';
+my $source = CGI::escapeHTML($cgi->param('source')) || '';
 $source =~ s/\/-//;
-my $user = $cgi->param('user') || '';
+my $user = CGI::escapeHTML($cgi->param('user')) || '';
 
 my $TITLE_VIRUS = "Virus Alarm";
 my $subtitle = 'enthlt folgenden Virus';
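Review bot: Escaping the four parameters once at read time only protects the places where they are later printed as HTML text or inside a quoted attribute, and the code that prints them lies outside this hunk. If `$url` ends up in an `href`, or `$user`/`$virus` in a script block, mail header or log line, `CGI::escapeHTML` is the wrong or an insufficient encoding there (it does not restrict URL schemes, for example). A comment above the block such as `# HTML-escaped on input: emit only as HTML text or quoted attribute values` would make that constraint visible to whoever edits the templates. This applies equally to the other five clwarn.cgi variants.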
diff --git a/cgi-bin/clwarn.cgi.en_EN b/cgi-bin/clwarn.cgi.en_EN
index d246e54..6e70e46 100755
--- cgi-bin/clwarn.cgi.en_EN
+++ cgi-bin/clwarn.cgi.en_EN
@@@@ -7,11 +7,11 @@@@ my $VERSION = '6.6';
 
 my $cgi = new CGI;
 
-my $url = $cgi->param('url') || '';
-my $virus = $cgi->param('virus') || '';
-my $source = $cgi->param('source') || '';
+my $url = CGI::escapeHTML($cgi->param('url')) || '';
+my $virus = CGI::escapeHTML($cgi->param('virus')) || '';
+my $source = CGI::escapeHTML($cgi->param('source')) || '';
 $source =~ s/\/-//;
-my $user = $cgi->param('user') || '';
+my $user = CGI::escapeHTML($cgi->param('user')) || '';
 
 my $TITLE_VIRUS = "SquidClamAv $VERSION: Virus detection";
 my $subtitle = 'contains the virus';
diff --git a/cgi-bin/clwarn.cgi.fr_FR b/cgi-bin/clwarn.cgi.fr_FR
index c0b3896..323fa30 100755
--- cgi-bin/clwarn.cgi.fr_FR
+++ cgi-bin/clwarn.cgi.fr_FR
@@@@ -7,11 +7,11 @@@@ my $VERSION = '6.6';
 
 my $cgi = new CGI;
 
-my $url = $cgi->param('url') || '';
-my $virus = $cgi->param('virus') || '';
-my $source = $cgi->param('source') || '';
+my $url = CGI::escapeHTML($cgi->param('url')) || '';
+my $virus = CGI::escapeHTML($cgi->param('virus')) || '';
+my $source = CGI::escapeHTML($cgi->param('source')) || '';
 $source =~ s/\/-//;
-my $user = $cgi->param('user') || '';
+my $user = CGI::escapeHTML($cgi->param('user')) || '';
 
 my $TITLE_VIRUS = "SquidClamAv $VERSION: Virus detection";
 my $subtitle = 'contient le virus';
diff --git a/cgi-bin/clwarn.cgi.pt_BR b/cgi-bin/clwarn.cgi.pt_BR
index 6bf12a0..1a6492a 100755
--- cgi-bin/clwarn.cgi.pt_BR
+++ cgi-bin/clwarn.cgi.pt_BR
@@@@ -7,8 +7,11 @@@@ my $VERSION = '6.6';
 
 my $cgi = new CGI;
 
-my $url = $cgi->param('url') || '';
-my $virus = $cgi->param('virus') || '';
+my $url = CGI::escapeHTML($cgi->param('url')) || '';
+my $virus = CGI::escapeHTML($cgi->param('virus')) || '';
+my $source = CGI::escapeHTML($cgi->param('source')) || '';
+$source =~ s/\/-//;
+my $user = CGI::escapeHTML($cgi->param('user')) || '';
 
 my $TITLE_VIRUS = "SquidClamAv $VERSION: Foi detectado um v&iacute;rus!";
 my $subtitle = 'est&aacute; infectada pelo v&iacute;rus';
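Review bot: Unlike the other variants, this hunk also introduces `$source` and `$user`, which the pt_BR script did not read before; the rest of the file is not visible here, so it is unclear whether the page body prints them. If it does not, the three added lines are dead code and are better dropped; if it does, a short comment such as `# source/user added to match clwarn.cgi` would explain why a security fix adds new inputs. Maintaining six hand-copied parameter blocks appears to be how this file fell out of step, so a shared parameter-reading snippet would be worth considering.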
diff --git a/cgi-bin/clwarn.cgi.ru_RU b/cgi-bin/clwarn.cgi.ru_RU
index 21e4d94..1e82a0b 100755
--- cgi-bin/clwarn.cgi.ru_RU
+++ cgi-bin/clwarn.cgi.ru_RU
@@@@ -7,11 +7,11 @@@@ my $VERSION = '6.6';
 
 my $cgi = new CGI;
 
-my $url = $cgi->param('url') || '';
-my $virus = $cgi->param('virus') || '';
-my $source = $cgi->param('source') || '';
+my $url = CGI::escapeHTML($cgi->param('url')) || '';
+my $virus = CGI::escapeHTML($cgi->param('virus')) || '';
+my $source = CGI::escapeHTML($cgi->param('source')) || '';
 $source =~ s/\/-//;
-my $user = $cgi->param('user') || '';
+my $user = CGI::escapeHTML($cgi->param('user')) || '';
 
 my $TITLE_VIRUS = "SquidClamAv $VERSION: Обнаружен вирус!";
 my $subtitle = 'содержит вирус';
@
