Folding debian/patches into .diff.gz since we are still at 1.0 pkg source format in wheezy
Yaroslav Halchenko
11 years ago
1 | 1 | |
2 | 2 | * CVE-2012-5642: Escape the content of <matches> since its value could |
3 | 3 | contain arbitrary symbols (Closes: #696184) |
4 | * Since package source format remained 1.0, manpages patch | |
5 | (deb_manpages_reportbug) was not applied -- fold it into .diff.gz | |
4 | 6 | |
5 | 7 | -- Yaroslav Halchenko <debian@onerussian.com> Mon, 17 Dec 2012 13:19:32 -0500 |
6 | 8 |
0 | From: Yaroslav Halchenko <debian@onerussian.com> | |
1 | Date: Fri, 8 Feb 2008 00:40:57 -0500 | |
2 | Subject: tune ups in upstream manpages to direct users to use reportbug | |
3 | ||
4 | --- a/man/fail2ban-client.1 | |
5 | +++ b/man/fail2ban-client.1 | |
6 | @@ -251,7 +251,8 @@ action <ACT> for <JAIL> | |
7 | Written by Cyril Jaquier <cyril.jaquier@fail2ban.org>. | |
8 | Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>. | |
9 | .SH "REPORTING BUGS" | |
10 | -Report bugs to <cyril.jaquier@fail2ban.org> | |
11 | +Please report bugs via Debian bug tracking system | |
12 | +http://www.debian.org/Bugs/. | |
13 | .SH COPYRIGHT | |
14 | Copyright \(co 2004-2008 Cyril Jaquier | |
15 | .br | |
16 | --- a/man/fail2ban-server.1 | |
17 | +++ b/man/fail2ban-server.1 | |
18 | @@ -35,7 +35,8 @@ print the version | |
19 | Written by Cyril Jaquier <cyril.jaquier@fail2ban.org>. | |
20 | Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>. | |
21 | .SH "REPORTING BUGS" | |
22 | -Report bugs to <cyril.jaquier@fail2ban.org> | |
23 | +Please report bugs via Debian bug tracking system | |
24 | +http://www.debian.org/Bugs/. | |
25 | .SH COPYRIGHT | |
26 | Copyright \(co 2004-2008 Cyril Jaquier | |
27 | .br |
0 | From: Yaroslav Halchenko <debian@onerussian.com> | |
1 | Date: Mon, 8 Oct 2012 22:14:51 -0400 | |
2 | Subject: [PATCH] BF: escape the content of <matches> since its value could contain arbitrary symbols | |
3 | ||
4 | Contains two commits 83109bce144f443a48ef31165a5389b7b83f4e0e and 09355663f7a3c0409e08efdebf98b1bbf47d1d9c | |
5 | ||
6 | Bug-Debian: http://bugs.debian.org/696184 | |
7 | Origin: upstream | |
8 | ||
9 | --- | |
10 | server/action.py | 18 +++++++++++++++--- | |
11 | 1 file changed, 15 insertions(+), 3 deletions(-) | |
12 | ||
13 | --- a/server/action.py | |
14 | +++ b/server/action.py | |
15 | @@ -230,7 +230,14 @@ class Action: | |
16 | def execActionStop(self): | |
17 | stopCmd = Action.replaceTag(self.__actionStop, self.__cInfo) | |
18 | return Action.executeCmd(stopCmd) | |
19 | - | |
20 | + | |
21 | + def escapeTag(tag): | |
22 | + for c in '\\#&;`|*?~<>^()[]{}$\n': | |
23 | + if c in tag: | |
24 | + tag = tag.replace(c, '\\' + c) | |
25 | + return tag | |
26 | + escapeTag = staticmethod(escapeTag) | |
27 | + | |
28 | ## | |
29 | # Replaces tags in query with property values in aInfo. | |
30 | # | |
31 | @@ -243,8 +250,13 @@ class Action: | |
32 | """ Replace tags in query | |
33 | """ | |
34 | string = query | |
35 | - for tag in aInfo: | |
36 | - string = string.replace('<' + tag + '>', str(aInfo[tag])) | |
37 | + for tag, value in aInfo.iteritems(): | |
38 | + value = str(value) # assure string | |
39 | + if tag == 'matches': | |
40 | + # That one needs to be escaped since its content is | |
41 | + # out of our control | |
42 | + value = Action.escapeTag(value) | |
43 | + string = string.replace('<' + tag + '>', value) | |
44 | # New line | |
45 | string = string.replace("<br>", '\n') | |
46 | return string |
250 | 250 | Written by Cyril Jaquier <cyril.jaquier@fail2ban.org>. |
251 | 251 | Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>. |
252 | 252 | .SH "REPORTING BUGS" |
253 | Report bugs to <cyril.jaquier@fail2ban.org> | |
253 | Please report bugs via Debian bug tracking system | |
254 | http://www.debian.org/Bugs/. | |
254 | 255 | .SH COPYRIGHT |
255 | 256 | Copyright \(co 2004-2008 Cyril Jaquier |
256 | 257 | .br |
34 | 34 | Written by Cyril Jaquier <cyril.jaquier@fail2ban.org>. |
35 | 35 | Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>. |
36 | 36 | .SH "REPORTING BUGS" |
37 | Report bugs to <cyril.jaquier@fail2ban.org> | |
37 | Please report bugs via Debian bug tracking system | |
38 | http://www.debian.org/Bugs/. | |
38 | 39 | .SH COPYRIGHT |
39 | 40 | Copyright \(co 2004-2008 Cyril Jaquier |
40 | 41 | .br |
229 | 229 | def execActionStop(self): |
230 | 230 | stopCmd = Action.replaceTag(self.__actionStop, self.__cInfo) |
231 | 231 | return Action.executeCmd(stopCmd) |
232 | ||
232 | ||
233 | def escapeTag(tag): | |
234 | for c in '\\#&;`|*?~<>^()[]{}$\n': | |
235 | if c in tag: | |
236 | tag = tag.replace(c, '\\' + c) | |
237 | return tag | |
238 | escapeTag = staticmethod(escapeTag) | |
239 | ||
233 | 240 | ## |
234 | 241 | # Replaces tags in query with property values in aInfo. |
235 | 242 | # |
242 | 249 | """ Replace tags in query |
243 | 250 | """ |
244 | 251 | string = query |
245 | for tag in aInfo: | |
246 | string = string.replace('<' + tag + '>', str(aInfo[tag])) | |
252 | for tag, value in aInfo.iteritems(): | |
253 | value = str(value) # assure string | |
254 | if tag == 'matches': | |
255 | # That one needs to be escaped since its content is | |
256 | # out of our control | |
257 | value = Action.escapeTag(value) | |
258 | string = string.replace('<' + tag + '>', value) | |
247 | 259 | # New line |
248 | 260 | string = string.replace("<br>", '\n') |
249 | 261 | return string |
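Review bot: The character list in `escapeTag` (new line 234) escapes backslash, a set of shell metacharacters and newline, but neither the single nor the double quote, so a `<matches>` value substituted inside a quoted argument of an action command can still end that quoting. I would append both quote characters to the string literal (`...{}$\n\'"'`) and add a docstring stating that the function backslash-escapes characters special to the shell that runs the action command. The newline handling also deserves a comment: backslash-newline is a line continuation in unquoted or double-quoted shell context, so multi-line matches end up joined rather than kept as literal newlines. In `replaceTag` (new lines 252-258) only the `matches` tag is escaped, which is sufficient only if every other value in `aInfo` is validated before it gets here. That validation, the `replaceTag` signature and the rest of class `Action` are outside this section.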