svn commit: r410998 - in head/graphics/jpgraph2: . files
Thomas Zander
riggs at FreeBSD.org
Sun Mar 13 16:19:29 UTC 2016
Author: riggs
Date: Sun Mar 13 16:19:27 2016
New Revision: 410998
URL: https://svnweb.freebsd.org/changeset/ports/410998
Log:
Fix cross site scripting vulnerability, bump PORTREVISION
Fix CVE-2009-4422: Multiple cross-site scripting (XSS) vulnerabilities in
the GetURLArguments function in jpgraph.php in Aditus Consulting JpGraph
3.0.6 allow remote attackers to inject arbitrary web script or HTML via a
key to csim_in_html_ex1.php, and other unspecified vectors.
Although the ports tree version is 3.0.7, this vulnerability has not been fixed.
The solution is taken from
http://www.securityfocus.com/archive/1/archive/1/508586/100/0/threaded
While at it:
- Fix typo in port creator's mail address
- Add LICENSE*
- Add NO_ARCH=yes (port only installs scripts)
PR: 207001
Submitted by: venture37 at geeklan.co.uk
MFH: 2016Q1
Security: CVE-2009-4422
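To make the log entry concrete, the following script is an added illustration, not JpGraph's own code or part of this commit. It reproduces the two query-string loops from Graph::GetURLArguments() before and after the patch (written with foreach rather than the original while/list/each, which PHP 8 no longer has), feeds them a constructed array standing in for $_GET whose parameter names carry the payload, and wraps the result in an <img src="..."> the way a CSIM page is assumed to embed it. The wrapper, the function names and the html_safe_fragment() check are all assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added illustration, not JpGraph's own code: the two builders below mirror the
// pre- and post-patch loops from Graph::GetURLArguments(). $request is
// constructed input standing in for $_GET; the <img> wrapper is an assumption
// about how a CSIM page embeds the result.

/** Pre-patch: only values are urlencode()d, keys are concatenated verbatim. */
function urlargs_unpatched(array $params): string
{
    $urlarg = '';
    foreach ($params as $key => $value) {
        if (is_array($value)) {
            foreach ($value as $k => $v) {
                $urlarg .= '&' . $key . '%5B' . $k . '%5D=' . urlencode((string) $v);
            }
        } else {
            $urlarg .= '&' . $key . '=' . urlencode((string) $value);
        }
    }
    return $urlarg;
}

/** Patched (r410998): keys and sub-keys are urlencode()d as well. */
function urlargs_patched(array $params): string
{
    $urlarg = '';
    foreach ($params as $key => $value) {
        if (is_array($value)) {
            foreach ($value as $k => $v) {
                $urlarg .= '&' . urlencode((string) $key) . '%5B' . urlencode((string) $k)
                         . '%5D=' . urlencode((string) $v);
            }
        } else {
            $urlarg .= '&' . urlencode((string) $key) . '=' . urlencode((string) $value);
        }
    }
    return $urlarg;
}

/** True if $s contains none of the characters that break out of an HTML attribute or tag. */
function html_safe_fragment(string $s): bool
{
    return strpbrk($s, "<>\"'") === false;
}

// Constructed attacker request. The payloads sit in parameter NAMES, which the
// original code never encoded. No dots or spaces are used because PHP rewrites
// those to underscores when it parses the query string into $_GET.
$request = [
    'width' => '400',
    '"><script>alert(1)</script>' => 'x',
    'data'  => [
        '0' => '10',
        '"><svg/onload=alert(2)>' => '20',
    ],
];

foreach (['unpatched' => urlargs_unpatched($request),
          'patched'   => urlargs_patched($request)] as $label => $args) {
    // Assumed embedding: the CSIM page writes the argument string into <img src="...">.
    $html = '<img src="graph.php?' . $args . '">';
    printf("%-9s safe=%s %s\n", $label, html_safe_fragment($args) ? 'yes' : 'no', $html);
}
```

Run with `php example.php`: the unpatched line prints `safe=no` and shows the raw `"><script>` closing the src attribute and the tag, while the patched line prints `safe=yes` with every metacharacter percent-encoded. The reason urlencode() is enough here, even though it is a URL encoder rather than an HTML escaper, is that it encodes every byte outside `[A-Za-z0-9-_.]`, so nothing that can terminate an attribute or open a tag survives into the markup.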
Added:
head/graphics/jpgraph2/files/
head/graphics/jpgraph2/files/patch-src_jpgraph.php (contents, props changed)
Modified:
head/graphics/jpgraph2/Makefile
Modified: head/graphics/jpgraph2/Makefile
==============================================================================
--- head/graphics/jpgraph2/Makefile Sun Mar 13 15:56:37 2016 (r410997)
+++ head/graphics/jpgraph2/Makefile Sun Mar 13 16:19:27 2016 (r410998)
@@ -1,8 +1,9 @@
-# Created by: Alex Dupre <ale at FreeBSD.org:
+# Created by: Alex Dupre <ale at FreeBSD.org>
# $FreeBSD$
PORTNAME= jpgraph
PORTVERSION= 3.0.7
+PORTREVISION= 1
CATEGORIES= graphics
MASTER_SITES= http://hem.bredband.net/jpgraph2/
PKGNAMESUFFIX= 2
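Review bot: the PORTREVISION bump is correct, since the patched src/jpgraph.php changes the installed package while PORTVERSION stays 3.0.7, and no distinfo change is needed because files/patch-src_jpgraph.php is applied by the ports framework after extraction rather than baked into the distfile fetched from the plain-http MASTER_SITES. The `Created by` fix also restores the closing `>` that the original `<ale at FreeBSD.org:` line lacked.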
@@ -10,7 +11,13 @@ PKGNAMESUFFIX= 2
MAINTAINER= ports at FreeBSD.org
COMMENT= Draw both "quick and dirty" graphs with a minimum of code
+LICENSE= jpgraph
+LICENSE_NAME= JpGraph license
+LICENSE_FILE= ${WRKSRC}/README
+LICENSE_PERMS= dist-mirror pkg-mirror auto-accept
+
USES= tar:bzip2
+NO_ARCH= yes
NO_BUILD= yes
NO_WRKSUBDIR= yes
USE_PHP= gd
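Review bot: LICENSE_PERMS `dist-mirror pkg-mirror auto-accept` asserts that the distfile and package may be redistributed without user acceptance, and LICENSE_FILE points at ${WRKSRC}/README rather than a dedicated license file; before landing a custom `LICENSE= jpgraph` with those permissions, confirm that the README actually carries the license text and grants redistribution, otherwise narrow LICENSE_PERMS. NO_ARCH=yes is consistent with NO_BUILD=yes and USE_PHP=gd, since the port installs only PHP scripts.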
Added: head/graphics/jpgraph2/files/patch-src_jpgraph.php
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/graphics/jpgraph2/files/patch-src_jpgraph.php Sun Mar 13 16:19:27 2016 (r410998)
@@ -0,0 +1,30 @@
+--- src/jpgraph.php.orig 2016-02-07 15:28:23 UTC
++++ src/jpgraph.php
+@@ -1286,11 +1286,11 @@ class Graph {
+ while( list($key,$value) = each($_GET) ) {
+ if( is_array($value) ) {
+ foreach ( $value as $k => $v ) {
+- $urlarg .= '&'.$key.'%5B'.$k.'%5D='.urlencode($v);
++ $urlarg .= '&'.urlencode($key).'%5B'.urlencode($k).'%5D='.urlencode($v);
+ }
+ }
+ else {
+- $urlarg .= '&'.$key.'='.urlencode($value);
++ $urlarg .= '&'.urlencode($key).'='.urlencode($value);
+ }
+ }
+
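Review bot: encoding `$key` and `$k` closes the hole for this loop, because urlencode() percent-encodes every byte outside `[A-Za-z0-9-_.]`, so `<`, `>`, `"`, `'` and `&` from a crafted parameter name can no longer reach the HTML the string is later written into, and the literal `%5B`/`%5D` brackets are left as they were. One limit worth stating in the log: the loop only descends one level, so a nested array value (`a[b][c]=...`) still reaches urlencode($v) as an array and yields the string `Array` plus a notice; that is pre-existing behaviour, not a regression, but the fix is scoped to the depth the loop handles. The `while( list($key,$value) = each($_GET) )` form is deprecated from PHP 7.2 and removed in 8.0, which matters for anyone carrying this patch forward, although it is out of scope for a security backport.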
+@@ -1301,11 +1301,11 @@ class Graph {
+ while( list($key,$value) = each($_POST) ) {
+ if( is_array($value) ) {
+ foreach ( $value as $k => $v ) {
+- $urlarg .= '&'.$key.'%5B'.$k.'%5D='.urlencode($v);
++ $urlarg .= '&'.urlencode($key).'%5B'.urlencode($k).'%5D='.urlencode($v);
+ }
+ }
+ else {
+- $urlarg .= '&'.$key.'='.urlencode($value);
++ $urlarg .= '&'.urlencode($key).'='.urlencode($value);
+ }
+ }
+
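Review bot: this hunk is a line-for-line copy of the `$_GET` loop above with `$_POST` substituted, and that duplication is what makes partial fixes likely, since anyone patching one loop has to remember the other; suggest collapsing both into a single pass, e.g. `foreach (array($_GET, $_POST) as $src) { ... }`, so the key encoding lives in one place. `$_POST` keys are as attacker-controlled as `$_GET` keys, so applying the same urlencode() to `$key` and `$k` here is required rather than optional; a fix that touched only the first loop would leave the POST path open.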
More information about the svn-ports-all mailing list