From 2fa8fd4d3b3ac4fd6f7264fa6fede5e9d183669a Mon Sep 17 00:00:00 2001
From: Aurelien Bompard
Date: Dec 06 2008 09:32:21 +0000
Subject: - Use Debian's patch for CVE-2008-3714 (rh#474396)
---
diff --git a/awstats-6.8-CVE-2008-3714-debian.patch b/awstats-6.8-CVE-2008-3714-debian.patch
new file mode 100644
index 0000000..9111eb3
--- /dev/null
+++ b/awstats-6.8-CVE-2008-3714-debian.patch
@@ -0,0 +1,11 @@
+diff -up ./wwwroot/cgi-bin/awstats.pl.CVE-2008-3714 ./wwwroot/cgi-bin/awstats.pl
+--- ./wwwroot/cgi-bin/awstats.pl.CVE-2008-3714 2008-12-06 10:19:42.000000000 +0100
++++ ./wwwroot/cgi-bin/awstats.pl 2008-12-06 10:21:01.000000000 +0100
+@@ -4407,6 +4407,7 @@ sub DecodeEncodedString {
+ my $stringtodecode=shift;
+ $stringtodecode =~ tr/\+/ /s;
+ $stringtodecode =~ s/%([A-F0-9][A-F0-9])/pack("C", hex($1))/ieg;
++ $stringtodecode =~ s/["']//g;
+ return $stringtodecode;
+ }
+
diff --git a/awstats-6.8-CVE-2008-3714.patch b/awstats-6.8-CVE-2008-3714.patch
deleted file mode 100644
index 3de2f54..0000000
--- a/awstats-6.8-CVE-2008-3714.patch
+++ /dev/null
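Review bot: The added `$stringtodecode =~ s/["']//g;` in DecodeEncodedString strips quote characters from every percent-decoded CGI value, whether or not that value ever lands in an HTML attribute, so the fix is a blocklist in the input decoder rather than escaping at the point of output. It closes the attribute break-out only for `"` and `'`; `<`, `>` and `&` pass through here, and whether CleanXSS or another caller covers them for every use of a decoded value cannot be confirmed from this hunk. Because the stripping runs once after the single `%XX` decode, an input like `%2522` survives as `%22` and would turn into a quote if any later code decodes again — presumably it does not, but worth checking. I would at least state the intent above the new line: `# CVE-2008-3714: drop quote characters so a decoded value cannot break out of a quoted HTML attribute (blocklist; HTML-escaping at output time would be the more robust fix)`.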
@@ -1,43 +0,0 @@
---- awstats.pl 2008/04/21 21:13:28 1.910
--+++ awstats.pl 2008/07/27 17:44:11 1.912
-@@ -6,7 +6,7 @@
- # line or a browser to read report results.
- # See AWStats documentation (in docs/ directory) for all setup instructions.
- #------------------------------------------------------------------------------
--# $Revision: 1.910 $ - $Author: eldy $ - $Date: 2008/04/21 21:13:28 $
-+# $Revision: 1.912 $ - $Author: eldy $ - $Date: 2008/07/27 17:44:11 $
- require 5.005;
- 
- #$|=1;
-@@ -21,8 +21,8 @@
- # Defines
- #------------------------------------------------------------------------------
- use vars qw/ $REVISION $VERSION /;
--$REVISION='$Revision: 1.910 $'; $REVISION =~ /\s(.*)\s/; $REVISION=$1;
--$VERSION="6.8 (build $REVISION)";
-+$REVISION='$Revision: 1.912 $'; $REVISION =~ /\s(.*)\s/; $REVISION=$1;
-+$VERSION="6.9 (build $REVISION)";
- 
- # ----- Constants -----
- use vars qw/
-@@ -4406,6 +4406,7 @@
- sub DecodeEncodedString {
- my $stringtodecode=shift;
- $stringtodecode =~ tr/\+/ /s;
-+ $stringtodecode =~ s/%22//g;
- $stringtodecode =~ s/%([A-F0-9][A-F0-9])/pack("C", hex($1))/ieg;
- return $stringtodecode;
- }
-@@ -4458,9 +4459,12 @@
- #------------------------------------------------------------------------------
- sub CleanXSS {
- my $stringtoclean=shift;
-+ # To avoid html tags and javascript
- $stringtoclean =~ s//>/g;
- $stringtoclean =~ s/|//g;
-+ # To avoid onload="
-+ $stringtoclean =~ s/onload//g;
- return $stringtoclean;
- }
- 
diff --git a/awstats.spec b/awstats.spec
index 11815ca..0d72ace 100644
--- a/awstats.spec
+++ b/awstats.spec
@@ -1,6 +1,6 @@
 Name: awstats
 Version: 6.8
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: Advanced Web Statistics
 License: GPLv2
 Group: Applications/Internet
@@ -8,7 +8,7 @@ URL: http://awstats.sourceforge.net
 Source0: http://dl.sf.net/awstats/awstats-%{version}.tar.gz
 #Source0: http://awstats.sourceforge.net/files/awstats-6.6.tar.gz
 # http://awstats.cvs.sourceforge.net/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.910&r2=1.912&view=patch
-Patch0: awstats-6.8-CVE-2008-3714.patch
+Patch0: awstats-6.8-CVE-2008-3714-debian.patch
 BuildArch: noarch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -41,9 +41,7 @@ http://localhost/awstats/awstats.pl
 %prep
 %setup -q
-pushd wwwroot/cgi-bin/
 %patch0 -p0 -b .CVE-2008-3714
-popd
 # Fix style sheets.
 perl -pi -e 's,/icon,/awstatsicons,g' wwwroot/css/*
 # Fix some bad file permissions here for convenience.
@@ -163,6 +161,9 @@ fi
 %changelog
+* Sat Dec 06 2008 Aurelien Bompard 6.8-3
+- Use Debian's patch for CVE-2008-3714 (rh#474396)
+
 * Sat Aug 23 2008 Aurelien Bompard 6.8-2
 - Add upstream patch for CVE-2008-3714
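Review bot: The comment kept directly above the changed `Patch0:` line still points at the upstream CVS diff `awstats.pl?r1=1.910&r2=1.912&view=patch`, which is exactly the patch this commit stops applying, so the spec now records the wrong provenance for awstats-6.8-CVE-2008-3714-debian.patch. Replace it with the real origin, e.g. `# CVE-2008-3714 fix taken from Debian's awstats package, see rh#474396`, so the next updater can tell where the patch came from and whether upstream has since shipped an equivalent.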
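Review bot: With `pushd`/`popd` removed, `%patch0 -p0 -b .CVE-2008-3714` applies from the source root, which matches the `./wwwroot/cgi-bin/awstats.pl` paths in the Debian patch, but `-b` still leaves an unpatched copy of the CGI script at `wwwroot/cgi-bin/awstats.pl.CVE-2008-3714`. If %install (outside this hunk) copies wwwroot/ wholesale, that pre-fix copy ships alongside awstats.pl in the cgi-bin directory and may itself be reachable as a CGI. I would drop `-b .CVE-2008-3714` or add `rm -f wwwroot/cgi-bin/awstats.pl.CVE-2008-3714` right after the %patch0 line, and confirm the installed file list does not include it.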