authorThomas Zander <riggs@FreeBSD.org>2016-03-14 06:13:15 +0000
committerThomas Zander <riggs@FreeBSD.org>2016-03-14 06:13:15 +0000
commitb739eeb73219c998c649dba96618aff7686749e2 (patch)
treeee0a0c9bebd7b1de62672d5901c9ae0c091a6b81
parent85e83ef13bae1cb45b424f1861dc369cfd2d06d8 (diff)
downloadports-b739eeb73219c998c649dba96618aff7686749e2.tar.gz
ports-b739eeb73219c998c649dba96618aff7686749e2.zip
MFH: r410998
Fix cross site scripting vulnerability, bump PORTREVISION Fix CVE-2009-4422: Multiple cross-site scripting (XSS) vulnerabilities in the GetURLArguments function in jpgraph.php in Aditus Consulting JpGraph 3.0.6 allow remote attackers to inject arbitrary web script or HTML via a key to csim_in_html_ex1.php, and other unspecified vectors. Although the ports tree version is 3.0.7, this vulnerability has not been fixed. The solution is taken from http://www.securityfocus.com/archive/1/archive/1/508586/100/0/threaded While on it: - Fix typo in port creator's mail address - Add LICENSE* - Add NO_ARCH=yes (port only installs scripts) PR: 207001 Submitted by: venture37@geeklan.co.uk Security: CVE-2009-4422 Approved by: ports-secteam (feld)
Notes
Notes: svn path=/branches/2016Q1/; revision=411047
-rw-r--r--graphics/jpgraph2/Makefile9
-rw-r--r--graphics/jpgraph2/files/patch-src_jpgraph.php30
2 files changed, 38 insertions, 1 deletions
diff --git a/graphics/jpgraph2/Makefile b/graphics/jpgraph2/Makefile
index 11ab65a97fdc..a0726f81dbfc 100644
--- a/graphics/jpgraph2/Makefile
+++ b/graphics/jpgraph2/Makefile
@@ -1,8 +1,9 @@
-# Created by: Alex Dupre <ale@FreeBSD.org:
+# Created by: Alex Dupre <ale@FreeBSD.org>
# $FreeBSD$
PORTNAME= jpgraph
PORTVERSION= 3.0.7
+PORTREVISION= 1
CATEGORIES= graphics
MASTER_SITES= http://hem.bredband.net/jpgraph2/
PKGNAMESUFFIX= 2
@@ -10,7 +11,13 @@ PKGNAMESUFFIX= 2
MAINTAINER= ports@FreeBSD.org
COMMENT= Draw both "quick and dirty" graphs with a minimum of code
+LICENSE= jpgraph
+LICENSE_NAME= JpGraph license
+LICENSE_FILE= ${WRKSRC}/README
+LICENSE_PERMS= dist-mirror pkg-mirror auto-accept
+
USES= tar:bzip2
+NO_ARCH= yes
NO_BUILD= yes
NO_WRKSUBDIR= yes
USE_PHP= gd
diff --git a/graphics/jpgraph2/files/patch-src_jpgraph.php b/graphics/jpgraph2/files/patch-src_jpgraph.php
new file mode 100644
index 000000000000..07b9b8c38b7c
--- /dev/null
+++ b/graphics/jpgraph2/files/patch-src_jpgraph.php
@@ -0,0 +1,30 @@
+--- src/jpgraph.php.orig 2016-02-07 15:28:23 UTC
++++ src/jpgraph.php
+@@ -1286,11 +1286,11 @@ class Graph {
+ while( list($key,$value) = each($_GET) ) {
+ if( is_array($value) ) {
+ foreach ( $value as $k => $v ) {
+- $urlarg .= '&amp;'.$key.'%5B'.$k.'%5D='.urlencode($v);
++ $urlarg .= '&amp;'.urlencode($key).'%5B'.urlencode($k).'%5D='.urlencode($v);
+ }
+ }
+ else {
+- $urlarg .= '&amp;'.$key.'='.urlencode($value);
++ $urlarg .= '&amp;'.urlencode($key).'='.urlencode($value);
+ }
+ }
+
+@@ -1301,11 +1301,11 @@ class Graph {
+ while( list($key,$value) = each($_POST) ) {
+ if( is_array($value) ) {
+ foreach ( $value as $k => $v ) {
+- $urlarg .= '&amp;'.$key.'%5B'.$k.'%5D='.urlencode($v);
++ $urlarg .= '&amp;'.urlencode($key).'%5B'.urlencode($k).'%5D='.urlencode($v);
+ }
+ }
+ else {
+- $urlarg .= '&amp;'.$key.'='.urlencode($value);
++ $urlarg .= '&amp;'.urlencode($key).'='.urlencode($value);
+ }
+ }
+
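Review bot: The new patch file carries no explanation of why it exists, so a maintainer updating the port later has to dig through the commit log to learn that the two `urlencode($key)` / `urlencode($k)` changes are the CVE-2009-4422 fix; a leading comment line before `--- src/jpgraph.php.orig`, e.g. `# Fix CVE-2009-4422 (XSS via unencoded request keys in GetURLArguments), PR 207001`, would keep that context with the file. The change itself is sound for both the `$_GET` and `$_POST` loops: `urlencode()` output contains only URL-safe characters, so the result is also safe to embed in the HTML attribute context the `&amp;` entity implies, and no additional `htmlspecialchars()` is needed. Note that the hunks start inside the function body (the `while( list($key,$value) = each(...) )` loops), so the function signature and its return are outside this view; the `each()` calls are upstream code the patch leaves untouched.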