author | Thomas Zander <riggs@FreeBSD.org> | 2016-03-14 06:13:15 +0000 |
---|---|---|
committer | Thomas Zander <riggs@FreeBSD.org> | 2016-03-14 06:13:15 +0000 |
commit | b739eeb73219c998c649dba96618aff7686749e2 (patch) | |
tree | ee0a0c9bebd7b1de62672d5901c9ae0c091a6b81 | |
parent | 85e83ef13bae1cb45b424f1861dc369cfd2d06d8 (diff) |
MFH: r410998
Fix cross site scripting vulnerability, bump PORTREVISION
Fix CVE-2009-4422: Multiple cross-site scripting (XSS) vulnerabilities in
the GetURLArguments function in jpgraph.php in Aditus Consulting JpGraph
3.0.6 allow remote attackers to inject arbitrary web script or HTML via a
key to csim_in_html_ex1.php, and other unspecified vectors.
Although the version in the ports tree is 3.0.7, this vulnerability has not been fixed there.
The solution is taken from
http://www.securityfocus.com/archive/1/archive/1/508586/100/0/threaded
While on it:
- Fix typo in port creator's mail address
- Add LICENSE*
- Add NO_ARCH=yes (port only installs scripts)
PR: 207001
Submitted by: venture37@geeklan.co.uk
Security: CVE-2009-4422
Approved by: ports-secteam (feld)
Notes:
svn path=/branches/2016Q1/; revision=411047
-rw-r--r-- | graphics/jpgraph2/Makefile | 9 | ||||
-rw-r--r-- | graphics/jpgraph2/files/patch-src_jpgraph.php | 30 |
2 files changed, 38 insertions, 1 deletions
diff --git a/graphics/jpgraph2/Makefile b/graphics/jpgraph2/Makefile
index 11ab65a97fdc..a0726f81dbfc 100644
--- a/graphics/jpgraph2/Makefile
+++ b/graphics/jpgraph2/Makefile
@@ -1,8 +1,9 @@
-# Created by: Alex Dupre <ale@FreeBSD.org:
+# Created by: Alex Dupre <ale@FreeBSD.org>
 # $FreeBSD$
 
 PORTNAME= jpgraph
 PORTVERSION= 3.0.7
+PORTREVISION= 1
 CATEGORIES= graphics
 MASTER_SITES= http://hem.bredband.net/jpgraph2/
 PKGNAMESUFFIX= 2
@@ -10,7 +11,13 @@ PKGNAMESUFFIX= 2
 MAINTAINER= ports@FreeBSD.org
 COMMENT= Draw both "quick and dirty" graphs with a minimum of code
 
+LICENSE= jpgraph
+LICENSE_NAME= JpGraph license
+LICENSE_FILE= ${WRKSRC}/README
+LICENSE_PERMS= dist-mirror pkg-mirror auto-accept
+
 USES= tar:bzip2
+NO_ARCH= yes
 NO_BUILD= yes
 NO_WRKSUBDIR= yes
 USE_PHP= gd
diff --git a/graphics/jpgraph2/files/patch-src_jpgraph.php b/graphics/jpgraph2/files/patch-src_jpgraph.php
new file mode 100644
index 000000000000..07b9b8c38b7c
--- /dev/null
+++ b/graphics/jpgraph2/files/patch-src_jpgraph.php
@@ -0,0 +1,30 @@
+--- src/jpgraph.php.orig 2016-02-07 15:28:23 UTC
++++ src/jpgraph.php
+@@ -1286,11 +1286,11 @@ class Graph {
+ while( list($key,$value) = each($_GET) ) {
+ if( is_array($value) ) {
+ foreach ( $value as $k => $v ) {
+- $urlarg .= '&'.$key.'%5B'.$k.'%5D='.urlencode($v);
++ $urlarg .= '&'.urlencode($key).'%5B'.urlencode($k).'%5D='.urlencode($v);
+ }
+ }
+ else {
+- $urlarg .= '&'.$key.'='.urlencode($value);
++ $urlarg .= '&'.urlencode($key).'='.urlencode($value);
+ }
+ }
+ 
+@@ -1301,11 +1301,11 @@ class Graph {
+ while( list($key,$value) = each($_POST) ) {
+ if( is_array($value) ) {
+ foreach ( $value as $k => $v ) {
+- $urlarg .= '&'.$key.'%5B'.$k.'%5D='.urlencode($v);
++ $urlarg .= '&'.urlencode($key).'%5B'.urlencode($k).'%5D='.urlencode($v);
+ }
+ }
+ else {
+- $urlarg .= '&'.$key.'='.urlencode($value);
++ $urlarg .= '&'.urlencode($key).'='.urlencode($value);
+ }
+ }
+ 
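Review bot: The percent-encoding added on the `++` lines of patch-src_jpgraph.php only reaches one level of array nesting: for a request such as `?a[b][c]=x`, `$v` on the `foreach ( $value as $k => $v )` line is itself an array, and `urlencode($v)` cannot encode it (older PHP warns and yields an empty value; newer releases throw a TypeError), so either a guard like `if (is_array($v)) continue;` or a recursive walk should sit in front of the concatenation. The same four-line fix is applied to two identical loops over `$_GET` and `$_POST`; a small private helper that takes the superglobal as an argument would keep the two copies from drifting apart the next time one is touched. Because this patch file is the only in-port record of the CVE, a leading line above `--- src/jpgraph.php.orig`, e.g. `# CVE-2009-4422: encode parameter names and array sub-keys, not only values, before they are reflected into the image URL`, would document why it exists (patch(1) skips text before the first header, though regenerating the patch with the ports tooling may drop it). The enclosing method, GetURLArguments per the commit message, starts and ends outside both hunks, so where `$urlarg` is ultimately emitted into HTML is not visible here and the attribute-context safety of the raw `&` separators is assumed rather than checked.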