mirror of https://github.com/fail2ban/fail2ban
Folding debian/patches into .diff.gz since we are still at 1.0 pkg source format in wheezy
parent
1eb6f9d0aa
commit
684bf81557
|
@ -2,6 +2,8 @@ fail2ban (0.8.6-3wheezy1) unstable; urgency=high
|
|||
|
||||
* CVE-2012-5642: Escape the content of <matches> since its value could
|
||||
contain arbitrary symbols (Closes: #696184)
|
||||
* Since package source format remained 1.0, manpages patch
|
||||
(deb_manpages_reportbug) was not applied -- fold it into .diff.gz
|
||||
|
||||
-- Yaroslav Halchenko <debian@onerussian.com> Mon, 17 Dec 2012 13:19:32 -0500
|
||||
|
||||
|
|
|
@ -1,28 +0,0 @@
|
|||
From: Yaroslav Halchenko <debian@onerussian.com>
|
||||
Date: Fri, 8 Feb 2008 00:40:57 -0500
|
||||
Subject: tune ups in upstream manpages to direct users to use reportbug
|
||||
|
||||
--- a/man/fail2ban-client.1
|
||||
+++ b/man/fail2ban-client.1
|
||||
@@ -251,7 +251,8 @@ action <ACT> for <JAIL>
|
||||
Written by Cyril Jaquier <cyril.jaquier@fail2ban.org>.
|
||||
Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>.
|
||||
.SH "REPORTING BUGS"
|
||||
-Report bugs to <cyril.jaquier@fail2ban.org>
|
||||
+Please report bugs via Debian bug tracking system
|
||||
+http://www.debian.org/Bugs/.
|
||||
.SH COPYRIGHT
|
||||
Copyright \(co 2004-2008 Cyril Jaquier
|
||||
.br
|
||||
--- a/man/fail2ban-server.1
|
||||
+++ b/man/fail2ban-server.1
|
||||
@@ -35,7 +35,8 @@ print the version
|
||||
Written by Cyril Jaquier <cyril.jaquier@fail2ban.org>.
|
||||
Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>.
|
||||
.SH "REPORTING BUGS"
|
||||
-Report bugs to <cyril.jaquier@fail2ban.org>
|
||||
+Please report bugs via Debian bug tracking system
|
||||
+http://www.debian.org/Bugs/.
|
||||
.SH COPYRIGHT
|
||||
Copyright \(co 2004-2008 Cyril Jaquier
|
||||
.br
|
|
@ -1,2 +0,0 @@
|
|||
up_escape-the-content-of-matches.patch
|
||||
deb_manpages_reportbug
|
|
@ -1,47 +0,0 @@
|
|||
From: Yaroslav Halchenko <debian@onerussian.com>
|
||||
Date: Mon, 8 Oct 2012 22:14:51 -0400
|
||||
Subject: [PATCH] BF: escape the content of <matches> since its value could contain arbitrary symbols
|
||||
|
||||
Contains two commits 83109bce144f443a48ef31165a5389b7b83f4e0e and 09355663f7a3c0409e08efdebf98b1bbf47d1d9c
|
||||
|
||||
Bug-Debian: http://bugs.debian.org/696184
|
||||
Origin: upstream
|
||||
|
||||
---
|
||||
server/action.py | 18 +++++++++++++++---
|
||||
1 file changed, 15 insertions(+), 3 deletions(-)
|
||||
|
||||
--- a/server/action.py
|
||||
+++ b/server/action.py
|
||||
@@ -230,7 +230,14 @@ class Action:
|
||||
def execActionStop(self):
|
||||
stopCmd = Action.replaceTag(self.__actionStop, self.__cInfo)
|
||||
return Action.executeCmd(stopCmd)
|
||||
-
|
||||
+
|
||||
+ def escapeTag(tag):
|
||||
+ for c in '\\#&;`|*?~<>^()[]{}$\n':
|
||||
+ if c in tag:
|
||||
+ tag = tag.replace(c, '\\' + c)
|
||||
+ return tag
|
||||
+ escapeTag = staticmethod(escapeTag)
|
||||
+
|
||||
##
|
||||
# Replaces tags in query with property values in aInfo.
|
||||
#
|
||||
@@ -243,8 +250,13 @@ class Action:
|
||||
""" Replace tags in query
|
||||
"""
|
||||
string = query
|
||||
- for tag in aInfo:
|
||||
- string = string.replace('<' + tag + '>', str(aInfo[tag]))
|
||||
+ for tag, value in aInfo.iteritems():
|
||||
+ value = str(value) # assure string
|
||||
+ if tag == 'matches':
|
||||
+ # That one needs to be escaped since its content is
|
||||
+ # out of our control
|
||||
+ value = Action.escapeTag(value)
|
||||
+ string = string.replace('<' + tag + '>', value)
|
||||
# New line
|
||||
string = string.replace("<br>", '\n')
|
||||
return string
|
|
@ -251,7 +251,8 @@ action <ACT> for <JAIL>
|
|||
Written by Cyril Jaquier <cyril.jaquier@fail2ban.org>.
|
||||
Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>.
|
||||
.SH "REPORTING BUGS"
|
||||
Report bugs to <cyril.jaquier@fail2ban.org>
|
||||
Please report bugs via Debian bug tracking system
|
||||
http://www.debian.org/Bugs/.
|
||||
.SH COPYRIGHT
|
||||
Copyright \(co 2004-2008 Cyril Jaquier
|
||||
.br
|
||||
|
|
|
@ -35,7 +35,8 @@ print the version
|
|||
Written by Cyril Jaquier <cyril.jaquier@fail2ban.org>.
|
||||
Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>.
|
||||
.SH "REPORTING BUGS"
|
||||
Report bugs to <cyril.jaquier@fail2ban.org>
|
||||
Please report bugs via Debian bug tracking system
|
||||
http://www.debian.org/Bugs/.
|
||||
.SH COPYRIGHT
|
||||
Copyright \(co 2004-2008 Cyril Jaquier
|
||||
.br
|
||||
|
|
|
@ -230,7 +230,14 @@ class Action:
|
|||
def execActionStop(self):
|
||||
stopCmd = Action.replaceTag(self.__actionStop, self.__cInfo)
|
||||
return Action.executeCmd(stopCmd)
|
||||
|
||||
|
||||
def escapeTag(tag):
|
||||
for c in '\\#&;`|*?~<>^()[]{}$\n':
|
||||
if c in tag:
|
||||
tag = tag.replace(c, '\\' + c)
|
||||
return tag
|
||||
escapeTag = staticmethod(escapeTag)
|
||||
|
||||
##
|
||||
# Replaces tags in query with property values in aInfo.
|
||||
#
|
||||
|
@ -243,8 +250,13 @@ class Action:
|
|||
""" Replace tags in query
|
||||
"""
|
||||
string = query
|
||||
for tag in aInfo:
|
||||
string = string.replace('<' + tag + '>', str(aInfo[tag]))
|
||||
for tag, value in aInfo.iteritems():
|
||||
value = str(value) # assure string
|
||||
if tag == 'matches':
|
||||
# That one needs to be escaped since its content is
|
||||
# out of our control
|
||||
value = Action.escapeTag(value)
|
||||
string = string.replace('<' + tag + '>', value)
|
||||
# New line
|
||||
string = string.replace("<br>", '\n')
|
||||
return string
|
||||
|
|
Loading…
Reference in New Issue