github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

Folding debian/patches into .diff.gz since we are still at 1.0 pkg source format in wheezy

pull/757/head debian/0.8.6-3wheezy1
Yaroslav Halchenko 2012-12-24 12:44:24 -05:00
parent 1eb6f9d0aa
commit 684bf81557
7 changed files with 21 additions and 82 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
debian/changelog vendored
View File

@ -2,6 +2,8 @@ fail2ban (0.8.6-3wheezy1) unstable; urgency=high
* CVE-2012-5642: Escape the content of <matches> since its value could * CVE-2012-5642: Escape the content of <matches> since its value could
contain arbitrary symbols (Closes: #696184) contain arbitrary symbols (Closes: #696184)
* Since package source format remained 1.0, manpages patch
(deb_manpages_reportbug) was not applied -- fold it into .diff.gz
-- Yaroslav Halchenko <debian@onerussian.com> Mon, 17 Dec 2012 13:19:32 -0500 -- Yaroslav Halchenko <debian@onerussian.com> Mon, 17 Dec 2012 13:19:32 -0500

28
debian/patches/deb_manpages_reportbug vendored
View File

@ -1,28 +0,0 @@
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Fri, 8 Feb 2008 00:40:57 -0500
Subject: tune ups in upstream manpages to direct users to use reportbug
--- a/man/fail2ban-client.1
+++ b/man/fail2ban-client.1
@@ -251,7 +251,8 @@ action <ACT> for <JAIL>
Written by Cyril Jaquier <cyril.jaquier@fail2ban.org>.
Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>.
.SH "REPORTING BUGS"
-Report bugs to <cyril.jaquier@fail2ban.org>
+Please report bugs via Debian bug tracking system
+http://www.debian.org/Bugs/.
.SH COPYRIGHT
Copyright \(co 2004-2008 Cyril Jaquier
.br
--- a/man/fail2ban-server.1
+++ b/man/fail2ban-server.1
@@ -35,7 +35,8 @@ print the version
Written by Cyril Jaquier <cyril.jaquier@fail2ban.org>.
Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>.
.SH "REPORTING BUGS"
-Report bugs to <cyril.jaquier@fail2ban.org>
+Please report bugs via Debian bug tracking system
+http://www.debian.org/Bugs/.
.SH COPYRIGHT
Copyright \(co 2004-2008 Cyril Jaquier
.br

2
debian/patches/series vendored
View File

@ -1,2 +0,0 @@
up_escape-the-content-of-matches.patch
deb_manpages_reportbug

47
debian/patches/up_escape-the-content-of-matches.patch vendored
View File

@ -1,47 +0,0 @@
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Mon, 8 Oct 2012 22:14:51 -0400
Subject: [PATCH] BF: escape the content of <matches> since its value could contain arbitrary symbols
Contains two commits 83109bce144f443a48ef31165a5389b7b83f4e0e and 09355663f7a3c0409e08efdebf98b1bbf47d1d9c
Bug-Debian: http://bugs.debian.org/696184
Origin: upstream
---
server/action.py | 18 +++++++++++++++---
1 file changed, 15 insertions(+), 3 deletions(-)
--- a/server/action.py
+++ b/server/action.py
@@ -230,7 +230,14 @@ class Action:
def execActionStop(self):
stopCmd = Action.replaceTag(self.__actionStop, self.__cInfo)
return Action.executeCmd(stopCmd)
-
+
+ def escapeTag(tag):
+ for c in '\\#&;`|*?~<>^()[]{}$\n':
+ if c in tag:
+ tag = tag.replace(c, '\\' + c)
+ return tag
+ escapeTag = staticmethod(escapeTag)
+
##
# Replaces tags in query with property values in aInfo.
#
@@ -243,8 +250,13 @@ class Action:
""" Replace tags in query
"""
string = query
- for tag in aInfo:
- string = string.replace('<' + tag + '>', str(aInfo[tag]))
+ for tag, value in aInfo.iteritems():
+ value = str(value) # assure string
+ if tag == 'matches':
+ # That one needs to be escaped since its content is
+ # out of our control
+ value = Action.escapeTag(value)
+ string = string.replace('<' + tag + '>', value)
# New line
string = string.replace("<br>", '\n')
return string

3
man/fail2ban-client.1
View File

@ -251,7 +251,8 @@ action <ACT> for <JAIL>
Written by Cyril Jaquier <cyril.jaquier@fail2ban.org>. Written by Cyril Jaquier <cyril.jaquier@fail2ban.org>.
Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>. Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>.
.SH "REPORTING BUGS" .SH "REPORTING BUGS"
Report bugs to <cyril.jaquier@fail2ban.org> Please report bugs via Debian bug tracking system
http://www.debian.org/Bugs/.
.SH COPYRIGHT .SH COPYRIGHT
Copyright \(co 2004-2008 Cyril Jaquier Copyright \(co 2004-2008 Cyril Jaquier
.br .br

3
man/fail2ban-server.1
View File

@ -35,7 +35,8 @@ print the version
Written by Cyril Jaquier <cyril.jaquier@fail2ban.org>. Written by Cyril Jaquier <cyril.jaquier@fail2ban.org>.
Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>. Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>.
.SH "REPORTING BUGS" .SH "REPORTING BUGS"
Report bugs to <cyril.jaquier@fail2ban.org> Please report bugs via Debian bug tracking system
http://www.debian.org/Bugs/.
.SH COPYRIGHT .SH COPYRIGHT
Copyright \(co 2004-2008 Cyril Jaquier Copyright \(co 2004-2008 Cyril Jaquier
.br .br

16
server/action.py
View File

@ -231,6 +231,13 @@ class Action:
stopCmd = Action.replaceTag(self.__actionStop, self.__cInfo) stopCmd = Action.replaceTag(self.__actionStop, self.__cInfo)
return Action.executeCmd(stopCmd) return Action.executeCmd(stopCmd)
def escapeTag(tag):
for c in '\\#&;`|*?~<>^()[]{}$\n':
if c in tag:
tag = tag.replace(c, '\\' + c)
return tag
escapeTag = staticmethod(escapeTag)
## ##
# Replaces tags in query with property values in aInfo. # Replaces tags in query with property values in aInfo.
# #
@ -243,8 +250,13 @@ class Action:
""" Replace tags in query """ Replace tags in query
""" """
string = query string = query
for tag in aInfo: for tag, value in aInfo.iteritems():
string = string.replace('<' + tag + '>', str(aInfo[tag])) value = str(value) # assure string
if tag == 'matches':
# That one needs to be escaped since its content is
# out of our control
value = Action.escapeTag(value)
string = string.replace('<' + tag + '>', value)
# New line # New line
string = string.replace("<br>", '\n') string = string.replace("<br>", '\n')
return string return string