Namazu-devel-ja(旧)
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: 2.0.8pre1 (Re: Namazu v2.0.7 にクロスサイトスクリプティング脆弱性)
- From: knok@xxxxxxxxxxxxx (NOKUBI Takatsugu)
- Date: Tue, 27 Nov 2001 17:16:10 JST
- X-ml-name: namazu-devel-ja
- X-mail-count: 02152
<200111270800.fAR80tF02895@xxxxxxxxxxxxxxxxxxxxxxxxxxx>の記事において
taca@xxxxxxxxxxxxxxxxxxxxxxさんは書きました。
>> 1.3系は、既に保守は終わっているのだと思いますが、できれば公式なパッチ
>> があると幸せになるところも多いのではないでしょうか。
とりあえず 1.3 用のパッチを書いてみました。チェックはしていませんの
で、どなたか試してみていただけると嬉しいです。
--
野首 貴嗣
E-mail: knok@xxxxxxxxxxxxx
knok@xxxxxxxxxx / knok@xxxxxxxxxx
diff -cr namazu-1.3.0.11/ChangeLog namazu-1.3.0.12/ChangeLog
*** namazu-1.3.0.11/ChangeLog Wed Jan 26 22:38:50 2000
--- namazu-1.3.0.12/ChangeLog Tue Nov 27 17:09:23 2001
***************
*** 4,10 ****
--- 4,16 ----
This file describes Namazu's change history. If you want to know
about major changes from previous version, please see
"manual.html#VERSIONDIFF".
+ v1.3.0.12
+ [2001-11-27]
+ * Fix a security hole in CGI mode which allows malicious person to
+ put any HTML tags or scripts in CGI form (cross-site scripting).
+ - [TAKAGI, Hiromitsu <takagi.hiromitsu@xxxxxxxxxx>] - report
+
v1.3.0.11
[2000-01-26]
diff -cr namazu-1.3.0.11/VERSION namazu-1.3.0.12/VERSION
*** namazu-1.3.0.11/VERSION Wed Jan 26 22:38:51 2000
--- namazu-1.3.0.12/VERSION Tue Nov 27 17:02:41 2001
***************
*** 1 ****
! namazu-1.3.0.11
--- 1 ----
! namazu-1.3.0.12
diff -cr namazu-1.3.0.11/src/messages.c namazu-1.3.0.12/src/messages.c
*** namazu-1.3.0.11/src/messages.c Wed Jan 26 22:38:51 2000
--- namazu-1.3.0.12/src/messages.c Tue Nov 27 17:04:10 2001
***************
*** 37,45 ****
#endif
/* information about Namazu */
! uchar *VERSION = "1.3.0.11";
uchar *COPYRIGHT =
! " Copyright (C) 1997-1999 Satoru Takabayashi All rights reserved.";
uchar *MSG_USAGE, *MSG_TOO_LONG_KEY, *MSG_TOO_MANY_KEYITEM,
*MSG_RESULT_HEADER, *MSG_NO_HIT, *MSG_HIT_1, *MSG_HIT_2,
--- 37,46 ----
#endif
/* information about Namazu */
! uchar *VERSION = "1.3.0.12";
uchar *COPYRIGHT =
! " Copyright (C) 1997-1999 Satoru Takabayashi All rights reserved.\n"
! " Copyright (C) 2001 Namazu Project All rights reserved.";
uchar *MSG_USAGE, *MSG_TOO_LONG_KEY, *MSG_TOO_MANY_KEYITEM,
*MSG_RESULT_HEADER, *MSG_NO_HIT, *MSG_HIT_1, *MSG_HIT_2,
diff -cr namazu-1.3.0.11/src/mknmz.pl namazu-1.3.0.12/src/mknmz.pl
*** namazu-1.3.0.11/src/mknmz.pl Wed Jan 26 22:38:51 2000
--- namazu-1.3.0.12/src/mknmz.pl Tue Nov 27 17:03:22 2001
***************
*** 1,7 ****
#!%OPT_PATH_PERL%
#
# mknmz.pl - indexer of Namazu
! # Version 1.3.0.11 [01/26/2000]
#
# Copyright (C) 1997-1999 Satoru Takabayashi All rights reserved.
# This is free software with ABSOLUTELY NO WARRANTY.
--- 1,7 ----
#!%OPT_PATH_PERL%
#
# mknmz.pl - indexer of Namazu
! # Version 1.3.0.12 [11/27/2001]
#
# Copyright (C) 1997-1999 Satoru Takabayashi All rights reserved.
# This is free software with ABSOLUTELY NO WARRANTY.
diff -cr namazu-1.3.0.11/src/output.c namazu-1.3.0.12/src/output.c
*** namazu-1.3.0.11/src/output.c Wed Jan 26 22:38:51 2000
--- namazu-1.3.0.12/src/output.c Tue Nov 27 17:01:22 2001
***************
*** 13,20 ****
if (!strncmp(qs, "whence=", 7)) {
printf("whence=%d", w);
for (qs += 7; isdigit(*qs); qs++);
! } else
! fputc(*(qs++), stdout);
}
}
--- 13,25 ----
if (!strncmp(qs, "whence=", 7)) {
printf("whence=%d", w);
for (qs += 7; isdigit(*qs); qs++);
! } else {
! if (*qs == '"') {
! fputs(""", stdout);
! } else {
! fputc(*qs, stdout);
! }
! qs ++;
}
}