From 171562d5c1821bdb5c2339831c8fe0322d51cf19 Mon Sep 17 00:00:00 2001 From: niels Date: Tue, 1 Feb 2005 09:36:44 +0000 Subject: Fixed directory traversal in file creation and fixed usage of insecure permissions. Approved by: nectar (mentor), maintainer VuXML: http://vuxml.freebsd.org/35f6093c-73c3-11d9-8a93-00065be4b5b6.html VuXML: http://vuxml.freebsd.org/cd7e260a-6bff-11d9-a5df-00065be4b5b6.html --- news/newsgrab/Makefile | 1 + news/newsgrab/files/patch-newsgrab.pl | 43 +++++++++++++++++++++++++++++++++++ 2 files changed, 44 insertions(+) create mode 100644 news/newsgrab/files/patch-newsgrab.pl (limited to 'news/newsgrab') diff --git a/news/newsgrab/Makefile b/news/newsgrab/Makefile index 6d4640bb4013..8782c888aaf4 100644 --- a/news/newsgrab/Makefile +++ b/news/newsgrab/Makefile @@ -7,6 +7,7 @@ PORTNAME= newsgrab PORTVERSION= 0.4.0 +PORTREVISION= 1 CATEGORIES= news MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR= newsgrab diff --git a/news/newsgrab/files/patch-newsgrab.pl b/news/newsgrab/files/patch-newsgrab.pl new file mode 100644 index 000000000000..2c4227a0949f --- /dev/null +++ b/news/newsgrab/files/patch-newsgrab.pl 
@@ -0,0 +1,43 @@
+--- newsgrab.pl.orig Wed Mar 26 14:07:11 2003
++++ newsgrab.pl Thu Jan 27 10:36:23 2005
+@@ -178,7 +178,7 @@
+ if ($input_outdir) {
+ # Create the directory for the files, if it doesn't exits.
+ if (! -e $input_outdir) {
+- if (!(mkdir $input_outdir, 0777)) {
++ if (!(mkdir $input_outdir, 0600)) {
+ stat_print "Unable to create output dir '$input_outdir'",
+ "ERROR";
+ exit 1;
+@@ -853,6 +853,7 @@
+ chomp;
+ if(/^begin\s*(\d*)\s*(.*)/) {
+ ($mode, $file) = ($1, $2);
++ $file =~ s/^.*\///g;
+ if (-e "$OUTDIR/$file") {
+ print STDERR "File: '$file' already exists. skipping\n";
+ undef $file;
+@@ -867,13 +868,8 @@
+ }
+ if (/^end/) {
+ close (OUT);
+- if (!($mode)) {
+- stat_print "No mode supplied for file", "Warning";
+- } elsif (!($file)) {
+- stat_print "No filename to chmod().. Wierd", "Error";
+- } else {
+- chmod oct($mode), "$OUTDIR/$file";
+- }
++
++ chmod 0600 , "$OUTDIR/$file";
+ # Set $file and $mode to undef, we have reached the end of this file
+ undef $file;
+ undef $mode;
+@@ -926,6 +922,7 @@
+ if(/ name=(.*)$/) {
+ $ydec_name = $1;
+ $ydec_name =~ s/\s+$//g; # Strip wierdo chars
++ $ydec_name =~ s/^.*\///g;
+ #print "Found attach ".$ydec_name." of size ".$ydec_size."\n";
+ } else {
+ print STDERR "Unknown attach name\n";
-- cgit
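Review bot: The new mode in the first inner hunk, `mkdir $input_outdir, 0600`, creates the output directory without the owner search (x) bit, so a non-root user cannot create or open files inside it afterwards; a private directory needs `mkdir $input_outdir, 0700`. In the `/^end/` hunk the new `chmod 0600 , "$OUTDIR/$file";` runs unconditionally and drops the old `!($file)` guard, yet the `begin` branch does `undef $file` when the target already exists. In that case the path would collapse to `"$OUTDIR/"` and the chmod would apply to the directory itself, so I would keep a guard such as `chmod 0600, "$OUTDIR/$file" if defined $file;`. The loop between `begin` and `end` lies outside the hunks, so the second point should be confirmed against the full newsgrab.pl.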