[zabbix] * Wed Aug 11 2010 Dan Horák <dan[at]danny.cz> - 1.8.2-3 - added patch for XSS in triggers page (#62
Dan Horák
sharkcz at fedoraproject.org
Wed Aug 11 08:55:06 UTC 2010
commit 467c8877b969dd5e29dda96432a18e8fd6ba3ee9
Author: Dan Horák <dan at danny.cz>
Date: Wed Aug 11 10:55:03 2010 +0200
* Wed Aug 11 2010 Dan Horák <dan[at]danny.cz> - 1.8.2-3
- added patch for XSS in triggers page (#620809, ZBX-2326)
zabbix-1.8.2-zbx-2326.patch | 53 +++++++++++++++++++++++++++++++++++++++++++
zabbix.spec | 9 ++++++-
2 files changed, 61 insertions(+), 1 deletions(-)
---
diff --git a/zabbix-1.8.2-zbx-2326.patch b/zabbix-1.8.2-zbx-2326.patch
new file mode 100644
index 0000000..4588b8b
--- /dev/null
+++ b/zabbix-1.8.2-zbx-2326.patch
@@ -0,0 +1,53 @@
+diff -up zabbix-1.8.2/frontends/php/js/class.curl.js.orig zabbix-1.8.2/frontends/php/js/class.curl.js
+--- zabbix-1.8.2/frontends/php/js/class.curl.js.orig 2010-03-29 19:22:44.000000000 +0200
++++ zabbix-1.8.2/frontends/php/js/class.curl.js 2010-08-11 09:32:21.000000000 +0200
+@@ -114,13 +114,13 @@ initialize: function(url){
+ formatQuery: function(){
+ if(this.args.lenght < 1) return;
+
+- var query = '';
++ var query = new Array();
+ for(var key in this.args){
+ if((typeof(this.args[key]) != 'undefined') && !is_null(this.args[key])){
+- query+=key+'='+this.args[key]+'&';
++ query.push(key+'='+encodeURIComponent(this.args[key]));
+ }
+ }
+- this.query = query.substring(0,query.length-1);
++ this.query = query.join('&');
+ },
+
+ formatArguments: function(){
+@@ -131,7 +131,7 @@ formatArguments: function(){
+
+ for(var i=0; i<args.length; i++){
+ keyval = args[i].split('=');
+- this.args[keyval[0]] = (keyval.length>1)?keyval[1]:'';
++ this.args[keyval[0]] = keyval.length > 1 ? decodeURIComponent(keyval[1]):'';
+ }
+ },
+
+@@ -157,15 +157,14 @@ getArguments: function(){
+ getUrl: function(){
+ this.formatQuery();
+
+- var url = (this.protocol.length > 0)?(this.protocol+'://'):'';
+- url += encodeURI((this.username.length > 0)?(this.username):'');
+- url += encodeURI((this.password.length > 0)?(':'+this.password):'');
+- url += (this.host.length > 0)?(this.host):'';
+- url += (this.port.length > 0)?(':'+this.port):'';
+- url += encodeURI((this.path.length > 0)?(this.path):'');
+- url += encodeURI((this.query.length > 0)?('?'+this.query):'');
+- url += encodeURI((this.reference.length > 0)?('#'+this.reference):'');
+-//alert(url);
++ var url = this.protocol.length > 0 ? this.protocol+'://':'';
++ url += this.username.length > 0 ? encodeURI(this.username):'';
++ url += this.password.length > 0 ? encodeURI(':'+this.password):'';
++ url += this.host.length > 0 ? this.host:'';
++ url += this.port.length > 0 ? ':'+this.port:'';
++ url += this.path.length > 0 ? encodeURI(this.path):'';
++ url += this.query.length > 0 ? '?'+this.query:'';
++ url += this.reference.length > 0 ? encodeURI('#'+this.reference):'';
+ return url;
+ },
+
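Review bot: The new `decodeURIComponent(keyval[1])` in the formatArguments hunk throws a `URIError` on a malformed percent-sequence such as `?a=%E0%A4%A`, and since the arguments are presumably parsed from the page URL, a crafted link can now abort the script at parse time; guard it, e.g. `try { v = decodeURIComponent(keyval[1]); } catch (e) { v = keyval[1]; }` and assign `v`. The parameter name is still emitted raw in `query.push(key+'='+encodeURIComponent(this.args[key]))` while the `encodeURI()` wrapper around `'?'+this.query` was dropped in getUrl, so characters such as `<`, `>` or `"` in a key now reach the URL unencoded where before they were at least percent-encoded; encoding the key symmetrically (`encodeURIComponent(key)`, with a matching decode of `keyval[0]` in formatArguments) would close that gap. Separately, the `this.args.lenght < 1` guard kept as context in formatQuery is dead code (`undefined < 1` is false), which is worth fixing while the patch is being backported. The enclosing object literal that defines these three methods lies outside the hunk.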
diff --git a/zabbix.spec b/zabbix.spec
index 4f51166..568d3f5 100644
--- a/zabbix.spec
+++ b/zabbix.spec
@@ -7,7 +7,7 @@
Name: zabbix
Version: 1.8.2
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: Open-source monitoring solution for your IT infrastructure
Group: Applications/Internet
@@ -25,6 +25,8 @@ Patch0: zabbix-1.8.2-config.patch
Patch1: zabbix-1.8.1-cloexec.patch
# local rules for config files - fonts
Patch2: zabbix-1.8.2-fonts-config.patch
+# backported patch for https://support.zabbix.com/browse/ZBX-2326
+Patch3: zabbix-1.8.2-zbx-2326.patch
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -254,6 +256,8 @@ Zabbix web frontend for SQLite
%if 0%{?fedora} || 0%{?rhel} >= 6
%patch2 -p1
+%patch3 -p1
+
# remove included fonts
rm -rf frontends/php/fonts
%endif
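Review bot: The added `%patch3 -p1` sits inside the `%if 0%{?fedora} || 0%{?rhel} >= 6` block, so an EL5 build (where the fonts patch is skipped on purpose, per the 1.8.2-2 changelog entry) would not receive the ZBX-2326 XSS fix even though the changelog presents it as unconditional. Unless the PHP frontend is not built at all on EL5 — which the visible spec does not show — move `%patch3 -p1` below the `%endif` so it applies on every target, or add a comment stating why the security fix is conditional. The surrounding %prep section continues outside the hunk.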
@@ -587,6 +591,9 @@ fi
%changelog
+* Wed Aug 11 2010 Dan Horák <dan[at]danny.cz> - 1.8.2-3
+- added patch for XSS in triggers page (#620809, ZBX-2326)
+
* Thu Apr 29 2010 Dan Horák <dan[at]danny.cz> - 1.8.2-2
- DejaVu fonts doesn't exist on EL <= 5