[zabbix/f13/master] * Wed Aug 11 2010 Dan Horák <dan[at]danny.cz> - 1.8.2-2 - added patch for XSS in triggers page (#62
Dan Horák
sharkcz at fedoraproject.org
Wed Aug 11 09:12:24 UTC 2010
commit ef91193b1031645eddc5db944df4568b614fed95
Author: Dan Horák <dan at danny.cz>
Date: Wed Aug 11 11:12:21 2010 +0200
* Wed Aug 11 2010 Dan Horák <dan[at]danny.cz> - 1.8.2-2
- added patch for XSS in triggers page (#620809, ZBX-2326)
zabbix-1.8.2-zbx-2326.patch | 53 +++++++++++++++++++++++++++++++++++++++++++
zabbix.spec | 8 +++++-
2 files changed, 60 insertions(+), 1 deletions(-)
---
diff --git a/zabbix-1.8.2-zbx-2326.patch b/zabbix-1.8.2-zbx-2326.patch
new file mode 100644
index 0000000..4588b8b
--- /dev/null
+++ b/zabbix-1.8.2-zbx-2326.patch
@@ -0,0 +1,53 @@
+diff -up zabbix-1.8.2/frontends/php/js/class.curl.js.orig zabbix-1.8.2/frontends/php/js/class.curl.js
+--- zabbix-1.8.2/frontends/php/js/class.curl.js.orig 2010-03-29 19:22:44.000000000 +0200
++++ zabbix-1.8.2/frontends/php/js/class.curl.js 2010-08-11 09:32:21.000000000 +0200
+@@ -114,13 +114,13 @@ initialize: function(url){
+ formatQuery: function(){
+ if(this.args.lenght < 1) return;
+
+- var query = '';
++ var query = new Array();
+ for(var key in this.args){
+ if((typeof(this.args[key]) != 'undefined') && !is_null(this.args[key])){
+- query+=key+'='+this.args[key]+'&';
++ query.push(key+'='+encodeURIComponent(this.args[key]));
+ }
+ }
+- this.query = query.substring(0,query.length-1);
++ this.query = query.join('&');
+ },
+
+ formatArguments: function(){
+@@ -131,7 +131,7 @@ formatArguments: function(){
+
+ for(var i=0; i<args.length; i++){
+ keyval = args[i].split('=');
+- this.args[keyval[0]] = (keyval.length>1)?keyval[1]:'';
++ this.args[keyval[0]] = keyval.length > 1 ? decodeURIComponent(keyval[1]):'';
+ }
+ },
+
+@@ -157,15 +157,14 @@ getArguments: function(){
+ getUrl: function(){
+ this.formatQuery();
+
+- var url = (this.protocol.length > 0)?(this.protocol+'://'):'';
+- url += encodeURI((this.username.length > 0)?(this.username):'');
+- url += encodeURI((this.password.length > 0)?(':'+this.password):'');
+- url += (this.host.length > 0)?(this.host):'';
+- url += (this.port.length > 0)?(':'+this.port):'';
+- url += encodeURI((this.path.length > 0)?(this.path):'');
+- url += encodeURI((this.query.length > 0)?('?'+this.query):'');
+- url += encodeURI((this.reference.length > 0)?('#'+this.reference):'');
+-//alert(url);
++ var url = this.protocol.length > 0 ? this.protocol+'://':'';
++ url += this.username.length > 0 ? encodeURI(this.username):'';
++ url += this.password.length > 0 ? encodeURI(':'+this.password):'';
++ url += this.host.length > 0 ? this.host:'';
++ url += this.port.length > 0 ? ':'+this.port:'';
++ url += this.path.length > 0 ? encodeURI(this.path):'';
++ url += this.query.length > 0 ? '?'+this.query:'';
++ url += this.reference.length > 0 ? encodeURI('#'+this.reference):'';
+ return url;
+ },
+
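Review bot: Parameter names are still written and read raw: the new formatQuery line encodes only the value (`key+'='+encodeURIComponent(this.args[key])`) and formatArguments keeps `keyval[0]` undecoded, so a name containing `<`, `>` or `"` is no longer escaped at all now that getUrl has dropped the outer `encodeURI` on the query. Encoding both sides, `query.push(encodeURIComponent(key)+'='+encodeURIComponent(this.args[key]));` with a matching `decodeURIComponent(keyval[0])` on parse, would close that gap. Separately, `decodeURIComponent(keyval[1])` throws a URIError on a malformed percent sequence, so wrapping it in a try/catch that falls back to the raw value would keep one bad parameter from aborting formatArguments. Whether parameter names ever reach an HTML sink is not visible here, and the start of formatArguments lies outside the hunk.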
diff --git a/zabbix.spec b/zabbix.spec
index e92aed8..1a6a86e 100644
--- a/zabbix.spec
+++ b/zabbix.spec
@@ -7,7 +7,7 @@
Name: zabbix
Version: 1.8.2
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: Open-source monitoring solution for your IT infrastructure
Group: Applications/Internet
@@ -23,6 +23,8 @@ Source5: zabbix-logrotate.in
Patch0: zabbix-1.8.2-config.patch
# close fd on exec - https://bugzilla.redhat.com/show_bug.cgi?id=559221
Patch1: zabbix-1.8.1-cloexec.patch
+# backported patch for https://support.zabbix.com/browse/ZBX-2326
+Patch2: zabbix-1.8.2-zbx-2326.patch
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -244,6 +246,7 @@ Zabbix web frontend for SQLite
%setup0 -q
%patch0 -p1
%patch1 -p1 -b .cloexec
+%patch2 -p1
# remove included fonts
rm -rf frontends/php/fonts
@@ -577,6 +580,9 @@ fi
%changelog
+* Wed Aug 11 2010 Dan Horák <dan[at]danny.cz> - 1.8.2-2
+- added patch for XSS in triggers page (#620809, ZBX-2326)
+
* Tue Mar 30 2010 Dan Horák <dan[at]danny.cz> - 1.8.2-1
- Update to 1.8.2