rpms/dap-server/FC-5 dap-server-3.7.4-get_url.patch, NONE, 1.1 dap-server.spec, 1.12, 1.13
Patrice Dumas (pertusus)
fedora-extras-commits at redhat.com
Mon Apr 30 22:28:06 UTC 2007
Author: pertusus
Update of /cvs/extras/rpms/dap-server/FC-5
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv29760
Modified Files:
dap-server.spec
Added Files:
dap-server-3.7.4-get_url.patch
Log Message:
* Mon Apr 30 2007 Patrice Dumas <pertusus at free.fr> 3.6.0-3
- fix security issue using the same patch than for 3.7.4
dap-server-3.7.4-get_url.patch:
--- NEW FILE dap-server-3.7.4-get_url.patch ---
--- dap-server-3.7.4/DODS_Dispatch.pm.get_url 2007-04-30 12:51:23.000000000 +0200
+++ dap-server-3.7.4/DODS_Dispatch.pm 2007-04-30 12:55:06.000000000 +0200
@@ -839,30 +839,21 @@
# Private. Get the remote thing. The param $url should be scanned for shell
# meta-characters.
+# modified as in http://www.opendap.org/server3-patch-04.27.2007.txt
sub get_url {
my $self = shift;
my $url = shift;
- my $transfer = $self->curl() . " --silent " . $url . " |";
- my $buf;
- print( DBG_LOG "About to run curl: $transfer\n" ) if $debug > 1;
-
- # Use the HTML error message format since this is only used via a web
- # browser, never a client built with our library. 11/21/03 jhrg
- open CURL, $transfer
- or print_error_message(
- $self, "Could not transfer $url: \n\
-Unable to open the transfer utility (curl).\n", 0 );
- print( DBG_LOG "Back from curl\n" ) if $debug > 1;
- my $offset = 0;
- my $bytes;
- while ( $bytes = read CURL, $buf, 20, $offset ) {
- $offset += $bytes;
- }
+ use CGI;
+ use LWP::Simple;
+ use FilterDirHTML; # FilterDirHTML is a subclass of HTML::Filter
+
+ print(DBG_LOG "get_url: Getting the directory listing using: $url\n")
+ if $debug > 1;
- close CURL;
+ my $directory_html = &get($url);
- return $buf;
+ return $directory_html
}
sub url_text {
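Review bot: The new `get($url)` call in get_url has no failure check and no scheme restriction. LWP::Simple's get returns undef when the fetch fails, so callers now receive undef where the old code reported a failure through print_error_message; a line such as `defined $directory_html or print_error_message( $self, "Could not transfer $url", 0 );` would keep that behaviour, assuming print_error_message is still defined in this file. LWP also handles non-HTTP schemes such as file:, so if $url can be influenced by the request it is worth rejecting anything that does not match `m{\Ahttps?://}i` before the call. The header comment still says $url should be scanned for shell meta-characters, which no longer describes the risk now that no shell is involved, and `return $directory_html` is missing its semicolon.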
--- dap-server-3.7.4/nph-dods.in.get_url 2007-04-30 12:46:52.000000000 +0200
+++ dap-server-3.7.4/nph-dods.in 2007-04-30 12:47:58.000000000 +0200
@@ -118,7 +118,7 @@
# more information, go to the NASA ESIP Federation web site and search for
# MODSter. 07/22/03 jhrg
-my $dodster = is_dodster( $dispatch->filename() );
+my $dodster = "";
my $compressed = is_compressed( $dispatch->filename() );
if ( $dodster || $compressed ) {
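Review bot: The assignment `my $dodster = "";` switches the DODSter branch off without saying why, and the comment block above it still describes the feature as if it were live. A comment such as `# DODSter handling disabled by the 04.27.2007 security patch; $dodster is always false` would stop a later maintainer from restoring the is_dodster() call without knowing why it was removed. The `if ( $dodster || $compressed )` block continues outside the hunk, so whether it now contains unreachable DODSter-only code cannot be checked from here.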
Index: dap-server.spec
===================================================================
RCS file: /cvs/extras/rpms/dap-server/FC-5/dap-server.spec,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- dap-server.spec 3 Mar 2006 12:34:31 -0000 1.12
+++ dap-server.spec 30 Apr 2007 22:27:31 -0000 1.13
@@ -7,16 +7,18 @@
Summary: Basic request handling for OPeNDAP servers
Name: dap-server
Version: 3.6.0
-Release: 2%{?dist}
+Release: 3%{?dist}
License: LGPL
Group: System Environment/Daemons
Source0: ftp://ftp.unidata.ucar.edu/pub/opendap/source/%{name}-%{version}.tar.gz
URL: http://www.opendap.org/
+Patch0: dap-server-3.7.4-get_url.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: curl libdap-devel >= 3.6.0
Requires: curl webserver
Requires: perl perl(HTML::Filter) perl(Time::Local) perl(POSIX)
+Requires: perl(CGI) perl(LWP::Simple)
%description
This is base software for the OPeNDAP (Open-source Project for a Network
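Review bot: Patch0 is added without a comment saying where it comes from, or that it was written against 3.7.4 while this package builds 3.6.0. A line above it such as `# Security fix for get_url, from http://www.opendap.org/server3-patch-04.27.2007.txt (3.7.4 patch applied to 3.6.0)` would record that for whoever rebases the package. Since the patched get_url no longer calls curl, it may also be worth checking whether `Requires: curl` is still needed; other code in the package may still use it.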
@@ -42,6 +44,7 @@
%prep
%setup -q
+%patch0 -p1 -b .get_url
%build
%configure --with-cgidir=%{dap_cgidir}
@@ -93,6 +96,9 @@
%changelog
+* Mon Apr 30 2007 Patrice Dumas <pertusus at free.fr> 3.6.0-3
+- fix security issue using the same patch than for 3.7.4
+
* Fri Mar 3 2006 Patrice Dumas <dumas at centre-cired.fr> 3.6.0-2
- new release