rpms/dap-server/FC-5 dap-server-3.7.4-get_url.patch, NONE, 1.1 dap-server.spec, 1.12, 1.13

Patrice Dumas (pertusus) fedora-extras-commits at redhat.com
Mon Apr 30 22:28:06 UTC 2007


Author: pertusus

Update of /cvs/extras/rpms/dap-server/FC-5
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv29760

Modified Files:
	dap-server.spec 
Added Files:
	dap-server-3.7.4-get_url.patch 
Log Message:
* Mon Apr 30 2007  Patrice Dumas <pertusus at free.fr> 3.6.0-3
- fix security issue using the same patch as for 3.7.4


dap-server-3.7.4-get_url.patch:

--- NEW FILE dap-server-3.7.4-get_url.patch ---
--- dap-server-3.7.4/DODS_Dispatch.pm.get_url	2007-04-30 12:51:23.000000000 +0200
+++ dap-server-3.7.4/DODS_Dispatch.pm	2007-04-30 12:55:06.000000000 +0200
@@ -839,30 +839,21 @@
 
 # Private. Get the remote thing. The param $url should be scanned for shell
 # meta-characters.
+# modified as in http://www.opendap.org/server3-patch-04.27.2007.txt
 sub get_url {
     my $self = shift;
     my $url  = shift;
 
-    my $transfer = $self->curl() . " --silent " . $url . " |";
-    my $buf;
-    print( DBG_LOG "About to run curl: $transfer\n" ) if $debug > 1;
-
-    # Use the HTML error message format since this is only used via a web
-    # browser, never a client built with our library. 11/21/03 jhrg
-    open CURL, $transfer
-      or print_error_message(
-        $self, "Could not transfer $url: \n\
-Unable to open the transfer utility (curl).\n", 0 );
-    print( DBG_LOG "Back from curl\n" ) if $debug > 1;
-    my $offset = 0;
-    my $bytes;
-    while ( $bytes = read CURL, $buf, 20, $offset ) {
-        $offset += $bytes;
-    }
+    use CGI;
+    use LWP::Simple;
+    use FilterDirHTML;      # FilterDirHTML is a subclass of HTML::Filter
+
+    print(DBG_LOG "get_url: Getting the directory listing using: $url\n")
+       if $debug > 1;
 
-    close CURL;
+    my $directory_html = &get($url);
 
-    return $buf;
+    return $directory_html 
 }
 
 sub url_text {
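Review bot: `get($url)` in the new get_url will fetch any scheme LWP has a handler for, not only HTTP, so the change takes the shell out of the path but does not constrain what is fetched; if $url can be influenced by the request (the callers are outside this hunk), add a guard such as `return unless $url =~ m{\Ahttps?://}i;` before the call. LWP::Simple's get returns undef on failure, and the print_error_message call the old code made is gone, so a failed transfer now comes back as undef with no report; `defined $directory_html or print_error_message( $self, "Could not transfer $url\n", 0 );` would keep one. The header comment about scanning $url for shell meta-characters no longer describes the code, and `use CGI;` and `use FilterDirHTML;` are not used by the lines shown. The call is also better written `get($url)` than `&get($url)`, with a terminating semicolon on the return.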
--- dap-server-3.7.4/nph-dods.in.get_url	2007-04-30 12:46:52.000000000 +0200
+++ dap-server-3.7.4/nph-dods.in	2007-04-30 12:47:58.000000000 +0200
@@ -118,7 +118,7 @@
 # more information, go to the NASA ESIP Federation web site and search for
 # MODSter. 07/22/03 jhrg
 
-my $dodster    = is_dodster( $dispatch->filename() );
+my $dodster    = "";
 my $compressed = is_compressed( $dispatch->filename() );
 
 if ( $dodster || $compressed ) {
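Review bot: The hard-coded `my $dodster    = "";` switches the DODSter path off with no comment saying why, while the comment block above still describes the feature and `if ( $dodster || $compressed )` still tests the variable. A line such as `# DODSter handling disabled by server3-patch-04.27.2007; is_dodster() is intentionally not consulted.` would stop a later maintainer from restoring the call as an apparent bug fix. The body of the `if` lies outside this hunk, so any code there that branches on $dodster is presumably now dead and could be removed in a follow-up.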


Index: dap-server.spec
===================================================================
RCS file: /cvs/extras/rpms/dap-server/FC-5/dap-server.spec,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- dap-server.spec	3 Mar 2006 12:34:31 -0000	1.12
+++ dap-server.spec	30 Apr 2007 22:27:31 -0000	1.13
@@ -7,16 +7,18 @@
 Summary:         Basic request handling for OPeNDAP servers 
 Name:            dap-server
 Version:         3.6.0
-Release:         2%{?dist}
+Release:         3%{?dist}
 License:         LGPL
 Group:           System Environment/Daemons 
 Source0:         ftp://ftp.unidata.ucar.edu/pub/opendap/source/%{name}-%{version}.tar.gz
 URL:             http://www.opendap.org/
+Patch0:          dap-server-3.7.4-get_url.patch 
 
 BuildRoot:       %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires:   curl libdap-devel >= 3.6.0
 Requires:        curl webserver
 Requires:        perl perl(HTML::Filter) perl(Time::Local) perl(POSIX)
+Requires:        perl(CGI) perl(LWP::Simple)
 
 %description
 This is base software for the OPeNDAP (Open-source Project for a Network 
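Review bot: `Requires: curl` and `BuildRequires: curl` stay in place although the patch replaces the curl pipe in get_url with LWP::Simple. If nothing else in the 3.6.0 tree invokes curl, both may be droppable; if something does, that call site deserves the same scrutiny as get_url, since the patch touches only that one sub. The patch was also generated against dap-server-3.7.4 and is applied here to 3.6.0 by `%patch0 -p1 -b .get_url`, so it is worth confirming in the build log that both hunks apply without fuzz or offset surprises.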
@@ -42,6 +44,7 @@
 
 %prep 
 %setup -q
+%patch0 -p1 -b .get_url
 
 %build
 %configure --with-cgidir=%{dap_cgidir}
@@ -93,6 +96,9 @@
 
 
 %changelog
+* Mon Apr 30 2007  Patrice Dumas <pertusus at free.fr> 3.6.0-3
+- fix security issue using the same patch than for 3.7.4
+
 * Fri Mar  3 2006 Patrice Dumas <dumas at centre-cired.fr> 3.6.0-2
 - new release
 



