Fix cross site scripting vulnerability, bump PORTREVISION

Fix CVE-2009-4422: Multiple cross-site scripting (XSS) vulnerabilities in the GetURLArguments function in jpgraph.php in Aditus Consulting JpGraph 3.0.6 allow remote attackers to inject arbitrary web script or HTML via a key to csim_in_html_ex1.php, and other unspecified vectors. Despite ports tree version is 3.0.7, this vulnerability has not been fixed. The solution is taken from http://www.securityfocus.com/archive/1/archive/1/508586/100/0/threaded While on it: - Fix typo in port creator's mail address - Add LICENSE* - Add NO_ARCH=yes (port only installs scripts) PR: 207001 Submitted by: venture37@geeklan.co.uk MFH: 2016Q1 Security: CVE-2009-4422
svn path=/head/; revision=410998
2024-12-02 01:20:54 +00:00 · 2016-03-13 16:19:27 +00:00 · 2016-03-13 16:19:27 +00:00 · f923d51199 · 2021-03-31 03:12:20 +00:00
commit f923d51199
parent ae96710903
2 changed files with 38 additions and 1 deletions
--- a/graphics/jpgraph2/Makefile
+++ b/graphics/jpgraph2/Makefile
@ -1,8 +1,9 @@
-# Created by: Alex Dupre <ale@FreeBSD.org:
+# Created by: Alex Dupre <ale@FreeBSD.org>
 # $FreeBSD$

 PORTNAME=	jpgraph
 PORTVERSION=	3.0.7
+PORTREVISION=	1
 CATEGORIES=	graphics
 MASTER_SITES=	http://hem.bredband.net/jpgraph2/
 PKGNAMESUFFIX=	2
@ -10,7 +11,13 @@ PKGNAMESUFFIX=	2
 MAINTAINER=	ports@FreeBSD.org
 COMMENT=	Draw both "quick and dirty" graphs with a minimum of code

+LICENSE=	jpgraph
+LICENSE_NAME=	JpGraph license
+LICENSE_FILE=	${WRKSRC}/README
+LICENSE_PERMS=	dist-mirror pkg-mirror auto-accept
+
 USES=		tar:bzip2
+NO_ARCH=	yes
 NO_BUILD=	yes
 NO_WRKSUBDIR=	yes
 USE_PHP=	gd
--- a/graphics/jpgraph2/files/patch-src_jpgraph.php
+++ b/graphics/jpgraph2/files/patch-src_jpgraph.php
@ -0,0 +1,30 @@
+--- src/jpgraph.php.orig	2016-02-07 15:28:23 UTC
+++ src/jpgraph.php
+@@ -1286,11 +1286,11 @@ class Graph {
+         while( list($key,$value) = each($_GET) ) {
+             if( is_array($value) ) {
+                 foreach ( $value as $k => $v ) {
+-                    $urlarg .= '&amp;'.$key.'%5B'.$k.'%5D='.urlencode($v);
+                    $urlarg .= '&amp;'.urlencode($key).'%5B'.urlencode($k).'%5D='.urlencode($v);
+                 }
+             }
+             else {
+-                $urlarg .= '&amp;'.$key.'='.urlencode($value);
+                $urlarg .= '&amp;'.urlencode($key).'='.urlencode($value);
+             }
+         }
+ 
+@@ -1301,11 +1301,11 @@ class Graph {
+         while( list($key,$value) = each($_POST) ) {
+             if( is_array($value) ) {
+                 foreach ( $value as $k => $v ) {
+-                    $urlarg .= '&amp;'.$key.'%5B'.$k.'%5D='.urlencode($v);
+                    $urlarg .= '&amp;'.urlencode($key).'%5B'.urlencode($k).'%5D='.urlencode($v);
+                 }
+             }
+             else {
+-                $urlarg .= '&amp;'.$key.'='.urlencode($value);
+                $urlarg .= '&amp;'.urlencode($key).'='.urlencode($value);
+             }
+         }
+