cvs commit: ports/www Makefile
ports/www/rubygem-cgi_multipart_eof_fix Makefile distinfo pkg-descr
Philip M. Gollucci
pgollucci at FreeBSD.org
Wed Dec 8 19:18:29 UTC 2010
pgollucci 2010-12-08 19:18:29 UTC
FreeBSD ports repository
Modified files:
www Makefile
Added files:
www/rubygem-cgi_multipart_eof_fix Makefile distinfo pkg-descr
Log:
Fixes an exploitable bug in CGI multipart parsing which affects Ruby <= 1.8.5.
When multipart boundary attributes contain non-halting regular
expression strings, the boundary searcher in the CGI module does not properly
escape the parameter and will execute arbitrary regular expressions.
This fix adds escaping for the user data.
* Affected application servers: standalone CGI, Mongrel, WEBrick
* Unaffected: FastCGI, Ruby 1.8.6 (all servers)
* Unknown: mod_ruby
This fix will not modify versions of Ruby greater than 1.8.5, and is
cumulative with previous CGI multipart vulnerability fixes.
WWW: http://blog.evanweaver.com/#cgi_multipart_eof_fix
Revision Changes Path
1.2772 +1 -0 ports/www/Makefile
1.1 +19 -0 ports/www/rubygem-cgi_multipart_eof_fix/Makefile (new)
1.1 +2 -0 ports/www/rubygem-cgi_multipart_eof_fix/distinfo (new)
1.1 +14 -0 ports/www/rubygem-cgi_multipart_eof_fix/pkg-descr (new)
More information about the cvs-ports
mailing list