[interchange-cvs] interchange - heins modified 6 files

interchange-core@icdevgroup.org interchange-core@icdevgroup.org
Sun Aug 11 11:25:01 2002


User:      heins
Date:      2002-08-11 15:24:03 GMT
Modified:  .        Tag: STABLE_4_8-branch MANIFEST Makefile.PL
Modified:  dist     Tag: STABLE_4_8-branch interchange.cfg.dist
Modified:  lib/Vend Tag: STABLE_4_8-branch Config.pm Server.pm
Modified:  scripts  Tag: STABLE_4_8-branch makecat.PL
Log:
Several changes to ensure security problems are addressed.

* Changed installation directory for man files to "man" instead of "doc",
  meaning no default content is available on internal HTTP server.

* Changed default of TcpMap to localhost:7786 in Config.pm.

* Changed default of TcpMap to localhost:7786 in interchange.cfg.dist file.

* Changed default of Inet_Mode to No in interchange.cfg.dist file.

* Set internal HTTP server to strip ../ from paths and log a break-in
  attempt if it encounters one.

* Enhanced makecat to handle adjusting the interchange.cfg file for
  INET mode if the user selects it, and to properly set TcpMap to
  monitor only the port that is to be used.

Revision  Changes    Path
No                   revision



No                   revision



2.17.2.16 +0 -1      interchange/MANIFEST


rev 2.17.2.16, prev_rev 2.17.2.15
Index: MANIFEST
===================================================================
RCS file: /anon_cvs/repository/interchange/MANIFEST,v
retrieving revision 2.17.2.15
retrieving revision 2.17.2.16
diff -u -r2.17.2.15 -r2.17.2.16
--- MANIFEST	17 Jun 2002 21:35:33 -0000	2.17.2.15
+++ MANIFEST	11 Aug 2002 15:24:03 -0000	2.17.2.16
@@ -832,7 +832,6 @@
 lib/Vend/Track.pm
 lib/Vend/UserDB.pm
 lib/Vend/Util.pm
-perl/Interchange.pm
 pod/ic_ecommerce.pod
 pod/ic_howto_cvs.pod
 pod/icadvanced.pod



2.9.2.15  +2 -2      interchange/Makefile.PL


rev 2.9.2.15, prev_rev 2.9.2.14
Index: Makefile.PL
===================================================================
RCS file: /anon_cvs/repository/interchange/Makefile.PL,v
retrieving revision 2.9.2.14
retrieving revision 2.9.2.15
diff -u -r2.9.2.14 -r2.9.2.15
--- Makefile.PL	22 Jul 2002 14:23:14 -0000	2.9.2.14
+++ Makefile.PL	11 Aug 2002 15:24:03 -0000	2.9.2.15
@@ -440,9 +440,9 @@
 	$X{INSTALLARCHLIB}	=3D "$realdir";
 	$X{INSTALLPRIVLIB}	=3D "$realdir/lib";
 	if(! $MV::Default{final}) {
-		$X{INSTALLMAN1DIR}	=3D "$realdir/doc"
+		$X{INSTALLMAN1DIR}	=3D "$realdir/man"
 			if ! $MV::Default{INSTALLMAN1DIR};
-		$X{INSTALLMAN3DIR}	=3D "$realdir/doc"
+		$X{INSTALLMAN3DIR}	=3D "$realdir/man"
 			if ! $MV::Default{INSTALLMAN3DIR};
 	}
=20
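Review bot: Changing the install directories on the two replaced lines only affects new installs; an upgrade over an existing tree still leaves the previously installed man pages under `$realdir/doc`, where the internal HTTP server could presumably still serve them, unless something outside this hunk removes them — worth a check or a note in the upgrade documentation. A comment above the block would also record the reason for the choice: `# Man pages go under man/, not doc/, so the internal HTTP server has no default content to serve.` The enclosing block starts outside the hunk.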



No                   revision



No                   revision



2.0.2.2   +5 -1      interchange/dist/interchange.cfg.dist


rev 2.0.2.2, prev_rev 2.0.2.1
Index: interchange.cfg.dist
===================================================================
RCS file: /anon_cvs/repository/interchange/dist/interchange.cfg.dist,v
retrieving revision 2.0.2.1
retrieving revision 2.0.2.2
diff -u -r2.0.2.1 -r2.0.2.2
--- interchange.cfg.dist	26 Nov 2001 22:33:00 -0000	2.0.2.1
+++ interchange.cfg.dist	11 Aug 2002 15:24:03 -0000	2.0.2.2
@@ -95,7 +95,11 @@
 # Additional Safe operations to untrap beyond the standard "ftfile sort".
 SafeUntrap  rand
=20
-TcpMap 7786 -
+TcpMap localhost:7786 -
+
+## Whether INET and UNIX ports will be used
+Unix_Mode Yes
+Inet_Mode No
=20
 # Include back office administration UI if variable set above.
 ifdef UI
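Review bot: The new `TcpMap localhost:7786 -` line has no comment, so a reader does not learn that the host part is what keeps the listener off non-loopback interfaces and that it must be changed deliberately to accept remote connections; add `# Bind the TCP listener to loopback only; put a real host name or address here only if remote hosts must connect.` above it. The `## Whether INET and UNIX ports will be used` comment could also say what each setting does, e.g. `## Unix_Mode: listen on the UNIX socket; Inet_Mode: listen on the TcpMap ports (off by default)`.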



No                   revision



No                   revision



2.2.2.12  +3 -3      interchange/lib/Vend/Config.pm


rev 2.2.2.12, prev_rev 2.2.2.11
Index: Config.pm
===================================================================
RCS file: /anon_cvs/repository/interchange/lib/Vend/Config.pm,v
retrieving revision 2.2.2.11
retrieving revision 2.2.2.12
diff -u -r2.2.2.11 -r2.2.2.12
--- Config.pm	11 Aug 2002 14:17:45 -0000	2.2.2.11
+++ Config.pm	11 Aug 2002 15:24:03 -0000	2.2.2.12
@@ -1,6 +1,6 @@
 # Vend::Config - Configure Interchange
 #
-# $Id: Config.pm,v 2.2.2.11 2002/08/11 14:17:45 mheins Exp $
+# $Id: Config.pm,v 2.2.2.12 2002/08/11 15:24:03 mheins Exp $
 #
 # Copyright (C) 1996-2002 Red Hat, Inc. <interchange@redhat.com>
 #
@@ -95,7 +95,7 @@
 use Vend::Parse;
 use Vend::Util;
=20
-$VERSION =3D substr(q$Revision: 2.2.2.11 $, 10);
+$VERSION =3D substr(q$Revision: 2.2.2.12 $, 10);
=20
 my %CDname;
=20
@@ -1946,7 +1946,7 @@
 						$Global::TcpMap =3D {};
 					}
 					return 1 if @sets;
-					$Global::TcpMap->{7786} =3D '-';
+					$Global::TcpMap->{'localhost:7786'} =3D '-';
 					return 1;
 				},
 		Database =3D> sub {
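Review bot: The default on the changed line deserves a comment, since `'localhost:7786'` presumably restricts the fallback listener to the loopback name while the same literal is duplicated in interchange.cfg.dist and the two must stay in step; add above it `# No TcpMap given: fall back to loopback only (localhost:7786) so nothing is exposed on other interfaces by default.` The sub this lives in starts and ends outside the hunk.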



2.0.2.6   +7 -3      interchange/lib/Vend/Server.pm


rev 2.0.2.6, prev_rev 2.0.2.5
Index: Server.pm
===================================================================
RCS file: /anon_cvs/repository/interchange/lib/Vend/Server.pm,v
retrieving revision 2.0.2.5
retrieving revision 2.0.2.6
diff -u -r2.0.2.5 -r2.0.2.6
--- Server.pm	8 Jul 2002 22:44:26 -0000	2.0.2.5
+++ Server.pm	11 Aug 2002 15:24:03 -0000	2.0.2.6
@@ -1,6 +1,6 @@
 # Vend::Server - Listen for Interchange CGI requests as a background server
 #
-# $Id: Server.pm,v 2.0.2.5 2002/07/08 22:44:26 edl Exp $
+# $Id: Server.pm,v 2.0.2.6 2002/08/11 15:24:03 mheins Exp $
 #
 # Copyright (C) 1996-2002 Red Hat, Inc. <interchange@redhat.com>
 #
@@ -25,7 +25,7 @@
 package Vend::Server;
=20
 use vars qw($VERSION);
-$VERSION =3D substr(q$Revision: 2.0.2.5 $, 10);
+$VERSION =3D substr(q$Revision: 2.0.2.6 $, 10);
=20
 use POSIX qw(setsid strftime);
 use Vend::Util;
@@ -770,6 +770,10 @@
=20
 	my (@path) =3D $url->path_components();
 	my $path =3D $url->path();
+	if($path =3D~ m{\.\./}) {
+		logGlobal("Attempted breakin using path=3D$path, will show 404");
+		$path =3D~ s{\.\./}{}g;
+	}
 	my $doc;
 	my $status =3D 200;
=20
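Review bot: The added rewrite sanitises `$path` but not `@path`, which `path_components()` already filled on the line just above, so any later lookup that uses `@path` still sees the `..` components; and a single `s{\.\./}{}g` pass is not idempotent, so the rewritten `$path` can still contain `../` when sequences overlap. Rejecting the request is safer than repairing it: `if (grep { $_ eq '..' } @path) {` log as the hunk does now, then set `$status = 404` and skip the file lookup instead of continuing with a rewritten path. Checking the components in `@path` also avoids tying the detection to the one literal `../` spelling. The enclosing sub starts and ends outside the hunk.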
@@ -807,7 +811,7 @@
 	else {
 		$status =3D 404;
 		$Vend::StatusLine =3D "HTTP/1.0 404 Not found";
-		$doc =3D "$path not a Interchange catalog or help file.\n";
+		$doc =3D "Not an Interchange catalog or help file.\n";
 	}
=20
 	if($$env{REQUEST_METHOD} eq 'HEAD') {



No                   revision



No                   revision



2.5.2.6   +35 -2     interchange/scripts/makecat.PL


rev 2.5.2.6, prev_rev 2.5.2.5
Index: makecat.PL
===================================================================
RCS file: /anon_cvs/repository/interchange/scripts/makecat.PL,v
retrieving revision 2.5.2.5
retrieving revision 2.5.2.6
diff -u -r2.5.2.5 -r2.5.2.6
--- makecat.PL	4 Feb 2002 15:51:08 -0000	2.5.2.5
+++ makecat.PL	11 Aug 2002 15:24:03 -0000	2.5.2.6
@@ -50,7 +50,7 @@
 #
 # Interchange catalog configurator
 #
-# $Id: makecat.PL,v 2.5.2.5 2002/02/04 15:51:08 jon Exp $
+# $Id: makecat.PL,v 2.5.2.6 2002/08/11 15:24:03 mheins Exp $
 #
 # Copyright (C) 1996-2002 Red Hat, Inc. <interchange@redhat.com>
 #
@@ -2124,6 +2124,8 @@
 	close ADDL;
 }
 	my $add;
+	my $add_tcp;
+	my $add_inet;
=20
 	umask(07) unless $Conf{noumask};
=20
@@ -2135,6 +2137,13 @@
 	}
 	$add =3D prefix('norunning') ? 'n' : 'y';
=20
+	if($yes and $Inetmode) {
+		$add_tcp =3D prompt "Add port $lp to TcpMap in interchange.cfg if necess=
ary? ", $add;
+		$add_tcp =3D is_yes($add_tcp);
+		$add_inet =3D prompt "Set Interchange to run in INET mode if necessary? =
", $add;
+		$add_inet =3D is_yes($add_inet);
+	}
+
 	if($pid) {
 		$add_to_running =3D prompt "Add catalog to server running on PID $pid? "=
, $add;
 		$add_to_running =3D is_yes($add_to_running);
@@ -2142,6 +2151,7 @@
=20
 	my $full =3D '';
 	my $newcfgline;
+	my $tcpmark;
=20
 	$newcfgline =3D sprintf "%-10s %s %s %s %s\n", 'Catalog',
 				$catalog_name, $Conf{catroot}, $full . $Conf{cgiurl}, $Conf{aliases};
@@ -2174,6 +2184,10 @@
 				if s/^(catalog\s+$catalog_name\s+)/#$1/io;
 			$full =3D is_yes($1)
 				if /^\s*fullurl\s+(.*)/i;
+			if ($add_tcp and /^tcpmap\s+/i and $_ !~ /\b$lh:$lp\b/) {
+				$tcpmark =3D /^tcpmap\s+[^<]+$/i ? $. : $. + 1;
+				$tcpmark-- if $mark;
+			}
 			push @out, $_;
 		}
 		close CFG;
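Review bot: `$lh` and `$lp` are interpolated into the regex on the first added line without escaping, so a dot in the host name matches any character; use `\b\Q$lh:$lp\E\b` there. The index stored in `$tcpmark` also looks off by one: `$.` is 1-based while `@out` is 0-based (the current line is pushed at index `$.-1` just below), so `$out[$tcpmark]` for a single-line TcpMap is the line after the TcpMap entry — verify against a sample interchange.cfg, since the later `$tcpmark-- if $mark` suggests the offset was tuned empirically. The same index is consumed by the `$out[$tcpmark] =~ s/\s*$/ $lh:$lp -\n/` rewrite in the next hunk, where an index past the end silently extends `@out`. The enclosing loop and sub start outside the hunk.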
@@ -2192,6 +2206,24 @@
=20
 		$newcfgline =3D sprintf "%-13s %s %s %s %s\n", 'Catalog',
 				$catalog_name, $Conf{catroot}, $full . $Conf{cgiurl}, $Conf{aliases};
+
+		if($tcpmark) {
+			$out[$tcpmark] =3D~ s/\s*$/ $lh:$lp -\n/;
+		}
+=09=09
+		if($add_inet) {
+			my $found_inetmode;
+			for(@out) {
+				next unless /^\s*inet_mode\s+/i;
+				$_ =3D "Inet_Mode Yes\n";
+				$found_inetmode =3D 1;
+				last;
+			}
+			if(! $found_inetmode) {
+				push @out, "Inet_Mode Yes\n";
+			}
+		}
+
 		if (defined $mark) {
 			print NEWCFG @out[0..$mark-1];
 			print NEWCFG $newcfgline;
@@ -2203,6 +2235,7 @@
 			print NEWCFG $newcfgline;
 			print NEWCFG @out;
 		}
+
 		close NEWCFG || die "close: $!\n";
 		unlink $tmpfile;
 		if($isroot) {
@@ -2322,7 +2355,7 @@
=20
 =3Dhead1 VERSION
=20
-# $Id: makecat.PL,v 2.5.2.5 2002/02/04 15:51:08 jon Exp $
+# $Id: makecat.PL,v 2.5.2.6 2002/08/11 15:24:03 mheins Exp $
=20
 =3Dhead1 INTRODUCTION
=20