# Additional changes by Paul Fisher (rao@gnu.org), November 2003
# Additional functionality (v1.1) by Ward Vandewege (ward@gnu.org), May 2004
# Additional changes (syslog) by Justin Baugh (baughj@gnu.org), August 2005
-# Additional testing and bugfixes by Ward Vandewege (ward@gnu.org), Apr 2006 - Jan 2010
+# Additional testing, bugfixes and functionality by Ward Vandewege (ward@gnu.org), Apr 2006 - Jan 2013
use strict;
use Net::SMTP;
my $V1_COMPAT_ALLOWED = 0;
-my $NAME = 'upload-ftp-v1.1.pl';
+my $NAME = 'upload-ftp-v1.2.pl';
my $VERSION = '1.2'; # This is the protocol version
-my $DATE = '2012/09/21 10:18:29';
-my $AUTHOR = "Free Software Foundation <sysadmin\@gnu.org>";
-my $COPYRIGHT = "2003-2012";
+my $DATE = '2013/01/23 20:26:29';
+my $AUTHORS = "Free Software Foundation <sysadmin\@gnu.org>";
+my $COPYRIGHT = "2003-2013";
my $LICENSE = "GPLv3 or later - http://www.fsf.org/licenses/gpl.txt";
my $URL = "http://www.gnu.org/prep/maintain/html_node/Automated-FTP-Uploads.html";
sub version_information {
print "\nThis is $NAME protocol version $VERSION ($DATE)\n";
- print "Copyright (c) $COPYRIGHT by $AUTHOR\n";
+ print "Copyright (c) $COPYRIGHT by $AUTHORS\n";
print "License: $LICENSE\n";
print "More information at $URL\n\n";
exit;
sub parse_directory_line {
my $tainted_val = shift;
my $directive_file_contents = shift;
- $tainted_val =~ s/ *$//; # Throw away trailing whitespace
+ $tainted_val =~ s/\r\n/\n/g; # deal with dos-based line endings...
+ $tainted_val =~ s/\s+$/\n/; # Some people like to put spaces after their commands
+ $tainted_val =~ s/^\s+//; # Or even *before* their commands
+
# $do_not_fail is set to 1 if this sub is called as a last resort in an attempt to find *someone* to report an error to.
# When it is set, this sub will not die with &fatal.
my $do_not_fail = shift;
$valid
or &fatal("gpg verify of upload file ($upload_file) failed",1);
- # Reject an upload tarball if it contains a Makefile.in vulnerable
- # as described in CVE-2009-4029.
- # http://thread.gmane.org/gmane.comp.sysutils.autotools.announce/131
- if ($upload_file =~ /\.(tar|)(\.|$)|\.t[bglx]z|\.tbz2$/) {
- # First check if the file contains any Makefile.in files
- ftp_syslog('debug', "($log_style) DEBUG: testing $upload_file for presence of Makefile.in") if $DEBUG;
- my $tar_cmd = "/bin/tar -tf $upload_file";
- open (TAR, "$tar_cmd|")
- or &fatal("failed to run command: $tar_cmd",1);
- my $found_makefile = 0;
- while (defined (my $line = <TAR>)) {
- if ($line =~ /Makefile.in/i) {
- $found_makefile = 1;
- last;
- }
- }
- close(TAR); # We don't care about errors here; the pipe can cause non-zero exit codes when tar is unhappy that it's asked to stop
- return if (!$found_makefile);
- # If it does, check inside them
- ftp_syslog('debug', "($log_style) DEBUG: found Makefile.in, testing for CVE-2009-4029 and CVE-2012-3386") if $DEBUG;
- $tar_cmd = "/bin/tar --to-stdout -x -f $upload_file 'Makefile.in' --wildcards '*/Makefile.in' 2>/dev/null";
- open (TAR, "$tar_cmd|")
- or &fatal("failed to run command: $tar_cmd",1);
- my $found_cve_2009_4029 = 0;
- my $found_cve_2012_3386 = 0;
- my $error_string = '';
- while (defined (my $line = <TAR>)) {
- if ($line =~ /perm -777 -exec chmod a\+rwx|chmod 777 \$\(distdir\)/) {
- $found_cve_2009_4029 = 1;
- }
- if ($line =~ /chmod a\+w \$\(distdir\)/) {
- $found_cve_2012_3386 = 1;
- }
- }
- close(TAR); # We don't care about errors here; the pipe can cause non-zero exit codes when tar is unhappy that it's asked to stop
-
- # Because CVE-2012-3386 was not fixed until 1.11.6 / 1.12.2, we point people to that version instead
- # of 1.11.1, which fixes CVE-2009-4029. Ward, 2012-07-20
- $found_cve_2009_4029 and $error_string .= "upload rejected: $upload_file contains a vulnerable "
- . "Makefile.in (CVE-2009-4029);\n"
- . "Regenerate it with automake 1.11.6 / 1.12.2 or newer.\n\n";
+ use lib '.';
+ use CheckVulnerabilities qw(&check_vulnerabilities);
+ my ($error_string, $error_log_ref) = check_vulnerabilities($upload_file,$log_style,$DEBUG);
- $found_cve_2012_3386 and $error_string .= "upload rejected: $upload_file contains a vulnerable "
- . "Makefile.in (CVE-2012-3386);\n"
- . "Regenerate it with automake 1.11.6 / 1.12.2 or newer.\n\n";
+ my @error_log = @$error_log_ref;
+ if ($DEBUG and $#error_log > -1) {
+ foreach (@error_log) {
+ ftp_syslog('debug', $_);
+ }
+ }
- ($found_cve_2009_4029 or $found_cve_2012_3386) and &fatal($error_string,1,'',3);
+ &fatal($error_string,1,'',3) if ($error_string ne '');
- }
ftp_syslog('debug', "($log_style) DEBUG: tested negative for CVE-2009-4029 and CVE-2012-3386") if $DEBUG;
}
projects / gatekeeper.git / commitdiff