Bug#660828: [fex] Security fix is too minimal ( initialisation missing)

Wed, 22 Feb 2012 00:45:19 -0800 

Package: fex
Version: 20100208+debian1-1+squeeze2
Severity: grave

--- Please enter the report below this line. ---

Following lines are missing for the security-patch to work:

--- bin/fexsrv
+++ bin/fexsrv
@@ -137,7 +137,7 @@
 
 seek $log,0,SEEK_END;
 
-$ENV{REQUEST_URI} = '';
+$ENV{REQUEST_URI} = $uri = '';
 $http_req = $cgi = '';
 $hl = 0;
 
@@ -225,7 +225,7 @@
     goto REQUEST; # uh-uhhhh! ugly! ;-)
   } elsif (/^(GET|HEAD|POST)\s+(.+)\s(HTTP\/[\d\.]+$)/i) {
     $ENV{REQUEST_METHOD} = uc($1);
-    $ENV{REQUEST_URI}    = $cgi = $2;
+    $ENV{REQUEST_URI}    = $uri = $cgi = $2;
     $ENV{HTTP_VERSION}   = $protocol = $3;
     $ENV{QUERY_STRING}   = $1               if $cgi =~ s/\?(.*)//;



--- System information. ---

--- Package information. ---
Package's Depends field is empty.

Package's Recommends field is empty.

Package's Suggests field is empty.





-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Reply via email to