#! /bin/sh /usr/share/dpatch/dpatch-run
## securityfix.dpatch by Hector Romojaro <hromojaro@dia.uned.es>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.
@DPATCH@
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' trunk~/packages/acs-api-browser/www/content-page-view.tcl trunk/packages/acs-api-browser/www/content-page-view.tcl
--- trunk~/packages/acs-api-browser/www/content-page-view.tcl 2003-05-17 11:38:28.000000000 +0200
+++ trunk/packages/acs-api-browser/www/content-page-view.tcl 2010-11-25 13:35:05.000000000 +0100
@@ -50,6 +50,11 @@
set filename "[acs_root_dir]/$path"
+if {[regsub -all {[.][.]/} $filename "" shortened_filename]} {
+ ns_log notice "INTRUDER ALERT:\n\nsomesone tried to snarf '$filename'!\n file exists: [file exists $filename]\n user_id: [ad_conn user_id]\n peer: [ad_conn peeraddr]\n"
+ set filename shortened_filename
+}
+
if {![file exists $filename] || [file isdirectory $filename]} {
set file_contents "file '$filename' not found"
} else {
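Review bot: The added guard does not confine `$filename` to the server root: `regsub -all` deletes `../` in a single pass, which can itself leave a traversal sequence behind, and the script then carries on to the file checks instead of rejecting the request. In addition, `set filename shortened_filename` assigns the literal string `shortened_filename`, not `$shortened_filename`, so the cleaned path is never used. I would replace the string edit with a containment check on the normalized path and abort when it falls outside `[acs_root_dir]`, as sketched below. The `ns_log` line also writes the request-controlled `$filename` with raw newlines into the server log, so log only the user id and peer address, or strip control characters first. The `if`/`else` at the end of the hunk continues outside it, so the read path itself is not visible here.

```tcl
set root [file normalize [acs_root_dir]]
set filename [file normalize "$root/$path"]
# Decide on the resolved path; do not try to repair the requested string.
if {[string first "$root/" $filename] != 0} {
    ns_log warning "content-page-view: rejected path outside server root (user_id [ad_conn user_id], peer [ad_conn peeraddr])"
    ns_returnforbidden
    ad_script_abort
}
# … unchanged: file exists / isdirectory check and the else branch …
```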