From 5e97601fb7148277f8f8e63fa61739f0d49ca389 Mon Sep 17 00:00:00 2001
From: Ariadne Conill
Date: Fri, 30 Apr 2021 06:54:27 -0600
Subject: [PATCH] main/awstats: security upgrade to 7.8 (CVE-2020-29600, CVE-2020-35176)
---
 main/awstats/APKBUILD | 12 ++++++++----
 main/awstats/CVE-2020-35176.patch | 30 ++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+), 4 deletions(-)
 create mode 100644 main/awstats/CVE-2020-35176.patch
diff --git a/main/awstats/APKBUILD b/main/awstats/APKBUILD
index 71d001fc6b7..31fd7de5237 100644
--- a/main/awstats/APKBUILD
+++ b/main/awstats/APKBUILD
@@ -1,7 +1,7 @@
 # Contributor: Valery Kartel
 # Maintainer: Natanael Copa
 pkgname=awstats
-pkgver=7.7
+pkgver=7.8
 pkgrel=0
 pkgdesc="Free real-time logfile analyzer to get advanced statistics"
 url="http://awstats.sourceforge.net/"
@@ -10,10 +10,13 @@ license="GPL-3.0-or-later"
 depends="perl perl-uri"
 subpackages="$pkgname-doc"
 options="!check" # no testsuite
-source="https://prdownloads.sourceforge.net/$pkgname/$pkgname-$pkgver.tar.gz"
-builddir="$srcdir/$pkgname-$pkgver"
+source="https://prdownloads.sourceforge.net/awstats/awstats-$pkgver.tar.gz
+ CVE-2020-35176.patch"
 # secfixes:
+# 7.8-r0:
+# - CVE-2020-29600
+# - CVE-2020-35176
 # 7.6-r2:
 # - CVE-2017-1000501
@@ -59,4 +62,5 @@ package() {
 "$pkgdir"/usr/lib/$pkgname/cgi-bin/plugins/example
 }
-sha512sums="8bf32b0650ef0cc900a16eead866da3847d81c2696e7a90fb49833679c958768833d781e5b4becd9b4f6748c7266e2887ff7ff33d98293ce3a0296a810fbe899 awstats-7.7.tar.gz"
+sha512sums="b532f74a8b420841b1ae7eea73fd341049925af01688a06114f53807c14c6a4edc4ca4f671b2b9c1aee8024ba25ccf69b6eae391250e5722d2fd719de4cf87e2 awstats-7.8.tar.gz
+d012866662206ffba9f84af437824324bf402a49ecb67161833b3f9593ccd4327db4b465d305c3ca78e5b29917acd469760faac6f7678055d4de01621f689c63 CVE-2020-35176.patch"
diff --git a/main/awstats/CVE-2020-35176.patch b/main/awstats/CVE-2020-35176.patch
new file mode 100644
index 00000000000..3e707c35dc4
--- /dev/null
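Review bot: The new `CVE-2020-35176.patch` entry in `source=` only reaches the unpacked tree if the build runs abuild's `default_prepare`; if this APKBUILD carries its own `prepare()` (not visible in these hunks), it must call `default_prepare` or apply the patch itself, otherwise 7.8-r0 would carry a secfixes line for CVE-2020-35176 while still shipping the unpatched config lookup. Dropping `builddir=` similarly leans on the default `$srcdir/$pkgname-$pkgver`, which is only correct if the 7.8 tarball unpacks to `awstats-7.8`, so that is worth confirming against the new archive. I would also document why a local patch is needed on top of a security release, e.g. a comment above the patch entry in `source=`: `# upstream commit 0d4d4c05 (CVE-2020-35176): drop /etc from the config search path`.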
+++ b/main/awstats/CVE-2020-35176.patch
@@ -0,0 +1,30 @@
+From 0d4d4c05f8e73be8f71dd361dc55cbd52858b823 Mon Sep 17 00:00:00 2001
+From: Beuc
+Date: Thu, 17 Dec 2020 18:14:43 +0100
+Subject: [PATCH] Only look for configuration in dedicated awstats directories
+
+Fixes #195/CVE-2020-35176
+---
+ wwwroot/cgi-bin/awstats.pl | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/wwwroot/cgi-bin/awstats.pl b/wwwroot/cgi-bin/awstats.pl
+index e709b7f5..8341c0a5 100755
+--- a/wwwroot/cgi-bin/awstats.pl
++++ b/wwwroot/cgi-bin/awstats.pl
+@@ -1711,13 +1711,13 @@ sub Read_Config {
+ # Check config file in common possible directories :
+ # Windows : "$DIR" (same dir than awstats.pl)
+ # Standard, Mandrake and Debian package : "/etc/awstats"
+- # Other possible directories : "/usr/local/etc/awstats", "/etc"
++ # Other possible directories : "/usr/local/etc/awstats",
+ # FHS standard, Suse package : "/etc/opt/awstats"
+ my $configdir = shift;
+ my @PossibleConfigDir = (
+ "$DIR",
+ "/etc/awstats",
+- "/usr/local/etc/awstats", "/etc",
++ "/usr/local/etc/awstats",
+ "/etc/opt/awstats"
+ );
+
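Review bot: The edited comment line in the embedded patch keeps a dangling comma left over from deleting `"/etc"`; the trailing comma is right in the code list below it, where `"/etc/opt/awstats"` still follows, but in the comment it should read `# Other possible directories : "/usr/local/etc/awstats"`. The hunk removes `/etc` only from the hard-coded candidate list; how a caller-supplied `$configdir` (taken on the `my $configdir = shift;` line) is used relative to those directories is decided later in `Read_Config`, outside the hunk, so the fix's coverage has to be judged together with the surrounding 7.8 handling of that parameter rather than from this patch alone. `Read_Config` continues past the end of the hunk.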