diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl index c4a19e5d8..9b3f2bff4 100755 --- a/config/firewall/firewall-lib.pl +++ b/config/firewall/firewall-lib.pl @@ -217,7 +217,7 @@ sub get_std_net_ip }elsif($val eq 'BLUE'){ return "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}"; }elsif($val eq 'RED'){ - return "0.0.0.0/0 -o $con"; + return "0.0.0.0/0"; }elsif($val =~ /OpenVPN/i){ return "$ovpnsettings{'DOVPN_SUBNET'}"; }elsif($val =~ /IPsec/i){ @@ -226,6 +226,23 @@ sub get_std_net_ip return ; } } +sub get_interface +{ + my $net=shift; + if($net eq "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"){ + return "$netsettings{'GREEN_DEV'}"; + } + if($net eq "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}"){ + return "$netsettings{'ORANGE_DEV'}"; + } + if($net eq "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}"){ + return "$netsettings{'BLUE_DEV'}"; + } + if($net eq "0.0.0.0/0"){ + return "$netsettings{'RED_DEV'}"; + } + return ""; +} sub get_net_ip { my $val=shift; @@ -305,9 +322,9 @@ sub get_address # address. Otherwise, we assume that it is an IP address. if ($key ~~ ["src_addr", "tgt_addr"]) { if (&General::validmac($value)) { - push(@ret, "-m mac --mac-source $value"); + push(@ret, ["-m mac --mac-source $value", ""]); } else { - push(@ret, $value); + push(@ret, [$value, ""]); } # If a default network interface (GREEN, BLUE, etc.) is selected, we 
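Review bot: In the new `get_interface` (hunk `@@ -226,6 +226,23 @@`), the `0.0.0.0/0` case returns `$netsettings{'RED_DEV'}`, whereas the line removed from `get_std_net_ip` bound RED rules to `$con`, which `get_address` fills from `&get_external_interface()`. If those two values can differ (for instance when the live external device is not the configured NIC; the helper is not shown here, so this is an assumption to confirm), RED rules would carry an `-i`/`-o` match that never fires and an intended DROP or ACCEPT would silently stop applying. Consider `return &get_external_interface();` for that case. The sub also has no header comment; something like `# Maps a default-zone network ("ADDRESS/NETMASK") to its device name; returns "" when no zone matches.` would document the contract. A zone that is not configured interpolates to `"/"` in the comparisons, which is harmless for matching but worth a `defined` guard.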
@@ -316,88 +333,90 @@ sub get_address my $external_interface = &get_external_interface(); my $network_address = &get_std_net_ip($value, $external_interface); + if ($network_address) { - push(@ret, $network_address); + my $interface = &get_interface($network_address); + push(@ret, [$network_address, $interface]); } # Custom networks. } elsif ($key ~~ ["cust_net_src", "cust_net_tgt", "Custom Network"]) { my $network_address = &get_net_ip($value); if ($network_address) { - push(@ret, $network_address); + push(@ret, [$network_address, ""]); } # Custom hosts. } elsif ($key ~~ ["cust_host_src", "cust_host_tgt", "Custom Host"]) { my $host_address = &get_host_ip($value, $type); if ($host_address) { - push(@ret, $host_address); + push(@ret, [$host_address, ""]); } # OpenVPN networks. } elsif ($key ~~ ["ovpn_net_src", "ovpn_net_tgt", "OpenVPN static network"]) { my $network_address = &get_ovpn_net_ip($value, 1); if ($network_address) { - push(@ret, $network_address); + push(@ret, [$network_address, ""]); } # OpenVPN hosts. } elsif ($key ~~ ["ovpn_host_src", "ovpn_host_tgt", "OpenVPN static host"]) { my $host_address = &get_ovpn_host_ip($value, 33); if ($host_address) { - push(@ret, $host_address); + push(@ret, [$host_address, ""]); } # OpenVPN N2N. } elsif ($key ~~ ["ovpn_n2n_src", "ovpn_n2n_tgt", "OpenVPN N-2-N"]) { my $network_address = &get_ovpn_n2n_ip($value, 11); if ($network_address) { - push(@ret, $network_address); + push(@ret, [$network_address, ""]); } # IPsec networks. } elsif ($key ~~ ["ipsec_net_src", "ipsec_net_tgt", "IpSec Network"]) { my $network_address = &get_ipsec_net_ip($value, 11); if ($network_address) { - push(@ret, $network_address); + push(@ret, [$network_address, ""]); } # The firewall's own IP addresses. 
} elsif ($key ~~ ["ipfire", "ipfire_src"]) { # ALL if ($value eq "ALL") { - push(@ret, "0/0"); + push(@ret, ["0/0", ""]); # GREEN } elsif ($value eq "GREEN") { - push(@ret, $netsettings{"GREEN_ADDRESS"}); + push(@ret, [$netsettings{"GREEN_ADDRESS"}, ""]); # BLUE } elsif ($value eq "BLUE") { - push(@ret, $netsettings{"BLUE_ADDRESS"}); + push(@ret, [$netsettings{"BLUE_ADDRESS"}, ""]); # ORANGE } elsif ($value eq "ORANGE") { - push(@ret, $netsettings{"ORANGE_ADDRESS"}); + push(@ret, [$netsettings{"ORANGE_ADDRESS"}, ""]); # RED } elsif ($value ~~ ["RED", "RED1"]) { my $address = &get_external_address(); if ($address) { - push(@ret, $address); + push(@ret, [$address, ""]); } # Aliases } else { my $alias = &get_alias($value); if ($alias) { - push(@ret, $alias); + push(@ret, [$alias, ""]); } } # If nothing was selected, we assume "any". } else { - push(@ret, "0/0"); + push(@ret, ["0/0", ""]); } return @ret; diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index aa8870cdc..40fb8dd2a 100755 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -268,6 +268,33 @@ sub buildrules { } } + # Concurrent connection limit + my @ratelimit_options = (); + if ($$hash{$key}[32] eq 'ON') { + my $conn_limit = $$hash{$key}[33]; + + if ($conn_limit ge 1) { + push(@ratelimit_options, ("-m", "connlimit")); + + # Use the the entire source IP address + push(@ratelimit_options, "--connlimit-saddr"); + push(@ratelimit_options, ("--connlimit-mask", "32")); + + # Apply the limit + push(@ratelimit_options, ("--connlimit-upto", $conn_limit)); + } + } + + # Ratelimit + if ($$hash{$key}[34] eq 'ON') { + my $rate_limit = "$$hash{$key}[35]/$$hash{$key}[36]"; + + if ($rate_limit) { + push(@ratelimit_options, ("-m", "limit")); + push(@ratelimit_options, ("--limit", $rate_limit)); + } + } + # Check which protocols are used in this rule and so that we can # later group rules by protocols. my @protocols = &get_protocols($hash, $key); 
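Review bot: `get_address` (hunk `@@ -316,88 +333,90 @@`, plus the `src_addr`/`tgt_addr` branch in the preceding hunk) now returns a list of `[address, interface]` array refs instead of plain strings, and nothing in the changed lines documents that. In the `ipfire` branch the zone address is pushed without a check, so an unconfigured zone yields `[undef, ""]`, which is a true value even though it carries no address. Any caller that still treats an element as a string would see `ARRAY(0x…)`; in the hunks shown only `buildrules` is adapted, so other callers, if there are any, need checking. I would add above the sub a comment such as `# Returns a list of [address, interface] pairs; interface is "" unless a default zone (GREEN, BLUE, ORANGE, RED) was selected.` and push the zone addresses only when they are defined. The sub starts outside the hunk.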
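Review bot: The two limit blocks added to `buildrules` in hunk `@@ -268,6 +268,33 @@` hand rule fields to iptables without a real validity check. `$conn_limit ge 1` is a string comparison, so a non-numeric value such as `abc` passes it; `if ($conn_limit =~ /^\d+$/ && $conn_limit >= 1) {` tests what is meant. `$rate_limit` always contains at least `/`, so `if ($rate_limit)` is always true and an empty field produces `--limit /`; fields 35 and 36 should be checked individually (digits for the rate, one of the units the form offers for the period) before the options are pushed. A rule that iptables rejects is presumably not loaded at all, which for a DROP or REJECT rule leaves the traffic to whatever follows, so a rule with invalid limit fields is better skipped and logged than emitted.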
@@ -295,22 +322,26 @@ sub buildrules { next unless ($src); # Sanitize source. - my $source = $src; + my $source = @$src[0]; if ($source ~~ @ANY_ADDRESSES) { $source = ""; } + my $source_intf = @$src[1]; + foreach my $dst (@destinations) { # Skip invalid rules. next unless (defined $dst); next if (!$dst || ($dst eq "none")); # Sanitize destination. - my $destination = $dst; + my $destination = @$dst[0]; if ($destination ~~ @ANY_ADDRESSES) { $destination = ""; } + my $destination_intf = @$dst[1]; + # Array with iptables arguments. my @options = (); @@ -327,15 +358,26 @@ sub buildrules { push(@source_options, ("-s", $source)); } + if ($source_intf) { + push(@source_options, ("-i", $source_intf)); + } + # Prepare destination options. my @destination_options = (); if ($destination) { push(@destination_options, ("-d", $destination)); } + if ($destination_intf) { + push(@destination_options, ("-o", $destination_intf)); + } + # Add time constraint options. push(@options, @time_options); + # Add ratelimiting option + push(@options, @ratelimit_options); + my $firewall_is_in_source_subnet = 1; if ($source) { $firewall_is_in_source_subnet = &firewall_is_in_subnet($source); @@ -366,7 +408,7 @@ sub buildrules { # Make port-forwardings useable from the internal networks. my @internal_addresses = &fwlib::get_internal_firewall_ip_addresses(1); unless ($nat_address ~~ @internal_addresses) { - &add_dnat_mangle_rules($nat_address, @nat_options); + &add_dnat_mangle_rules($nat_address, $source_intf, @nat_options); } push(@nat_options, @source_options); @@ -457,6 +499,10 @@ sub buildrules { } } } + #Reload firewall.local if present + if ( -f '/etc/sysconfig/firewall.local'){ + run("/etc/sysconfig/firewall.local reload"); + } } # Formats the given timestamp into the iptables format which is "hh:mm" UTC. @@ -683,6 +729,7 @@ sub get_dnat_target_port { sub add_dnat_mangle_rules { my $nat_address = shift; + my $interface = shift; my @options = @_; my $mark = 0; 
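Review bot: In hunk `@@ -295,22 +322,26 @@` of `buildrules`, `$src` and `$dst` are now array refs, but the unchanged guards `next unless ($src);` and `next if (!$dst || ($dst eq "none"));` still test the ref itself, which is always true and never equal to `none`. An entry whose address is empty or undefined (the `ipfire` branch of `get_address` pushes `$netsettings{"ORANGE_ADDRESS"}` and its siblings unchecked) is therefore no longer skipped; `$destination` is then false, no `-d` is added, and the rule is emitted for any destination. Test the address element instead: `next unless ($src && $src->[0]);` and `next if (!$dst->[0] || ($dst->[0] eq "none"));`. `$src->[0]` is also the clearer spelling of the one-element slice `@$src[0]`.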
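Review bot: The `-i`/`-o` matches added in hunk `@@ -327,15 +358,26 @@` are appended to `@source_options` and `@destination_options` unconditionally, while iptables accepts `-i` only in chains reached from PREROUTING, INPUT and FORWARD and `-o` only in chains reached from FORWARD, OUTPUT and POSTROUTING. `@source_options` is merged into `@nat_options` further down, so it is worth confirming that no SNAT/POSTROUTING or OUTPUT rule receives an `-i` and no INPUT or DNAT/PREROUTING rule an `-o`, because such a rule is rejected when it is loaded. Keeping the interface matches in their own arrays, e.g. `my @source_intf_options = ("-i", $source_intf);`, and adding them per chain would make that explicit. The rule-building code continues outside the hunk.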
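Review bot: The `firewall.local` reload added in hunk `@@ -457,6 +499,10 @@` runs a locally editable script with the privileges of `rules.pl` each time `buildrules` finishes, guarded only by `-f`. `-f` does not check that the file is executable and the result of `run()` is not examined here, so a failed reload of the local rules goes unnoticed; `if (-x '/etc/sysconfig/firewall.local') {` is the minimum. Because the script is effectively root-executed configuration, it would also be reasonable to skip it when it is not owned by root or is group- or world-writable. If `buildrules` is called more than once per run (its callers are outside the hunk), the reload belongs in the caller so that it runs once.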
@@ -693,6 +740,8 @@ sub add_dnat_mangle_rules { next unless (exists $defaultNetworks{$zone . "_NETADDRESS"}); next unless (exists $defaultNetworks{$zone . "_NETMASK"}); + next if ($interface && $interface ne $defaultNetworks{$zone . "_DEV"}); + my @mangle_options = @options; my $netaddress = $defaultNetworks{$zone . "_NETADDRESS"}; diff --git a/config/rootfiles/common/bash b/config/rootfiles/common/bash index 84f587f3c..a2b6a87e3 100644 --- a/config/rootfiles/common/bash +++ b/config/rootfiles/common/bash 
@@ -57,3 +57,42 @@ bin/bash
 #usr/share/locale/zh_TW/LC_MESSAGES/bash.mo
 #usr/share/man/man1/bash.1
 #usr/share/man/man1/bashbug.1
+#usr/share/locale/af
+#usr/share/locale/af/LC_MESSAGES
+#usr/share/locale/af/LC_MESSAGES/bash.mo
+#usr/share/locale/bg/LC_MESSAGES/bash.mo
+#usr/share/locale/ca/LC_MESSAGES/bash.mo
+#usr/share/locale/cs/LC_MESSAGES/bash.mo
+#usr/share/locale/da/LC_MESSAGES/bash.mo
+#usr/share/locale/de/LC_MESSAGES/bash.mo
+#usr/share/locale/el/LC_MESSAGES/bash.mo
+#usr/share/locale/en@boldquot
+#usr/share/locale/en@boldquot/LC_MESSAGES
+#usr/share/locale/en@boldquot/LC_MESSAGES/bash.mo
+#usr/share/locale/en@quot/LC_MESSAGES/bash.mo
+#usr/share/locale/eo/LC_MESSAGES/bash.mo
+#usr/share/locale/es/LC_MESSAGES/bash.mo
+#usr/share/locale/et/LC_MESSAGES/bash.mo
+#usr/share/locale/fi/LC_MESSAGES/bash.mo
+#usr/share/locale/fr/LC_MESSAGES/bash.mo
+#usr/share/locale/ga/LC_MESSAGES/bash.mo
+#usr/share/locale/gl/LC_MESSAGES/bash.mo
+#usr/share/locale/hr/LC_MESSAGES/bash.mo
+#usr/share/locale/hu/LC_MESSAGES/bash.mo
+#usr/share/locale/id/LC_MESSAGES/bash.mo
+#usr/share/locale/it/LC_MESSAGES/bash.mo
+#usr/share/locale/ja/LC_MESSAGES/bash.mo
+#usr/share/locale/lt/LC_MESSAGES/bash.mo
+#usr/share/locale/nl/LC_MESSAGES/bash.mo
+#usr/share/locale/pl/LC_MESSAGES/bash.mo
+#usr/share/locale/pt_BR/LC_MESSAGES/bash.mo
+#usr/share/locale/ro/LC_MESSAGES/bash.mo
+#usr/share/locale/ru/LC_MESSAGES/bash.mo
+#usr/share/locale/sk/LC_MESSAGES/bash.mo
+#usr/share/locale/sl/LC_MESSAGES/bash.mo
+#usr/share/locale/sr
+#usr/share/locale/sr/LC_MESSAGES
+#usr/share/locale/sr/LC_MESSAGES/bash.mo
+#usr/share/locale/sv/LC_MESSAGES/bash.mo
+#usr/share/locale/tr/LC_MESSAGES/bash.mo
+#usr/share/locale/uk/LC_MESSAGES/bash.mo
diff --git a/config/rootfiles/core/82/exclude b/config/rootfiles/core/84/exclude
similarity index 100%
rename from config/rootfiles/core/82/exclude
rename to config/rootfiles/core/84/exclude
diff --git a/config/rootfiles/core/84/filelists/bash b/config/rootfiles/core/84/filelists/bash
new file mode 120000
index 000000000..de970cb1d
--- /dev/null
+++ b/config/rootfiles/core/84/filelists/bash
@@ -0,0 +1 @@
+../../../common/bash
\ No newline at end of file
diff --git a/config/rootfiles/core/84/filelists/dnsmasq b/config/rootfiles/core/84/filelists/dnsmasq
new file mode 120000
index 000000000..d469c7463
--- /dev/null
+++ b/config/rootfiles/core/84/filelists/dnsmasq
@@ -0,0 +1 @@
+../../../common/dnsmasq
\ No newline at end of file
diff --git a/config/rootfiles/core/84/filelists/files b/config/rootfiles/core/84/filelists/files
new file mode 100644
index 000000000..c26e2ea09
--- /dev/null
+++ b/config/rootfiles/core/84/filelists/files
@@ -0,0 +1,10 @@
+etc/system-release
+etc/issue
+etc/rc.d/init.d/firewall
+etc/rc.d/init.d/network
+srv/web/ipfire/cgi-bin/firewall.cgi
+srv/web/ipfire/cgi-bin/fwhosts.cgi
+srv/web/ipfire/cgi-bin/urlfilter.cgi
+usr/lib/firewall/firewall-lib.pl
+usr/lib/firewall/rules.pl
+var/ipfire/langs
diff --git a/config/rootfiles/core/84/filelists/readline b/config/rootfiles/core/84/filelists/readline
new file mode 120000
index 000000000..84209f189
--- /dev/null
+++ b/config/rootfiles/core/84/filelists/readline
@@ -0,0 +1 @@
+../../../common/readline
\ No newline at end of file
diff --git a/config/rootfiles/core/82/meta b/config/rootfiles/core/84/meta
similarity index 100%
rename from config/rootfiles/core/82/meta
rename to config/rootfiles/core/84/meta
diff --git a/config/rootfiles/core/84/update.sh b/config/rootfiles/core/84/update.sh
new file mode 100644
index 000000000..1b8332664
--- /dev/null
+++ b/config/rootfiles/core/84/update.sh
@@ -0,0 +1,58 @@
+#!/bin/bash
+############################################################################
+# #
+# This file is part of the IPFire Firewall. #
+# #
+# IPFire is free software; you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation; either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# IPFire is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with IPFire; if not, write to the Free Software #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
+# #
+# Copyright (C) 2014 IPFire-Team . #
+# #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+/usr/local/bin/backupctrl exclude >/dev/null 2>&1
+
+# Remove old core updates from pakfire cache to save space...
+core=84
+for (( i=1; i<=$core; i++ ))
+do
+ rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
+done
+
+# Stop services
+/etc/init.d/dnsmasq stop
+
+# Remove old files
+
+# Extract files
+extract_files
+
+# Start services
+/etc/init.d/dnsmasq start
+
+# Update Language cache
+perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang"
+
+sync
+
+# This update need a reboot...
+touch /var/run/need_reboot
+
+# Finish
+/etc/init.d/fireinfo start
+sendprofile
+
+# Don't report the exitcode last command
+exit 0
diff --git a/config/rootfiles/oldcore/82/exclude b/config/rootfiles/oldcore/82/exclude
new file mode 100644
index 000000000..18e9b4d24
--- /dev/null
+++ b/config/rootfiles/oldcore/82/exclude
@@ -0,0 +1,20 @@
+boot/config.txt
+etc/collectd.custom
+etc/ipsec.conf
+etc/ipsec.secrets
+etc/ipsec.user.conf
+etc/ipsec.user.secrets
+etc/localtime
+etc/shadow
+etc/ssh/ssh_config
+etc/ssh/sshd_config
+etc/ssl/openssl.cnf
+etc/sudoers
+etc/sysconfig/firewall.local
+etc/sysconfig/rc.local
+etc/udev/rules.d/30-persistent-network.rules
+srv/web/ipfire/html/proxy.pac
+var/ipfire/ovpn
+var/log/cache
+var/state/dhcp/dhcpd.leases
+var/updatecache
diff --git a/config/rootfiles/core/82/filelists/armv5tel/gmp b/config/rootfiles/oldcore/82/filelists/armv5tel/gmp
similarity index 100%
rename from config/rootfiles/core/82/filelists/armv5tel/gmp
rename to config/rootfiles/oldcore/82/filelists/armv5tel/gmp
diff --git a/config/rootfiles/core/82/filelists/batctl b/config/rootfiles/oldcore/82/filelists/batctl
similarity index 100%
rename from config/rootfiles/core/82/filelists/batctl
rename to config/rootfiles/oldcore/82/filelists/batctl
diff --git a/config/rootfiles/core/82/filelists/boost b/config/rootfiles/oldcore/82/filelists/boost
similarity index 100%
rename from config/rootfiles/core/82/filelists/boost
rename to config/rootfiles/oldcore/82/filelists/boost
diff --git a/config/rootfiles/core/82/filelists/files b/config/rootfiles/oldcore/82/filelists/files
similarity index 100%
rename from config/rootfiles/core/82/filelists/files
rename to config/rootfiles/oldcore/82/filelists/files
diff --git a/config/rootfiles/core/82/filelists/i586/gmp b/config/rootfiles/oldcore/82/filelists/i586/gmp
similarity index 100%
rename from config/rootfiles/core/82/filelists/i586/gmp
rename to config/rootfiles/oldcore/82/filelists/i586/gmp
diff --git a/config/rootfiles/core/82/filelists/iputils b/config/rootfiles/oldcore/82/filelists/iputils
similarity index 100%
rename from config/rootfiles/core/82/filelists/iputils
rename to config/rootfiles/oldcore/82/filelists/iputils
diff --git a/config/rootfiles/core/82/filelists/libnl-3 b/config/rootfiles/oldcore/82/filelists/libnl-3
similarity index 100%
rename from config/rootfiles/core/82/filelists/libnl-3
rename to config/rootfiles/oldcore/82/filelists/libnl-3
diff --git a/config/rootfiles/core/82/filelists/mpfr b/config/rootfiles/oldcore/82/filelists/mpfr
similarity index 100%
rename from config/rootfiles/core/82/filelists/mpfr
rename to config/rootfiles/oldcore/82/filelists/mpfr
diff --git a/config/rootfiles/core/82/filelists/openssl-compat b/config/rootfiles/oldcore/82/filelists/openssl-compat
similarity index 100%
rename from config/rootfiles/core/82/filelists/openssl-compat
rename to config/rootfiles/oldcore/82/filelists/openssl-compat
diff --git a/config/rootfiles/core/82/filelists/ppp b/config/rootfiles/oldcore/82/filelists/ppp
similarity index 100%
rename from config/rootfiles/core/82/filelists/ppp
rename to config/rootfiles/oldcore/82/filelists/ppp
diff --git a/config/rootfiles/oldcore/82/meta b/config/rootfiles/oldcore/82/meta
new file mode 100644
index 000000000..d547fa86f
--- /dev/null
+++ b/config/rootfiles/oldcore/82/meta
@@ -0,0 +1 @@
+DEPS=""
diff --git a/config/rootfiles/core/82/update.sh b/config/rootfiles/oldcore/82/update.sh
similarity index 100%
rename from config/rootfiles/core/82/update.sh
rename to config/rootfiles/oldcore/82/update.sh
diff --git a/config/rootfiles/oldcore/83/exclude b/config/rootfiles/oldcore/83/exclude
new file mode 100644
index 000000000..18e9b4d24
--- /dev/null
+++ b/config/rootfiles/oldcore/83/exclude
@@ -0,0 +1,20 @@
+boot/config.txt
+etc/collectd.custom
+etc/ipsec.conf
+etc/ipsec.secrets
+etc/ipsec.user.conf
+etc/ipsec.user.secrets
+etc/localtime
+etc/shadow
+etc/ssh/ssh_config
+etc/ssh/sshd_config
+etc/ssl/openssl.cnf
+etc/sudoers
+etc/sysconfig/firewall.local
+etc/sysconfig/rc.local
+etc/udev/rules.d/30-persistent-network.rules
+srv/web/ipfire/html/proxy.pac
+var/ipfire/ovpn
+var/log/cache
+var/state/dhcp/dhcpd.leases
+var/updatecache
diff --git a/config/rootfiles/oldcore/83/filelists/bash b/config/rootfiles/oldcore/83/filelists/bash
new file mode 120000
index 000000000..de970cb1d
--- /dev/null
+++ b/config/rootfiles/oldcore/83/filelists/bash
@@ -0,0 +1 @@
+../../../common/bash
\ No newline at end of file
diff --git a/config/rootfiles/oldcore/83/filelists/files b/config/rootfiles/oldcore/83/filelists/files
new file mode 100644
index 000000000..5c0b6fefb
--- /dev/null
+++ b/config/rootfiles/oldcore/83/filelists/files
@@ -0,0 +1,6 @@
+etc/system-release
+etc/issue
+srv/web/ipfire/cgi-bin/logs.cgi/ids.dat
+srv/web/ipfire/cgi-bin/proxy.cgi
+srv/web/ipfire/cgi-bin/urlfilter.cgi
+var/ipfire/general-functions.pl
diff --git a/config/rootfiles/oldcore/83/filelists/findutils b/config/rootfiles/oldcore/83/filelists/findutils
new file mode 120000
index 000000000..545280ac5
--- /dev/null
+++ b/config/rootfiles/oldcore/83/filelists/findutils
@@ -0,0 +1 @@
+../../../common/findutils
\ No newline at end of file
diff --git a/config/rootfiles/oldcore/83/filelists/squid b/config/rootfiles/oldcore/83/filelists/squid
new file mode 120000
index 000000000..2dc8372a0
--- /dev/null
+++ b/config/rootfiles/oldcore/83/filelists/squid
@@ -0,0 +1 @@
+../../../common/squid
\ No newline at end of file
diff --git a/config/rootfiles/oldcore/83/meta b/config/rootfiles/oldcore/83/meta
new file mode 100644
index 000000000..d547fa86f
--- /dev/null
+++ b/config/rootfiles/oldcore/83/meta
@@ -0,0 +1 @@
+DEPS=""
diff --git a/config/rootfiles/oldcore/83/update.sh b/config/rootfiles/oldcore/83/update.sh
new file mode 100644
index 000000000..c766b42a4
--- /dev/null
+++ b/config/rootfiles/oldcore/83/update.sh
@@ -0,0 +1,59 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 3 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2014 IPFire-Team . # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh +/usr/local/bin/backupctrl exclude >/dev/null 2>&1 + +# Remove old core updates from pakfire cache to save space... +core=83 +for (( i=1; i<=$core; i++ )) +do + rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire +done + +# Stop services + +# Remove old files + +# Extract files +extract_files + +# reload init because glibc/linker changed +telinit -u + +# Start services + +# Update Language cache +perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang" + +sync + +# This update need a reboot... +touch /var/run/need_reboot + +# Finish +/etc/init.d/fireinfo start +sendprofile + +# Don't report the exitcode last command +exit 0 diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi index e6ae5272a..badee6b3c 100644 --- a/html/cgi-bin/firewall.cgi +++ b/html/cgi-bin/firewall.cgi @@ -161,6 +161,22 @@ print<"; 
@@ -241,14 +257,14 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){ $fwdfwsettings{'oldrulenumber'}=$maxkey; foreach my $key (sort keys %configinputfw){ - if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}" - eq "$configinputfw{$key}[0],$configinputfw{$key}[2],$configinputfw{$key}[3],$configinputfw{$key}[4],$configinputfw{$key}[5],$configinputfw{$key}[6],$configinputfw{$key}[7],$configinputfw{$key}[8],$configinputfw{$key}[9],$configinputfw{$key}[10],$configinputfw{$key}[11],$configinputfw{$key}[12],$configinputfw{$key}[13],$configinputfw{$key}[14],$configinputfw{$key}[15],$configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19],$configinputfw{$key}[20],$configinputfw{$key}[21],$configinputfw{$key}[22],$configinputfw{$key}[23],$configinputfw{$key}[24],$configinputfw{$key}[25],$configinputfw{$key}[26],$configinputfw{$key}[27],$configinputfw{$key}[28],$configinputfw{$key}[29],$configinputfw{$key}[30],$configinputfw{$key}[31]"){ + if ( 
"$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'},$fwdfwsettings{'LIMIT_CON_CON'},$fwdfwsettings{'concon'},$fwdfwsettings{'RATE_LIMIT'},$fwdfwsettings{'ratecon'},$fwdfwsettings{'RATETIME'}" + eq "$configinputfw{$key}[0],$configinputfw{$key}[2],$configinputfw{$key}[3],$configinputfw{$key}[4],$configinputfw{$key}[5],$configinputfw{$key}[6],$configinputfw{$key}[7],$configinputfw{$key}[8],$configinputfw{$key}[9],$configinputfw{$key}[10],$configinputfw{$key}[11],$configinputfw{$key}[12],$configinputfw{$key}[13],$configinputfw{$key}[14],$configinputfw{$key}[15],$configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19],$configinputfw{$key}[20],$configinputfw{$key}[21],$configinputfw{$key}[22],$configinputfw{$key}[23],$configinputfw{$key}[24],$configinputfw{$key}[25],$configinputfw{$key}[26],$configinputfw{$key}[27],$configinputfw{$key}[28],$configinputfw{$key}[29],$configinputfw{$key}[30],$configinputfw{$key}[31],$configinputfw{$key}[32],$configinputfw{$key}[33],$configinputfw{$key}[34],$configinputfw{$key}[35],$configinputfw{$key}[36]"){ $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; } } } #check if we just close a rule - if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && 
$fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'}) { + if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'} ) { if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){ $errormessage=''; $fwdfwsettings{'nosave2'} = 'on'; 
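Review bot: The duplicate-rule test in this hunk compares two hand-written 35-field interpolated strings, and the same pair is repeated for `%configoutgoingfw` and `%configfwdfw` in the hunks at `@@ -266,8 +282,8 @@`, `@@ -285,14 +301,14 @@` and `@@ -312,8 +328,8 @@`, so adding the five limit fields meant editing every copy by hand. A single helper that takes the stored row and an index list and returns `join(",", @$row[@indices])`, with one matching list of `%fwdfwsettings` keys, would keep form fields and stored indices aligned in one place. A mismatch between the two lists makes the check silently never match, and that is hard to spot in lines of this length. The enclosing `saverule` block starts outside the hunk.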
@@ -266,8 +282,8 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') my $maxkey=&General::findhasharraykey(\%configoutgoingfw); if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){ foreach my $key (sort keys %configoutgoingfw){ - if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}" - eq "$configoutgoingfw{$key}[0],$configoutgoingfw{$key}[2],$configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],$configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6],$configoutgoingfw{$key}[7],$configoutgoingfw{$key}[8],$configoutgoingfw{$key}[9],$configoutgoingfw{$key}[10],$configoutgoingfw{$key}[11],$configoutgoingfw{$key}[12],$configoutgoingfw{$key}[13],$configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15],$configoutgoingfw{$key}[17],$configoutgoingfw{$key}[18],$configoutgoingfw{$key}[19],$configoutgoingfw{$key}[20],$configoutgoingfw{$key}[21],$configoutgoingfw{$key}[22],$configoutgoingfw{$key}[23],$configoutgoingfw{$key}[24],$configoutgoingfw{$key}[25],$configoutgoingfw{$key}[26],$configoutgoingfw{$key}[27],$configoutgoingfw{$key}[28],$configoutgoingfw{$key}[29],$configoutgoingfw{$key}[30],$configoutgoingfw{$key}[31]"){ + if ( 
"$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'},$fwdfwsettings{'LIMIT_CON_CON'},$fwdfwsettings{'concon'},$fwdfwsettings{'RATE_LIMIT'},$fwdfwsettings{'ratecon'},$fwdfwsettings{'RATETIME'}" + eq "$configoutgoingfw{$key}[0],$configoutgoingfw{$key}[2],$configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],$configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6],$configoutgoingfw{$key}[7],$configoutgoingfw{$key}[8],$configoutgoingfw{$key}[9],$configoutgoingfw{$key}[10],$configoutgoingfw{$key}[11],$configoutgoingfw{$key}[12],$configoutgoingfw{$key}[13],$configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15],$configoutgoingfw{$key}[17],$configoutgoingfw{$key}[18],$configoutgoingfw{$key}[19],$configoutgoingfw{$key}[20],$configoutgoingfw{$key}[21],$configoutgoingfw{$key}[22],$configoutgoingfw{$key}[23],$configoutgoingfw{$key}[24],$configoutgoingfw{$key}[25],$configoutgoingfw{$key}[26],$configoutgoingfw{$key}[27],$configoutgoingfw{$key}[28],$configoutgoingfw{$key}[29],$configoutgoingfw{$key}[30],$configoutgoingfw{$key}[31],$configoutgoingfw{$key}[32],$configoutgoingfw{$key}[33],$configoutgoingfw{$key}[34],$configoutgoingfw{$key}[35],$configoutgoingfw{$key}[36]"){ $errormessage.=$Lang::tr{'fwdfw err 
ruleexists'}; if($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){ $errormessage=$Lang::tr{'fwdfw err remark'}."
"; 
@@ -285,14 +301,14 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){ $fwdfwsettings{'oldrulenumber'}=$maxkey; foreach my $key (sort keys %configoutgoingfw){ - if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}" - eq "$configoutgoingfw{$key}[0],$configoutgoingfw{$key}[2],$configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],$configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6],$configoutgoingfw{$key}[7],$configoutgoingfw{$key}[8],$configoutgoingfw{$key}[9],$configoutgoingfw{$key}[10],$configoutgoingfw{$key}[11],$configoutgoingfw{$key}[12],$configoutgoingfw{$key}[13],$configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15],$configoutgoingfw{$key}[17],$configoutgoingfw{$key}[18],$configoutgoingfw{$key}[19],$configoutgoingfw{$key}[20],$configoutgoingfw{$key}[21],$configoutgoingfw{$key}[22],$configoutgoingfw{$key}[23],$configoutgoingfw{$key}[24],$configoutgoingfw{$key}[25],$configoutgoingfw{$key}[26],$configoutgoingfw{$key}[27],$configoutgoingfw{$key}[28],$configoutgoingfw{$key}[29],$configoutgoingfw{$key}[30],$configoutgoingfw{$key}[31]"){ + if ( 
"$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'},$fwdfwsettings{'LIMIT_CON_CON'},$fwdfwsettings{'concon'},$fwdfwsettings{'RATE_LIMIT'},$fwdfwsettings{'ratecon'},$fwdfwsettings{'RATETIME'}" + eq "$configoutgoingfw{$key}[0],$configoutgoingfw{$key}[2],$configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],$configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6],$configoutgoingfw{$key}[7],$configoutgoingfw{$key}[8],$configoutgoingfw{$key}[9],$configoutgoingfw{$key}[10],$configoutgoingfw{$key}[11],$configoutgoingfw{$key}[12],$configoutgoingfw{$key}[13],$configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15],$configoutgoingfw{$key}[17],$configoutgoingfw{$key}[18],$configoutgoingfw{$key}[19],$configoutgoingfw{$key}[20],$configoutgoingfw{$key}[21],$configoutgoingfw{$key}[22],$configoutgoingfw{$key}[23],$configoutgoingfw{$key}[24],$configoutgoingfw{$key}[25],$configoutgoingfw{$key}[26],$configoutgoingfw{$key}[27],$configoutgoingfw{$key}[28],$configoutgoingfw{$key}[29],$configoutgoingfw{$key}[30],$configoutgoingfw{$key}[31],$configoutgoingfw{$key}[32],$configoutgoingfw{$key}[33],$configoutgoingfw{$key}[34],$configoutgoingfw{$key}[35],$configoutgoingfw{$key}[36]"){ $errormessage.=$Lang::tr{'fwdfw err 
ruleexists'}; } } } #check if we just close a rule - if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'}) { + if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'} ) { if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){ $fwdfwsettings{'nosave2'} = 'on'; $errormessage=''; 
@@ -312,8 +328,8 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){ #check if we have an identical rule already foreach my $key (sort keys %configfwdfw){ - if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}" - eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27],$configfwdfw{$key}[28],$configfwdfw{$key}[29],$configfwdfw{$key}[30],$configfwdfw{$key}[31]"){ + if ( 
"$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'},$fwdfwsettings{'LIMIT_CON_CON'},$fwdfwsettings{'concon'},$fwdfwsettings{'RATE_LIMIT'},$fwdfwsettings{'ratecon'},$fwdfwsettings{'RATETIME'}" + eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27],$configfwdfw{$key}[28],$configfwdfw{$key}[29],$configfwdfw{$key}[30],$configfwdfw{$key}[31],$configfwdfw{$key}[32],$configfwdfw{$key}[33],$configfwdfw{$key}[34],$configfwdfw{$key}[35],$configfwdfw{$key}[36]"){ $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; if($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){ 
$errormessage=$Lang::tr{'fwdfw err remark'}."
"; 
@@ -331,19 +347,35 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){ $fwdfwsettings{'oldrulenumber'}=$maxkey; foreach my $key (sort keys %configfwdfw){ - if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}" - eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27],$configfwdfw{$key}[28],$configfwdfw{$key}[29],$configfwdfw{$key}[30],$configfwdfw{$key}[31]"){ + if ( 
"$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'},$fwdfwsettings{'LIMIT_CON_CON'},$fwdfwsettings{'concon'},$fwdfwsettings{'RATE_LIMIT'},$fwdfwsettings{'ratecon'},$fwdfwsettings{'RATETIME'}" + eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27],$configfwdfw{$key}[28],$configfwdfw{$key}[29],$configfwdfw{$key}[30],$configfwdfw{$key}[31],$configfwdfw{$key}[32],$configfwdfw{$key}[33],$configfwdfw{$key}[34],$configfwdfw{$key}[35],$configfwdfw{$key}[36]"){ $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; } } } #check if we just close a rule - if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq 
$fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'}) { + if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'}){ if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){ $fwdfwsettings{'nosave2'} = 'on'; $errormessage=''; } } + #check max concurrent connections per ip address + if ($fwdfwsettings{'LIMIT_CON_CON'} eq 'ON'){ + if (!($fwdfwsettings{'concon'} =~ /^(\d+)$/)) { + $errormessage.=$Lang::tr{'fwdfw err concon'}; + } + }else{ + $fwdfwsettings{'concon'}=''; + } + #check ratelimit value + if ($fwdfwsettings{'RATE_LIMIT'} eq 'ON'){ + if (!($fwdfwsettings{'ratecon'} =~ /^(\d+)$/)) { + $errormessage.=$Lang::tr{'fwdfw err ratecon'}; + } + }else{ + $fwdfwsettings{'ratecon'}=''; + } #increase counters if (!$errormessage){ if ($fwdfwsettings{'nosave2'} ne 'on'){ @@ -1064,7 +1096,6 @@ print< + + + + + $Lang::tr{'fwdfw limitconcon'} + + + + + + + + +
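Review bot: `RATETIME` is written to rule index 36 by the saverule hunks, yet the validation block added at the end of this hunk only tests `concon` and `ratecon`; unless it is checked elsewhere, a crafted request can store an arbitrary string there, so compare it against the fixed set of units the form offers before saving. The two numeric tests use `/^(\d+)$/`, where `$` also matches before a trailing newline; `/\A\d+\z/` rejects that, and it is worth deciding whether `0` should be accepted. The block also runs after the duplicate-rule comparisons above it, so a stale `concon` or `ratecon` submitted with its limit switched off is compared before being cleared to `''`; moving the block ahead of those comparisons would let the duplicate check see the normalised values. The enclosing `saverule` action branch starts and ends outside this hunk.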
 $Lang::tr{'fwdfw maxconcon'}:
+ + + + + + + $Lang::tr{'fwdfw ratelimit'} + + + + + + + + +
 $Lang::tr{'fwdfw numcon'}: / + +
+ +
END @@ -2044,6 +2127,7 @@ END +
END @@ -2180,6 +2264,11 @@ sub saverule $$hash{$key}[29] = $fwdfwsettings{$fwdfwsettings{'nat'}}; $$hash{$key}[30] = $fwdfwsettings{'dnatport'}; $$hash{$key}[31] = $fwdfwsettings{'nat'}; + $$hash{$key}[32] = $fwdfwsettings{'LIMIT_CON_CON'}; + $$hash{$key}[33] = $fwdfwsettings{'concon'}; + $$hash{$key}[34] = $fwdfwsettings{'RATE_LIMIT'}; + $$hash{$key}[35] = $fwdfwsettings{'ratecon'}; + $$hash{$key}[36] = $fwdfwsettings{'RATETIME'}; &General::writehasharray("$config", $hash); }else{ foreach my $key (sort {$a <=> $b} keys %$hash){ @@ -2216,6 +2305,11 @@ sub saverule $$hash{$key}[29] = $fwdfwsettings{$fwdfwsettings{'nat'}}; $$hash{$key}[30] = $fwdfwsettings{'dnatport'}; $$hash{$key}[31] = $fwdfwsettings{'nat'}; + $$hash{$key}[32] = $fwdfwsettings{'LIMIT_CON_CON'}; + $$hash{$key}[33] = $fwdfwsettings{'concon'}; + $$hash{$key}[34] = $fwdfwsettings{'RATE_LIMIT'}; + $$hash{$key}[35] = $fwdfwsettings{'ratecon'}; + $$hash{$key}[36] = $fwdfwsettings{'RATETIME'}; last; } } diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 1f96336a6..c3642f0f0 100644 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -291,42 +291,13 @@ if ($fwhostsettings{'ACTION'} eq 'savenet' ) $errormessage=$errormessage.$Lang::tr{'fwhost err sub32'}; } if($fwhostsettings{'error'} ne 'on'){ - #check if we use one of ipfire's networks (green,orange,blue) - if (($ownnet{'GREEN_NETADDRESS'} ne '' && $ownnet{'GREEN_NETADDRESS'} ne '0.0.0.0') && ($fwhostsettings{'IP'} eq $ownnet{'GREEN_NETADDRESS'} && $fwhostsettings{'SUBNET'} eq $ownnet{'GREEN_NETMASK'})) - { - $errormessage=$errormessage.$Lang::tr{'ccd err green'}."
"; - $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'}; - if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}='editnet';} - } - if (($ownnet{'ORANGE_NETADDRESS'} ne '' && $ownnet{'ORANGE_NETADDRESS'} ne '0.0.0.0') && ($fwhostsettings{'IP'} eq $ownnet{'ORANGE_NETADDRESS'} && $fwhostsettings{'SUBNET'} eq $ownnet{'ORANGE_NETMASK'})) - { - $errormessage=$errormessage.$Lang::tr{'ccd err orange'}."
"; - $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'}; - if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}='editnet';} - } - if (($ownnet{'BLUE_NETADDRESS'} ne '' && $ownnet{'BLUE_NETADDRESS'} ne '0.0.0.0') && ($fwhostsettings{'IP'} eq $ownnet{'BLUE_NETADDRESS'} && $fwhostsettings{'SUBNET'} eq $ownnet{'BLUE_NETMASK'})) - { - $errormessage=$errormessage.$Lang::tr{'ccd err blue'}."
"; - $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'}; - if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}='editnet';} - } - if (($ownnet{'RED_NETADDRESS'} ne '' && $ownnet{'RED_NETADDRESS'} ne '0.0.0.0') && ($fwhostsettings{'IP'} eq $ownnet{'RED_NETADDRESS'} && $fwhostsettings{'SUBNET'} eq $ownnet{'RED_NETMASK'})) - { - $errormessage=$errormessage.$Lang::tr{'ccd err red'}."
"; - $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'}; - if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}='editnet';} - } + my $fullip="$fwhostsettings{'IP'}/".&General::iporsubtocidr($fwhostsettings{'SUBNET'}); + $errormessage=$errormessage.&General::checksubnets($fwhostsettings{'HOSTNAME'},$fullip,""); } #only check plausi when no error till now if (!$errormessage){ &plausicheck("editnet"); } - #check if network ip is part of an already used one - if(&checksubnet(\%customnetwork)) - { - $errormessage=$errormessage.$Lang::tr{'fwhost err partofnet'}; - $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'}; - } if($fwhostsettings{'actualize'} eq 'on' && $fwhostsettings{'newnet'} ne 'on' && $errormessage) { $fwhostsettings{'actualize'} = ''; @@ -338,9 +309,8 @@ if ($fwhostsettings{'ACTION'} eq 'savenet' ) $customnetwork{$key}[3] = $fwhostsettings{'orgnetremark'}; &General::writehasharray("$confignet", \%customnetwork); undef %customnetwork; - } + } if (!$errormessage){ - &General::readhasharray("$confignet", \%customnetwork); if ($fwhostsettings{'ACTION'} eq 'updatenet'){ if ($fwhostsettings{'update'} == '0'){ @@ -392,7 +362,7 @@ if ($fwhostsettings{'ACTION'} eq 'savenet' ) &General::writehasharray("$fwconfiginp", \%fwinp); } } - } + } my $key = &General::findhasharraykey (\%customnetwork); foreach my $i (0 .. 3) { $customnetwork{$key}[$i] = "";} $fwhostsettings{'SUBNET'} = &General::iporsubtocidr($fwhostsettings{'SUBNET'}); @@ -416,7 +386,8 @@ if ($fwhostsettings{'ACTION'} eq 'savenet' ) } &addnet; &viewtablenet; - }else { + }else{ + $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'}; &addnet; &viewtablenet; } @@ -1644,7 +1615,10 @@ sub getcolor $tdcolor="$c"; return $tdcolor; } - + if ("$sip/$scidr" eq "0.0.0.0/0"){ + $tdcolor="$c"; + return $tdcolor; + } #Check if IP is part of OpenVPN N2N subnet foreach my $key (sort keys %ccdhost){ if ($ccdhost{$key}[3] eq 'net'){ 
@@ -2501,6 +2475,9 @@ sub getipforgroup &General::readhash("${General::swroot}/vpn/settings",\%hash); return $hash{'RW_NET'}; } + if ($name eq 'RED'){ + return "0.0.0.0/0"; + } } } sub decrease diff --git a/html/cgi-bin/logs.cgi/ids.dat b/html/cgi-bin/logs.cgi/ids.dat index 86207c2aa..44b3abdac 100644 --- a/html/cgi-bin/logs.cgi/ids.dat +++ b/html/cgi-bin/logs.cgi/ids.dat @@ -336,7 +336,7 @@ print <$sid\n"; } else { print $sid; diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi index 772852bb8..ba2455a96 100644 --- a/html/cgi-bin/proxy.cgi +++ b/html/cgi-bin/proxy.cgi 
@@ -3221,6 +3221,48 @@ END print FILE "\n"; } + open (PORTS,"$acl_ports_ssl"); + my @ssl_ports = ; + close PORTS; + + if (@ssl_ports) { + foreach (@ssl_ports) { + print FILE "acl SSL_ports port $_"; + } + } + + open (PORTS,"$acl_ports_safe"); + my @safe_ports = ; + close PORTS; + + if (@safe_ports) { + foreach (@safe_ports) { + print FILE "acl Safe_ports port $_"; + } + } + + print FILE < 0) { print FILE <; -close PORTS; - -if (@ssl_ports) { - foreach (@ssl_ports) { - print FILE "acl SSL_ports port $_"; - } -} - -open (PORTS,"$acl_ports_safe"); -my @safe_ports = ; -close PORTS; - -if (@safe_ports) { - foreach (@safe_ports) { - print FILE "acl Safe_ports port $_"; - } -} - - print FILE < 'Für NAT-Regeln muss ein einzelner Port oder Portbereich angegeben werden.', 'fwdfw dnat porterr2' => 'Externer Port (NAT) darf nur angegeben werden, wenn ein Ziel-Port definiert ist.', 'fwdfw edit' => 'Bearbeiten', +'fwdfw err concon' => 'Ungültige Zahl für gleichzeitige Verbindungen', 'fwdfw err nosrc' => 'Keine Quelle ausgewählt', 'fwdfw err nosrcip' => 'Bitte Quell-IP-Adresse angeben', 'fwdfw err notgt' => 'Kein Ziel ausgewählt', 'fwdfw err notgtip' => 'Bitte Ziel-IP-Adresse angeben', 'fwdfw err prot_port' => 'Bei dem gewählten Protokoll sind Quell- und Zielport nicht erlaubt', 'fwdfw err prot_port1' => 'Bei Nutzung von Quell- oder Zielport muss als Protokoll TCP oder UDP gewählt werden.', +'fwdfw err ratecon' => 'Ungültiger Wert bei Anzahl der Verbindungen für Ratenlimitierung', 'fwdfw err remark' => 'Die Bemerkung enthält ungültige Zeichen', 'fwdfw err ruleexists' => 'Eine identische Regel existiert bereits', 'fwdfw err same' => 'Quelle und Ziel sind identisch', 
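Review bot: The relocated `open (PORTS,"$acl_ports_ssl");` and `open (PORTS,"$acl_ports_safe");` are two-argument opens on a bareword handle with no failure check, so a missing or unreadable ACL file silently yields no `acl SSL_ports` / `acl Safe_ports` lines in the generated configuration. Since the code is being moved anyway, switch to the three-argument form with a lexical handle and handle the failure, e.g. `if (open(my $fh, '<', $acl_ports_ssl)) { @ssl_ports = <$fh>; close($fh); }` with the error reported in an `else` branch. Each line read is printed verbatim after `acl SSL_ports port`, so if those files can hold anything other than port entries (not visible here), check the lines before writing them. The surrounding config-writing routine begins and ends outside this hunk.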
@@ -1006,15 +1008,18 @@ 'fwdfw hint mac' => 'Sie nutzen MAC-Adressen in der Zielgruppe. Diese werden bei der Regelerstellung übersprungen.', 'fwdfw iface' => 'Interface', 'fwdfw ipsec network' => 'IPsec-Netzwerke:', +'fwdfw limitconcon' => 'Beschränke gleichzeitige Verbindungen je IP-Adresse', 'fwdfw log' => 'Log', 'fwdfw log rule' => 'Logging aktivieren', 'fwdfw man port' => 'Port(s):', 'fwdfw many' => 'Diverse', +'fwdfw maxconcon' => 'Max. gleichzeitige Verbindungen', 'fwdfw menu' => 'Firewall', 'fwdfw movedown' => 'Herunter', 'fwdfw moveup' => 'Herauf', 'fwdfw natport used' => 'Der eingegebene Port wird bereits von einer anderen DNAT-Regel benutzt.', 'fwdfw newrule' => 'Neue Regel erstellen', +'fwdfw numcon' => 'Anzahl der Verbindungen', 'fwdfw p2p txt' => 'P2P-Netzwerke erlauben/verbieten.', 'fwdfw pol allow' => 'Zugelassen', 'fwdfw pol block' => 'Blockiert', @@ -1023,6 +1028,7 @@ 'fwdfw pol title' => 'Standardverhalten der Firewall', 'fwdfw prot41' => 'IPv6 Encapsulation (Protokoll 41)', 'fwdfw prot41 short' => 'IPv6 Encap', +'fwdfw ratelimit' => 'Ratenlimitierung für neue Verbindungen', 'fwdfw red' => 'ROT', 'fwdfw reread' => 'Änderungen übernehmen', 'fwdfw rule action' => 'Regelaktion:', @@ -1111,7 +1117,7 @@ 'fwhost err remark' => 'Ungültige Bemerkung. Erlaubte Zeichen: Klein- und Großbuchstaben, Bindestrich, Unterstrich, Runde Klammern, Semikolon, Punkt.', 'fwhost err srv exists' => 'Ein Service mit diesem Namen existiert bereits', 'fwhost err srvexist' => 'Dieser Dienst ist bereits in der Gruppe', -'fwhost err sub32' => 'Bitte einen einzelnen Host hinzufügen, keine Netzwerke', +'fwhost err sub32' => 'Bitte Netzwerke hinzufügen, keinen einzelnen Host', 'fwhost green' => 'Grün', 'fwhost hint' => 'Hinweis', 'fwhost hosts' => 'Firewall-Hosts', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index b537868d2..198640934 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl 
@@ -1009,12 +1009,14 @@ 'fwdfw dnat porterr' => 'You have to select a single port or portrange (tcp/udp) for NAT', 'fwdfw dnat porterr2' => 'Cannot use external port (NAT) when no destination port is defined.', 'fwdfw edit' => 'Edit', +'fwdfw err concon' => 'Invalid number for concurrent connections', 'fwdfw err nosrc' => 'No source selected.', 'fwdfw err nosrcip' => 'Please provide a source IP address.', 'fwdfw err notgt' => 'No destination selected.', 'fwdfw err notgtip' => 'Please provide a destination IP address.', 'fwdfw err prot_port' => 'Source- or targetport are not allowed with selected protocol', 'fwdfw err prot_port1' => 'When using Source- or targetport you have to select TCP or UDP for protocol', +'fwdfw err ratecon' => 'Invalid value for connections in Rate-limit', 'fwdfw err remark' => 'Invalid characters in remark.', 'fwdfw err ruleexists' => 'This rule already exists.', 'fwdfw err same' => 'Source and destination are identical.', @@ -1033,15 +1035,18 @@ 'fwdfw hint mac' => 'The destination group contains MAC addresses, which will be skipped during rule creation.', 'fwdfw iface' => 'Interface', 'fwdfw ipsec network' => 'IPsec networks:', +'fwdfw limitconcon' => 'Limit concurrent connections per IP address', 'fwdfw log' => 'Log', 'fwdfw log rule' => 'Log rule', 'fwdfw man port' => 'Port(s):', 'fwdfw many' => 'Many', +'fwdfw maxconcon' => 'Max. concurrent connections', 'fwdfw menu' => 'Firewall', 'fwdfw movedown' => 'Move down', 'fwdfw moveup' => 'Move up', 'fwdfw natport used' => 'The given port for NAPT is already in use by an other DNAT rule.', 'fwdfw newrule' => 'New rule', +'fwdfw numcon' => 'Number of connections', 'fwdfw p2p txt' => 'Grant/deny access to P2P networks.', 'fwdfw pol allow' => 'Allowed', 'fwdfw pol block' => 'Blocked', 
@@ -1050,6 +1055,7 @@ 'fwdfw pol title' => 'Default firewall behaviour', 'fwdfw prot41' => 'IPv6 Encapsulation (Protocol 41)', 'fwdfw prot41 short' => 'IPv6 Encap', +'fwdfw ratelimit' => 'Rate-limit new connections', 'fwdfw red' => 'RED', 'fwdfw reread' => 'Apply changes', 'fwdfw rule action' => 'Rule action:', @@ -1138,7 +1144,7 @@ 'fwhost err remark' => 'Invalid remark. Allowed characters: Upper- and lowercase letters, digits, space, dash, braces, semicolon, pipe and dot.', 'fwhost err srv exists' => 'A service with the same name already exists', 'fwhost err srvexist' => 'This service already exists in the group', -'fwhost err sub32' => 'Please add a single host, not a network.', +'fwhost err sub32' => 'Please add a network, not a single host', 'fwhost green' => 'Green', 'fwhost hint' => 'Note', 'fwhost hosts' => 'Firewall Hosts', @@ -2108,8 +2114,8 @@ 'swap usage per' => 'Swap usage per', 'system' => 'System', 'system graphs' => 'System Graphs', -'system has hwrng' => 'This system has got a hardware random number generator.', -'system has rdrand' => 'This system has got support for Intel(R) RDRAND.', +'system has hwrng' => 'This system has a hardware random number generator.', +'system has rdrand' => 'This system has support for Intel(R) RDRAND.', 'system information' => 'System Information', 'system log viewer' => 'System Log Viewer', 'system logs' => 'System Logs', diff --git a/lfs/bash b/lfs/bash index ae5a2837a..79dce5288 100644 --- a/lfs/bash +++ b/lfs/bash @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007 Michael Tremer & Christian Schmidt # +# Copyright (C) 2007-2014 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # 
@@ -87,7 +87,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) sed -e "s/filename, RTLD_LAZY/filename, RTLD_NOW/" \ -i $(DIR_APP)/builtins/enable.def - for i in $$(seq 1 26); do \ + for i in $$(seq 1 27); do \ cd $(DIR_APP) && patch -Np0 < $(DIR_SRC)/src/patches/bash/bash43-$$(printf "%03d" "$${i}") || exit 1; \ done diff --git a/lfs/dnsmasq b/lfs/dnsmasq index 58b001755..60dabf4a5 100644 --- a/lfs/dnsmasq +++ b/lfs/dnsmasq @@ -24,7 +24,7 @@ include Config -VER = 2.71 +VER = 2.72 THISAPP = dnsmasq-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -42,7 +42,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 9e2e4d59c75e71ee3ca817ff0f9be69e +$(DL_FILE)_MD5 = 0256e0a71e27c8d8a5c89a0d18f3cfe2 install : $(TARGET) @@ -72,9 +72,7 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-2.71-use-nettle-with-minigmp.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-2.71-support-nettle-3.0.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-2.70-Add-support-to-read-ISC-DHCP-lease-file.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-2.72rc2-Add-support-to-read-ISC-DHCP-lease-file.patch cd $(DIR_APP) && sed -i src/config.h \ -e 's|/\* #define HAVE_IDN \*/|#define HAVE_IDN|g' \ -e 's|/\* #define HAVE_DNSSEC \*/|#define HAVE_DNSSEC|g' \ diff --git a/lfs/glibc b/lfs/glibc index f0d8aba64..32c494f24 100644 --- a/lfs/glibc +++ b/lfs/glibc 
@@ -268,6 +268,12 @@ endif cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/glibc/glibc-rh966775.patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/glibc/glibc-rh966778.patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/glibc/glibc-rh970090.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/glibc/glibc-rh1008310.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/glibc/glibc-rh1022022.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/glibc/glibc-rh1091162.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/glibc/glibc-rh1098050.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/glibc/glibc-rh1133809-1.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/glibc/glibc-rh1133809-2.patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/glibc-resolv-stack_chk_fail.patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/glibc-remove-ctors-dtors-output-sections.patch diff --git a/lfs/squid b/lfs/squid index e050b17c5..921feebf2 100644 --- a/lfs/squid +++ b/lfs/squid @@ -24,7 +24,7 @@ include Config -VER = 3.4.5 +VER = 3.4.7 THISAPP = squid-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = a831efb36cfbaa419f8dc7a43cba72c9 +$(DL_FILE)_MD5 = 74677634121649ccb87a5655fcd4298d install : $(TARGET) diff --git a/lfs/squid-accounting b/lfs/squid-accounting index 6f0fdc3b2..0dca63f75 100644 --- a/lfs/squid-accounting +++ b/lfs/squid-accounting @@ -15,7 +15,7 @@ THISAPP = squid-accounting-$(VER) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = squid-accounting -PAK_VER = 2 +PAK_VER = 3 DEPS = "perl-DBI perl-DBD-SQLite perl-File-ReadBackwards perl-PDF-API2 sendEmail" diff --git a/make.sh b/make.sh index 8a2ecc6e1..a9c2da16c 100755 --- a/make.sh +++ b/make.sh 
@@ -25,8 +25,8 @@ NAME="IPFire" # Software name SNAME="ipfire" # Short name VERSION="2.15" # Version number -CORE="82" # Core Level (Filename) -PAKFIRE_CORE="82" # Core Level (PAKFIRE) +CORE="84" # Core Level (Filename) +PAKFIRE_CORE="83" # Core Level (PAKFIRE) GIT_BRANCH=`git rev-parse --abbrev-ref HEAD` # Git Branch SLOGAN="www.ipfire.org" # Software slogan CONFIG_ROOT=/var/ipfire # Configuration rootdir diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index c7f8b679d..66ca432a2 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -402,21 +402,11 @@ case "$1" in boot_mesg "Setting up firewall" iptables_init evaluate_retval - - # run local firewall configuration, if present - if [ -x /etc/sysconfig/firewall.local ]; then - /etc/sysconfig/firewall.local start - fi ;; reload|up) boot_mesg "Reloading firewall" iptables_red_up evaluate_retval - - # run local firewall configuration, if present - if [ -x /etc/sysconfig/firewall.local ]; then - /etc/sysconfig/firewall.local reload - fi ;; down) boot_mesg "Disabling firewall access to RED" @@ -424,10 +414,6 @@ case "$1" in evaluate_retval ;; restart) - # run local firewall configuration, if present - if [ -x /etc/sysconfig/firewall.local ]; then - /etc/sysconfig/firewall.local stop - fi $0 start ;; *) diff --git a/src/initscripts/init.d/network b/src/initscripts/init.d/network index 5aecd1557..9182e9801 100644 --- a/src/initscripts/init.d/network +++ b/src/initscripts/init.d/network @@ -18,7 +18,6 @@ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) init_networking() { /etc/rc.d/init.d/dnsmasq start - /etc/rc.d/init.d/static-routes start } DO="${1}" @@ -26,7 +25,7 @@ shift if [ -n "${1}" ]; then ALL=0 - for i in green red blue orange; do + for i in green red blue orange; do eval "${i}=0" done else 
@@ -68,7 +67,9 @@ case "${DO}" in rm -f /var/ipfire/red/{active,device,dial-on-demand,dns1,dns2,local-ipaddress,remote-ipaddress,resolv.conf} [ "$AUTOCONNECT" == "off" ] || /etc/rc.d/init.d/networking/red start fi - fi + fi + + /etc/rc.d/init.d/static-routes start ;; stop) diff --git a/src/paks/squid-accounting/install.sh b/src/paks/squid-accounting/install.sh index f20b85f46..835055ad5 100644 --- a/src/paks/squid-accounting/install.sh +++ b/src/paks/squid-accounting/install.sh @@ -31,5 +31,8 @@ if [ ! -f /var/ipfire/accounting/acct.db ]; then chmod 644 /var/ipfire/accounting/acct.db chown nobody.nobody /var/ipfire/accounting/acct.db fi +#Set right permissions of directory /srv/web/ipfire/html/accounting +chown -R nobody.nobody /srv/web/ipfire/html/accounting +chmod 755 -R /srv/web/ipfire/html/accounting rm -f /var/ipfire/accounting/dbinstall.pl /usr/local/bin/update-lang-cache diff --git a/src/patches/bash/bash32-052 b/src/patches/bash/bash32-052 new file mode 100644 index 000000000..78e7d9270 --- /dev/null +++ b/src/patches/bash/bash32-052 
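Review bot: `chmod 755 -R /srv/web/ipfire/html/accounting` in the install.sh hunk sets the execute bit on every regular file in that tree, and the recursive `chown` hands the whole web-served directory to `nobody`; if that is the account the web server or its CGIs run as (not shown here), anything running under it can replace the served files. `chmod -R u=rwX,go=rX /srv/web/ipfire/html/accounting` keeps directories traversable without marking plain files executable. `chown -R nobody:nobody` uses the colon separator rather than the deprecated dot form. If only part of the tree needs to be writable at runtime, limiting the ownership change to that part would be tighter.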
@@ -0,0 +1,104 @@ + BASH PATCH REPORT + ================= + +Bash-Release: 3.2 +Patch-ID: bash32-052 + +Bug-Reported-by: Stephane Chazelas +Bug-Reference-ID: +Bug-Reference-URL: + +Bug-Description: + +Under certain circumstances, bash will execute user code while processing the +environment for exported function definitions. + +Patch (apply with `patch -p0'): + +*** ../bash-3.2.51/builtins/common.h 2006-03-06 09:38:44.000000000 -0500 +--- builtins/common.h 2014-09-16 19:08:02.000000000 -0400 +*************** +*** 34,37 **** +--- 34,39 ---- + + /* Flags for describe_command, shared between type.def and command.def */ ++ #define SEVAL_FUNCDEF 0x080 /* only allow function definitions */ ++ #define SEVAL_ONECMD 0x100 /* only allow a single command */ + #define CDESC_ALL 0x001 /* type -a */ + #define CDESC_SHORTDESC 0x002 /* command -V */ +*** ../bash-3.2.51/builtins/evalstring.c 2008-11-15 17:47:04.000000000 -0500 +--- builtins/evalstring.c 2014-09-16 19:08:02.000000000 -0400 +*************** +*** 235,238 **** +--- 235,246 ---- + struct fd_bitmap *bitmap; + ++ if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def) ++ { ++ internal_warning ("%s: ignoring function definition attempt", from_file); ++ should_jump_to_top_level = 0; ++ last_result = last_command_exit_value = EX_BADUSAGE; ++ break; ++ } ++ + bitmap = new_fd_bitmap (FD_BITMAP_SIZE); + begin_unwind_frame ("pe_dispose"); +*************** +*** 292,295 **** +--- 300,306 ---- + dispose_fd_bitmap (bitmap); + discard_unwind_frame ("pe_dispose"); ++ ++ if (flags & SEVAL_ONECMD) ++ break; + } + } +*** ../bash-3.2.51/variables.c 2008-11-15 17:15:06.000000000 -0500 +--- variables.c 2014-09-16 19:10:39.000000000 -0400 +*************** +*** 319,328 **** + strcpy (temp_string + char_index + 1, string); + +! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST); +! +! /* Ancient backwards compatibility. Old versions of bash exported +! functions like name()=() {...} */ +! 
if (name[char_index - 1] == ')' && name[char_index - 2] == '(') +! name[char_index - 2] = '\0'; + + if (temp_var = find_function (name)) +--- 319,326 ---- + strcpy (temp_string + char_index + 1, string); + +! /* Don't import function names that are invalid identifiers from the +! environment. */ +! if (legal_identifier (name)) +! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); + + if (temp_var = find_function (name)) +*************** +*** 333,340 **** + else + report_error (_("error importing function definition for `%s'"), name); +- +- /* ( */ +- if (name[char_index - 1] == ')' && name[char_index - 2] == '\0') +- name[char_index - 2] = '('; /* ) */ + } + #if defined (ARRAY_VARS) +--- 331,334 ---- +*** ../bash-3.2/patchlevel.h Thu Apr 13 08:31:04 2006 +--- patchlevel.h Mon Oct 16 14:22:54 2006 +*************** +*** 26,30 **** + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 51 + + #endif /* _PATCHLEVEL_H_ */ +--- 26,30 ---- + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 52 + + #endif /* _PATCHLEVEL_H_ */ diff --git a/src/patches/bash/bash32-053 b/src/patches/bash/bash32-053 new file mode 100644 index 000000000..e7efce71a --- /dev/null +++ b/src/patches/bash/bash32-053 
@@ -0,0 +1,54 @@ + BASH PATCH REPORT + ================= + +Bash-Release: 3.2 +Patch-ID: bash32-053 + +Bug-Reported-by: Tavis Ormandy +Bug-Reference-ID: +Bug-Reference-URL: http://twitter.com/taviso/statuses/514887394294652929 + +Bug-Description: + +Under certain circumstances, bash can incorrectly save a lookahead character and +return it on a subsequent call, even when reading a new line. + +Patch: + +*** ../bash-3.2.52/parse.y 2008-04-29 21:24:55.000000000 -0400 +--- parse.y 2014-09-25 16:18:41.000000000 -0400 +*************** +*** 2504,2507 **** +--- 2504,2509 ---- + word_desc_to_read = (WORD_DESC *)NULL; + ++ eol_ungetc_lookahead = 0; ++ + last_read_token = '\n'; + token_to_read = '\n'; +*** ../bash-3.2.52/y.tab.c 2006-09-25 08:15:16.000000000 -0400 +--- y.tab.c 2014-09-25 20:28:17.000000000 -0400 +*************** +*** 3833,3836 **** +--- 3833,3838 ---- + word_desc_to_read = (WORD_DESC *)NULL; + ++ eol_ungetc_lookahead = 0; ++ + last_read_token = '\n'; + token_to_read = '\n'; +*** ../bash-3.2/patchlevel.h Thu Apr 13 08:31:04 2006 +--- patchlevel.h Mon Oct 16 14:22:54 2006 +*************** +*** 26,30 **** + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 52 + + #endif /* _PATCHLEVEL_H_ */ +--- 26,30 ---- + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 53 + + #endif /* _PATCHLEVEL_H_ */ diff --git a/src/patches/bash/bash43-027 b/src/patches/bash/bash43-027 new file mode 100644 index 000000000..ef48bd82d --- /dev/null +++ b/src/patches/bash/bash43-027 
@@ -0,0 +1,221 @@ + BASH PATCH REPORT + ================= + +Bash-Release: 4.3 +Patch-ID: bash43-027 + +Bug-Reported-by: Florian Weimer +Bug-Reference-ID: +Bug-Reference-URL: + +Bug-Description: + +This patch changes the encoding bash uses for exported functions to avoid +clashes with shell variables and to avoid depending only on an environment +variable's contents to determine whether or not to interpret it as a shell +function. + +Patch (apply with `patch -p0'): + +*** ../bash-4.3.26/variables.c 2014-09-25 23:02:18.000000000 -0400 +--- variables.c 2014-09-27 20:52:04.000000000 -0400 +*************** +*** 84,87 **** +--- 84,92 ---- + #define ifsname(s) ((s)[0] == 'I' && (s)[1] == 'F' && (s)[2] == 'S' && (s)[3] == '\0') + ++ #define BASHFUNC_PREFIX "BASH_FUNC_" ++ #define BASHFUNC_PREFLEN 10 /* == strlen(BASHFUNC_PREFIX */ ++ #define BASHFUNC_SUFFIX "%%" ++ #define BASHFUNC_SUFFLEN 2 /* == strlen(BASHFUNC_SUFFIX) */ ++ + extern char **environ; + +*************** +*** 280,284 **** + static void dispose_temporary_env __P((sh_free_func_t *)); + +! static inline char *mk_env_string __P((const char *, const char *)); + static char **make_env_array_from_var_list __P((SHELL_VAR **)); + static char **make_var_export_array __P((VAR_CONTEXT *)); +--- 285,289 ---- + static void dispose_temporary_env __P((sh_free_func_t *)); + +! static inline char *mk_env_string __P((const char *, const char *, int)); + static char **make_env_array_from_var_list __P((SHELL_VAR **)); + static char **make_var_export_array __P((VAR_CONTEXT *)); +*************** +*** 350,369 **** + /* If exported function, define it now. Don't import functions from + the environment in privileged mode. */ +! if (privmode == 0 && read_but_dont_execute == 0 && STREQN ("() {", string, 4)) + { + string_length = strlen (string); +! temp_string = (char *)xmalloc (3 + string_length + char_index); + +! strcpy (temp_string, name); +! temp_string[char_index] = ' '; +! 
strcpy (temp_string + char_index + 1, string); + + /* Don't import function names that are invalid identifiers from the + environment, though we still allow them to be defined as shell + variables. */ +! if (legal_identifier (name)) +! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); + +! if (temp_var = find_function (name)) + { + VSETATTR (temp_var, (att_exported|att_imported)); +--- 355,385 ---- + /* If exported function, define it now. Don't import functions from + the environment in privileged mode. */ +! if (privmode == 0 && read_but_dont_execute == 0 && +! STREQN (BASHFUNC_PREFIX, name, BASHFUNC_PREFLEN) && +! STREQ (BASHFUNC_SUFFIX, name + char_index - BASHFUNC_SUFFLEN) && +! STREQN ("() {", string, 4)) + { ++ size_t namelen; ++ char *tname; /* desired imported function name */ ++ ++ namelen = char_index - BASHFUNC_PREFLEN - BASHFUNC_SUFFLEN; ++ ++ tname = name + BASHFUNC_PREFLEN; /* start of func name */ ++ tname[namelen] = '\0'; /* now tname == func name */ ++ + string_length = strlen (string); +! temp_string = (char *)xmalloc (namelen + string_length + 2); + +! memcpy (temp_string, tname, namelen); +! temp_string[namelen] = ' '; +! memcpy (temp_string + namelen + 1, string, string_length + 1); + + /* Don't import function names that are invalid identifiers from the + environment, though we still allow them to be defined as shell + variables. */ +! if (absolute_program (tname) == 0 && (posixly_correct == 0 || legal_identifier (tname))) +! parse_and_execute (temp_string, tname, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); + +! if (temp_var = find_function (tname)) + { + VSETATTR (temp_var, (att_exported|att_imported)); +*************** +*** 378,383 **** + } + last_command_exit_value = 1; +! report_error (_("error importing function definition for `%s'"), name); + } + } + #if defined (ARRAY_VARS) +--- 394,402 ---- + } + last_command_exit_value = 1; +! 
report_error (_("error importing function definition for `%s'"), tname); + } ++ ++ /* Restore original suffix */ ++ tname[namelen] = BASHFUNC_SUFFIX[0]; + } + #if defined (ARRAY_VARS) +*************** +*** 2955,2959 **** + + INVALIDATE_EXPORTSTR (var); +! var->exportstr = mk_env_string (name, value); + + array_needs_making = 1; +--- 2974,2978 ---- + + INVALIDATE_EXPORTSTR (var); +! var->exportstr = mk_env_string (name, value, 0); + + array_needs_making = 1; +*************** +*** 3853,3871 **** + + static inline char * +! mk_env_string (name, value) + const char *name, *value; + { +! int name_len, value_len; +! char *p; + + name_len = strlen (name); + value_len = STRLEN (value); +! p = (char *)xmalloc (2 + name_len + value_len); +! strcpy (p, name); +! p[name_len] = '='; + if (value && *value) +! strcpy (p + name_len + 1, value); + else +! p[name_len + 1] = '\0'; + return (p); + } +--- 3872,3911 ---- + + static inline char * +! mk_env_string (name, value, isfunc) + const char *name, *value; ++ int isfunc; + { +! size_t name_len, value_len; +! char *p, *q; + + name_len = strlen (name); + value_len = STRLEN (value); +! +! /* If we are exporting a shell function, construct the encoded function +! name. */ +! if (isfunc && value) +! { +! p = (char *)xmalloc (BASHFUNC_PREFLEN + name_len + BASHFUNC_SUFFLEN + value_len + 2); +! q = p; +! memcpy (q, BASHFUNC_PREFIX, BASHFUNC_PREFLEN); +! q += BASHFUNC_PREFLEN; +! memcpy (q, name, name_len); +! q += name_len; +! memcpy (q, BASHFUNC_SUFFIX, BASHFUNC_SUFFLEN); +! q += BASHFUNC_SUFFLEN; +! } +! else +! { +! p = (char *)xmalloc (2 + name_len + value_len); +! memcpy (p, name, name_len); +! q = p + name_len; +! } +! +! q[0] = '='; + if (value && *value) +! memcpy (q + 1, value, value_len + 1); + else +! q[1] = '\0'; +! + return (p); + } +*************** +*** 3953,3957 **** + using the cached exportstr... */ + list[list_index] = USE_EXPORTSTR ? savestring (value) +! 
: mk_env_string (var->name, value); + + if (USE_EXPORTSTR == 0) +--- 3993,3997 ---- + using the cached exportstr... */ + list[list_index] = USE_EXPORTSTR ? savestring (value) +! : mk_env_string (var->name, value, function_p (var)); + + if (USE_EXPORTSTR == 0) +*** ../bash-4.3/patchlevel.h 2012-12-29 10:47:57.000000000 -0500 +--- patchlevel.h 2014-03-20 20:01:28.000000000 -0400 +*************** +*** 26,30 **** + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 26 + + #endif /* _PATCHLEVEL_H_ */ +--- 26,30 ---- + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 27 + + #endif /* _PATCHLEVEL_H_ */ diff --git a/src/patches/dnsmasq-2.71-support-nettle-3.0.patch b/src/patches/dnsmasq-2.71-support-nettle-3.0.patch deleted file mode 100644 index 593a7cd8d..000000000 --- a/src/patches/dnsmasq-2.71-support-nettle-3.0.patch +++ /dev/null 
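Review bot: The comment kept above the import test in the variables.c part of bash43-027 (new lines 355-385) no longer matches the condition under it: the test changes from `legal_identifier (name)` to `absolute_program (tname) == 0 && (posixly_correct == 0 || legal_identifier (tname))`, so outside posix mode names that are not legal identifiers are imported again. Since this gate decides which environment entries reach `parse_and_execute`, the comment should state the rule that is actually enforced, e.g. `/* Don't import functions whose names look like pathnames; in posix mode the name must also be a legal identifier. */` (what `absolute_program` rejects is inferred from its name, its body is not in the hunk). The `BASHFUNC_PREFLEN` comment is also missing a parenthesis and should read `/* == strlen(BASHFUNC_PREFIX) */`. The enclosing function starts and ends outside the inner hunk.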
@@ -1,65 +0,0 @@ -From cdb755c5f16a6768c3e8b1f345fe15fc9244228d Mon Sep 17 00:00:00 2001 -From: Simon Kelley -Date: Wed, 18 Jun 2014 20:52:53 +0100 -Subject: [PATCH] Fix FTBFS with Nettle-3.0. - ---- - CHANGELOG | 3 +++ - src/dnssec.c | 18 ++++++++++++------ - 2 files changed, 15 insertions(+), 6 deletions(-) - -diff --git a/src/dnssec.c b/src/dnssec.c -index 2ffb75d..69bfc29 100644 ---- a/src/dnssec.c -+++ b/src/dnssec.c -@@ -28,6 +28,12 @@ - #include - #include - -+/* Nettle-3.0 moved to a new API for DSA. We use a name that's defined in the new API -+ to detect Nettle-3, and invoke the backwards compatibility mode. */ -+#ifdef dsa_params_init -+#include -+#endif -+ - - #define SERIAL_UNDEF -100 - #define SERIAL_EQ 0 -@@ -121,8 +127,8 @@ static int hash_init(const struct nettle_hash *hash, void **ctxp, unsigned char - return 1; - } - --static int rsa_verify(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len, -- unsigned char *digest, int algo) -+static int dnsmasq_rsa_verify(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len, -+ unsigned char *digest, int algo) - { - unsigned char *p; - size_t exp_len; -@@ -173,8 +179,8 @@ static int rsa_verify(struct blockdata *key_data, unsigned int key_len, unsigned - return 0; - } - --static int dsa_verify(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len, -- unsigned char *digest, int algo) -+static int dnsmasq_dsa_verify(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len, -+ unsigned char *digest, int algo) - { - unsigned char *p; - unsigned int t; -@@ -293,10 +299,10 @@ static int verify(struct blockdata *key_data, unsigned int key_len, unsigned cha - switch (algo) - { - case 1: case 5: case 7: case 8: case 10: -- return rsa_verify(key_data, key_len, sig, sig_len, digest, algo); -+ return dnsmasq_rsa_verify(key_data, key_len, sig, sig_len, digest, algo); - - case 3: case 6: -- return 
dsa_verify(key_data, key_len, sig, sig_len, digest, algo); -+ return dnsmasq_dsa_verify(key_data, key_len, sig, sig_len, digest, algo); - - #ifndef NO_NETTLE_ECC - case 13: case 14: --- -1.7.10.4 - diff --git a/src/patches/dnsmasq-2.71-use-nettle-with-minigmp.patch b/src/patches/dnsmasq-2.71-use-nettle-with-minigmp.patch deleted file mode 100644 index 374c9eca1..000000000 --- a/src/patches/dnsmasq-2.71-use-nettle-with-minigmp.patch +++ /dev/null 
@@ -1,88 +0,0 @@ -From 063efb330a3f341c2548e2cf1f67f83e49cd6395 Mon Sep 17 00:00:00 2001 -From: Simon Kelley -Date: Tue, 17 Jun 2014 19:49:31 +0100 -Subject: [PATCH] Build config: add -DNO_GMP for use with nettle/mini-gmp - ---- - Makefile | 2 +- - bld/pkg-wrapper | 9 +++++++-- - src/config.h | 7 +++++++ - src/dnssec.c | 3 ++- - 4 files changed, 17 insertions(+), 4 deletions(-) - -diff --git a/Makefile b/Makefile -index c58b50b..17eeb27 100644 ---- a/Makefile -+++ b/Makefile -@@ -61,7 +61,7 @@ lua_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CON - lua_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --libs lua5.1` - nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --cflags nettle hogweed` - nettle_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --libs nettle hogweed` --gmp_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --copy -lgmp` -+gmp_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC NO_GMP --copy -lgmp` - sunos_libs = `if uname | grep SunOS >/dev/null 2>&1; then echo -lsocket -lnsl -lposix4; fi` - version = -DVERSION='\"`$(top)/bld/get-version $(top)`\"' - -diff --git a/bld/pkg-wrapper b/bld/pkg-wrapper -index 9f9332d..0ddb678 100755 ---- a/bld/pkg-wrapper -+++ b/bld/pkg-wrapper -@@ -11,9 +11,14 @@ in=`cat` - - if grep "^\#[[:space:]]*define[[:space:]]*$search" config.h >/dev/null 2>&1 || \ - echo $in | grep $search >/dev/null 2>&1; then -- -+# Nasty, nasty, in --copy, arg 2 is another config to search for, use with NO_GMP - if [ $op = "--copy" ]; then -- pkg="$*" -+ if grep "^\#[[:space:]]*define[[:space:]]*$pkg" config.h >/dev/null 2>&1 || \ -+ echo $in | grep $pkg >/dev/null 2>&1; then -+ pkg="" -+ else -+ pkg="$*" -+ fi - elif grep "^\#[[:space:]]*define[[:space:]]*${search}_STATIC" config.h >/dev/null 2>&1 || \ - echo $in | grep ${search}_STATIC >/dev/null 2>&1; then - pkg=`$pkg --static $op $*` -diff --git 
a/src/config.h b/src/config.h -index 2155544..ee6d218 100644 ---- a/src/config.h -+++ b/src/config.h -@@ -105,6 +105,8 @@ HAVE_AUTH - define this to include the facility to act as an authoritative DNS - server for one or more zones. - -+HAVE_DNSSEC -+ include DNSSEC validator. - - NO_IPV6 - NO_TFTP -@@ -118,6 +120,11 @@ NO_AUTH - which are enabled by default in the distributed source tree. Building dnsmasq - with something like "make COPTS=-DNO_SCRIPT" will do the trick. - -+NO_NETTLE_ECC -+ Don't include the ECDSA cypher in DNSSEC validation. Needed for older Nettle versions. -+NO_GMP -+ Don't use and link against libgmp, Useful if nettle is built with --enable-mini-gmp. -+ - LEASEFILE - CONFFILE - RESOLVFILE -diff --git a/src/dnssec.c b/src/dnssec.c -index 44d626b..2ffb75d 100644 ---- a/src/dnssec.c -+++ b/src/dnssec.c -@@ -26,7 +26,8 @@ - # include - #endif - #include --#include -+#include -+ - - #define SERIAL_UNDEF -100 - #define SERIAL_EQ 0 --- -1.7.10.4 - diff --git a/src/patches/dnsmasq-2.70-Add-support-to-read-ISC-DHCP-lease-file.patch b/src/patches/dnsmasq-2.72rc2-Add-support-to-read-ISC-DHCP-lease-file.patch similarity index 94% rename from src/patches/dnsmasq-2.70-Add-support-to-read-ISC-DHCP-lease-file.patch rename to src/patches/dnsmasq-2.72rc2-Add-support-to-read-ISC-DHCP-lease-file.patch index 3194e1f22..9912c7ca9 100644 --- a/src/patches/dnsmasq-2.70-Add-support-to-read-ISC-DHCP-lease-file.patch +++ b/src/patches/dnsmasq-2.72rc2-Add-support-to-read-ISC-DHCP-lease-file.patch @@ -1,18 +1,18 @@ diff --git a/Makefile b/Makefile -index 292c8bd..5e0cdbe 100644 +index 58a7975..616c6b7 100644 --- a/Makefile +++ b/Makefile 
@@ -69,7 +69,7 @@ objs = cache.o rfc1035.o util.o option.o forward.o network.o \ dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \ helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \ dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \ -- domain.o dnssec.o blockdata.o -+ domain.o dnssec.o blockdata.o isc.o +- domain.o dnssec.o blockdata.o tables.o loop.o ++ domain.o dnssec.o blockdata.o tables.o loop.o isc.o hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \ dns-protocol.h radv-protocol.h ip6addr.h diff --git a/src/cache.c b/src/cache.c -index 5cec918..1f5657f 100644 +index 2c3a498..77a7046 100644 --- a/src/cache.c +++ b/src/cache.c @@ -17,7 +17,7 @@ @@ -65,10 +65,10 @@ index 5cec918..1f5657f 100644 cache_hash(crec); diff --git a/src/dnsmasq.c b/src/dnsmasq.c -index 1c96a0e..156ac9a 100644 +index f4a89fc..a448ec4 100644 --- a/src/dnsmasq.c +++ b/src/dnsmasq.c -@@ -934,6 +934,11 @@ int main (int argc, char **argv) +@@ -940,6 +940,11 @@ int main (int argc, char **argv) poll_resolv(0, daemon->last_resolv != 0, now); daemon->last_resolv = now; @@ -81,18 +81,24 @@ index 1c96a0e..156ac9a 100644 if (FD_ISSET(piperead, &rset)) diff --git a/src/dnsmasq.h b/src/dnsmasq.h -index 3032546..a40b2a9 100644 +index e74b15a..4a35168 100644 --- a/src/dnsmasq.h +++ b/src/dnsmasq.h -@@ -1447,3 +1447,8 @@ void slaac_add_addrs(struct dhcp_lease *lease, time_t now, int force); - time_t periodic_slaac(time_t now, struct dhcp_lease *leases); +@@ -1463,9 +1463,13 @@ time_t periodic_slaac(time_t now, struct dhcp_lease *leases); void slaac_ping_reply(struct in6_addr *sender, unsigned char *packet, char *interface, struct dhcp_lease *leases); #endif -+ + +/* isc.c */ +#ifdef HAVE_ISC_READER +void load_dhcp(time_t now); +#endif ++ + /* loop.c */ + #ifdef HAVE_LOOP + void loop_send_probes(); + int detect_loop(char *query, int type); + #endif +- diff --git a/src/isc.c b/src/isc.c new file mode 100644 index 0000000..5106442 
@@ -351,10 +357,10 @@ index 0000000..5106442 + +#endif diff --git a/src/option.c b/src/option.c -index daa728f..d16c982 100644 +index 45d8875..29c9ee5 100644 --- a/src/option.c +++ b/src/option.c -@@ -1642,7 +1642,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma +@@ -1669,7 +1669,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma ret_err(_("bad MX target")); break; diff --git a/src/patches/glibc/glibc-rh1008310.patch b/src/patches/glibc/glibc-rh1008310.patch new file mode 100644 index 000000000..3658a9f31 --- /dev/null +++ b/src/patches/glibc/glibc-rh1008310.patch @@ -0,0 +1,45 @@ +diff -Nrup a/malloc/malloc.c b/malloc/malloc.c +--- a/malloc/malloc.c 2013-09-23 17:08:33.698331221 -0400 ++++ b/malloc/malloc.c 2013-09-23 21:04:25.901270645 -0400 +@@ -3879,6 +3879,13 @@ public_mEMALIGn(size_t alignment, size_t + /* Otherwise, ensure that it is at least a minimum chunk size */ + if (alignment < MINSIZE) alignment = MINSIZE; + ++ /* Check for overflow. */ ++ if (bytes > SIZE_MAX - alignment - MINSIZE) ++ { ++ __set_errno (ENOMEM); ++ return 0; ++ } ++ + arena_get(ar_ptr, bytes + alignment + MINSIZE); + if(!ar_ptr) + return 0; +@@ -3924,6 +3931,13 @@ public_vALLOc(size_t bytes) + + size_t pagesz = mp_.pagesize; + ++ /* Check for overflow. */ ++ if (bytes > SIZE_MAX - pagesz - MINSIZE) ++ { ++ __set_errno (ENOMEM); ++ return 0; ++ } ++ + __malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, size_t, + __const __malloc_ptr_t)) = + force_reg (__memalign_hook); +@@ -3975,6 +3989,13 @@ public_pVALLOc(size_t bytes) + size_t page_mask = mp_.pagesize - 1; + size_t rounded_bytes = (bytes + page_mask) & ~(page_mask); + ++ /* Check for overflow. */ ++ if (bytes > SIZE_MAX - 2*pagesz - MINSIZE) ++ { ++ __set_errno (ENOMEM); ++ return 0; ++ } ++ + __malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, size_t, + __const __malloc_ptr_t)) = + force_reg (__memalign_hook); 
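Review bot: The overflow check added to public_pVALLOc in glibc-rh1008310.patch uses `pagesz`, but the context lines of that inner hunk only show `page_mask` and `rounded_bytes` being declared, so it is worth confirming that `pagesz` is in scope in the glibc version this patch is applied to. The bound also differs from the other two checks (`2*pagesz` instead of `alignment` or `pagesz`) without saying why; presumably one page covers rounding `bytes` up and one the alignment slack, and a comment such as `/* 2*pagesz: page rounding of BYTES plus alignment slack. */` would make that checkable. `rounded_bytes` is computed before the check, which is harmless only because it is not used before the early return. All three functions continue outside their hunks.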
diff --git a/src/patches/glibc/glibc-rh1022022.patch b/src/patches/glibc/glibc-rh1022022.patch
new file mode 100644
index 000000000..6d23bb1e1
--- /dev/null
+++ b/src/patches/glibc/glibc-rh1022022.patch
@@ -0,0 +1,20 @@
+diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
+index 81e928a..05883bd 100644
+--- a/sysdeps/posix/getaddrinfo.c
++++ b/sysdeps/posix/getaddrinfo.c
+@@ -832,8 +832,13 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ while (!no_more)
+ {
+ no_data = 0;
+- nss_gethostbyname4_r fct4
+- = __nss_lookup_function (nip, "gethostbyname4_r");
++ nss_gethostbyname4_r fct4 = NULL;
++
++ /* gethostbyname4_r sends out parallel A and AAAA queries and
++ is thus only suitable for PF_UNSPEC. */
++ if (req->ai_family == PF_UNSPEC)
++ fct4 = __nss_lookup_function (nip, "gethostbyname4_r");
++
+ if (fct4 != NULL)
+ {
+ int herrno;
diff --git a/src/patches/glibc/glibc-rh1091162.patch b/src/patches/glibc/glibc-rh1091162.patch
new file mode 100644
index 000000000..782568282
--- /dev/null
+++ b/src/patches/glibc/glibc-rh1091162.patch
@@ -0,0 +1,58 @@
+commit 362b47fe09ca9a928d444c7e2f7992f7f61bfc3e
+Author: Maxim Kuvyrkov
+Date: Tue Dec 24 09:44:50 2013 +1300
+
+ Fix race in free() of fastbin chunk: BZ #15073
+
+ Perform sanity check only if we have_lock. Due to lockless nature of fastbins
+ we need to be careful derefencing pointers to fastbin entries (chunksize(old)
+ in this case) in multithreaded environments.
+
+ The fix is to add have_lock to the if-condition checks. The rest of the patch
+ only makes code more readable.
+
+ * malloc/malloc.c (_int_free): Perform sanity check only if we
+ have_lock.
+
+diff --git a/malloc/malloc.c b/malloc/malloc.c
+index b1668b5..5e419ad 100644
+--- a/malloc/malloc.c
++++ b/malloc/malloc.c
+@@ -3783,25 +3783,29 @@ _int_free(mstate av, mchunkptr p, int have_lock)
+ fb = &fastbin (av, idx);
+
+ #ifdef ATOMIC_FASTBINS
+- mchunkptr fd;
+- mchunkptr old = *fb;
++ /* Atomically link P to its fastbin: P->FD = *FB; *FB = P; */
++ mchunkptr old = *fb, old2;
+ unsigned int old_idx = ~0u;
+ do
+ {
+- /* Another simple check: make sure the top of the bin is not the
+- record we are going to add (i.e., double free). */
++ /* Check that the top of the bin is not the record we are going to add
++ (i.e., double free). */
+ if (__builtin_expect (old == p, 0))
+ {
+ errstr = "double free or corruption (fasttop)";
+ goto errout;
+ }
+- if (old != NULL)
++ /* Check that size of fastbin chunk at the top is the same as
++ size of the chunk that we are adding. We can dereference OLD
++ only if we have the lock, otherwise it might have already been
++ deallocated. See use of OLD_IDX below for the actual check. */
++ if (have_lock && old != NULL)
+ old_idx = fastbin_index(chunksize(old));
+- p->fd = fd = old;
++ p->fd = old2 = old;
+ }
+- while ((old = catomic_compare_and_exchange_val_rel (fb, p, fd)) != fd);
++ while ((old = catomic_compare_and_exchange_val_rel (fb, p, old2)) != old2);
+
+- if (fd != NULL && __builtin_expect (old_idx != idx, 0))
++ if (have_lock && old != NULL && __builtin_expect (old_idx != idx, 0))
+ {
+ errstr = "invalid fastbin entry (free)";
+ goto errout;
diff --git a/src/patches/glibc/glibc-rh1098050.patch b/src/patches/glibc/glibc-rh1098050.patch
new file mode 100644
index 000000000..e5ff3ca1b
--- /dev/null
+++ b/src/patches/glibc/glibc-rh1098050.patch
@@ -0,0 +1,28 @@
+commit cf26a0cb6a0bbaca46a01ddad6662e5e5159a32a
+Author: Siddhesh Poyarekar
+Date: Thu May 15 12:33:11 2014 +0530
+
+ Return EAI_AGAIN for AF_UNSPEC when herrno is TRY_AGAIN (BZ #16849)
+
+ getaddrinfo correctly returns EAI_AGAIN for AF_INET and AF_INET6
+ queries. For AF_UNSPEC however, an older change
+ (a682a1bf553b1efe4dbb03207fece5b719cec482) broke the check and due to
+ that the returned error was EAI_NONAME.
+
+ This patch fixes the check so that a non-authoritative not-found is
+ returned as EAI_AGAIN to the user instead of EAI_NONAME.
+
+diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
+index 6258330..8f392b9 100644
+--- a/sysdeps/posix/getaddrinfo.c
++++ b/sysdeps/posix/getaddrinfo.c
+@@ -867,8 +867,7 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ if (status != NSS_STATUS_TRYAGAIN
+ || rc != ERANGE || herrno != NETDB_INTERNAL)
+ {
+- if (status == NSS_STATUS_TRYAGAIN
+- && herrno == TRY_AGAIN)
++ if (herrno == TRY_AGAIN)
+ no_data = EAI_AGAIN;
+ else
+ no_data = herrno == NO_DATA;
diff --git a/src/patches/glibc/glibc-rh1133809-1.patch b/src/patches/glibc/glibc-rh1133809-1.patch
new file mode 100644
index 000000000..12b99499f
--- /dev/null
+++ b/src/patches/glibc/glibc-rh1133809-1.patch
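Review bot: The "invalid fastbin entry (free)" corruption check in glibc-rh1091162.patch no longer runs when `have_lock` is 0, because the final test becomes `if (have_lock && old != NULL && __builtin_expect (old_idx != idx, 0))`; the added comment explains why OLD cannot be dereferenced without the lock, but not that the check itself is dropped on that path. I would state the trade-off at the test, e.g. `/* OLD_IDX is only computed with the lock held; without it this check is skipped. */`. The double-free test `old == p` stays unconditional. `_int_free` starts and ends outside the inner hunk.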
@@ -0,0 +1,199 @@ +2014-08-21 Florian Weimer + + [BZ #17187] + * iconv/gconv_trans.c (struct known_trans, search_tree, lock, + trans_compare, open_translit, __gconv_translit_find): + Remove module loading code. + +diff --git a/iconv/gconv_trans.c b/iconv/gconv_trans.c +index 1e25854..d71c029 100644 +--- a/iconv/gconv_trans.c ++++ b/iconv/gconv_trans.c +@@ -238,181 +238,11 @@ __gconv_transliterate (struct __gconv_step *step, + return __GCONV_ILLEGAL_INPUT; + } + +- +-/* Structure to represent results of found (or not) transliteration +- modules. */ +-struct known_trans +-{ +- /* This structure must remain the first member. */ +- struct trans_struct info; +- +- char *fname; +- void *handle; +- int open_count; +-}; +- +- +-/* Tree with results of previous calls to __gconv_translit_find. */ +-static void *search_tree; +- +-/* We modify global data. */ +-__libc_lock_define_initialized (static, lock); +- +- +-/* Compare two transliteration entries. */ +-static int +-trans_compare (const void *p1, const void *p2) +-{ +- const struct known_trans *s1 = (const struct known_trans *) p1; +- const struct known_trans *s2 = (const struct known_trans *) p2; +- +- return strcmp (s1->info.name, s2->info.name); +-} +- +- +-/* Open (maybe reopen) the module named in the struct. Get the function +- and data structure pointers we need. */ +-static int +-open_translit (struct known_trans *trans) +-{ +- __gconv_trans_query_fct queryfct; +- +- trans->handle = __libc_dlopen (trans->fname); +- if (trans->handle == NULL) +- /* Not available. */ +- return 1; +- +- /* Find the required symbol. */ +- queryfct = __libc_dlsym (trans->handle, "gconv_trans_context"); +- if (queryfct == NULL) +- { +- /* We cannot live with that. */ +- close_and_out: +- __libc_dlclose (trans->handle); +- trans->handle = NULL; +- return 1; +- } +- +- /* Get the context. 
*/ +- if (queryfct (trans->info.name, &trans->info.csnames, &trans->info.ncsnames) +- != 0) +- goto close_and_out; +- +- /* Of course we also have to have the actual function. */ +- trans->info.trans_fct = __libc_dlsym (trans->handle, "gconv_trans"); +- if (trans->info.trans_fct == NULL) +- goto close_and_out; +- +- /* Now the optional functions. */ +- trans->info.trans_init_fct = +- __libc_dlsym (trans->handle, "gconv_trans_init"); +- trans->info.trans_context_fct = +- __libc_dlsym (trans->handle, "gconv_trans_context"); +- trans->info.trans_end_fct = +- __libc_dlsym (trans->handle, "gconv_trans_end"); +- +- trans->open_count = 1; +- +- return 0; +-} +- +- + int + internal_function + __gconv_translit_find (struct trans_struct *trans) + { +- struct known_trans **found; +- const struct path_elem *runp; +- int res = 1; +- +- /* We have to have a name. */ +- assert (trans->name != NULL); +- +- /* Acquire the lock. */ +- __libc_lock_lock (lock); +- +- /* See whether we know this module already. */ +- found = __tfind (trans, &search_tree, trans_compare); +- if (found != NULL) +- { +- /* Is this module available? */ +- if ((*found)->handle != NULL) +- { +- /* Maybe we have to reopen the file. */ +- if ((*found)->handle != (void *) -1) +- /* The object is not unloaded. */ +- res = 0; +- else if (open_translit (*found) == 0) +- { +- /* Copy the data. */ +- *trans = (*found)->info; +- (*found)->open_count++; +- res = 0; +- } +- } +- } +- else +- { +- size_t name_len = strlen (trans->name) + 1; +- int need_so = 0; +- struct known_trans *newp; +- +- /* We have to continue looking for the module. */ +- if (__gconv_path_elem == NULL) +- __gconv_get_path (); +- +- /* See whether we have to append .so. */ +- if (name_len <= 4 || memcmp (&trans->name[name_len - 4], ".so", 3) != 0) +- need_so = 1; +- +- /* Create a new entry. 
*/ +- newp = (struct known_trans *) malloc (sizeof (struct known_trans) +- + (__gconv_max_path_elem_len +- + name_len + 3) +- + name_len); +- if (newp != NULL) +- { +- char *cp; +- +- /* Clear the struct. */ +- memset (newp, '\0', sizeof (struct known_trans)); +- +- /* Store a copy of the module name. */ +- newp->info.name = cp = (char *) (newp + 1); +- cp = __mempcpy (cp, trans->name, name_len); +- +- newp->fname = cp; +- +- /* Search in all the directories. */ +- for (runp = __gconv_path_elem; runp->name != NULL; ++runp) +- { +- cp = __mempcpy (__stpcpy ((char *) newp->fname, runp->name), +- trans->name, name_len); +- if (need_so) +- memcpy (cp, ".so", sizeof (".so")); +- +- if (open_translit (newp) == 0) +- { +- /* We found a module. */ +- res = 0; +- break; +- } +- } +- +- if (res) +- newp->fname = NULL; +- +- /* In any case we'll add the entry to our search tree. */ +- if (__tsearch (newp, &search_tree, trans_compare) == NULL) +- { +- /* Yickes, this should not happen. Unload the object. */ +- res = 1; +- /* XXX unload here. */ +- } +- } +- } +- +- __libc_lock_unlock (lock); +- +- return res; ++ /* This function always fails. Transliteration module loading is ++ not implemented. */ ++ return 1; + } +-- +1.9.3 + diff --git a/src/patches/glibc/glibc-rh1133809-2.patch b/src/patches/glibc/glibc-rh1133809-2.patch new file mode 100644 index 000000000..8148abbbc --- /dev/null +++ b/src/patches/glibc/glibc-rh1133809-2.patch 
@@ -0,0 +1,625 @@ +commit 585367266923156ac6fb789939a923641ba5aaf4 +Author: Florian Weimer +Date: Wed May 28 14:05:03 2014 +0200 + + manual: Update the locale documentation + +commit 4e8f95a0df7c2300b830ec12c0ae1e161bc8a8a3 +Author: Florian Weimer +Date: Mon May 12 15:24:12 2014 +0200 + + _nl_find_locale: Improve handling of crafted locale names [BZ #17137] + + Prevent directory traversal in locale-related environment variables + (CVE-2014-0475). + +commit d183645616b0533b3acee28f1a95570bffbdf50f +Author: Florian Weimer +Date: Wed May 28 14:41:52 2014 +0200 + + setlocale: Use the heap for the copy of the locale argument + + This avoids alloca calls with potentially large arguments. + +diff -pruN glibc-2.18/locale/findlocale.c glibc-2.18.patched/locale/findlocale.c +--- glibc-2.18/locale/findlocale.c 2013-08-11 04:22:55.000000000 +0530 ++++ glibc-2.18.patched/locale/findlocale.c 2014-08-26 16:14:50.403253778 +0530 +@@ -17,6 +17,7 @@ + 02111-1307 USA. */ + + #include ++#include + #include + #include + #include +@@ -57,6 +58,45 @@ struct loaded_l10nfile *_nl_locale_file_ + + const char _nl_default_locale_path[] attribute_hidden = LOCALEDIR; + ++/* Checks if the name is actually present, that is, not NULL and not ++ empty. */ ++static inline int ++name_present (const char *name) ++{ ++ return name != NULL && name[0] != '\0'; ++} ++ ++/* Checks that the locale name neither extremely long, nor contains a ++ ".." path component (to prevent directory traversal). */ ++static inline int ++valid_locale_name (const char *name) ++{ ++ /* Not set. */ ++ size_t namelen = strlen (name); ++ /* Name too long. The limit is arbitrary and prevents stack overflow ++ issues later. */ ++ if (__builtin_expect (namelen > 255, 0)) ++ return 0; ++ /* Directory traversal attempt. 
*/ ++ static const char slashdot[4] = {'/', '.', '.', '/'}; ++ if (__builtin_expect (memmem (name, namelen, ++ slashdot, sizeof (slashdot)) != NULL, 0)) ++ return 0; ++ if (namelen == 2 && __builtin_expect (name[0] == '.' && name [1] == '.', 0)) ++ return 0; ++ if (namelen >= 3 ++ && __builtin_expect (((name[0] == '.' ++ && name[1] == '.' ++ && name[2] == '/') ++ || (name[namelen - 3] == '/' ++ && name[namelen - 2] == '.' ++ && name[namelen - 1] == '.')), 0)) ++ return 0; ++ /* If there is a slash in the name, it must start with one. */ ++ if (__builtin_expect (memchr (name, '/', namelen) != NULL, 0) && name[0] != '/') ++ return 0; ++ return 1; ++} + + struct __locale_data * + internal_function +@@ -65,7 +105,7 @@ _nl_find_locale (const char *locale_path + { + int mask; + /* Name of the locale for this category. */ +- char *loc_name; ++ char *loc_name = (char *) *name; + const char *language; + const char *modifier; + const char *territory; +@@ -73,31 +113,39 @@ _nl_find_locale (const char *locale_path + const char *normalized_codeset; + struct loaded_l10nfile *locale_file; + +- if ((*name)[0] == '\0') ++ if (loc_name[0] == '\0') + { + /* The user decides which locale to use by setting environment + variables. 
*/ +- *name = getenv ("LC_ALL"); +- if (*name == NULL || (*name)[0] == '\0') +- *name = getenv (_nl_category_names.str ++ loc_name = getenv ("LC_ALL"); ++ if (!name_present (loc_name)) ++ loc_name = getenv (_nl_category_names.str + + _nl_category_name_idxs[category]); +- if (*name == NULL || (*name)[0] == '\0') +- *name = getenv ("LANG"); ++ if (!name_present (loc_name)) ++ loc_name = getenv ("LANG"); ++ if (!name_present (loc_name)) ++ loc_name = (char *) _nl_C_name; + } + +- if (*name == NULL || (*name)[0] == '\0' +- || (__builtin_expect (__libc_enable_secure, 0) +- && strchr (*name, '/') != NULL)) +- *name = (char *) _nl_C_name; ++ /* We used to fall back to the C locale if the name contains a slash ++ character '/', but we now check for directory traversal in ++ valid_locale_name, so this is no longer necessary. */ + +- if (__builtin_expect (strcmp (*name, _nl_C_name), 1) == 0 +- || __builtin_expect (strcmp (*name, _nl_POSIX_name), 1) == 0) ++ if (__builtin_expect (strcmp (loc_name, _nl_C_name), 1) == 0 ++ || __builtin_expect (strcmp (loc_name, _nl_POSIX_name), 1) == 0) + { + /* We need not load anything. The needed data is contained in + the library itself. */ + *name = (char *) _nl_C_name; + return _nl_C[category]; + } ++ else if (!valid_locale_name (loc_name)) ++ { ++ __set_errno (EINVAL); ++ return NULL; ++ } ++ ++ *name = loc_name; + + /* We really have to load some data. First we try the archive, + but only if there was no LOCPATH environment variable specified. */ +diff -pruN glibc-2.18/locale/setlocale.c glibc-2.18.patched/locale/setlocale.c +--- glibc-2.18/locale/setlocale.c 2013-08-11 04:22:55.000000000 +0530 ++++ glibc-2.18.patched/locale/setlocale.c 2014-08-26 16:14:50.401253764 +0530 +@@ -272,6 +272,8 @@ setlocale (int category, const char *loc + of entries of the form `CATEGORY=VALUE'. */ + const char *newnames[__LC_LAST]; + struct __locale_data *newdata[__LC_LAST]; ++ /* Copy of the locale argument, for in-place splitting. 
*/ ++ char *locale_copy = NULL; + + /* Set all name pointers to the argument name. */ + for (category = 0; category < __LC_LAST; ++category) +@@ -281,7 +283,13 @@ setlocale (int category, const char *loc + if (__builtin_expect (strchr (locale, ';') != NULL, 0)) + { + /* This is a composite name. Make a copy and split it up. */ +- char *np = strdupa (locale); ++ locale_copy = strdup (locale); ++ if (__builtin_expect (locale_copy == NULL, 0)) ++ { ++ __libc_rwlock_unlock (__libc_setlocale_lock); ++ return NULL; ++ } ++ char *np = locale_copy; + char *cp; + int cnt; + +@@ -299,6 +307,7 @@ setlocale (int category, const char *loc + { + error_return: + __libc_rwlock_unlock (__libc_setlocale_lock); ++ free (locale_copy); + + /* Bogus category name. */ + ERROR_RETURN; +@@ -391,8 +400,9 @@ setlocale (int category, const char *loc + /* Critical section left. */ + __libc_rwlock_unlock (__libc_setlocale_lock); + +- /* Free the resources (the locale path variable). */ ++ /* Free the resources. */ + free (locale_path); ++ free (locale_copy); + + return composite; + } +diff -pruN glibc-2.18/localedata/Makefile glibc-2.18.patched/localedata/Makefile +--- glibc-2.18/localedata/Makefile 2014-08-26 16:15:22.656474571 +0530 ++++ glibc-2.18.patched/localedata/Makefile 2014-08-26 16:14:50.403253778 +0530 +@@ -77,7 +77,7 @@ locale_test_suite := tst_iswalnum tst_is + + tests = $(locale_test_suite) tst-digits tst-setlocale bug-iconv-trans \ + tst-leaks tst-mbswcs6 tst-xlocale1 tst-xlocale2 bug-usesetlocale \ +- tst-strfmon1 tst-sscanf tst-strptime ++ tst-strfmon1 tst-sscanf tst-strptime tst-setlocale3 + ifeq (yes,$(build-shared)) + ifneq (no,$(PERL)) + tests: $(objpfx)mtrace-tst-leaks +@@ -288,6 +288,7 @@ tst-strfmon1-ENV = $(TEST_MBWC_ENV) + tst-strptime-ENV = $(TEST_MBWC_ENV) + + tst-setlocale-ENV = LOCPATH=$(common-objpfx)localedata LC_ALL=ja_JP.EUC-JP ++tst-setlocale3-ENV = LOCPATH=$(common-objpfx)localedata + + bug-iconv-trans-ENV = LOCPATH=$(common-objpfx)localedata + +diff -pruN 
glibc-2.18/localedata/tst-setlocale3.c glibc-2.18.patched/localedata/tst-setlocale3.c +--- glibc-2.18/localedata/tst-setlocale3.c 1970-01-01 05:30:00.000000000 +0530 ++++ glibc-2.18.patched/localedata/tst-setlocale3.c 2014-08-26 16:14:50.403253778 +0530 +@@ -0,0 +1,203 @@ ++/* Regression test for setlocale invalid environment variable handling. ++ Copyright (C) 2014 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include ++#include ++ ++/* The result of setlocale may be overwritten by subsequent calls, so ++ this wrapper makes a copy. 
*/ ++static char * ++setlocale_copy (int category, const char *locale) ++{ ++ const char *result = setlocale (category, locale); ++ if (result == NULL) ++ return NULL; ++ return strdup (result); ++} ++ ++static char *de_locale; ++ ++static void ++setlocale_fail (const char *envstring) ++{ ++ setenv ("LC_CTYPE", envstring, 1); ++ if (setlocale (LC_CTYPE, "") != NULL) ++ { ++ printf ("unexpected setlocale success for \"%s\" locale\n", envstring); ++ exit (1); ++ } ++ const char *newloc = setlocale (LC_CTYPE, NULL); ++ if (strcmp (newloc, de_locale) != 0) ++ { ++ printf ("failed setlocale call \"%s\" changed locale to \"%s\"\n", ++ envstring, newloc); ++ exit (1); ++ } ++} ++ ++static void ++setlocale_success (const char *envstring) ++{ ++ setenv ("LC_CTYPE", envstring, 1); ++ char *newloc = setlocale_copy (LC_CTYPE, ""); ++ if (newloc == NULL) ++ { ++ printf ("setlocale for \"%s\": %m\n", envstring); ++ exit (1); ++ } ++ if (strcmp (newloc, de_locale) == 0) ++ { ++ printf ("setlocale with LC_CTYPE=\"%s\" left locale at \"%s\"\n", ++ envstring, de_locale); ++ exit (1); ++ } ++ if (setlocale (LC_CTYPE, de_locale) == NULL) ++ { ++ printf ("restoring locale \"%s\" with LC_CTYPE=\"%s\": %m\n", ++ de_locale, envstring); ++ exit (1); ++ } ++ char *newloc2 = setlocale_copy (LC_CTYPE, newloc); ++ if (newloc2 == NULL) ++ { ++ printf ("restoring locale \"%s\" following \"%s\": %m\n", ++ newloc, envstring); ++ exit (1); ++ } ++ if (strcmp (newloc, newloc2) != 0) ++ { ++ printf ("representation of locale \"%s\" changed from \"%s\" to \"%s\"", ++ envstring, newloc, newloc2); ++ exit (1); ++ } ++ free (newloc); ++ free (newloc2); ++ ++ if (setlocale (LC_CTYPE, de_locale) == NULL) ++ { ++ printf ("restoring locale \"%s\" with LC_CTYPE=\"%s\": %m\n", ++ de_locale, envstring); ++ exit (1); ++ } ++} ++ ++/* Checks that a known-good locale still works if LC_ALL contains a ++ value which should be ignored. 
*/ ++static void ++setlocale_ignore (const char *to_ignore) ++{ ++ const char *fr_locale = "fr_FR.UTF-8"; ++ setenv ("LC_CTYPE", fr_locale, 1); ++ char *expected_locale = setlocale_copy (LC_CTYPE, ""); ++ if (expected_locale == NULL) ++ { ++ printf ("setlocale with LC_CTYPE=\"%s\" failed: %m\n", fr_locale); ++ exit (1); ++ } ++ if (setlocale (LC_CTYPE, de_locale) == NULL) ++ { ++ printf ("failed to restore locale: %m\n"); ++ exit (1); ++ } ++ unsetenv ("LC_CTYPE"); ++ ++ setenv ("LC_ALL", to_ignore, 1); ++ setenv ("LC_CTYPE", fr_locale, 1); ++ const char *actual_locale = setlocale (LC_CTYPE, ""); ++ if (actual_locale == NULL) ++ { ++ printf ("setlocale with LC_ALL, LC_CTYPE=\"%s\" failed: %m\n", ++ fr_locale); ++ exit (1); ++ } ++ if (strcmp (actual_locale, expected_locale) != 0) ++ { ++ printf ("setlocale under LC_ALL failed: got \"%s\", expected \"%s\"\n", ++ actual_locale, expected_locale); ++ exit (1); ++ } ++ unsetenv ("LC_CTYPE"); ++ setlocale_success (fr_locale); ++ unsetenv ("LC_ALL"); ++ free (expected_locale); ++} ++ ++static int ++do_test (void) ++{ ++ /* The glibc test harness sets this environment variable ++ uncondionally. 
*/ ++ unsetenv ("LC_ALL"); ++ ++ de_locale = setlocale_copy (LC_CTYPE, "de_DE.UTF-8"); ++ if (de_locale == NULL) ++ { ++ printf ("setlocale (LC_CTYPE, \"de_DE.UTF-8\"): %m\n"); ++ return 1; ++ } ++ setlocale_success ("C"); ++ setlocale_success ("en_US.UTF-8"); ++ setlocale_success ("/en_US.UTF-8"); ++ setlocale_success ("//en_US.UTF-8"); ++ setlocale_ignore (""); ++ ++ setlocale_fail ("does-not-exist"); ++ setlocale_fail ("/"); ++ setlocale_fail ("/../localedata/en_US.UTF-8"); ++ setlocale_fail ("en_US.UTF-8/"); ++ setlocale_fail ("en_US.UTF-8/.."); ++ setlocale_fail ("en_US.UTF-8/../en_US.UTF-8"); ++ setlocale_fail ("../localedata/en_US.UTF-8"); ++ { ++ size_t large_length = 1024; ++ char *large_name = malloc (large_length + 1); ++ if (large_name == NULL) ++ { ++ puts ("malloc failure"); ++ return 1; ++ } ++ memset (large_name, '/', large_length); ++ const char *suffix = "en_US.UTF-8"; ++ strcpy (large_name + large_length - strlen (suffix), suffix); ++ setlocale_fail (large_name); ++ free (large_name); ++ } ++ { ++ size_t huge_length = 64 * 1024 * 1024; ++ char *huge_name = malloc (huge_length + 1); ++ if (huge_name == NULL) ++ { ++ puts ("malloc failure"); ++ return 1; ++ } ++ memset (huge_name, 'X', huge_length); ++ huge_name[huge_length] = '\0'; ++ /* Construct a composite locale specification. */ ++ const char *prefix = "LC_CTYPE=de_DE.UTF-8;LC_TIME="; ++ memcpy (huge_name, prefix, strlen (prefix)); ++ setlocale_fail (huge_name); ++ free (huge_name); ++ } ++ ++ return 0; ++} ++ ++#define TEST_FUNCTION do_test () ++#include "../test-skeleton.c" +diff -pruN glibc-2.18/manual/locale.texi glibc-2.18.patched/manual/locale.texi +--- glibc-2.18/manual/locale.texi 2013-08-11 04:22:55.000000000 +0530 ++++ glibc-2.18.patched/manual/locale.texi 2014-08-26 16:14:50.404253785 +0530 +@@ -29,6 +29,7 @@ will follow the conventions preferred by + * Setting the Locale:: How a program specifies the locale + with library functions. 
+ * Standard Locales:: Locale names available on all systems. ++* Locale Names:: Format of system-specific locale names. + * Locale Information:: How to access the information for the locale. + * Formatting Numbers:: A dedicated function to format numbers. + * Yes-or-No Questions:: Check a Response against the locale. +@@ -99,14 +100,16 @@ locale named @samp{espana-castellano} to + most of Spain. + + The set of locales supported depends on the operating system you are +-using, and so do their names. We can't make any promises about what +-locales will exist, except for one standard locale called @samp{C} or +-@samp{POSIX}. Later we will describe how to construct locales. +-@comment (@pxref{Building Locale Files}). ++using, and so do their names, except that the standard locale called ++@samp{C} or @samp{POSIX} always exist. @xref{Locale Names}. ++ ++In order to force the system to always use the default locale, the ++user can set the @code{LC_ALL} environment variable to @samp{C}. + + @cindex combining locales +-A user also has the option of specifying different locales for different +-purposes---in effect, choosing a mixture of multiple locales. ++A user also has the option of specifying different locales for ++different purposes---in effect, choosing a mixture of multiple ++locales. @xref{Locale Categories}. + + For example, the user might specify the locale @samp{espana-castellano} + for most purposes, but specify the locale @samp{usa-english} for +@@ -120,7 +123,7 @@ which locales apply. However, the user + for a particular subset of those purposes. + + @node Locale Categories, Setting the Locale, Choosing Locale, Locales +-@section Categories of Activities that Locales Affect ++@section Locale Categories + @cindex categories for locales + @cindex locale categories + +@@ -128,7 +131,11 @@ The purposes that locales serve are grou + that a user or a program can choose the locale for each category + independently. 
Here is a table of categories; each name is both an + environment variable that a user can set, and a macro name that you can +-use as an argument to @code{setlocale}. ++use as the first argument to @code{setlocale}. ++ ++The contents of the environment variable (or the string in the second ++argument to @code{setlocale}) has to be a valid locale name. ++@xref{Locale Names}. + + @vtable @code + @comment locale.h +@@ -172,7 +179,7 @@ for affirmative and negative responses. + @comment locale.h + @comment ISO + @item LC_ALL +-This is not an environment variable; it is only a macro that you can use ++This is not a category; it is only a macro that you can use + with @code{setlocale} to set a single locale for all purposes. Setting + this environment variable overwrites all selections by the other + @code{LC_*} variables or @code{LANG}. +@@ -225,13 +232,7 @@ The symbols in this section are defined + @comment ISO + @deftypefun {char *} setlocale (int @var{category}, const char *@var{locale}) + The function @code{setlocale} sets the current locale for category +-@var{category} to @var{locale}. A list of all the locales the system +-provides can be created by running +- +-@pindex locale +-@smallexample +- locale -a +-@end smallexample ++@var{category} to @var{locale}. + + If @var{category} is @code{LC_ALL}, this specifies the locale for all + purposes. The other possible values of @var{category} specify an +@@ -256,10 +257,9 @@ is passed in as @var{locale} parameter. + + When you read the current locale for category @code{LC_ALL}, the value + encodes the entire combination of selected locales for all categories. +-In this case, the value is not just a single locale name. In fact, we +-don't make any promises about what it looks like. But if you specify +-the same ``locale name'' with @code{LC_ALL} in a subsequent call to +-@code{setlocale}, it restores the same combination of locale selections. 
++If you specify the same ``locale name'' with @code{LC_ALL} in a ++subsequent call to @code{setlocale}, it restores the same combination ++of locale selections. + + To be sure you can use the returned string encoding the currently selected + locale at a later time, you must make a copy of the string. It is not +@@ -275,6 +275,11 @@ for @var{category}. + If a nonempty string is given for @var{locale}, then the locale of that + name is used if possible. + ++The effective locale name (either the second argument to ++@code{setlocale}, or if the argument is an empty string, the name ++obtained from the process environment) must be valid locale name. ++@xref{Locale Names}. ++ + If you specify an invalid locale name, @code{setlocale} returns a null + pointer and leaves the current locale unchanged. + @end deftypefun +@@ -328,7 +323,7 @@ locale categories, and future versions o + portability, assume that any symbol beginning with @samp{LC_} might be + defined in @file{locale.h}. + +-@node Standard Locales, Locale Information, Setting the Locale, Locales ++@node Standard Locales, Locale Names, Setting the Locale, Locales + @section Standard Locales + + The only locale names you can count on finding on all operating systems +@@ -362,7 +357,94 @@ with the environment, rather than trying + locale explicitly by name. Remember, different machines might have + different sets of locales installed. + +-@node Locale Information, Formatting Numbers, Standard Locales, Locales ++@node Locale Names, Locale Information, Standard Locales, Locales ++@section Locale Names ++ ++The following command prints a list of locales supported by the ++system: ++ ++@pindex locale ++@smallexample ++ locale -a ++@end smallexample ++ ++@strong{Portability Note:} With the notable exception of the standard ++locale names @samp{C} and @samp{POSIX}, locale names are ++system-specific. 
++ ++Most locale names follow XPG syntax and consist of up to four parts: ++ ++@smallexample ++@var{language}[_@var{territory}[.@var{codeset}]][@@@var{modifier}] ++@end smallexample ++ ++Beside the first part, all of them are allowed to be missing. If the ++full specified locale is not found, less specific ones are looked for. ++The various parts will be stripped off, in the following order: ++ ++@enumerate ++@item ++codeset ++@item ++normalized codeset ++@item ++territory ++@item ++modifier ++@end enumerate ++ ++For example, the locale name @samp{de_AT.iso885915@@euro} denotes a ++German-language locale for use in Austria, using the ISO-8859-15 ++(Latin-9) character set, and with the Euro as the currency symbol. ++ ++In addition to locale names which follow XPG syntax, systems may ++provide aliases such as @samp{german}. Both categories of names must ++not contain the slash character @samp{/}. ++ ++If the locale name starts with a slash @samp{/}, it is treated as a ++path relative to the configured locale directories; see @code{LOCPATH} ++below. The specified path must not contain a component @samp{..}, or ++the name is invalid, and @code{setlocale} will fail. ++ ++@strong{Portability Note:} POSIX suggests that if a locale name starts ++with a slash @samp{/}, it is resolved as an absolute path. However, ++the GNU C Library treats it as a relative path under the directories listed ++in @code{LOCPATH} (or the default locale directory if @code{LOCPATH} ++is unset). ++ ++Locale names which are longer than an implementation-defined limit are ++invalid and cause @code{setlocale} to fail. ++ ++As a special case, locale names used with @code{LC_ALL} can combine ++several locales, reflecting different locale settings for different ++categories. For example, you might want to use a U.S. locale with ISO ++A4 paper format, so you set @code{LANG} to @samp{en_US.UTF-8}, and ++@code{LC_PAPER} to @samp{de_DE.UTF-8}. 
In this case, the ++@code{LC_ALL}-style combined locale name is ++ ++@smallexample ++LC_CTYPE=en_US.UTF-8;LC_TIME=en_US.UTF-8;LC_PAPER=de_DE.UTF-8;@dots{} ++@end smallexample ++ ++followed by other category settings not shown here. ++ ++@vindex LOCPATH ++The path used for finding locale data can be set using the ++@code{LOCPATH} environment variable. This variable lists the ++directories in which to search for locale definitions, separated by a ++colon @samp{:}. ++ ++The default path for finding locale data is system specific. A typical ++value for the @code{LOCPATH} default is: ++ ++@smallexample ++/usr/share/locale ++@end smallexample ++ ++The value of @code{LOCPATH} is ignored by privileged programs for ++security reasons, and only the default directory is used. ++ ++@node Locale Information, Formatting Numbers, Locale Names, Locales + @section Accessing Locale Information + + There are several ways to access locale information. The simplest diff --git a/src/patches/readline/readline52-001 b/src/patches/readline/readline52-001 deleted file mode 100644 index 0bec9a278..000000000 --- a/src/patches/readline/readline52-001 +++ /dev/null 
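Review bot: In `valid_locale_name` (the locale/findlocale.c part of this patch) the `/* Not set. */` comment sits directly above `size_t namelen = strlen (name);` and describes no check; the function relies on its caller for a non-NULL name, which `_nl_find_locale` appears to provide by falling back to `_nl_C_name` and comparing against the C/POSIX names before the call. I would replace it with `/* NAME must be non-NULL; _nl_find_locale guarantees this before calling. */`. The removed `__libc_enable_secure` slash test also means the `..` and leading-slash checks here are what now constrains slash-containing names in privileged programs, and the added tst-setlocale3 cases do not appear to run in that mode, so that path is worth confirming separately.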
@@ -1,30 +0,0 @@
- READLINE PATCH REPORT
- =====================
-
-Readline-Release: 5.2
-Patch-ID: readline52-001
-
-Bug-Reported-by: ebb9@byu.net
-Bug-Reference-ID: <45540862.9030900@byu.net>
-Bug-Reference-URL: http://lists.gnu.org/archive/html/bug-bash/2006-11/msg00017.html
- http://lists.gnu.org/archive/html/bug-bash/2006-11/msg00016.html
-
-Bug-Description:
-
-In some cases, code that is intended to be used in the presence of multibyte
-characters is called when no such characters are present, leading to incorrect
-display position calculations and incorrect redisplay.
-
-Patch:
-
-*** ../readline-5.2/display.c Thu Sep 14 14:20:12 2006
---- display.c Mon Nov 13 17:55:57 2006
-***************
-*** 2381,2384 ****
---- 2409,2414 ----
- if (end <= start)
- return 0;
-+ if (MB_CUR_MAX == 1 || rl_byte_oriented)
-+ return (end - start);
-
- memset (&ps, 0, sizeof (mbstate_t));
diff --git a/src/patches/readline/readline52-002 b/src/patches/readline/readline52-002
deleted file mode 100644
index b0d8c9223..000000000
--- a/src/patches/readline/readline52-002
+++ /dev/null
@@ -1,49 +0,0 @@
- READLINE PATCH REPORT
- =====================
-
-Readline-Release: 5.2
-Patch-ID: readline52-002
-
-Bug-Reported-by: Magnus Svensson
-Bug-Reference-ID: <45BDC44D.80609@mysql.com>
-Bug-Reference-URL: http://lists.gnu.org/archive/html/bug-readline/2007-01/msg00002.html
-
-Bug-Description:
-
-Readline neglects to reallocate the array it uses to keep track of wrapped
-screen lines when increasing its size. This will eventually result in
-segmentation faults when given sufficiently long input.
-
-Patch:
-
-*** ../readline-5.2-patched/display.c Thu Sep 14 14:20:12 2006
---- display.c Fri Feb 2 20:23:17 2007
-***************
-*** 561,574 ****
---- 561,586 ----
- wrap_offset = prompt_invis_chars_first_line = 0;
- }
-
-+ #if defined (HANDLE_MULTIBYTE)
- #define CHECK_INV_LBREAKS() \
- do { \
- if (newlines >= (inv_lbsize - 2)) \
- { \
- inv_lbsize *= 2; \
- inv_lbreaks = (int *)xrealloc (inv_lbreaks, inv_lbsize * sizeof (int)); \
-+ _rl_wrapped_line = (int *)xrealloc (_rl_wrapped_line, inv_lbsize * sizeof (int)); \
- } \
- } while (0)
-+ #else
-+ #define CHECK_INV_LBREAKS() \
-+ do { \
-+ if (newlines >= (inv_lbsize - 2)) \
-+ { \
-+ inv_lbsize *= 2; \
-+ inv_lbreaks = (int *)xrealloc (inv_lbreaks, inv_lbsize * sizeof (int)); \
-+ } \
-+ } while (0)
-+ #endif /* HANDLE_MULTIBYTE */
-
- #if defined (HANDLE_MULTIBYTE)
- #define CHECK_LPOS() \
diff --git a/src/patches/readline/readline52-003 b/src/patches/readline/readline52-003
deleted file mode 100644
index 06916b3b2..000000000
--- a/src/patches/readline/readline52-003
+++ /dev/null
@@ -1,37 +0,0 @@
- READLINE PATCH REPORT
- =====================
-
-Readline-Release: 5.2
-Patch-ID: readline52-003
-
-Bug-Reported-by: Peter Volkov
-Bug-Reference-ID: <1171795523.8021.18.camel@localhost>
-Bug-Reference-URL: http://lists.gnu.org/archive/html/bug-bash/2007-02/msg00054.html
-
-Bug-Description:
-
-When moving the cursor, bash sometimes misplaces the cursor when the prompt
-contains two or more multibyte characters. The particular circumstance that
-uncovered the problem was having the (multibyte) current directory name in
-the prompt string.
-
-Patch:
-
-*** ../readline-5.2.2/display.c Fri Jan 19 13:34:50 2007
---- display.c Sat Mar 10 17:25:44 2007
-***************
-*** 1745,1749 ****
- {
- dpos = _rl_col_width (data, 0, new);
-! if (dpos > prompt_last_invisible) /* XXX - don't use woff here */
- {
- dpos -= woff;
---- 1745,1752 ----
- {
- dpos = _rl_col_width (data, 0, new);
-! /* Use NEW when comparing against the last invisible character in the
-! prompt string, since they're both buffer indices and DPOS is a
-! desired display position. */
-! if (new > prompt_last_invisible) /* XXX - don't use woff here */
- {
- dpos -= woff;
diff --git a/src/patches/readline/readline52-004 b/src/patches/readline/readline52-004
deleted file mode 100644
index b165ad9f4..000000000
--- a/src/patches/readline/readline52-004
+++ /dev/null
@@ -1,70 +0,0 @@
- READLINE PATCH REPORT
- =====================
-
-Readline-Release: 5.2
-Patch-ID: readline52-004
-
-Bug-Reported-by: Peter Volkov
-Bug-Reference-ID: <1173636022.7039.36.camel@localhost>
-Bug-Reference-URL: http://lists.gnu.org/archive/html/bug-bash/2007-03/msg00039.html
-
-Bug-Description:
-
-When restoring the original prompt after finishing an incremental search,
-bash sometimes places the cursor incorrectly if the primary prompt contains
-invisible characters.
-
-Patch:
-
-*** ../readline-5.2.3/display.c Fri Apr 20 13:30:16 2007
---- display.c Fri Apr 20 15:17:01 2007
-***************
-*** 1599,1604 ****
- if (temp > 0)
- {
- _rl_output_some_chars (nfd, temp);
-! _rl_last_c_pos += _rl_col_width (nfd, 0, temp);;
- }
- }
---- 1599,1618 ----
- if (temp > 0)
- {
-+ /* If nfd begins at the prompt, or before the invisible
-+ characters in the prompt, we need to adjust _rl_last_c_pos
-+ in a multibyte locale to account for the wrap offset and
-+ set cpos_adjusted accordingly. */
- _rl_output_some_chars (nfd, temp);
-! if (MB_CUR_MAX > 1 && rl_byte_oriented == 0)
-! {
-! _rl_last_c_pos += _rl_col_width (nfd, 0, temp);
-! if (current_line == 0 && wrap_offset && ((nfd - new) <= prompt_last_invisible))
-! {
-! _rl_last_c_pos -= wrap_offset;
-! cpos_adjusted = 1;
-! }
-! }
-! else
-! _rl_last_c_pos += temp;
- }
- }
-***************
-*** 1608,1613 ****
---- 1622,1639 ----
- if (temp > 0)
- {
-+ /* If nfd begins at the prompt, or before the invisible
-+ characters in the prompt, we need to adjust _rl_last_c_pos
-+ in a multibyte locale to account for the wrap offset and
-+ set cpos_adjusted accordingly. */
- _rl_output_some_chars (nfd, temp);
- _rl_last_c_pos += col_temp; /* XXX */
-+ if (MB_CUR_MAX > 1 && rl_byte_oriented == 0)
-+ {
-+ if (current_line == 0 && wrap_offset && ((nfd - new) <= prompt_last_invisible))
-+ {
-+ _rl_last_c_pos -= wrap_offset;
-+ cpos_adjusted = 1;
-+ }
-+ }
- }
- lendiff = (oe - old) - (ne - new);
diff --git a/src/patches/readline/readline52-005 b/src/patches/readline/readline52-005
deleted file mode 100644
index d192ac152..000000000
--- a/src/patches/readline/readline52-005
+++ /dev/null
@@ -1,328 +0,0 @@ - READLINE PATCH REPORT - ===================== - -Readline-Release: 5.2 -Patch-ID: readline52-005 - -Bug-Reported-by: Thomas Loeber -Bug-Reference-ID: <200703082223.08919.ifp@loeber1.de> -Bug-Reference-URL: http://lists.gnu.org/archive/html/bug-bash/2007-03/msg00036.html - -Bug-Description: - -When rl_read_key returns -1, indicating that readline's controlling terminal -has been invalidated for some reason (e.g., receiving a SIGHUP), the error -status was not reported correctly to the caller. This could cause input -loops. - -Patch: - -*** ../readline-5.2/complete.c Fri Jul 28 11:35:49 2006 ---- complete.c Tue Mar 13 08:50:16 2007 -*************** -*** 429,433 **** - if (c == 'n' || c == 'N' || c == RUBOUT) - return (0); -! if (c == ABORT_CHAR) - _rl_abort_internal (); - if (for_pager && (c == NEWLINE || c == RETURN)) ---- 440,444 ---- - if (c == 'n' || c == 'N' || c == RUBOUT) - return (0); -! if (c == ABORT_CHAR || c < 0) - _rl_abort_internal (); - if (for_pager && (c == NEWLINE || c == RETURN)) -*** ../readline-5.2/input.c Wed Aug 16 15:15:16 2006 ---- input.c Wed May 2 16:07:59 2007 -*************** -*** 514,518 **** - int size; - { -! int mb_len = 0; - size_t mbchar_bytes_length; - wchar_t wc; ---- 522,526 ---- - int size; - { -! int mb_len, c; - size_t mbchar_bytes_length; - wchar_t wc; -*************** -*** 521,531 **** - memset(&ps, 0, sizeof (mbstate_t)); - memset(&ps_back, 0, sizeof (mbstate_t)); -! - while (mb_len < size) - { - RL_SETSTATE(RL_STATE_MOREINPUT); -! mbchar[mb_len++] = rl_read_key (); - RL_UNSETSTATE(RL_STATE_MOREINPUT); - - mbchar_bytes_length = mbrtowc (&wc, mbchar, mb_len, &ps); - if (mbchar_bytes_length == (size_t)(-1)) ---- 529,545 ---- - memset(&ps, 0, sizeof (mbstate_t)); - memset(&ps_back, 0, sizeof (mbstate_t)); -! -! mb_len = 0; - while (mb_len < size) - { - RL_SETSTATE(RL_STATE_MOREINPUT); -! 
c = rl_read_key (); - RL_UNSETSTATE(RL_STATE_MOREINPUT); - -+ if (c < 0) -+ break; -+ -+ mbchar[mb_len++] = c; -+ - mbchar_bytes_length = mbrtowc (&wc, mbchar, mb_len, &ps); - if (mbchar_bytes_length == (size_t)(-1)) -*************** -*** 565,569 **** - c = first; - memset (mb, 0, mlen); -! for (i = 0; i < mlen; i++) - { - mb[i] = (char)c; ---- 579,583 ---- - c = first; - memset (mb, 0, mlen); -! for (i = 0; c >= 0 && i < mlen; i++) - { - mb[i] = (char)c; -*** ../readline-5.2/isearch.c Mon Dec 26 17:18:53 2005 ---- isearch.c Fri Mar 9 14:30:59 2007 -*************** -*** 328,333 **** - - f = (rl_command_func_t *)NULL; -! -! /* Translate the keys we do something with to opcodes. */ - if (c >= 0 && _rl_keymap[c].type == ISFUNC) - { ---- 328,340 ---- - - f = (rl_command_func_t *)NULL; -! -! if (c < 0) -! { -! cxt->sflags |= SF_FAILED; -! cxt->history_pos = cxt->last_found_line; -! return -1; -! } -! -! /* Translate the keys we do something with to opcodes. */ - if (c >= 0 && _rl_keymap[c].type == ISFUNC) - { -*** ../readline-5.2/misc.c Mon Dec 26 17:20:46 2005 ---- misc.c Fri Mar 9 14:44:11 2007 -*************** -*** 147,150 **** ---- 147,152 ---- - rl_clear_message (); - RL_UNSETSTATE(RL_STATE_NUMERICARG); -+ if (key < 0) -+ return -1; - return (_rl_dispatch (key, _rl_keymap)); - } -*** ../readline-5.2/readline.c Wed Aug 16 15:00:36 2006 ---- readline.c Fri Mar 9 14:47:24 2007 -*************** -*** 646,649 **** ---- 669,677 ---- - { - nkey = _rl_subseq_getchar (cxt->okey); -+ if (nkey < 0) -+ { -+ _rl_abort_internal (); -+ return -1; -+ } - r = _rl_dispatch_subseq (nkey, cxt->dmap, cxt->subseq_arg); - cxt->flags |= KSEQ_DISPATCHED; -*** ../readline-5.2/text.c Fri Jul 28 11:55:27 2006 ---- text.c Sun Mar 25 13:41:38 2007 -*************** -*** 858,861 **** ---- 864,870 ---- - RL_UNSETSTATE(RL_STATE_MOREINPUT); - -+ if (c < 0) -+ return -1; -+ - #if defined (HANDLE_SIGNALS) - if (RL_ISSTATE (RL_STATE_CALLBACK) == 0) -*************** -*** 1521,1524 **** ---- 1530,1536 
---- - mb_len = _rl_read_mbchar (mbchar, MB_LEN_MAX); - -+ if (mb_len <= 0) -+ return -1; -+ - if (count < 0) - return (_rl_char_search_internal (-count, bdir, mbchar, mb_len)); -*************** -*** 1537,1540 **** ---- 1549,1555 ---- - RL_UNSETSTATE(RL_STATE_MOREINPUT); - -+ if (c < 0) -+ return -1; -+ - if (count < 0) - return (_rl_char_search_internal (-count, bdir, c)); -*** ../readline-5.2/vi_mode.c Sat Jul 29 16:42:28 2006 ---- vi_mode.c Fri Mar 9 15:02:11 2007 -*************** -*** 887,890 **** ---- 887,897 ---- - c = rl_read_key (); - RL_UNSETSTATE(RL_STATE_MOREINPUT); -+ -+ if (c < 0) -+ { -+ *nextkey = 0; -+ return -1; -+ } -+ - *nextkey = c; - -*************** -*** 903,906 **** ---- 910,918 ---- - c = rl_read_key (); /* real command */ - RL_UNSETSTATE(RL_STATE_MOREINPUT); -+ if (c < 0) -+ { -+ *nextkey = 0; -+ return -1; -+ } - *nextkey = c; - } -*************** -*** 1225,1236 **** - _rl_callback_generic_arg *data; - { - #if defined (HANDLE_MULTIBYTE) -! _rl_vi_last_search_mblen = _rl_read_mbchar (_rl_vi_last_search_mbchar, MB_LEN_MAX); - #else - RL_SETSTATE(RL_STATE_MOREINPUT); -! _rl_vi_last_search_char = rl_read_key (); - RL_UNSETSTATE(RL_STATE_MOREINPUT); - #endif - - _rl_callback_func = 0; - _rl_want_redisplay = 1; ---- 1243,1262 ---- - _rl_callback_generic_arg *data; - { -+ int c; - #if defined (HANDLE_MULTIBYTE) -! c = _rl_vi_last_search_mblen = _rl_read_mbchar (_rl_vi_last_search_mbchar, MB_LEN_MAX); - #else - RL_SETSTATE(RL_STATE_MOREINPUT); -! c = rl_read_key (); - RL_UNSETSTATE(RL_STATE_MOREINPUT); - #endif - -+ if (c <= 0) -+ return -1; -+ -+ #if !defined (HANDLE_MULTIBYTE) -+ _rl_vi_last_search_char = c; -+ #endif -+ - _rl_callback_func = 0; - _rl_want_redisplay = 1; -*************** -*** 1248,1251 **** ---- 1274,1278 ---- - int count, key; - { -+ int c; - #if defined (HANDLE_MULTIBYTE) - static char *target; -*************** -*** 1294,1302 **** - { - #if defined (HANDLE_MULTIBYTE) -! 
_rl_vi_last_search_mblen = _rl_read_mbchar (_rl_vi_last_search_mbchar, MB_LEN_MAX); - #else - RL_SETSTATE(RL_STATE_MOREINPUT); -! _rl_vi_last_search_char = rl_read_key (); - RL_UNSETSTATE(RL_STATE_MOREINPUT); - #endif - } ---- 1321,1335 ---- - { - #if defined (HANDLE_MULTIBYTE) -! c = _rl_read_mbchar (_rl_vi_last_search_mbchar, MB_LEN_MAX); -! if (c <= 0) -! return -1; -! _rl_vi_last_search_mblen = c; - #else - RL_SETSTATE(RL_STATE_MOREINPUT); -! c = rl_read_key (); - RL_UNSETSTATE(RL_STATE_MOREINPUT); -+ if (c < 0) -+ return -1; -+ _rl_vi_last_search_char = c; - #endif - } -*************** -*** 1468,1471 **** ---- 1501,1507 ---- - RL_UNSETSTATE(RL_STATE_MOREINPUT); - -+ if (c < 0) -+ return -1; -+ - #if defined (HANDLE_MULTIBYTE) - if (MB_CUR_MAX > 1 && rl_byte_oriented == 0) -*************** -*** 1486,1489 **** ---- 1522,1528 ---- - _rl_vi_last_replacement = c = _rl_vi_callback_getchar (mb, MB_LEN_MAX); - -+ if (c < 0) -+ return -1; -+ - _rl_callback_func = 0; - _rl_want_redisplay = 1; -*************** -*** 1517,1520 **** ---- 1556,1562 ---- - _rl_vi_last_replacement = c = _rl_vi_callback_getchar (mb, MB_LEN_MAX); - -+ if (c < 0) -+ return -1; -+ - return (_rl_vi_change_char (count, c, mb)); - } -*************** -*** 1651,1655 **** - RL_UNSETSTATE(RL_STATE_MOREINPUT); - -! if (ch < 'a' || ch > 'z') - { - rl_ding (); ---- 1693,1697 ---- - RL_UNSETSTATE(RL_STATE_MOREINPUT); - -! if (ch < 0 || ch < 'a' || ch > 'z') /* make test against 0 explicit */ - { - rl_ding (); -*************** -*** 1703,1707 **** - return 0; - } -! else if (ch < 'a' || ch > 'z') - { - rl_ding (); ---- 1745,1749 ---- - return 0; - } -! else if (ch < 0 || ch < 'a' || ch > 'z') /* make test against 0 explicit */ - { - rl_ding (); diff --git a/src/patches/readline/readline52-006 b/src/patches/readline/readline52-006 deleted file mode 100644 index d7391438d..000000000 --- a/src/patches/readline/readline52-006 +++ /dev/null 
@@ -1,62 +0,0 @@ - READLINE PATCH REPORT - ===================== - -Readline-Release: 5.2 -Patch-ID: readline52-006 - -Bug-Reported-by: Peter Volkov -Bug-Reference-ID: <1178376645.9063.25.camel@localhost> -Bug-Reference-URL: http://bugs.gentoo.org/177095 - -Bug-Description: - -The readline display code miscalculated the screen position when performing -a redisplay in which the new text occupies more screen space that the old, -but takes fewer bytes to do so (e.g., when replacing a shorter string -containing multibyte characters with a longer one containing only ASCII). - -Patch: - -*** ../readline-5.2/display.c Thu Apr 26 11:38:22 2007 ---- display.c Thu Jul 12 23:10:10 2007 -*************** -*** 1519,1527 **** - /* Non-zero if we're increasing the number of lines. */ - int gl = current_line >= _rl_vis_botlin && inv_botlin > _rl_vis_botlin; - /* Sometimes it is cheaper to print the characters rather than - use the terminal's capabilities. If we're growing the number - of lines, make sure we actually cause the new line to wrap - around on auto-wrapping terminals. */ -! if (_rl_terminal_can_insert && ((2 * col_temp) >= col_lendiff || _rl_term_IC) && (!_rl_term_autowrap || !gl)) - { - /* If lendiff > prompt_visible_length and _rl_last_c_pos == 0 and ---- 1568,1596 ---- - /* Non-zero if we're increasing the number of lines. */ - int gl = current_line >= _rl_vis_botlin && inv_botlin > _rl_vis_botlin; -+ /* If col_lendiff is > 0, implying that the new string takes up more -+ screen real estate than the old, but lendiff is < 0, meaning that it -+ takes fewer bytes, we need to just output the characters starting -+ from the first difference. These will overwrite what is on the -+ display, so there's no reason to do a smart update. This can really -+ only happen in a multibyte environment. 
*/ -+ if (lendiff < 0) -+ { -+ _rl_output_some_chars (nfd, temp); -+ _rl_last_c_pos += _rl_col_width (nfd, 0, temp); -+ /* If nfd begins before any invisible characters in the prompt, -+ adjust _rl_last_c_pos to account for wrap_offset and set -+ cpos_adjusted to let the caller know. */ -+ if (current_line == 0 && wrap_offset && ((nfd - new) <= prompt_last_invisible)) -+ { -+ _rl_last_c_pos -= wrap_offset; -+ cpos_adjusted = 1; -+ } -+ return; -+ } - /* Sometimes it is cheaper to print the characters rather than - use the terminal's capabilities. If we're growing the number - of lines, make sure we actually cause the new line to wrap - around on auto-wrapping terminals. */ -! else if (_rl_terminal_can_insert && ((2 * col_temp) >= col_lendiff || _rl_term_IC) && (!_rl_term_autowrap || !gl)) - { - /* If lendiff > prompt_visible_length and _rl_last_c_pos == 0 and diff --git a/src/patches/readline/readline52-007 b/src/patches/readline/readline52-007 deleted file mode 100644 index f75f53fc6..000000000 --- a/src/patches/readline/readline52-007 +++ /dev/null 
@@ -1,65 +0,0 @@
- READLINE PATCH REPORT
- =====================
-
-Readline-Release: 5.2
-Patch-ID: readline52-007
-
-Bug-Reported-by: Tom Bjorkholm
-Bug-Reference-ID:
-Bug-Reference-URL: http://lists.gnu.org/archive/html/bug-readline/2007-04/msg00004.html
-
-
-Bug-Description:
-
-An off-by-one error in readline's input buffering caused readline to drop
-each 511th character of buffered input (e.g., when pasting a large amount
-of data into a terminal window).
-
-Patch:
-
-*** ../readline-5.2/input.c Wed Aug 16 15:15:16 2006
---- input.c Tue Jul 17 09:24:21 2007
-***************
-*** 134,139 ****
-
- *key = ibuffer[pop_index++];
-!
- if (pop_index >= ibuffer_len)
- pop_index = 0;
-
---- 134,142 ----
-
- *key = ibuffer[pop_index++];
-! #if 0
- if (pop_index >= ibuffer_len)
-+ #else
-+ if (pop_index > ibuffer_len)
-+ #endif
- pop_index = 0;
-
-***************
-*** 251,255 ****
- {
- k = (*rl_getc_function) (rl_instream);
-! rl_stuff_char (k);
- if (k == NEWLINE || k == RETURN)
- break;
---- 254,259 ----
- {
- k = (*rl_getc_function) (rl_instream);
-! if (rl_stuff_char (k) == 0)
-! break; /* some problem; no more room */
- if (k == NEWLINE || k == RETURN)
- break;
-***************
-*** 374,378 ****
---- 378,386 ----
- }
- ibuffer[push_index++] = key;
-+ #if 0
- if (push_index >= ibuffer_len)
-+ #else
-+ if (push_index > ibuffer_len)
-+ #endif
- push_index = 0;
-
diff --git a/src/patches/readline/readline52-008 b/src/patches/readline/readline52-008
deleted file mode 100644
index 1d7f3277f..000000000
--- a/src/patches/readline/readline52-008
+++ /dev/null
@@ -1,70 +0,0 @@ - READLINE PATCH REPORT - ===================== - -Readline-Release: 5.2 -Patch-ID: readline52-008 - -Bug-Reported-by: dAniel hAhler -Bug-Reference-ID: <4702ED8A.5000503@thequod.de> -Bug-Reference-URL: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/119938 - -Bug-Description: - -When updating the display after displaying, for instance, a list of possible -completions, readline will place the cursor at the wrong position if the -prompt contains invisible characters and a newline. - -Patch: - -*** ../readline-5.2-patched/display.c Mon Aug 6 14:26:29 2007 ---- display.c Wed Oct 10 22:43:58 2007 -*************** -*** 1049,1053 **** - else - tx = nleft; -! if (_rl_last_c_pos > tx) - { - _rl_backspace (_rl_last_c_pos - tx); /* XXX */ ---- 1049,1053 ---- - else - tx = nleft; -! if (tx >= 0 && _rl_last_c_pos > tx) - { - _rl_backspace (_rl_last_c_pos - tx); /* XXX */ -*************** -*** 1205,1209 **** - { - register char *ofd, *ols, *oe, *nfd, *nls, *ne; -! int temp, lendiff, wsatend, od, nd; - int current_invis_chars; - int col_lendiff, col_temp; ---- 1205,1209 ---- - { - register char *ofd, *ols, *oe, *nfd, *nls, *ne; -! int temp, lendiff, wsatend, od, nd, o_cpos; - int current_invis_chars; - int col_lendiff, col_temp; -*************** -*** 1466,1469 **** ---- 1466,1471 ---- - } - -+ o_cpos = _rl_last_c_pos; -+ - /* When this function returns, _rl_last_c_pos is correct, and an absolute - cursor postion in multibyte mode, but a buffer index when not in a -*************** -*** 1475,1479 **** - invisible characters in the prompt string. Let's see if setting this when - we make sure we're at the end of the drawn prompt string works. */ -! if (current_line == 0 && MB_CUR_MAX > 1 && rl_byte_oriented == 0 && _rl_last_c_pos == prompt_physical_chars) - cpos_adjusted = 1; - #endif ---- 1477,1483 ---- - invisible characters in the prompt string. Let's see if setting this when - we make sure we're at the end of the drawn prompt string works. */ -! 
if (current_line == 0 && MB_CUR_MAX > 1 && rl_byte_oriented == 0 && -! (_rl_last_c_pos > 0 || o_cpos > 0) && -! _rl_last_c_pos == prompt_physical_chars) - cpos_adjusted = 1; - #endif diff --git a/src/patches/readline/readline52-009 b/src/patches/readline/readline52-009 deleted file mode 100644 index af9e38174..000000000 --- a/src/patches/readline/readline52-009 +++ /dev/null @@ -1,45 +0,0 @@ - READLINE PATCH REPORT - ===================== - -Readline-Release: 5.2 -Patch-ID: readline52-009 - -Bug-Reported-by: dAniel hAhler -Bug-Reference-ID: -Bug-Reference-URL: - -Bug-Description: - -Under some circumstances, readline will incorrectly display a prompt string -containing invisible characters after the final newline. - -Patch: - -*** ../readline-5.2-patched/display.c 2007-08-25 13:47:08.000000000 -0400 ---- display.c 2007-11-10 17:51:29.000000000 -0500 -*************** -*** 392,396 **** - local_prompt = expand_prompt (p, &prompt_visible_length, - &prompt_last_invisible, -! (int *)NULL, - &prompt_physical_chars); - c = *t; *t = '\0'; ---- 420,424 ---- - local_prompt = expand_prompt (p, &prompt_visible_length, - &prompt_last_invisible, -! &prompt_invis_chars_first_line, - &prompt_physical_chars); - c = *t; *t = '\0'; -*************** -*** 399,403 **** - local_prompt_prefix = expand_prompt (prompt, &prompt_prefix_length, - (int *)NULL, -! &prompt_invis_chars_first_line, - (int *)NULL); - *t = c; ---- 427,431 ---- - local_prompt_prefix = expand_prompt (prompt, &prompt_prefix_length, - (int *)NULL, -! (int *)NULL, - (int *)NULL); - *t = c; diff --git a/src/patches/readline/readline52-010 b/src/patches/readline/readline52-010 deleted file mode 100644 index ee5c026f8..000000000 --- a/src/patches/readline/readline52-010 +++ /dev/null 
@@ -1,47 +0,0 @@
- READLINE PATCH REPORT
- =====================
-
-Readline-Release: 5.2
-Patch-ID: readline52-010
-
-Bug-Reported-by: Miroslav Lichvar
-Bug-Reference-ID: Fri, 02 Nov 2007 14:07:45 +0100
-Bug-Reference-URL: http://lists.gnu.org/archive/html/bug-readline/2007-11/msg00000.html
-
-Bug-Description:
-
-In certain cases when outputting characters at the end of the line,
-e.g., when displaying the prompt string, readline positions the cursor
-incorrectly if the prompt string contains invisible characters and the
-text being drawn begins before the last invisible character in the line.
-
-Patch:
-
-*** ../readline-5.2-patched/display.c 2007-08-25 13:47:08.000000000 -0400
---- display.c 2007-11-10 17:51:29.000000000 -0500
-***************
-*** 1566,1574 ****
- else
- {
-- /* We have horizontal scrolling and we are not inserting at
-- the end. We have invisible characters in this line. This
-- is a dumb update. */
- _rl_output_some_chars (nfd, temp);
- _rl_last_c_pos += col_temp;
- return;
- }
---- 1619,1632 ----
- else
- {
- _rl_output_some_chars (nfd, temp);
- _rl_last_c_pos += col_temp;
-+ /* If nfd begins before any invisible characters in the prompt,
-+ adjust _rl_last_c_pos to account for wrap_offset and set
-+ cpos_adjusted to let the caller know. */
-+ if (current_line == 0 && wrap_offset && ((nfd - new) <= prompt_last_invisible))
-+ {
-+ _rl_last_c_pos -= wrap_offset;
-+ cpos_adjusted = 1;
-+ }
- return;
- }
diff --git a/src/patches/readline/readline52-011 b/src/patches/readline/readline52-011
deleted file mode 100644
index a1197ede6..000000000
--- a/src/patches/readline/readline52-011
+++ /dev/null
@@ -1,32 +0,0 @@
- READLINE PATCH REPORT
- =====================
-
-Readline-Release: 5.2
-Patch-ID: readline52-011
-
-Bug-Reported-by: Uwe Doering
-Bug-Reference-ID: <46F3DD72.2090801@geminix.org>
-Bug-Reference-URL: http://lists.gnu.org/archive/html/bug-bash/2007-09/msg00102.html
-
-Bug-Description:
-
-There is an off-by-one error in the code that buffers characters received
-very quickly in succession, causing characters to be dropped.
-
-Patch:
-
-*** ../readline-5.2-patched/input.c 2007-08-25 13:47:10.000000000 -0400
---- input.c 2007-10-12 22:55:25.000000000 -0400
-***************
-*** 155,159 ****
- pop_index--;
- if (pop_index < 0)
-! pop_index = ibuffer_len - 1;
- ibuffer[pop_index] = key;
- return (1);
---- 155,159 ----
- pop_index--;
- if (pop_index < 0)
-! pop_index = ibuffer_len;
- ibuffer[pop_index] = key;
- return (1);
diff --git a/src/patches/readline/readline52-012 b/src/patches/readline/readline52-012
deleted file mode 100644
index 7b370240c..000000000
--- a/src/patches/readline/readline52-012
+++ /dev/null
@@ -1,150 +0,0 @@ - READLINE PATCH REPORT - ===================== - -Readline-Release: 5.2 -Patch-ID: readline52-012 - -Bug-Reported-by: Chet Ramey -Bug-Reference-ID: -Bug-Reference-URL: - -Bug-Description: - -This updates the options required to create shared libraries on several -systems, including Mac OS X 10.5 (darwin9.x), FreeBSD, NetBSD, OpenBSD, -AIX, and HP/UX. - -Patch: - -*** ../readline-5.2-patched/support/shobj-conf 2006-04-11 09:15:43.000000000 -0400 ---- support/shobj-conf 2007-12-06 23:46:41.000000000 -0500 -*************** -*** 11,15 **** - # chet@po.cwru.edu - -! # Copyright (C) 1996-2002 Free Software Foundation, Inc. - # - # This program is free software; you can redistribute it and/or modify ---- 11,15 ---- - # chet@po.cwru.edu - -! # Copyright (C) 1996-2007 Free Software Foundation, Inc. - # - # This program is free software; you can redistribute it and/or modify -*************** -*** 115,119 **** - ;; - -! freebsd2* | netbsd*) - SHOBJ_CFLAGS=-fpic - SHOBJ_LD=ld ---- 115,119 ---- - ;; - -! freebsd2*) - SHOBJ_CFLAGS=-fpic - SHOBJ_LD=ld -*************** -*** 126,130 **** - # FreeBSD-3.x ELF - freebsd[3-9]*|freebsdelf[3-9]*|freebsdaout[3-9]*|dragonfly*) -! SHOBJ_CFLAGS=-fpic - SHOBJ_LD='${CC}' - ---- 126,130 ---- - # FreeBSD-3.x ELF - freebsd[3-9]*|freebsdelf[3-9]*|freebsdaout[3-9]*|dragonfly*) -! SHOBJ_CFLAGS=-fPIC - SHOBJ_LD='${CC}' - -*************** -*** 143,147 **** - - # Darwin/MacOS X -! darwin8*) - SHOBJ_STATUS=supported - SHLIB_STATUS=supported ---- 143,147 ---- - - # Darwin/MacOS X -! darwin[89]*) - SHOBJ_STATUS=supported - SHLIB_STATUS=supported -*************** -*** 154,158 **** - SHLIB_LIBSUFF='dylib' - -! SHOBJ_LDFLAGS='-undefined dynamic_lookup' - SHLIB_XLDFLAGS='-dynamiclib -arch_only `/usr/bin/arch` -install_name $(libdir)/$@ -current_version $(SHLIB_MAJOR)$(SHLIB_MINOR) -compatibility_version $(SHLIB_MAJOR) -v' - ---- 154,158 ---- - SHLIB_LIBSUFF='dylib' - -! 
SHOBJ_LDFLAGS='-dynamiclib -dynamic -undefined dynamic_lookup -arch_only `/usr/bin/arch`' - SHLIB_XLDFLAGS='-dynamiclib -arch_only `/usr/bin/arch` -install_name $(libdir)/$@ -current_version $(SHLIB_MAJOR)$(SHLIB_MINOR) -compatibility_version $(SHLIB_MAJOR) -v' - -*************** -*** 172,176 **** - - case "${host_os}" in -! darwin[78]*) SHOBJ_LDFLAGS='' - SHLIB_XLDFLAGS='-dynamiclib -arch_only `/usr/bin/arch` -install_name $(libdir)/$@ -current_version $(SHLIB_MAJOR)$(SHLIB_MINOR) -compatibility_version $(SHLIB_MAJOR) -v' - ;; ---- 172,176 ---- - - case "${host_os}" in -! darwin[789]*) SHOBJ_LDFLAGS='' - SHLIB_XLDFLAGS='-dynamiclib -arch_only `/usr/bin/arch` -install_name $(libdir)/$@ -current_version $(SHLIB_MAJOR)$(SHLIB_MINOR) -compatibility_version $(SHLIB_MAJOR) -v' - ;; -*************** -*** 183,187 **** - ;; - -! openbsd*) - SHOBJ_CFLAGS=-fPIC - SHOBJ_LD='${CC}' ---- 183,187 ---- - ;; - -! openbsd*|netbsd*) - SHOBJ_CFLAGS=-fPIC - SHOBJ_LD='${CC}' -*************** -*** 248,252 **** - ;; - -! aix4.[2-9]*-*gcc*) # lightly tested by jik@cisco.com - SHOBJ_CFLAGS=-fpic - SHOBJ_LD='ld' ---- 248,252 ---- - ;; - -! aix4.[2-9]*-*gcc*|aix[5-9].*-*gcc*) # lightly tested by jik@cisco.com - SHOBJ_CFLAGS=-fpic - SHOBJ_LD='ld' -*************** -*** 259,263 **** - ;; - -! aix4.[2-9]*) - SHOBJ_CFLAGS=-K - SHOBJ_LD='ld' ---- 259,263 ---- - ;; - -! aix4.[2-9]*|aix[5-9].*) - SHOBJ_CFLAGS=-K - SHOBJ_LD='ld' -*************** -*** 330,334 **** - # if you have problems linking here, moving the `-Wl,+h,$@' from - # SHLIB_XLDFLAGS to SHOBJ_LDFLAGS has been reported to work -! SHOBJ_LDFLAGS='-shared -Wl,-b -Wl,+s' - - SHLIB_XLDFLAGS='-Wl,+h,$@ -Wl,+b,$(libdir)' ---- 330,334 ---- - # if you have problems linking here, moving the `-Wl,+h,$@' from - # SHLIB_XLDFLAGS to SHOBJ_LDFLAGS has been reported to work -! SHOBJ_LDFLAGS='-shared -fpic -Wl,-b -Wl,+s' - - SHLIB_XLDFLAGS='-Wl,+h,$@ -Wl,+b,$(libdir)' 
diff --git a/src/patches/readline/readline52-013 b/src/patches/readline/readline52-013
deleted file mode 100644
index 82a18972a..000000000
--- a/src/patches/readline/readline52-013
+++ /dev/null
@@ -1,135 +0,0 @@ - READLINE PATCH REPORT - ===================== - -Readline-Release: 5.2 -Patch-ID: readline52-013 - -Bug-Reported-by: slinkp -Bug-Reference-ID: -Bug-Reference-URL: http://lists.gnu.org/archive/html/bug-bash/2008-05/msg00085.html - -Bug-Description: - -The presence of invisible characters in a prompt longer than the screenwidth -with invisible characters on the first and last prompt lines caused readline -to place the cursor in the wrong physical location. - -Patch: - -*** ../readline-5.2-patched/display.c 2007-12-14 21:12:40.000000000 -0500 ---- display.c 2008-10-23 09:39:46.000000000 -0400 -*************** -*** 911,914 **** ---- 944,951 ---- - OFFSET (which has already been calculated above). */ - -+ #define INVIS_FIRST() (prompt_physical_chars > _rl_screenwidth ? prompt_invis_chars_first_line : wrap_offset) -+ #define WRAP_OFFSET(line, offset) ((line == 0) \ -+ ? (offset ? INVIS_FIRST() : 0) \ -+ : ((line == prompt_last_screen_line) ? wrap_offset-prompt_invis_chars_first_line : 0)) - #define W_OFFSET(line, offset) ((line) == 0 ? offset : 0) - #define VIS_LLEN(l) ((l) > _rl_vis_botlin ? 0 : (vis_lbreaks[l+1] - vis_lbreaks[l])) -*************** -*** 945,949 **** - _rl_last_c_pos > wrap_offset && - o_cpos < prompt_last_invisible) -! _rl_last_c_pos -= wrap_offset; - - /* If this is the line with the prompt, we might need to ---- 982,992 ---- - _rl_last_c_pos > wrap_offset && - o_cpos < prompt_last_invisible) -! _rl_last_c_pos -= prompt_invis_chars_first_line; /* XXX - was wrap_offset */ -! else if (linenum == prompt_last_screen_line && prompt_physical_chars > _rl_screenwidth && -! (MB_CUR_MAX > 1 && rl_byte_oriented == 0) && -! cpos_adjusted == 0 && -! _rl_last_c_pos != o_cpos && -! _rl_last_c_pos > (prompt_last_invisible - _rl_screenwidth - prompt_invis_chars_first_line)) -! 
_rl_last_c_pos -= (wrap_offset-prompt_invis_chars_first_line); - - /* If this is the line with the prompt, we might need to -*************** -*** 1205,1209 **** - { - register char *ofd, *ols, *oe, *nfd, *nls, *ne; -! int temp, lendiff, wsatend, od, nd, o_cpos; - int current_invis_chars; - int col_lendiff, col_temp; ---- 1264,1268 ---- - { - register char *ofd, *ols, *oe, *nfd, *nls, *ne; -! int temp, lendiff, wsatend, od, nd, twidth, o_cpos; - int current_invis_chars; - int col_lendiff, col_temp; -*************** -*** 1221,1225 **** - temp = _rl_last_c_pos; - else -! temp = _rl_last_c_pos - W_OFFSET(_rl_last_v_pos, visible_wrap_offset); - if (temp == _rl_screenwidth && _rl_term_autowrap && !_rl_horizontal_scroll_mode - && _rl_last_v_pos == current_line - 1) ---- 1280,1284 ---- - temp = _rl_last_c_pos; - else -! temp = _rl_last_c_pos - WRAP_OFFSET (_rl_last_v_pos, visible_wrap_offset); - if (temp == _rl_screenwidth && _rl_term_autowrap && !_rl_horizontal_scroll_mode - && _rl_last_v_pos == current_line - 1) -*************** -*** 1587,1599 **** - { - _rl_output_some_chars (nfd + lendiff, temp - lendiff); -- #if 1 - /* XXX -- this bears closer inspection. Fixes a redisplay bug - reported against bash-3.0-alpha by Andreas Schwab involving - multibyte characters and prompt strings with invisible - characters, but was previously disabled. */ -! _rl_last_c_pos += _rl_col_width (nfd+lendiff, 0, temp-col_lendiff); -! #else -! _rl_last_c_pos += _rl_col_width (nfd+lendiff, 0, temp-lendiff); -! #endif - } - } ---- 1648,1660 ---- - { - _rl_output_some_chars (nfd + lendiff, temp - lendiff); - /* XXX -- this bears closer inspection. Fixes a redisplay bug - reported against bash-3.0-alpha by Andreas Schwab involving - multibyte characters and prompt strings with invisible - characters, but was previously disabled. */ -! if (MB_CUR_MAX > 1 && rl_byte_oriented == 0) -! twidth = _rl_col_width (nfd+lendiff, 0, temp-col_lendiff); -! else -! twidth = temp - lendiff; -! 
_rl_last_c_pos += twidth; - } - } -*************** -*** 1789,1793 **** - int cpos, dpos; /* current and desired cursor positions */ - -! woff = W_OFFSET (_rl_last_v_pos, wrap_offset); - cpos = _rl_last_c_pos; - #if defined (HANDLE_MULTIBYTE) ---- 1850,1854 ---- - int cpos, dpos; /* current and desired cursor positions */ - -! woff = WRAP_OFFSET (_rl_last_v_pos, wrap_offset); - cpos = _rl_last_c_pos; - #if defined (HANDLE_MULTIBYTE) -*************** -*** 1803,1807 **** - prompt string, since they're both buffer indices and DPOS is a - desired display position. */ -! if (new > prompt_last_invisible) /* XXX - don't use woff here */ - { - dpos -= woff; ---- 1864,1872 ---- - prompt string, since they're both buffer indices and DPOS is a - desired display position. */ -! if ((new > prompt_last_invisible) || /* XXX - don't use woff here */ -! (prompt_physical_chars > _rl_screenwidth && -! _rl_last_v_pos == prompt_last_screen_line && -! wrap_offset != woff && -! new > (prompt_last_invisible-_rl_screenwidth-wrap_offset))) - { - dpos -= woff; diff --git a/src/patches/readline/readline52-014 b/src/patches/readline/readline52-014 deleted file mode 100644 index 8dfaae45d..000000000 --- a/src/patches/readline/readline52-014 +++ /dev/null 
@@ -1,49 +0,0 @@
- READLINE PATCH REPORT
- =====================
-
-Readline-Release: 5.2
-Patch-ID: readline52-014
-
-Bug-Reported-by: Len Lattanzi
-Bug-Reference-ID: <52B1297F-6675-45CC-B63E-24745337D006@apple.com>
-Bug-Reference-URL:
-
-Bug-Description:
-
-On systems where mbrtowc() returns -2 when passed a length argument with
-value 0, when using a multibyte locale, Readline's emacs-mode forward-char
-at the end of a line will leave the point beyond the end of the line.
-
-Patch:
-
-*** ../readline-5.2-patched/mbutil.c 2009-05-29 23:09:26.000000000 -0400
---- mbutil.c 2009-05-29 23:10:12.000000000 -0400
-***************
-*** 78,82 ****
- int seed, count, find_non_zero;
- {
-! size_t tmp;
- mbstate_t ps;
- int point;
---- 78,82 ----
- int seed, count, find_non_zero;
- {
-! size_t tmp, len;
- mbstate_t ps;
- int point;
-***************
-*** 99,103 ****
- while (count > 0)
- {
-! tmp = mbrtowc (&wc, string+point, strlen(string + point), &ps);
- if (MB_INVALIDCH ((size_t)tmp))
- {
---- 99,106 ----
- while (count > 0)
- {
-! len = strlen (string + point);
-! if (len == 0)
-! break;
-! tmp = mbrtowc (&wc, string+point, len, &ps);
- if (MB_INVALIDCH ((size_t)tmp))
- {