From 31076c19c36b04dab53ed2592d67710ff7e8ef79 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Mon, 22 Sep 2014 01:00:51 +0200
Subject: [PATCH] Fix #212 CVE-2006-2237

---
 docs/awstats_changelog.txt | 1 +
 wwwroot/cgi-bin/awstats.pl | 6 +++---
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/docs/awstats_changelog.txt b/docs/awstats_changelog.txt
index f32ec133e..5fc75f915 100644
--- a/docs/awstats_changelog.txt
+++ b/docs/awstats_changelog.txt
@@ -18,6 +18,7 @@ Fixes:
 - #921 Failure in the help text for geoip_generator.pl
 - #909 awstats_buildstaticpages.pl noisy debug output.
 - #680 Invalid data passed to Time::Local causes global destruction.
+- #212 Fix CVE-2006-2237
 
 
 ***** 7.3 *****
diff --git a/wwwroot/cgi-bin/awstats.pl b/wwwroot/cgi-bin/awstats.pl
index eb14ae3bc..8e40988c2 100755
--- a/wwwroot/cgi-bin/awstats.pl
+++ b/wwwroot/cgi-bin/awstats.pl
@@ -1322,7 +1322,7 @@ sub debug {
 	if ( $level <= $DEBUGFORCED ) {
 		my $debugstring = $_[0];
 		if ( !$DebugResetDone ) {
-			open( DEBUGFORCEDFILE, "debug.log" );
+			open( DEBUGFORCEDFILE, "<debug.log" );
 			close DEBUGFORCEDFILE;
 			chmod 0666, "debug.log";
 			$DebugResetDone = 1;
@@ -1745,7 +1745,7 @@ sub Read_Config {
 		my $searchdir = $_;
 		if ( $searchdir && $searchdir !~ /[\\\/]$/ ) { $searchdir .= "/"; }
 		
-		if ( -f $searchdir.$PROG.".".$SiteConfig.".conf" &&  open( CONFIG, "$searchdir$PROG.$SiteConfig.conf" ) ) {
+		if ( -f $searchdir.$PROG.".".$SiteConfig.".conf" &&  open( CONFIG, "<$searchdir$PROG.$SiteConfig.conf" ) ) {
 			$FileConfig = "$searchdir$PROG.$SiteConfig.conf";
 			$FileSuffix = ".$SiteConfig";
 			if ($Debug){debug("Opened config: $searchdir$PROG.$SiteConfig.conf", 2);}
@@ -1890,7 +1890,7 @@ sub Parse_Config {
 				next;
 			}
             local( *CONFIG_INCLUDE );   # To avoid having parent file closed when include file is closed
-			if ( open( CONFIG_INCLUDE, $includeFile ) ) {
+			if ( open( CONFIG_INCLUDE, "<$includeFile" ) ) {
 				&Parse_Config( *CONFIG_INCLUDE, $level + 1, $includeFile );
 				close(CONFIG_INCLUDE);
 			}