Wed Jul 28 16:28:51 2010 UTC ()
Add two patches from Contao repository:

* Fix possible XSS problem on frontend module.
* Fix preview problem when URL rewriting is enabled.

Bump PKGREVISION.


(taca)
diff -r1.3 -r1.4 pkgsrc/www/contao29/Makefile
diff -r1.1.1.1 -r1.2 pkgsrc/www/contao29/distinfo
diff -r0 -r1.1 pkgsrc/www/contao29/patches/patch-aa
diff -r0 -r1.1 pkgsrc/www/contao29/patches/patch-ab

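--- a/pkgsrc/www/contao29/Attic/Makefile
+++ b/pkgsrc/www/contao29/Attic/Makefile
@@ -1,19 +1,19 @@
-# $NetBSD: Makefile,v 1.3 2010/07/22 14:04:49 taca Exp $
+# $NetBSD: Makefile,v 1.4 2010/07/28 16:28:51 taca Exp $
 #
 
 DISTNAME= contao-${CT_VERSION}
 PKGNAME= contao${CT_VER}-${CT_PKGVER}
-PKGREVISION= 2
+PKGREVISION= 3
 CATEGORIES= www
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=typolight/}
 
 MAINTAINER= taca@NetBSD.org
 HOMEPAGE= http://www.contao.org/
 COMMENT= Contao Open Source CMS
 LICENSE= gnu-lgpl-v3
 
 DEPENDS+= ${PHP_PKG_PREFIX}-gd>=5.2.0:../../graphics/php-gd
 DEPENDS+= ${PHP_PKG_PREFIX}-mbstring>=5.2.0:../../converters/php-mbstring
 DEPENDS+= ${PHP_PKG_PREFIX}-mysql>=5.2.0:../../databases/php-mysql
 DEPENDS+= ${PHP_PKG_PREFIX}-mcrypt>=5.2.0:../../security/php-mcrypt
 DEPENDS+= ${PHP_PKG_PREFIX}-soap>=5.2.0:../../net/php-soap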

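--- a/pkgsrc/www/contao29/Attic/distinfo
+++ b/pkgsrc/www/contao29/Attic/distinfo
@@ -1,5 +1,7 @@
-$NetBSD: distinfo,v 1.1.1.1 2010/07/05 14:45:22 taca Exp $
+$NetBSD: distinfo,v 1.2 2010/07/28 16:28:51 taca Exp $
 
 SHA1 (contao-2.9.0.tar.gz) = 9635d7d9251e4dfe965392ed2b2cc1f2a55f8cf9
 RMD160 (contao-2.9.0.tar.gz) = cbe78ac77e2222c8d6571d9a67a25c796e60b89e
 Size (contao-2.9.0.tar.gz) = 4335596 bytes
+SHA1 (patch-aa) = d49fa25b1549764f95d0354b10a80cf31de6ec19
+SHA1 (patch-ab) = 207ce919bb6fa7148108f8bd075d3a7d7ad1eeb9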

File Added: pkgsrc/www/contao29/patches/Attic/patch-aa
$NetBSD: patch-aa,v 1.1 2010/07/28 16:28:51 taca Exp $

Fix preview problem when URL rewriting is enabled from repository, r513.

--- contao/main.php.orig	2010-06-04 11:45:49.000000000 +0000
+++ contao/main.php
@@ -235,53 +235,57 @@ class Main extends Backend
 		$this->Template->be27 = !$GLOBALS['TL_CONFIG']['oldBeTheme'];
 		$this->Template->home = $GLOBALS['TL_LANG']['MSC']['home'];
 		$this->Template->backToTop = $GLOBALS['TL_LANG']['MSC']['backToTop'];
+		$this->Template->frontendFile = $GLOBALS['TL_CONFIG']['rewriteURL'] ? '' : 'index.php';
 
-		$this->Template->frontendFile = 'index.php';
-
-		// Preview pages
-		if ($this->Input->get('do') == 'page' && strlen(CURRENT_ID))
+		// Front end preview links
+		if (CURRENT_ID != '')
 		{
-			$objPreview = $this->Database->prepare("SELECT id, alias FROM tl_page WHERE id=?")
-										 ->limit(1)
-										 ->execute(CURRENT_ID);
-
-			if ($objPreview->numRows)
+			// Pages
+			if ($this->Input->get('do') == 'page')
 			{
-				if ($GLOBALS['TL_CONFIG']['disableAlias'])
-				{
-					$this->Template->frontendFile = 'index.php?id=' . $objPreview->id;
-				}
-				else
+				$objPreview = $this->Database->prepare("SELECT id, alias FROM tl_page WHERE id=?")
+											 ->limit(1)
+											 ->execute(CURRENT_ID);
+
+				if ($objPreview->numRows)
 				{
-					$this->Template->frontendFile = 'index.php/' . (strlen($objPreview->alias) ? $objPreview->alias : $objPreview->id) . $GLOBALS['TL_CONFIG']['urlSuffix'];
+					if ($GLOBALS['TL_CONFIG']['disableAlias'])
+					{
+						$this->Template->frontendFile .= '?id=' . $objPreview->id;
+					}
+					else
+					{
+						$this->Template->frontendFile .= ($GLOBALS['TL_CONFIG']['rewriteURL'] ? '' : '/') . (($objPreview->alias != '') ? $objPreview->alias : $objPreview->id) . $GLOBALS['TL_CONFIG']['urlSuffix'];
+					}
 				}
 			}
-		}
-
-		// Preview article
-		if ($this->Input->get('do') == 'article' && strlen(CURRENT_ID))
-		{
-			$objPreview = $this->Database->prepare("SELECT p.id AS pid, p.alias AS palias, a.id AS aid, a.alias AS aalias, a.inColumn AS acolumn FROM tl_article a, tl_page p WHERE a.id=? AND a.pid=p.id")
-										 ->limit(1)
-										 ->execute(CURRENT_ID);
-
-			if ($objPreview->numRows)
+			// Articles
+			elseif ($this->Input->get('do') == 'article')
 			{
-				$strColumn = '';
+				$objPreview = $this->Database->prepare("SELECT p.id AS pid, p.alias AS palias, a.id AS aid, a.alias AS aalias, a.inColumn AS acolumn FROM tl_article a, tl_page p WHERE a.id=? AND a.pid=p.id")
+											 ->limit(1)
+											 ->execute(CURRENT_ID);
 
-				if ($objPreview->acolumn != 'main')
+				if ($objPreview->numRows)
 				{
-					$strColumn = $objPreview->acolumn . ':';
-				}
+					$strColumn = '';
 
-				if ($GLOBALS['TL_CONFIG']['disableAlias'])
-				{
-					$this->Template->frontendFile = 'index.php?id=' . $objPreview->pid . '&articles=' . $strColumn . $objPreview->aid;
-				}
-				else
-				{
-					$this->Template->frontendFile = 'index.php/' . (strlen($objPreview->palias) ? $objPreview->palias : $objPreview->pid) . '/articles/' . $strColumn . (strlen($objPreview->aalias) ? $objPreview->aalias : $objPreview->aid) . $GLOBALS['TL_CONFIG']['urlSuffix'];
+					if ($objPreview->acolumn != 'main')
+					{
+						$strColumn = $objPreview->acolumn . ':';
+					}
+
+					if ($GLOBALS['TL_CONFIG']['disableAlias'])
+					{
+						$this->Template->frontendFile .= '?id=' . $objPreview->pid . '&articles=' . $strColumn . $objPreview->aid;
+					}
+					else
+					{
+						$this->Template->frontendFile .= ($GLOBALS['TL_CONFIG']['rewriteURL'] ? '' : '/') . (($objPreview->palias != '') ? $objPreview->palias : $objPreview->pid) . '/articles/' . $strColumn . (($objPreview->aalias != '') ? $objPreview->aalias : $objPreview->aid) . $GLOBALS['TL_CONFIG']['urlSuffix'];
+					}
 				}
+		
+			$this->Template->frontendFile = str_replace(array('?', '&', '='), array('%3F', '%26', '%3D'), $this->Template->frontendFile);
 			}
 		}
 
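Review bot: The added `str_replace()` that percent-encodes `?`, `&` and `=` sits before the brace that closes the `elseif ($this->Input->get('do') == 'article')` block, so by the braces visible in this hunk it runs only for article previews, while its three-tab indentation suggests it was meant to cover the whole `if (CURRENT_ID != '')` block. A page preview built with `disableAlias` (`'?id=' . $objPreview->id`) therefore leaves `frontendFile` unencoded; if the template embeds this value inside another URL's query string, which the hunk does not show, page and article links will behave differently. I would move the statement below the closing `}` of the `elseif`, so the order reads `}`, then `$this->Template->frontendFile = str_replace(array('?', '&', '='), array('%3F', '%26', '%3D'), $this->Template->frontendFile);`, then the `}` that closes the outer `if`. The enclosing method starts and ends outside the hunk.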

File Added: pkgsrc/www/contao29/patches/Attic/patch-ab
$NetBSD: patch-ab,v 1.1 2010/07/28 16:28:51 taca Exp $

Fix for CSS from repository, r507.

--- system/modules/frontend/Frontend.php.orig	2010-04-19 10:22:31.000000000 +0000
+++ system/modules/frontend/Frontend.php
@@ -166,8 +166,16 @@ abstract class Frontend extends Controll
 	protected function addToUrl($strRequest, $blnIgnoreParams=false)
 	{
 		$arrGet = $blnIgnoreParams ? array() : $_GET;
+
+		// Clean the $_GET values (thanks to thyon)
+		foreach (array_keys($arrGet) as $key)
+		{
+			$arrGet[$key] = $this->Input->get($key, true);
+		}
+
 		$arrFragments = preg_split('/&(amp;)?/i', $strRequest);
 
+		// Merge the new request string
 		foreach ($arrFragments as $strFragment)
 		{
 			list($key, $value) = explode('=', $strFragment);
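Review bot: The new loop cleans only the values of `$arrGet`; the parameter names returned by `array_keys($arrGet)` are request-controlled as well and are kept exactly as sent. `addToUrl()` continues past this hunk, so how the array is serialised is not visible here, but if the names are written into the generated URL they need the same care as the values, either by escaping at the point of output or by dropping unexpected names up front, e.g. `if (!preg_match('/^[A-Za-z0-9_\-]+$/', $key)) { unset($arrGet[$key]); continue; }`. A short comment stating what the second argument `true` of `$this->Input->get()` changes would help, since the fix relies entirely on that call. The patch header also says "Fix for CSS" where the commit message says XSS; writing "XSS" there avoids confusion with style sheets.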