Add update patches to fix XSS from Contao's repository. Bump PKGREVISION.diff -r1.15 -r1.16 pkgsrc/www/typolight28/Makefile
(taca)
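--- a/pkgsrc/www/typolight28/Makefile
+++ b/pkgsrc/www/typolight28/Makefile
@@ -1,19 +1,19 @@
-# $NetBSD: Makefile,v 1.15 2011/10/07 12:29:41 taca Exp $
+# $NetBSD: Makefile,v 1.16 2011/10/10 16:35:36 taca Exp $
 #
 
 DISTNAME= typolight-${TL_VERSION}
 PKGNAME= typolight${TL_VER}-${TL_PKGVER}
-PKGREVISION= 5
+PKGREVISION= 6
 CATEGORIES= www
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=typolight/}
 
 MAINTAINER= taca@NetBSD.org
 HOMEPAGE= http://www.contao.org/
 COMMENT= Powerful web content management system (CMS)
 LICENSE= gnu-lgpl-v3
 
 DEPENDS+= ${PHP_PKG_PREFIX}-gd>=5.2.0:../../graphics/php-gd
 DEPENDS+= ${PHP_PKG_PREFIX}-mbstring>=5.2.0:../../converters/php-mbstring
 DEPENDS+= ${PHP_PKG_PREFIX}-mysql>=5.2.0:../../databases/php-mysql
 DEPENDS+= ${PHP_PKG_PREFIX}-mcrypt>=5.2.0:../../security/php-mcrypt
 DEPENDS+= ${PHP_PKG_PREFIX}-soap>=5.2.0:../../net/php-soap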
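--- a/pkgsrc/www/typolight28/distinfo
+++ b/pkgsrc/www/typolight28/distinfo
@@ -1,8 +1,10 @@
-$NetBSD: distinfo,v 1.11 2011/10/07 12:29:41 taca Exp $
+$NetBSD: distinfo,v 1.12 2011/10/10 16:35:36 taca Exp $
 
 SHA1 (typolight-2.8.4.tar.gz) = d18d684a06f5dd29ffc6a28d08143feb613cd47b
 RMD160 (typolight-2.8.4.tar.gz) = ad82d00e3b7ec4e604640779fec841fcfc65f75c
 Size (typolight-2.8.4.tar.gz) = 4097946 bytes
-SHA1 (patch-ad) = ee5524db7764c9c5ede3affcb99ed0f8864d522e
+SHA1 (patch-ad) = 0654ac44d13f69ca4823a8aec27752244de6181f
 SHA1 (patch-ae) = eed6db905809b3782acb8324799de6bc8d4e855b
 SHA1 (patch-af) = 868309cff4ba1855a96745c578737878f8d118d5
+SHA1 (patch-system_libraries_Input.php) = 4a3e9409d6916a6637e12f646e33268f3067ec99
+SHA1 (patch-system_modules_frontend_ModuleArticlenav.php) = df4d8a8579e010794c3a62c5f458037ea53cc397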
@@ -1,52 +1,92 @@ | @@ -1,52 +1,92 @@ | |||
1 | $NetBSD: patch-ad,v 1.2 2011/10/07 12:29:42 taca Exp $ | 1 | $NetBSD: patch-ad,v 1.3 2011/10/10 16:35:36 taca Exp $ | |
2 | 2 | |||
3 | * Fix for CSS from repository, r507. | 3 | * Fix for CSS from repository, r507. | |
4 | * Fix potential XSS vulnerability, r1041. | 4 | * Fix potential XSS vulnerability, r1041 and r1044. | |
5 | 5 | |||
6 | --- system/modules/frontend/Frontend.php.orig 2010-04-19 10:22:31.000000000 +0000 | 6 | --- system/modules/frontend/Frontend.php.orig 2010-04-19 10:22:31.000000000 +0000 | |
7 | +++ system/modules/frontend/Frontend.php | 7 | +++ system/modules/frontend/Frontend.php | |
8 | @@ -78,7 +78,7 @@ abstract class Frontend extends Controll | 8 | @@ -78,14 +78,13 @@ abstract class Frontend extends Controll | |
9 | return is_numeric($this->Input->get('id')) ? $this->Input->get('id') : null; | 9 | return is_numeric($this->Input->get('id')) ? $this->Input->get('id') : null; | |
10 | } | 10 | } | |
11 | 11 | |||
12 | - if (!strlen($this->Environment->request)) | 12 | - if (!strlen($this->Environment->request)) | |
13 | + if ($this->Environment->request == '') | 13 | + if ($this->Environment->request == '') | |
14 | { | 14 | { | |
15 | return null; | 15 | return null; | |
16 | } | 16 | } | |
17 | @@ -104,13 +104,15 @@ abstract class Frontend extends Controll | 17 | ||
18 | $strRequest = preg_replace('/\?.*$/i', '', $this->Environment->request); | |||
19 | $strRequest = preg_replace('/' . preg_quote($GLOBALS['TL_CONFIG']['urlSuffix'], '/') . '$/i', '', $strRequest); | |||
20 | - | |||
21 | $arrFragments = explode('/', $strRequest); | |||
22 | ||||
23 | // Skip index.php | |||
24 | @@ -104,13 +103,15 @@ abstract class Frontend extends Controll | |||
18 | } | 25 | } | |
19 | } | 26 | } | |
20 | 27 | |||
21 | - // Add fragments to $_GET array | 28 | - // Add fragments to $_GET array | |
22 | + // DO NOT USE urldecode() HERE (XSS vulnerability)! | 29 | + $arrFragments = array_map('urldecode', $arrFragments); | |
23 | + | 30 | + | |
24 | + // Add the fragments to the $_GET array | 31 | + // Add the fragments to the $_GET array | |
25 | for ($i=1; $i<count($arrFragments); $i+=2) | 32 | for ($i=1; $i<count($arrFragments); $i+=2) | |
26 | { | 33 | { | |
27 | - $_GET[urldecode($arrFragments[$i])] = urldecode($arrFragments[$i+1]); | 34 | - $_GET[urldecode($arrFragments[$i])] = urldecode($arrFragments[$i+1]); | |
28 | + $_GET[$arrFragments[$i]] = $arrFragments[$i+1]; | 35 | + $this->Input->setGet($arrFragments[$i], $arrFragments[$i+1]); | |
29 | } | 36 | } | |
30 | 37 | |||
31 | - return strlen($arrFragments[0]) ? urldecode($arrFragments[0]) : null; | 38 | - return strlen($arrFragments[0]) ? urldecode($arrFragments[0]) : null; | |
32 | + return ($arrFragments[0] != '') ? $arrFragments[0] : null; | 39 | + return ($arrFragments[0] != '') ? $arrFragments[0] : null; | |
33 | } | 40 | } | |
34 | 41 | |||
35 | 42 | |||
36 | @@ -166,8 +168,16 @@ abstract class Frontend extends Controll | 43 | @@ -158,7 +159,7 @@ abstract class Frontend extends Controll | |
44 | ||||
45 | ||||
46 | /** | |||
47 | - * Overwrite parent method as front end URLs are handled differently | |||
48 | + * Overwrite the parent method as front end URLs are handled differently | |||
49 | * @param string | |||
50 | * @param boolean | |||
51 | * @return string | |||
52 | @@ -166,8 +167,16 @@ abstract class Frontend extends Controll | |||
37 | protected function addToUrl($strRequest, $blnIgnoreParams=false) | 53 | protected function addToUrl($strRequest, $blnIgnoreParams=false) | |
38 | { | 54 | { | |
39 | $arrGet = $blnIgnoreParams ? array() : $_GET; | 55 | $arrGet = $blnIgnoreParams ? array() : $_GET; | |
40 | + | 56 | + | |
41 | + // Clean the $_GET values (thanks to thyon) | 57 | + // Clean the $_GET values (thanks to thyon) | |
42 | + foreach (array_keys($arrGet) as $key) | 58 | + foreach (array_keys($arrGet) as $key) | |
43 | + { | 59 | + { | |
44 | + $arrGet[$key] = $this->Input->get($key, true); | 60 | + $arrGet[$key] = $this->Input->get($key, true); | |
45 | + } | 61 | + } | |
46 | + | 62 | + | |
47 | $arrFragments = preg_split('/&(amp;)?/i', $strRequest); | 63 | $arrFragments = preg_split('/&(amp;)?/i', $strRequest); | |
48 | 64 | |||
49 | + // Merge the new request string | 65 | + // Merge the new request string | |
50 | foreach ($arrFragments as $strFragment) | 66 | foreach ($arrFragments as $strFragment) | |
51 | { | 67 | { | |
52 | list($key, $value) = explode('=', $strFragment); | 68 | list($key, $value) = explode('=', $strFragment); | |
69 | @@ -184,9 +193,22 @@ abstract class Frontend extends Controll | |||
70 | ||||
71 | $strParams = ''; | |||
72 | ||||
73 | + // Determine connector and separator | |||
74 | + if ($GLOBALS['TL_CONFIG']['disableAlias']) | |||
75 | + { | |||
76 | + $strConnector = '&'; | |||
77 | + $strSeparator = '='; | |||
78 | + } | |||
79 | + else | |||
80 | + { | |||
81 | + $strConnector = '/'; | |||
82 | + $strSeparator = '/'; | |||
83 | + } | |||
84 | + | |||
85 | + // Compile the parameters string | |||
86 | foreach ($arrGet as $k=>$v) | |||
87 | { | |||
88 | - $strParams .= $GLOBALS['TL_CONFIG']['disableAlias'] ? '&' . $k . '=' . $v : '/' . $k . '/' . $v; | |||
89 | + $strParams .= $strConnector . urlencode($k) . $strSeparator . urlencode($v); | |||
90 | } | |||
91 | ||||
92 | // Do not use aliases |
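Review bot: The new side of patch-ad restores `$arrFragments = array_map('urldecode', $arrFragments);` exactly where the previous revision had warned `DO NOT USE urldecode() HERE (XSS vulnerability)!`, and the reason this is now acceptable — the keys go through `$this->Input->setGet()`, which sanitises them, and `addToUrl()` re-reads every value via `$this->Input->get($key, true)` before `urlencode()`ing it — is only visible across three hunks and a second patch file. A one-line comment above the `array_map` call, e.g. `// Decode first so that Input::setGet() sanitises the decoded key`, would record that this ordering is deliberate and must not be swapped. The `addToUrl()` hunk still seeds `$arrGet` from the raw `$_GET` superglobal, so fragment parameters reach the rebuilt URL only if `setGet()` also writes them into `$_GET`, which this patch does not show and should be confirmed against Input.php. The function patched by the `@@ -104,13 +103,15 @@` hunk starts outside the hunk, and `addToUrl()` continues past the `@@ -184,9 +193,22 @@` hunk.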
$NetBSD: patch-system_libraries_Input.php,v 1.1 2011/10/10 16:35:36 taca Exp $
* Fix potential XSS vulnerability, r1044.
--- system/libraries/Input.php.orig 2010-04-12 13:08:16.000000000 +0000
+++ system/libraries/Input.php
@@ -52,9 +52,14 @@ class Input
/**
- * Prevent direct instantiation (Singleton)
+ * Clean the keys of the request arrays
*/
- protected function __construct() {}
+ protected function __construct()
+ {
+ $_GET = $this->cleanKey($_GET);
+ $_POST = $this->cleanKey($_POST);
+ $_COOKIE = $this->cleanKey($_COOKIE);
+ }
/**
@@ -232,6 +237,8 @@ class Input
*/
public function setGet($strKey, $varValue)
{
+ $strKey = $this->cleanKey($strKey);
+
unset($this->arrCache['getEncoded'][$strKey]);
unset($this->arrCache['getDecoded'][$strKey]);
@@ -246,6 +253,8 @@ class Input
*/
public function setPost($strKey, $varValue)
{
+ $strKey = $this->cleanKey($strKey);
+
unset($this->arrCache['postEncoded'][$strKey]);
unset($this->arrCache['postDecoded'][$strKey]);
unset($this->arrCache['postRaw'][$strKey]);
@@ -261,6 +270,8 @@ class Input
*/
public function setCookie($strKey, $varValue)
{
+ $strKey = $this->cleanKey($strKey);
+
unset($this->arrCache['cookieEncoded'][$strKey]);
unset($this->arrCache['cookieDecoded'][$strKey]);
@@ -278,6 +289,42 @@ class Input
/**
+ * Sanitize a key name or an array (thanks to Andreas Schempp)
+ * @param mixed
+ * @return mixed
+ */
+ protected function cleanKey($varValue)
+ {
+ // Recursively clean arrays
+ if (is_array($varValue))
+ {
+ $return = array();
+
+ foreach ($varValue as $k=>$v)
+ {
+ $k = $this->cleanKey($k);
+
+ if (is_array($v))
+ {
+ $v = $this->cleanKey($v);
+ }
+
+ $return[$k] = $v;
+ }
+
+ return $return;
+ }
+
+ $varValue = $this->stripSlashes($varValue);
+ $varValue = $this->decodeEntities($varValue);
+ $varValue = $this->xssClean($varValue, true);
+ $varValue = $this->stripTags($varValue);
+
+ return $varValue;
+ }
+
+
+ /**
* Strip slashes
* @param mixed
* @return mixed
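Review bot: In `cleanKey()` (the `@@ -278,6 +289,42 @@` hunk) two distinct raw keys that normalise to the same string after `stripSlashes`/`decodeEntities`/`xssClean`/`stripTags` collapse into one entry, the later silently overwriting the earlier through `$return[$k] = $v`, and the array branch deliberately leaves scalar values untouched; neither is stated in the docblock. A line such as `@return mixed Array with every key sanitized (scalar values untouched; keys that collide after cleaning keep the last value), or the sanitized scalar key` would make the contract explicit. The constructor hunk replaces `Prevent direct instantiation (Singleton)` with `Clean the keys of the request arrays` although the method stays `protected`, so keep both sentences in the docblock. Only `$_GET`, `$_POST` and `$_COOKIE` are rewritten in the constructor; any code that reads `$_REQUEST` directly would bypass the cleaned keys, which this patch does not show either way and is worth a note in the patch header.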
$NetBSD: patch-system_modules_frontend_ModuleArticlenav.php,v 1.1 2011/10/10 16:35:36 taca Exp $
* Fix potential XSS vulnerability, r1044.
--- system/modules/frontend/ModuleArticlenav.php.orig 2009-11-21 12:49:18.000000000 +0000
+++ system/modules/frontend/ModuleArticlenav.php
@@ -91,7 +91,7 @@ class ModuleArticlenav extends Module
return '';
}
- $strAlias = (strlen($this->objArticles->alias) && !$GLOBALS['TL_CONFIG']['disableAlias']) ? $this->objArticles->alias : $this->objArticles->id;
+ $strAlias = ($this->objArticles->alias != '' && !$GLOBALS['TL_CONFIG']['disableAlias']) ? $this->objArticles->alias : $this->objArticles->id;
$this->redirect($this->addToUrl('articles=' . $strAlias));
}