Mon Oct 10 16:35:36 2011 UTC ()
Add update patche to fix XSS from Contao's repository.

Bump PKGREVISION.


(taca)
diff -r1.15 -r1.16 pkgsrc/www/typolight28/Makefile
diff -r1.11 -r1.12 pkgsrc/www/typolight28/distinfo
diff -r1.2 -r1.3 pkgsrc/www/typolight28/patches/patch-ad
diff -r0 -r1.1 pkgsrc/www/typolight28/patches/patch-system_libraries_Input.php
diff -r0 -r1.1 pkgsrc/www/typolight28/patches/patch-system_modules_frontend_ModuleArticlenav.php
cvs diff -r1.15 -r1.16 pkgsrc/www/typolight28/Attic/Makefile (expand / switch to context diff)
--- pkgsrc/www/typolight28/Attic/Makefile 2011/10/07 12:29:41 1.15
+++ pkgsrc/www/typolight28/Attic/Makefile 2011/10/10 16:35:36 1.16
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.15 2011/10/07 12:29:41 taca Exp $
+# $NetBSD: Makefile,v 1.16 2011/10/10 16:35:36 taca Exp $
 #
 
 DISTNAME=	typolight-${TL_VERSION}
 PKGNAME=	typolight${TL_VER}-${TL_PKGVER}
-PKGREVISION=	5
+PKGREVISION=	6
 CATEGORIES=	www
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE:=typolight/}
cvs diff -r1.11 -r1.12 pkgsrc/www/typolight28/Attic/distinfo (expand / switch to context diff)
--- pkgsrc/www/typolight28/Attic/distinfo 2011/10/07 12:29:41 1.11
+++ pkgsrc/www/typolight28/Attic/distinfo 2011/10/10 16:35:36 1.12
@@ -1,8 +1,10 @@
-$NetBSD: distinfo,v 1.11 2011/10/07 12:29:41 taca Exp $
+$NetBSD: distinfo,v 1.12 2011/10/10 16:35:36 taca Exp $
 
 SHA1 (typolight-2.8.4.tar.gz) = d18d684a06f5dd29ffc6a28d08143feb613cd47b
 RMD160 (typolight-2.8.4.tar.gz) = ad82d00e3b7ec4e604640779fec841fcfc65f75c
 Size (typolight-2.8.4.tar.gz) = 4097946 bytes
-SHA1 (patch-ad) = ee5524db7764c9c5ede3affcb99ed0f8864d522e
+SHA1 (patch-ad) = 0654ac44d13f69ca4823a8aec27752244de6181f
 SHA1 (patch-ae) = eed6db905809b3782acb8324799de6bc8d4e855b
 SHA1 (patch-af) = 868309cff4ba1855a96745c578737878f8d118d5
+SHA1 (patch-system_libraries_Input.php) = 4a3e9409d6916a6637e12f646e33268f3067ec99
+SHA1 (patch-system_modules_frontend_ModuleArticlenav.php) = df4d8a8579e010794c3a62c5f458037ea53cc397
cvs diff -r1.2 -r1.3 pkgsrc/www/typolight28/patches/Attic/patch-ad (expand / switch to context diff)
--- pkgsrc/www/typolight28/patches/Attic/patch-ad 2011/10/07 12:29:42 1.2
+++ pkgsrc/www/typolight28/patches/Attic/patch-ad 2011/10/10 16:35:36 1.3
@@ -1,11 +1,11 @@
-$NetBSD: patch-ad,v 1.2 2011/10/07 12:29:42 taca Exp $
+$NetBSD: patch-ad,v 1.3 2011/10/10 16:35:36 taca Exp $
 
 * Fix for CSS from repository, r507.
-* Fix potential XSS vulnerability, r1041.
+* Fix potential XSS vulnerability, r1041 and r1044.
 
 --- system/modules/frontend/Frontend.php.orig	2010-04-19 10:22:31.000000000 +0000
 +++ system/modules/frontend/Frontend.php
-@@ -78,7 +78,7 @@ abstract class Frontend extends Controll
+@@ -78,14 +78,13 @@ abstract class Frontend extends Controll
  			return is_numeric($this->Input->get('id')) ? $this->Input->get('id') : null;
  		}
  
@@ -14,18 +14,25 @@
  		{
  			return null;
  		}
-@@ -104,13 +104,15 @@ abstract class Frontend extends Controll
+ 
+ 		$strRequest = preg_replace('/\?.*$/i', '', $this->Environment->request);
+ 		$strRequest = preg_replace('/' . preg_quote($GLOBALS['TL_CONFIG']['urlSuffix'], '/') . '$/i', '', $strRequest);
+-
+ 		$arrFragments = explode('/', $strRequest);
+ 
+ 		// Skip index.php
+@@ -104,13 +103,15 @@ abstract class Frontend extends Controll
  			}
  		}
  
 -		// Add fragments to $_GET array
-+		// DO NOT USE urldecode() HERE (XSS vulnerability)!
++		$arrFragments = array_map('urldecode', $arrFragments);
 +
 +		// Add the fragments to the $_GET array
  		for ($i=1; $i<count($arrFragments); $i+=2)
  		{
 -			$_GET[urldecode($arrFragments[$i])] = urldecode($arrFragments[$i+1]);
-+			$_GET[$arrFragments[$i]] = $arrFragments[$i+1];
++			$this->Input->setGet($arrFragments[$i], $arrFragments[$i+1]);
  		}
  
 -		return strlen($arrFragments[0]) ? urldecode($arrFragments[0]) : null;
@@ -33,7 +40,16 @@
  	}
  
  
-@@ -166,8 +168,16 @@ abstract class Frontend extends Controll
+@@ -158,7 +159,7 @@ abstract class Frontend extends Controll
+ 
+ 
+ 	/**
+-	 * Overwrite parent method as front end URLs are handled differently
++	 * Overwrite the parent method as front end URLs are handled differently
+ 	 * @param string
+ 	 * @param boolean
+ 	 * @return string
+@@ -166,8 +167,16 @@ abstract class Frontend extends Controll
  	protected function addToUrl($strRequest, $blnIgnoreParams=false)
  	{
  		$arrGet = $blnIgnoreParams ? array() : $_GET;
@@ -50,3 +66,27 @@
  		foreach ($arrFragments as $strFragment)
  		{
  			list($key, $value) = explode('=', $strFragment);
+@@ -184,9 +193,22 @@ abstract class Frontend extends Controll
+ 
+ 		$strParams = '';
+ 
++		// Determine connector and separator
++		if ($GLOBALS['TL_CONFIG']['disableAlias'])
++		{
++			$strConnector = '&amp;';
++			$strSeparator = '=';
++		}
++		else
++		{
++			$strConnector = '/';
++			$strSeparator = '/';
++		}
++
++		// Compile the parameters string
+ 		foreach ($arrGet as $k=>$v)
+ 		{
+-			$strParams .= $GLOBALS['TL_CONFIG']['disableAlias'] ? '&amp;' . $k . '=' . $v  : '/' . $k . '/' . $v;
++			$strParams .= $strConnector . urlencode($k) . $strSeparator . urlencode($v);
+ 		}
+ 
+ 		// Do not use aliases
File Added: pkgsrc/www/typolight28/patches/Attic/patch-system_libraries_Input.php
$NetBSD: patch-system_libraries_Input.php,v 1.1 2011/10/10 16:35:36 taca Exp $

* Fix potential XSS vulnerability, r1044.

--- system/libraries/Input.php.orig	2010-04-12 13:08:16.000000000 +0000
+++ system/libraries/Input.php
@@ -52,9 +52,14 @@ class Input
 
 
 	/**
-	 * Prevent direct instantiation (Singleton)
+	 * Clean the keys of the request arrays
 	 */
-	protected function __construct() {}
+	protected function __construct()
+	{
+		$_GET    = $this->cleanKey($_GET);
+		$_POST   = $this->cleanKey($_POST);
+		$_COOKIE = $this->cleanKey($_COOKIE);
+	}
 
 
 	/**
@@ -232,6 +237,8 @@ class Input
 	 */
 	public function setGet($strKey, $varValue)
 	{
+		$strKey = $this->cleanKey($strKey);
+
 		unset($this->arrCache['getEncoded'][$strKey]);
 		unset($this->arrCache['getDecoded'][$strKey]);
 
@@ -246,6 +253,8 @@ class Input
 	 */
 	public function setPost($strKey, $varValue)
 	{
+		$strKey = $this->cleanKey($strKey);
+
 		unset($this->arrCache['postEncoded'][$strKey]);
 		unset($this->arrCache['postDecoded'][$strKey]);
 		unset($this->arrCache['postRaw'][$strKey]);
@@ -261,6 +270,8 @@ class Input
 	 */
 	public function setCookie($strKey, $varValue)
 	{
+		$strKey = $this->cleanKey($strKey);
+
 		unset($this->arrCache['cookieEncoded'][$strKey]);
 		unset($this->arrCache['cookieDecoded'][$strKey]);
 
@@ -278,6 +289,42 @@ class Input
 
 
 	/**
+	 * Sanitize a key name or an array (thanks to Andreas Schempp)
+	 * @param mixed
+	 * @return mixed
+	 */
+	protected function cleanKey($varValue)
+	{
+		// Recursively clean arrays
+		if (is_array($varValue))
+		{
+			$return = array();
+
+			foreach ($varValue as $k=>$v)
+			{
+				$k = $this->cleanKey($k);
+
+				if (is_array($v))
+				{
+					$v = $this->cleanKey($v);
+				}
+
+				$return[$k] = $v;
+			}
+
+			return $return;
+		}
+
+		$varValue = $this->stripSlashes($varValue);
+		$varValue = $this->decodeEntities($varValue);
+		$varValue = $this->xssClean($varValue, true);
+		$varValue = $this->stripTags($varValue);
+
+		return $varValue;
+	}
+
+
+	/**
 	 * Strip slashes
 	 * @param  mixed
 	 * @return mixed
File Added: pkgsrc/www/typolight28/patches/Attic/patch-system_modules_frontend_ModuleArticlenav.php
$NetBSD: patch-system_modules_frontend_ModuleArticlenav.php,v 1.1 2011/10/10 16:35:36 taca Exp $

* Fix potential XSS vulnerability, r1044.

--- system/modules/frontend/ModuleArticlenav.php.orig	2009-11-21 12:49:18.000000000 +0000
+++ system/modules/frontend/ModuleArticlenav.php
@@ -91,7 +91,7 @@ class ModuleArticlenav extends Module
 				return '';
 			}
 
-			$strAlias = (strlen($this->objArticles->alias) && !$GLOBALS['TL_CONFIG']['disableAlias']) ? $this->objArticles->alias : $this->objArticles->id;
+			$strAlias = ($this->objArticles->alias != '' && !$GLOBALS['TL_CONFIG']['disableAlias']) ? $this->objArticles->alias : $this->objArticles->id;
 			$this->redirect($this->addToUrl('articles=' . $strAlias));
 		}