Pullup ticket #3703 - requested by taca www/contao29: security patch Revisions pulled up: - www/contao29/Makefile 1.20 - www/contao29/distinfo 1.12 - www/contao29/patches/patch-system_initialize.php 1.1 --- Module Name: pkgsrc Committed By: taca Date: Tue Mar 13 03:16:30 UTC 2012 Modified Files: pkgsrc/www/contao29: Makefile distinfo Added Files: pkgsrc/www/contao29/patches: patch-system_initialize.php Log Message: Add a little experimental fix to prevent CSRF. Bump PKGREVISION.diff -r1.19 -r1.19.2.1 pkgsrc/www/contao29/Makefile
(tron)
| @@ -1,19 +1,19 @@ | @@ -1,19 +1,19 @@ | |||
| 1 | # $NetBSD: Makefile,v 1.19 2011/11/17 11:17:39 taca Exp $ | 1 | # $NetBSD: Makefile,v 1.19.2.1 2012/03/14 17:42:33 tron Exp $ | |
| 2 | # | 2 | # | |
| 3 | 3 | |||
| 4 | DISTNAME= contao-${CT_VERSION} | 4 | DISTNAME= contao-${CT_VERSION} | |
| 5 | PKGNAME= contao${CT_VER}-${CT_PKGVER} | 5 | PKGNAME= contao${CT_VER}-${CT_PKGVER} | |
| 6 | PKGREVISION= 5 | 6 | PKGREVISION= 6 | |
| 7 | CATEGORIES= www | 7 | CATEGORIES= www | |
| 8 | MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=contao/} | 8 | MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=contao/} | |
| 9 | 9 | |||
| 10 | MAINTAINER= taca@NetBSD.org | 10 | MAINTAINER= taca@NetBSD.org | |
| 11 | HOMEPAGE= http://www.contao.org/ | 11 | HOMEPAGE= http://www.contao.org/ | |
| 12 | COMMENT= Contao Open Source CMS | 12 | COMMENT= Contao Open Source CMS | |
| 13 | LICENSE= gnu-lgpl-v3 | 13 | LICENSE= gnu-lgpl-v3 | |
| 14 | 14 | |||
| 15 | DEPENDS+= ${PHP_PKG_PREFIX}-dom>=5.2.0:../../textproc/php-dom | 15 | DEPENDS+= ${PHP_PKG_PREFIX}-dom>=5.2.0:../../textproc/php-dom | |
| 16 | DEPENDS+= ${PHP_PKG_PREFIX}-gd>=5.2.0:../../graphics/php-gd | 16 | DEPENDS+= ${PHP_PKG_PREFIX}-gd>=5.2.0:../../graphics/php-gd | |
| 17 | DEPENDS+= ${PHP_PKG_PREFIX}-mbstring>=5.2.0:../../converters/php-mbstring | 17 | DEPENDS+= ${PHP_PKG_PREFIX}-mbstring>=5.2.0:../../converters/php-mbstring | |
| 18 | DEPENDS+= ${PHP_PKG_PREFIX}-mysql>=5.2.0:../../databases/php-mysql | 18 | DEPENDS+= ${PHP_PKG_PREFIX}-mysql>=5.2.0:../../databases/php-mysql | |
| 19 | DEPENDS+= ${PHP_PKG_PREFIX}-mcrypt>=5.2.0:../../security/php-mcrypt | 19 | DEPENDS+= ${PHP_PKG_PREFIX}-mcrypt>=5.2.0:../../security/php-mcrypt |
| @@ -1,8 +1,9 @@ | @@ -1,8 +1,9 @@ | |||
| 1 | $NetBSD: distinfo,v 1.11 2011/10/10 16:35:10 taca Exp $ | 1 | $NetBSD: distinfo,v 1.11.2.1 2012/03/14 17:42:33 tron Exp $ | |
| 2 | 2 | |||
| 3 | SHA1 (contao-2.9.5.tar.gz) = 93c1fb67a396f057eb700ec181aaed839c10cb1d | 3 | SHA1 (contao-2.9.5.tar.gz) = 93c1fb67a396f057eb700ec181aaed839c10cb1d | |
| 4 | RMD160 (contao-2.9.5.tar.gz) = 0a7229382d50f1d08dd05c10274d08b0bdb1b12c | 4 | RMD160 (contao-2.9.5.tar.gz) = 0a7229382d50f1d08dd05c10274d08b0bdb1b12c | |
| 5 | Size (contao-2.9.5.tar.gz) = 4594817 bytes | 5 | Size (contao-2.9.5.tar.gz) = 4594817 bytes | |
| 6 | SHA1 (patch-system_initialize.php) = 609c0b9dc91b026f3899db779f25d4140552273f | |||
| 6 | SHA1 (patch-system_libraries_Input.php) = 57668dde6d82d793ec1a08424df3172ce1d8a758 | 7 | SHA1 (patch-system_libraries_Input.php) = 57668dde6d82d793ec1a08424df3172ce1d8a758 | |
| 7 | SHA1 (patch-system_modules_frontend_Frontend.php) = c5a530951f11407a6bd1914a19c3b6f3ad550077 | 8 | SHA1 (patch-system_modules_frontend_Frontend.php) = c5a530951f11407a6bd1914a19c3b6f3ad550077 | |
| 8 | SHA1 (patch-system_modules_frontend_ModuleArticlenav.php) = a92c2e4acf097aa00336029e68a59f6139531e0e | 9 | SHA1 (patch-system_modules_frontend_ModuleArticlenav.php) = a92c2e4acf097aa00336029e68a59f6139531e0e |
$NetBSD: patch-system_initialize.php,v 1.1.2.2 2012/03/14 17:42:33 tron Exp $
* More strict check against POST.
--- system/initialize.php.orig 2011-03-04 14:13:25.000000000 +0000
+++ system/initialize.php
@@ -157,7 +157,7 @@ else
/**
* Check referer address if there are $_POST variables
*/
-if ($_POST && !$GLOBALS['TL_CONFIG']['disableRefererCheck'])
+if ($_SERVER['REQUEST_METHOD'] == 'POST' && !$GLOBALS['TL_CONFIG']['disableRefererCheck'])
{
$self = parse_url($objEnvironment->url);
$referer = parse_url($objEnvironment->httpReferer);