Add unofficial fix for CVE-2012-1297 by checking the Referer as in the days of Contao 2.9. Bump PKGREVISION.
diff -r1.1.1.1 -r1.2 pkgsrc/www/contao211/MESSAGE
(taca)
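--- a/pkgsrc/www/contao211/MESSAGE
+++ b/pkgsrc/www/contao211/MESSAGE
@@ -1,13 +1,18 @@
 ===========================================================================
-$NetBSD: MESSAGE,v 1.1.1.1 2012/02/19 10:54:07 taca Exp $
+$NetBSD: MESSAGE,v 1.2 2012/03/28 15:14:43 taca Exp $
 
 To complete the setup, please read:
 
 ${PREFIX}/share/doc/contao${CT_VER}/README
 
 To use minify the HTML markup function, you'll have to install the
 following package:
 
 www/php-tidy
 
+This package contains unofficial fix for CVE-2012-1297. If there are any
+problem by this fix, add a below line to system/config/localconfig.php.
+
+$GLOBALS['TL_CONFIG']['disableCompatRefererCheck'] = true;
+
 ===========================================================================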
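--- a/pkgsrc/www/contao211/Makefile
+++ b/pkgsrc/www/contao211/Makefile
@@ -1,18 +1,19 @@
-# $NetBSD: Makefile,v 1.1.1.1 2012/02/19 10:54:07 taca Exp $
+# $NetBSD: Makefile,v 1.2 2012/03/28 15:14:43 taca Exp $
 #
 
 DISTNAME= contao-${CT_VERSION}
 PKGNAME= contao${CT_VER}-${CT_PKGVER}
+PKGREVISION= 1
 CATEGORIES= www
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=contao/}
 DIST_SUBDIR= ${CT_DIST_SUBDIR}
 
 MAINTAINER= taca@NetBSD.org
 HOMEPAGE= http://www.contao.org/
 COMMENT= Contao Open Source CMS
 LICENSE= gnu-lgpl-v3
 
 DEPENDS+= ${PHP_PKG_PREFIX}-dom>=5.2.0:../../textproc/php-dom
 DEPENDS+= ${PHP_PKG_PREFIX}-gd>=5.2.0:../../graphics/php-gd
 DEPENDS+= ${PHP_PKG_PREFIX}-mbstring>=5.2.0:../../converters/php-mbstring
 DEPENDS+= ${PHP_PKG_PREFIX}-{mysql,mysqli}>=5.2.0:../../databases/php-mysqli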
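--- a/pkgsrc/www/contao211/distinfo
+++ b/pkgsrc/www/contao211/distinfo
@@ -1,5 +1,6 @@
-$NetBSD: distinfo,v 1.5 2012/03/14 16:24:35 taca Exp $
+$NetBSD: distinfo,v 1.6 2012/03/28 15:14:43 taca Exp $
 
 SHA1 (contao-2.11.2.tar.gz) = 0cf939e6a4c8b49a4d21a51bd50ae718dfbe024e
 RMD160 (contao-2.11.2.tar.gz) = 580553e29b92ea7bc5b04e38946edb269bc2ac78
 Size (contao-2.11.2.tar.gz) = 5319511 bytes
+SHA1 (patch-system_initialize.php) = 109f381bef4bae32617549709601eb2a30bbb01a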
$NetBSD: patch-system_initialize.php,v 1.1 2012/03/28 15:14:43 taca Exp $
* Unofficial fix for CVE-2012-1297 by checking Referer as days of Contao 2.9.
--- system/initialize.php.orig 2012-03-14 15:13:14.000000000 +0000
+++ system/initialize.php
@@ -168,10 +168,28 @@ if (file_exists(TL_ROOT . '/system/confi
/**
* Check the request token upon POST requests
*/
-if ($_POST && !$GLOBALS['TL_CONFIG']['disableRefererCheck'] && !defined('BYPASS_TOKEN_CHECK'))
+if (!$GLOBALS['TL_CONFIG']['disableRefererCheck'] &&
+ ($_POST && !defined('BYPASS_TOKEN_CHECK') ||
+ $_SERVER['REQUEST_METHOD'] == 'POST' && !$GLOBALS['TL_CONFIG']['disableCompatRefererCheck']))
{
- // Exit if the token cannot be validated
- if (!$objToken->validate($objInput->post('REQUEST_TOKEN')))
+ $bad = false;
+
+ // Exit if traditional referer check is enabled.
+ if (!$GLOBALS['TL_CONFIG']['disableCompatRefererCheck'])
+ {
+ $self = parse_url($objEnvironment->url);
+ $referer = parse_url($objEnvironment->httpReferer);
+
+ $bad = (!strlen($referer['host']) || $referer['host'] != $self['host']);
+ }
+
+ if (!$bad)
+ {
+ // Exit if the token cannot be validated
+ $bad = !$objToken->validate($objInput->post('REQUEST_TOKEN'));
+ }
+
+ if ($bad)
{
// Force JavaScript redirect upon Ajax requests (IE requires absolute link)
if ($objEnvironment->isAjaxRequest)
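Review bot: The token validation under `if (!$bad)` is no longer gated by `BYPASS_TOKEN_CHECK`: the widened outer condition now admits any POST through its second disjunct while the compat check is on, so a request to an endpoint that defines that constant still has its REQUEST_TOKEN validated and is rejected when the token is absent; the guard should read `if (!$bad && !defined('BYPASS_TOKEN_CHECK'))`. `$referer['host']` is also read without checking that `parse_url()` returned an array containing that key, so an absent or malformed Referer raises a notice before being treated as bad; safer is `$refererHost = (is_array($referer) && isset($referer['host'])) ? $referer['host'] : '';` followed by `$bad = ($refererHost === '' || $refererHost !== $self['host']);`. The new `disableCompatRefererCheck` key gets no default as far as this commit shows (distinfo lists only this one patch), so `!$GLOBALS['TL_CONFIG']['disableCompatRefererCheck']` raises an undefined-index notice on every POST until localconfig.php sets it — `empty()` on that key reads cleanly. Note too that a POST whose `$_POST` is empty now reaches the token check, which the old condition skipped; that may be intended for the referer part but is worth confirming for the token part.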