Sat Jun 6 03:31:01 2015 UTC ()
Add several security-related fixes backported from Contao 3.2.21.
Bump PKGREVISION.
(taca)
diff -r1.4 -r1.5 pkgsrc/www/contao34/Makefile
diff -r1.5 -r1.6 pkgsrc/www/contao34/distinfo
diff -r0 -r1.1 pkgsrc/www/contao34/patches/patch-system_helper_functions.php
diff -r0 -r1.1 pkgsrc/www/contao34/patches/patch-system_modules_core_classes_BackendUser.php
diff -r0 -r1.1 pkgsrc/www/contao34/patches/patch-system_modules_core_controllers_BackendPopup.php
diff -r0 -r1.1 pkgsrc/www/contao34/patches/patch-system_modules_core_dca_tl__files.php
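--- a/pkgsrc/www/contao34/Attic/Makefile
+++ b/pkgsrc/www/contao34/Attic/Makefile
@@ -1,18 +1,19 @@
-# $NetBSD: Makefile,v 1.4 2015/02/01 04:51:34 taca Exp $
+# $NetBSD: Makefile,v 1.5 2015/06/06 03:31:01 taca Exp $
 #
 
 DISTNAME= contao-${CT_PKGVER}
 PKGNAME= contao${CT_VER}-${CT_PKGVER}
+PKGREVISION= 1
 CATEGORIES= www
 MASTER_SITES= ${CT_MASTER_SITE}
 
 MAINTAINER= taca@NetBSD.org
 HOMEPAGE= http://www.contao.org/
 COMMENT= Contao Open Source CMS ${CT_VERSION}
 LICENSE= gnu-lgpl-v3
 
 DEPENDS+= ${PHP_PKG_PREFIX}-dom>=5.3.7:../../textproc/php-dom
 DEPENDS+= ${PHP_PKG_PREFIX}-gd>=5.3.7:../../graphics/php-gd
 DEPENDS+= ${PHP_PKG_PREFIX}-mbstring>=5.3.7:../../converters/php-mbstring
 DEPENDS+= ${PHP_PKG_PREFIX}-{mysql,mysqli}>=5.3.7:../../databases/php-mysqli
 DEPENDS+= ${PHP_PKG_PREFIX}-mcrypt>=5.3.7:../../security/php-mcrypt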
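--- a/pkgsrc/www/contao34/Attic/distinfo
+++ b/pkgsrc/www/contao34/Attic/distinfo
@@ -1,5 +1,9 @@
-$NetBSD: distinfo,v 1.5 2015/03/28 04:21:42 taca Exp $
+$NetBSD: distinfo,v 1.6 2015/06/06 03:31:01 taca Exp $
 
 SHA1 (contao-3.4.5.tar.gz) = 0ae1b47a85f33e74550a77fa4fa44fa5c3b6e674
 RMD160 (contao-3.4.5.tar.gz) = dcca780d1d67d71e5cbeade268608e296d4d847b
 Size (contao-3.4.5.tar.gz) = 11544130 bytes
+SHA1 (patch-system_helper_functions.php) = e5ee8f1e08b2712030f8809f20166bf6550f266b
+SHA1 (patch-system_modules_core_classes_BackendUser.php) = 527074d91cd550be242f6b4dfe005f6351fd1f35
+SHA1 (patch-system_modules_core_controllers_BackendPopup.php) = 29d2abf5bb149297da84ad198365b7656304fcb9
+SHA1 (patch-system_modules_core_dca_tl__files.php) = 8c1d1fb73cfe0e76e30eeb1b4036beb7b56fd71e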
$NetBSD: patch-system_helper_functions.php,v 1.1 2015/06/06 03:31:01 taca Exp $
Security improvement backported from Contao 3.2.21.
--- system/helper/functions.php.orig 2015-03-27 08:53:59.000000000 +0000
+++ system/helper/functions.php
@@ -216,9 +216,10 @@ function scan($strFolder, $blnUncached=f
* entities are never double converted.
* @param string
* @param boolean
+ * @param boolean
* @return string
*/
-function specialchars($strString, $blnStripInsertTags=false)
+function specialchars($strString, $blnStripInsertTags=false, $blnDoubleEncode=false)
{
if ($blnStripInsertTags)
{
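Review bot: The docblock line "entities are never double converted" above the signature is no longer unconditionally true, and the new `@param boolean` line names neither the parameter nor its effect; it should read `@param boolean $blnDoubleEncode Re-encode existing entities as well (default false keeps the old pass-through behaviour)`. With the default, a value that already contains `&lt;`, `&amp;` or `&#…;` sequences is returned with those sequences untouched, so callers rendering untrusted names that may legitimately contain such text have to opt in explicitly with `true`. The function body continues in the next hunk.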
@@ -226,7 +227,7 @@ function specialchars($strString, $blnSt
}
// Use ENT_COMPAT here (see #4889)
- return htmlspecialchars($strString, ENT_COMPAT, $GLOBALS['TL_CONFIG']['characterSet'], false);
+ return htmlspecialchars($strString, ENT_COMPAT, $GLOBALS['TL_CONFIG']['characterSet'], $blnDoubleEncode);
}
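Review bot: The `ENT_COMPAT` flag on the return line leaves single quotes unconverted, so the result is only safe in element text or double-quoted attributes, never in a single-quoted attribute or inside a JavaScript string literal; the `see #4889` comment should state that restriction, e.g. `// ENT_COMPAT: single quotes stay unescaped, so only use the result in text or double-quoted attributes (see #4889)`. If `$GLOBALS['TL_CONFIG']['characterSet']` can be empty at this point, htmlspecialchars falls back to PHP's default charset, which is worth confirming where that config value is initialised.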
$NetBSD: patch-system_modules_core_classes_BackendUser.php,v 1.1 2015/06/06 03:31:01 taca Exp $
Security improvement backported from Contao 3.2.21.
--- system/modules/core/classes/BackendUser.php.orig 2015-03-27 08:53:59.000000000 +0000
+++ system/modules/core/classes/BackendUser.php
@@ -285,7 +285,7 @@ class BackendUser extends \User
->limit(1)
->execute($pid);
- while (!$row['chmod'] && $pid > 0 && $objParentPage->numRows)
+ while ($row['chmod'] === false && $pid > 0 && $objParentPage->numRows)
{
$pid = $objParentPage->pid;
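Review bot: The switch from `!$row['chmod']` to `$row['chmod'] === false` in the `while` condition looks like a no-op to a casual reader, but it is the security-relevant change: an empty permission value no longer counts as "not found" and stops the walk up the page tree instead of continuing to the defaults; a comment should say so, e.g. `// Strict test: false means "nothing inherited yet"; an empty chmod is a deliberate (empty) permission set and must end the walk`. This relies on the caller initialising `$row['chmod']` to `false` before the query, which is outside the hunk; if it starts as `null` or `''` the loop never runs at all, so confirm the initialisation. The enclosing method starts and ends outside this hunk.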
@@ -299,15 +299,15 @@ class BackendUser extends \User
}
// Set default values
- if (!$row['chmod'])
+ if (!$row['chmod'] === false)
{
$row['chmod'] = \Config::get('defaultChmod');
}
- if (!$row['cuser'])
+ if (!$row['cuser'] === false)
{
$row['cuser'] = intval(\Config::get('defaultUser'));
}
- if (!$row['cgroup'])
+ if (!$row['cgroup'] === false)
{
$row['cgroup'] = intval(\Config::get('defaultGroup'));
}
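Review bot: `!$row['chmod'] === false` on the three new `if` lines parses as `(!$row['chmod']) === false` because `!` binds tighter than `===`, so each condition is true exactly when the value is truthy, the opposite of the strict test the first hunk introduced in the `while` condition. As written, a page whose chmod, cuser or cgroup was resolved gets it overwritten with `defaultChmod`/`defaultUser`/`defaultGroup`, while a value still `false` after the walk stays `false` and the defaults never apply where they are meant to. The lines should read `if ($row['chmod'] === false)`, `if ($row['cuser'] === false)` and `if ($row['cgroup'] === false)`, and the patch's SHA1 in distinfo must be regenerated afterwards. The enclosing method continues outside the hunk.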
$NetBSD: patch-system_modules_core_controllers_BackendPopup.php,v 1.1 2015/06/06 03:31:01 taca Exp $
Security improvement backported from Contao 3.2.21.
--- system/modules/core/controllers/BackendPopup.php.orig 2015-03-27 08:53:59.000000000 +0000
+++ system/modules/core/controllers/BackendPopup.php
@@ -128,7 +128,7 @@ class BackendPopup extends \Backend
$this->Template->ctime = \Date::parse(\Config::get('datimFormat'), $objFile->ctime);
$this->Template->mtime = \Date::parse(\Config::get('datimFormat'), $objFile->mtime);
$this->Template->atime = \Date::parse(\Config::get('datimFormat'), $objFile->atime);
- $this->Template->path = $this->strFile;
+ $this->Template->path = specialchars($this->strFile);
$this->output();
}
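Review bot: `specialchars($this->strFile)` escapes for element text or double-quoted attributes only (the helper uses `ENT_COMPAT`), so the template has to emit `path` in such a context and must not wrap it in a single-quoted attribute or a script string; a comment on the assignment would make that contract visible, e.g. `// HTML-escaped here (double-quoted attribute or text context only); the template must not re-escape or place it in JS`. Escaping addresses the output side only: whether `$this->strFile` was constrained to lie inside TL_ROOT before the file-time lookups above is not visible in this hunk and is worth confirming. The method continues outside the hunk.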
$NetBSD: patch-system_modules_core_dca_tl__files.php,v 1.1 2015/06/06 03:31:01 taca Exp $
Security improvement backported from Contao 3.2.21.
--- system/modules/core/dca/tl_files.php.orig 2015-03-27 08:53:59.000000000 +0000
+++ system/modules/core/dca/tl_files.php
@@ -488,7 +488,7 @@ class tl_files extends Backend
*/
public function editFile($row, $href, $label, $title, $icon, $attributes)
{
- return $this->User->hasAccess('f2', 'fop') ? '<a href="'.$this->addToUrl($href.'&id='.$row['id']).'" title="'.specialchars($title).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
+ return ($this->User->isAdmin || $this->User->hasAccess('f2', 'fop')) ? '<a href="'.$this->addToUrl($href.'&id='.$row['id']).'" title="'.specialchars($title, false, true).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
}
@@ -504,7 +504,7 @@ class tl_files extends Backend
*/
public function copyFile($row, $href, $label, $title, $icon, $attributes)
{
- return $this->User->hasAccess('f2', 'fop') ? '<a href="'.$this->addToUrl($href.'&id='.$row['id']).'" title="'.specialchars($title).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
+ return ($this->User->isAdmin || $this->User->hasAccess('f2', 'fop')) ? '<a href="'.$this->addToUrl($href.'&id='.$row['id']).'" title="'.specialchars($title, false, true).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
}
@@ -520,7 +520,7 @@ class tl_files extends Backend
*/
public function cutFile($row, $href, $label, $title, $icon, $attributes)
{
- return $this->User->hasAccess('f2', 'fop') ? '<a href="'.$this->addToUrl($href.'&id='.$row['id']).'" title="'.specialchars($title).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
+ return ($this->User->isAdmin || $this->User->hasAccess('f2', 'fop')) ? '<a href="'.$this->addToUrl($href.'&id='.$row['id']).'" title="'.specialchars($title, false, true).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
}
@@ -538,11 +538,11 @@ class tl_files extends Backend
{
if (is_dir(TL_ROOT . '/' . $row['id']) && count(scan(TL_ROOT . '/' . $row['id'])) > 0)
{
- return $this->User->hasAccess('f4', 'fop') ? '<a href="'.$this->addToUrl($href.'&id='.$row['id']).'" title="'.specialchars($title).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
+ return ($this->User->isAdmin || $this->User->hasAccess('f4', 'fop')) ? '<a href="'.$this->addToUrl($href.'&id='.$row['id']).'" title="'.specialchars($title, false, true).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
}
else
{
- return ($this->User->hasAccess('f3', 'fop') || $this->User->hasAccess('f4', 'fop')) ? '<a href="'.$this->addToUrl($href.'&id='.$row['id']).'" title="'.specialchars($title).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
+ return ($this->User->isAdmin || $this->User->hasAccess('f3', 'fop') || $this->User->hasAccess('f4', 'fop')) ? '<a href="'.$this->addToUrl($href.'&id='.$row['id']).'" title="'.specialchars($title, false, true).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
}
}
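Review bot: The non-empty test `count(scan(TL_ROOT . '/' . $row['id'])) > 0` decides whether the stricter `f4` right or the weaker `f3` right gates the delete button, and `scan()` has an `$blnUncached` flag (see the functions.php signature in this commit), so the listing may come from a per-request cache rather than the filesystem. If a folder can gain content earlier in the same request, a stale "empty" result would let an `f3`-only user see the delete link for a now non-empty folder; passing `true` as the second argument, `count(scan(TL_ROOT . '/' . $row['id'], true)) > 0`, avoids that, at the cost of one extra directory read per row. Whether that ordering can actually occur is not visible here and should be confirmed before changing it. The method starts outside the hunk.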
@@ -578,7 +578,7 @@ class tl_files extends Backend
return Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
}
- return '<a href="'.$this->addToUrl($href.'&id='.$row['id']).'" title="'.specialchars($title).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ';
+ return '<a href="'.$this->addToUrl($href.'&id='.$row['id']).'" title="'.specialchars($title, false, true).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ';
}
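Review bot: The permission guard that returns the greyed icon two lines above this `return` lies outside the hunk, so it is not visible whether it received the same `$this->User->isAdmin ||` short-circuit the other callbacks in this patch got; if it did not, admins without the matching `fop` right lose this button while gaining the others. Confirm the guard and align it, e.g. `if (!$this->User->isAdmin && !$this->User->hasAccess(…, 'fop'))`, with the right the callback is meant to check. The enclosing method starts outside the hunk.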
@@ -600,7 +600,7 @@ class tl_files extends Backend
}
else
{
- return '<a href="contao/popup.php?src=' . base64_encode($row['id']) . '" title="'.specialchars($title).'"'.$attributes.' onclick="Backend.openModalIframe({\'width\':'.$row['popupWidth'].',\'title\':\''.str_replace("'", "\\'", $row['fileNameEncoded']).'\',\'url\':this.href,\'height\':'.$row['popupHeight'].'});return false">'.Image::getHtml($icon, $label).'</a> ';
+ return '<a href="contao/popup.php?src=' . base64_encode($row['id']) . '" title="'.specialchars($title, false, true).'"'.$attributes.' onclick="Backend.openModalIframe({\'width\':'.$row['popupWidth'].',\'title\':\''.str_replace("'", "\\'", $row['fileNameEncoded']).'\',\'url\':this.href,\'height\':'.$row['popupHeight'].'});return false">'.Image::getHtml($icon, $label).'</a> ';
}
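Review bot: The `title` attribute is now double-encoded, but the `onclick` handler on the same line still inlines `$row['fileNameEncoded']` into a single-quoted JavaScript string with only `'` replaced, so a `"` in the value ends the HTML attribute before the script is even parsed, and a trailing `\` turns the inserted `\'` into an escaped backslash followed by a terminating quote. Whether `fileNameEncoded` is already restricted to safe characters is not visible here; the name suggests it, but it should be confirmed. If it is not, escape backslashes before quotes and then encode for the attribute context, `specialchars(str_replace(array('\\', "'"), array('\\\\', "\\'"), $row['fileNameEncoded']), false, true)`, and cast `$row['popupWidth']` and `$row['popupHeight']` with `intval()` since they are interpolated into the script unescaped as well. The method starts outside the hunk.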
}