Sat Jun 6 03:31:01 2015 UTC ()
Add several security-related fixes from Contao 3.2.21.

Bump PKGREVISION.


(taca)
diff -r1.4 -r1.5 pkgsrc/www/contao34/Makefile
diff -r1.5 -r1.6 pkgsrc/www/contao34/distinfo
diff -r0 -r1.1 pkgsrc/www/contao34/patches/patch-system_helper_functions.php
diff -r0 -r1.1 pkgsrc/www/contao34/patches/patch-system_modules_core_classes_BackendUser.php
diff -r0 -r1.1 pkgsrc/www/contao34/patches/patch-system_modules_core_controllers_BackendPopup.php
diff -r0 -r1.1 pkgsrc/www/contao34/patches/patch-system_modules_core_dca_tl__files.php

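--- a/pkgsrc/www/contao34/Attic/Makefile
+++ b/pkgsrc/www/contao34/Attic/Makefile
@@ -1,18 +1,19 @@
-# $NetBSD: Makefile,v 1.4 2015/02/01 04:51:34 taca Exp $
+# $NetBSD: Makefile,v 1.5 2015/06/06 03:31:01 taca Exp $
 #
 
 DISTNAME= contao-${CT_PKGVER}
 PKGNAME= contao${CT_VER}-${CT_PKGVER}
+PKGREVISION= 1
 CATEGORIES= www
 MASTER_SITES= ${CT_MASTER_SITE}
 
 MAINTAINER= taca@NetBSD.org
 HOMEPAGE= http://www.contao.org/
 COMMENT= Contao Open Source CMS ${CT_VERSION}
 LICENSE= gnu-lgpl-v3
 
 DEPENDS+= ${PHP_PKG_PREFIX}-dom>=5.3.7:../../textproc/php-dom
 DEPENDS+= ${PHP_PKG_PREFIX}-gd>=5.3.7:../../graphics/php-gd
 DEPENDS+= ${PHP_PKG_PREFIX}-mbstring>=5.3.7:../../converters/php-mbstring
 DEPENDS+= ${PHP_PKG_PREFIX}-{mysql,mysqli}>=5.3.7:../../databases/php-mysqli
 DEPENDS+= ${PHP_PKG_PREFIX}-mcrypt>=5.3.7:../../security/php-mcrypt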

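--- a/pkgsrc/www/contao34/Attic/distinfo
+++ b/pkgsrc/www/contao34/Attic/distinfo
@@ -1,5 +1,9 @@
-$NetBSD: distinfo,v 1.5 2015/03/28 04:21:42 taca Exp $
+$NetBSD: distinfo,v 1.6 2015/06/06 03:31:01 taca Exp $
 
 SHA1 (contao-3.4.5.tar.gz) = 0ae1b47a85f33e74550a77fa4fa44fa5c3b6e674
 RMD160 (contao-3.4.5.tar.gz) = dcca780d1d67d71e5cbeade268608e296d4d847b
 Size (contao-3.4.5.tar.gz) = 11544130 bytes
+SHA1 (patch-system_helper_functions.php) = e5ee8f1e08b2712030f8809f20166bf6550f266b
+SHA1 (patch-system_modules_core_classes_BackendUser.php) = 527074d91cd550be242f6b4dfe005f6351fd1f35
+SHA1 (patch-system_modules_core_controllers_BackendPopup.php) = 29d2abf5bb149297da84ad198365b7656304fcb9
+SHA1 (patch-system_modules_core_dca_tl__files.php) = 8c1d1fb73cfe0e76e30eeb1b4036beb7b56fd71e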

File Added: pkgsrc/www/contao34/patches/Attic/patch-system_helper_functions.php
$NetBSD: patch-system_helper_functions.php,v 1.1 2015/06/06 03:31:01 taca Exp $

Security improvement as Contao 3.2.21.

--- system/helper/functions.php.orig	2015-03-27 08:53:59.000000000 +0000
+++ system/helper/functions.php
@@ -216,9 +216,10 @@ function scan($strFolder, $blnUncached=f
  * entities are never double converted.
  * @param string
  * @param boolean
+ * @param boolean
  * @return string
  */
-function specialchars($strString, $blnStripInsertTags=false)
+function specialchars($strString, $blnStripInsertTags=false, $blnDoubleEncode=false)
 {
 	if ($blnStripInsertTags)
 	{
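Review bot: The new `$blnDoubleEncode` parameter is introduced with a bare `@param boolean` line, so a reader of the docblock cannot tell what it controls or that the default keeps the old behaviour; I'd write it as `@param boolean Whether to encode already-present HTML entities again (forwarded to htmlspecialchars as $double_encode)`. Because the default stays `false`, this fix only takes effect at call sites that are updated to pass `true` (as the tl_files patch does), which is the backward-compatible choice but means every other caller that places the result in an attribute still leaves pre-existing entities untouched and should be reviewed in the same pass. The function body continues in the next hunk, where the flag is forwarded to htmlspecialchars together with ENT_COMPAT, which leaves single quotes unencoded, so the output remains safe only inside double-quoted attributes.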
@@ -226,7 +227,7 @@ function specialchars($strString, $blnSt
 	}
 
 	// Use ENT_COMPAT here (see #4889)
-	return htmlspecialchars($strString, ENT_COMPAT, $GLOBALS['TL_CONFIG']['characterSet'], false);
+	return htmlspecialchars($strString, ENT_COMPAT, $GLOBALS['TL_CONFIG']['characterSet'], $blnDoubleEncode);
 }
 
 

File Added: pkgsrc/www/contao34/patches/Attic/patch-system_modules_core_classes_BackendUser.php
$NetBSD: patch-system_modules_core_classes_BackendUser.php,v 1.1 2015/06/06 03:31:01 taca Exp $

Security improvement as Contao 3.2.21.

--- system/modules/core/classes/BackendUser.php.orig	2015-03-27 08:53:59.000000000 +0000
+++ system/modules/core/classes/BackendUser.php
@@ -285,7 +285,7 @@ class BackendUser extends \User
 											->limit(1)
 											->execute($pid);
 
-			while (!$row['chmod'] && $pid > 0 && $objParentPage->numRows)
+			while ($row['chmod'] === false && $pid > 0 && $objParentPage->numRows)
 			{
 				$pid = $objParentPage->pid;
 
@@ -299,15 +299,15 @@ class BackendUser extends \User
 			}
 
 			// Set default values
-			if (!$row['chmod'])
+			if (!$row['chmod'] === false)
 			{
 				$row['chmod'] = \Config::get('defaultChmod');
 			}
-			if (!$row['cuser'])
+			if (!$row['cuser'] === false)
 			{
 				$row['cuser'] = intval(\Config::get('defaultUser'));
 			}
-			if (!$row['cgroup'])
+			if (!$row['cgroup'] === false)
 			{
 				$row['cgroup'] = intval(\Config::get('defaultGroup'));
 			}
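Review bot: The three default-value checks on the `+` lines of this hunk parse as `(!$row['chmod']) === false` because `!` binds tighter than `===` in PHP, so each is true when the field is already set and false when it is `false` — the inverse of the loop condition `$row['chmod'] === false` in the previous hunk and of the original `!$row['chmod']`. As written, a page for which a chmod/cuser/cgroup value was found (presumably copied from the parent inside the loop, whose body lies outside this hunk) is overwritten with `defaultChmod`/`defaultUser`/`defaultGroup`, while a page for which nothing was found keeps `false`. If the strict check used by the loop is intended, the lines should read `if ($row['chmod'] === false)`, `if ($row['cuser'] === false)` and `if ($row['cgroup'] === false)`; if the truthiness test was intended, the `=== false` should simply be dropped. Since these values feed back-end permission decisions, verify this against the upstream 3.2.21 change before shipping; the enclosing method starts and ends outside the hunk.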

File Added: pkgsrc/www/contao34/patches/Attic/patch-system_modules_core_controllers_BackendPopup.php
$NetBSD: patch-system_modules_core_controllers_BackendPopup.php,v 1.1 2015/06/06 03:31:01 taca Exp $

Security improvement as Contao 3.2.21.

--- system/modules/core/controllers/BackendPopup.php.orig	2015-03-27 08:53:59.000000000 +0000
+++ system/modules/core/controllers/BackendPopup.php
@@ -128,7 +128,7 @@ class BackendPopup extends \Backend
 		$this->Template->ctime = \Date::parse(\Config::get('datimFormat'), $objFile->ctime);
 		$this->Template->mtime = \Date::parse(\Config::get('datimFormat'), $objFile->mtime);
 		$this->Template->atime = \Date::parse(\Config::get('datimFormat'), $objFile->atime);
-		$this->Template->path = $this->strFile;
+		$this->Template->path = specialchars($this->strFile);
 
 		$this->output();
 	}
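Review bot: `specialchars($this->strFile)` on the `+` line relies on the default `$blnDoubleEncode=false`, whereas every updated call in the tl_files patch passes `true`, so a path that already contains an entity-like sequence such as `&amp;` is left as-is here. If the template prints `path` into HTML, `specialchars($this->strFile, false, true)` would make this site consistent with the rest of the fix — I can't see the template, so confirm how the value is rendered and that it lands in text or a double-quoted attribute, given that specialchars uses ENT_COMPAT. The enclosing method starts outside the hunk.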

File Added: pkgsrc/www/contao34/patches/Attic/patch-system_modules_core_dca_tl__files.php
$NetBSD: patch-system_modules_core_dca_tl__files.php,v 1.1 2015/06/06 03:31:01 taca Exp $

Security improvement as Contao 3.2.21.

--- system/modules/core/dca/tl_files.php.orig	2015-03-27 08:53:59.000000000 +0000
+++ system/modules/core/dca/tl_files.php
@@ -488,7 +488,7 @@ class tl_files extends Backend
 	 */
 	public function editFile($row, $href, $label, $title, $icon, $attributes)
 	{
-		return $this->User->hasAccess('f2', 'fop') ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
+		return ($this->User->isAdmin || $this->User->hasAccess('f2', 'fop')) ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title, false, true).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
 	}
 
 
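Review bot: The anchor expression on the `+` line of editFile is the same string-building code repeated, with only the permission test differing, in copyFile, cutFile and in the @@ -538 and @@ -578 hunks below, so the `isAdmin ||` and `specialchars($title, false, true)` changes had to be applied by hand seven times; a private helper that receives the already-evaluated permission check would turn such a fix into a single edit and remove the risk of a missed call site. `$row['id']` is concatenated raw into the href before `addToUrl()`; I can't see whether addToUrl escapes its argument, so confirm that a file path containing `"` or `&` cannot alter the attribute. Beyond this hunk, the popup anchor in the last hunk still interpolates `$row['popupWidth']`, `$row['popupHeight']` and `$row['fileNameEncoded']` into the double-quoted `onclick` attribute with only `'` escaped; presumably the first two are numeric and the third is pre-encoded, but that is worth checking in the same pass.
```php
	/**
	 * Render a file-operation link, or the greyed-out icon when the operation is not allowed
	 * @param boolean
	 * @param array
	 * @param string
	 * @param string
	 * @param string
	 * @param string
	 * @param string
	 * @return string
	 */
	private function operationLink($blnAllowed, $row, $href, $label, $title, $icon, $attributes)
	{
		if (!$blnAllowed)
		{
			return Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
		}

		return '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title, false, true).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ';
	}

	public function editFile($row, $href, $label, $title, $icon, $attributes)
	{
		return $this->operationLink($this->User->isAdmin || $this->User->hasAccess('f2', 'fop'), $row, $href, $label, $title, $icon, $attributes);
	}
	// … unchanged: copyFile, cutFile and the other operations call operationLink with their own permission check …
```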
@@ -504,7 +504,7 @@ class tl_files extends Backend
 	 */
 	public function copyFile($row, $href, $label, $title, $icon, $attributes)
 	{
-		return $this->User->hasAccess('f2', 'fop') ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
+		return ($this->User->isAdmin || $this->User->hasAccess('f2', 'fop')) ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title, false, true).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
 	}
 
 
@@ -520,7 +520,7 @@ class tl_files extends Backend
 	 */
 	public function cutFile($row, $href, $label, $title, $icon, $attributes)
 	{
-		return $this->User->hasAccess('f2', 'fop') ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
+		return ($this->User->isAdmin || $this->User->hasAccess('f2', 'fop')) ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title, false, true).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
 	}
 
 
@@ -538,11 +538,11 @@ class tl_files extends Backend
 	{
 		if (is_dir(TL_ROOT . '/' . $row['id']) && count(scan(TL_ROOT . '/' . $row['id'])) > 0)
 		{
-			return $this->User->hasAccess('f4', 'fop') ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
+			return ($this->User->isAdmin || $this->User->hasAccess('f4', 'fop')) ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title, false, true).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
 		}
 		else
 		{
-			return ($this->User->hasAccess('f3', 'fop') || $this->User->hasAccess('f4', 'fop')) ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
+			return ($this->User->isAdmin || $this->User->hasAccess('f3', 'fop') || $this->User->hasAccess('f4', 'fop')) ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title, false, true).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
 		}
 	}
 
@@ -578,7 +578,7 @@ class tl_files extends Backend
 			return Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
 		}
 
-		return '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ';
+		return '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title, false, true).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ';
 	}
 
 
@@ -600,7 +600,7 @@ class tl_files extends Backend
 		}
 		else
 		{
-			return '<a href="contao/popup.php?src=' . base64_encode($row['id']) . '" title="'.specialchars($title).'"'.$attributes.' onclick="Backend.openModalIframe({\'width\':'.$row['popupWidth'].',\'title\':\''.str_replace("'", "\\'", $row['fileNameEncoded']).'\',\'url\':this.href,\'height\':'.$row['popupHeight'].'});return false">'.Image::getHtml($icon, $label).'</a> ';
+			return '<a href="contao/popup.php?src=' . base64_encode($row['id']) . '" title="'.specialchars($title, false, true).'"'.$attributes.' onclick="Backend.openModalIframe({\'width\':'.$row['popupWidth'].',\'title\':\''.str_replace("'", "\\'", $row['fileNameEncoded']).'\',\'url\':this.href,\'height\':'.$row['popupHeight'].'});return false">'.Image::getHtml($icon, $label).'</a> ';
 		}
 	}