authortron <tron@pkgsrc.org>2015-06-12 22:44:26 +0000
committertron <tron@pkgsrc.org>2015-06-12 22:44:26 +0000
commitc2e2796beeac8354302d2107a8ed226f5d772795 (patch)
tree20c68ec06bf8c6462d2f4cff40020f4478544c48
parent66836762d5005b1eb476376671cf8e4657dd9f59 (diff)
downloadpkgsrc-c2e2796beeac8354302d2107a8ed226f5d772795.tar.gz
Pullup ticket #4740 - requested by taca
www/contao34: security patch Revisions pulled up: - www/contao34/Makefile 1.5 - www/contao34/distinfo 1.6 - www/contao34/patches/patch-system_helper_functions.php 1.1 - www/contao34/patches/patch-system_modules_core_classes_BackendUser.php 1.1 - www/contao34/patches/patch-system_modules_core_controllers_BackendPopup.php 1.1 - www/contao34/patches/patch-system_modules_core_dca_tl__files.php 1.1 --- Module Name: pkgsrc Committed By: taca Date: Sat Jun 6 03:31:01 UTC 2015 Modified Files: pkgsrc/www/contao34: Makefile distinfo Added Files: pkgsrc/www/contao34/patches: patch-system_helper_functions.php patch-system_modules_core_classes_BackendUser.php patch-system_modules_core_controllers_BackendPopup.php patch-system_modules_core_dca_tl__files.php Log Message: Add several security related fixes from Contao 3.2.21. Bump PKGREVISION.
-rw-r--r--www/contao34/Makefile3
-rw-r--r--www/contao34/distinfo6
-rw-r--r--www/contao34/patches/patch-system_helper_functions.php27
-rw-r--r--www/contao34/patches/patch-system_modules_core_classes_BackendUser.php34
-rw-r--r--www/contao34/patches/patch-system_modules_core_controllers_BackendPopup.php15
-rw-r--r--www/contao34/patches/patch-system_modules_core_dca_tl__files.php65
6 files changed, 148 insertions, 2 deletions
diff --git a/www/contao34/Makefile b/www/contao34/Makefile
index d45720b8c27..ead4fbb0552 100644
--- a/www/contao34/Makefile
+++ b/www/contao34/Makefile
@@ -1,8 +1,9 @@
-# $NetBSD: Makefile,v 1.4 2015/02/01 04:51:34 taca Exp $
+# $NetBSD: Makefile,v 1.4.2.1 2015/06/12 22:44:26 tron Exp $
#
DISTNAME= contao-${CT_PKGVER}
PKGNAME= contao${CT_VER}-${CT_PKGVER}
+PKGREVISION= 1
CATEGORIES= www
MASTER_SITES= ${CT_MASTER_SITE}
diff --git a/www/contao34/distinfo b/www/contao34/distinfo
index 2b3ad9f2c33..28afb5e6820 100644
--- a/www/contao34/distinfo
+++ b/www/contao34/distinfo
@@ -1,5 +1,9 @@
-$NetBSD: distinfo,v 1.5 2015/03/28 04:21:42 taca Exp $
+$NetBSD: distinfo,v 1.5.2.1 2015/06/12 22:44:26 tron Exp $
SHA1 (contao-3.4.5.tar.gz) = 0ae1b47a85f33e74550a77fa4fa44fa5c3b6e674
RMD160 (contao-3.4.5.tar.gz) = dcca780d1d67d71e5cbeade268608e296d4d847b
Size (contao-3.4.5.tar.gz) = 11544130 bytes
+SHA1 (patch-system_helper_functions.php) = e5ee8f1e08b2712030f8809f20166bf6550f266b
+SHA1 (patch-system_modules_core_classes_BackendUser.php) = 527074d91cd550be242f6b4dfe005f6351fd1f35
+SHA1 (patch-system_modules_core_controllers_BackendPopup.php) = 29d2abf5bb149297da84ad198365b7656304fcb9
+SHA1 (patch-system_modules_core_dca_tl__files.php) = 8c1d1fb73cfe0e76e30eeb1b4036beb7b56fd71e
diff --git a/www/contao34/patches/patch-system_helper_functions.php b/www/contao34/patches/patch-system_helper_functions.php
new file mode 100644
index 00000000000..b61361e00ad
--- /dev/null
+++ b/www/contao34/patches/patch-system_helper_functions.php
@@ -0,0 +1,27 @@
+$NetBSD: patch-system_helper_functions.php,v 1.1.2.2 2015/06/12 22:44:26 tron Exp $
+
+Security improvement as Contao 3.2.21.
+
+--- system/helper/functions.php.orig 2015-03-27 08:53:59.000000000 +0000
++++ system/helper/functions.php
+@@ -216,9 +216,10 @@ function scan($strFolder, $blnUncached=f
+ * entities are never double converted.
+ * @param string
+ * @param boolean
++ * @param boolean
+ * @return string
+ */
+-function specialchars($strString, $blnStripInsertTags=false)
++function specialchars($strString, $blnStripInsertTags=false, $blnDoubleEncode=false)
+ {
+ if ($blnStripInsertTags)
+ {
+@@ -226,7 +227,7 @@ function specialchars($strString, $blnSt
+ }
+
+ // Use ENT_COMPAT here (see #4889)
+- return htmlspecialchars($strString, ENT_COMPAT, $GLOBALS['TL_CONFIG']['characterSet'], false);
++ return htmlspecialchars($strString, ENT_COMPAT, $GLOBALS['TL_CONFIG']['characterSet'], $blnDoubleEncode);
+ }
+
+
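Review bot: The added `@param boolean` line documents the new `$blnDoubleEncode` argument without naming it or saying what it controls, which is exactly what a caller needs to choose between the bare `specialchars($x)` and the `specialchars($x, false, true)` form used elsewhere in this commit. Propose `@param boolean $blnDoubleEncode Re-encode entities already present in the string (forwarded to htmlspecialchars); the default false keeps the previous behaviour`. The existing entries in this docblock omit parameter names, so weigh the extra detail against matching the file's style.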
diff --git a/www/contao34/patches/patch-system_modules_core_classes_BackendUser.php b/www/contao34/patches/patch-system_modules_core_classes_BackendUser.php
new file mode 100644
index 00000000000..d7561423ab9
--- /dev/null
+++ b/www/contao34/patches/patch-system_modules_core_classes_BackendUser.php
@@ -0,0 +1,34 @@
+$NetBSD: patch-system_modules_core_classes_BackendUser.php,v 1.1.2.2 2015/06/12 22:44:26 tron Exp $
+
+Security improvement as Contao 3.2.21.
+
+--- system/modules/core/classes/BackendUser.php.orig 2015-03-27 08:53:59.000000000 +0000
++++ system/modules/core/classes/BackendUser.php
+@@ -285,7 +285,7 @@ class BackendUser extends \User
+ ->limit(1)
+ ->execute($pid);
+
+- while (!$row['chmod'] && $pid > 0 && $objParentPage->numRows)
++ while ($row['chmod'] === false && $pid > 0 && $objParentPage->numRows)
+ {
+ $pid = $objParentPage->pid;
+
+@@ -299,15 +299,15 @@ class BackendUser extends \User
+ }
+
+ // Set default values
+- if (!$row['chmod'])
++ if (!$row['chmod'] === false)
+ {
+ $row['chmod'] = \Config::get('defaultChmod');
+ }
+- if (!$row['cuser'])
++ if (!$row['cuser'] === false)
+ {
+ $row['cuser'] = intval(\Config::get('defaultUser'));
+ }
+- if (!$row['cgroup'])
++ if (!$row['cgroup'] === false)
+ {
+ $row['cgroup'] = intval(\Config::get('defaultGroup'));
+ }
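Review bot: The three default-value checks `+ if (!$row['chmod'] === false)`, `+ if (!$row['cuser'] === false)` and `+ if (!$row['cgroup'] === false)` test the opposite of what the surrounding code suggests: in PHP `!` binds tighter than `===`, so each reads `(!$row['chmod']) === false`, which is true exactly when the value is truthy. As written, a permission set that was found is overwritten by the configured defaults, while a value left at `false` never receives them. The loop condition changed in the same patch uses `$row['chmod'] === false`, and these checks presumably meant the same form: `if ($row['chmod'] === false)`, `if ($row['cuser'] === false)`, `if ($row['cgroup'] === false)`. The enclosing method and the code that initialises `$row` lie outside this hunk, so confirm there that the fields really hold `false` (rather than an empty string or null) when nothing was inherited before settling on a strict comparison.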
diff --git a/www/contao34/patches/patch-system_modules_core_controllers_BackendPopup.php b/www/contao34/patches/patch-system_modules_core_controllers_BackendPopup.php
new file mode 100644
index 00000000000..2e068f6b9d1
--- /dev/null
+++ b/www/contao34/patches/patch-system_modules_core_controllers_BackendPopup.php
@@ -0,0 +1,15 @@
+$NetBSD: patch-system_modules_core_controllers_BackendPopup.php,v 1.1.2.2 2015/06/12 22:44:26 tron Exp $
+
+Security improvement as Contao 3.2.21.
+
+--- system/modules/core/controllers/BackendPopup.php.orig 2015-03-27 08:53:59.000000000 +0000
++++ system/modules/core/controllers/BackendPopup.php
+@@ -128,7 +128,7 @@ class BackendPopup extends \Backend
+ $this->Template->ctime = \Date::parse(\Config::get('datimFormat'), $objFile->ctime);
+ $this->Template->mtime = \Date::parse(\Config::get('datimFormat'), $objFile->mtime);
+ $this->Template->atime = \Date::parse(\Config::get('datimFormat'), $objFile->atime);
+- $this->Template->path = $this->strFile;
++ $this->Template->path = specialchars($this->strFile);
+
+ $this->output();
+ }
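Review bot: `specialchars($this->strFile)` on the changed line relies on the helper's default of not double-encoding, whereas every call site changed in the tl_files patch of this same commit passes `specialchars($title, false, true)` so that entity-like sequences already present in the value are re-encoded. A file name that already contains such a sequence is therefore passed through unchanged here; whether that matters depends on how the template renders `path`, which is outside the hunk. If the stricter form is the intent, `$this->Template->path = specialchars($this->strFile, false, true);` keeps the two patches consistent. The enclosing method starts before this hunk.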
diff --git a/www/contao34/patches/patch-system_modules_core_dca_tl__files.php b/www/contao34/patches/patch-system_modules_core_dca_tl__files.php
new file mode 100644
index 00000000000..1c414448c7f
--- /dev/null
+++ b/www/contao34/patches/patch-system_modules_core_dca_tl__files.php
@@ -0,0 +1,65 @@
+$NetBSD: patch-system_modules_core_dca_tl__files.php,v 1.1.2.2 2015/06/12 22:44:26 tron Exp $
+
+Security improvement as Contao 3.2.21.
+
+--- system/modules/core/dca/tl_files.php.orig 2015-03-27 08:53:59.000000000 +0000
++++ system/modules/core/dca/tl_files.php
+@@ -488,7 +488,7 @@ class tl_files extends Backend
+ */
+ public function editFile($row, $href, $label, $title, $icon, $attributes)
+ {
+- return $this->User->hasAccess('f2', 'fop') ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
++ return ($this->User->isAdmin || $this->User->hasAccess('f2', 'fop')) ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title, false, true).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
+ }
+
+
+@@ -504,7 +504,7 @@ class tl_files extends Backend
+ */
+ public function copyFile($row, $href, $label, $title, $icon, $attributes)
+ {
+- return $this->User->hasAccess('f2', 'fop') ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
++ return ($this->User->isAdmin || $this->User->hasAccess('f2', 'fop')) ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title, false, true).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
+ }
+
+
+@@ -520,7 +520,7 @@ class tl_files extends Backend
+ */
+ public function cutFile($row, $href, $label, $title, $icon, $attributes)
+ {
+- return $this->User->hasAccess('f2', 'fop') ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
++ return ($this->User->isAdmin || $this->User->hasAccess('f2', 'fop')) ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title, false, true).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
+ }
+
+
+@@ -538,11 +538,11 @@ class tl_files extends Backend
+ {
+ if (is_dir(TL_ROOT . '/' . $row['id']) && count(scan(TL_ROOT . '/' . $row['id'])) > 0)
+ {
+- return $this->User->hasAccess('f4', 'fop') ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
++ return ($this->User->isAdmin || $this->User->hasAccess('f4', 'fop')) ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title, false, true).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
+ }
+ else
+ {
+- return ($this->User->hasAccess('f3', 'fop') || $this->User->hasAccess('f4', 'fop')) ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
++ return ($this->User->isAdmin || $this->User->hasAccess('f3', 'fop') || $this->User->hasAccess('f4', 'fop')) ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title, false, true).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
+ }
+ }
+
+@@ -578,7 +578,7 @@ class tl_files extends Backend
+ return Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
+ }
+
+- return '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ';
++ return '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title, false, true).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ';
+ }
+
+
+@@ -600,7 +600,7 @@ class tl_files extends Backend
+ }
+ else
+ {
+- return '<a href="contao/popup.php?src=' . base64_encode($row['id']) . '" title="'.specialchars($title).'"'.$attributes.' onclick="Backend.openModalIframe({\'width\':'.$row['popupWidth'].',\'title\':\''.str_replace("'", "\\'", $row['fileNameEncoded']).'\',\'url\':this.href,\'height\':'.$row['popupHeight'].'});return false">'.Image::getHtml($icon, $label).'</a> ';
++ return '<a href="contao/popup.php?src=' . base64_encode($row['id']) . '" title="'.specialchars($title, false, true).'"'.$attributes.' onclick="Backend.openModalIframe({\'width\':'.$row['popupWidth'].',\'title\':\''.str_replace("'", "\\'", $row['fileNameEncoded']).'\',\'url\':this.href,\'height\':'.$row['popupHeight'].'});return false">'.Image::getHtml($icon, $label).'</a> ';
+ }
+ }
+
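Review bot: The `title` attribute is now escaped with double encoding, but the same link strings still concatenate `$row['id']`, `$attributes` and, in the last hunk, `$row['popupWidth']`, `$row['popupHeight']` and `$row['fileNameEncoded']` unescaped; the last of these is guarded only by `str_replace("'", "\\'", ...)` inside a JavaScript string literal that itself sits in an HTML attribute, so `"`, `&` and `</` are not handled there. Whether those values can carry user-influenced content depends on how `$row` is assembled and what `addToUrl()` escapes, both outside this patch, so this is a point to confirm rather than a known defect. If they are not guaranteed clean, build the JS literal with `json_encode($row['fileNameEncoded'])` and pass the whole `onclick` value through `specialchars(..., false, true)` like the title. `editFile`, `copyFile` and `cutFile` are shown whole; the remaining two hunks start inside their methods.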