authortaca <taca@pkgsrc.org>2011-10-07 12:28:11 +0000
committertaca <taca@pkgsrc.org>2011-10-07 12:28:11 +0000
commit89cb0ad5b55ce6d36f1a39cee98de82fb0463f33 (patch)
treeaac176d12d6bb1246517d3d6e1f71368043be767
parent38d1968576b9078d79e8e66f915217a76d2c0b92 (diff)
downloadpkgsrc-89cb0ad5b55ce6d36f1a39cee98de82fb0463f33.tar.gz
Add a patch based on r1041 from the Contao repository to fix a potential
XSS vulnerability. Bump PKGREVISION.
-rw-r--r--www/contao210/Makefile4
-rw-r--r--www/contao210/distinfo3
-rw-r--r--www/contao210/patches/patch-system_modules_frontend_Frontend.php34
-rw-r--r--www/contao29/Makefile4
-rw-r--r--www/contao29/distinfo3
-rw-r--r--www/contao29/patches/patch-system_modules_frontend_Frontend.php34
-rw-r--r--www/typolight28/DESCR3
-rw-r--r--www/typolight28/Makefile4
-rw-r--r--www/typolight28/distinfo4
-rw-r--r--www/typolight28/patches/patch-ad35
10 files changed, 112 insertions, 16 deletions
diff --git a/www/contao210/Makefile b/www/contao210/Makefile
index f11bafe186c..3168f4d6014 100644
--- a/www/contao210/Makefile
+++ b/www/contao210/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.2 2011/09/16 05:46:25 obache Exp $
+# $NetBSD: Makefile,v 1.3 2011/10/07 12:28:11 taca Exp $
#
DISTNAME= contao-${CT_VERSION}
PKGNAME= contao${CT_VER}-${CT_PKGVER}
-PKGREVISION= 1
+PKGREVISION= 2
CATEGORIES= www
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=typolight/}
diff --git a/www/contao210/distinfo b/www/contao210/distinfo
index d3fee5fedcf..f7f1ec1bb6f 100644
--- a/www/contao210/distinfo
+++ b/www/contao210/distinfo
@@ -1,5 +1,6 @@
-$NetBSD: distinfo,v 1.2 2011/08/31 14:33:22 taca Exp $
+$NetBSD: distinfo,v 1.3 2011/10/07 12:28:11 taca Exp $
SHA1 (contao-2.10.1.tar.gz) = f8139b1baef077f5ddb2ba5b7d3fc6b6169db147
RMD160 (contao-2.10.1.tar.gz) = cb71bdadc9414bd03394ef71928b7fb00d3c5f0b
Size (contao-2.10.1.tar.gz) = 4868666 bytes
+SHA1 (patch-system_modules_frontend_Frontend.php) = 9e3bc3196d93ef28ef1db842750ab40f50eb10f9
diff --git a/www/contao210/patches/patch-system_modules_frontend_Frontend.php b/www/contao210/patches/patch-system_modules_frontend_Frontend.php
new file mode 100644
index 00000000000..366484a1b06
--- /dev/null
+++ b/www/contao210/patches/patch-system_modules_frontend_Frontend.php
@@ -0,0 +1,34 @@
+$NetBSD: patch-system_modules_frontend_Frontend.php,v 1.1 2011/10/07 12:28:11 taca Exp $
+
+* Fix potential XSS vulnerability, r1041.
+
+--- system/modules/frontend/Frontend.php.orig 2011-08-19 12:08:32.000000000 +0000
++++ system/modules/frontend/Frontend.php
+@@ -80,7 +80,7 @@ abstract class Frontend extends Controll
+ return is_numeric($this->Input->get('id')) ? $this->Input->get('id') : null;
+ }
+
+- if (!strlen($this->Environment->request))
++ if ($this->Environment->request == '')
+ {
+ return null;
+ }
+@@ -106,13 +106,15 @@ abstract class Frontend extends Controll
+ }
+ }
+
+- // Add fragments to $_GET array
++ // DO NOT USE urldecode() HERE (XSS vulnerability)!
++
++ // Add the fragments to the $_GET array
+ for ($i=1; $i<count($arrFragments); $i+=2)
+ {
+- $_GET[urldecode($arrFragments[$i])] = urldecode($arrFragments[$i+1]);
++ $_GET[$arrFragments[$i]] = $arrFragments[$i+1];
+ }
+
+- return strlen($arrFragments[0]) ? urldecode($arrFragments[0]) : null;
++ return ($arrFragments[0] != '') ? $arrFragments[0] : null;
+ }
+
+
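Review bot: The rewritten assignment `$_GET[$arrFragments[$i]] = $arrFragments[$i+1];` still reads `$arrFragments[$i+1]` without checking that it exists, and the loop condition `$i<count($arrFragments)` lets `$i+1` run past the end when the URL carries a key without a value, unless code above this hunk already normalises the fragment list. Since both key and value are request-path segments chosen by the client, I would guard the write, e.g. `if ($arrFragments[$i] == '' || !isset($arrFragments[$i+1])) { continue; }` as the first statement of the loop. The new comment `// DO NOT USE urldecode() HERE (XSS vulnerability)!` also states the rule but not the reason; a sentence saying that the fragments are stored still percent-encoded and should only be read back through `$this->Input->get()` would help, if that is indeed the intent. The same embedded hunk is added in www/contao29/patches/patch-system_modules_frontend_Frontend.php and www/typolight28/patches/patch-ad, and the enclosing method starts above the visible context.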
diff --git a/www/contao29/Makefile b/www/contao29/Makefile
index 5c60db421b7..76fef2b22e3 100644
--- a/www/contao29/Makefile
+++ b/www/contao29/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.16 2011/09/16 05:46:25 obache Exp $
+# $NetBSD: Makefile,v 1.17 2011/10/07 12:28:55 taca Exp $
#
DISTNAME= contao-${CT_VERSION}
PKGNAME= contao${CT_VER}-${CT_PKGVER}
-PKGREVISION= 3
+PKGREVISION= 4
CATEGORIES= www
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=typolight/}
diff --git a/www/contao29/distinfo b/www/contao29/distinfo
index 563544003e3..0113807f7c0 100644
--- a/www/contao29/distinfo
+++ b/www/contao29/distinfo
@@ -1,5 +1,6 @@
-$NetBSD: distinfo,v 1.9 2011/05/18 13:25:17 taca Exp $
+$NetBSD: distinfo,v 1.10 2011/10/07 12:28:55 taca Exp $
SHA1 (contao-2.9.5.tar.gz) = 93c1fb67a396f057eb700ec181aaed839c10cb1d
RMD160 (contao-2.9.5.tar.gz) = 0a7229382d50f1d08dd05c10274d08b0bdb1b12c
Size (contao-2.9.5.tar.gz) = 4594817 bytes
+SHA1 (patch-system_modules_frontend_Frontend.php) = 01d545003a265620f7749dffcca15e87bd4b8297
diff --git a/www/contao29/patches/patch-system_modules_frontend_Frontend.php b/www/contao29/patches/patch-system_modules_frontend_Frontend.php
new file mode 100644
index 00000000000..aacc171583b
--- /dev/null
+++ b/www/contao29/patches/patch-system_modules_frontend_Frontend.php
@@ -0,0 +1,34 @@
+$NetBSD: patch-system_modules_frontend_Frontend.php,v 1.1 2011/10/07 12:28:55 taca Exp $
+
+* Fix potential XSS vulnerability, r1041.
+
+--- system/modules/frontend/Frontend.php.orig 2011-03-02 13:03:27.000000000 +0000
++++ system/modules/frontend/Frontend.php
+@@ -80,7 +80,7 @@ abstract class Frontend extends Controll
+ return is_numeric($this->Input->get('id')) ? $this->Input->get('id') : null;
+ }
+
+- if (!strlen($this->Environment->request))
++ if ($this->Environment->request == '')
+ {
+ return null;
+ }
+@@ -106,13 +106,15 @@ abstract class Frontend extends Controll
+ }
+ }
+
+- // Add fragments to $_GET array
++ // DO NOT USE urldecode() HERE (XSS vulnerability)!
++
++ // Add the fragments to the $_GET array
+ for ($i=1; $i<count($arrFragments); $i+=2)
+ {
+- $_GET[urldecode($arrFragments[$i])] = urldecode($arrFragments[$i+1]);
++ $_GET[$arrFragments[$i]] = $arrFragments[$i+1];
+ }
+
+- return strlen($arrFragments[0]) ? urldecode($arrFragments[0]) : null;
++ return ($arrFragments[0] != '') ? $arrFragments[0] : null;
+ }
+
+
diff --git a/www/typolight28/DESCR b/www/typolight28/DESCR
index ff3a08955c0..3ac4236d5c2 100644
--- a/www/typolight28/DESCR
+++ b/www/typolight28/DESCR
@@ -32,6 +32,3 @@ contemporary websites without being a programmer.
* Accessible front and back end
* Easy live update
* Ajax and PHP 5
-
-Note: Live update feature would work with typolight-liveupdate PKG_OPTION
-enabled, but it might be conflict with regular pkgsrc maintainous.
diff --git a/www/typolight28/Makefile b/www/typolight28/Makefile
index b014d469ed9..04678e5dc6d 100644
--- a/www/typolight28/Makefile
+++ b/www/typolight28/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.14 2011/09/16 05:46:27 obache Exp $
+# $NetBSD: Makefile,v 1.15 2011/10/07 12:29:41 taca Exp $
#
DISTNAME= typolight-${TL_VERSION}
PKGNAME= typolight${TL_VER}-${TL_PKGVER}
-PKGREVISION= 4
+PKGREVISION= 5
CATEGORIES= www
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=typolight/}
diff --git a/www/typolight28/distinfo b/www/typolight28/distinfo
index 227f98d2675..8ee5cda3e26 100644
--- a/www/typolight28/distinfo
+++ b/www/typolight28/distinfo
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.10 2011/01/06 14:23:41 taca Exp $
+$NetBSD: distinfo,v 1.11 2011/10/07 12:29:41 taca Exp $
SHA1 (typolight-2.8.4.tar.gz) = d18d684a06f5dd29ffc6a28d08143feb613cd47b
RMD160 (typolight-2.8.4.tar.gz) = ad82d00e3b7ec4e604640779fec841fcfc65f75c
Size (typolight-2.8.4.tar.gz) = 4097946 bytes
-SHA1 (patch-ad) = 207ce919bb6fa7148108f8bd075d3a7d7ad1eeb9
+SHA1 (patch-ad) = ee5524db7764c9c5ede3affcb99ed0f8864d522e
SHA1 (patch-ae) = eed6db905809b3782acb8324799de6bc8d4e855b
SHA1 (patch-af) = 868309cff4ba1855a96745c578737878f8d118d5
diff --git a/www/typolight28/patches/patch-ad b/www/typolight28/patches/patch-ad
index 8391863b260..37a6044105b 100644
--- a/www/typolight28/patches/patch-ad
+++ b/www/typolight28/patches/patch-ad
@@ -1,10 +1,39 @@
-$NetBSD: patch-ad,v 1.1 2010/07/28 16:24:20 taca Exp $
+$NetBSD: patch-ad,v 1.2 2011/10/07 12:29:42 taca Exp $
-Fix for CSS from repository, r507.
+* Fix for CSS from repository, r507.
+* Fix potential XSS vulnerability, r1041.
--- system/modules/frontend/Frontend.php.orig 2010-04-19 10:22:31.000000000 +0000
+++ system/modules/frontend/Frontend.php
-@@ -166,8 +166,16 @@ abstract class Frontend extends Controll
+@@ -78,7 +78,7 @@ abstract class Frontend extends Controll
+ return is_numeric($this->Input->get('id')) ? $this->Input->get('id') : null;
+ }
+
+- if (!strlen($this->Environment->request))
++ if ($this->Environment->request == '')
+ {
+ return null;
+ }
+@@ -104,13 +104,15 @@ abstract class Frontend extends Controll
+ }
+ }
+
+- // Add fragments to $_GET array
++ // DO NOT USE urldecode() HERE (XSS vulnerability)!
++
++ // Add the fragments to the $_GET array
+ for ($i=1; $i<count($arrFragments); $i+=2)
+ {
+- $_GET[urldecode($arrFragments[$i])] = urldecode($arrFragments[$i+1]);
++ $_GET[$arrFragments[$i]] = $arrFragments[$i+1];
+ }
+
+- return strlen($arrFragments[0]) ? urldecode($arrFragments[0]) : null;
++ return ($arrFragments[0] != '') ? $arrFragments[0] : null;
+ }
+
+
+@@ -166,8 +168,16 @@ abstract class Frontend extends Controll
protected function addToUrl($strRequest, $blnIgnoreParams=false)
{
$arrGet = $blnIgnoreParams ? array() : $_GET;