authortron <tron>2013-01-23 20:18:31 +0000
committertron <tron>2013-01-23 20:18:31 +0000
commitf7b45c8f474c52a13bdedd6ce4347c79822d0ec8 (patch)
treefe0c93720415175396b90fc41e04b712084d6fdc
parent5e48fdba1b55debe54965ce0295110ccc73758f2 (diff)
downloadpkgsrc-f7b45c8f474c52a13bdedd6ce4347c79822d0ec8.tar.gz
Pullup ticket #4033 - requested by taca
pkgsrc/databases/phpldapadmin: security patch Revisions pulled up: - databases/phpldapadmin/Makefile 1.34 - databases/phpldapadmin/distinfo 1.12-1.13 - databases/phpldapadmin/patches/patch-htdocs_add__value__form.php 1.1 - databases/phpldapadmin/patches/patch-htdocs_export.php 1.1 - databases/phpldapadmin/patches/patch-htdocs_logout.php 1.1 - databases/phpldapadmin/patches/patch-lib_QueryRender.php 1.1-1.2 - databases/phpldapadmin/patches/patch-lib_export__functions.php 1.1 - databases/phpldapadmin/patches/patch-lib_functions.php 1.1 --- Module Name: pkgsrc Committed By: taca Date: Mon Jan 21 12:43:23 UTC 2013 Modified Files: pkgsrc/databases/phpldapadmin: Makefile distinfo Added Files: pkgsrc/databases/phpldapadmin/patches: patch-htdocs_add__value__form.php patch-htdocs_export.php patch-htdocs_logout.php patch-lib_QueryRender.php patch-lib_export__functions.php patch-lib_functions.php Log Message: Add some patches from development repository. * Add fix for CVE-2012-1114/CVE-2012-1115 from repository. * Unset $_SESSION['ACTIVITY'] on logout from repository. * Fix XSS in query from repository. * Add support for SHA512 with OpenLDAP from repository. Bump PKGREVISION. --- Module Name: pkgsrc Committed By: obache Date: Tue Jan 22 11:49:33 UTC 2013 Modified Files: pkgsrc/databases/phpldapadmin: distinfo pkgsrc/databases/phpldapadmin/patches: patch-lib_QueryRender.php Log Message: Note CVE-2012-0834
-rw-r--r--databases/phpldapadmin/Makefile7
-rw-r--r--databases/phpldapadmin/distinfo8
-rw-r--r--databases/phpldapadmin/patches/patch-htdocs_add__value__form.php16
-rw-r--r--databases/phpldapadmin/patches/patch-htdocs_export.php22
-rw-r--r--databases/phpldapadmin/patches/patch-htdocs_logout.php27
-rw-r--r--databases/phpldapadmin/patches/patch-lib_QueryRender.php25
-rw-r--r--databases/phpldapadmin/patches/patch-lib_export__functions.php55
-rw-r--r--databases/phpldapadmin/patches/patch-lib_functions.php82
8 files changed, 238 insertions, 4 deletions
diff --git a/databases/phpldapadmin/Makefile b/databases/phpldapadmin/Makefile
index a8950eeca67..eb7cf2e8673 100644
--- a/databases/phpldapadmin/Makefile
+++ b/databases/phpldapadmin/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.33 2012/10/02 21:25:40 asau Exp $
+# $NetBSD: Makefile,v 1.33.2.1 2013/01/23 20:18:31 tron Exp $
DISTNAME= phpldapadmin-${VERSION}
+PKGREVISION= 1
CATEGORIES= databases www
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=phpldapadmin/}
EXTRACT_SUFX= .tgz
@@ -48,8 +49,8 @@ do-install:
${INSTALL_DATA} ${WRKSRC}/index.php \
${DESTDIR}${PREFIX}/share/phpldapadmin
.for i in ${PAX_DIRS}
- cd ${WRKSRC}/${i:Q} && pax \
- -rwppm . ${DESTDIR}${PREFIX}/share/phpldapadmin/${i:Q}
+ cd ${WRKSRC}/${i:Q} && ${FIND} . -type f \! -name '*.orig' -print | \
+ pax -rwppm ${DESTDIR}${PREFIX}/share/phpldapadmin/${i:Q}
.endfor
${INSTALL_DATA} ${WRKSRC}/INSTALL \
${DESTDIR}${PREFIX}/share/doc/phpldapadmin
diff --git a/databases/phpldapadmin/distinfo b/databases/phpldapadmin/distinfo
index 6ac1fc88d7e..a7b4180de02 100644
--- a/databases/phpldapadmin/distinfo
+++ b/databases/phpldapadmin/distinfo
@@ -1,5 +1,11 @@
-$NetBSD: distinfo,v 1.11 2011/11/17 12:44:02 obache Exp $
+$NetBSD: distinfo,v 1.11.10.1 2013/01/23 20:18:31 tron Exp $
SHA1 (phpldapadmin-1.2.2.tgz) = 2904923eb25173d108b556c70fb3d42cd6e0e289
RMD160 (phpldapadmin-1.2.2.tgz) = dd93d9558c9780b014f066d070b496e2804b9565
Size (phpldapadmin-1.2.2.tgz) = 1415565 bytes
+SHA1 (patch-htdocs_add__value__form.php) = 74e7128a36391c7ccce1a4a25bb115290fd8af3e
+SHA1 (patch-htdocs_export.php) = 822cb73c754d83a8e080bc709db36d3d7d90deb4
+SHA1 (patch-htdocs_logout.php) = f09fdceb60faad2d2c49c37fa9ca01ac3c2e332e
+SHA1 (patch-lib_QueryRender.php) = 976eb66a7c50ed992886a3c4f79d2ae7d3c2f52e
+SHA1 (patch-lib_export__functions.php) = ace9e5b372ea34e54a24a1679cc43c5c5393d038
+SHA1 (patch-lib_functions.php) = a596507eba2a32bf674cac093b307bfe765510bb
diff --git a/databases/phpldapadmin/patches/patch-htdocs_add__value__form.php b/databases/phpldapadmin/patches/patch-htdocs_add__value__form.php
new file mode 100644
index 00000000000..e56db281609
--- /dev/null
+++ b/databases/phpldapadmin/patches/patch-htdocs_add__value__form.php
@@ -0,0 +1,16 @@
+$NetBSD: patch-htdocs_add__value__form.php,v 1.1.2.2 2013/01/23 20:18:31 tron Exp $
+
+* Fix XSS for CVE-2012-1114/CVE-2012-1115 from repository,
+ 74434e5ca3fb66018fad60766f833f15689fcbfc.
+
+--- htdocs/add_value_form.php.orig 2011-10-27 02:07:09.000000000 +0000
++++ htdocs/add_value_form.php
+@@ -34,7 +34,7 @@ if ($request['attribute']->isReadOnly())
+ # Render the form
+ if (! strcasecmp($request['attr'],'objectclass') || get_request('meth','REQUEST') != 'ajax') {
+ # Render the form.
+- $request['page']->drawTitle(sprintf('%s <b>%s</b> %s <b>%s</b>',_('Add new'),$request['attr'],_('value to'),get_rdn($request['dn'])));
++ $request['page']->drawTitle(sprintf(_('Add new <b>%s</b> value to <b>%s</b>'), htmlspecialchars($request['attr']),htmlspecialchars(get_rdn($request['dn']))));
+ $request['page']->drawSubTitle();
+
+ if (! strcasecmp($request['attr'],'objectclass')) {
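Review bot: The two new `htmlspecialchars()` calls rely on the interpreter's default flags and charset, so the escaping behaves differently across PHP versions: on PHP 5.4 and later the default charset is UTF-8 and an attribute name or RDN containing an invalid byte sequence makes `htmlspecialchars()` return an empty string, silently blanking the title rather than escaping it. Since this text lands inside `<b>…</b>` text content the missing `ENT_QUOTES` is not exploitable, but pinning the call is cheap: `htmlspecialchars($request['attr'], ENT_QUOTES, 'UTF-8')` and the same for `get_rdn($request['dn'])`. The surrounding `if` block continues past the end of this hunk.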
diff --git a/databases/phpldapadmin/patches/patch-htdocs_export.php b/databases/phpldapadmin/patches/patch-htdocs_export.php
new file mode 100644
index 00000000000..b92e3932af5
--- /dev/null
+++ b/databases/phpldapadmin/patches/patch-htdocs_export.php
@@ -0,0 +1,22 @@
+$NetBSD: patch-htdocs_export.php,v 1.1.2.2 2013/01/23 20:18:31 tron Exp $
+
+* Fix XSS for CVE-2012-1114/CVE-2012-1115 from repository,
+ 74434e5ca3fb66018fad60766f833f15689fcbfc.
+
+--- htdocs/export.php.orig 2011-10-27 02:07:09.000000000 +0000
++++ htdocs/export.php
+@@ -29,12 +29,12 @@ if ($request['file']) {
+
+ header('Content-type: application/download');
+ header(sprintf('Content-Disposition: inline; filename="%s.%s"','export',$types['extension'].($request['export']->isCompressed() ? '.gz' : '')));
+- $request['export']->export();
++ echo $request['export']->export();
+ die();
+
+ } else {
+ print '<span style="font-size: 14px; font-family: courier;"><pre>';
+- $request['export']->export();
++ echo htmlspecialchars($request['export']->export());
+ print '</pre></span>';
+ }
+ ?>
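Review bot: The download branch now echoes the export body unescaped and depends entirely on the two `header()` calls above it (unchanged context here) to keep the browser from interpreting it; those headers send a non-standard `application/download` type with `Content-Disposition: inline`, so a content-sniffing browser can still render an LDIF/DSML/vCard body as HTML, and that body contains directory values an LDAP user may control. Since the escaping fix for the on-screen branch is the point of this patch, harden the file branch alongside it: use `attachment` instead of `inline` in the `Content-Disposition` header and add `header('X-Content-Type-Options: nosniff');` before the `echo`. Also worth a comment on the `echo htmlspecialchars(...)` line noting that `export()` now returns rather than prints, since the sibling `lib/export_functions.php` change is what makes this line work.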
diff --git a/databases/phpldapadmin/patches/patch-htdocs_logout.php b/databases/phpldapadmin/patches/patch-htdocs_logout.php
new file mode 100644
index 00000000000..8f439fdb4ad
--- /dev/null
+++ b/databases/phpldapadmin/patches/patch-htdocs_logout.php
@@ -0,0 +1,27 @@
+$NetBSD: patch-htdocs_logout.php,v 1.1.2.2 2013/01/23 20:18:31 tron Exp $
+
+o Unset $_SESSION['ACTIVITY'] on logout from repository,
+ 88d41216f957f98bb0a22b1af779df964580fd5c.
+
+--- htdocs/logout.php.orig 2011-10-27 02:07:09.000000000 +0000
++++ htdocs/logout.php
+@@ -11,13 +11,16 @@
+
+ require './common.php';
+
+-if ($app['server']->logout())
++if ($app['server']->logout()) {
++ unset($_SESSION['ACTIVITY'][$app['server']->getIndex()]);
++
+ system_message(array(
+- 'title'=>_('Authenticate to server'),
++ 'title'=>_('Logout from Server'),
+ 'body'=>_('Successfully logged out of server.'),
+ 'type'=>'info'),
+ sprintf('index.php?server_id=%s',$app['server']->getIndex()));
+-else
++
++} else
+ system_message(array(
+ 'title'=>_('Failed to Logout of server'),
+ 'body'=>_('Please report this error to the admins.'),
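Review bot: The new `unset($_SESSION['ACTIVITY'][...])` removes the per-server activity record but leaves the PHP session itself, and its identifier, intact; unless `$app['server']->logout()` (defined outside this hunk) already rotates or destroys the session, a session id obtained before login remains valid across the logout, which is the usual session-fixation foothold. If that is not done elsewhere, add `session_regenerate_id(true);` immediately after the `unset` so the logout also invalidates the old id. The `else` branch's `system_message()` call continues past the end of this hunk.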
diff --git a/databases/phpldapadmin/patches/patch-lib_QueryRender.php b/databases/phpldapadmin/patches/patch-lib_QueryRender.php
new file mode 100644
index 00000000000..0cfd1148a5c
--- /dev/null
+++ b/databases/phpldapadmin/patches/patch-lib_QueryRender.php
@@ -0,0 +1,25 @@
+$NetBSD: patch-lib_QueryRender.php,v 1.2.2.2 2013/01/23 20:18:31 tron Exp $
+
+o Fix XSS in query from repository, 7dc8d57d6952fe681cb9e8818df7f103220457bd.
+ CVE-2012-0834
+
+--- lib/QueryRender.php.orig 2011-10-27 02:07:09.000000000 +0000
++++ lib/QueryRender.php
+@@ -497,7 +497,7 @@ class QueryRender extends PageRender {
+ $this->getAjaxRef($base),
+ $this->getAjaxRef($base),
+ ($show == $this->getAjaxRef($base) ? '#F0F0F0' : '#E0E0E0'),
+- $base);
++ htmlspecialchars($base));
+ }
+ echo '</tr>';
+ echo '</table>';
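Review bot: Only the final `$base` argument of this `printf()` is escaped; the two `$this->getAjaxRef($base)` values on the unchanged lines above it are interpolated into the same markup without escaping, and nothing in this hunk shows what `getAjaxRef()` returns. If it derives an identifier from `$base` rather than from an opaque index, the XSS this patch fixes is still reachable through those arguments, so either confirm it returns a safe token or wrap those two arguments in `htmlspecialchars()` as well. The `printf()` call and the loop it sits in begin before this hunk.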
+@@ -545,7 +545,7 @@ class QueryRender extends PageRender {
+ echo ' ]</small>';
+
+ echo '<br />';
+- printf('<small>%s: <b>%s</b></small>',_('Base DN'),$base);
++ printf('<small>%s: <b>%s</b></small>',_('Base DN'), htmlspecialchars($base));
+
+ echo '<br />';
+ printf('<small>%s: <b>%s</b></small>',_('Filter performed'),htmlspecialchars($this->template->resultsdata[$base]['filter']));
diff --git a/databases/phpldapadmin/patches/patch-lib_export__functions.php b/databases/phpldapadmin/patches/patch-lib_export__functions.php
new file mode 100644
index 00000000000..6075b8ffffd
--- /dev/null
+++ b/databases/phpldapadmin/patches/patch-lib_export__functions.php
@@ -0,0 +1,55 @@
+$NetBSD: patch-lib_export__functions.php,v 1.1.2.2 2013/01/23 20:18:31 tron Exp $
+
+* Fix XSS for CVE-2012-1114/CVE-2012-1115 from repository,
+ 74434e5ca3fb66018fad60766f833f15689fcbfc.
+
+--- lib/export_functions.php.orig 2011-10-27 02:07:09.000000000 +0000
++++ lib/export_functions.php
+@@ -324,9 +324,9 @@ class ExportCSV extends Export {
+ }
+
+ if ($this->compress)
+- echo gzencode($output);
++ return gzencode($output);
+ else
+- echo $output;
++ return $output;
+ }
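Review bot: Switching `echo` to `return` silently changes the contract of every `export()` implementation, and the only caller updated in this commit is `htdocs/export.php`; any other caller of `Export::export()` that expected output to be emitted now produces nothing, with no error. Grep the tree for other `->export()` call sites and document the new contract on the base `Export` class (outside this hunk) with a docblock along the lines of `@return string The serialised directory data, gzip-compressed when $this->compress is set; callers must echo it.` Note also that `gzencode()` returns `false` on failure and that value is now propagated to the caller rather than printed as an empty string, so callers should check for it.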
+
+ /**
+@@ -428,9 +428,9 @@ class ExportDSML extends Export {
+ $output .= sprintf('</dsml>%s',$this->br);
+
+ if ($this->compress)
+- echo gzencode($output);
++ return gzencode($output);
+ else
+- echo $output;
++ return $output;
+ }
+ }
+
+@@ -506,9 +506,9 @@ class ExportLDIF extends Export {
+ }
+
+ if ($this->compress)
+- echo gzencode($output);
++ return gzencode($output);
+ else
+- echo $output;
++ return $output;
+ }
+
+ /**
+@@ -633,9 +633,9 @@ class ExportVCARD extends Export {
+ }
+
+ if ($this->compress)
+- echo gzencode($output);
++ return gzencode($output);
+ else
+- echo $output;
++ return $output;
+ }
+ }
+ ?>
diff --git a/databases/phpldapadmin/patches/patch-lib_functions.php b/databases/phpldapadmin/patches/patch-lib_functions.php
new file mode 100644
index 00000000000..35bd7da05df
--- /dev/null
+++ b/databases/phpldapadmin/patches/patch-lib_functions.php
@@ -0,0 +1,82 @@
+$NetBSD: patch-lib_functions.php,v 1.1.2.2 2013/01/23 20:18:31 tron Exp $
+
+* Add support for SHA512 with OpenLDAP from repository,
+ 21959715c3d6f204dd6c35b2e313eb2d4a01d22a.
+
+--- lib/functions.php.orig 2011-10-27 02:07:09.000000000 +0000
++++ lib/functions.php
+@@ -1471,10 +1471,10 @@ function get_next_number($base,$attr,$in
+ for ($i=0;$i<count($autonum);$i++) {
+ $num = $autonum[$i] < $minNumber ? $minNumber : $autonum[$i];
+
+- /* If we're at the end of the list, or we've found a gap between this number and the
+- following, use the next available number in the gap. */
+- if ($i+1 == count($autonum) || $autonum[$i+1] > $num+1)
+- return $autonum[$i] >= $num ? $num+1 : $num;
++ /* If we're at the end of the list, or we've found a gap between this number and the
++ following, use the next available number in the gap. */
++ if ($i+1 == count($autonum) || $autonum[$i+1] > $num+1)
++ return $autonum[$i] >= $num ? $num+1 : $num;
+ }
+
+ # If we didnt find a suitable gap and are all above the minNumber, we'll just return the $minNumber
+@@ -2114,7 +2114,7 @@ function password_types() {
+ 'md5crypt'=>'md5crypt',
+ 'sha'=>'sha',
+ 'smd5'=>'smd5',
+- 'ssha'=>'ssha'
++ 'ssh512'=>'ssh512'
+ );
+ }
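Review bot: This hunk replaces the `'ssha'=>'ssha'` entry instead of adding to it, and the entry it adds is spelled `'ssh512'`, which matches no `case` label in `password_hash()`: a user who selects the new type therefore falls through to the `default:` branch and has the password stored in clear text, while the salted SHA type that OpenLDAP deployments most commonly use disappears from the list altogether. The intended change is two lines, `'ssha'=>'ssha',` followed by `'sha512'=>'sha512'`. Because the array is keyed by the string that is later switched on, consider a comment above it such as `# Keys must match the case labels in password_hash() exactly.`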
+
+@@ -2123,7 +2123,7 @@ function password_types() {
+ *
+ * @param string The password to hash in clear text.
+ * @param string Standard LDAP encryption type which must be one of
+- * crypt, ext_des, md5crypt, blowfish, md5, sha, smd5, ssha, or clear.
++ * crypt, ext_des, md5crypt, blowfish, md5, sha, smd5, ssha, sha512, or clear.
+ * @return string The hashed password.
+ */
+ function password_hash($password_clear,$enc_type) {
+@@ -2216,6 +2216,16 @@ function password_hash($password_clear,$
+
+ break;
+
++ case 'sha512':
++ if (function_exists('openssl_digest') && function_exists('base64_encode')) {
++ $new_value = sprintf('{SHA512}%s', base64_encode(openssl_digest($password_clear, 'sha512', true)));
++
++ } else {
++ error(_('Your PHP install doest not have the openssl_digest() or base64_encode() function. Cannot do SHA512 hashes. '),'error','index.php');
++ }
++
++ break;
++
+ case 'clear':
+ default:
+ $new_value = $password_clear;
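Review bot: The new `sha512` branch pulls in an OpenSSL dependency and a runtime capability check for something PHP's core `hash` extension already provides; `hash('sha512', $password_clear, true)` produces the same raw digest and is always available, which removes the `function_exists()` guard and the second error path. The error string also has a typo, `doest not`, that should read `does not`. Separately, `{SHA512}` is an unsalted scheme, so identical passwords yield identical stored values; if the target OpenLDAP has the pw-sha2 module this commit is targeting, a salted `{SSHA512}` variant (random salt appended before hashing, as the existing `ssha` case does) is the stronger choice and worth a comment here stating why the unsalted form was chosen.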
+@@ -2379,6 +2389,15 @@ function password_check($cryptedpassword
+
+ break;
+
++ # SHA512 crypted passwords
++ case 'sha512':
++ if (strcasecmp(password_hash($plainpassword,'sha512'),'{SHA512}'.$cryptedpassword) == 0)
++ return true;
++ else
++ return false;
++
++ break;
++
+ # No crypt is given assume plaintext passwords are used
+ default:
+ if ($plainpassword == $cryptedpassword)
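Review bot: The `break;` after the `return true`/`return false` pair in the new `sha512` case is unreachable and can be dropped, and the whole case collapses to `return strcasecmp(password_hash($plainpassword,'sha512'),'{SHA512}'.$cryptedpassword) == 0;`. More importantly, `strcasecmp()` is an early-exit comparison, so the verification time depends on how many leading bytes match; on PHP 5.6 and later `hash_equals()` is the appropriate call, and a case-sensitive compare is also correct here since base64 is case-sensitive. How the `'sha512'` scheme label is derived from the stored `{SHA512}` prefix happens before this hunk and is not visible.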
+@@ -2782,7 +2801,7 @@ function draw_formatted_dn($server,$entr
+
+ $formats = $_SESSION[APPCONFIG]->getValue('appearance','tree_display_format');
+
+- foreach ($formats as $format) {
++ foreach ($formats as $format) {
+ $has_none = false;
+ preg_match_all('/%[a-zA-Z_0-9]+/',$format,$tokens);
+ $tokens = $tokens[0];