authortaca <taca@pkgsrc.org>2012-03-28 15:14:24 +0000
committertaca <taca@pkgsrc.org>2012-03-28 15:14:24 +0000
commit3c2639fa72903fe050cc365ba65d4ce4ade9a39e (patch)
tree72920879e2c57a0ca581cbac86f0e1c03f12327e /www/contao211
parentde347a096f953763c7a5caaf4b28831e76c14df2 (diff)
downloadpkgsrc-3c2639fa72903fe050cc365ba65d4ce4ade9a39e.tar.gz
Add an unofficial fix for CVE-2012-1297 by checking the Referer header, as Contao 2.9 did.
Bump PKGREVISION.
Diffstat (limited to 'www/contao211')
-rw-r--r--www/contao211/MESSAGE7
-rw-r--r--www/contao211/Makefile3
-rw-r--r--www/contao211/distinfo3
-rw-r--r--www/contao211/patches/patch-system_initialize.php38
4 files changed, 48 insertions, 3 deletions
diff --git a/www/contao211/MESSAGE b/www/contao211/MESSAGE
index 7a0d8278a3d..ddb34ee1d7e 100644
--- a/www/contao211/MESSAGE
+++ b/www/contao211/MESSAGE
@@ -1,5 +1,5 @@
===========================================================================
-$NetBSD: MESSAGE,v 1.1.1.1 2012/02/19 10:54:07 taca Exp $
+$NetBSD: MESSAGE,v 1.2 2012/03/28 15:14:43 taca Exp $
To complete the setup, please read:
@@ -10,4 +10,9 @@ following package:
www/php-tidy
+This package contains unofficial fix for CVE-2012-1297. If there are any
+problem by this fix, add a below line to system/config/localconfig.php.
+
+$GLOBALS['TL_CONFIG']['disableCompatRefererCheck'] = true;
+
===========================================================================
diff --git a/www/contao211/Makefile b/www/contao211/Makefile
index be4aa087c56..3c429b11208 100644
--- a/www/contao211/Makefile
+++ b/www/contao211/Makefile
@@ -1,8 +1,9 @@
-# $NetBSD: Makefile,v 1.1.1.1 2012/02/19 10:54:07 taca Exp $
+# $NetBSD: Makefile,v 1.2 2012/03/28 15:14:43 taca Exp $
#
DISTNAME= contao-${CT_VERSION}
PKGNAME= contao${CT_VER}-${CT_PKGVER}
+PKGREVISION= 1
CATEGORIES= www
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=contao/}
DIST_SUBDIR= ${CT_DIST_SUBDIR}
diff --git a/www/contao211/distinfo b/www/contao211/distinfo
index e35daac29fa..3c25c3d5188 100644
--- a/www/contao211/distinfo
+++ b/www/contao211/distinfo
@@ -1,5 +1,6 @@
-$NetBSD: distinfo,v 1.5 2012/03/14 16:24:35 taca Exp $
+$NetBSD: distinfo,v 1.6 2012/03/28 15:14:43 taca Exp $
SHA1 (contao-2.11.2.tar.gz) = 0cf939e6a4c8b49a4d21a51bd50ae718dfbe024e
RMD160 (contao-2.11.2.tar.gz) = 580553e29b92ea7bc5b04e38946edb269bc2ac78
Size (contao-2.11.2.tar.gz) = 5319511 bytes
+SHA1 (patch-system_initialize.php) = 109f381bef4bae32617549709601eb2a30bbb01a
diff --git a/www/contao211/patches/patch-system_initialize.php b/www/contao211/patches/patch-system_initialize.php
new file mode 100644
index 00000000000..b0bca37c3a9
--- /dev/null
+++ b/www/contao211/patches/patch-system_initialize.php
@@ -0,0 +1,38 @@
+$NetBSD: patch-system_initialize.php,v 1.1 2012/03/28 15:14:43 taca Exp $
+
+* Unofficial fix for CVE-2012-1297 by checking Referer as days of Contao 2.9.
+
+--- system/initialize.php.orig 2012-03-14 15:13:14.000000000 +0000
++++ system/initialize.php
+@@ -168,10 +168,28 @@ if (file_exists(TL_ROOT . '/system/confi
+ /**
+ * Check the request token upon POST requests
+ */
+-if ($_POST && !$GLOBALS['TL_CONFIG']['disableRefererCheck'] && !defined('BYPASS_TOKEN_CHECK'))
++if (!$GLOBALS['TL_CONFIG']['disableRefererCheck'] &&
++ ($_POST && !defined('BYPASS_TOKEN_CHECK') ||
++ $_SERVER['REQUEST_METHOD'] == 'POST' && !$GLOBALS['TL_CONFIG']['disableCompatRefererCheck']))
+ {
+- // Exit if the token cannot be validated
+- if (!$objToken->validate($objInput->post('REQUEST_TOKEN')))
++ $bad = false;
++
++ // Exit if traditional referer check is enabled.
++ if (!$GLOBALS['TL_CONFIG']['disableCompatRefererCheck'])
++ {
++ $self = parse_url($objEnvironment->url);
++ $referer = parse_url($objEnvironment->httpReferer);
++
++ $bad = (!strlen($referer['host']) || $referer['host'] != $self['host']);
++ }
++
++ if (!$bad)
++ {
++ // Exit if the token cannot be validated
++ $bad = !$objToken->validate($objInput->post('REQUEST_TOKEN'));
++ }
++
++ if ($bad)
+ {
+ // Force JavaScript redirect upon Ajax requests (IE requires absolute link)
+ if ($objEnvironment->isAjaxRequest)
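Review bot: The token validation on the `$bad = !$objToken->validate($objInput->post('REQUEST_TOKEN'));` line now runs even when `BYPASS_TOKEN_CHECK` is defined, because the widened outer condition also admits any request with `REQUEST_METHOD == 'POST'` while the compat referer check is on, whereas before this patch a defined `BYPASS_TOKEN_CHECK` skipped the whole block; callers relying on that bypass will start being redirected. Restoring the original contract is one line: `$bad = !defined('BYPASS_TOKEN_CHECK') && !$objToken->validate($objInput->post('REQUEST_TOKEN'));`. Separately, the referer comparison indexes `$referer['host']` directly, but parse_url() returns false for a malformed Referer and omits the `host` key when none is present (including an absent header), so the check emits a notice before failing closed; `$bad = (empty($referer['host']) || $referer['host'] != $self['host']);` keeps the same fail-closed rejection without the notice. The enclosing if block continues past the end of the hunk.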