Add update patche to fix XSS from Contao's repository.

Bump PKGREVISION.

5 files changed, 160 insertions, 10 deletions

diff --git a/www/contao29/Makefile b/www/contao29/Makefile
index 76fef2b22e3..5c014221479 100644
--- a/www/contao29/Makefile
+++ b/www/contao29/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.17 2011/10/07 12:28:55 taca Exp $
+# $NetBSD: Makefile,v 1.18 2011/10/10 16:35:10 taca Exp $
 #
 
 DISTNAME=	contao-${CT_VERSION}
 PKGNAME=	contao${CT_VER}-${CT_PKGVER}
-PKGREVISION=	4
+PKGREVISION=	5
 CATEGORIES=	www
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE:=typolight/}
 
diff --git a/www/contao29/distinfo b/www/contao29/distinfo
index 0113807f7c0..d1796d729de 100644
--- a/www/contao29/distinfo
+++ b/www/contao29/distinfo
@@ -1,6 +1,8 @@
-$NetBSD: distinfo,v 1.10 2011/10/07 12:28:55 taca Exp $
+$NetBSD: distinfo,v 1.11 2011/10/10 16:35:10 taca Exp $
 
 SHA1 (contao-2.9.5.tar.gz) = 93c1fb67a396f057eb700ec181aaed839c10cb1d
 RMD160 (contao-2.9.5.tar.gz) = 0a7229382d50f1d08dd05c10274d08b0bdb1b12c
 Size (contao-2.9.5.tar.gz) = 4594817 bytes
-SHA1 (patch-system_modules_frontend_Frontend.php) = 01d545003a265620f7749dffcca15e87bd4b8297
+SHA1 (patch-system_libraries_Input.php) = 57668dde6d82d793ec1a08424df3172ce1d8a758
+SHA1 (patch-system_modules_frontend_Frontend.php) = c5a530951f11407a6bd1914a19c3b6f3ad550077
+SHA1 (patch-system_modules_frontend_ModuleArticlenav.php) = a92c2e4acf097aa00336029e68a59f6139531e0e
diff --git a/www/contao29/patches/patch-system_libraries_Input.php b/www/contao29/patches/patch-system_libraries_Input.php
new file mode 100644
index 00000000000..8ea2ce62d64
--- /dev/null
+++ b/www/contao29/patches/patch-system_libraries_Input.php
@@ -0,0 +1,93 @@
+$NetBSD: patch-system_libraries_Input.php,v 1.1 2011/10/10 16:35:11 taca Exp $
+
+* Fix potential XSS vulnerability, r1044.
+
+--- system/libraries/Input.php.orig	2011-03-02 13:03:27.000000000 +0000
++++ system/libraries/Input.php
+@@ -54,9 +54,14 @@ class Input
+ 
+ 
+ 	/**
+-	 * Prevent direct instantiation (Singleton)
++	 * Clean the keys of the request arrays
+ 	 */
+-	protected function __construct() {}
++	protected function __construct()
++	{
++		$_GET    = $this->cleanKey($_GET);
++		$_POST   = $this->cleanKey($_POST);
++		$_COOKIE = $this->cleanKey($_COOKIE);
++	}
+ 
+ 
+ 	/**
+@@ -234,6 +239,8 @@ class Input
+ 	 */
+ 	public function setGet($strKey, $varValue)
+ 	{
++		$strKey = $this->cleanKey($strKey);
++
+ 		unset($this->arrCache['getEncoded'][$strKey]);
+ 		unset($this->arrCache['getDecoded'][$strKey]);
+ 
+@@ -255,6 +262,8 @@ class Input
+ 	 */
+ 	public function setPost($strKey, $varValue)
+ 	{
++		$strKey = $this->cleanKey($strKey);
++
+ 		unset($this->arrCache['postEncoded'][$strKey]);
+ 		unset($this->arrCache['postDecoded'][$strKey]);
+ 		unset($this->arrCache['postRaw'][$strKey]);
+@@ -277,6 +286,8 @@ class Input
+ 	 */
+ 	public function setCookie($strKey, $varValue)
+ 	{
++		$strKey = $this->cleanKey($strKey);
++
+ 		unset($this->arrCache['cookieEncoded'][$strKey]);
+ 		unset($this->arrCache['cookieDecoded'][$strKey]);
+ 
+@@ -301,6 +312,42 @@ class Input
+ 
+ 
+ 	/**
++	 * Sanitize a key name or an array (thanks to Andreas Schempp)
++	 * @param mixed
++	 * @return mixed
++	 */
++	protected function cleanKey($varValue)
++	{
++		// Recursively clean arrays
++		if (is_array($varValue))
++		{
++			$return = array();
++
++			foreach ($varValue as $k=>$v)
++			{
++				$k = $this->cleanKey($k);
++
++				if (is_array($v))
++				{
++					$v = $this->cleanKey($v);
++				}
++
++				$return[$k] = $v;
++			}
++
++			return $return;
++		}
++
++		$varValue = $this->stripSlashes($varValue);
++		$varValue = $this->decodeEntities($varValue);
++		$varValue = $this->xssClean($varValue, true);
++		$varValue = $this->stripTags($varValue);
++
++		return $varValue;
++	}
++
++
++	/**
+ 	 * Strip slashes
+ 	 * @param  mixed
+ 	 * @return mixed
diff --git a/www/contao29/patches/patch-system_modules_frontend_Frontend.php b/www/contao29/patches/patch-system_modules_frontend_Frontend.php
index aacc171583b..87403bc561a 100644
--- a/www/contao29/patches/patch-system_modules_frontend_Frontend.php
+++ b/www/contao29/patches/patch-system_modules_frontend_Frontend.php
@@ -1,10 +1,10 @@
-$NetBSD: patch-system_modules_frontend_Frontend.php,v 1.1 2011/10/07 12:28:55 taca Exp $
+$NetBSD: patch-system_modules_frontend_Frontend.php,v 1.2 2011/10/10 16:35:11 taca Exp $
 
-* Fix potential XSS vulnerability, r1041.
+* Fix potential XSS vulnerability, r1041 and r1044.
 
 --- system/modules/frontend/Frontend.php.orig	2011-03-02 13:03:27.000000000 +0000
 +++ system/modules/frontend/Frontend.php
-@@ -80,7 +80,7 @@ abstract class Frontend extends Controll
+@@ -80,14 +80,13 @@ abstract class Frontend extends Controll
  			return is_numeric($this->Input->get('id')) ? $this->Input->get('id') : null;
  		}
  
@@ -13,18 +13,25 @@ $NetBSD: patch-system_modules_frontend_Frontend.php,v 1.1 2011/10/07 12:28:55 ta
  		{
  			return null;
  		}
-@@ -106,13 +106,15 @@ abstract class Frontend extends Controll
+ 
+ 		$strRequest = preg_replace('/\?.*$/i', '', $this->Environment->request);
+ 		$strRequest = preg_replace('/' . preg_quote($GLOBALS['TL_CONFIG']['urlSuffix'], '/') . '$/i', '', $strRequest);
+-
+ 		$arrFragments = explode('/', $strRequest);
+ 
+ 		// Skip index.php
+@@ -106,13 +105,15 @@ abstract class Frontend extends Controll
  			}
  		}
  
 -		// Add fragments to $_GET array
-+		// DO NOT USE urldecode() HERE (XSS vulnerability)!
++		$arrFragments = array_map('urldecode', $arrFragments);
 +
 +		// Add the fragments to the $_GET array
  		for ($i=1; $i<count($arrFragments); $i+=2)
  		{
 -			$_GET[urldecode($arrFragments[$i])] = urldecode($arrFragments[$i+1]);
-+			$_GET[$arrFragments[$i]] = $arrFragments[$i+1];
++			$this->Input->setGet($arrFragments[$i], $arrFragments[$i+1]);
  		}
  
 -		return strlen($arrFragments[0]) ? urldecode($arrFragments[0]) : null;
@@ -32,3 +39,36 @@ $NetBSD: patch-system_modules_frontend_Frontend.php,v 1.1 2011/10/07 12:28:55 ta
  	}
  
  
+@@ -136,7 +137,7 @@ abstract class Frontend extends Controll
+ 
+ 
+ 	/**
+-	 * Overwrite parent method as front end URLs are handled differently
++	 * Overwrite the parent method as front end URLs are handled differently
+ 	 * @param string
+ 	 * @param boolean
+ 	 * @return string
+@@ -170,9 +171,22 @@ abstract class Frontend extends Controll
+ 
+ 		$strParams = '';
+ 
++		// Determine connector and separator
++		if ($GLOBALS['TL_CONFIG']['disableAlias'])
++		{
++			$strConnector = '&amp;';
++			$strSeparator = '=';
++		}
++		else
++		{
++			$strConnector = '/';
++			$strSeparator = '/';
++		}
++
++		// Compile the parameters string
+ 		foreach ($arrGet as $k=>$v)
+ 		{
+-			$strParams .= $GLOBALS['TL_CONFIG']['disableAlias'] ? '&amp;' . $k . '=' . $v  : '/' . $k . '/' . $v;
++			$strParams .= $strConnector . urlencode($k) . $strSeparator . urlencode($v);
+ 		}
+ 
+ 		// Do not use aliases
diff --git a/www/contao29/patches/patch-system_modules_frontend_ModuleArticlenav.php b/www/contao29/patches/patch-system_modules_frontend_ModuleArticlenav.php
new file mode 100644
index 00000000000..8fe2a67d49a
--- /dev/null
+++ b/www/contao29/patches/patch-system_modules_frontend_ModuleArticlenav.php
@@ -0,0 +1,15 @@
+$NetBSD: patch-system_modules_frontend_ModuleArticlenav.php,v 1.1 2011/10/10 16:35:11 taca Exp $
+
+* Fix potential XSS vulnerability, r1044.
+
+--- system/modules/frontend/ModuleArticlenav.php.orig	2011-03-02 13:03:27.000000000 +0000
++++ system/modules/frontend/ModuleArticlenav.php
+@@ -93,7 +93,7 @@ class ModuleArticlenav extends Module
+ 				return '';
+ 			}
+ 
+-			$strAlias = (strlen($this->objArticles->alias) && !$GLOBALS['TL_CONFIG']['disableAlias']) ? $this->objArticles->alias : $this->objArticles->id;
++			$strAlias = ($this->objArticles->alias != '' && !$GLOBALS['TL_CONFIG']['disableAlias']) ? $this->objArticles->alias : $this->objArticles->id;
+ 			$this->redirect($this->addToUrl('articles=' . $strAlias));
+ 		}
+