author | taca <taca@pkgsrc.org> | 2011-10-07 12:28:11 +0000 |
---|---|---|
committer | taca <taca@pkgsrc.org> | 2011-10-07 12:28:11 +0000 |
commit | 89cb0ad5b55ce6d36f1a39cee98de82fb0463f33 (patch) | |
tree | aac176d12d6bb1246517d3d6e1f71368043be767 /www/typolight28 | |
parent | 38d1968576b9078d79e8e66f915217a76d2c0b92 (diff) | |
download | pkgsrc-89cb0ad5b55ce6d36f1a39cee98de82fb0463f33.tar.gz |
Add a patch based on r1041 from the Contao repository to fix a potential
XSS vulnerability.
Bump PKGREVISION.
Diffstat (limited to 'www/typolight28')
-rw-r--r-- | www/typolight28/DESCR | 3 | ||||
-rw-r--r-- | www/typolight28/Makefile | 4 | ||||
-rw-r--r-- | www/typolight28/distinfo | 4 | ||||
-rw-r--r-- | www/typolight28/patches/patch-ad | 35 |
4 files changed, 36 insertions, 10 deletions
diff --git a/www/typolight28/DESCR b/www/typolight28/DESCR
index ff3a08955c0..3ac4236d5c2 100644
--- a/www/typolight28/DESCR
+++ b/www/typolight28/DESCR
@@ -32,6 +32,3 @@ contemporary websites without being a programmer.
 * Accessible front and back end
 * Easy live update
 * Ajax and PHP 5
-
-Note: Live update feature would work with typolight-liveupdate PKG_OPTION
-enabled, but it might be conflict with regular pkgsrc maintainous.
diff --git a/www/typolight28/Makefile b/www/typolight28/Makefile
index b014d469ed9..04678e5dc6d 100644
--- a/www/typolight28/Makefile
+++ b/www/typolight28/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.14 2011/09/16 05:46:27 obache Exp $
+# $NetBSD: Makefile,v 1.15 2011/10/07 12:29:41 taca Exp $
 #
 
 DISTNAME= typolight-${TL_VERSION}
 PKGNAME= typolight${TL_VER}-${TL_PKGVER}
-PKGREVISION= 4
+PKGREVISION= 5
 
 CATEGORIES= www
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=typolight/}
diff --git a/www/typolight28/distinfo b/www/typolight28/distinfo
index 227f98d2675..8ee5cda3e26 100644
--- a/www/typolight28/distinfo
+++ b/www/typolight28/distinfo
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.10 2011/01/06 14:23:41 taca Exp $
+$NetBSD: distinfo,v 1.11 2011/10/07 12:29:41 taca Exp $
 
 SHA1 (typolight-2.8.4.tar.gz) = d18d684a06f5dd29ffc6a28d08143feb613cd47b
 RMD160 (typolight-2.8.4.tar.gz) = ad82d00e3b7ec4e604640779fec841fcfc65f75c
 Size (typolight-2.8.4.tar.gz) = 4097946 bytes
-SHA1 (patch-ad) = 207ce919bb6fa7148108f8bd075d3a7d7ad1eeb9
+SHA1 (patch-ad) = ee5524db7764c9c5ede3affcb99ed0f8864d522e
 SHA1 (patch-ae) = eed6db905809b3782acb8324799de6bc8d4e855b
 SHA1 (patch-af) = 868309cff4ba1855a96745c578737878f8d118d5
diff --git a/www/typolight28/patches/patch-ad b/www/typolight28/patches/patch-ad
index 8391863b260..37a6044105b 100644
--- a/www/typolight28/patches/patch-ad
+++ b/www/typolight28/patches/patch-ad
@@ -1,10 +1,39 @@
-$NetBSD: patch-ad,v 1.1 2010/07/28 16:24:20 taca Exp $
+$NetBSD: patch-ad,v 1.2 2011/10/07 12:29:42 taca Exp $
 
-Fix for CSS from repository, r507.
+* Fix for CSS from repository, r507.
+* Fix potential XSS vulnerability, r1041.
 
 --- system/modules/frontend/Frontend.php.orig 2010-04-19 10:22:31.000000000 +0000
 +++ system/modules/frontend/Frontend.php
-@@ -166,8 +166,16 @@ abstract class Frontend extends Controll
+@@ -78,7 +78,7 @@ abstract class Frontend extends Controll
+ return is_numeric($this->Input->get('id')) ? $this->Input->get('id') : null;
+ }
+ 
+- if (!strlen($this->Environment->request))
++ if ($this->Environment->request == '')
+ {
+ return null;
+ }
+@@ -104,13 +104,15 @@ abstract class Frontend extends Controll
+ }
+ }
+ 
+- // Add fragments to $_GET array
++ // DO NOT USE urldecode() HERE (XSS vulnerability)!
++
++ // Add the fragments to the $_GET array
+ for ($i=1; $i<count($arrFragments); $i+=2)
+ {
+- $_GET[urldecode($arrFragments[$i])] = urldecode($arrFragments[$i+1]);
++ $_GET[$arrFragments[$i]] = $arrFragments[$i+1];
+ }
+ 
+- return strlen($arrFragments[0]) ? urldecode($arrFragments[0]) : null;
++ return ($arrFragments[0] != '') ? $arrFragments[0] : null;
+ }
+ 
+ 
+@@ -166,8 +168,16 @@ abstract class Frontend extends Controll
  protected function addToUrl($strRequest, $blnIgnoreParams=false)
  {
  $arrGet = $blnIgnoreParams ? array() : $_GET; |
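Review bot: The rewritten assignment `$_GET[$arrFragments[$i]] = $arrFragments[$i+1];` still lets any URL path segment become a `$_GET` key, so dropping `urldecode()` closes the decoded-`<script>` case but not parameter clobbering (an attacker can define or overwrite arbitrary GET parameters from the path); restricting keys to plain identifiers before the write, e.g. `if (!preg_match('/^[A-Za-z0-9_-]+$/', $arrFragments[$i])) { continue; }`, would narrow that. The loop also reads `$arrFragments[$i+1]` without checking it exists: with an even number of fragments the last key is assigned `null` under an undefined-index notice, so `if (!isset($arrFragments[$i+1])) { break; }` at the top of the loop body would be prudent. Because values now stay percent-encoded, any later lookup that compares them against stored aliases or IDs presumably has to decode or match accordingly — worth confirming in the callers. The method these two inner hunks belong to begins outside the hunk, and the `addToUrl` hunk at the end is only a renumbered header whose body lies beyond the patch.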