authortaca <taca@pkgsrc.org>2015-06-06 03:31:01 +0000
committertaca <taca@pkgsrc.org>2015-06-06 03:31:01 +0000
commit5a4021f65fe7c6161d3f61a7beebe91bf6d258d8 (patch)
tree28297daefc195e55dc0e4ce3023adb25bd8341ff /www
parent7b9e5f6a4953b5112e4ebf9078f506cc5e122877 (diff)
downloadpkgsrc-5a4021f65fe7c6161d3f61a7beebe91bf6d258d8.tar.gz
Add several security related fixes from Contao 3.2.21.
Bump PKGREVISION.
Diffstat (limited to 'www')
-rw-r--r--www/contao34/Makefile3
-rw-r--r--www/contao34/distinfo6
-rw-r--r--www/contao34/patches/patch-system_helper_functions.php27
-rw-r--r--www/contao34/patches/patch-system_modules_core_classes_BackendUser.php34
-rw-r--r--www/contao34/patches/patch-system_modules_core_controllers_BackendPopup.php15
-rw-r--r--www/contao34/patches/patch-system_modules_core_dca_tl__files.php65
6 files changed, 148 insertions, 2 deletions
diff --git a/www/contao34/Makefile b/www/contao34/Makefile
index d45720b8c27..be81345f7f8 100644
--- a/www/contao34/Makefile
+++ b/www/contao34/Makefile
@@ -1,8 +1,9 @@
-# $NetBSD: Makefile,v 1.4 2015/02/01 04:51:34 taca Exp $
+# $NetBSD: Makefile,v 1.5 2015/06/06 03:31:01 taca Exp $
#
DISTNAME= contao-${CT_PKGVER}
PKGNAME= contao${CT_VER}-${CT_PKGVER}
+PKGREVISION= 1
CATEGORIES= www
MASTER_SITES= ${CT_MASTER_SITE}
diff --git a/www/contao34/distinfo b/www/contao34/distinfo
index 2b3ad9f2c33..02c9df8b3fd 100644
--- a/www/contao34/distinfo
+++ b/www/contao34/distinfo
@@ -1,5 +1,9 @@
-$NetBSD: distinfo,v 1.5 2015/03/28 04:21:42 taca Exp $
+$NetBSD: distinfo,v 1.6 2015/06/06 03:31:01 taca Exp $
SHA1 (contao-3.4.5.tar.gz) = 0ae1b47a85f33e74550a77fa4fa44fa5c3b6e674
RMD160 (contao-3.4.5.tar.gz) = dcca780d1d67d71e5cbeade268608e296d4d847b
Size (contao-3.4.5.tar.gz) = 11544130 bytes
+SHA1 (patch-system_helper_functions.php) = e5ee8f1e08b2712030f8809f20166bf6550f266b
+SHA1 (patch-system_modules_core_classes_BackendUser.php) = 527074d91cd550be242f6b4dfe005f6351fd1f35
+SHA1 (patch-system_modules_core_controllers_BackendPopup.php) = 29d2abf5bb149297da84ad198365b7656304fcb9
+SHA1 (patch-system_modules_core_dca_tl__files.php) = 8c1d1fb73cfe0e76e30eeb1b4036beb7b56fd71e
diff --git a/www/contao34/patches/patch-system_helper_functions.php b/www/contao34/patches/patch-system_helper_functions.php
new file mode 100644
index 00000000000..ad7c731ac5c
--- /dev/null
+++ b/www/contao34/patches/patch-system_helper_functions.php
@@ -0,0 +1,27 @@
+$NetBSD: patch-system_helper_functions.php,v 1.1 2015/06/06 03:31:01 taca Exp $
+
+Security improvement as Contao 3.2.21.
+
+--- system/helper/functions.php.orig 2015-03-27 08:53:59.000000000 +0000
++++ system/helper/functions.php
+@@ -216,9 +216,10 @@ function scan($strFolder, $blnUncached=f
+ * entities are never double converted.
+ * @param string
+ * @param boolean
++ * @param boolean
+ * @return string
+ */
+-function specialchars($strString, $blnStripInsertTags=false)
++function specialchars($strString, $blnStripInsertTags=false, $blnDoubleEncode=false)
+ {
+ if ($blnStripInsertTags)
+ {
+@@ -226,7 +227,7 @@ function specialchars($strString, $blnSt
+ }
+
+ // Use ENT_COMPAT here (see #4889)
+- return htmlspecialchars($strString, ENT_COMPAT, $GLOBALS['TL_CONFIG']['characterSet'], false);
++ return htmlspecialchars($strString, ENT_COMPAT, $GLOBALS['TL_CONFIG']['characterSet'], $blnDoubleEncode);
+ }
+
+
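Review bot: The added `@param boolean` tag (third one in the docblock) names neither the parameter nor its effect, and the sentence just above it, `entities are never double converted`, stops being true once a caller passes the new third argument as true. Change the tag to `@param boolean $blnDoubleEncode Whether to encode existing HTML entities again (default false)` and qualify the sentence to say entities are not double converted unless the third argument is true. The last changed line passes the flag straight through to htmlspecialchars, so the docblock is the only place a caller learns which default applies. specialchars's docblock begins outside the hunk.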
diff --git a/www/contao34/patches/patch-system_modules_core_classes_BackendUser.php b/www/contao34/patches/patch-system_modules_core_classes_BackendUser.php
new file mode 100644
index 00000000000..97a6d44be98
--- /dev/null
+++ b/www/contao34/patches/patch-system_modules_core_classes_BackendUser.php
@@ -0,0 +1,34 @@
+$NetBSD: patch-system_modules_core_classes_BackendUser.php,v 1.1 2015/06/06 03:31:01 taca Exp $
+
+Security improvement as Contao 3.2.21.
+
+--- system/modules/core/classes/BackendUser.php.orig 2015-03-27 08:53:59.000000000 +0000
++++ system/modules/core/classes/BackendUser.php
+@@ -285,7 +285,7 @@ class BackendUser extends \User
+ ->limit(1)
+ ->execute($pid);
+
+- while (!$row['chmod'] && $pid > 0 && $objParentPage->numRows)
++ while ($row['chmod'] === false && $pid > 0 && $objParentPage->numRows)
+ {
+ $pid = $objParentPage->pid;
+
+@@ -299,15 +299,15 @@ class BackendUser extends \User
+ }
+
+ // Set default values
+- if (!$row['chmod'])
++ if (!$row['chmod'] === false)
+ {
+ $row['chmod'] = \Config::get('defaultChmod');
+ }
+- if (!$row['cuser'])
++ if (!$row['cuser'] === false)
+ {
+ $row['cuser'] = intval(\Config::get('defaultUser'));
+ }
+- if (!$row['cgroup'])
++ if (!$row['cgroup'] === false)
+ {
+ $row['cgroup'] = intval(\Config::get('defaultGroup'));
+ }
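Review bot: `if (!$row['chmod'] === false)` in the second hunk does not test for a missing value: `!` binds tighter than `===`, so the expression is `(!$row['chmod']) === false`, which is true exactly when chmod already holds a truthy value — the default is applied to rows that have a value and skipped for rows that do not, and the `cuser` and `cgroup` lines carry the same inversion. The loop condition in the first hunk already uses the form that is presumably intended, so the three checks should read `if ($row['chmod'] === false)`, `if ($row['cuser'] === false)` and `if ($row['cgroup'] === false)`. Whether a page without explicit permissions yields `false` or an empty string here depends on how `$row` is populated above the hunk; an empty string would also fall through a strict `=== false` check, so confirm against the query. The enclosing method begins and ends outside both hunks.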
diff --git a/www/contao34/patches/patch-system_modules_core_controllers_BackendPopup.php b/www/contao34/patches/patch-system_modules_core_controllers_BackendPopup.php
new file mode 100644
index 00000000000..b4cbef3589c
--- /dev/null
+++ b/www/contao34/patches/patch-system_modules_core_controllers_BackendPopup.php
@@ -0,0 +1,15 @@
+$NetBSD: patch-system_modules_core_controllers_BackendPopup.php,v 1.1 2015/06/06 03:31:01 taca Exp $
+
+Security improvement as Contao 3.2.21.
+
+--- system/modules/core/controllers/BackendPopup.php.orig 2015-03-27 08:53:59.000000000 +0000
++++ system/modules/core/controllers/BackendPopup.php
+@@ -128,7 +128,7 @@ class BackendPopup extends \Backend
+ $this->Template->ctime = \Date::parse(\Config::get('datimFormat'), $objFile->ctime);
+ $this->Template->mtime = \Date::parse(\Config::get('datimFormat'), $objFile->mtime);
+ $this->Template->atime = \Date::parse(\Config::get('datimFormat'), $objFile->atime);
+- $this->Template->path = $this->strFile;
++ $this->Template->path = specialchars($this->strFile);
+
+ $this->output();
+ }
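Review bot: `specialchars($this->strFile)` on the changed line escapes the path with the helper's ENT_COMPAT mode, which converts `<`, `>`, `&` and `"` but leaves single quotes alone, so this is sufficient only if the template emits `path` in element content or a double-quoted attribute; the template is outside the hunk, so confirm the output context. The other files in this commit call `specialchars($x, false, true)` so that entity-like sequences already present in a filename are encoded as well, whereas the default used here leaves a literal `&amp;` in the path untouched — harmless for HTML, but it shows a different string than the name on disk; if the literal name is wanted, use `specialchars($this->strFile, false, true)`. The enclosing method starts outside the hunk.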
diff --git a/www/contao34/patches/patch-system_modules_core_dca_tl__files.php b/www/contao34/patches/patch-system_modules_core_dca_tl__files.php
new file mode 100644
index 00000000000..cce1c2cd876
--- /dev/null
+++ b/www/contao34/patches/patch-system_modules_core_dca_tl__files.php
@@ -0,0 +1,65 @@
+$NetBSD: patch-system_modules_core_dca_tl__files.php,v 1.1 2015/06/06 03:31:01 taca Exp $
+
+Security improvement as Contao 3.2.21.
+
+--- system/modules/core/dca/tl_files.php.orig 2015-03-27 08:53:59.000000000 +0000
++++ system/modules/core/dca/tl_files.php
+@@ -488,7 +488,7 @@ class tl_files extends Backend
+ */
+ public function editFile($row, $href, $label, $title, $icon, $attributes)
+ {
+- return $this->User->hasAccess('f2', 'fop') ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
++ return ($this->User->isAdmin || $this->User->hasAccess('f2', 'fop')) ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title, false, true).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
+ }
+
+
+@@ -504,7 +504,7 @@ class tl_files extends Backend
+ */
+ public function copyFile($row, $href, $label, $title, $icon, $attributes)
+ {
+- return $this->User->hasAccess('f2', 'fop') ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
++ return ($this->User->isAdmin || $this->User->hasAccess('f2', 'fop')) ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title, false, true).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
+ }
+
+
+@@ -520,7 +520,7 @@ class tl_files extends Backend
+ */
+ public function cutFile($row, $href, $label, $title, $icon, $attributes)
+ {
+- return $this->User->hasAccess('f2', 'fop') ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
++ return ($this->User->isAdmin || $this->User->hasAccess('f2', 'fop')) ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title, false, true).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
+ }
+
+
+@@ -538,11 +538,11 @@ class tl_files extends Backend
+ {
+ if (is_dir(TL_ROOT . '/' . $row['id']) && count(scan(TL_ROOT . '/' . $row['id'])) > 0)
+ {
+- return $this->User->hasAccess('f4', 'fop') ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
++ return ($this->User->isAdmin || $this->User->hasAccess('f4', 'fop')) ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title, false, true).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
+ }
+ else
+ {
+- return ($this->User->hasAccess('f3', 'fop') || $this->User->hasAccess('f4', 'fop')) ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
++ return ($this->User->isAdmin || $this->User->hasAccess('f3', 'fop') || $this->User->hasAccess('f4', 'fop')) ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title, false, true).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
+ }
+ }
+
+@@ -578,7 +578,7 @@ class tl_files extends Backend
+ return Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
+ }
+
+- return '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ';
++ return '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title, false, true).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ';
+ }
+
+
+@@ -600,7 +600,7 @@ class tl_files extends Backend
+ }
+ else
+ {
+- return '<a href="contao/popup.php?src=' . base64_encode($row['id']) . '" title="'.specialchars($title).'"'.$attributes.' onclick="Backend.openModalIframe({\'width\':'.$row['popupWidth'].',\'title\':\''.str_replace("'", "\\'", $row['fileNameEncoded']).'\',\'url\':this.href,\'height\':'.$row['popupHeight'].'});return false">'.Image::getHtml($icon, $label).'</a> ';
++ return '<a href="contao/popup.php?src=' . base64_encode($row['id']) . '" title="'.specialchars($title, false, true).'"'.$attributes.' onclick="Backend.openModalIframe({\'width\':'.$row['popupWidth'].',\'title\':\''.str_replace("'", "\\'", $row['fileNameEncoded']).'\',\'url\':this.href,\'height\':'.$row['popupHeight'].'});return false">'.Image::getHtml($icon, $label).'</a> ';
+ }
+ }
+
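Review bot: The eight changed return lines repeat the same anchor-building expression, differing only in the permission test, and this commit had to touch every copy to turn `specialchars($title)` into `specialchars($title, false, true)`; the next escaping change has the same blast radius and can silently miss one. A helper that takes the access decision as a boolean and owns the single specialchars call keeps the escaping in one place and keeps the `isAdmin ||` short-circuit readable, as sketched below for editFile (copyFile, cutFile and deleteFile follow the same shape). Because this is a pkgsrc patch tracking Contao 3.2.21, the refactor belongs upstream rather than in the patch file. The methods in the last three hunks begin outside their hunks.
```php
    /**
     * Render a file-operation button, or the greyed-out icon when $blnAllowed is false
     */
    protected function renderFileOperation($row, $href, $label, $title, $icon, $attributes, $blnAllowed)
    {
        if (!$blnAllowed)
        {
            return Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
        }

        return '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title, false, true).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ';
    }

    // … unchanged: editFile docblock …
    public function editFile($row, $href, $label, $title, $icon, $attributes)
    {
        return $this->renderFileOperation($row, $href, $label, $title, $icon, $attributes, $this->User->isAdmin || $this->User->hasAccess('f2', 'fop'));
    }
```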