Add update patche to fix XSS from Contao's repository.

Bump PKGREVISION.

10 files changed, 321 insertions, 21 deletions

diff --git a/www/contao29/Makefile b/www/contao29/Makefile
index 76fef2b22e3..5c014221479 100644
--- a/www/contao29/Makefile
+++ b/www/contao29/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.17 2011/10/07 12:28:55 taca Exp $
+# $NetBSD: Makefile,v 1.18 2011/10/10 16:35:10 taca Exp $
 #
 
 DISTNAME=	contao-${CT_VERSION}
 PKGNAME=	contao${CT_VER}-${CT_PKGVER}
-PKGREVISION=	4
+PKGREVISION=	5
 CATEGORIES=	www
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE:=typolight/}
 
diff --git a/www/contao29/distinfo b/www/contao29/distinfo
index 0113807f7c0..d1796d729de 100644
--- a/www/contao29/distinfo
+++ b/www/contao29/distinfo
@@ -1,6 +1,8 @@
-$NetBSD: distinfo,v 1.10 2011/10/07 12:28:55 taca Exp $
+$NetBSD: distinfo,v 1.11 2011/10/10 16:35:10 taca Exp $
 
 SHA1 (contao-2.9.5.tar.gz) = 93c1fb67a396f057eb700ec181aaed839c10cb1d
 RMD160 (contao-2.9.5.tar.gz) = 0a7229382d50f1d08dd05c10274d08b0bdb1b12c
 Size (contao-2.9.5.tar.gz) = 4594817 bytes
-SHA1 (patch-system_modules_frontend_Frontend.php) = 01d545003a265620f7749dffcca15e87bd4b8297
+SHA1 (patch-system_libraries_Input.php) = 57668dde6d82d793ec1a08424df3172ce1d8a758
+SHA1 (patch-system_modules_frontend_Frontend.php) = c5a530951f11407a6bd1914a19c3b6f3ad550077
+SHA1 (patch-system_modules_frontend_ModuleArticlenav.php) = a92c2e4acf097aa00336029e68a59f6139531e0e
diff --git a/www/contao29/patches/patch-system_libraries_Input.php b/www/contao29/patches/patch-system_libraries_Input.php
new file mode 100644
index 00000000000..8ea2ce62d64
--- /dev/null
+++ b/www/contao29/patches/patch-system_libraries_Input.php
@@ -0,0 +1,93 @@
+$NetBSD: patch-system_libraries_Input.php,v 1.1 2011/10/10 16:35:11 taca Exp $
+
+* Fix potential XSS vulnerability, r1044.
+
+--- system/libraries/Input.php.orig	2011-03-02 13:03:27.000000000 +0000
++++ system/libraries/Input.php
+@@ -54,9 +54,14 @@ class Input
+ 
+ 
+ 	/**
+-	 * Prevent direct instantiation (Singleton)
++	 * Clean the keys of the request arrays
+ 	 */
+-	protected function __construct() {}
++	protected function __construct()
++	{
++		$_GET    = $this->cleanKey($_GET);
++		$_POST   = $this->cleanKey($_POST);
++		$_COOKIE = $this->cleanKey($_COOKIE);
++	}
+ 
+ 
+ 	/**
+@@ -234,6 +239,8 @@ class Input
+ 	 */
+ 	public function setGet($strKey, $varValue)
+ 	{
++		$strKey = $this->cleanKey($strKey);
++
+ 		unset($this->arrCache['getEncoded'][$strKey]);
+ 		unset($this->arrCache['getDecoded'][$strKey]);
+ 
+@@ -255,6 +262,8 @@ class Input
+ 	 */
+ 	public function setPost($strKey, $varValue)
+ 	{
++		$strKey = $this->cleanKey($strKey);
++
+ 		unset($this->arrCache['postEncoded'][$strKey]);
+ 		unset($this->arrCache['postDecoded'][$strKey]);
+ 		unset($this->arrCache['postRaw'][$strKey]);
+@@ -277,6 +286,8 @@ class Input
+ 	 */
+ 	public function setCookie($strKey, $varValue)
+ 	{
++		$strKey = $this->cleanKey($strKey);
++
+ 		unset($this->arrCache['cookieEncoded'][$strKey]);
+ 		unset($this->arrCache['cookieDecoded'][$strKey]);
+ 
+@@ -301,6 +312,42 @@ class Input
+ 
+ 
+ 	/**
++	 * Sanitize a key name or an array (thanks to Andreas Schempp)
++	 * @param mixed
++	 * @return mixed
++	 */
++	protected function cleanKey($varValue)
++	{
++		// Recursively clean arrays
++		if (is_array($varValue))
++		{
++			$return = array();
++
++			foreach ($varValue as $k=>$v)
++			{
++				$k = $this->cleanKey($k);
++
++				if (is_array($v))
++				{
++					$v = $this->cleanKey($v);
++				}
++
++				$return[$k] = $v;
++			}
++
++			return $return;
++		}
++
++		$varValue = $this->stripSlashes($varValue);
++		$varValue = $this->decodeEntities($varValue);
++		$varValue = $this->xssClean($varValue, true);
++		$varValue = $this->stripTags($varValue);
++
++		return $varValue;
++	}
++
++
++	/**
+ 	 * Strip slashes
+ 	 * @param  mixed
+ 	 * @return mixed
diff --git a/www/contao29/patches/patch-system_modules_frontend_Frontend.php b/www/contao29/patches/patch-system_modules_frontend_Frontend.php
index aacc171583b..87403bc561a 100644
--- a/www/contao29/patches/patch-system_modules_frontend_Frontend.php
+++ b/www/contao29/patches/patch-system_modules_frontend_Frontend.php
@@ -1,10 +1,10 @@
-$NetBSD: patch-system_modules_frontend_Frontend.php,v 1.1 2011/10/07 12:28:55 taca Exp $
+$NetBSD: patch-system_modules_frontend_Frontend.php,v 1.2 2011/10/10 16:35:11 taca Exp $
 
-* Fix potential XSS vulnerability, r1041.
+* Fix potential XSS vulnerability, r1041 and r1044.
 
 --- system/modules/frontend/Frontend.php.orig	2011-03-02 13:03:27.000000000 +0000
 +++ system/modules/frontend/Frontend.php
-@@ -80,7 +80,7 @@ abstract class Frontend extends Controll
+@@ -80,14 +80,13 @@ abstract class Frontend extends Controll
  			return is_numeric($this->Input->get('id')) ? $this->Input->get('id') : null;
  		}
  
@@ -13,18 +13,25 @@ $NetBSD: patch-system_modules_frontend_Frontend.php,v 1.1 2011/10/07 12:28:55 ta
  		{
  			return null;
  		}
-@@ -106,13 +106,15 @@ abstract class Frontend extends Controll
+ 
+ 		$strRequest = preg_replace('/\?.*$/i', '', $this->Environment->request);
+ 		$strRequest = preg_replace('/' . preg_quote($GLOBALS['TL_CONFIG']['urlSuffix'], '/') . '$/i', '', $strRequest);
+-
+ 		$arrFragments = explode('/', $strRequest);
+ 
+ 		// Skip index.php
+@@ -106,13 +105,15 @@ abstract class Frontend extends Controll
  			}
  		}
  
 -		// Add fragments to $_GET array
-+		// DO NOT USE urldecode() HERE (XSS vulnerability)!
++		$arrFragments = array_map('urldecode', $arrFragments);
 +
 +		// Add the fragments to the $_GET array
  		for ($i=1; $i<count($arrFragments); $i+=2)
  		{
 -			$_GET[urldecode($arrFragments[$i])] = urldecode($arrFragments[$i+1]);
-+			$_GET[$arrFragments[$i]] = $arrFragments[$i+1];
++			$this->Input->setGet($arrFragments[$i], $arrFragments[$i+1]);
  		}
  
 -		return strlen($arrFragments[0]) ? urldecode($arrFragments[0]) : null;
@@ -32,3 +39,36 @@ $NetBSD: patch-system_modules_frontend_Frontend.php,v 1.1 2011/10/07 12:28:55 ta
  	}
  
  
+@@ -136,7 +137,7 @@ abstract class Frontend extends Controll
+ 
+ 
+ 	/**
+-	 * Overwrite parent method as front end URLs are handled differently
++	 * Overwrite the parent method as front end URLs are handled differently
+ 	 * @param string
+ 	 * @param boolean
+ 	 * @return string
+@@ -170,9 +171,22 @@ abstract class Frontend extends Controll
+ 
+ 		$strParams = '';
+ 
++		// Determine connector and separator
++		if ($GLOBALS['TL_CONFIG']['disableAlias'])
++		{
++			$strConnector = '&amp;';
++			$strSeparator = '=';
++		}
++		else
++		{
++			$strConnector = '/';
++			$strSeparator = '/';
++		}
++
++		// Compile the parameters string
+ 		foreach ($arrGet as $k=>$v)
+ 		{
+-			$strParams .= $GLOBALS['TL_CONFIG']['disableAlias'] ? '&amp;' . $k . '=' . $v  : '/' . $k . '/' . $v;
++			$strParams .= $strConnector . urlencode($k) . $strSeparator . urlencode($v);
+ 		}
+ 
+ 		// Do not use aliases
diff --git a/www/contao29/patches/patch-system_modules_frontend_ModuleArticlenav.php b/www/contao29/patches/patch-system_modules_frontend_ModuleArticlenav.php
new file mode 100644
index 00000000000..8fe2a67d49a
--- /dev/null
+++ b/www/contao29/patches/patch-system_modules_frontend_ModuleArticlenav.php
@@ -0,0 +1,15 @@
+$NetBSD: patch-system_modules_frontend_ModuleArticlenav.php,v 1.1 2011/10/10 16:35:11 taca Exp $
+
+* Fix potential XSS vulnerability, r1044.
+
+--- system/modules/frontend/ModuleArticlenav.php.orig	2011-03-02 13:03:27.000000000 +0000
++++ system/modules/frontend/ModuleArticlenav.php
+@@ -93,7 +93,7 @@ class ModuleArticlenav extends Module
+ 				return '';
+ 			}
+ 
+-			$strAlias = (strlen($this->objArticles->alias) && !$GLOBALS['TL_CONFIG']['disableAlias']) ? $this->objArticles->alias : $this->objArticles->id;
++			$strAlias = ($this->objArticles->alias != '' && !$GLOBALS['TL_CONFIG']['disableAlias']) ? $this->objArticles->alias : $this->objArticles->id;
+ 			$this->redirect($this->addToUrl('articles=' . $strAlias));
+ 		}
+ 
diff --git a/www/typolight28/Makefile b/www/typolight28/Makefile
index 04678e5dc6d..56f54558ed9 100644
--- a/www/typolight28/Makefile
+++ b/www/typolight28/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.15 2011/10/07 12:29:41 taca Exp $
+# $NetBSD: Makefile,v 1.16 2011/10/10 16:35:36 taca Exp $
 #
 
 DISTNAME=	typolight-${TL_VERSION}
 PKGNAME=	typolight${TL_VER}-${TL_PKGVER}
-PKGREVISION=	5
+PKGREVISION=	6
 CATEGORIES=	www
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE:=typolight/}
 
diff --git a/www/typolight28/distinfo b/www/typolight28/distinfo
index 8ee5cda3e26..0c64c3f25f7 100644
--- a/www/typolight28/distinfo
+++ b/www/typolight28/distinfo
@@ -1,8 +1,10 @@
-$NetBSD: distinfo,v 1.11 2011/10/07 12:29:41 taca Exp $
+$NetBSD: distinfo,v 1.12 2011/10/10 16:35:36 taca Exp $
 
 SHA1 (typolight-2.8.4.tar.gz) = d18d684a06f5dd29ffc6a28d08143feb613cd47b
 RMD160 (typolight-2.8.4.tar.gz) = ad82d00e3b7ec4e604640779fec841fcfc65f75c
 Size (typolight-2.8.4.tar.gz) = 4097946 bytes
-SHA1 (patch-ad) = ee5524db7764c9c5ede3affcb99ed0f8864d522e
+SHA1 (patch-ad) = 0654ac44d13f69ca4823a8aec27752244de6181f
 SHA1 (patch-ae) = eed6db905809b3782acb8324799de6bc8d4e855b
 SHA1 (patch-af) = 868309cff4ba1855a96745c578737878f8d118d5
+SHA1 (patch-system_libraries_Input.php) = 4a3e9409d6916a6637e12f646e33268f3067ec99
+SHA1 (patch-system_modules_frontend_ModuleArticlenav.php) = df4d8a8579e010794c3a62c5f458037ea53cc397
diff --git a/www/typolight28/patches/patch-ad b/www/typolight28/patches/patch-ad
index 37a6044105b..6238f08659e 100644
--- a/www/typolight28/patches/patch-ad
+++ b/www/typolight28/patches/patch-ad
@@ -1,11 +1,11 @@
-$NetBSD: patch-ad,v 1.2 2011/10/07 12:29:42 taca Exp $
+$NetBSD: patch-ad,v 1.3 2011/10/10 16:35:36 taca Exp $
 
 * Fix for CSS from repository, r507.
-* Fix potential XSS vulnerability, r1041.
+* Fix potential XSS vulnerability, r1041 and r1044.
 
 --- system/modules/frontend/Frontend.php.orig	2010-04-19 10:22:31.000000000 +0000
 +++ system/modules/frontend/Frontend.php
-@@ -78,7 +78,7 @@ abstract class Frontend extends Controll
+@@ -78,14 +78,13 @@ abstract class Frontend extends Controll
  			return is_numeric($this->Input->get('id')) ? $this->Input->get('id') : null;
  		}
  
@@ -14,18 +14,25 @@ $NetBSD: patch-ad,v 1.2 2011/10/07 12:29:42 taca Exp $
  		{
  			return null;
  		}
-@@ -104,13 +104,15 @@ abstract class Frontend extends Controll
+ 
+ 		$strRequest = preg_replace('/\?.*$/i', '', $this->Environment->request);
+ 		$strRequest = preg_replace('/' . preg_quote($GLOBALS['TL_CONFIG']['urlSuffix'], '/') . '$/i', '', $strRequest);
+-
+ 		$arrFragments = explode('/', $strRequest);
+ 
+ 		// Skip index.php
+@@ -104,13 +103,15 @@ abstract class Frontend extends Controll
  			}
  		}
  
 -		// Add fragments to $_GET array
-+		// DO NOT USE urldecode() HERE (XSS vulnerability)!
++		$arrFragments = array_map('urldecode', $arrFragments);
 +
 +		// Add the fragments to the $_GET array
  		for ($i=1; $i<count($arrFragments); $i+=2)
  		{
 -			$_GET[urldecode($arrFragments[$i])] = urldecode($arrFragments[$i+1]);
-+			$_GET[$arrFragments[$i]] = $arrFragments[$i+1];
++			$this->Input->setGet($arrFragments[$i], $arrFragments[$i+1]);
  		}
  
 -		return strlen($arrFragments[0]) ? urldecode($arrFragments[0]) : null;
@@ -33,7 +40,16 @@ $NetBSD: patch-ad,v 1.2 2011/10/07 12:29:42 taca Exp $
  	}
  
  
-@@ -166,8 +168,16 @@ abstract class Frontend extends Controll
+@@ -158,7 +159,7 @@ abstract class Frontend extends Controll
+ 
+ 
+ 	/**
+-	 * Overwrite parent method as front end URLs are handled differently
++	 * Overwrite the parent method as front end URLs are handled differently
+ 	 * @param string
+ 	 * @param boolean
+ 	 * @return string
+@@ -166,8 +167,16 @@ abstract class Frontend extends Controll
  	protected function addToUrl($strRequest, $blnIgnoreParams=false)
  	{
  		$arrGet = $blnIgnoreParams ? array() : $_GET;
@@ -50,3 +66,27 @@ $NetBSD: patch-ad,v 1.2 2011/10/07 12:29:42 taca Exp $
  		foreach ($arrFragments as $strFragment)
  		{
  			list($key, $value) = explode('=', $strFragment);
+@@ -184,9 +193,22 @@ abstract class Frontend extends Controll
+ 
+ 		$strParams = '';
+ 
++		// Determine connector and separator
++		if ($GLOBALS['TL_CONFIG']['disableAlias'])
++		{
++			$strConnector = '&amp;';
++			$strSeparator = '=';
++		}
++		else
++		{
++			$strConnector = '/';
++			$strSeparator = '/';
++		}
++
++		// Compile the parameters string
+ 		foreach ($arrGet as $k=>$v)
+ 		{
+-			$strParams .= $GLOBALS['TL_CONFIG']['disableAlias'] ? '&amp;' . $k . '=' . $v  : '/' . $k . '/' . $v;
++			$strParams .= $strConnector . urlencode($k) . $strSeparator . urlencode($v);
+ 		}
+ 
+ 		// Do not use aliases
diff --git a/www/typolight28/patches/patch-system_libraries_Input.php b/www/typolight28/patches/patch-system_libraries_Input.php
new file mode 100644
index 00000000000..4a192423be2
--- /dev/null
+++ b/www/typolight28/patches/patch-system_libraries_Input.php
@@ -0,0 +1,93 @@
+$NetBSD: patch-system_libraries_Input.php,v 1.1 2011/10/10 16:35:36 taca Exp $
+
+* Fix potential XSS vulnerability, r1044.
+
+--- system/libraries/Input.php.orig	2010-04-12 13:08:16.000000000 +0000
++++ system/libraries/Input.php
+@@ -52,9 +52,14 @@ class Input
+ 
+ 
+ 	/**
+-	 * Prevent direct instantiation (Singleton)
++	 * Clean the keys of the request arrays
+ 	 */
+-	protected function __construct() {}
++	protected function __construct()
++	{
++		$_GET    = $this->cleanKey($_GET);
++		$_POST   = $this->cleanKey($_POST);
++		$_COOKIE = $this->cleanKey($_COOKIE);
++	}
+ 
+ 
+ 	/**
+@@ -232,6 +237,8 @@ class Input
+ 	 */
+ 	public function setGet($strKey, $varValue)
+ 	{
++		$strKey = $this->cleanKey($strKey);
++
+ 		unset($this->arrCache['getEncoded'][$strKey]);
+ 		unset($this->arrCache['getDecoded'][$strKey]);
+ 
+@@ -246,6 +253,8 @@ class Input
+ 	 */
+ 	public function setPost($strKey, $varValue)
+ 	{
++		$strKey = $this->cleanKey($strKey);
++
+ 		unset($this->arrCache['postEncoded'][$strKey]);
+ 		unset($this->arrCache['postDecoded'][$strKey]);
+ 		unset($this->arrCache['postRaw'][$strKey]);
+@@ -261,6 +270,8 @@ class Input
+ 	 */
+ 	public function setCookie($strKey, $varValue)
+ 	{
++		$strKey = $this->cleanKey($strKey);
++
+ 		unset($this->arrCache['cookieEncoded'][$strKey]);
+ 		unset($this->arrCache['cookieDecoded'][$strKey]);
+ 
+@@ -278,6 +289,42 @@ class Input
+ 
+ 
+ 	/**
++	 * Sanitize a key name or an array (thanks to Andreas Schempp)
++	 * @param mixed
++	 * @return mixed
++	 */
++	protected function cleanKey($varValue)
++	{
++		// Recursively clean arrays
++		if (is_array($varValue))
++		{
++			$return = array();
++
++			foreach ($varValue as $k=>$v)
++			{
++				$k = $this->cleanKey($k);
++
++				if (is_array($v))
++				{
++					$v = $this->cleanKey($v);
++				}
++
++				$return[$k] = $v;
++			}
++
++			return $return;
++		}
++
++		$varValue = $this->stripSlashes($varValue);
++		$varValue = $this->decodeEntities($varValue);
++		$varValue = $this->xssClean($varValue, true);
++		$varValue = $this->stripTags($varValue);
++
++		return $varValue;
++	}
++
++
++	/**
+ 	 * Strip slashes
+ 	 * @param  mixed
+ 	 * @return mixed
diff --git a/www/typolight28/patches/patch-system_modules_frontend_ModuleArticlenav.php b/www/typolight28/patches/patch-system_modules_frontend_ModuleArticlenav.php
new file mode 100644
index 00000000000..128fcb1c6d2
--- /dev/null
+++ b/www/typolight28/patches/patch-system_modules_frontend_ModuleArticlenav.php
@@ -0,0 +1,15 @@
+$NetBSD: patch-system_modules_frontend_ModuleArticlenav.php,v 1.1 2011/10/10 16:35:36 taca Exp $
+
+* Fix potential XSS vulnerability, r1044.
+
+--- system/modules/frontend/ModuleArticlenav.php.orig	2009-11-21 12:49:18.000000000 +0000
++++ system/modules/frontend/ModuleArticlenav.php
+@@ -91,7 +91,7 @@ class ModuleArticlenav extends Module
+ 				return '';
+ 			}
+ 
+-			$strAlias = (strlen($this->objArticles->alias) && !$GLOBALS['TL_CONFIG']['disableAlias']) ? $this->objArticles->alias : $this->objArticles->id;
++			$strAlias = ($this->objArticles->alias != '' && !$GLOBALS['TL_CONFIG']['disableAlias']) ? $this->objArticles->alias : $this->objArticles->id;
+ 			$this->redirect($this->addToUrl('articles=' . $strAlias));
+ 		}
+