author | taca <taca@pkgsrc.org> | 2012-03-28 15:14:24 +0000 |
---|---|---|
committer | taca <taca@pkgsrc.org> | 2012-03-28 15:14:24 +0000 |
commit | 6dd5334ca386bce005d8111a3cd2708aa43ab083 (patch) | |
tree | 72920879e2c57a0ca581cbac86f0e1c03f12327e /www | |
parent | f8a6dad9a7182fa5a58139fcca6ba512a2edad4a (diff) | |
download | pkgsrc-6dd5334ca386bce005d8111a3cd2708aa43ab083.tar.gz |
Add an unofficial fix for CVE-2012-1297 by checking the Referer, as in the days of Contao 2.9.
Bump PKGREVISION.
Diffstat (limited to 'www')
-rw-r--r-- | www/contao210/MESSAGE | 7 | ||||
-rw-r--r-- | www/contao210/Makefile | 4 | ||||
-rw-r--r-- | www/contao210/distinfo | 3 | ||||
-rw-r--r-- | www/contao210/patches/patch-system_initialize.php | 33 | ||||
-rw-r--r-- | www/contao211/MESSAGE | 7 | ||||
-rw-r--r-- | www/contao211/Makefile | 3 | ||||
-rw-r--r-- | www/contao211/distinfo | 3 | ||||
-rw-r--r-- | www/contao211/patches/patch-system_initialize.php | 38 |
8 files changed, 91 insertions, 7 deletions
diff --git a/www/contao210/MESSAGE b/www/contao210/MESSAGE
index 9fe53a7717a..0b6bf9cdfd6 100644
--- a/www/contao210/MESSAGE
+++ b/www/contao210/MESSAGE
@@ -1,5 +1,5 @@
 ===========================================================================
-$NetBSD: MESSAGE,v 1.2 2011/08/31 14:33:22 taca Exp $
+$NetBSD: MESSAGE,v 1.3 2012/03/28 15:14:24 taca Exp $
 To complete the setup, please read:
@@ -10,4 +10,9 @@ following package:
 www/php-tidy
+This package contains unofficial fix for CVE-2012-1297. If there are any
+problem by this fix, add a below line to system/config/localconfig.php.
+
+$GLOBALS['TL_CONFIG']['disableCompatRefererCheck'] = true;
+
 ===========================================================================
diff --git a/www/contao210/Makefile b/www/contao210/Makefile
index ca2e57dc7ee..c3a6a965411 100644
--- a/www/contao210/Makefile
+++ b/www/contao210/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.10 2012/03/14 16:35:29 taca Exp $
+# $NetBSD: Makefile,v 1.11 2012/03/28 15:14:24 taca Exp $
 #
 DISTNAME= contao-${CT_VERSION}
 PKGNAME= contao${CT_VER}-${CT_PKGVER}
-PKGREVISION= 1
+PKGREVISION= 2
 CATEGORIES= www
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=contao/}
 DIST_SUBDIR= ${CT_DIST_SUBDIR}
diff --git a/www/contao210/distinfo b/www/contao210/distinfo
index 3bf87a2d817..abb97b76b6c 100644
--- a/www/contao210/distinfo
+++ b/www/contao210/distinfo
@@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.9 2012/03/14 16:35:29 taca Exp $
+$NetBSD: distinfo,v 1.10 2012/03/28 15:14:24 taca Exp $
 SHA1 (contao210-201201020/contao-2.10.4.tar.gz) = 1a27453f9ecac540a509f299efd5caa495fa6964
 RMD160 (contao210-201201020/contao-2.10.4.tar.gz) = 89f5a3435d67f82c36884f080f630403a8495c22
 Size (contao210-201201020/contao-2.10.4.tar.gz) = 4880113 bytes
 SHA1 (patch-contao_popup.php) = 61747c25cc8d2e74aecba107f694be462371d898
 SHA1 (patch-system_drivers_DC__Table.php) = 3c927c6093df90b8fc54a993f28844d369b1a43d
+SHA1 (patch-system_initialize.php) = a1c79e9930ef71f1a0efacbcb239daf8690fe62b
 SHA1 (patch-system_modules_backend_StyleSheets.php) = e510727d99a505d1309bd0bbbaaa21fd21e95ea3
diff --git a/www/contao210/patches/patch-system_initialize.php b/www/contao210/patches/patch-system_initialize.php
new file mode 100644
index 00000000000..ccdb5625ccc
--- /dev/null
+++ b/www/contao210/patches/patch-system_initialize.php
@@ -0,0 +1,33 @@
+$NetBSD: patch-system_initialize.php,v 1.1 2012/03/28 15:14:24 taca Exp $
+
+* Unofficial fix for CVE-2012-1297 by checking Referer as days of Contao 2.9.
+
+--- system/initialize.php.orig 2011-12-30 09:00:10.000000000 +0000
++++ system/initialize.php
+@@ -166,8 +166,24 @@ include(TL_ROOT . '/system/config/initco
+ */
+ if ($_POST && !$GLOBALS['TL_CONFIG']['disableRefererCheck'] && !defined('BYPASS_TOKEN_CHECK'))
+ {
+- // Exit if the token cannot be validated
+- if (!$objInput->post('REQUEST_TOKEN') || !is_array($_SESSION['REQUEST_TOKEN'][TL_MODE]) || !in_array($objInput->post('REQUEST_TOKEN'), $_SESSION['REQUEST_TOKEN'][TL_MODE]))
++ $bad = false;
++
++ // Exit if traditional referer check is enabled.
++ if (!$GLOBALS['TL_CONFIG']['disableCompatRefererCheck'])
++ {
++ $self = parse_url($objEnvironment->url);
++ $referer = parse_url($objEnvironment->httpReferer);
++
++ $bad = (!strlen($referer['host']) || $referer['host'] != $self['host']);
++ }
++
++ if (!$bad)
++ {
++ // Exit if the token cannot be validated
++ $bad = (!$objInput->post('REQUEST_TOKEN') || !is_array($_SESSION['REQUEST_TOKEN'][TL_MODE]) || !in_array($objInput->post('REQUEST_TOKEN'), $_SESSION['REQUEST_TOKEN'][TL_MODE]));
++ }
++
++ if ($bad)
+ {
+ header('HTTP/1.1 400 Bad Request');
+
diff --git a/www/contao211/MESSAGE b/www/contao211/MESSAGE
index 7a0d8278a3d..ddb34ee1d7e 100644
--- a/www/contao211/MESSAGE
+++ b/www/contao211/MESSAGE
@@ -1,5 +1,5 @@
 ===========================================================================
-$NetBSD: MESSAGE,v 1.1.1.1 2012/02/19 10:54:07 taca Exp $
+$NetBSD: MESSAGE,v 1.2 2012/03/28 15:14:43 taca Exp $
 To complete the setup, please read:
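Review bot: The referer line `$bad = (!strlen($referer['host']) || $referer['host'] != $self['host']);` reads `host` without checking what `parse_url()` returned: it yields `false` for a malformed Referer and has no `host` key for an empty or relative one, so the expression only fails closed by accident (a missing index becomes null, `strlen(null)` is 0) while emitting notices on every such request, and `!=` is a case-sensitive compare of a case-insensitive hostname, so a legitimate POST whose Referer spells the host in different case gets a 400. A form that handles both explicitly is `$bad = (!is_array($self) || !is_array($referer) || empty($referer['host']) || empty($self['host']) || strcasecmp($referer['host'], $self['host']) != 0);`. The same line is repeated verbatim in the contao211 patch further down, which needs the same change. Where `$objEnvironment->url` comes from is not visible here; if it is built from the request's Host header, the comparison is only as trustworthy as the server's virtual-host configuration, which is worth confirming. The `if ($bad)` body continues past the end of the hunk.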
@@ -10,4 +10,9 @@ following package:
 www/php-tidy
+This package contains unofficial fix for CVE-2012-1297. If there are any
+problem by this fix, add a below line to system/config/localconfig.php.
+
+$GLOBALS['TL_CONFIG']['disableCompatRefererCheck'] = true;
+
 ===========================================================================
diff --git a/www/contao211/Makefile b/www/contao211/Makefile
index be4aa087c56..3c429b11208 100644
--- a/www/contao211/Makefile
+++ b/www/contao211/Makefile
@@ -1,8 +1,9 @@
-# $NetBSD: Makefile,v 1.1.1.1 2012/02/19 10:54:07 taca Exp $
+# $NetBSD: Makefile,v 1.2 2012/03/28 15:14:43 taca Exp $
 #
 DISTNAME= contao-${CT_VERSION}
 PKGNAME= contao${CT_VER}-${CT_PKGVER}
+PKGREVISION= 1
 CATEGORIES= www
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=contao/}
 DIST_SUBDIR= ${CT_DIST_SUBDIR}
diff --git a/www/contao211/distinfo b/www/contao211/distinfo
index e35daac29fa..3c25c3d5188 100644
--- a/www/contao211/distinfo
+++ b/www/contao211/distinfo
@@ -1,5 +1,6 @@
-$NetBSD: distinfo,v 1.5 2012/03/14 16:24:35 taca Exp $
+$NetBSD: distinfo,v 1.6 2012/03/28 15:14:43 taca Exp $
 SHA1 (contao-2.11.2.tar.gz) = 0cf939e6a4c8b49a4d21a51bd50ae718dfbe024e
 RMD160 (contao-2.11.2.tar.gz) = 580553e29b92ea7bc5b04e38946edb269bc2ac78
 Size (contao-2.11.2.tar.gz) = 5319511 bytes
+SHA1 (patch-system_initialize.php) = 109f381bef4bae32617549709601eb2a30bbb01a
diff --git a/www/contao211/patches/patch-system_initialize.php b/www/contao211/patches/patch-system_initialize.php
new file mode 100644
index 00000000000..b0bca37c3a9
--- /dev/null
+++ b/www/contao211/patches/patch-system_initialize.php
@@ -0,0 +1,38 @@
+$NetBSD: patch-system_initialize.php,v 1.1 2012/03/28 15:14:43 taca Exp $
+
+* Unofficial fix for CVE-2012-1297 by checking Referer as days of Contao 2.9.
+
+--- system/initialize.php.orig 2012-03-14 15:13:14.000000000 +0000
++++ system/initialize.php
+@@ -168,10 +168,28 @@ if (file_exists(TL_ROOT . '/system/confi
+ /**
+ * Check the request token upon POST requests
+ */
+-if ($_POST && !$GLOBALS['TL_CONFIG']['disableRefererCheck'] && !defined('BYPASS_TOKEN_CHECK'))
++if (!$GLOBALS['TL_CONFIG']['disableRefererCheck'] &&
++ ($_POST && !defined('BYPASS_TOKEN_CHECK') ||
++ $_SERVER['REQUEST_METHOD'] == 'POST' && !$GLOBALS['TL_CONFIG']['disableCompatRefererCheck']))
+ {
+- // Exit if the token cannot be validated
+- if (!$objToken->validate($objInput->post('REQUEST_TOKEN')))
++ $bad = false;
++
++ // Exit if traditional referer check is enabled.
++ if (!$GLOBALS['TL_CONFIG']['disableCompatRefererCheck'])
++ {
++ $self = parse_url($objEnvironment->url);
++ $referer = parse_url($objEnvironment->httpReferer);
++
++ $bad = (!strlen($referer['host']) || $referer['host'] != $self['host']);
++ }
++
++ if (!$bad)
++ {
++ // Exit if the token cannot be validated
++ $bad = !$objToken->validate($objInput->post('REQUEST_TOKEN'));
++ }
++
++ if ($bad)
+ {
+ // Force JavaScript redirect upon Ajax requests (IE requires absolute link)
+ if ($objEnvironment->isAjaxRequest) |
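Review bot: The widened outer condition now enters the block for any POST while the compat referer check is enabled, including requests where `BYPASS_TOKEN_CHECK` is defined or `$_POST` is empty, but the inner `if (!$bad)` branch calls `$objToken->validate($objInput->post('REQUEST_TOKEN'))` unconditionally, so a request the original code deliberately exempted from token validation is now rejected with a 400 as soon as its Referer passes. The inner guard should carry the exemption the outer condition dropped: `if (!$bad && $_POST && !defined('BYPASS_TOKEN_CHECK'))`. As a point of style, the outer condition mixes `&&` and `||` inside one parenthesis and relies on precedence; wrapping each alternative in its own parentheses would make the two cases readable at a glance. The `if ($bad)` body continues past the end of the hunk.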