From 3dca347fc28d6cffdcde5f8c64dc16460f589bab Mon Sep 17 00:00:00 2001 From: taca Date: Sun, 13 Sep 2009 01:15:10 +0000 Subject: Update Geeklog 1.5.2sr5 by adding patches since 1.5.2sr5 isn't provided as full release. And add updated fckeditor for Geeklog. These updates should fix known security problems, Secunia SA36372. Jul 30, 2009 (1.5.2sr5) ------------ This release addresses the following security issues: - Gerendi Sandor Attila reported an XSS in the forms to email a user and to email a story to a friend. - The "Mail Story to a Friend" function didn't check story permissions, so that it was possible to email a story even if you didn't have the permissions to view it on the site. --- www/geeklog/Makefile | 13 +++++-- www/geeklog/PLIST | 83 ++++++++++++++++++++++++-------------------- www/geeklog/distinfo | 15 ++++++-- www/geeklog/patches/patch-aa | 4 ++- www/geeklog/patches/patch-aj | 55 +++++++++++++++++++++++++++-- www/geeklog/patches/patch-ak | 14 ++++++++ www/geeklog/patches/patch-al | 14 ++++++++ www/geeklog/patches/patch-ba | 26 ++++++++++++++ www/geeklog/patches/patch-bb | 24 +++++++++++++ www/geeklog/patches/patch-bc | 54 ++++++++++++++++++++++++++++ www/geeklog/patches/patch-bd | 17 +++++++++ 11 files changed, 272 insertions(+), 47 deletions(-) create mode 100644 www/geeklog/patches/patch-ak create mode 100644 www/geeklog/patches/patch-al create mode 100644 www/geeklog/patches/patch-ba create mode 100644 www/geeklog/patches/patch-bb create mode 100644 www/geeklog/patches/patch-bc create mode 100644 www/geeklog/patches/patch-bd (limited to 'www/geeklog') diff --git a/www/geeklog/Makefile b/www/geeklog/Makefile index e92b08aebbf..ce408867682 100644 --- a/www/geeklog/Makefile +++ b/www/geeklog/Makefile 
@@ -1,10 +1,11 @@ -# $NetBSD: Makefile,v 1.22 2009/05/26 14:19:29 taca Exp $ +# $NetBSD: Makefile,v 1.23 2009/09/13 01:15:10 taca Exp $ # DISTNAME= geeklog-${VER} -PKGNAME= geeklog-${VER:C/(sr|-)/./g} +PKGNAME= geeklog-${VER:C/(sr|-)4/.5/g} CATEGORIES= www MASTER_SITES= http://www.geeklog.net/filemgmt/upload_dir/ +DISTFILES= ${DEFAULT_DISTFILES} ${FCKEDITOR_UPDATE} MAINTAINER= taca@NetBSD.org HOMEPAGE= http://www.geeklog.net/ @@ -13,6 +14,8 @@ LICENSE= gnu-gpl-v2 PKG_DESTDIR_SUPPORT= user-destdir PRIVILEGED_STAGES+= clean +EXTRACT_ONLY= ${DEFAULT_DISTFILES} +FCKEDITOR_UPDATE= fckeditor-2.6.4.1-updated.tar.gz DEPENDS+= ${APACHE_PKG_PREFIX}-${PHP_PKG_PREFIX}>=4.3.3:../../www/ap-php DEPENDS+= ${PHP_PKG_PREFIX}-mysql>=4.3.0:../../databases/php-mysql @@ -91,10 +94,14 @@ INSTALLATION_DIRS= ${GEEKLOG_BASE} ${GEEKLOG_PUB} ${GL_TMPL}/images \ share/examples/geeklog ${GL_DOC} ${GL_EG} post-extract: + ${RUN} extract_file=${_DISTDIR:Q}/${FCKEDITOR_UPDATE:Q}; \ + export extract_file; cd ${WRKSRC}/public_html && ${EXTRACT_CMD} + cd ${WRKSRC}/public_html && ${RM} -f README.txt \ + fckeditor/editor/filemanager/browser/default/images/icons/default.icon.gif0000644 ${CP} ${FILESDIR}/README ${FILESDIR}/geeklog.conf ${WRKDIR} pre-install: - ${FIND} ${WRKSRC:Q} -type f -name "*.orig" -exec ${RM} -f {} \; + ${FIND} ${WRKSRC} -type f -name "*.orig" -exec ${RM} -f {} \; cd ${WRKSRC}/public_html; \ ${FIND} ${GL_TMPL_SUB} -type f -exec ${CHMOD} -x {} \; ${CHMOD} 0664 ${WRKSRC}/public_html/backend/geeklog.rss diff --git a/www/geeklog/PLIST b/www/geeklog/PLIST index 8fef4d6ba80..5153a88ca82 100644 --- a/www/geeklog/PLIST +++ b/www/geeklog/PLIST @@ -1,4 +1,4 @@ -@comment $NetBSD: PLIST,v 1.9 2009/06/14 22:00:22 joerg Exp $ +@comment $NetBSD: PLIST,v 1.10 2009/09/13 01:15:10 taca Exp $ ${GEEKLOG_BASE}/emailgeeklogstories ${GEEKLOG_BASE}/language/afrikaans.php ${GEEKLOG_BASE}/language/afrikaans_utf-8.php 
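Review bot: In the Makefile hunk, `PKGNAME= geeklog-${VER:C/(sr|-)4/.5/g}` hard-codes the sr4-to-.5 mapping and has no comment saying that the package version is deliberately ahead of the distfile. A line such as `# distfile is 1.5.2sr4; local patches bring it to 1.5.2sr5` above it would tell the next maintainer to restore the generic substitution when a full release appears. The `${RM} -f` of `default.icon.gif0000644` in post-extract would also benefit from a short comment, since the name looks like an artifact of the updated fckeditor tarball rather than a real file.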
@@ -404,30 +404,32 @@ ${GEEKLOG_BASE}/system/lib-webservices.php
 ${GEEKLOG_BASE}/system/memberdetail.thtml
 ${GEEKLOG_BASE}/system/pear/Archive/Tar.php
 ${GEEKLOG_BASE}/system/pear/Archive/Zip.php
+${GEEKLOG_BASE}/system/pear/Auth/SASL.php
 ${GEEKLOG_BASE}/system/pear/Auth/SASL/Anonymous.php
 ${GEEKLOG_BASE}/system/pear/Auth/SASL/Common.php
 ${GEEKLOG_BASE}/system/pear/Auth/SASL/CramMD5.php
 ${GEEKLOG_BASE}/system/pear/Auth/SASL/DigestMD5.php
 ${GEEKLOG_BASE}/system/pear/Auth/SASL/Login.php
 ${GEEKLOG_BASE}/system/pear/Auth/SASL/Plain.php
-${GEEKLOG_BASE}/system/pear/Auth/SASL.php
 ${GEEKLOG_BASE}/system/pear/Console/Getopt.php
+${GEEKLOG_BASE}/system/pear/Date.php
 ${GEEKLOG_BASE}/system/pear/Date/Calc.php
 ${GEEKLOG_BASE}/system/pear/Date/Human.php
 ${GEEKLOG_BASE}/system/pear/Date/Span.php
 ${GEEKLOG_BASE}/system/pear/Date/TimeZone.php
-${GEEKLOG_BASE}/system/pear/Date.php
-${GEEKLOG_BASE}/system/pear/HTTP/Request/Listener.php
 ${GEEKLOG_BASE}/system/pear/HTTP/Request.php
+${GEEKLOG_BASE}/system/pear/HTTP/Request/Listener.php
+${GEEKLOG_BASE}/system/pear/Mail.php
 ${GEEKLOG_BASE}/system/pear/Mail/RFC822.php
 ${GEEKLOG_BASE}/system/pear/Mail/mail.php
 ${GEEKLOG_BASE}/system/pear/Mail/null.php
 ${GEEKLOG_BASE}/system/pear/Mail/sendmail.php
 ${GEEKLOG_BASE}/system/pear/Mail/smtp.php
-${GEEKLOG_BASE}/system/pear/Mail.php
+${GEEKLOG_BASE}/system/pear/Net/DNS.php
 ${GEEKLOG_BASE}/system/pear/Net/DNS/Header.php
 ${GEEKLOG_BASE}/system/pear/Net/DNS/Packet.php
 ${GEEKLOG_BASE}/system/pear/Net/DNS/Question.php
+${GEEKLOG_BASE}/system/pear/Net/DNS/RR.php
 ${GEEKLOG_BASE}/system/pear/Net/DNS/RR/A.php
 ${GEEKLOG_BASE}/system/pear/Net/DNS/RR/AAAA.php
 ${GEEKLOG_BASE}/system/pear/Net/DNS/RR/CNAME.php
@@ -440,17 +442,17 @@ ${GEEKLOG_BASE}/system/pear/Net/DNS/RR/SOA.php
 ${GEEKLOG_BASE}/system/pear/Net/DNS/RR/SRV.php
 ${GEEKLOG_BASE}/system/pear/Net/DNS/RR/TSIG.php
 ${GEEKLOG_BASE}/system/pear/Net/DNS/RR/TXT.php
-${GEEKLOG_BASE}/system/pear/Net/DNS/RR.php
 ${GEEKLOG_BASE}/system/pear/Net/DNS/Resolver.php
-${GEEKLOG_BASE}/system/pear/Net/DNS.php
 ${GEEKLOG_BASE}/system/pear/Net/SMTP.php
 ${GEEKLOG_BASE}/system/pear/Net/Socket.php
 ${GEEKLOG_BASE}/system/pear/Net/URL.php
 ${GEEKLOG_BASE}/system/pear/OS/Guess.php
+${GEEKLOG_BASE}/system/pear/PEAR.php
 ${GEEKLOG_BASE}/system/pear/PEAR/Autoloader.php
 ${GEEKLOG_BASE}/system/pear/PEAR/Builder.php
-${GEEKLOG_BASE}/system/pear/PEAR/ChannelFile/Parser.php
 ${GEEKLOG_BASE}/system/pear/PEAR/ChannelFile.php
+${GEEKLOG_BASE}/system/pear/PEAR/ChannelFile/Parser.php
+${GEEKLOG_BASE}/system/pear/PEAR/Command.php
 ${GEEKLOG_BASE}/system/pear/PEAR/Command/Auth.php
 ${GEEKLOG_BASE}/system/pear/PEAR/Command/Auth.xml
 ${GEEKLOG_BASE}/system/pear/PEAR/Command/Build.php
@@ -474,19 +476,20 @@ ${GEEKLOG_BASE}/system/pear/PEAR/Command/Remote.php
 ${GEEKLOG_BASE}/system/pear/PEAR/Command/Remote.xml
 ${GEEKLOG_BASE}/system/pear/PEAR/Command/Test.php
 ${GEEKLOG_BASE}/system/pear/PEAR/Command/Test.xml
-${GEEKLOG_BASE}/system/pear/PEAR/Command.php
 ${GEEKLOG_BASE}/system/pear/PEAR/Common.php
 ${GEEKLOG_BASE}/system/pear/PEAR/Config.php
 ${GEEKLOG_BASE}/system/pear/PEAR/Dependency.php
 ${GEEKLOG_BASE}/system/pear/PEAR/Dependency2.php
 ${GEEKLOG_BASE}/system/pear/PEAR/DependencyDB.php
-${GEEKLOG_BASE}/system/pear/PEAR/Downloader/Package.php
 ${GEEKLOG_BASE}/system/pear/PEAR/Downloader.php
+${GEEKLOG_BASE}/system/pear/PEAR/Downloader/Package.php
 ${GEEKLOG_BASE}/system/pear/PEAR/ErrorStack.php
 ${GEEKLOG_BASE}/system/pear/PEAR/Exception.php
 ${GEEKLOG_BASE}/system/pear/PEAR/FixPHP5PEARWarnings.php
-${GEEKLOG_BASE}/system/pear/PEAR/Frontend/CLI.php
 ${GEEKLOG_BASE}/system/pear/PEAR/Frontend.php
+${GEEKLOG_BASE}/system/pear/PEAR/Frontend/CLI.php
+${GEEKLOG_BASE}/system/pear/PEAR/Installer.php
+${GEEKLOG_BASE}/system/pear/PEAR/Installer/Role.php
 ${GEEKLOG_BASE}/system/pear/PEAR/Installer/Role/Cfg.php
 ${GEEKLOG_BASE}/system/pear/PEAR/Installer/Role/Cfg.xml
 ${GEEKLOG_BASE}/system/pear/PEAR/Installer/Role/Common.php
@@ -506,41 +509,40 @@ ${GEEKLOG_BASE}/system/pear/PEAR/Installer/Role/Test.php ${GEEKLOG_BASE}/system/pear/PEAR/Installer/Role/Test.xml ${GEEKLOG_BASE}/system/pear/PEAR/Installer/Role/Www.php ${GEEKLOG_BASE}/system/pear/PEAR/Installer/Role/Www.xml -${GEEKLOG_BASE}/system/pear/PEAR/Installer/Role.php -${GEEKLOG_BASE}/system/pear/PEAR/Installer.php +${GEEKLOG_BASE}/system/pear/PEAR/PackageFile.php ${GEEKLOG_BASE}/system/pear/PEAR/PackageFile/Generator/v1.php ${GEEKLOG_BASE}/system/pear/PEAR/PackageFile/Generator/v2.php ${GEEKLOG_BASE}/system/pear/PEAR/PackageFile/Parser/v1.php ${GEEKLOG_BASE}/system/pear/PEAR/PackageFile/Parser/v2.php ${GEEKLOG_BASE}/system/pear/PEAR/PackageFile/v1.php +${GEEKLOG_BASE}/system/pear/PEAR/PackageFile/v2.php ${GEEKLOG_BASE}/system/pear/PEAR/PackageFile/v2/Validator.php ${GEEKLOG_BASE}/system/pear/PEAR/PackageFile/v2/rw.php -${GEEKLOG_BASE}/system/pear/PEAR/PackageFile/v2.php -${GEEKLOG_BASE}/system/pear/PEAR/PackageFile.php ${GEEKLOG_BASE}/system/pear/PEAR/Packager.php +${GEEKLOG_BASE}/system/pear/PEAR/REST.php ${GEEKLOG_BASE}/system/pear/PEAR/REST/10.php ${GEEKLOG_BASE}/system/pear/PEAR/REST/11.php ${GEEKLOG_BASE}/system/pear/PEAR/REST/13.php -${GEEKLOG_BASE}/system/pear/PEAR/REST.php ${GEEKLOG_BASE}/system/pear/PEAR/Registry.php ${GEEKLOG_BASE}/system/pear/PEAR/Remote.php ${GEEKLOG_BASE}/system/pear/PEAR/RunTest.php ${GEEKLOG_BASE}/system/pear/PEAR/Task/Common.php -${GEEKLOG_BASE}/system/pear/PEAR/Task/Postinstallscript/rw.php ${GEEKLOG_BASE}/system/pear/PEAR/Task/Postinstallscript.php -${GEEKLOG_BASE}/system/pear/PEAR/Task/Replace/rw.php +${GEEKLOG_BASE}/system/pear/PEAR/Task/Postinstallscript/rw.php ${GEEKLOG_BASE}/system/pear/PEAR/Task/Replace.php -${GEEKLOG_BASE}/system/pear/PEAR/Task/Unixeol/rw.php +${GEEKLOG_BASE}/system/pear/PEAR/Task/Replace/rw.php ${GEEKLOG_BASE}/system/pear/PEAR/Task/Unixeol.php -${GEEKLOG_BASE}/system/pear/PEAR/Task/Windowseol/rw.php +${GEEKLOG_BASE}/system/pear/PEAR/Task/Unixeol/rw.php 
${GEEKLOG_BASE}/system/pear/PEAR/Task/Windowseol.php +${GEEKLOG_BASE}/system/pear/PEAR/Task/Windowseol/rw.php ${GEEKLOG_BASE}/system/pear/PEAR/Validate.php ${GEEKLOG_BASE}/system/pear/PEAR/Validator/PECL.php ${GEEKLOG_BASE}/system/pear/PEAR/XMLParser.php -${GEEKLOG_BASE}/system/pear/PEAR.php ${GEEKLOG_BASE}/system/pear/README ${GEEKLOG_BASE}/system/pear/System.php +${GEEKLOG_BASE}/system/pear/Text/Wiki.php ${GEEKLOG_BASE}/system/pear/Text/Wiki/Default.php +${GEEKLOG_BASE}/system/pear/Text/Wiki/Parse.php ${GEEKLOG_BASE}/system/pear/Text/Wiki/Parse/Default/Anchor.php ${GEEKLOG_BASE}/system/pear/Text/Wiki/Parse/Default/Blockquote.php ${GEEKLOG_BASE}/system/pear/Text/Wiki/Parse/Default/Bold.php @@ -579,7 +581,8 @@ ${GEEKLOG_BASE}/system/pear/Text/Wiki/Parse/Default/Tt.php ${GEEKLOG_BASE}/system/pear/Text/Wiki/Parse/Default/Underline.php ${GEEKLOG_BASE}/system/pear/Text/Wiki/Parse/Default/Url.php ${GEEKLOG_BASE}/system/pear/Text/Wiki/Parse/Default/Wikilink.php -${GEEKLOG_BASE}/system/pear/Text/Wiki/Parse.php +${GEEKLOG_BASE}/system/pear/Text/Wiki/Render.php +${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Latex.php ${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Latex/Anchor.php ${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Latex/Blockquote.php ${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Latex/Bold.php @@ -625,7 +628,7 @@ ${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Latex/Tt.php ${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Latex/Underline.php ${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Latex/Url.php ${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Latex/Wikilink.php -${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Latex.php +${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Plain.php ${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Plain/Anchor.php ${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Plain/Blockquote.php ${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Plain/Bold.php 
@@ -671,7 +674,7 @@ ${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Plain/Tt.php ${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Plain/Underline.php ${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Plain/Url.php ${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Plain/Wikilink.php -${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Plain.php +${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Xhtml.php ${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Xhtml/Address.php ${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Xhtml/Anchor.php ${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Xhtml/Blockquote.php @@ -718,12 +721,9 @@ ${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Xhtml/Tt.php ${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Xhtml/Underline.php ${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Xhtml/Url.php ${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Xhtml/Wikilink.php -${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Xhtml.php -${GEEKLOG_BASE}/system/pear/Text/Wiki/Render.php -${GEEKLOG_BASE}/system/pear/Text/Wiki.php +${GEEKLOG_BASE}/system/pear/XML/RPC.php ${GEEKLOG_BASE}/system/pear/XML/RPC/Dump.php ${GEEKLOG_BASE}/system/pear/XML/RPC/Server.php -${GEEKLOG_BASE}/system/pear/XML/RPC.php ${GEEKLOG_BASE}/system/pear/scripts/pear.bat ${GEEKLOG_BASE}/system/pear/scripts/pear.sh ${GEEKLOG_BASE}/system/pear/scripts/pearcmd.php @@ -771,6 +771,7 @@ ${GL_TMPL}/images/topics/topic_gl.gif ${GL_TMPL}/images/topics/topic_news.gif ${GL_TMPL}/images/userphotos/index.html ${GEEKLOG_PUB}/404.php +${GEEKLOG_PUB}/article.php ${GL_ADMIN}/auth.inc.php ${GL_ADMIN}/block.php ${GL_ADMIN}/configuration.php @@ -797,6 +798,7 @@ ${GL_ADMIN}/install/success.php ${GL_ADMIN}/install/toinnodb.php ${GL_ADMIN}/mail.php ${GL_ADMIN}/moderation.php +${GL_ADMIN}/plugins.php ${GL_ADMIN}/plugins/calendar/index.php ${GL_ADMIN}/plugins/calendar/install.php ${GL_ADMIN}/plugins/links/category.php 
@@ -809,14 +811,12 @@ ${GL_ADMIN}/plugins/spamx/index.php ${GL_ADMIN}/plugins/spamx/install.php ${GL_ADMIN}/plugins/staticpages/index.php ${GL_ADMIN}/plugins/staticpages/install.php -${GL_ADMIN}/plugins.php ${GL_ADMIN}/sectest.php ${GL_ADMIN}/story.php ${GL_ADMIN}/syndication.php ${GL_ADMIN}/topic.php ${GL_ADMIN}/trackback.php ${GL_ADMIN}/user.php -${GEEKLOG_PUB}/article.php ${GEEKLOG_PUB}/calendar/event.php ${GEEKLOG_PUB}/calendar/images/calendar.png ${GEEKLOG_PUB}/calendar/images/delete_event.gif @@ -921,6 +921,7 @@ ${GEEKLOG_PUB}/fckeditor/editor/_source/internals/fckcodeformatter.js ${GEEKLOG_PUB}/fckeditor/editor/_source/internals/fckcommands.js ${GEEKLOG_PUB}/fckeditor/editor/_source/internals/fckconfig.js ${GEEKLOG_PUB}/fckeditor/editor/_source/internals/fckdebug.js +${GEEKLOG_PUB}/fckeditor/editor/_source/internals/fckdebug_empty.js ${GEEKLOG_PUB}/fckeditor/editor/_source/internals/fckdialog.js ${GEEKLOG_PUB}/fckeditor/editor/_source/internals/fckdocumentprocessor.js ${GEEKLOG_PUB}/fckeditor/editor/_source/internals/fckdomtools.js 
@@ -973,35 +974,37 @@ ${GEEKLOG_PUB}/fckeditor/editor/dialog/common/fck_dialog_common.js ${GEEKLOG_PUB}/fckeditor/editor/dialog/common/images/locked.gif ${GEEKLOG_PUB}/fckeditor/editor/dialog/common/images/reset.gif ${GEEKLOG_PUB}/fckeditor/editor/dialog/common/images/unlocked.gif +${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_about.html ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_about/logo_fckeditor.gif ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_about/logo_fredck.gif ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_about/sponsors/spellchecker_net.gif -${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_about.html ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_anchor.html ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_button.html ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_checkbox.html ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_colorselector.html -${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_docprops/fck_document_preview.html +${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_div.html ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_docprops.html +${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_docprops/fck_document_preview.html +${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_flash.html ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_flash/fck_flash.js ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_flash/fck_flash_preview.html -${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_flash.html ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_form.html ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_hiddenfield.html +${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_image.html ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_image/fck_image.js ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_image/fck_image_preview.html -${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_image.html -${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_link/fck_link.js ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_link.html +${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_link/fck_link.js ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_listprop.html ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_paste.html 
${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_radiobutton.html ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_replace.html -${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_select/fck_select.js ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_select.html +${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_select/fck_select.js ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_smiley.html ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_source.html ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_specialchar.html +${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_spellerpages.html ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_spellerpages/spellerpages/blank.html ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_spellerpages/spellerpages/controlWindow.js ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_spellerpages/spellerpages/controls.html @@ -1012,13 +1015,12 @@ ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_spellerpages/spellerpages/spellChecke ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_spellerpages/spellerpages/spellchecker.html ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_spellerpages/spellerpages/spellerStyle.css ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_spellerpages/spellerpages/wordWindow.js -${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_spellerpages.html ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_table.html ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_tablecell.html +${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_template.html ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_template/images/template1.gif ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_template/images/template2.gif ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_template/images/template3.gif -${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_template.html ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_textarea.html ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_textfield.html ${GEEKLOG_PUB}/fckeditor/editor/dtd/fck_dtd_test.html 
@@ -1161,10 +1163,12 @@ ${GEEKLOG_PUB}/fckeditor/editor/lang/fo.js ${GEEKLOG_PUB}/fckeditor/editor/lang/fr-ca.js ${GEEKLOG_PUB}/fckeditor/editor/lang/fr.js ${GEEKLOG_PUB}/fckeditor/editor/lang/gl.js +${GEEKLOG_PUB}/fckeditor/editor/lang/gu.js ${GEEKLOG_PUB}/fckeditor/editor/lang/he.js ${GEEKLOG_PUB}/fckeditor/editor/lang/hi.js ${GEEKLOG_PUB}/fckeditor/editor/lang/hr.js ${GEEKLOG_PUB}/fckeditor/editor/lang/hu.js +${GEEKLOG_PUB}/fckeditor/editor/lang/is.js ${GEEKLOG_PUB}/fckeditor/editor/lang/it.js ${GEEKLOG_PUB}/fckeditor/editor/lang/ja.js ${GEEKLOG_PUB}/fckeditor/editor/lang/km.js @@ -1259,6 +1263,9 @@ ${GEEKLOG_PUB}/fckeditor/editor/skins/silver/images/toolbar.end.gif ${GEEKLOG_PUB}/fckeditor/editor/skins/silver/images/toolbar.expand.gif ${GEEKLOG_PUB}/fckeditor/editor/skins/silver/images/toolbar.separator.gif ${GEEKLOG_PUB}/fckeditor/editor/skins/silver/images/toolbar.start.gif +${GEEKLOG_PUB}/fckeditor/editor/wsc/ciframe.html +${GEEKLOG_PUB}/fckeditor/editor/wsc/tmpFrameset.html +${GEEKLOG_PUB}/fckeditor/editor/wsc/w.html ${GEEKLOG_PUB}/fckeditor/fckconfig.js ${GEEKLOG_PUB}/fckeditor/fckeditor.js ${GEEKLOG_PUB}/fckeditor/fckeditor.php diff --git a/www/geeklog/distinfo b/www/geeklog/distinfo index 68c5c86c16c..9fe3f28065b 100644 --- a/www/geeklog/distinfo +++ b/www/geeklog/distinfo 
@@ -1,7 +1,16 @@ -$NetBSD: distinfo,v 1.9 2009/05/26 14:19:29 taca Exp $ +$NetBSD: distinfo,v 1.10 2009/09/13 01:15:10 taca Exp $ +SHA1 (fckeditor-2.6.4.1-updated.tar.gz) = 60008ea4ee12a9951b7e05cb76922afe5d103fb6 +RMD160 (fckeditor-2.6.4.1-updated.tar.gz) = 75ee469a39508085e5360e6d53168f01d1faa65d +Size (fckeditor-2.6.4.1-updated.tar.gz) = 832636 bytes SHA1 (geeklog-1.5.2sr4.tar.gz) = fa0e1e97a8d3fa7ccdff0835eb0bd0e963d5bc24 RMD160 (geeklog-1.5.2sr4.tar.gz) = a218749173c0c4e1aba322759f7ee32d20ec166d Size (geeklog-1.5.2sr4.tar.gz) = 4499082 bytes -SHA1 (patch-aa) = 56252ea1af7abe3aec8c99f11788f58de0015948 -SHA1 (patch-aj) = 846d860115d4108454799599ce41ead262efba92 +SHA1 (patch-aa) = 61cc381e4c3def555806ed4589446f466f6f8368 +SHA1 (patch-aj) = a7ff9d20a1313ace5f4ea4c46f5e8b087748e4e3 +SHA1 (patch-ak) = 5d49a7fd449b3905fe7a2177a636be3db7b45e33 +SHA1 (patch-al) = 6ebcfe407ad8b84a41130f6f7c2a26cf5b96f6c1 +SHA1 (patch-ba) = 74850e68510f37e4da762b247e5b68992acd7c18 +SHA1 (patch-bb) = cd6586fd10747231aa92efbdc59944f61d1cb7be +SHA1 (patch-bc) = fab4ff8b9fa00b40d96bb580055b6773d0774abb +SHA1 (patch-bd) = d09def0a09c9cbfc846e630acd1208beebfc2224 diff --git a/www/geeklog/patches/patch-aa b/www/geeklog/patches/patch-aa index cb613d97ad4..0847684a512 100644 --- a/www/geeklog/patches/patch-aa +++ b/www/geeklog/patches/patch-aa @@ -1,4 +1,6 @@ -$NetBSD: patch-aa,v 1.3 2009/05/26 14:19:29 taca Exp $ +$NetBSD: patch-aa,v 1.4 2009/09/13 01:15:11 taca Exp $ + +* Correct interpreter path. --- emailgeeklogstories.orig 2008-12-14 18:57:36.000000000 +0900 +++ emailgeeklogstories diff --git a/www/geeklog/patches/patch-aj b/www/geeklog/patches/patch-aj index 5a097e96e05..1bc6c0198ad 100644 --- a/www/geeklog/patches/patch-aj +++ b/www/geeklog/patches/patch-aj 
@@ -1,8 +1,52 @@ -$NetBSD: patch-aj,v 1.1 2009/05/26 14:19:29 taca Exp $ +$NetBSD: patch-aj,v 1.2 2009/09/13 01:15:11 taca Exp $ + +* make it geeklog 1.5.2sr5. +* Add missing charset parameter. +* Add missing utf8 select button. +* Send correct charset parameter. --- public_html/admin/install/index.php.orig 2009-04-18 16:55:00.000000000 +0900 +++ public_html/admin/install/index.php -@@ -1793,16 +1793,8 @@ function INST_setDefaultCharset($sitecon +@@ -48,7 +48,7 @@ if (!defined("LB")) { + define("LB", "\n"); + } + if (!defined('VERSION')) { +- define('VERSION', '1.5.2sr4'); ++ define('VERSION', '1.5.2sr5'); + } + if (!defined('XHTML')) { + define('XHTML', ' /'); +@@ -178,7 +178,8 @@ function get_SPX_Ver() + */ + function INST_checkPost150Upgrade($dbconfig_path, $siteconfig_path) + { +- global $_CONF, $_TABLES, $_DB, $_DB_dbms, $_DB_host, $_DB_user, $_DB_pass; ++ global $_CONF, $_TABLES, $_DB, $_DB_dbms, $_DB_host, $_DB_user, $_DB_pass, ++ $language; + + require $dbconfig_path; + require $siteconfig_path; +@@ -227,6 +228,7 @@ function INST_checkPost150Upgrade($dbcon + // this is a 1.5.x version, so upgrade directly + $req_string = 'index.php?mode=upgrade&step=3' + . '&dbconfig_path=' . $dbconfig_path ++ . '&language=' . $language + . '&version=' . $version; + + header('Location: ' . $req_string); +@@ -407,6 +409,11 @@ function INST_installEngine($install_typ + if ($install_type == 'install') { + $display .= ' +

'; ++ } else { ++ if ($utf8) { ++ $display .= ' ++ '; ++ } + } + + $display .= ' +@@ -1793,16 +1800,8 @@ function INST_setDefaultCharset($sitecon // | Main | // +---------------------------------------------------------------------------+ @@ -21,3 +65,10 @@ $NetBSD: patch-aj,v 1.1 2009/05/26 14:19:29 taca Exp $ $html_path = str_replace('admin/install/index.php', '', str_replace('admin\install\index.php', '', str_replace('\\', '/', __FILE__))); $siteconfig_path = '../../siteconfig.php'; +@@ -2228,5 +2227,6 @@ $display .= ' + + ' . LB; + ++header('Content-Type: text/html; charset=' . $LANG_CHARSET); + echo $display; + ?> diff --git a/www/geeklog/patches/patch-ak b/www/geeklog/patches/patch-ak new file mode 100644 index 00000000000..a3757819cd9 --- /dev/null +++ b/www/geeklog/patches/patch-ak @@ -0,0 +1,14 @@ +$NetBSD: patch-ak,v 1.1 2009/09/13 01:15:11 taca Exp $ + +* Send correct charset parameter. + +--- public_html/admin/install/configinfo.php.orig 2008-05-11 16:25:08.000000000 +0900 ++++ public_html/admin/install/configinfo.php +@@ -92,6 +92,7 @@ foreach ($_CONF as $option => $value) { + } + $display .= "\n\n"; + ++header('Content-Type: text/html; charset=' . COM_getCharset()); + echo $display; + + ?> diff --git a/www/geeklog/patches/patch-al b/www/geeklog/patches/patch-al new file mode 100644 index 00000000000..831acec24aa --- /dev/null +++ b/www/geeklog/patches/patch-al @@ -0,0 +1,14 @@ +$NetBSD: patch-al,v 1.1 2009/09/13 01:15:11 taca Exp $ + +* Send correct charset parameter. + +--- public_html/admin/install/help.php.orig 2009-01-23 04:19:55.000000000 +0900 ++++ public_html/admin/install/help.php +@@ -141,6 +141,7 @@ $display .= ' + + ' . LB; + ++header('Content-Type: text/html; charset=' . $LANG_CHARSET); + echo $display; + + ?> diff --git a/www/geeklog/patches/patch-ba b/www/geeklog/patches/patch-ba new file mode 100644 index 00000000000..cd0860c1c88 --- /dev/null +++ b/www/geeklog/patches/patch-ba 
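Review bot: In the patch-aj hunk for INST_checkPost150Upgrade, the redirect target is built by concatenating `$language` (next to the existing `$dbconfig_path` and `$version`) into the query string without encoding, so a value containing `&`, `#` or whitespace would change the resulting URL; `. '&language=' . urlencode($language)` keeps the parameter intact. Where `$language` is assigned is outside the hunk, so confirm it is limited to known language file names before it reaches `header('Location: ' . $req_string)`. The added `header('Content-Type: text/html; charset=' . $LANG_CHARSET);` here and in patch-al likewise assumes `$LANG_CHARSET` only ever comes from a trusted language file; a one-line comment stating that would help.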
@@ -0,0 +1,26 @@ +$NetBSD: patch-ba,v 1.1 2009/09/13 01:15:11 taca Exp $ + +* Documentation update for Geeklog 1.5.2sr5 which isn't contained in + geeklog-1.5.2sr4-upgrade.tar.gz. + +--- public_html/docs/changes.html.orig 2009-04-18 16:56:05.000000000 +0900 ++++ public_html/docs/changes.html +@@ -16,6 +16,18 @@ and / or obvious changes. For a detailed + ChangeLog. The file docs/changed-files has a list + of files that have been changed since the last release.

+ ++

Geeklog 1.5.2sr5

++ ++

This release addresses the following security issues:

++
    ++
  1. Gerendi Sandor Attila reported an XSS in the forms to email a user and to ++ email a story to a friend.
  2. ++
  3. The "Mail Story to a Friend" function didn't check story permissions, so ++ that it was possible to email a story even if you didn't have the ++ permissions to view it on the site.
  4. ++
++ ++ +

Geeklog 1.5.2sr4

+ +

Bookoo of the Nine Situations Group posted another SQL injection exploit, targetting an old bug in usersettings.php. As with the previous issues, this allowed an attacker to extract the password hash for any account and is fixed with this release.

diff --git a/www/geeklog/patches/patch-bb b/www/geeklog/patches/patch-bb
new file mode 100644
index 00000000000..a89da300958
--- /dev/null
+++ b/www/geeklog/patches/patch-bb
@@ -0,0 +1,24 @@
+$NetBSD: patch-bb,v 1.1 2009/09/13 01:15:11 taca Exp $
+
+* Documentation update for Geeklog 1.5.2sr5 which isn't contained in
+ geeklog-1.5.2sr4-upgrade.tar.gz.
+
+--- public_html/docs/history.orig 2009-04-18 16:47:32.000000000 +0900
++++ public_html/docs/history
+@@ -1,5 +1,16 @@
+ Geeklog History/Changes:
+
++Jul 30, 2009 (1.5.2sr5)
++------------
++
++This release addresses the following security issues:
++- Gerendi Sandor Attila reported an XSS in the forms to email a user and to
++ email a story to a friend.
++- The "Mail Story to a Friend" function didn't check story permissions, so that
++ it was possible to email a story even if you didn't have the permissions to
++ view it on the site.
++
++
+ Apr 18, 2009 (1.5.2sr4)
+ ------------
+
diff --git a/www/geeklog/patches/patch-bc b/www/geeklog/patches/patch-bc
new file mode 100644
index 00000000000..889cc2f208f
--- /dev/null
+++ b/www/geeklog/patches/patch-bc
@@ -0,0 +1,54 @@
+$NetBSD: patch-bc,v 1.1 2009/09/13 01:15:11 taca Exp $
+
+* An update to Geeklog 1.5.2sr5.
+
+--- public_html/profiles.php.orig 2009-01-19 02:27:58.000000000 +0900
++++ public_html/profiles.php
+@@ -231,7 +231,7 @@ function contactform ($uid, $subject = '
+ $mail_template->set_var ('lang_subject', $LANG08[13]);
+ $mail_template->set_var ('subject', $subject);
+ $mail_template->set_var ('lang_message', $LANG08[14]);
+- $mail_template->set_var ('message', $message);
++ $mail_template->set_var ('message', htmlspecialchars($message));
+ $mail_template->set_var ('lang_nohtml', $LANG08[15]);
+ $mail_template->set_var ('lang_submit', $LANG08[16]);
+ $mail_template->set_var ('uid', $uid);
+@@ -300,9 +300,13 @@ function mailstory($sid, $to, $toemail,
+ return $retval;
+ }
+
+- $sql = "SELECT uid,title,introtext,bodytext,commentcode,UNIX_TIMESTAMP(date) AS day FROM {$_TABLES['stories']} WHERE sid = '$sid'";
+- $result = DB_query ($sql);
+- $A = DB_fetchArray ($result);
++ $sql = "SELECT uid,title,introtext,bodytext,commentcode,UNIX_TIMESTAMP(date) AS day FROM {$_TABLES['stories']} WHERE sid = '$sid'" . COM_getTopicSql('AND') . COM_getPermSql('AND');
++ $result = DB_query($sql);
++ if (DB_numRows($result) == 0) {
++ return COM_refresh($_CONF['site_url'] . '/index.php');
++ }
++ $A = DB_fetchArray($result);
++
+ $shortmsg = COM_stripslashes ($shortmsg);
+ $mailtext = sprintf ($LANG08[23], $from, $fromemail) . LB;
+ if (strlen ($shortmsg) > 0) {
+@@ -392,6 +396,12 @@ function mailstoryform ($sid, $to = '',
+ return $retval;
+ }
+
++ $result = DB_query("SELECT COUNT(*) AS count FROM {$_TABLES['stories']} WHERE sid = '$sid'" . COM_getTopicSql('AND') . COM_getPermSql('AND'));
++ $A = DB_fetchArray($result);
++ if ($A['count'] == 0) {
++ return COM_refresh($_CONF['site_url'] . '/index.php');
++ }
++
+ if ($msg > 0) {
+ $retval .= COM_showMessage ($msg);
+ }
+@@ -421,7 +431,7 @@ function mailstoryform ($sid, $to = '',
+ $mail_template->set_var('lang_toemailaddress', $LANG08[19]);
+ $mail_template->set_var('toemail', $toemail);
+ $mail_template->set_var('lang_shortmessage', $LANG08[27]);
+- $mail_template->set_var('shortmsg', $shortmsg);
++ $mail_template->set_var('shortmsg', htmlspecialchars($shortmsg));
+ $mail_template->set_var('lang_warning', $LANG08[22]);
+ $mail_template->set_var('lang_sendmessage', $LANG08[16]);
+ $mail_template->set_var('story_id',$sid);
diff --git a/www/geeklog/patches/patch-bd b/www/geeklog/patches/patch-bd
new file mode 100644
index 00000000000..bad29e3c74e
--- /dev/null
+++ b/www/geeklog/patches/patch-bd
@@ -0,0 +1,17 @@
+$NetBSD: patch-bd,v 1.1 2009/09/13 01:15:11 taca Exp $
+
+* An update of Geeklog 1.5.2sr5 which isn't contained in
+ geeklog-1.5.2sr4-upgrade.tar.gz. This is configuration file and
+ it will be updated during upgrade from 1.5.2sr4.
+
+--- public_html/siteconfig.php.orig 2009-04-18 16:54:50.000000000 +0900
++++ public_html/siteconfig.php
+@@ -38,7 +38,7 @@ if (!defined('LB')) {
+ define('LB',"\n");
+ }
+ if (!defined('VERSION')) {
+- define('VERSION', '1.5.2sr4');
++ define('VERSION', '1.5.2sr5');
+ }
+
+ ?>
-- cgit v1.2.3
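Review bot: In patch-bc the XSS fix escapes only `message` in contactform and `shortmsg` in mailstoryform, while the adjacent context lines still hand `$subject` and `$toemail` to `set_var` unescaped. Both function bodies start outside the hunks, so confirm these values are filtered earlier or wrap them the same way, e.g. `$mail_template->set_var ('subject', htmlspecialchars($subject));`. `htmlspecialchars()` is called with its default flags, which leave single quotes unescaped; if the templates place these values inside a single-quoted attribute, pass `ENT_QUOTES` as well. The new permission queries in mailstory and mailstoryform still interpolate `$sid` directly into the SQL string; whether it is sanitised before this point is not visible here and is worth a comment at the query.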