pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/www/typolight26 Add security fix patches, refering htt...
details: https://anonhg.NetBSD.org/pkgsrc/rev/10bf5ae536a8
branches: trunk
changeset: 568793:10bf5ae536a8
user: taca <taca%pkgsrc.org@localhost>
date: Sun Dec 20 04:21:05 2009 +0000
description:
Add security fix patches, refering http://www.typolight.org/news/items/major-security-hole-in-the-typolight-install-tool.html.
Bump PKGREVISION.
diffstat:
www/typolight26/Makefile | 4 +-
www/typolight26/distinfo | 4 ++-
www/typolight26/patches/patch-ad | 52 ++++++++++++++++++++++++++++++++++++++++
www/typolight26/patches/patch-ae | 52 ++++++++++++++++++++++++++++++++++++++++
4 files changed, 109 insertions(+), 3 deletions(-)
diffs (142 lines):
diff -r ae8f448d405c -r 10bf5ae536a8 www/typolight26/Makefile
--- a/www/typolight26/Makefile Sun Dec 20 02:37:05 2009 +0000
+++ b/www/typolight26/Makefile Sun Dec 20 04:21:05 2009 +0000
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.4 2009/11/29 06:46:21 taca Exp $
+# $NetBSD: Makefile,v 1.5 2009/12/20 04:21:05 taca Exp $
#
DISTNAME= typolight-${TL_VERSION}
PKGNAME= typolight${TL_VER}-${TL_PKGVER}
-PKGREVISION= 2
+PKGREVISION= 3
CATEGORIES= www
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=typolight/}
diff -r ae8f448d405c -r 10bf5ae536a8 www/typolight26/distinfo
--- a/www/typolight26/distinfo Sun Dec 20 02:37:05 2009 +0000
+++ b/www/typolight26/distinfo Sun Dec 20 04:21:05 2009 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.2 2009/04/30 13:12:40 taca Exp $
+$NetBSD: distinfo,v 1.3 2009/12/20 04:21:05 taca Exp $
SHA1 (typolight-2.6.7.tar.gz) = d360d5a974c3663488576f856302710c0529b500
RMD160 (typolight-2.6.7.tar.gz) = b15e3c1c910f3fc9bf3797ffd0dfd6dfc3dd7d5a
@@ -6,3 +6,5 @@
SHA1 (patch-aa) = 254a1fef4e0baff7c5f10c25ceb9d1501f315684
SHA1 (patch-ab) = a005f8650564eb031def1f94156dcdc72799a758
SHA1 (patch-ac) = 035f7703721774b1cc9eaf99ffdbc6aa60489076
+SHA1 (patch-ad) = 1302dfb77f76f3d407f123b3e1f1d9f8dfe6e740
+SHA1 (patch-ae) = 7498d750dc902294163efd32cae3ac20feb08c08
diff -r ae8f448d405c -r 10bf5ae536a8 www/typolight26/patches/patch-ad
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/www/typolight26/patches/patch-ad Sun Dec 20 04:21:05 2009 +0000
@@ -0,0 +1,52 @@
+$NetBSD: patch-ad,v 1.1 2009/12/20 04:21:05 taca Exp $
+
+* Security fix:
+ http://www.typolight.org/news/items/major-security-hole-in-the-typolight-install-tool.html
+
+--- typolight/ftp.php.orig 2008-12-13 15:27:05.000000000 +0000
++++ typolight/ftp.php
+@@ -88,6 +88,9 @@ class FtpCheck extends Controller
+ */
+ if ($this->Input->post('FORM_SUBMIT') == 'tl_login')
+ {
++ $_SESSION['TL_INSTALL_AUTH'] = '';
++ $_SESSION['TL_INSTALL_EXPIRE'] = 0;
++
+ $password = sha1($this->Input->post('password', true));
+
+ if (strlen($password) && $password != 'da39a3ee5e6b4b0d3255bfef95601890afd80709')
+@@ -95,7 +98,10 @@ class FtpCheck extends Controller
+ // Set cookie
+ if ($password == $GLOBALS['TL_CONFIG']['installPassword'])
+ {
+- $this->setCookie('TL_INSTALL_AUTH', md5($this->Environment->ip.session_id()), (time()+300), $GLOBALS['TL_CONFIG']['websitePath']);
++ $_SESSION['TL_INSTALL_EXPIRE'] = (time() + 300);
++ $_SESSION['TL_INSTALL_AUTH'] = md5(uniqid('', true) . $this->Environment->ip . session_id());
++
++ $this->setCookie('TL_INSTALL_AUTH', $_SESSION['TL_INSTALL_AUTH'], $_SESSION['TL_INSTALL_EXPIRE'], $GLOBALS['TL_CONFIG']['websitePath']);
+ $this->Config->update("\$GLOBALS['TL_CONFIG']['installCount']", 0);
+
+ $this->reload();
+@@ -109,14 +115,20 @@ class FtpCheck extends Controller
+ }
+
+ // Check cookie
+- if (!$this->Input->cookie('TL_INSTALL_AUTH'))
++ if (!$this->Input->cookie('TL_INSTALL_AUTH') || $_SESSION['TL_INSTALL_AUTH'] == '' || $this->Input->cookie('TL_INSTALL_AUTH') != $_SESSION['TL_INSTALL_AUTH'] ||
$_SESSION['TL_INSTALL_EXPIRE'] < time())
+ {
+ $this->Template->login = true;
+ $this->outputAndExit();
+ }
+
+ // Renew cookie
+- $this->setCookie('TL_INSTALL_AUTH', md5($this->Environment->ip.session_id()), (time()+300), $GLOBALS['TL_CONFIG']['websitePath']);
++ else
++ {
++ $_SESSION['TL_INSTALL_EXPIRE'] = (time() + 300);
++ $_SESSION['TL_INSTALL_AUTH'] = md5(uniqid('', true) . $this->Environment->ip . session_id());
++
++ $this->setCookie('TL_INSTALL_AUTH', $_SESSION['TL_INSTALL_AUTH'], $_SESSION['TL_INSTALL_EXPIRE'], $GLOBALS['TL_CONFIG']['websitePath']);
++ }
+
+
+ /**
diff -r ae8f448d405c -r 10bf5ae536a8 www/typolight26/patches/patch-ae
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/www/typolight26/patches/patch-ae Sun Dec 20 04:21:05 2009 +0000
@@ -0,0 +1,52 @@
+$NetBSD: patch-ae,v 1.1 2009/12/20 04:21:05 taca Exp $
+
+* Security fix:
+ http://www.typolight.org/news/items/major-security-hole-in-the-typolight-install-tool.html
+
+--- typolight/install.php.orig 2008-12-13 15:27:05.000000000 +0000
++++ typolight/install.php
+@@ -113,6 +113,9 @@ class InstallTool extends Controller
+ */
+ if ($this->Input->post('FORM_SUBMIT') == 'tl_login')
+ {
++ $_SESSION['TL_INSTALL_AUTH'] = '';
++ $_SESSION['TL_INSTALL_EXPIRE'] = 0;
++
+ $password = sha1($this->Input->post('password', true));
+
+ if (strlen($password) && $password != 'da39a3ee5e6b4b0d3255bfef95601890afd80709')
+@@ -120,7 +123,10 @@ class InstallTool extends Controller
+ // Set cookie
+ if ($password == $GLOBALS['TL_CONFIG']['installPassword'])
+ {
+- $this->setCookie('TL_INSTALL_AUTH', md5($this->Environment->ip.session_id()), (time()+300), $GLOBALS['TL_CONFIG']['websitePath']);
++ $_SESSION['TL_INSTALL_EXPIRE'] = (time() + 300);
++ $_SESSION['TL_INSTALL_AUTH'] = md5(uniqid('', true) . $this->Environment->ip . session_id());
++
++ $this->setCookie('TL_INSTALL_AUTH', $_SESSION['TL_INSTALL_AUTH'], $_SESSION['TL_INSTALL_EXPIRE'], $GLOBALS['TL_CONFIG']['websitePath']);
+ $this->Config->update("\$GLOBALS['TL_CONFIG']['installCount']", 0);
+
+ $this->reload();
+@@ -134,14 +140,20 @@ class InstallTool extends Controller
+ }
+
+ // Check cookie
+- if (!$this->Input->cookie('TL_INSTALL_AUTH'))
++ if (!$this->Input->cookie('TL_INSTALL_AUTH') || $_SESSION['TL_INSTALL_AUTH'] == '' || $this->Input->cookie('TL_INSTALL_AUTH') != $_SESSION['TL_INSTALL_AUTH'] ||
$_SESSION['TL_INSTALL_EXPIRE'] < time())
+ {
+ $this->Template->login = true;
+ $this->outputAndExit();
+ }
+
+ // Renew cookie
+- $this->setCookie('TL_INSTALL_AUTH', md5($this->Environment->ip.session_id()), (time()+300), $GLOBALS['TL_CONFIG']['websitePath']);
++ else
++ {
++ $_SESSION['TL_INSTALL_EXPIRE'] = (time() + 300);
++ $_SESSION['TL_INSTALL_AUTH'] = md5(uniqid('', true) . $this->Environment->ip . session_id());
++
++ $this->setCookie('TL_INSTALL_AUTH', $_SESSION['TL_INSTALL_AUTH'], $_SESSION['TL_INSTALL_EXPIRE'], $GLOBALS['TL_CONFIG']['websitePath']);
++ }
+
+
+ /**
Home |
Main Index |
Thread Index |
Old Index