
[pkgsrc/trunk]: pkgsrc/www Add unofficial fix for CVE-2012-1297 by checking R...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/4deb439099d4
branches:  trunk
changeset: 601785:4deb439099d4
user:      taca <taca%pkgsrc.org@localhost>
date:      Wed Mar 28 15:14:24 2012 +0000

description:
Add an unofficial fix for CVE-2012-1297 by checking the Referer header, as Contao 2.9 did.

Bump PKGREVISION.

diffstat:

 www/contao210/MESSAGE                             |   7 +++-
 www/contao210/Makefile                            |   4 +-
 www/contao210/distinfo                            |   3 +-
 www/contao210/patches/patch-system_initialize.php |  33 +++++++++++++++++++
 www/contao211/MESSAGE                             |   7 +++-
 www/contao211/Makefile                            |   3 +-
 www/contao211/distinfo                            |   3 +-
 www/contao211/patches/patch-system_initialize.php |  38 +++++++++++++++++++++++
 8 files changed, 91 insertions(+), 7 deletions(-)

diffs (173 lines):

diff -r 43718accd7ce -r 4deb439099d4 www/contao210/MESSAGE
--- a/www/contao210/MESSAGE     Wed Mar 28 14:24:59 2012 +0000
+++ b/www/contao210/MESSAGE     Wed Mar 28 15:14:24 2012 +0000
@@ -1,5 +1,5 @@
 ===========================================================================
-$NetBSD: MESSAGE,v 1.2 2011/08/31 14:33:22 taca Exp $
+$NetBSD: MESSAGE,v 1.3 2012/03/28 15:14:24 taca Exp $
 
 To complete the setup, please read:
 
@@ -10,4 +10,9 @@
 
        www/php-tidy
 
+This package contains unofficial fix for CVE-2012-1297.  If there are any
+problem by this fix, add a below line to system/config/localconfig.php.
+
+$GLOBALS['TL_CONFIG']['disableCompatRefererCheck'] = true;
+
 ===========================================================================
diff -r 43718accd7ce -r 4deb439099d4 www/contao210/Makefile
--- a/www/contao210/Makefile    Wed Mar 28 14:24:59 2012 +0000
+++ b/www/contao210/Makefile    Wed Mar 28 15:14:24 2012 +0000
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.10 2012/03/14 16:35:29 taca Exp $
+# $NetBSD: Makefile,v 1.11 2012/03/28 15:14:24 taca Exp $
 #
 
 DISTNAME=      contao-${CT_VERSION}
 PKGNAME=       contao${CT_VER}-${CT_PKGVER}
-PKGREVISION=   1
+PKGREVISION=   2
 CATEGORIES=    www
 MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE:=contao/}
 DIST_SUBDIR=   ${CT_DIST_SUBDIR}
diff -r 43718accd7ce -r 4deb439099d4 www/contao210/distinfo
--- a/www/contao210/distinfo    Wed Mar 28 14:24:59 2012 +0000
+++ b/www/contao210/distinfo    Wed Mar 28 15:14:24 2012 +0000
@@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.9 2012/03/14 16:35:29 taca Exp $
+$NetBSD: distinfo,v 1.10 2012/03/28 15:14:24 taca Exp $
 
 SHA1 (contao210-201201020/contao-2.10.4.tar.gz) = 1a27453f9ecac540a509f299efd5caa495fa6964
 RMD160 (contao210-201201020/contao-2.10.4.tar.gz) = 89f5a3435d67f82c36884f080f630403a8495c22
 Size (contao210-201201020/contao-2.10.4.tar.gz) = 4880113 bytes
 SHA1 (patch-contao_popup.php) = 61747c25cc8d2e74aecba107f694be462371d898
 SHA1 (patch-system_drivers_DC__Table.php) = 3c927c6093df90b8fc54a993f28844d369b1a43d
+SHA1 (patch-system_initialize.php) = a1c79e9930ef71f1a0efacbcb239daf8690fe62b
 SHA1 (patch-system_modules_backend_StyleSheets.php) = e510727d99a505d1309bd0bbbaaa21fd21e95ea3
diff -r 43718accd7ce -r 4deb439099d4 www/contao210/patches/patch-system_initialize.php
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/www/contao210/patches/patch-system_initialize.php Wed Mar 28 15:14:24 2012 +0000
@@ -0,0 +1,33 @@
+$NetBSD: patch-system_initialize.php,v 1.1 2012/03/28 15:14:24 taca Exp $
+
+* Unofficial fix for CVE-2012-1297 by checking Referer as days of Contao 2.9.
+
+--- system/initialize.php.orig 2011-12-30 09:00:10.000000000 +0000
++++ system/initialize.php
+@@ -166,8 +166,24 @@ include(TL_ROOT . '/system/config/initco
+  */
+ if ($_POST && !$GLOBALS['TL_CONFIG']['disableRefererCheck'] && !defined('BYPASS_TOKEN_CHECK'))
+ {
+-      // Exit if the token cannot be validated
+-      if (!$objInput->post('REQUEST_TOKEN') || !is_array($_SESSION['REQUEST_TOKEN'][TL_MODE]) || !in_array($objInput->post('REQUEST_TOKEN'), $_SESSION['REQUEST_TOKEN'][TL_MODE]))
++    $bad = false;
++
++      // Exit if traditional referer check is enabled.
++    if (!$GLOBALS['TL_CONFIG']['disableCompatRefererCheck'])
++    {
++        $self = parse_url($objEnvironment->url);
++        $referer = parse_url($objEnvironment->httpReferer);
++
++        $bad = (!strlen($referer['host']) || $referer['host'] != $self['host']);
++    }
++
++    if (!$bad)
++    {
++        // Exit if the token cannot be validated
++        $bad = (!$objInput->post('REQUEST_TOKEN') || !is_array($_SESSION['REQUEST_TOKEN'][TL_MODE]) || !in_array($objInput->post('REQUEST_TOKEN'), $_SESSION['REQUEST_TOKEN'][TL_MODE]));
++    }
++    
++      if ($bad)
+       {
+               header('HTTP/1.1 400 Bad Request');
+ 
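Review bot: The new referer check at `$bad = (!strlen($referer['host']) || $referer['host'] != $self['host']);` indexes the parse_url() results without checking them: parse_url() returns false for a malformed URL and omits the 'host' key when the value has none, so a request with no or an odd Referer header raises an undefined-index notice before it is rejected, and the loose `!=` compares hostnames case-sensitively although they are not. Suggest `$refHost = (is_array($referer) && isset($referer['host'])) ? $referer['host'] : '';` followed by `$bad = ($refHost === '' || !isset($self['host']) || strcasecmp($refHost, $self['host']) !== 0);`. A missing Referer now yields a hard 400 even when REQUEST_TOKEN is valid, which the MESSAGE file only documents as an opt-out, so the comment above the block should say `// Reject POSTs whose Referer host is absent or differs from ours; disable via disableCompatRefererCheck` rather than the current "Exit if traditional referer check is enabled". The same lines are repeated in the www/contao211 patch. The enclosing if block continues past the end of the hunk.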
diff -r 43718accd7ce -r 4deb439099d4 www/contao211/MESSAGE
--- a/www/contao211/MESSAGE     Wed Mar 28 14:24:59 2012 +0000
+++ b/www/contao211/MESSAGE     Wed Mar 28 15:14:24 2012 +0000
@@ -1,5 +1,5 @@
 ===========================================================================
-$NetBSD: MESSAGE,v 1.1.1.1 2012/02/19 10:54:07 taca Exp $
+$NetBSD: MESSAGE,v 1.2 2012/03/28 15:14:43 taca Exp $
 
 To complete the setup, please read:
 
@@ -10,4 +10,9 @@
 
        www/php-tidy
 
+This package contains unofficial fix for CVE-2012-1297.  If there are any
+problem by this fix, add a below line to system/config/localconfig.php.
+
+$GLOBALS['TL_CONFIG']['disableCompatRefererCheck'] = true;
+
 ===========================================================================
diff -r 43718accd7ce -r 4deb439099d4 www/contao211/Makefile
--- a/www/contao211/Makefile    Wed Mar 28 14:24:59 2012 +0000
+++ b/www/contao211/Makefile    Wed Mar 28 15:14:24 2012 +0000
@@ -1,8 +1,9 @@
-# $NetBSD: Makefile,v 1.1.1.1 2012/02/19 10:54:07 taca Exp $
+# $NetBSD: Makefile,v 1.2 2012/03/28 15:14:43 taca Exp $
 #
 
 DISTNAME=      contao-${CT_VERSION}
 PKGNAME=       contao${CT_VER}-${CT_PKGVER}
+PKGREVISION=   1
 CATEGORIES=    www
 MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE:=contao/}
 DIST_SUBDIR=   ${CT_DIST_SUBDIR}
diff -r 43718accd7ce -r 4deb439099d4 www/contao211/distinfo
--- a/www/contao211/distinfo    Wed Mar 28 14:24:59 2012 +0000
+++ b/www/contao211/distinfo    Wed Mar 28 15:14:24 2012 +0000
@@ -1,5 +1,6 @@
-$NetBSD: distinfo,v 1.5 2012/03/14 16:24:35 taca Exp $
+$NetBSD: distinfo,v 1.6 2012/03/28 15:14:43 taca Exp $
 
 SHA1 (contao-2.11.2.tar.gz) = 0cf939e6a4c8b49a4d21a51bd50ae718dfbe024e
 RMD160 (contao-2.11.2.tar.gz) = 580553e29b92ea7bc5b04e38946edb269bc2ac78
 Size (contao-2.11.2.tar.gz) = 5319511 bytes
+SHA1 (patch-system_initialize.php) = 109f381bef4bae32617549709601eb2a30bbb01a
diff -r 43718accd7ce -r 4deb439099d4 www/contao211/patches/patch-system_initialize.php
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/www/contao211/patches/patch-system_initialize.php Wed Mar 28 15:14:24 2012 +0000
@@ -0,0 +1,38 @@
+$NetBSD: patch-system_initialize.php,v 1.1 2012/03/28 15:14:43 taca Exp $
+
+* Unofficial fix for CVE-2012-1297 by checking Referer as days of Contao 2.9.
+
+--- system/initialize.php.orig 2012-03-14 15:13:14.000000000 +0000
++++ system/initialize.php
+@@ -168,10 +168,28 @@ if (file_exists(TL_ROOT . '/system/confi
+ /**
+  * Check the request token upon POST requests
+  */
+-if ($_POST && !$GLOBALS['TL_CONFIG']['disableRefererCheck'] && !defined('BYPASS_TOKEN_CHECK'))
++if (!$GLOBALS['TL_CONFIG']['disableRefererCheck'] &&
++    ($_POST && !defined('BYPASS_TOKEN_CHECK') ||
++     $_SERVER['REQUEST_METHOD'] == 'POST' && !$GLOBALS['TL_CONFIG']['disableCompatRefererCheck']))
+ {
+-      // Exit if the token cannot be validated
+-      if (!$objToken->validate($objInput->post('REQUEST_TOKEN')))
++    $bad = false;
++
++      // Exit if traditional referer check is enabled.
++    if (!$GLOBALS['TL_CONFIG']['disableCompatRefererCheck'])
++    {
++        $self = parse_url($objEnvironment->url);
++        $referer = parse_url($objEnvironment->httpReferer);
++
++        $bad = (!strlen($referer['host']) || $referer['host'] != $self['host']);
++    }
++
++    if (!$bad)
++    {
++        // Exit if the token cannot be validated
++        $bad = !$objToken->validate($objInput->post('REQUEST_TOKEN'));
++    }
++    
++      if ($bad)
+       {
+               // Force JavaScript redirect upon Ajax requests (IE requires absolute link)
+               if ($objEnvironment->isAjaxRequest)
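Review bot: With the widened condition starting at `if (!$GLOBALS['TL_CONFIG']['disableRefererCheck'] &&`, a POST from a script that defines BYPASS_TOKEN_CHECK still enters the block whenever the compat referer check is enabled, and the inner `$bad = !$objToken->validate($objInput->post('REQUEST_TOKEN'));` never re-tests that constant, so such callers presumably lose the bypass they defined and get a 400 as soon as the Referer host matches. If the intent is to keep BYPASS_TOKEN_CHECK as a token-only bypass, guard it: `$bad = !defined('BYPASS_TOKEN_CHECK') && !$objToken->validate($objInput->post('REQUEST_TOKEN'));`. The new `$_SERVER['REQUEST_METHOD'] == 'POST'` test would read better as `=== 'POST'`, the blank line before `if ($bad)` carries trailing whitespace, and the added comment lines keep tab indentation inside an otherwise space-indented block. The enclosing if block continues past the end of the hunk.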


