pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/www Add unofficial fix for CVE-2012-1297 by checking R...
details: https://anonhg.NetBSD.org/pkgsrc/rev/4deb439099d4
branches: trunk
changeset: 601785:4deb439099d4
user: taca <taca%pkgsrc.org@localhost>
date: Wed Mar 28 15:14:24 2012 +0000
description:
Add unofficial fix for CVE-2012-1297 by checking Referer as days of Contao 2.9.
Bump PKGREVISION.
diffstat:
www/contao210/MESSAGE | 7 +++-
www/contao210/Makefile | 4 +-
www/contao210/distinfo | 3 +-
www/contao210/patches/patch-system_initialize.php | 33 +++++++++++++++++++
www/contao211/MESSAGE | 7 +++-
www/contao211/Makefile | 3 +-
www/contao211/distinfo | 3 +-
www/contao211/patches/patch-system_initialize.php | 38 +++++++++++++++++++++++
8 files changed, 91 insertions(+), 7 deletions(-)
diffs (173 lines):
diff -r 43718accd7ce -r 4deb439099d4 www/contao210/MESSAGE
--- a/www/contao210/MESSAGE Wed Mar 28 14:24:59 2012 +0000
+++ b/www/contao210/MESSAGE Wed Mar 28 15:14:24 2012 +0000
@@ -1,5 +1,5 @@
===========================================================================
-$NetBSD: MESSAGE,v 1.2 2011/08/31 14:33:22 taca Exp $
+$NetBSD: MESSAGE,v 1.3 2012/03/28 15:14:24 taca Exp $
To complete the setup, please read:
@@ -10,4 +10,9 @@
www/php-tidy
+This package contains unofficial fix for CVE-2012-1297. If there are any
+problem by this fix, add a below line to system/config/localconfig.php.
+
+$GLOBALS['TL_CONFIG']['disableCompatRefererCheck'] = true;
+
===========================================================================
diff -r 43718accd7ce -r 4deb439099d4 www/contao210/Makefile
--- a/www/contao210/Makefile Wed Mar 28 14:24:59 2012 +0000
+++ b/www/contao210/Makefile Wed Mar 28 15:14:24 2012 +0000
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.10 2012/03/14 16:35:29 taca Exp $
+# $NetBSD: Makefile,v 1.11 2012/03/28 15:14:24 taca Exp $
#
DISTNAME= contao-${CT_VERSION}
PKGNAME= contao${CT_VER}-${CT_PKGVER}
-PKGREVISION= 1
+PKGREVISION= 2
CATEGORIES= www
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=contao/}
DIST_SUBDIR= ${CT_DIST_SUBDIR}
diff -r 43718accd7ce -r 4deb439099d4 www/contao210/distinfo
--- a/www/contao210/distinfo Wed Mar 28 14:24:59 2012 +0000
+++ b/www/contao210/distinfo Wed Mar 28 15:14:24 2012 +0000
@@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.9 2012/03/14 16:35:29 taca Exp $
+$NetBSD: distinfo,v 1.10 2012/03/28 15:14:24 taca Exp $
SHA1 (contao210-201201020/contao-2.10.4.tar.gz) = 1a27453f9ecac540a509f299efd5caa495fa6964
RMD160 (contao210-201201020/contao-2.10.4.tar.gz) = 89f5a3435d67f82c36884f080f630403a8495c22
Size (contao210-201201020/contao-2.10.4.tar.gz) = 4880113 bytes
SHA1 (patch-contao_popup.php) = 61747c25cc8d2e74aecba107f694be462371d898
SHA1 (patch-system_drivers_DC__Table.php) = 3c927c6093df90b8fc54a993f28844d369b1a43d
+SHA1 (patch-system_initialize.php) = a1c79e9930ef71f1a0efacbcb239daf8690fe62b
SHA1 (patch-system_modules_backend_StyleSheets.php) = e510727d99a505d1309bd0bbbaaa21fd21e95ea3
diff -r 43718accd7ce -r 4deb439099d4 www/contao210/patches/patch-system_initialize.php
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/www/contao210/patches/patch-system_initialize.php Wed Mar 28 15:14:24 2012 +0000
@@ -0,0 +1,33 @@
+$NetBSD: patch-system_initialize.php,v 1.1 2012/03/28 15:14:24 taca Exp $
+
+* Unofficial fix for CVE-2012-1297 by checking Referer as days of Contao 2.9.
+
+--- system/initialize.php.orig 2011-12-30 09:00:10.000000000 +0000
++++ system/initialize.php
+@@ -166,8 +166,24 @@ include(TL_ROOT . '/system/config/initco
+ */
+ if ($_POST && !$GLOBALS['TL_CONFIG']['disableRefererCheck'] && !defined('BYPASS_TOKEN_CHECK'))
+ {
+- // Exit if the token cannot be validated
+- if (!$objInput->post('REQUEST_TOKEN') || !is_array($_SESSION['REQUEST_TOKEN'][TL_MODE]) || !in_array($objInput->post('REQUEST_TOKEN'), $_SESSION['REQUEST_TOKEN'][TL_MODE]))
++ $bad = false;
++
++ // Exit if traditional referer check is enabled.
++ if (!$GLOBALS['TL_CONFIG']['disableCompatRefererCheck'])
++ {
++ $self = parse_url($objEnvironment->url);
++ $referer = parse_url($objEnvironment->httpReferer);
++
++ $bad = (!strlen($referer['host']) || $referer['host'] != $self['host']);
++ }
++
++ if (!$bad)
++ {
++ // Exit if the token cannot be validated
++ $bad = (!$objInput->post('REQUEST_TOKEN') || !is_array($_SESSION['REQUEST_TOKEN'][TL_MODE]) || !in_array($objInput->post('REQUEST_TOKEN'), $_SESSION['REQUEST_TOKEN'][TL_MODE]));
++ }
++
++ if ($bad)
+ {
+ header('HTTP/1.1 400 Bad Request');
+
diff -r 43718accd7ce -r 4deb439099d4 www/contao211/MESSAGE
--- a/www/contao211/MESSAGE Wed Mar 28 14:24:59 2012 +0000
+++ b/www/contao211/MESSAGE Wed Mar 28 15:14:24 2012 +0000
@@ -1,5 +1,5 @@
===========================================================================
-$NetBSD: MESSAGE,v 1.1.1.1 2012/02/19 10:54:07 taca Exp $
+$NetBSD: MESSAGE,v 1.2 2012/03/28 15:14:43 taca Exp $
To complete the setup, please read:
@@ -10,4 +10,9 @@
www/php-tidy
+This package contains unofficial fix for CVE-2012-1297. If there are any
+problem by this fix, add a below line to system/config/localconfig.php.
+
+$GLOBALS['TL_CONFIG']['disableCompatRefererCheck'] = true;
+
===========================================================================
diff -r 43718accd7ce -r 4deb439099d4 www/contao211/Makefile
--- a/www/contao211/Makefile Wed Mar 28 14:24:59 2012 +0000
+++ b/www/contao211/Makefile Wed Mar 28 15:14:24 2012 +0000
@@ -1,8 +1,9 @@
-# $NetBSD: Makefile,v 1.1.1.1 2012/02/19 10:54:07 taca Exp $
+# $NetBSD: Makefile,v 1.2 2012/03/28 15:14:43 taca Exp $
#
DISTNAME= contao-${CT_VERSION}
PKGNAME= contao${CT_VER}-${CT_PKGVER}
+PKGREVISION= 1
CATEGORIES= www
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=contao/}
DIST_SUBDIR= ${CT_DIST_SUBDIR}
diff -r 43718accd7ce -r 4deb439099d4 www/contao211/distinfo
--- a/www/contao211/distinfo Wed Mar 28 14:24:59 2012 +0000
+++ b/www/contao211/distinfo Wed Mar 28 15:14:24 2012 +0000
@@ -1,5 +1,6 @@
-$NetBSD: distinfo,v 1.5 2012/03/14 16:24:35 taca Exp $
+$NetBSD: distinfo,v 1.6 2012/03/28 15:14:43 taca Exp $
SHA1 (contao-2.11.2.tar.gz) = 0cf939e6a4c8b49a4d21a51bd50ae718dfbe024e
RMD160 (contao-2.11.2.tar.gz) = 580553e29b92ea7bc5b04e38946edb269bc2ac78
Size (contao-2.11.2.tar.gz) = 5319511 bytes
+SHA1 (patch-system_initialize.php) = 109f381bef4bae32617549709601eb2a30bbb01a
diff -r 43718accd7ce -r 4deb439099d4 www/contao211/patches/patch-system_initialize.php
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/www/contao211/patches/patch-system_initialize.php Wed Mar 28 15:14:24 2012 +0000
@@ -0,0 +1,38 @@
+$NetBSD: patch-system_initialize.php,v 1.1 2012/03/28 15:14:43 taca Exp $
+
+* Unofficial fix for CVE-2012-1297 by checking Referer as days of Contao 2.9.
+
+--- system/initialize.php.orig 2012-03-14 15:13:14.000000000 +0000
++++ system/initialize.php
+@@ -168,10 +168,28 @@ if (file_exists(TL_ROOT . '/system/confi
+ /**
+ * Check the request token upon POST requests
+ */
+-if ($_POST && !$GLOBALS['TL_CONFIG']['disableRefererCheck'] && !defined('BYPASS_TOKEN_CHECK'))
++if (!$GLOBALS['TL_CONFIG']['disableRefererCheck'] &&
++ ($_POST && !defined('BYPASS_TOKEN_CHECK') ||
++ $_SERVER['REQUEST_METHOD'] == 'POST' && !$GLOBALS['TL_CONFIG']['disableCompatRefererCheck']))
+ {
+- // Exit if the token cannot be validated
+- if (!$objToken->validate($objInput->post('REQUEST_TOKEN')))
++ $bad = false;
++
++ // Exit if traditional referer check is enabled.
++ if (!$GLOBALS['TL_CONFIG']['disableCompatRefererCheck'])
++ {
++ $self = parse_url($objEnvironment->url);
++ $referer = parse_url($objEnvironment->httpReferer);
++
++ $bad = (!strlen($referer['host']) || $referer['host'] != $self['host']);
++ }
++
++ if (!$bad)
++ {
++ // Exit if the token cannot be validated
++ $bad = !$objToken->validate($objInput->post('REQUEST_TOKEN'));
++ }
++
++ if ($bad)
+ {
+ // Force JavaScript redirect upon Ajax requests (IE requires absolute link)
+ if ($objEnvironment->isAjaxRequest)
Home |
Main Index |
Thread Index |
Old Index