pkgsrc-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[pkgsrc/trunk]: pkgsrc/www/contao34 Add several security related fixes from C...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/2a67a6dd7c72
branches:  trunk
changeset: 652644:2a67a6dd7c72
user:      taca <taca%pkgsrc.org@localhost>
date:      Sat Jun 06 03:31:01 2015 +0000

description:
Add several security related fixes from Contao 3.2.21.

Bump PKGREVISION.

diffstat:

 www/contao34/Makefile                                                       |   3 +-
 www/contao34/distinfo                                                       |   6 +-
 www/contao34/patches/patch-system_helper_functions.php                      |  27 ++++
 www/contao34/patches/patch-system_modules_core_classes_BackendUser.php      |  34 +++++
 www/contao34/patches/patch-system_modules_core_controllers_BackendPopup.php |  15 ++
 www/contao34/patches/patch-system_modules_core_dca_tl__files.php            |  65 ++++++++++
 6 files changed, 148 insertions(+), 2 deletions(-)

diffs (185 lines):

diff -r 8e97dddd6f86 -r 2a67a6dd7c72 www/contao34/Makefile
--- a/www/contao34/Makefile     Sat Jun 06 03:29:33 2015 +0000
+++ b/www/contao34/Makefile     Sat Jun 06 03:31:01 2015 +0000
@@ -1,8 +1,9 @@
-# $NetBSD: Makefile,v 1.4 2015/02/01 04:51:34 taca Exp $
+# $NetBSD: Makefile,v 1.5 2015/06/06 03:31:01 taca Exp $
 #
 
 DISTNAME=      contao-${CT_PKGVER}
 PKGNAME=       contao${CT_VER}-${CT_PKGVER}
+PKGREVISION=   1
 CATEGORIES=    www
 MASTER_SITES=  ${CT_MASTER_SITE}
 
diff -r 8e97dddd6f86 -r 2a67a6dd7c72 www/contao34/distinfo
--- a/www/contao34/distinfo     Sat Jun 06 03:29:33 2015 +0000
+++ b/www/contao34/distinfo     Sat Jun 06 03:31:01 2015 +0000
@@ -1,5 +1,9 @@
-$NetBSD: distinfo,v 1.5 2015/03/28 04:21:42 taca Exp $
+$NetBSD: distinfo,v 1.6 2015/06/06 03:31:01 taca Exp $
 
 SHA1 (contao-3.4.5.tar.gz) = 0ae1b47a85f33e74550a77fa4fa44fa5c3b6e674
 RMD160 (contao-3.4.5.tar.gz) = dcca780d1d67d71e5cbeade268608e296d4d847b
 Size (contao-3.4.5.tar.gz) = 11544130 bytes
+SHA1 (patch-system_helper_functions.php) = e5ee8f1e08b2712030f8809f20166bf6550f266b
+SHA1 (patch-system_modules_core_classes_BackendUser.php) = 527074d91cd550be242f6b4dfe005f6351fd1f35
+SHA1 (patch-system_modules_core_controllers_BackendPopup.php) = 29d2abf5bb149297da84ad198365b7656304fcb9
+SHA1 (patch-system_modules_core_dca_tl__files.php) = 8c1d1fb73cfe0e76e30eeb1b4036beb7b56fd71e
diff -r 8e97dddd6f86 -r 2a67a6dd7c72 www/contao34/patches/patch-system_helper_functions.php
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/www/contao34/patches/patch-system_helper_functions.php    Sat Jun 06 03:31:01 2015 +0000
@@ -0,0 +1,27 @@
+$NetBSD: patch-system_helper_functions.php,v 1.1 2015/06/06 03:31:01 taca Exp $
+
+Security improvement as Contao 3.2.21.
+
+--- system/helper/functions.php.orig   2015-03-27 08:53:59.000000000 +0000
++++ system/helper/functions.php
+@@ -216,9 +216,10 @@ function scan($strFolder, $blnUncached=f
+  * entities are never double converted.
+  * @param string
+  * @param boolean
++ * @param boolean
+  * @return string
+  */
+-function specialchars($strString, $blnStripInsertTags=false)
++function specialchars($strString, $blnStripInsertTags=false, $blnDoubleEncode=false)
+ {
+       if ($blnStripInsertTags)
+       {
+@@ -226,7 +227,7 @@ function specialchars($strString, $blnSt
+       }
+ 
+       // Use ENT_COMPAT here (see #4889)
+-      return htmlspecialchars($strString, ENT_COMPAT, $GLOBALS['TL_CONFIG']['characterSet'], false);
++      return htmlspecialchars($strString, ENT_COMPAT, $GLOBALS['TL_CONFIG']['characterSet'], $blnDoubleEncode);
+ }
+ 
+ 
diff -r 8e97dddd6f86 -r 2a67a6dd7c72 www/contao34/patches/patch-system_modules_core_classes_BackendUser.php
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/www/contao34/patches/patch-system_modules_core_classes_BackendUser.php    Sat Jun 06 03:31:01 2015 +0000
@@ -0,0 +1,34 @@
+$NetBSD: patch-system_modules_core_classes_BackendUser.php,v 1.1 2015/06/06 03:31:01 taca Exp $
+
+Security improvement as Contao 3.2.21.
+
+--- system/modules/core/classes/BackendUser.php.orig   2015-03-27 08:53:59.000000000 +0000
++++ system/modules/core/classes/BackendUser.php
+@@ -285,7 +285,7 @@ class BackendUser extends \User
+                                                                                       ->limit(1)
+                                                                                       ->execute($pid);
+ 
+-                      while (!$row['chmod'] && $pid > 0 && $objParentPage->numRows)
++                      while ($row['chmod'] === false && $pid > 0 && $objParentPage->numRows)
+                       {
+                               $pid = $objParentPage->pid;
+ 
+@@ -299,15 +299,15 @@ class BackendUser extends \User
+                       }
+ 
+                       // Set default values
+-                      if (!$row['chmod'])
++                      if (!$row['chmod'] === false)
+                       {
+                               $row['chmod'] = \Config::get('defaultChmod');
+                       }
+-                      if (!$row['cuser'])
++                      if (!$row['cuser'] === false)
+                       {
+                               $row['cuser'] = intval(\Config::get('defaultUser'));
+                       }
+-                      if (!$row['cgroup'])
++                      if (!$row['cgroup'] === false)
+                       {
+                               $row['cgroup'] = intval(\Config::get('defaultGroup'));
+                       }
diff -r 8e97dddd6f86 -r 2a67a6dd7c72 www/contao34/patches/patch-system_modules_core_controllers_BackendPopup.php
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/www/contao34/patches/patch-system_modules_core_controllers_BackendPopup.php       Sat Jun 06 03:31:01 2015 +0000
@@ -0,0 +1,15 @@
+$NetBSD: patch-system_modules_core_controllers_BackendPopup.php,v 1.1 2015/06/06 03:31:01 taca Exp $
+
+Security improvement as Contao 3.2.21.
+
+--- system/modules/core/controllers/BackendPopup.php.orig      2015-03-27 08:53:59.000000000 +0000
++++ system/modules/core/controllers/BackendPopup.php
+@@ -128,7 +128,7 @@ class BackendPopup extends \Backend
+               $this->Template->ctime = \Date::parse(\Config::get('datimFormat'), $objFile->ctime);
+               $this->Template->mtime = \Date::parse(\Config::get('datimFormat'), $objFile->mtime);
+               $this->Template->atime = \Date::parse(\Config::get('datimFormat'), $objFile->atime);
+-              $this->Template->path = $this->strFile;
++              $this->Template->path = specialchars($this->strFile);
+ 
+               $this->output();
+       }
diff -r 8e97dddd6f86 -r 2a67a6dd7c72 www/contao34/patches/patch-system_modules_core_dca_tl__files.php
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/www/contao34/patches/patch-system_modules_core_dca_tl__files.php  Sat Jun 06 03:31:01 2015 +0000
@@ -0,0 +1,65 @@
+$NetBSD: patch-system_modules_core_dca_tl__files.php,v 1.1 2015/06/06 03:31:01 taca Exp $
+
+Security improvement as Contao 3.2.21.
+
+--- system/modules/core/dca/tl_files.php.orig  2015-03-27 08:53:59.000000000 +0000
++++ system/modules/core/dca/tl_files.php
+@@ -488,7 +488,7 @@ class tl_files extends Backend
+        */
+       public function editFile($row, $href, $label, $title, $icon, $attributes)
+       {
+-              return $this->User->hasAccess('f2', 'fop') ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title).'"'.$attributes.'>'.Image::getHtml($icon, 
$label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
++              return ($this->User->isAdmin || $this->User->hasAccess('f2', 'fop')) ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title, false, 
true).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
+       }
+ 
+ 
+@@ -504,7 +504,7 @@ class tl_files extends Backend
+        */
+       public function copyFile($row, $href, $label, $title, $icon, $attributes)
+       {
+-              return $this->User->hasAccess('f2', 'fop') ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title).'"'.$attributes.'>'.Image::getHtml($icon, 
$label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
++              return ($this->User->isAdmin || $this->User->hasAccess('f2', 'fop')) ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title, false, 
true).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
+       }
+ 
+ 
+@@ -520,7 +520,7 @@ class tl_files extends Backend
+        */
+       public function cutFile($row, $href, $label, $title, $icon, $attributes)
+       {
+-              return $this->User->hasAccess('f2', 'fop') ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title).'"'.$attributes.'>'.Image::getHtml($icon, 
$label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
++              return ($this->User->isAdmin || $this->User->hasAccess('f2', 'fop')) ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title, false, 
true).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
+       }
+ 
+ 
+@@ -538,11 +538,11 @@ class tl_files extends Backend
+       {
+               if (is_dir(TL_ROOT . '/' . $row['id']) && count(scan(TL_ROOT . '/' . $row['id'])) > 0)
+               {
+-                      return $this->User->hasAccess('f4', 'fop') ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" 
title="'.specialchars($title).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
++                      return ($this->User->isAdmin || $this->User->hasAccess('f4', 'fop')) ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title, false, 
true).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
+               }
+               else
+               {
+-                      return ($this->User->hasAccess('f3', 'fop') || $this->User->hasAccess('f4', 'fop')) ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" 
title="'.specialchars($title).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
++                      return ($this->User->isAdmin || $this->User->hasAccess('f3', 'fop') || $this->User->hasAccess('f4', 'fop')) ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" 
title="'.specialchars($title, false, true).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
+               }
+       }
+ 
+@@ -578,7 +578,7 @@ class tl_files extends Backend
+                       return Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
+               }
+ 
+-              return '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ';
++              return '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title, false, true).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ';
+       }
+ 
+ 
+@@ -600,7 +600,7 @@ class tl_files extends Backend
+               }
+               else
+               {
+-                      return '<a href="contao/popup.php?src=' . base64_encode($row['id']) . '" title="'.specialchars($title).'"'.$attributes.' 
onclick="Backend.openModalIframe({\'width\':'.$row['popupWidth'].',\'title\':\''.str_replace("'", "\\'", $row['fileNameEncoded']).'\',\'url\':this.href,\'height\':'.$row['popupHeight'].'});return 
false">'.Image::getHtml($icon, $label).'</a> ';
++                      return '<a href="contao/popup.php?src=' . base64_encode($row['id']) . '" title="'.specialchars($title, false, true).'"'.$attributes.' 
onclick="Backend.openModalIframe({\'width\':'.$row['popupWidth'].',\'title\':\''.str_replace("'", "\\'", $row['fileNameEncoded']).'\',\'url\':this.href,\'height\':'.$row['popupHeight'].'});return 
false">'.Image::getHtml($icon, $label).'</a> ';
+               }
+       }
+ 



Home | Main Index | Thread Index | Old Index