

[pkgsrc/pkgsrc-2015Q1]: pkgsrc/www/contao34 Pullup ticket #4740 - requested b...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/938da2a73a35
branches:  pkgsrc-2015Q1
changeset: 649274:938da2a73a35
user:      tron <tron%pkgsrc.org@localhost>
date:      Fri Jun 12 22:44:26 2015 +0000

description:
Pullup ticket #4740 - requested by taca
www/contao34: security patch

Revisions pulled up:
- www/contao34/Makefile                                         1.5
- www/contao34/distinfo                                         1.6
- www/contao34/patches/patch-system_helper_functions.php        1.1
- www/contao34/patches/patch-system_modules_core_classes_BackendUser.php 1.1
- www/contao34/patches/patch-system_modules_core_controllers_BackendPopup.php 1.1
- www/contao34/patches/patch-system_modules_core_dca_tl__files.php 1.1

---
   Module Name: pkgsrc
   Committed By:        taca
   Date:                Sat Jun  6 03:31:01 UTC 2015

   Modified Files:
        pkgsrc/www/contao34: Makefile distinfo
   Added Files:
        pkgsrc/www/contao34/patches: patch-system_helper_functions.php
            patch-system_modules_core_classes_BackendUser.php
            patch-system_modules_core_controllers_BackendPopup.php
            patch-system_modules_core_dca_tl__files.php

   Log Message:
   Add several security-related fixes from Contao 3.2.21.

   Bump PKGREVISION.

diffstat:

 www/contao34/Makefile                                                       |   3 +-
 www/contao34/distinfo                                                       |   6 +-
 www/contao34/patches/patch-system_helper_functions.php                      |  27 ++++
 www/contao34/patches/patch-system_modules_core_classes_BackendUser.php      |  34 +++++
 www/contao34/patches/patch-system_modules_core_controllers_BackendPopup.php |  15 ++
 www/contao34/patches/patch-system_modules_core_dca_tl__files.php            |  65 ++++++++++
 6 files changed, 148 insertions(+), 2 deletions(-)

diffs (185 lines):

diff -r 1b00bf8973da -r 938da2a73a35 www/contao34/Makefile
--- a/www/contao34/Makefile     Fri Jun 12 22:06:59 2015 +0000
+++ b/www/contao34/Makefile     Fri Jun 12 22:44:26 2015 +0000
@@ -1,8 +1,9 @@
-# $NetBSD: Makefile,v 1.4 2015/02/01 04:51:34 taca Exp $
+# $NetBSD: Makefile,v 1.4.2.1 2015/06/12 22:44:26 tron Exp $
 #
 
 DISTNAME=      contao-${CT_PKGVER}
 PKGNAME=       contao${CT_VER}-${CT_PKGVER}
+PKGREVISION=   1
 CATEGORIES=    www
 MASTER_SITES=  ${CT_MASTER_SITE}
 
diff -r 1b00bf8973da -r 938da2a73a35 www/contao34/distinfo
--- a/www/contao34/distinfo     Fri Jun 12 22:06:59 2015 +0000
+++ b/www/contao34/distinfo     Fri Jun 12 22:44:26 2015 +0000
@@ -1,5 +1,9 @@
-$NetBSD: distinfo,v 1.5 2015/03/28 04:21:42 taca Exp $
+$NetBSD: distinfo,v 1.5.2.1 2015/06/12 22:44:26 tron Exp $
 
 SHA1 (contao-3.4.5.tar.gz) = 0ae1b47a85f33e74550a77fa4fa44fa5c3b6e674
 RMD160 (contao-3.4.5.tar.gz) = dcca780d1d67d71e5cbeade268608e296d4d847b
 Size (contao-3.4.5.tar.gz) = 11544130 bytes
+SHA1 (patch-system_helper_functions.php) = e5ee8f1e08b2712030f8809f20166bf6550f266b
+SHA1 (patch-system_modules_core_classes_BackendUser.php) = 527074d91cd550be242f6b4dfe005f6351fd1f35
+SHA1 (patch-system_modules_core_controllers_BackendPopup.php) = 29d2abf5bb149297da84ad198365b7656304fcb9
+SHA1 (patch-system_modules_core_dca_tl__files.php) = 8c1d1fb73cfe0e76e30eeb1b4036beb7b56fd71e
diff -r 1b00bf8973da -r 938da2a73a35 www/contao34/patches/patch-system_helper_functions.php
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/www/contao34/patches/patch-system_helper_functions.php    Fri Jun 12 22:44:26 2015 +0000
@@ -0,0 +1,27 @@
+$NetBSD: patch-system_helper_functions.php,v 1.1.2.2 2015/06/12 22:44:26 tron Exp $
+
+Security improvement as Contao 3.2.21.
+
+--- system/helper/functions.php.orig   2015-03-27 08:53:59.000000000 +0000
++++ system/helper/functions.php
+@@ -216,9 +216,10 @@ function scan($strFolder, $blnUncached=f
+  * entities are never double converted.
+  * @param string
+  * @param boolean
++ * @param boolean
+  * @return string
+  */
+-function specialchars($strString, $blnStripInsertTags=false)
++function specialchars($strString, $blnStripInsertTags=false, $blnDoubleEncode=false)
+ {
+       if ($blnStripInsertTags)
+       {
+@@ -226,7 +227,7 @@ function specialchars($strString, $blnSt
+       }
+ 
+       // Use ENT_COMPAT here (see #4889)
+-      return htmlspecialchars($strString, ENT_COMPAT, $GLOBALS['TL_CONFIG']['characterSet'], false);
++      return htmlspecialchars($strString, ENT_COMPAT, $GLOBALS['TL_CONFIG']['characterSet'], $blnDoubleEncode);
+ }
+ 
+ 
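Review bot: The new third `@param boolean` line in the docblock carries neither a parameter name nor a meaning, and the sentence just above it, `entities are never double converted`, stops being true once the new argument is passed as `true`. I would write ` * @param boolean $blnDoubleEncode Re-encode entities already present in the string (forwarded as the double_encode argument of htmlspecialchars)` and reword the sentence to say that existing entities are not double converted unless the third argument is true. The top of that docblock lies above the nested hunk, so its remaining wording is not visible here.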
diff -r 1b00bf8973da -r 938da2a73a35 www/contao34/patches/patch-system_modules_core_classes_BackendUser.php
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/www/contao34/patches/patch-system_modules_core_classes_BackendUser.php    Fri Jun 12 22:44:26 2015 +0000
@@ -0,0 +1,34 @@
+$NetBSD: patch-system_modules_core_classes_BackendUser.php,v 1.1.2.2 2015/06/12 22:44:26 tron Exp $
+
+Security improvement as Contao 3.2.21.
+
+--- system/modules/core/classes/BackendUser.php.orig   2015-03-27 08:53:59.000000000 +0000
++++ system/modules/core/classes/BackendUser.php
+@@ -285,7 +285,7 @@ class BackendUser extends \User
+                                                                                       ->limit(1)
+                                                                                       ->execute($pid);
+ 
+-                      while (!$row['chmod'] && $pid > 0 && $objParentPage->numRows)
++                      while ($row['chmod'] === false && $pid > 0 && $objParentPage->numRows)
+                       {
+                               $pid = $objParentPage->pid;
+ 
+@@ -299,15 +299,15 @@ class BackendUser extends \User
+                       }
+ 
+                       // Set default values
+-                      if (!$row['chmod'])
++                      if (!$row['chmod'] === false)
+                       {
+                               $row['chmod'] = \Config::get('defaultChmod');
+                       }
+-                      if (!$row['cuser'])
++                      if (!$row['cuser'] === false)
+                       {
+                               $row['cuser'] = intval(\Config::get('defaultUser'));
+                       }
+-                      if (!$row['cgroup'])
++                      if (!$row['cgroup'] === false)
+                       {
+                               $row['cgroup'] = intval(\Config::get('defaultGroup'));
+                       }
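Review bot: The three rewritten conditions `if (!$row['chmod'] === false)`, `if (!$row['cuser'] === false)` and `if (!$row['cgroup'] === false)` invert the check they replace: `!` binds tighter than `===`, so each reads `(!$row['chmod']) === false`, which is true exactly when the value is truthy, meaning the defaults would be applied to rows that already carry a value and skipped for rows that do not. The `while` condition earlier in the same patch uses `$row['chmod'] === false`, which is presumably the intended form, so the three lines should be `if ($row['chmod'] === false)`, `if ($row['cuser'] === false)` and `if ($row['cgroup'] === false)`. Note also that the strict comparison, unlike the old `!` test, no longer treats `null`, `''` or `0` as unset, so it relies on these keys being initialised to `false` above the hunk, which cannot be confirmed from here. The enclosing method starts and ends outside the hunk.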
diff -r 1b00bf8973da -r 938da2a73a35 www/contao34/patches/patch-system_modules_core_controllers_BackendPopup.php
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/www/contao34/patches/patch-system_modules_core_controllers_BackendPopup.php       Fri Jun 12 22:44:26 2015 +0000
@@ -0,0 +1,15 @@
+$NetBSD: patch-system_modules_core_controllers_BackendPopup.php,v 1.1.2.2 2015/06/12 22:44:26 tron Exp $
+
+Security improvement as Contao 3.2.21.
+
+--- system/modules/core/controllers/BackendPopup.php.orig      2015-03-27 08:53:59.000000000 +0000
++++ system/modules/core/controllers/BackendPopup.php
+@@ -128,7 +128,7 @@ class BackendPopup extends \Backend
+               $this->Template->ctime = \Date::parse(\Config::get('datimFormat'), $objFile->ctime);
+               $this->Template->mtime = \Date::parse(\Config::get('datimFormat'), $objFile->mtime);
+               $this->Template->atime = \Date::parse(\Config::get('datimFormat'), $objFile->atime);
+-              $this->Template->path = $this->strFile;
++              $this->Template->path = specialchars($this->strFile);
+ 
+               $this->output();
+       }
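Review bot: `specialchars($this->strFile)` relies on the helper's defaults, and the helper patched in this same commit uses `ENT_COMPAT`, which leaves single quotes untouched, together with `$blnDoubleEncode=false`; the escaped path is therefore safe as element text or inside a double-quoted attribute, but not inside a single-quoted attribute or a JavaScript string, and how the template renders `path` is not visible here. The `tl_files.php` patch in this commit passes `true` as the third argument, so for consistency, and so that a path containing an entity-like `&…;` sequence is displayed literally rather than decoded, I would use `specialchars($this->strFile, false, true)`. The enclosing method starts outside the hunk.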
diff -r 1b00bf8973da -r 938da2a73a35 www/contao34/patches/patch-system_modules_core_dca_tl__files.php
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/www/contao34/patches/patch-system_modules_core_dca_tl__files.php  Fri Jun 12 22:44:26 2015 +0000
@@ -0,0 +1,65 @@
+$NetBSD: patch-system_modules_core_dca_tl__files.php,v 1.1.2.2 2015/06/12 22:44:26 tron Exp $
+
+Security improvement as Contao 3.2.21.
+
+--- system/modules/core/dca/tl_files.php.orig  2015-03-27 08:53:59.000000000 +0000
++++ system/modules/core/dca/tl_files.php
+@@ -488,7 +488,7 @@ class tl_files extends Backend
+        */
+       public function editFile($row, $href, $label, $title, $icon, $attributes)
+       {
+-              return $this->User->hasAccess('f2', 'fop') ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title).'"'.$attributes.'>'.Image::getHtml($icon, 
$label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
++              return ($this->User->isAdmin || $this->User->hasAccess('f2', 'fop')) ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title, false, 
true).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
+       }
+ 
+ 
+@@ -504,7 +504,7 @@ class tl_files extends Backend
+        */
+       public function copyFile($row, $href, $label, $title, $icon, $attributes)
+       {
+-              return $this->User->hasAccess('f2', 'fop') ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title).'"'.$attributes.'>'.Image::getHtml($icon, 
$label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
++              return ($this->User->isAdmin || $this->User->hasAccess('f2', 'fop')) ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title, false, 
true).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
+       }
+ 
+ 
+@@ -520,7 +520,7 @@ class tl_files extends Backend
+        */
+       public function cutFile($row, $href, $label, $title, $icon, $attributes)
+       {
+-              return $this->User->hasAccess('f2', 'fop') ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title).'"'.$attributes.'>'.Image::getHtml($icon, 
$label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
++              return ($this->User->isAdmin || $this->User->hasAccess('f2', 'fop')) ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title, false, 
true).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
+       }
+ 
+ 
+@@ -538,11 +538,11 @@ class tl_files extends Backend
+       {
+               if (is_dir(TL_ROOT . '/' . $row['id']) && count(scan(TL_ROOT . '/' . $row['id'])) > 0)
+               {
+-                      return $this->User->hasAccess('f4', 'fop') ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" 
title="'.specialchars($title).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
++                      return ($this->User->isAdmin || $this->User->hasAccess('f4', 'fop')) ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title, false, 
true).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
+               }
+               else
+               {
+-                      return ($this->User->hasAccess('f3', 'fop') || $this->User->hasAccess('f4', 'fop')) ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" 
title="'.specialchars($title).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
++                      return ($this->User->isAdmin || $this->User->hasAccess('f3', 'fop') || $this->User->hasAccess('f4', 'fop')) ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" 
title="'.specialchars($title, false, true).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
+               }
+       }
+ 
+@@ -578,7 +578,7 @@ class tl_files extends Backend
+                       return Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
+               }
+ 
+-              return '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ';
++              return '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title, false, true).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ';
+       }
+ 
+ 
+@@ -600,7 +600,7 @@ class tl_files extends Backend
+               }
+               else
+               {
+-                      return '<a href="contao/popup.php?src=' . base64_encode($row['id']) . '" title="'.specialchars($title).'"'.$attributes.' 
onclick="Backend.openModalIframe({\'width\':'.$row['popupWidth'].',\'title\':\''.str_replace("'", "\\'", $row['fileNameEncoded']).'\',\'url\':this.href,\'height\':'.$row['popupHeight'].'});return 
false">'.Image::getHtml($icon, $label).'</a> ';
++                      return '<a href="contao/popup.php?src=' . base64_encode($row['id']) . '" title="'.specialchars($title, false, true).'"'.$attributes.' 
onclick="Backend.openModalIframe({\'width\':'.$row['popupWidth'].',\'title\':\''.str_replace("'", "\\'", $row['fileNameEncoded']).'\',\'url\':this.href,\'height\':'.$row['popupHeight'].'});return 
false">'.Image::getHtml($icon, $label).'</a> ';
+               }
+       }
+ 
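Review bot: In the last nested hunk the rewritten `return` escapes the `title` attribute but still builds the `onclick` JavaScript by concatenation: `$row['fileNameEncoded']` is protected only by `str_replace("'", "\\'", ...)`, which escapes neither a backslash nor a double quote, so a backslash before a quote defeats the replacement and a `"` ends the HTML attribute, unless `fileNameEncoded` is already encoded upstream, which is not visible here; `$row['popupWidth']` and `$row['popupHeight']` are inserted unquoted. A safer construction encodes the value for the JavaScript context and then for the attribute, e.g. `'\'title\':'.specialchars(json_encode($row['fileNameEncoded'], JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT)).','`, and casts the two dimensions with `(int)`. The `isAdmin ||` / `specialchars($title, false, true)` edits repeat the same link expression verbatim six times across the earlier hunks; a single private helper that builds the anchor would keep them in step. All enclosing methods start outside their hunks.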


