[debian-edu-commits] debian-edu/slbackup-php.git (#9) - edu-wheezy (branch) updated: debian/0.3-2.2-8-gee23f46

Mike Gabriel sunweaver at alioth.debian.org
Fri Aug 9 10:05:27 UTC 2013


The branch, edu-wheezy has been updated
       via  ee23f46f15af9a632b6af9850617261221c8560c (commit)
      from  4e2f2da9fc7944564a630c0373cfa1af7d451de2 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
-----------------------------------------------------------------------

Summary of changes:
 debian/changelog                                   |    1 +
 .../001_slbackup-php_cookie+request-merge.patch    |   31 +++++++++++++++-----
 2 files changed, 25 insertions(+), 7 deletions(-)

The diff of changes is:
diff --git a/debian/changelog b/debian/changelog
index f8a766d..9c5af20 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -7,6 +7,7 @@ slbackup-php (0.3-2.3) UNRELEASED; urgency=low
   * Add generic README.source that explains the usage of quilt.
   * Add patch: 101_slbackup-php_i18n-de.patch, German translation for SL-Backup
     (WebGuI).
+  * Update patch: 001_slbackup-php_cookie+request-merge.patch. Add sanity checks.
 
  -- Mike Gabriel <mike.gabriel at das-netzwerkteam.de>  Sun, 15 Jan 2012 13:40:20 +0100
 
diff --git a/debian/patches/001_slbackup-php_cookie+request-merge.patch b/debian/patches/001_slbackup-php_cookie+request-merge.patch
index cce246a..66fad53 100644
--- a/debian/patches/001_slbackup-php_cookie+request-merge.patch
+++ b/debian/patches/001_slbackup-php_cookie+request-merge.patch
@@ -1,16 +1,32 @@
-root at tjener:/usr/share/slbackup-php/web# diff -u index.php index.php.fixed
---- a/src/index.php	2007-04-25 10:15:47.000000000 +0200
-+++ b/src/index.php	2012-01-15 12:28:24.000000000 +0100
-@@ -582,9 +582,17 @@
+--- a/src/index.php	2012-01-15 12:53:18.000000000 +0100
++++ b/src/index.php	2012-01-15 14:36:19.000000000 +0100
+@@ -570,21 +570,33 @@
+ loadConfig () ;
+ require('/usr/share/php/smarty/libs/Smarty.class.php') ; 
+ session_start() ;
+-$authenticated = ($_COOKIE['Authenticated'] == "True") ;
+ loadLocale () ; 
+ ob_start ();
+ 
+ $smarty = new Smarty();
+ $smarty->template_dir = $smarty_templ ; 
+ $smarty->compile_dir = $smarty_compile ; 
++unset ($_COOKIE['smarty_templ']);
++unset ($_COOKIE['smarty_compile']);
+ 
+ # fetch script to use whith passing the ssh-password
  $ssh_askpass = sprintf ("%s/script/mypass.sh", 
                          dirname (dirname ($_SERVER["SCRIPT_FILENAME"])));
  
 +$arguments = $_REQUEST;
 +
 +# merge _COOKIE and _REQUEST
++$allowed_cookie_keys = array('nonhttps', 'xorstring', 'PHPSESSID');
 +foreach ($_COOKIE as $key => $value) {
-+    if (! array_key_exists($key, $arguments)) {
-+	$arguments[$key] = $value;
++    if ((! array_key_exists($key, $arguments)) && (in_array($key, $allowed_cookie_keys))) {
++if (is_string($key) && is_string($value)) {
++$arguments[$key] = $value;
++}
 +    }
 +}
  
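Review bot: The `$allowed_cookie_keys` allowlist only filters what is copied from `$_COOKIE`; `$arguments` is still seeded from the whole of `$_REQUEST`, so request parameters with any name, including the `smarty_templ` / `smarty_compile` keys that the later `switch` has cases for, reach `$arguments` unfiltered. Depending on `request_order` / `variables_order`, `$_REQUEST` can itself already contain cookie values, and the two `unset ($_COOKIE[...])` calls do not remove those keys from `$_REQUEST`, so a cookie outside the allowlist may still arrive that way. I would seed from the explicit sources, `$arguments = array_merge($_GET, $_POST);`, and make the membership test strict, `in_array($key, $allowed_cookie_keys, true)`, rather than relying on the `is_string($key)` check to reject integer keys. The nested `if (is_string($key) && is_string($value))` block has also lost its indentation in the patch. What the `switch` does with those keys lies outside this hunk, so the impact of the first point should be confirmed against the full index.php.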
@@ -20,7 +36,7 @@ root at tjener:/usr/share/slbackup-php/web# diff -u index.php index.php.fixed
      switch ($key) {
          case "smarty_templ": 
          case "smarty_compile": 
-@@ -640,6 +648,8 @@
+@@ -640,6 +652,8 @@
      }
  }
  
@@ -29,3 +45,4 @@ root at tjener:/usr/share/slbackup-php/web# diff -u index.php index.php.fixed
  if ($submit == "logout") {
      unset ($passwd) ; 
      unset ($xorstring) ; 
+


hooks/post-receive
-- 
slbackup-php.git (Debian package slbackup-php)

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "slbackup-php.git" (Debian package slbackup-php).



