[debian-edu-commits] debian-edu/pkg-team/ 01/02: debian/patches: Add 0004_RequestHeader-no-underscores-apache24.patch. Since Apache2.4: Translation of headers to environment variables is more strict than before to mitigate some possible cross-site-scripting attacks via header injection. Headers containing invalid characters (including underscores) are now silently dropped. (Closes: #753419).

Mike Gabriel sunweaver at debian.org
Tue Jul 1 18:46:49 UTC 2014


This is an automated email from the git hooks/post-receive script.

sunweaver pushed a commit to branch master
in repository gosa.

commit 9fc217c20daad97f697f02cae603bae92a5ac4a6
Author: Mike Gabriel <mike.gabriel at das-netzwerkteam.de>
Date:   Tue Jul 1 20:36:45 2014 +0200

    debian/patches: Add 0004_RequestHeader-no-underscores-apache24.patch. Since Apache2.4: Translation of headers to environment variables is more strict than before to mitigate some possible cross-site-scripting attacks via header injection. Headers containing invalid characters (including underscores) are now silently dropped. (Closes: #753419).
---
 ...003_RequestHeader-no-underscores-apache24.patch | 45 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 2 files changed, 46 insertions(+)

diff --git a/debian/patches/1003_RequestHeader-no-underscores-apache24.patch b/debian/patches/1003_RequestHeader-no-underscores-apache24.patch
new file mode 100644
index 0000000..d9cf6e2
--- /dev/null
+++ b/debian/patches/1003_RequestHeader-no-underscores-apache24.patch
@@ -0,0 +1,45 @@
+Description: Don't use underscores in request header variables
+Andreas B. Mundt <andi.mundt at web.de>
+ Since Apache2.4: Translation of headers to environment variables is more
+ strict than before to mitigate some possible cross-site-scripting attacks
+ via header injection. Headers containing invalid characters (including
+ underscores) are now silently dropped.
+
+Index: gosa-core/bin/gosa-encrypt-passwords
+===================================================================
+--- a/gosa-core/bin/gosa-encrypt-passwords
++++ b/gosa-core/bin/gosa-encrypt-passwords
+@@ -51,7 +51,7 @@ if (file_exists("/etc/gosa/gosa.secrets"
+ } else {
+   echo "* creating /etc/gosa/gosa.secrets\n";
+   $fp = fopen("/etc/gosa/gosa.secrets", 'w') or die("Cannot open /etc/gosa/gosa.secrets for writing - aborted");
+-  fwrite($fp, "RequestHeader set GOSA_KEY $master_key\n");
++  fwrite($fp, "RequestHeader set GOSAKEY $master_key\n");
+   fclose($fp);
+   chmod ("/etc/gosa/gosa.secrets", 0600);
+   chown ("/etc/gosa/gosa.secrets", "root");
+Index: gosa-2.7.4+reloaded1/gosa-core/include/class_config.inc
+===================================================================
+--- a/gosa-core/include/class_config.inc
++++ b/gosa-core/include/class_config.inc
+@@ -301,14 +301,14 @@ class config  {
+ 
+     function get_credentials($creds)
+     {
+-        if (isset($_SERVER['HTTP_GOSA_KEY'])){
+-            if (!session::global_is_set('HTTP_GOSA_KEY_CACHE')){
+-                session::global_set('HTTP_GOSA_KEY_CACHE',array());
++        if (isset($_SERVER['HTTP_GOSAKEY'])){
++            if (!session::global_is_set('HTTP_GOSAKEY_CACHE')){
++                session::global_set('HTTP_GOSAKEY_CACHE',array());
+             }
+-            $cache = session::global_get('HTTP_GOSA_KEY_CACHE');
++            $cache = session::global_get('HTTP_GOSAKEY_CACHE');
+             if(!isset($cache[$creds])){
+-                $cache[$creds] = cred_decrypt($creds, $_SERVER['HTTP_GOSA_KEY']);
+-                session::global_set('HTTP_GOSA_KEY_CACHE',$cache);
++                $cache[$creds] = cred_decrypt($creds, $_SERVER['HTTP_GOSAKEY']);
++                session::global_set('HTTP_GOSAKEY_CACHE',$cache);
+             }
+             return ($cache[$creds]);
+         }
diff --git a/debian/patches/series b/debian/patches/series
index da3fbc7..97eaa4f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,6 +3,7 @@
 0003_xss-vulnerability-on-login-screen.patch
 1001_fix-mass-ldapimport.patch
 1002_trim-decrypt.patch
+1003_RequestHeader-no-underscores-apache24.patch
 2001_fix-smarty-location.patch
 2002_fix-template-location.patch
 2003_fix-class-mapping.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/debian-edu/pkg-team/gosa.git



More information about the debian-edu-commits mailing list