[med-svn] r2555 - trunk/packages/agdbnet/trunk/debian/patches

tille at alioth.debian.org tille at alioth.debian.org
Mon Sep 29 12:56:44 UTC 2008


Author: tille
Date: 2008-09-29 12:56:43 +0000 (Mon, 29 Sep 2008)
New Revision: 2555

Removed:
   trunk/packages/agdbnet/trunk/debian/patches/30_fix_empty_status_bug_in_curator_authentication.patch
Modified:
   trunk/packages/agdbnet/trunk/debian/patches/series
Log:
Security patch applied by upstream


Deleted: trunk/packages/agdbnet/trunk/debian/patches/30_fix_empty_status_bug_in_curator_authentication.patch
===================================================================
--- trunk/packages/agdbnet/trunk/debian/patches/30_fix_empty_status_bug_in_curator_authentication.patch	2008-09-29 12:32:48 UTC (rev 2554)
+++ trunk/packages/agdbnet/trunk/debian/patches/30_fix_empty_status_bug_in_curator_authentication.patch	2008-09-29 12:56:43 UTC (rev 2555)
@@ -1,26 +0,0 @@
-This is a security fix which should be applied upstream.
-A user with status == '' should not be able to log in as curator.
-Forewarded upstream.
---- agdbnet_v1.0.0.orig/cgi-bin/agcurate.pl
-+++ agdbnet_v1.0.0/cgi-bin/agcurate.pl
-@@ -322,11 +322,18 @@
- sub curator_id {
- 	my $username = $q->remote_user;
- 	if ($username) {
--		my $qry = "SELECT id FROM users WHERE user_name=?";
-+		# status needs to be queried as well
-+		my $qry = "SELECT id, status FROM users WHERE user_name=?";
- 		my $sql = $db->prepare($qry) or die "cannot prepare";
- 		$sql->execute($username);
- 		my ( $id, $status ) = $sql->fetchrow_array;
--		if ( $status && $status ne 'curator' ) {
-+		# The original line
-+		# 	if ( $status && $status ne 'curator' ) {
-+		# enables successfull authentication if status == ''
-+		# because $status is false and the second term
-+		# will not be evaluated any more because && would
-+		# be false in any way.
-+		if ( ! $status || $status ne 'curator' ) {
- 			return 0;
- 		}
- 		return $id;

Modified: trunk/packages/agdbnet/trunk/debian/patches/series
===================================================================
--- trunk/packages/agdbnet/trunk/debian/patches/series	2008-09-29 12:32:48 UTC (rev 2554)
+++ trunk/packages/agdbnet/trunk/debian/patches/series	2008-09-29 12:56:43 UTC (rev 2555)
@@ -4,4 +4,3 @@
 12_apache_is_web-data.patch
 13_ident_authentication.patch
 20_metainfo.patch
-30_fix_empty_status_bug_in_curator_authentication.patch



