Add patches to fix CVE-2013-6892 and CVE-2016-2511.
PR: 207740 Approved by: ports-secteam (feld) MFH: 2016Q1
This commit is contained in:
parent
ff69154fab
commit
31c096f9f8
Notes:
svn2git
2021-03-31 03:12:20 +00:00
svn path=/head/; revision=410474
3 changed files with 50 additions and 0 deletions
|
@ -3,6 +3,7 @@
|
|||
|
||||
PORTNAME= websvn
|
||||
PORTVERSION= 2.3.3
|
||||
PORTREVISION= 1
|
||||
CATEGORIES= devel www
|
||||
MASTER_SITES= http://websvn.tigris.org/files/documents/1380/49056/
|
||||
|
||||
|
|
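--- /dev/null
+++ b/devel/websvn/files/patch-CVE-2013-6892
@@ -0,0 +1,37 @@
+Arbitrary files with a known path can be accessed in websvn by committing a
+symlink to a repository and then downloading the file (using the download
+link).
+
+Author: Thijs Kinkhorst <thijs@debian.org>
+
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775682
+--- dl.php.orig 2011-06-27 09:02:52 UTC
++++ dl.php
+@@ -137,6 +137,18 @@ if ($rep) {
+exit(0);
+}
+
++ // For security reasons, disallow direct downloads of filenames that
++ // are a symlink, since they may be a symlink to anywhere (/etc/passwd)
++ // Deciding whether the symlink is relative and legal within the
++ // repository would be nice but seems to error prone at this moment.
++ if ( is_link($tempDir.DIRECTORY_SEPARATOR.$archiveName) ) {
++ header('HTTP/1.x 500 Internal Server Error', true, 500);
++ error_log('to be downloaded file is symlink, aborting: '.$archiveName);
++ print 'Download of symlinks disallowed: "'.xml_entities($archiveName).'".';
++ removeDirectory($tempDir);
++ exit(0);
++ }
++
+// Set timestamp of exported directory (and subdirectories) to timestamp of
+// the revision so every archive of a given revision has the same timestamp.
+$revDate = $logEntry->date;
+@@ -180,7 +192,7 @@ if ($rep) {
+$downloadMimeType = 'application/x-zip';
+$downloadArchive .= '.zip';
+// Create zip file
+- $cmd = $config->zip.' -r '.quote($downloadArchive).' '.quote($archiveName);
++ $cmd = $config->zip.' --symlinks -r '.quote($downloadArchive).' '.quote($archiveName);
+execCommand($cmd, $retcode);
+if ($retcode != 0) {
+error_log('Unable to call zip command: '.$cmd);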
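Review bot: The is_link() guard added at dl.php line 137 inspects only the top-level export path, so a symlink nested inside an exported directory is not rejected by this check; for the zip branch the new `--symlinks` flag is what stops zip from following such links, while the tar branch lies outside this hunk and should be confirmed to store links as links rather than dereferencing them. A one-line comment above the zip command would make that dependency explicit, e.g. `// --symlinks stores nested links as links; the is_link() check above only covers the top-level path`. The added comment also reads `seems to error prone`, where `seems too error-prone` is meant. The enclosing `if ($rep)` block begins and ends outside the hunk.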
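--- /dev/null
+++ b/devel/websvn/files/patch-CVE-2016-2511
@@ -0,0 +1,12 @@
+Obtained from: Debian
+--- include/setup.php.orig 2011-06-27 09:12:51 UTC
++++ include/setup.php
+@@ -467,7 +467,7 @@ $vars['indexurl'] = $config->getURL('',
+$vars['validationurl'] = getFullURL($_SERVER['SCRIPT_NAME']).'?'.buildQuery($queryParams + array('template' => $template, 'language' => $language), '%26');
+
+// To avoid a possible XSS exploit, need to clean up the passed-in path first
+-$path = !empty($_REQUEST['path']) ? $_REQUEST['path'] : null;
++$path = !empty($_REQUEST['path']) ? escape($_REQUEST['path']) : null;
+if ($path === null || $path === '')
+$path = '/';
+$vars['safepath'] = escape($path);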
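Review bot: Applying escape() to `$_REQUEST['path']` at the point of input means `$path` carries the escaped form into every later use of the path, not just HTML output; if escape() is the HTML-entity helper, a repository path containing `&`, `<` or `"` will presumably no longer resolve, and `$vars['safepath'] = escape($path);` at the end of the hunk now encodes it a second time. Keeping the raw value in `$path` and escaping at each output site, as the existing `safepath` line already does, would close the XSS without changing path semantics. The `!empty()` test also treats a path of `"0"` as absent, which predates this change. setup.php's surrounding code continues outside the hunk.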