Add patches to fix CVE-2013-6892 and CVE-2016-2511.

PR:		207740
Approved by:	ports-secteam (feld)
MFH:		2016Q1
Raphael Kubo da Costa 2016-03-06 18:26:38 +00:00
parent ff69154fab
commit 31c096f9f8
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=410474
3 changed files with 50 additions and 0 deletions


@ -3,6 +3,7 @@
PORTNAME= websvn
PORTVERSION= 2.3.3
PORTREVISION= 1
CATEGORIES= devel www
MASTER_SITES= http://websvn.tigris.org/files/documents/1380/49056/


@ -0,0 +1,37 @@
Arbitrary files with a known path can be accessed in websvn by committing a
symlink to a repository and then downloading the file (using the download
link).
Author: Thijs Kinkhorst <thijs@debian.org>
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775682
--- dl.php.orig 2011-06-27 09:02:52 UTC
+++ dl.php
@@ -137,6 +137,18 @@ if ($rep) {
exit(0);
}
+ // For security reasons, disallow direct downloads of filenames that
+ // are a symlink, since they may be a symlink to anywhere (/etc/passwd)
+ // Deciding whether the symlink is relative and legal within the
+ // repository would be nice but seems to error prone at this moment.
+ if ( is_link($tempDir.DIRECTORY_SEPARATOR.$archiveName) ) {
+ header('HTTP/1.x 500 Internal Server Error', true, 500);
+ error_log('to be downloaded file is symlink, aborting: '.$archiveName);
+ print 'Download of symlinks disallowed: "'.xml_entities($archiveName).'".';
+ removeDirectory($tempDir);
+ exit(0);
+ }
+
// Set timestamp of exported directory (and subdirectories) to timestamp of
// the revision so every archive of a given revision has the same timestamp.
$revDate = $logEntry->date;
@@ -180,7 +192,7 @@ if ($rep) {
$downloadMimeType = 'application/x-zip';
$downloadArchive .= '.zip';
// Create zip file
- $cmd = $config->zip.' -r '.quote($downloadArchive).' '.quote($archiveName);
+ $cmd = $config->zip.' --symlinks -r '.quote($downloadArchive).' '.quote($archiveName);
execCommand($cmd, $retcode);
if ($retcode != 0) {
error_log('Unable to call zip command: '.$cmd);
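Review bot: The is_link() guard added before the timestamp step only inspects the top-level exported path `$tempDir.DIRECTORY_SEPARATOR.$archiveName`, so when the download target is a directory a symlink nested anywhere inside the export is not rejected, and the fix then depends on the archiver storing links as links, which the `--symlinks` flag added to the zip command provides for the zip branch only. The tar branch of the same `if ($rep)` block is outside this hunk and needs the equivalent guarantee (no `-h`/`--dereference` in its command line) or the same is_link() check applied to each entry of the exported tree, otherwise a directory download can still carry the target of a committed symlink. The new comment has a typo, `too error prone`, and the 500 status for a policy refusal follows the surrounding error blocks although a 403 would describe it more accurately. The enclosing `if ($rep)` block starts before and ends after this hunk.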


@ -0,0 +1,12 @@
Obtained from: Debian
--- include/setup.php.orig 2011-06-27 09:12:51 UTC
+++ include/setup.php
@@ -467,7 +467,7 @@ $vars['indexurl'] = $config->getURL('',
$vars['validationurl'] = getFullURL($_SERVER['SCRIPT_NAME']).'?'.buildQuery($queryParams + array('template' => $template, 'language' => $language), '%26');
// To avoid a possible XSS exploit, need to clean up the passed-in path first
-$path = !empty($_REQUEST['path']) ? $_REQUEST['path'] : null;
+$path = !empty($_REQUEST['path']) ? escape($_REQUEST['path']) : null;
if ($path === null || $path === '')
$path = '/';
$vars['safepath'] = escape($path);
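Review bot: Applying escape() to `$_REQUEST['path']` at the point of input means `$path` carries HTML-entity encoding into every later use, including whatever repository lookup consumes it, while the unchanged line `$vars['safepath'] = escape($path);` now encodes it a second time; assuming escape() is an HTML encoder as that line suggests, a legitimate file name containing `&`, `<` or `"` is mangled in the svn query and double-encoded in the template. The XSS sink is the rendered output, so the narrower fix is to leave `$path` raw here and escape only where it is printed, or to reject rather than encode a path containing those characters before it reaches svn. If the input-side encoding is kept, the later line should become `$vars['safepath'] = $path;` so the template does not receive `&amp;amp;`-style output. escape() is defined elsewhere and its exact behaviour is not visible in this hunk.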