head 1.2; access; symbols pkgsrc-2013Q2:1.2.0.4 pkgsrc-2013Q2-base:1.2 pkgsrc-2012Q4:1.2.0.2 pkgsrc-2012Q4-base:1.2 pkgsrc-2012Q1:1.1.0.2 pkgsrc-2012Q1-base:1.1; locks; strict; comment @# @; 1.2 date 2012.06.16.12.27.59; author taca; state dead; branches; next 1.1; 1.1 date 2012.03.14.16.35.29; author taca; state Exp; branches; next ; desc @@ 1.2 log @Remove contao210 for now. Use Contao 2.11, please. @ text @$NetBSD: patch-contao_popup.php,v 1.1 2012/03/14 16:35:29 taca Exp $ * Fix vulnerability as Contao 2.11.2.
--- contao/popup.php.orig 2011-12-30 09:00:10.000000000 +0000
+++ contao/popup.php
@@@@ -102,6 +102,12 @@@@ class Popup extends Backend
 die('File not found');
 }
 
+ // Check whether the file is mounted (thanks to Marko Cupic)
+ if (!$this->User->hasAccess($this->strFile, 'filemounts'))
+ {
+ die('Permission denied');
+ }
+
 // Open download dialogue
 if ($this->Input->get('download') && $this->strFile)
 {
@ 1.1 log @Add patches for security problems which fixed in Contao 2.11.2. Bump PKGREVISION. @ text @d1 1 a1 1 $NetBSD$ @
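Review bot: The new filemounts check runs after the `die('File not found')` branch shown in the context above it, so a backend user without access can still tell from the two different messages whether a path outside their mounts exists; consider running the `hasAccess()` test first, or answering both cases with the same message. The hunk does not show how `$this->strFile` is built, so confirm it is normalised (no `..` segments) before it is compared against the mount points; if the check is prefix-based, which is not visible here, an un-normalised path could pass it while resolving elsewhere. Sending `header('HTTP/1.1 403 Forbidden');` before `die('Permission denied')` would also let denied requests be spotted in access logs. The enclosing method starts and ends outside the hunk.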