head 1.3; access; symbols pkgsrc-2014Q1:1.2.0.4 pkgsrc-2014Q1-base:1.2 pkgsrc-2013Q4:1.2.0.2 pkgsrc-2013Q4-base:1.2 pkgsrc-2013Q3:1.1.0.14 pkgsrc-2013Q3-base:1.1 pkgsrc-2013Q2:1.1.0.12 pkgsrc-2013Q2-base:1.1 pkgsrc-2013Q1:1.1.0.10 pkgsrc-2013Q1-base:1.1 pkgsrc-2012Q4:1.1.0.8 pkgsrc-2012Q4-base:1.1 pkgsrc-2012Q3:1.1.0.6 pkgsrc-2012Q3-base:1.1 pkgsrc-2012Q2:1.1.0.4 pkgsrc-2012Q2-base:1.1 pkgsrc-2012Q1:1.1.0.2 pkgsrc-2012Q1-base:1.1; locks; strict; comment @# @; 1.3 date 2014.06.01.14.14.53; author taca; state dead; branches; next 1.2; commitid 5sGd2RUJtDDoiPCx; 1.2 date 2013.11.19.14.19.58; author taca; state Exp; branches; next 1.1; commitid PcRa99BpzIzJyTdx; 1.1 date 2012.03.28.15.14.43; author taca; state Exp; branches; next ; desc @@ 1.3 log @Remove contao211 since Contao 2.11 is EOL. @ text @$NetBSD: patch-system_initialize.php,v 1.2 2013/11/19 14:19:58 taca Exp $ * Unofficial fix for CVE-2012-1297 by checking Referer as days of Contao 2.9.
--- system/initialize.php.orig 2013-11-19 10:53:04.000000000 +0000
+++ system/initialize.php
@@@@ -185,10 +185,28 @@@@ if (file_exists(TL_ROOT . '/system/confi
 /**
 * Check the request token upon POST requests
 */
-if ($_POST && !$GLOBALS['TL_CONFIG']['disableRefererCheck'] && !defined('BYPASS_TOKEN_CHECK'))
+if (!$GLOBALS['TL_CONFIG']['disableRefererCheck'] &&
+ ($_POST && !defined('BYPASS_TOKEN_CHECK') ||
+ $_SERVER['REQUEST_METHOD'] == 'POST' && !$GLOBALS['TL_CONFIG']['disableCompatRefererCheck']))
 {
- // Exit if the token cannot be validated
- if (!$objToken->validate($objInput->post('REQUEST_TOKEN')))
+ $bad = false;
+
+ // Exit if traditional referer check is enabled. 
+ if (!$GLOBALS['TL_CONFIG']['disableCompatRefererCheck'])
+ {
+ $self = parse_url($objEnvironment->url);
+ $referer = parse_url($objEnvironment->httpReferer);
+
+ $bad = (!strlen($referer['host']) || $referer['host'] != $self['host']);
+ }
+
+ if (!$bad)
+ {
+ // Exit if the token cannot be validated
+ $bad = !$objToken->validate($objInput->post('REQUEST_TOKEN'));
+ }
+
+ if ($bad)
 {
 // Force JavaScript redirect upon Ajax requests (IE requires absolute link)
 if ($objEnvironment->isAjaxRequest) @ 1.2 log @Update contao211 to 2.11.13. Version 2.11.13 (2013-11-19) ---------------------------- ### Fixed Sort the list of available modules (see #6391). ### Fixed Decode entities in passwords (see #6252). ### Fixed Replace insert tags in the details view of the listing module (see #6120). @ text @d1 1 a1 1 $NetBSD: patch-system_initialize.php,v 1.1 2012/03/28 15:14:43 taca Exp $ @ 1.1 log @Add unofficial fix for CVE-2012-1297 by checking Referer as days of Contao 2.9. Bump PKGREVISION. @ text @d1 1 a1 1 $NetBSD$ d5 1 a5 1 --- system/initialize.php.orig 2012-03-14 15:13:14.000000000 +0000 d7 1 a7 1 @@@@ -168,10 +168,28 @@@@ if (file_exists(TL_ROOT . '/system/confi @
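Review bot: The compat referer check in the added block reads `$referer['host']` and `$self['host']` without confirming that `parse_url()` returned an array containing that key, so a missing or malformed Referer header raises an undefined-index notice before `strlen()` turns it into a rejection; both should be guarded with `isset()`, and since host names are case-insensitive the loose `!=` should become a `strcasecmp()`, e.g. `$bad = !isset($referer['host'], $self['host']) || strcasecmp($referer['host'], $self['host']) !== 0;`. Separately, the new outer condition admits any request with `REQUEST_METHOD` of POST while `disableCompatRefererCheck` is unset, so a page that defines `BYPASS_TOKEN_CHECK` now still reaches the `$objToken->validate()` call once the referer passes, which the removed condition excluded; if that is not intended, the inner check should read `if (!$bad && !defined('BYPASS_TOKEN_CHECK'))`. The `if ($bad)` body continues past the end of the hunk.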