head 1.2; access; symbols pkgsrc-2013Q2:1.2.0.4 pkgsrc-2013Q2-base:1.2 pkgsrc-2012Q4:1.2.0.2 pkgsrc-2012Q4-base:1.2; locks; strict; comment @# @; 1.2 date 2012.03.22.14.56.20; author taca; state dead; branches; next 1.1; 1.1 date 2012.03.14.16.42.02; author taca; state Exp; branches; next ; desc @@ 1.2 log @Remove contao29. Please switch to contao211 (or contao210). @ text @$NetBSD: patch-contao_popup.php,v 1.1 2012/03/14 16:42:02 taca Exp $ * Fix vulnerability as Contao 2.11.2. --- contao/popup.php.orig 2011-03-02 12:54:54.000000000 +0000 +++ contao/popup.php @@@@ -98,6 +98,12 @@@@ class Popup extends Backend die('File not found'); } + // Check whether the file is mounted (thanks to Marko Cupic) + if (!$this->User->hasAccess($this->strFile, 'filemounts')) + { + die('Permission denied'); + } + // Open download dialogue if ($this->Input->get('download') && $this->strFile) { @ 1.1 log @Add patches for security problems which fixed in Contao 2.11.2. Bump PKGREVISION. @ text @d1 1 a1 1 $NetBSD$ @
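Review bot: The added filemounts check sits after the existing `die('File not found')` branch, so a caller still gets different answers for existing and missing paths outside their mounts; running the `hasAccess()` test before the existence test, or returning one generic message for both cases, removes that existence oracle. `die('Permission denied')` also exits without setting a status code or logging anything, so denied requests look like ordinary 200 responses to monitoring; sending `header('HTTP/1.1 403 Forbidden');` before the `die()` and recording the user and requested path would make them detectable. The enclosing method starts and ends outside the hunk, so it is not visible whether `$this->strFile` is canonicalised before it reaches `hasAccess()`. If the mount check compares path prefixes, it is only as strong as that normalisation, so it is worth confirming that `..` segments are rejected earlier in the method.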