head 1.3; access; symbols pkgsrc-2013Q2:1.3.0.4 pkgsrc-2013Q2-base:1.3 pkgsrc-2012Q4:1.3.0.2 pkgsrc-2012Q4-base:1.3 pkgsrc-2011Q4:1.2.0.2 pkgsrc-2011Q4-base:1.2 pkgsrc-2011Q3:1.1.0.2; locks; strict; comment @# @; 1.3 date 2012.03.22.14.56.21; author taca; state dead; branches; next 1.2; 1.2 date 2011.10.10.16.35.11; author taca; state Exp; branches; next 1.1; 1.1 date 2011.10.07.12.28.55; author taca; state Exp; branches 1.1.2.1; next ; 1.1.2.1 date 2011.10.07.12.28.55; author tron; state dead; branches; next 1.1.2.2; 1.1.2.2 date 2011.10.08.09.29.09; author tron; state Exp; branches; next 1.1.2.3; 1.1.2.3 date 2011.10.10.18.03.11; author tron; state Exp; branches; next ; desc @@ 1.3 log @Remove contao29. Please switch to contao211 (or contao210). @ text @$NetBSD: patch-system_modules_frontend_Frontend.php,v 1.2 2011/10/10 16:35:11 taca Exp $ * Fix potential XSS vulnerability, r1041 and r1044. --- system/modules/frontend/Frontend.php.orig 2011-03-02 13:03:27.000000000 +0000 +++ system/modules/frontend/Frontend.php @@@@ -80,14 +80,13 @@@@ abstract class Frontend extends Controll return is_numeric($this->Input->get('id')) ? $this->Input->get('id') : null; } - if (!strlen($this->Environment->request)) + if ($this->Environment->request == '') { return null; } $strRequest = preg_replace('/\?.*$/i', '', $this->Environment->request); $strRequest = preg_replace('/' . preg_quote($GLOBALS['TL_CONFIG']['urlSuffix'], '/') . '$/i', '', $strRequest); - $arrFragments = explode('/', $strRequest); // Skip index.php @@@@ -106,13 +105,15 @@@@ abstract class Frontend extends Controll } } - // Add fragments to $_GET array + $arrFragments = array_map('urldecode', $arrFragments); + + // Add the fragments to the $_GET array for ($i=1; $iInput->setGet($arrFragments[$i], $arrFragments[$i+1]); } - return strlen($arrFragments[0]) ? urldecode($arrFragments[0]) : null; + return ($arrFragments[0] != '') ? 
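Review bot: The replacement guard `if ($this->Environment->request == '')` uses loose comparison, so it also returns null for `null` and `false`, which matches the old `!strlen(...)` but reads as an exact-string check; if `$this->Environment->request` is always a string, `if ($this->Environment->request === '')` is the precise form, and if it can be null, `if (($this->Environment->request ?? '') === '')` keeps the null case explicit. This is the only behavioural line in the hunk; the removed blank line before `explode('/', $strRequest)` is whitespace only. The enclosing method starts before this hunk and continues past it.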
$arrFragments[0] : null; } @@@@ -136,7 +137,7 @@@@ abstract class Frontend extends Controll /** - * Overwrite parent method as front end URLs are handled differently + * Overwrite the parent method as front end URLs are handled differently * @@param string * @@param boolean * @@return string @@@@ -170,9 +171,22 @@@@ abstract class Frontend extends Controll $strParams = ''; + // Determine connector and separator + if ($GLOBALS['TL_CONFIG']['disableAlias']) + { + $strConnector = '&'; + $strSeparator = '='; + } + else + { + $strConnector = '/'; + $strSeparator = '/'; + } + + // Compile the parameters string foreach ($arrGet as $k=>$v) { - $strParams .= $GLOBALS['TL_CONFIG']['disableAlias'] ? '&' . $k . '=' . $v : '/' . $k . '/' . $v; + $strParams .= $strConnector . urlencode($k) . $strSeparator . urlencode($v); } // Do not use aliases @ 1.2 log @Add update patche to fix XSS from Contao's repository. Bump PKGREVISION. @ text @d1 1 a1 1 $NetBSD: patch-system_modules_frontend_Frontend.php,v 1.1 2011/10/07 12:28:55 taca Exp $ @ 1.1 log @Add a patch based r1041 from the repository of Contao to fix potential XSS vulnerability. Bump PKGREVISION. @ text @d1 1 a1 1 $NetBSD$ d3 1 a3 1 * Fix potential XSS vulnerability, r1041. d7 1 a7 1 @@@@ -80,7 +80,7 @@@@ abstract class Frontend extends Controll d16 8 a23 1 @@@@ -106,13 +106,15 @@@@ abstract class Frontend extends Controll d28 1 a28 1 + // DO NOT USE urldecode() HERE (XSS vulnerability)! 
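Review bot: In the hunk at `@@ -106,13 +105,15 @@`, `$arrFragments = array_map('urldecode', $arrFragments);` now decodes every fragment before it is handed to `$this->Input->setGet(...)` and before `$arrFragments[0]` is returned, so the XSS fix rests on `Input->setGet()` filtering its arguments (its implementation is not visible here) — the 1.1 revision of this same patch, kept below in the delta, instead wrote into `$_GET` directly with the comment "DO NOT USE urldecode() HERE". A comment stating that contract would keep the next maintainer from reintroducing a raw `$_GET` write, e.g. `// Fragments are decoded once here; Input->setGet() is responsible for sanitising them`. The `for` header's bound is not legible in this copy, so whether an odd fragment count leaves `$arrFragments[$i+1]` undefined cannot be confirmed here. The enclosing method starts before the hunk.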
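Review bot: In the hunk at `@@ -170,9 +171,22 @@`, the new `$strParams .= $strConnector . urlencode($k) . $strSeparator . urlencode($v);` is what closes the reflected-parameter injection, and the non-obvious part deserves a comment: in the alias form the pair becomes path segments, and `urlencode()` turning `/` into `%2F` is what stops a value from adding extra fragments, because the parser above runs `explode('/', ...)` before `urldecode()`. Suggested line above the `foreach`: `// urlencode() also encodes '/', so a value cannot inject further path fragments; the parser decodes after explode()`. `urlencode()` emits `+` for spaces (query-string convention) while `rawurlencode()` is the RFC 3986 form for path segments; either is reversed by `urldecode()` on the parsing side, so if one is changed the pair should be changed together. The enclosing method starts before this hunk and continues past it.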
d34 1 a34 1 + $_GET[$arrFragments[$i]] = $arrFragments[$i+1]; d42 33 @ 1.1.2.1 log @file patch-system_modules_frontend_Frontend.php was added on branch pkgsrc-2011Q3 on 2011-10-08 09:29:09 +0000 @ text @d1 34 @ 1.1.2.2 log @Pullup ticket #3533 - requested by taca www/contao29: security patch Revisions pulled up: - www/contao29/Makefile 1.17 - www/contao29/distinfo 1.10 - www/contao29/patches/patch-system_modules_frontend_Frontend.php 1.1 --- Module Name: pkgsrc Committed By: taca Date: Fri Oct 7 12:28:55 UTC 2011 Modified Files: pkgsrc/www/contao29: Makefile distinfo Added Files: pkgsrc/www/contao29/patches: patch-system_modules_frontend_Frontend.php Log Message: Add a patch based r1041 from the repository of Contao to fix potential XSS vulnerability. Bump PKGREVISION. @ text @a0 34 $NetBSD$ * Fix potential XSS vulnerability, r1041. --- system/modules/frontend/Frontend.php.orig 2011-03-02 13:03:27.000000000 +0000 +++ system/modules/frontend/Frontend.php @@@@ -80,7 +80,7 @@@@ abstract class Frontend extends Controll return is_numeric($this->Input->get('id')) ? $this->Input->get('id') : null; } - if (!strlen($this->Environment->request)) + if ($this->Environment->request == '') { return null; } @@@@ -106,13 +106,15 @@@@ abstract class Frontend extends Controll } } - // Add fragments to $_GET array + // DO NOT USE urldecode() HERE (XSS vulnerability)! + + // Add the fragments to the $_GET array for ($i=1; $iEnvironment->request); $strRequest = preg_replace('/' . preg_quote($GLOBALS['TL_CONFIG']['urlSuffix'], '/') . 
'$/i', '', $strRequest); - $arrFragments = explode('/', $strRequest); // Skip index.php @@@@ -106,13 +105,15 @@@@ abstract class Frontend extends Controll d21 1 a21 1 + $arrFragments = array_map('urldecode', $arrFragments); d27 1 a27 1 + $this->Input->setGet($arrFragments[$i], $arrFragments[$i+1]); a34 33 @@@@ -136,7 +137,7 @@@@ abstract class Frontend extends Controll /** - * Overwrite parent method as front end URLs are handled differently + * Overwrite the parent method as front end URLs are handled differently * @@param string * @@param boolean * @@return string @@@@ -170,9 +171,22 @@@@ abstract class Frontend extends Controll $strParams = ''; + // Determine connector and separator + if ($GLOBALS['TL_CONFIG']['disableAlias']) + { + $strConnector = '&'; + $strSeparator = '='; + } + else + { + $strConnector = '/'; + $strSeparator = '/'; + } + + // Compile the parameters string foreach ($arrGet as $k=>$v) { - $strParams .= $GLOBALS['TL_CONFIG']['disableAlias'] ? '&' . $k . '=' . $v : '/' . $k . '/' . $v; + $strParams .= $strConnector . urlencode($k) . $strSeparator . urlencode($v); } // Do not use aliases @