head 1.1; access; symbols pkgsrc-2014Q4:1.1.0.2; locks; strict; comment @# @; 1.1 date 2015.02.14.10.07.52; author tron; state dead; branches 1.1.2.1; next ; commitid gRltTkN3bTYxDX9y; 1.1.2.1 date 2015.02.14.10.07.52; author tron; state Exp; branches; next ; commitid gRltTkN3bTYxDX9y; desc @@ 1.1 log @file patch-system_modules_core_classes_Backend.php was initially added on branch pkgsrc-2014Q4. @ text @@ 1.1.2.1 log @Pullup ticket #4611 - requested by taca www/contao33: security patch Revisions pulled up: - www/contao33/Makefile patch - www/contao33/distinfo patch - www/contao33/patches/patch-system_modules_core_classes_Backend.php new file - www/contao33/patches/patch-system_modules_core_dca_tl__templates.php new file - www/contao33/patches/patch-system_modules_core_library_Contao_Validator.php new file --- Apply patch to fix directory traversal security problem. @ text @a0 78 $NetBSD$ Fix for CVE-2015-0269. --- system/modules/core/classes/Backend.php.orig 2014-11-24 09:12:58.000000000 +0000 +++ system/modules/core/classes/Backend.php @@@@ -662,6 +662,8 @@@@ abstract class Backend extends \Controll * Add a breadcrumb menu to the page tree * * @@param string + * + * @@throws \RuntimeException */ public static function addPagesBreadcrumb($strKey='tl_page_node') { @@@@ -670,7 +672,13 @@@@ abstract class Backend extends \Controll // Set a new node if (isset($_GET['node'])) { - $objSession->set($strKey, \Input::get('node')); + // Check the path (thanks to Arnaud Buchoux) + if (\Validator::isInsecurePath(\Input::get('node', true))) + { + throw new \RuntimeException('Insecure path ' . 
\Input::get('node', true)); + } + + $objSession->set($strKey, \Input::get('node', true)); \Controller::redirect(preg_replace('/&node=[^&]*/', '', \Environment::get('request'))); } @@@@ -681,6 +689,12 @@@@ abstract class Backend extends \Controll return; } + // Check the path (thanks to Arnaud Buchoux) + if (\Validator::isInsecurePath($intNode)) + { + throw new \RuntimeException('Insecure path ' . $intNode); + } + $arrIds = array(); $arrLinks = array(); $objUser = \BackendUser::getInstance(); @@@@ -800,6 +814,8 @@@@ abstract class Backend extends \Controll * Add a breadcrumb menu to the file tree * * @@param string + * + * @@throws \RuntimeException */ public static function addFilesBreadcrumb($strKey='tl_files_node') { @@@@ -808,6 +824,12 @@@@ abstract class Backend extends \Controll // Set a new node if (isset($_GET['node'])) { + // Check the path (thanks to Arnaud Buchoux) + if (\Validator::isInsecurePath(\Input::get('node', true))) + { + throw new \RuntimeException('Insecure path ' . \Input::get('node', true)); + } + $objSession->set($strKey, \Input::get('node', true)); \Controller::redirect(preg_replace('/(&|\?)node=[^&]*/', '', \Environment::get('request'))); } @@@@ -819,6 +841,12 @@@@ abstract class Backend extends \Controll return; } + // Check the path (thanks to Arnaud Buchoux) + if (\Validator::isInsecurePath($strNode)) + { + throw new \RuntimeException('Insecure path ' . $strNode); + } + // Currently selected folder does not exist if (!is_dir(TL_ROOT . '/' . $strNode)) { @
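Review bot: In the `@@ -670,7 +672,13 @@` hunk the rejected value is concatenated unescaped into the exception text, `throw new \RuntimeException('Insecure path ' . \Input::get('node', true));`, so whatever handles the exception (log line, error page) receives the attacker-controlled traversal string verbatim; the `-681`, `-808` and `-819` hunks repeat the pattern with `$intNode` and `$strNode`. The page does not show how Contao renders a `\RuntimeException`, so whether the message ever reaches HTML output is inferred, but a fixed message such as `throw new \RuntimeException('Insecure path');` with the offending value logged separately, or the value wrapped in `htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` before concatenation, would avoid reflecting raw input. Note also that `\Validator::isInsecurePath` is supplied by the sibling Validator patch named in the log rather than by this file, so these hunks only work when the three patches are applied together. Both `addPagesBreadcrumb` and `addFilesBreadcrumb` continue outside their hunks.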