On Wed, Sep 29, 2010 at 01:38:36PM +0200, Manuel Tortosa wrote:
+// Getting variables +if (!empty($HTTP_POST_VARS)) extract($HTTP_POST_VARS); +if (!empty($HTTP_GET_VARS)) extract($HTTP_GET_VARS);
The use of "$HTTP_POST_VARS" and "$HTTP_GET_VARS" is deprecated and highly discouraged. It won't even work at all if register_long_arrays is disabled. Use "$_POST" and "$_GET" instead. Emulating register_globals behaviour is also deprecated and a potential security flaw. Don't do that. Just use "$_GET['pkgbuild']".
+$file = file_get_contents($pkgbuild, FILE_USE_INCLUDE_PATH);
This introduces a remote file inclusion vulnerability allowing an attacker to read arbitrary files since "$pkgbuild" is not validated before passing it to file_get_contents(). Don't apply this patch until everything is fixed, please.