On Wednesday 29 September 2010 14:42:30 Lukas Fleischer wrote:
On Wed, Sep 29, 2010 at 01:38:36PM +0200, Manuel Tortosa wrote:
+// Getting variables +if (!empty($HTTP_POST_VARS)) extract($HTTP_POST_VARS); +if (!empty($HTTP_GET_VARS)) extract($HTTP_GET_VARS);
The use of "$HTTP_POST_VARS" and "$HTTP_GET_VARS" is deprecated and highly discouraged. It won't even work at all if register_long_arrays is disabled. Use "$_POST" and "$_GET" instead.
Emulating register_globals behaviour is also deprecated and a potential security flaw. Don't do that. Just use "$_GET['pkgbuild']".
+$file = file_get_contents($pkgbuild, FILE_USE_INCLUDE_PATH);
This introduces a remote file inclusion vulnerability allowing an attacker to read arbitrary files since "$pkgbuild" is not validated before passing it to file_get_contents().
Don't apply this patch until everything is fixed, please. Thanks for your suggestions, i added them all to CCR ;)