On Thu 30 Sep 2010 20:13 +0200, Lukas Fleischer wrote:
On Wed, Sep 29, 2010 at 03:35:24PM +0200, Manuel Tortosa wrote:
This introduces a remote file inclusion vulnerability allowing an attacker to read arbitrary files since "$pkgbuild" is not validated before passing it to file_get_contents().
Don't apply this patch until everything is fixed, please.
Thanks for your suggestions, I added them all to CCR ;)
Btw, this is still not fixed! Have a look at [1].
You should consider using basename(), realpath() and/or regexp to check the PKGBUILD path. Also check [2], [3].
[1] http://mailman.archlinux.org/pipermail/aur-dev/2010-September/001268.html
[2] http://www.madirish.net/?article=427
[3] http://www.acunetix.com/websitesecurity/php-security-3.htm
Thanks for helping review these patches Lukas. It's much appreciated.
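
The path check suggested in this thread (regexp, basename() and realpath() before file_get_contents()), as an added example that is not part of the original messages and not AUR or CCR code. The function name read_pkgbuild(), the package-name pattern and the temporary directory layout are assumptions made for illustration.

```php
<?php
// Added example; not AUR or CCR code. read_pkgbuild(), the name pattern and
// the directory layout below are hypothetical.

function read_pkgbuild(string $pkgname, string $root): ?string
{
    // 1. Regexp: allow only a conservative package-name alphabet. This
    //    rejects "/", "\", ":" and leading dots, so neither "../" sequences
    //    nor URL wrappers such as "http://" reach file_get_contents().
    if (!preg_match('/^[a-z0-9][a-z0-9@._+-]*$/', $pkgname)) {
        return null;
    }
    // 2. basename(): defence in depth, drops any directory component.
    $pkgname = basename($pkgname);

    // 3. realpath(): resolve symlinks and "..", then require that the result
    //    is still inside the package root.
    $rootReal = realpath($root);
    $path = realpath($root . '/' . $pkgname . '/PKGBUILD');
    if ($rootReal === false || $path === false) {
        return null;
    }
    // Compare against the root plus a separator, so that a sibling
    // directory such as "<root>-outside" does not pass a prefix check.
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0 || !is_file($path)) {
        return null;
    }
    $data = file_get_contents($path);
    return $data === false ? null : $data;
}

// Constructed test layout: one valid package, plus a symlink inside the
// root that points at a directory outside it.
$root = sys_get_temp_dir() . '/pkgroot_' . getmypid();
$outside = $root . '-outside';
mkdir($root . '/foo', 0700, true);
mkdir($outside, 0700, true);
file_put_contents($root . '/foo/PKGBUILD', "pkgname=foo\n");
file_put_contents($outside . '/PKGBUILD', "outside the root\n");
symlink($outside, $root . '/linked');

// Constructed inputs: a valid name, a traversal, a URL, the symlink.
foreach (['foo', '../../etc/passwd', 'http://example.invalid/x', 'linked'] as $in) {
    $result = read_pkgbuild($in, $root);
    printf("%-26s %s\n", $in, $result === null ? 'rejected' : 'read ok');
}
```

The symlink case is the one that the regexp and basename() alone do not catch; only the realpath() containment check rejects it.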