[aur-dev] [PATCH] Geshi AUR implementation
Sorry, the last patch I sent will not work in your implementation as we use /lib instead of ../lib; this new one will work in your case. My apologies.
On Wed, Sep 29, 2010 at 01:38:36PM +0200, Manuel Tortosa wrote:
+// Getting variables +if (!empty($HTTP_POST_VARS)) extract($HTTP_POST_VARS); +if (!empty($HTTP_GET_VARS)) extract($HTTP_GET_VARS);
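Review bot: Both extract() calls are made with no flags, so every key in the request becomes a variable in the current scope and overwrites any variable of the same name that is already set; with GET extracted after POST, a query-string value also replaces a posted one. The code only needs $pkgbuild, so read that single key from the request array explicitly and drop both extract() lines.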
The use of "$HTTP_POST_VARS" and "$HTTP_GET_VARS" is deprecated and highly discouraged. It won't even work at all if register_long_arrays is disabled. Use "$_POST" and "$_GET" instead. Emulating register_globals behaviour is also deprecated and a potential security flaw. Don't do that. Just use "$_GET['pkgbuild']".
+$file = file_get_contents($pkgbuild, FILE_USE_INCLUDE_PATH);
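Review bot: file_get_contents() is called on $pkgbuild with no check of where the value points, and FILE_USE_INCLUDE_PATH additionally makes a relative value resolve against every include_path directory. Drop the flag, build the path on the server from a fixed base directory plus a validated package name, and confirm with realpath() that the result is still under that base before reading; also handle the false return when the file is missing.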
This introduces a remote file inclusion vulnerability allowing an attacker to read arbitrary files since "$pkgbuild" is not validated before passing it to file_get_contents(). Don't apply this patch until everything is fixed, please.
On Wednesday 29 September 2010 14:42:30 Lukas Fleischer wrote:
On Wed, Sep 29, 2010 at 01:38:36PM +0200, Manuel Tortosa wrote:
+// Getting variables +if (!empty($HTTP_POST_VARS)) extract($HTTP_POST_VARS); +if (!empty($HTTP_GET_VARS)) extract($HTTP_GET_VARS);
The use of "$HTTP_POST_VARS" and "$HTTP_GET_VARS" is deprecated and highly discouraged. It won't even work at all if register_long_arrays is disabled. Use "$_POST" and "$_GET" instead.
Emulating register_globals behaviour is also deprecated and a potential security flaw. Don't do that. Just use "$_GET['pkgbuild']".
+$file = file_get_contents($pkgbuild, FILE_USE_INCLUDE_PATH);
This introduces a remote file inclusion vulnerability allowing an attacker to read arbitrary files since "$pkgbuild" is not validated before passing it to file_get_contents().
Don't apply this patch until everything is fixed, please.
Thanks for your suggestions, I added them all to CCR ;)
On Wed, Sep 29, 2010 at 03:35:24PM +0200, Manuel Tortosa wrote:
This introduces a remote file inclusion vulnerability allowing an attacker to read arbitrary files since "$pkgbuild" is not validated before passing it to file_get_contents().
Don't apply this patch until everything is fixed, please.
Thanks for your suggestions, I added them all to CCR ;)
Btw, this is still not fixed! Have a look at [1]. You should consider using basename(), realpath() and/or regexp to check the PKGBUILD path. Also check [2], [3].
[1] http://mailman.archlinux.org/pipermail/aur-dev/2010-September/001268.html
[2] http://www.madirish.net/?article=427
[3] http://www.acunetix.com/websitesecurity/php-security-3.htm
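The check suggested above (basename(), realpath() and a regexp), as an added example that is not part of the original thread or of the AUR code. The function name, the base directory and the `<base>/<name>/PKGBUILD` layout are assumptions, and the sample tree is constructed in a temporary directory.

```php
<?php
// Added example; names and the <base>/<name>/PKGBUILD layout are assumptions.
function resolve_pkgbuild_path(string $name, string $baseDir): ?string
{
    // Regexp allow-list: no "/", no leading ".", no NUL byte, no "scheme://".
    if (!preg_match('/^[a-z0-9][a-z0-9@._+-]*$/D', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // basename() as a second guard in case the pattern is loosened later.
    $candidate = $base . '/' . basename($name) . '/PKGBUILD';
    // realpath() resolves ".." and symlinks; false means the file does not exist.
    $real = realpath($candidate);
    if ($real === false || strpos($real, $base . '/') !== 0) {
        return null;
    }
    return is_file($real) ? $real : null;
}

// Constructed sample tree: one package plus a file outside the base directory.
$root = sys_get_temp_dir() . '/pkgdemo_' . getmypid();
mkdir("$root/packages/foo", 0700, true);
file_put_contents("$root/packages/foo/PKGBUILD", "pkgname=foo\n");
file_put_contents("$root/secret.txt", "outside the base\n");

foreach (['foo', '../secret.txt', '/absolute/path', 'http://example.org/x', 'missing'] as $input) {
    $path = resolve_pkgbuild_path($input, "$root/packages");
    if ($path === null) {
        echo "rejected: $input\n";
        continue;
    }
    // No FILE_USE_INCLUDE_PATH: the path is already absolute and verified.
    echo "accepted: $input -> " . file_get_contents($path);
}
```

Only `foo` is accepted; the other four inputs are rejected either by the pattern or because realpath() finds no such file under the base directory.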
On Thu 30 Sep 2010 20:13 +0200, Lukas Fleischer wrote:
On Wed, Sep 29, 2010 at 03:35:24PM +0200, Manuel Tortosa wrote:
This introduces a remote file inclusion vulnerability allowing an attacker to read arbitrary files since "$pkgbuild" is not validated before passing it to file_get_contents().
Don't apply this patch until everything is fixed, please.
Thanks for your suggestions, I added them all to CCR ;)
Btw, this is still not fixed! Have a look at [1].
You should consider using basename(), realpath() and/or regexp to check the PKGBUILD path. Also check [2], [3].
[1] http://mailman.archlinux.org/pipermail/aur-dev/2010-September/001268.html
[2] http://www.madirish.net/?article=427
[3] http://www.acunetix.com/websitesecurity/php-security-3.htm
Thanks for helping review these patches Lukas. It's much appreciated.
On Saturday 02 October 2010 01:06:41 Loui Chang wrote:
On Thu 30 Sep 2010 20:13 +0200, Lukas Fleischer wrote:
On Wed, Sep 29, 2010 at 03:35:24PM +0200, Manuel Tortosa wrote:
This introduces a remote file inclusion vulnerability allowing an attacker to read arbitrary files since "$pkgbuild" is not validated before passing it to file_get_contents().
Don't apply this patch until everything is fixed, please.
Thanks for your suggestions, I added them all to CCR ;)
Btw, this is still not fixed! Have a look at [1].
You should consider using basename(), realpath() and/or regexp to check the PKGBUILD path. Also check [2], [3].
[1] http://mailman.archlinux.org/pipermail/aur-dev/2010-September/001268.html
[2] http://www.madirish.net/?article=427
[3] http://www.acunetix.com/websitesecurity/php-security-3.htm
Thanks for helping review these patches Lukas. It's much appreciated.
First of all, thanks to everybody for pointing me to the correct path. Could Lukas (or anybody) be so kind as to check if this script is safe? This time the variable passed is $row['Name'] instead of the whole path. Best Regards.
On Wed 29 Sep 2010 13:38 +0200, Manuel Tortosa wrote:
Sorry, the last patch I sent will not work in your implementation as we use /lib instead of ../lib; this new one will work in your case.
From 10ba3fa656bc4c59fc6d82f67dbed772e900dc47 Mon Sep 17 00:00:00 2001 From: Manuel Tortosa <manutortosa@gmail.com> Date: Wed, 29 Sep 2010 13:28:49 +0200 Subject: [PATCH 2/2] Add PKGBUILD syntax highligh with GeShi
Hmm. This fails if GeShi isn't installed. Can you make it fallback to the previous behaviour thus making syntax highlighting an optional feature?
participants (3)
- Loui Chang
- Lukas Fleischer
- Manuel Tortosa