[aur-dev] [PATCH] Geshi AUR implementation
louipc.ist at gmail.com
Fri Oct 1 19:06:41 EDT 2010
On Thu 30 Sep 2010 20:13 +0200, Lukas Fleischer wrote:
> On Wed, Sep 29, 2010 at 03:35:24PM +0200, Manuel Tortosa wrote:
> > > This introduces a remote file inclusion vulnerability allowing an
> > > attacker to read arbitrary files since "$pkgbuild" is not validated
> > > before passing it to file_get_contents().
> > >
> > > Don't apply this patch until everything is fixed, please.
> > Thanks for your suggestions, I added them all to CCR ;)
> Btw, this is still not fixed! Have a look at .
> You should consider using basename(), realpath() and/or regexp to check
> the PKGBUILD path. Also check , .
>  http://www.madirish.net/?article=427
>  http://www.acunetix.com/websitesecurity/php-security-3.htm
Thanks for helping review these patches Lukas.
It's much appreciated.
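To make the review point concrete: below is an added PHP example, not code from the AUR or CCR patch under discussion, showing the unvalidated file_get_contents() pattern the thread objects to next to a hardened lookup that uses the regexp and realpath() checks Lukas suggests. The base directory, the request parameter name (ID) and the package-name whitelist are assumptions made for illustration.

```php
<?php
// Added example, not AUR/CCR project code. Assumes PKGBUILDs are stored under a
// fixed directory as <root>/<pkgname>/PKGBUILD and that the page receives the
// package name in the "ID" query parameter (both assumed, not taken from the patch).

// Hypothetical base directory for this example.
const PKGBUILD_ROOT = '/srv/aur/unsupported';

// Vulnerable shape: $pkgbuild comes straight from the request and is handed to
// file_get_contents() unchecked. A value such as "../../../etc/passwd" reads any
// file the web server can open, and with allow_url_fopen enabled an "http://..."
// value makes PHP fetch a remote resource instead of a local file.
function geshi_vulnerable(string $pkgbuild): string
{
    return (string) @file_get_contents($pkgbuild);
}

// Hardened shape: treat the input as a package *name*, whitelist it, build the
// path ourselves, canonicalise with realpath() and confirm the result is still
// inside the root before reading. Returns null for anything that fails a check.
function geshi_hardened(string $pkgname): ?string
{
    // 1. Syntactic whitelist (assumed for this example): lowercase alphanumerics
    //    plus @ . _ + -, not starting with '-' or '.', so ".." and "/" never pass.
    if (!preg_match('/^[a-z0-9@_+][a-z0-9@._+-]*$/', $pkgname)) {
        return null;
    }

    // 2. Canonicalise both ends. realpath() resolves "..", "." and symlinks and
    //    returns false for paths that do not exist, so a symlink planted inside
    //    the root that points elsewhere is caught by the containment test below.
    $root = realpath(PKGBUILD_ROOT);
    $path = realpath(PKGBUILD_ROOT . '/' . $pkgname . '/PKGBUILD');
    if ($root === false || $path === false) {
        return null;
    }

    // 3. Containment: the resolved file must sit strictly below the resolved root.
    //    Comparing against "$root/" (with the trailing slash) prevents a sibling
    //    directory such as "/srv/aur/unsupported-old" from matching by prefix.
    if (strncmp($path, $root . '/', strlen($root) + 1) !== 0) {
        return null;
    }

    $contents = file_get_contents($path);
    return $contents === false ? null : $contents;
}

// Usage: read the (assumed) ID parameter, then escape before rendering. Even when
// the text is later passed through GeSHi for highlighting, escaping here keeps a
// crafted PKGBUILD from injecting markup if the highlighter is ever bypassed.
$pkgname  = isset($_GET['ID']) ? (string) $_GET['ID'] : '';
$contents = geshi_hardened($pkgname);
if ($contents === null) {
    http_response_code(404);
    echo 'PKGBUILD not found';
} else {
    echo '<pre>' . htmlspecialchars($contents, ENT_QUOTES, 'UTF-8') . '</pre>';
}
```

basename() on its own would also neutralise a traversal payload when the result is joined to a fixed root, but it does not reject names the repository would never contain, and it does nothing about symlinks under the root; the whitelist plus the realpath() containment check covers both, which is why the hardened function does the checks in that order and only opens the file once the path is known to be inside the root.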