[aur-dev] [PATCH] Geshi AUR implementation

Loui Chang louipc.ist at gmail.com
Fri Oct 1 19:06:41 EDT 2010


On Thu 30 Sep 2010 20:13 +0200, Lukas Fleischer wrote:
> On Wed, Sep 29, 2010 at 03:35:24PM +0200, Manuel Tortosa wrote:
> > > This introduces a remote file inclusion vulnerability allowing an
> > > attacker to read arbitrary files since "$pkgbuild" is not validated
> > > before passing it to file_get_contents().
> > > 
> > > Don't apply this patch until everything is fixed, please.
> > Thanks for your suggestions, i added them all to CCR ;)
> 
> Btw, this is still not fixed! Have a look at [1].
> 
> You should consider using basename(), realpath() and/or regexp to check
> the PKGBUILD path. Also check [2], [3].
> 
> [1]
> http://mailman.archlinux.org/pipermail/aur-dev/2010-September/001268.html
> [2] http://www.madirish.net/?article=427
> [3] http://www.acunetix.com/websitesecurity/php-security-3.htm

Thanks for helping review these patches Lukas.
It's much appreciated.



More information about the aur-dev mailing list