[aur-dev] [PATCH] Geshi AUR implementation
Manuel Tortosa
manutortosa at gmail.com
Sat Oct 2 10:18:03 EDT 2010
On Saturday 02 October 2010 01:06:41 Loui Chang wrote:
> On Thu 30 Sep 2010 20:13 +0200, Lukas Fleischer wrote:
> > On Wed, Sep 29, 2010 at 03:35:24PM +0200, Manuel Tortosa wrote:
> > > > This introduces a remote file inclusion vulnerability allowing an
> > > > attacker to read arbitrary files since "$pkgbuild" is not validated
> > > > before passing it to file_get_contents().
> > > >
> > > > Don't apply this patch until everything is fixed, please.
> > >
> > > Thanks for your suggestions, i added them all to CCR ;)
> >
> > Btw, this is still not fixed! Have a look at [1].
> >
> > You should consider using basename(), realpath() and/or regexp to check
> > the PKGBUILD path. Also check [2], [3].
> >
> > [1]
> > http://mailman.archlinux.org/pipermail/aur-dev/2010-September/001268.html
> > [2] http://www.madirish.net/?article=427
> > [3] http://www.acunetix.com/websitesecurity/php-security-3.htm
>
> Thanks for helping review these patches Lukas.
> It's much appreciated.
First of all thanks to everibody for pointing me to the correct path,
Lukas (or anybody) can be so kind to check if this script it's safe?
This time the valiable passed is $row['Name'] instead the whole path.
Best Regards.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pkgbuildview.php
Type: application/x-php
Size: 703 bytes
Desc: not available
URL: <http://mailman.archlinux.org/pipermail/aur-dev/attachments/20101002/cf4dc75d/attachment-0001.bin>
More information about the aur-dev
mailing list