[aur-dev] [PATCH] Geshi AUR implementation

Lukas Fleischer archlinux at cryptocrack.de
Wed Sep 29 08:42:30 EDT 2010


On Wed, Sep 29, 2010 at 01:38:36PM +0200, Manuel Tortosa wrote:
> +// Getting variables
> +if (!empty($HTTP_POST_VARS)) extract($HTTP_POST_VARS);
> +if (!empty($HTTP_GET_VARS)) extract($HTTP_GET_VARS);
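
Review bot: Both extract() calls import every request parameter as a variable in the current scope, and extract() defaults to EXTR_OVERWRITE, so a request can set or replace any variable the script uses afterwards, not only $pkgbuild. Drop the two extract() lines and read the single value the code needs explicitly, for example `$pkgbuild = isset($_GET['pkgbuild']) ? $_GET['pkgbuild'] : null;`.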

The use of "$HTTP_POST_VARS" and "$HTTP_GET_VARS" is deprecated and
highly discouraged. It won't even work at all if register_long_arrays is
disabled. Use "$_POST" and "$_GET" instead.

Emulating register_globals behaviour is also deprecated and a potential
security flaw. Don't do that. Just use "$_GET['pkgbuild']".

> +$file = file_get_contents($pkgbuild, FILE_USE_INCLUDE_PATH); 
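
Review bot: $pkgbuild reaches file_get_contents() on this line with no validation, so the requester decides what is read: a relative path with ../, an absolute path, or a URL when allow_url_fopen is enabled. FILE_USE_INCLUDE_PATH widens the lookup further to every include_path directory. Match the value against a strict package-name pattern, build the path under one fixed base directory, compare the realpath() result against that base before reading, and drop the FILE_USE_INCLUDE_PATH flag.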

This introduces a remote file inclusion vulnerability allowing an
attacker to read arbitrary files since "$pkgbuild" is not validated
before passing it to file_get_contents().

Don't apply this patch until everything is fixed, please.
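
The validation asked for above, as an added example that is not part of the original message or of the AUR code base. The helper name read_pkgbuild(), the <baseDir>/<pkgname>/PKGBUILD layout and the package-name pattern are assumptions made for illustration.

```php
<?php
// Added example, hypothetical helper (not AUR code).
// Assumption: files are stored as <baseDir>/<pkgname>/PKGBUILD.
function read_pkgbuild(string $baseDir, $pkgname): ?string
{
    // Request values can be arrays (?pkgbuild[]=x); accept plain strings only.
    if (!is_string($pkgname)) {
        return null;
    }
    // Allowlist of characters for one path component: no "/" or ":", and no
    // leading ".", so neither traversal nor a URL scheme can get through.
    if (!preg_match('/\A[a-z0-9@_+][a-z0-9@._+-]*\z/', $pkgname)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves symlinks; the resolved path must still sit under
    // the base directory and be a regular file.
    $path = realpath($base . '/' . $pkgname . '/PKGBUILD');
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0 || !is_file($path)) {
        return null;
    }
    // Plain read of a local file, without FILE_USE_INCLUDE_PATH.
    $data = file_get_contents($path);
    return $data === false ? null : $data;
}

// Constructed demo data in a temporary directory.
$base = sys_get_temp_dir() . '/pkgbuild-demo-' . getmypid();
mkdir($base . '/hello', 0700, true);
file_put_contents($base . '/hello/PKGBUILD', "pkgname=hello\n");

// In the page itself the second argument would be $_GET['pkgbuild'] ?? null.
$inputs = ['hello', '../../etc/passwd', '/etc/passwd', 'http://example.com/x', ['hello']];
foreach ($inputs as $input) {
    $result = read_pkgbuild($base, $input);
    echo json_encode($input), ' => ', $result === null ? 'rejected' : 'read ok', "\n";
}
```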

