[aur-dev] [PATCH] Geshi AUR implementation
Manuel Tortosa
manutortosa at gmail.com
Wed Sep 29 09:35:24 EDT 2010
On Wednesday 29 September 2010 14:42:30 Lukas Fleischer wrote:
> On Wed, Sep 29, 2010 at 01:38:36PM +0200, Manuel Tortosa wrote:
> > +// Getting variables
> > +if (!empty($HTTP_POST_VARS)) extract($HTTP_POST_VARS);
> > +if (!empty($HTTP_GET_VARS)) extract($HTTP_GET_VARS);
>
> The use of "$HTTP_POST_VARS" and "$HTTP_GET_VARS" is deprecated and
> highly discouraged. It won't even work at all if register_long_arrays is
> disabled. Use "$_POST" and "$_GET" instead.
>
> Emulating register_globals behaviour is also deprecated and a potential
> security flaw. Don't do that. Just use "$_GET['pkgbuild']".
>
> > +$file = file_get_contents($pkgbuild, FILE_USE_INCLUDE_PATH);
>
> This introduces a remote file inclusion vulnerability allowing an
> attacker to read arbitrary files since "$pkgbuild" is not validated
> before passing it to file_get_contents().
>
> Don't apply this patch until everything is fixed, please.
Thanks for your suggestions, i added them all to CCR ;)
More information about the aur-dev
mailing list