tags #655832 + patch thanks On So 15 Jan 2012 10:46:09 CET Petter Reinholdtsen wrote:
[Petter Reinholdtsen]There is a slbackup-php bug (BTS report submitted, no # yet) that is of the few fatal problems with our Debian Edu/Squeeze version soon to be finished. Anyone with PHP skills around capable of providing a patch to fix the problem?The bug number is #655832. Please, if you know PHP, have a look and fix a patch. The next stable update is next weekend, and we really should have a fix in place before this. When I had a look at the cookies set by slbackup-php, I was surprised to find two cookies with paths in them, one pointing to the script and another to a template. Is this a security issue, where the user can fool the script to show files the user should not have access to? -- Happy hacking Petter Reinholdtsen
A patch has been attached to this mail that fixes the reported problem... Mike -- DAS-NETZWERKTEAM mike gabriel, dorfstr. 27, 24245 barmissen fon: +49 (4302) 281418, fax: +49 (4302) 281419 GnuPG Key ID 0xB588399B mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
root@tjener:/usr/share/slbackup-php/web# diff -u index.php index.php.fixed
--- index.php 2007-04-25 10:15:47.000000000 +0200
+++ index.php.fixed 2012-01-15 12:28:24.000000000 +0100
@@ -582,9 +582,17 @@
$ssh_askpass = sprintf ("%s/script/mypass.sh",
dirname (dirname ($_SERVER["SCRIPT_FILENAME"])));
+$arguments = $_REQUEST;
+
+# merge _COOKIE and _REQUEST
+foreach ($_COOKIE as $key => $value) {
+ if (! array_key_exists($key, $arguments)) {
+ $arguments[$key] = $value;
+ }
+}
# Fetch arguments passed as the script is executed
-foreach ($_REQUEST as $key => $value) {
+foreach ($arguments as $key => $value) {
switch ($key) {
case "smarty_templ":
case "smarty_compile":
@@ -640,6 +648,8 @@
}
}
+unset ($arguments);
+
if ($submit == "logout") {
unset ($passwd) ;
unset ($xorstring) ;
Attachment:
pgpGwW4tujI7R.pgp
Description: Digitale PGP-Unterschrift