Bug#599255: unblock: zabbix/1.8.3-2
[ CC'ing Christoph Haas since he's the uploader ]
On 06/10/2010 09:57, Jordi Mallach wrote:
> Package: release.debian.org Severity: normal User:
> release.debian.org@packages.debian.org Usertags: freeze-exception
>
> Please unblock package zabbix
>
> Zabbix 1.8.3 includes a security fix (CVE-2010-2790) plus a series of
> important packaging fixes.
>
The diff is quite large. I don't think it's reasonable to unblock it at
this stage of the freeze.
643 files changed, 57774 insertions(+), 93146 deletions(-)
Most of the changes are packaging related. Concerning the security bug, it
seems possible to extract a fix. Looking at the diff (file attached) for
frontends/php/include/classes/class.curl.php, it seems pretty easy to
provide a simple fix. Why didn't you try to do that instead of introducing
this new upstream release?
Regards,
--
Mehdi Dogguy مهدي الدڤي
http://dogguy.org/
diff -Nru zabbix-1.8.2/frontends/php/include/classes/class.curl.php zabbix-1.8.3/frontends/php/include/classes/class.curl.php
--- zabbix-1.8.2/frontends/php/include/classes/class.curl.php 2010-03-29 17:22:45.000000000 +0000
+++ zabbix-1.8.3/frontends/php/include/classes/class.curl.php 2010-08-16 08:19:32.000000000 +0000
@@ -49,7 +49,7 @@
$this->arguments = array();
if(empty($url)){
- $this->formatArguments();
+ $this->formatGetArguments();
// $protocol = (zbx_strpos(zbx_strtolower($_SERVER['SERVER_PROTOCOL']), 'shttp') !== false)?'shttp':'http';
$protocol = ((isset($_SERVER['HTTPS']) && ($_SERVER['HTTPS'] == 'on')) || ($_SERVER['SERVER_PORT'] == 443)) ? 'https' : 'http';
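Review bot: Calling `formatGetArguments()` here means every default URL this constructor builds now carries the `sid` argument that the formatGetArguments hunk further down derives from the `zbx_sessionid` cookie, because the next hunk's context line appends `$this->getQuery()` to `$this->url`. A session-derived value in the query string ends up in access logs, browser history and Referer headers, so it is worth confirming that `sid` is only a per-request token and reveals nothing usable about the session itself. The cookie is also read without a type or length check; a guard such as `if(isset($_COOKIE['zbx_sessionid']) && is_string($_COOKIE['zbx_sessionid']))` would avoid passing an array-valued cookie to `substr()`. The constructor body starts and ends outside this hunk.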
@@ -57,7 +57,7 @@
$this->url = $url = $protocol.'://'.$_SERVER['SERVER_NAME'].':'.$_SERVER['SERVER_PORT'].$_SERVER['SCRIPT_NAME'].'?'.$this->getQuery();
}
else{
- $this->url=urldecode($url);
+ $this->url = $url;
$tmp_pos = zbx_strpos($this->url,'?');
$this->query=($tmp_pos!==false)?(substr($this->url,$tmp_pos+1)):'';
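Review bot: The assignment `$this->url = $url;` would benefit from a comment saying why the whole-URL `urldecode()` was dropped, since decoding before the `?`/`&`/`=` split lets an encoded delimiter inside a value change how the query is parsed. Something like `// keep the URL encoded here; each value is urldecode()d after splitting` would do, assuming the parsing loop in the `@@ -171` hunk is what consumes `$this->query`. The else branch continues outside this hunk.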
@@ -141,23 +141,28 @@
}
public function formatQuery(){
- $query = '';
+ $query = Array();
+
foreach($this->arguments as $key => $value){
if(is_null($value)) continue;
if(is_array($value)){
foreach($value as $vkey => $vvalue){
- $query.= $key.'['.$vkey.']='.$vvalue.'&';
+ if(is_array($vvalue)) continue;
+
+ $query[] = $key.'['.$vkey.']='.rawurlencode($vvalue);
}
}
else{
- $query.= $key.'='.$value.'&';
+ $query[] = $key.'='.rawurlencode($value);
}
}
- $this->query = rtrim($query,'&');
+ $this->query = implode('&', $query);
}
public function formatGetArguments(){
$this->arguments = $_GET;
+ if(isset($_COOKIE['zbx_sessionid']))
+ $this->setArgument('sid', substr($_COOKIE['zbx_sessionid'],16,16));
$this->formatQuery();
}
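Review bot: formatQuery() now encodes values but still emits `$key` and `$vkey` raw, and formatGetArguments() fills `$this->arguments` from `$_GET`, so request-controlled parameter names still reach the generated query string unencoded. Encode the names as well, keeping the brackets literal: `$query[] = rawurlencode($key).'['.rawurlencode($vkey).']='.rawurlencode($vvalue);` and `$query[] = rawurlencode($key).'='.rawurlencode($value);`. The new `if(is_array($vvalue)) continue;` silently drops arguments nested more than one level deep, which deserves a short comment so the loss is not later mistaken for a bug.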
@@ -171,23 +176,25 @@
foreach($args as $id => $arg){
if(empty($arg)) continue;
- $tmp = explode('=',$arg);
- $this->arguments[$tmp[0]] = isset($tmp[1])?$tmp[1]:'';
+ list($name, $value) = explode('=',$arg);
+ $this->arguments[$name] = isset($value) ? urldecode($value):'';
}
}
$this->formatQuery();
}
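Review bot: `list($name, $value) = explode('=',$arg);` splits on every `=`, so a value that itself contains `=` is cut off at the second one, and an argument with no `=` raises an undefined-offset notice before the `isset($value)` fallback applies. Limiting the split and padding the result avoids both: `list($name, $value) = array_pad(explode('=', $arg, 2), 2, null);`. The name is stored without `urldecode()` while the value is decoded, so an encoded name would be kept under its encoded form; decoding both would be consistent. The enclosing method starts outside this hunk.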
public function getUrl(){
- $url = $this->protocol ? $this->protocol.'://' : '';
- $url .= $this->username ? $this->username : '';
- $url .= $this->password ? ':'.$this->password : '';
- $url .= $this->host ? $this->host : '';
- $url .= $this->port ? ':'.$this->port : '';
- $url .= $this->path ? $this->path : '';
- $url .= $this->query ? '?'.$this->query : '';
- $url .= $this->reference ? '#'.urlencode($this->reference) : '';
- //SDI($this->getProtocol().' : '.$this->getHost().' : '.$this->getPort().' : '.$this->getPath().' : '.$this->getQuery());
+ $this->formatQuery();
+
+ $url = $this->protocol ? $this->protocol.'://' : '';
+ $url .= $this->username ? $this->username : '';
+ $url .= $this->password ? ':'.$this->password : '';
+ $url .= $this->host ? $this->host : '';
+ $url .= $this->port ? ':'.$this->port : '';
+ $url .= $this->path ? $this->path : '';
+ $url .= $this->query ? '?'.$this->query : '';
+ $url .= $this->reference ? '#'.urlencode($this->reference) : '';
+//SDI($this->getProtocol().' : '.$this->getHost().' : '.$this->getPort().' : '.$this->getPath().' : '.$this->getQuery());
return $url;
}
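Review bot: getUrl() joins `$this->username`, `$this->password` and `$this->host` with no `@` between the userinfo and the host and without encoding any of them, exactly as on the old side; unless those properties already carry the delimiter, a URL with credentials comes out malformed. If credentials are meant to be supported, a line such as `$url .= ($this->username || $this->password) ? '@' : '';` after the password line would fix the shape. The only functional change in this hunk appears to be the added `$this->formatQuery();`, with the `$url` lines differing in whitespace only, and the commented-out `SDI(...)` debug line could be dropped rather than re-indented.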
@@ -201,7 +208,6 @@
public function setArgument($key,$value=''){
$this->arguments[$key] = $value;
- $this->formatQuery();
}
public function getArgument($key){
@@ -216,6 +222,7 @@
}
public function getQuery(){
+ $this->formatQuery();
return $this->query;
}