Hi,

On Tuesday 18 November 2008, Olivier Berger wrote:
> FYI, I have prepared another package (available at
> http://mentors.debian.net/debian/pool/main/l/libcas-php/libcas-php_1.0.1-2.dsc)
>

Ok, let's see.

> In order to address the following issues:
>
> On Tue, Nov 18, 2008 at 09:42:29AM +0100, Olivier Berger wrote:
>>
>> On Monday 17 November 2008 at 15:20 -0600, Raphael Geissert wrote:
>>
>> > debian/rules:
>> > What about cleaning it up?
>> >
>> Sure.
>
> done

I still see many commented-out lines, why?

> dh_installman
> dh_link
> dh_strip

I see neither a manpage around, nor a debian/links, nor an ELF object. If they are not used then don't call them.

>> > debian/copyright:
>> > > Upstream Author:
>> > >
>> > > Pascal Aubry
>> >
>> > What about also displaying his email address?
>> Sure.
>
> done

> The Debian packaging is (C) 2008, Olivier Berger <olivier.berger@it-sudparis.eu> and
> is licensed under the GPL, see `/usr/share/common-licenses/GPL'.

You had better be more specific and say exactly which version of the licence you want.

>> >
>> > CAS.php:
>> > > define("CAS_PGT_STORAGE_FILE_DEFAULT_PATH",'/tmp');
>> > ..
>> > > define("CAS_PGT_STORAGE_FILE_FORMAT_PLAIN",'plain');
>> >
>> > Doesn't look good at all.
>>
>> Hmmm... I guess that needs to be fixed indeed. Thanks for spotting that.
>
> I have applied a patch in order to use /var/lib/libcas-php/pgtstorage/ and not /tmp for storage.

I'm not quite convinced that it is a good solution. But let's hold on for a moment on that problem (read below).

> Hope I did it in a safe way.
>
> In addition, I have tested the proxy mode more and fixed a nasty crash that occurred in validatePGT with the new domxml-php4-to-php5.

Good.

> Any comments welcome

$ lintian -I -E libcas-php_1.0.1-2.dsc
I: libcas-php source: debian-watch-file-is-missing

And what about the API docs?

From CAS/client.php:
> function setPGTStorageDB($user, ...
> trigger_error('PGT storage into database is an experim...

If it is not supported then it should be documented and the dependency on php-db dropped, or downgraded to Suggests if you insist/think there are chances for it to be used.

I have not fully reviewed/audited the code, but the code has several vulnerabilities (symlink attacks, directory traversal, and XSS are those I have identified).

The symlink attack can be launched because of the predictable file names used and the default storage directory. To make things worse, the user's input is not sanitized, so it is possible to predict the file name where data is going to be written to by passing an arbitrary pgtIou GET argument. The same lack of sanitization allows an attacker to perform either XSS or directory traversal attacks by abusing the callback function in CAS/client.php.

Additionally, the functions calling getCallbackURL when proxy mode is enabled can lead to XSS attacks if the validation request fails. A similar situation also applies to functions calling getURL.

Tomorrow I'll send this information to bugtraq and will file the corresponding bug reports against packages shipping phpCAS.

I strongly recommend that you and upstream audit the code.

> Best regards,

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
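The storage problem described in the message above (a file name derived from an unsanitized pgtIou GET parameter, written into a predictable, world-writable directory, and the same parameter reflected into HTML) is easiest to see in reduced form. What follows is an added example written for this page; it is not phpCAS code, and the function names, the storage directory, the ticket pattern and the query-string shape are assumptions made for illustration. It shows a minimal PGT-IOU store the vulnerable way beside a hardened version that whitelists the ticket syntax, refuses a non-private directory, creates the file with O_EXCL so a pre-planted symlink is never followed, and escapes output.

```php
<?php
// Added example, not phpCAS code. Reduced model of a proxy callback: the CAS
// server calls back with ?pgtIou=...&pgtId=... and the client must persist the
// pair so a later request can look the PGT up by its IOU. Names and paths are
// assumptions for this example.

// --- Vulnerable form -------------------------------------------------------
// Everything comes straight from the query string and ends up in /tmp.
function store_pgt_vulnerable(array $get): void
{
    $dir  = '/tmp';                                 // world-writable, predictable
    $path = $dir . '/phpcas-' . $get['pgtIou'];     // attacker controls the name

    // 1. "../" in pgtIou escapes $dir (directory traversal).
    // 2. The name is predictable, so another local user can pre-create a
    //    symlink at $path; file_put_contents() follows it and overwrites
    //    whatever the link points at, as the web server user.
    file_put_contents($path, $get['pgtId']);

    // 3. Echoing the raw parameter into HTML is a reflected XSS.
    echo '<p>Stored PGT for ' . $get['pgtIou'] . '</p>';
}

// --- Hardened form ---------------------------------------------------------
// Assumed store: a directory private to the web server user (mode 0700),
// created by the package, not a shared /tmp. Path is an assumption here.
const PGT_STORE_DIR = '/var/lib/libcas-php/pgtstorage';

// Assumed ticket syntax: upper-case prefix, a dash, then letters, digits, dot
// and dash, bounded length. Tighten to whatever your CAS server emits.
const TICKET_RE = '/\A[A-Z]+-[A-Za-z0-9.\-]{1,255}\z/';

function store_pgt_hardened(array $get): bool
{
    $iou = $get['pgtIou'] ?? '';
    $pgt = $get['pgtId']  ?? '';

    // Whitelist the ticket syntax: no slashes, no "..", no NUL bytes.
    if (!preg_match(TICKET_RE, $iou) || !preg_match(TICKET_RE, $pgt)) {
        return false;
    }

    // Refuse to run if the store is not a private directory we own.
    if (!is_dir(PGT_STORE_DIR) || is_link(PGT_STORE_DIR)
        || (fileperms(PGT_STORE_DIR) & 0077) !== 0) {
        return false;
    }

    // The regex guarantees $iou contains no path separator, so this cannot
    // leave PGT_STORE_DIR.
    $path = PGT_STORE_DIR . '/' . $iou;

    // 'x' maps to O_CREAT|O_EXCL: open fails if anything already exists at
    // $path, including a dangling symlink, so a pre-planted link is never
    // followed and a second callback cannot overwrite the first.
    $fh = @fopen($path, 'x');
    if ($fh === false) {
        return false;
    }
    fwrite($fh, $pgt);
    fclose($fh);
    chmod($path, 0600);

    // Escape before reflecting anything from the request into HTML.
    echo '<p>Stored PGT for ' . htmlspecialchars($iou, ENT_QUOTES, 'UTF-8') . '</p>';
    return true;
}

// The read side needs the same validation: an unchecked IOU in a lookup is a
// traversal read of any file the web server can open.
function load_pgt_hardened(string $iou): ?string
{
    if (!preg_match(TICKET_RE, $iou)) {
        return null;
    }
    $path = PGT_STORE_DIR . '/' . $iou;
    if (is_link($path) || !is_file($path)) {
        return null;
    }
    $pgt = file_get_contents($path);
    return $pgt === false ? null : $pgt;
}
```

Note what the directory change alone buys: moving the store out of /tmp removes the shared-directory symlink race, but as long as the file name is still built from the request, the traversal and the overwrite-on-repeat problems remain, which is why the hardened version validates the ticket before it touches the filesystem and uses exclusive creation rather than a plain write.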