On Thu 30 Sep 2010 20:13 +0200, Lukas Fleischer wrote: > On Wed, Sep 29, 2010 at 03:35:24PM +0200, Manuel Tortosa wrote: > > > This introduces a remote file inclusion vulnerability allowing an > > > attacker to read arbitrary files since "$pkgbuild" is not validated > > > before passing it to file_get_contents(). > > > > > > Don't apply this patch until everything is fixed, please. > > Thanks for your suggestions, i added them all to CCR ;) > > Btw, this is still not fixed! Have a look at [1]. > > You should consider using basename(), realpath() and/or regexp to check > the PKGBUILD path. Also check [2], [3]. > > [1] > http://mailman.archlinux.org/pipermail/aur-dev/2010-September/001268.html > [2] http://www.madirish.net/?article=427 > [3] http://www.acunetix.com/websitesecurity/php-security-3.htm
Thanks for helping review these patches Lukas. It's much appreciated.
