tags #655832 + patch
thanks

On Sun 15 Jan 2012 10:46:09 CET Petter Reinholdtsen wrote:
[Petter Reinholdtsen]
There is a slbackup-php bug (BTS report submitted, no # yet) that is one of the few fatal problems with our Debian Edu/Squeeze version soon to be finished. Anyone with PHP skills around capable of providing a patch to fix the problem?

The bug number is #655832. Please, if you know PHP, have a look and fix a patch. The next stable update is next weekend, and we really should have a fix in place before this.

When I had a look at the cookies set by slbackup-php, I was surprised to find two cookies with paths in them, one pointing to the script and another to a template. Is this a security issue, where the user can fool the script to show files the user should not have access to?

--
Happy hacking
Petter Reinholdtsen
A patch has been attached to this mail that fixes the reported problem...

Mike

--
DAS-NETZWERKTEAM
mike gabriel, dorfstr. 27, 24245 barmissen
fon: +49 (4302) 281418, fax: +49 (4302) 281419
GnuPG Key ID 0xB588399B
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
root@tjener:/usr/share/slbackup-php/web# diff -u index.php index.php.fixed --- index.php 2007-04-25 10:15:47.000000000 +0200 +++ index.php.fixed 2012-01-15 12:28:24.000000000 +0100 @@ -582,9 +582,17 @@ $ssh_askpass = sprintf ("%s/script/mypass.sh", dirname (dirname ($_SERVER["SCRIPT_FILENAME"]))); +$arguments = $_REQUEST; + +# merge _COOKIE and _REQUEST +foreach ($_COOKIE as $key => $value) { + if (! array_key_exists($key, $arguments)) { + $arguments[$key] = $value; + } +} # Fetch arguments passed as the script is executed -foreach ($_REQUEST as $key => $value) { +foreach ($arguments as $key => $value) { switch ($key) { case "smarty_templ": case "smarty_compile": @@ -640,6 +648,8 @@ } } +unset ($arguments); + if ($submit == "logout") { unset ($passwd) ; unset ($xorstring) ;
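Review bot: the merge loop added at the top of the first hunk feeds every client-supplied cookie into the same `switch ($key)` that handles request parameters, including the path-carrying keys visible in the cases `"smarty_templ"` and `"smarty_compile"`, and the hunk adds no validation of those values. Given the path-bearing cookies Petter describes, a cookie value now reaches the same code path as a GET/POST parameter, so the patch restores the previous behaviour but leaves his question about trusting those paths open. Suggest validating each path-like value before it is used, for example resolving it with `realpath()` and accepting it only when it lies under the directory the script expects, and otherwise falling back to the built-in default. The `if (! array_key_exists($key, $arguments))` guard correctly gives `$_REQUEST` precedence, so an explicit parameter cannot be overridden by a cookie, and the `unset ($arguments);` in the second hunk is fine as cleanup.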