
These two updates occur after a discussion with websvn upstream, to
validate the corrections. Security problem is described at:
(I haven't found any related CVE, but a Secunia advisory:

The first upload is for stable:
Please allow websvn 1.61-21 into stable, it contains a security fix:

   * Security: fix potential PHP code execution due to unsafe use of
     preg_replace (Closes: #503330)

The fix is to remove the offending code (which was useless) with quilt
patch 40_unsafe_preg_replace.diff (attached).
Other parts of the advisory (directory traversal and XSS) were not
found in this version.

The second upload is for both unstable and testing:
Please allow websvn 2.0-4 to enter testing, it contains fixes for the
same security advisory, but for different problems:

   * Security: fix potential Cross Site Scripting and Directory
     traversal issues (Closes: #503330)

Problems are fixed in quilt patches 10_security_dir_transversal.patch
and 11_security_css.patch (attached). preg_replace affected code was removed in
2.x branch.

Index: websvn-1.61/include/utils.inc
--- websvn-1.61.orig/include/utils.inc	2008-11-12 13:04:16.000000000 +0100
+++ websvn-1.61/include/utils.inc	2008-11-12 13:04:23.000000000 +0100
@@ -87,11 +87,6 @@
 	                    "<a href=\"mailto:[EMAIL PROTECTED]">[EMAIL PROTECTED]</a>",
-   // Replace any usernames
-	$ret = preg_replace("#\[:nom:([^\]]*)\]#e",
-	                    "username(0, trim(\"\\1\"))",
-	                    $ret);
 	return ($ret);
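Review bot: With the [:nom:...] replacement removed from this function, any stored text that still uses that tag will now be displayed literally; the message calls the code useless, so please confirm nothing in 1.61 emits or documents the tag. The context line above the removal is the tail of another replacement call whose pattern lies outside this hunk, so it is also worth confirming that no remaining preg_replace in this function carries the e modifier, which is what made "username(0, trim(\"\\1\"))" run as PHP.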
@@ -185,4 +180,4 @@
    // Stick them together
    return $spaces.$s;
\ No newline at end of file
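Review bot: This hunk shows no added or removed lines, only context and the no-newline-at-end-of-file marker, so it looks like an end-of-file whitespace change unrelated to the preg_replace fix. For a stable upload, drop it from 40_unsafe_preg_replace.diff so the patch contains only the security change.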
Index: websvn-2.0/rss.php
--- websvn-2.0.orig/rss.php	2008-11-12 13:10:56.000000000 +0100
+++ websvn-2.0/rss.php	2008-11-12 13:11:20.000000000 +0100
@@ -67,7 +67,7 @@
 // Cachename reflecting full path to and rev for rssfeed. Must end with xml to work
 $cachename = strtr(getFullURL($listurl), ":/\\?", "____");
-$cachename = $locwebsvnreal.DIRECTORY_SEPARATOR."cache"[EMAIL PROTECTED]"rev"]."_rssfeed.xml";
+$cachename = $locwebsvnreal.DIRECTORY_SEPARATOR.'cache'.DIRECTORY_SEPARATOR.$cachename.$rev.'_rssfeed.xml';
 $rss = new UniversalFeedCreator();
 $rss->useCached("RSS2.0", $cachename);
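Review bot: On the added line, $rev is concatenated straight into the cache file path, and nothing in this hunk shows where it is assigned or that it is restricted to digits. The strtr() call above only neutralises separators in the URL-derived part, so unless $rev is already cast earlier in rss.php, force it here, for example with (int)$rev, before building $cachename.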
Index: websvn-2.0/include/setup.php
--- websvn-2.0.orig/include/setup.php	2008-11-12 13:12:10.000000000 +0100
+++ websvn-2.0/include/setup.php	2008-11-12 13:12:26.000000000 +0100
@@ -314,7 +314,7 @@
 $vars['lang_code'] = $userLang;
-$url = getParameterisedSelfUrl(true);
+$url = '?'.buildQuery($_GET + $_POST);
 $vars["lang_form"] = "<form action=\"$url\" method=\"post\" id=\"langform\">";
 $vars["lang_select"] = "<select name=\"langchoice\" onchange=\"javascript:this.form.submit();\">";
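Review bot: The new $url is built from $_GET + $_POST and interpolated into the action attribute on the next line without any visible HTML escaping, so the XSS fix rests entirely on buildQuery() encoding every key and value, and buildQuery() is not shown in this patch. Passing $url through htmlspecialchars() with ENT_QUOTES before it goes into the form tag would make the fix hold regardless of what buildQuery() returns.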
Index: websvn-2.0/include/utils.php
--- websvn-2.0.orig/include/utils.php	2008-11-12 13:12:14.000000000 +0100
+++ websvn-2.0/include/utils.php	2008-11-12 13:12:26.000000000 +0100
@@ -304,43 +304,6 @@
 // }}}
-// {{{ getParameterisedSelfUrl
-// Get the relative URL (PHP_SELF) with GET and POST data
-function getParameterisedSelfUrl($params = true)
-   global $config;
-   $url = null;
-   if ($config->multiViews)
-   {
-      // Get rid of the file's name
-      $url = preg_replace('/\.php/', '', $_SERVER['PHP_SELF'], 1);
-   }
-   else
-   {
-      $url = basename($_SERVER['PHP_SELF']);
-      // Sometimes the .php isn't on the end.  Damn strange...
-      if (strchr($url, '.') === false)
-         $url .= '.php';   
-   }
-   if ($params)
-   {
-      $arr = $_GET + $_POST;
-      # XXX: the point of HTTP POST is that URIs have a set size limit, so POST
-      #      data is typically too large to bother with; why include it?
-      $url .= '?'.buildQuery($arr);
-   }
-   return $url;
-// }}}
 // {{{ getUserLanguage
 function getUserLanguage($languages, $default, $userchoice)
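Review bot: Deleting getParameterisedSelfUrl() is only safe if the call in include/setup.php was its last caller, and this patch converts just that one; any call left elsewhere in 2.0 becomes a fatal undefined-function error. Please grep the tree for the name before upload, and check that no other code builds URLs from $_SERVER['PHP_SELF'] the way the removed lines did.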
