author | Olivier Gayot <duskcoder@gmail.com> | 2018-03-12 22:57:42 +0100 |
---|---|---|
committer | Olivier Gayot <duskcoder@gmail.com> | 2018-03-12 22:57:42 +0100 |
commit | a8c22829d8e8845cd4ddf4ef8b61a1ed79edfffc (patch) | |
tree | f0ae554b863266fbe523582d1be09216436c7472 /debian/patches/fix_CVE-2015-1431.patch |
Imported from the SVN repository
http://svn.wolffelaar.nl/wsvn/phpbb/branches/jessie/
Signed-off-by: Olivier Gayot <duskcoder@gmail.com>
Diffstat (limited to 'debian/patches/fix_CVE-2015-1431.patch')
-rw-r--r-- | debian/patches/fix_CVE-2015-1431.patch | 70 |
1 files changed, 70 insertions, 0 deletions
diff --git a/debian/patches/fix_CVE-2015-1431.patch b/debian/patches/fix_CVE-2015-1431.patch
new file mode 100644
index 0000000..3153ad3
--- /dev/null
+++ b/debian/patches/fix_CVE-2015-1431.patch
@@ -0,0 +1,70 @@
+Description: Explicitly disallow trailing paths
+ CSRF potentially allowing an attacker to modify the private message
+ setting that determines how full folders are handled (i.e. whether to
+ delete the oldest message or hold the new message until further space
+ is available).
+ [CVE-2015-1432]
+Author: Marc Alexander <admin@m-a-styles.de>
+Origin: upstream, https://www.phpbb.com/community/viewtopic.php?f=14&t=2291456
+Bug: https://tracker.phpbb.com/browse/PHPBB3-13531, https://tracker.phpbb.com/browse/PHPBB3-13549
+Bug-Debian: https://bugs.debian.org/776699
+Applied-Upstream: commit, https://github.com/phpbb/phpbb/commit/4b9434bf1ba4c015da11309602cfccf1a9c2493c https://github.com/phpbb/phpbb/commit/e34b92882a51dc89da88464b8c751a9d93a03124 https://github.com/phpbb/phpbb/commit/74950559074d738733ac1258b07912f9ca14203a
+Reviewed-by: Andreas Fischer <bantu@phpbb.com>, Nils Adermann <naderman@naderman.de>
+Last-Update: 2015-02-01
+--- a/includes/startup.php
++++ b/includes/startup.php
+@@ -113,6 +113,54 @@
+ unset($input);
+ }
+
++/**
++ * Check if requested page uses a trailing path
++ *
++ * @param string $phpEx PHP extension
++ *
++ * @return bool True if trailing path is used, false if not
++ */
++function phpbb_has_trailing_path($phpEx)
++{
++ // Check if path_info is being used
++ if (!empty($_SERVER['PATH_INFO']) || (!empty($_SERVER['ORIG_PATH_INFO']) && $_SERVER['SCRIPT_NAME'] != $_SERVER['ORIG_PATH_INFO']))
++ {
++ return true;
++ }
++
++ // Match any trailing path appended to a php script in the REQUEST_URI.
++ // It is assumed that only actual PHP scripts use names like foo.php. Due
++ // to this, any phpBB board inside a directory that has the php extension
++ // appended to its name will stop working, i.e. if the board is at
++ // example.com/phpBB/test.php/ or example.com/test.php/
++ if (preg_match('#^[^?]+\.' . preg_quote($phpEx, '#') . '/#', $_SERVER['REQUEST_URI']))
++ {
++ return true;
++ }
++
++ return false;
++}
++
++// Check if trailing path is used
++if (phpbb_has_trailing_path($phpEx))
++{
++ if (substr(strtolower(@php_sapi_name()), 0, 3) === 'cgi')
++ {
++ $prefix = 'Status:';
++ }
++ else if (!empty($_SERVER['SERVER_PROTOCOL']))
++ {
++ $prefix = $_SERVER['SERVER_PROTOCOL'];
++ }
++ else
++ {
++ $prefix = 'HTTP/1.0';
++ }
++ header("$prefix 404 Not Found", true, 404);
++ echo 'Trailing paths and PATH_INFO is not supported by phpBB 3.0';
++ exit;
++}
++
+ // Register globals and magic quotes have been dropped in PHP 5.4
+ if (version_compare(PHP_VERSION, '5.4.0-dev', '>='))
+ { |
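Review bot: The DEP-3 header of the added patch does not match its content. The file is named fix_CVE-2015-1431.patch and its code adds a trailing-path / PATH_INFO rejection to includes/startup.php, yet the Description body describes a CSRF against the private-message full-folder setting and is tagged `[CVE-2015-1432]`. The body looks like it was carried over from a sibling patch; that is an inference, since no other patch is visible on this page. Anyone auditing which CVEs the package has fixed by reading patch headers would be misled, so the body should describe what the code does, for example `Requests with PATH_INFO or a trailing path after a .php script are rejected with 404.`, and the tag should read `[CVE-2015-1431]`.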