Diffstat (limited to 'debian/patches/fix_CVE-2015-1431.patch')
-rw-r--r--debian/patches/fix_CVE-2015-1431.patch70
1 files changed, 70 insertions, 0 deletions
diff --git a/debian/patches/fix_CVE-2015-1431.patch b/debian/patches/fix_CVE-2015-1431.patch
new file mode 100644
index 0000000..3153ad3
--- /dev/null
+++ b/debian/patches/fix_CVE-2015-1431.patch
@@ -0,0 +1,70 @@
+Description: Explicitly disallow trailing paths
+ CSRF potentially allowing an attacker to modify the private message
+ setting that determines how full folders are handled (i.e. whether to
+ delete the oldest message or hold the new message until further space
+ is available).
+ [CVE-2015-1432]
+Author: Marc Alexander <admin@m-a-styles.de>
+Origin: upstream, https://www.phpbb.com/community/viewtopic.php?f=14&t=2291456
+Bug: https://tracker.phpbb.com/browse/PHPBB3-13531, https://tracker.phpbb.com/browse/PHPBB3-13549
+Bug-Debian: https://bugs.debian.org/776699
+Applied-Upstream: commit, https://github.com/phpbb/phpbb/commit/4b9434bf1ba4c015da11309602cfccf1a9c2493c https://github.com/phpbb/phpbb/commit/e34b92882a51dc89da88464b8c751a9d93a03124 https://github.com/phpbb/phpbb/commit/74950559074d738733ac1258b07912f9ca14203a
+Reviewed-by: Andreas Fischer <bantu@phpbb.com>, Nils Adermann <naderman@naderman.de>
+Last-Update: 2015-02-01
+--- a/includes/startup.php
++++ b/includes/startup.php
+@@ -113,6 +113,54 @@
+ unset($input);
+ }
+
++/**
++ * Check if requested page uses a trailing path
++ *
++ * @param string $phpEx PHP extension
++ *
++ * @return bool True if trailing path is used, false if not
++ */
++function phpbb_has_trailing_path($phpEx)
++{
++ // Check if path_info is being used
++ if (!empty($_SERVER['PATH_INFO']) || (!empty($_SERVER['ORIG_PATH_INFO']) && $_SERVER['SCRIPT_NAME'] != $_SERVER['ORIG_PATH_INFO']))
++ {
++ return true;
++ }
++
++ // Match any trailing path appended to a php script in the REQUEST_URI.
++ // It is assumed that only actual PHP scripts use names like foo.php. Due
++ // to this, any phpBB board inside a directory that has the php extension
++ // appended to its name will stop working, i.e. if the board is at
++ // example.com/phpBB/test.php/ or example.com/test.php/
++ if (preg_match('#^[^?]+\.' . preg_quote($phpEx, '#') . '/#', $_SERVER['REQUEST_URI']))
++ {
++ return true;
++ }
++
++ return false;
++}
++
++// Check if trailing path is used
++if (phpbb_has_trailing_path($phpEx))
++{
++ if (substr(strtolower(@php_sapi_name()), 0, 3) === 'cgi')
++ {
++ $prefix = 'Status:';
++ }
++ else if (!empty($_SERVER['SERVER_PROTOCOL']))
++ {
++ $prefix = $_SERVER['SERVER_PROTOCOL'];
++ }
++ else
++ {
++ $prefix = 'HTTP/1.0';
++ }
++ header("$prefix 404 Not Found", true, 404);
++ echo 'Trailing paths and PATH_INFO is not supported by phpBB 3.0';
++ exit;
++}
++
+ // Register globals and magic quotes have been dropped in PHP 5.4
+ if (version_compare(PHP_VERSION, '5.4.0-dev', '>='))
+ {
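Review bot: The DEP-3 header does not match the change it ships. The file is named fix_CVE-2015-1431.patch and the code rejects trailing paths in includes/startup.php, yet the Description body describes a CSRF on the private-message full-folder setting and is tagged `[CVE-2015-1432]`. That text appears to be copied from a sibling patch; the long description should describe the trailing-path / PATH_INFO rejection and the tag should read `[CVE-2015-1431]`, otherwise anyone auditing the package by its patch headers records the wrong fix. In the new code, `phpbb_has_trailing_path()` reads `$_SERVER['REQUEST_URI']` without checking that it is set, so a SAPI that does not provide it raises a notice and the URI check is skipped; `isset($_SERVER['REQUEST_URI']) && preg_match(...)` would make that case explicit. The `ORIG_PATH_INFO` test compares with `!=`, and `!==` would avoid PHP's loose string comparison, though both code changes diverge from the upstream commits and are best proposed there.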