From a8c22829d8e8845cd4ddf4ef8b61a1ed79edfffc Mon Sep 17 00:00:00 2001 From: Olivier Gayot Date: Mon, 12 Mar 2018 22:57:42 +0100 Subject: Imported from the SVN repository http://svn.wolffelaar.nl/wsvn/phpbb/branches/jessie/ Signed-off-by: Olivier Gayot --- debian/patches/fix_CVE-2015-1431.patch | 70 ++++++++++++++++++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 debian/patches/fix_CVE-2015-1431.patch (limited to 'debian/patches/fix_CVE-2015-1431.patch') diff --git a/debian/patches/fix_CVE-2015-1431.patch b/debian/patches/fix_CVE-2015-1431.patch new file mode 100644 index 0000000..3153ad3 --- /dev/null +++ b/debian/patches/fix_CVE-2015-1431.patch @@ -0,0 +1,70 @@ +Description: Explicitly disallow trailing paths + CSRF potentially allowing an attacker to modify the private message + setting that determines how full folders are handled (i.e. whether to + delete the oldest message or hold the new message until further space + is available). + [CVE-2015-1432] +Author: Marc Alexander +Origin: upstream, https://www.phpbb.com/community/viewtopic.php?f=14&t=2291456 +Bug: https://tracker.phpbb.com/browse/PHPBB3-13531, https://tracker.phpbb.com/browse/PHPBB3-13549 +Bug-Debian: https://bugs.debian.org/776699 +Applied-Upstream: commit, https://github.com/phpbb/phpbb/commit/4b9434bf1ba4c015da11309602cfccf1a9c2493c https://github.com/phpbb/phpbb/commit/e34b92882a51dc89da88464b8c751a9d93a03124 https://github.com/phpbb/phpbb/commit/74950559074d738733ac1258b07912f9ca14203a +Reviewed-by: Andreas Fischer , Nils Adermann +Last-Update: 2015-02-01 +--- a/includes/startup.php ++++ b/includes/startup.php +@@ -113,6 +113,54 @@ + unset($input); + } + ++/** ++ * Check if requested page uses a trailing path ++ * ++ * @param string $phpEx PHP extension ++ * ++ * @return bool True if trailing path is used, false if not ++ */ ++function phpbb_has_trailing_path($phpEx) ++{ ++ // Check if path_info is being used ++ if (!empty($_SERVER['PATH_INFO']) || (!empty($_SERVER['ORIG_PATH_INFO']) && $_SERVER['SCRIPT_NAME'] != $_SERVER['ORIG_PATH_INFO'])) ++ { ++ return true; ++ } ++ ++ // Match any trailing path appended to a php script in the REQUEST_URI. ++ // It is assumed that only actual PHP scripts use names like foo.php. Due ++ // to this, any phpBB board inside a directory that has the php extension ++ // appended to its name will stop working, i.e. if the board is at ++ // example.com/phpBB/test.php/ or example.com/test.php/ ++ if (preg_match('#^[^?]+\.' . preg_quote($phpEx, '#') . '/#', $_SERVER['REQUEST_URI'])) ++ { ++ return true; ++ } ++ ++ return false; ++} ++ ++// Check if trailing path is used ++if (phpbb_has_trailing_path($phpEx)) ++{ ++ if (substr(strtolower(@php_sapi_name()), 0, 3) === 'cgi') ++ { ++ $prefix = 'Status:'; ++ } ++ else if (!empty($_SERVER['SERVER_PROTOCOL'])) ++ { ++ $prefix = $_SERVER['SERVER_PROTOCOL']; ++ } ++ else ++ { ++ $prefix = 'HTTP/1.0'; ++ } ++ header("$prefix 404 Not Found", true, 404); ++ echo 'Trailing paths and PATH_INFO is not supported by phpBB 3.0'; ++ exit; ++} ++ + // Register globals and magic quotes have been dropped in PHP 5.4 + if (version_compare(PHP_VERSION, '5.4.0-dev', '>=')) + { -- cgit v1.2.3