[Pkg-drupal-commits] r1951 - in /branches/drupal-5.0/debian: changelog patches/00list patches/12_SA-2008-067.dpatch

luigi at users.alioth.debian.org luigi at users.alioth.debian.org
Fri Oct 24 21:17:12 UTC 2008


Author: luigi
Date: Fri Oct 24 21:17:12 2008
New Revision: 1951

URL: http://svn.debian.org/wsvn/pkg-drupal/?sc=1&rev=1951
Log:
Added upstream patch fixing several security vulnerabilities (Ref: SA-2008-067, CVE-TBA) (Closes: #503217)

Added:
    branches/drupal-5.0/debian/patches/12_SA-2008-067.dpatch   (with props)
Modified:
    branches/drupal-5.0/debian/changelog
    branches/drupal-5.0/debian/patches/00list

Modified: branches/drupal-5.0/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal-5.0/debian/changelog?rev=1951&op=diff
==============================================================================
--- branches/drupal-5.0/debian/changelog (original)
+++ branches/drupal-5.0/debian/changelog Fri Oct 24 21:17:12 2008
@@ -1,6 +1,10 @@
 drupal5 (5.10-3) UNRELEASED; urgency=low
 
   * NOT RELEASED YET
+
+  * debian/patches/12_SA-2008-067
+    - Added upstream patch fixing several security vulnerabilities
+      (Ref: SA-2008-067, CVE-TBA) (Closes: #503217)
 
  -- Luigi Gangitano <luigi at debian.org>  Mon, 24 Oct 2008 23:09:01 +0200
 
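Review bot: The stanza header in the first context line still reads `urgency=low`, while the added entry describes an upstream fix for several security vulnerabilities; consider raising the urgency before this is uploaded. The trailer line gives `Mon, 24 Oct 2008`, but this commit is dated Fri Oct 24 2008, so the weekday needs correcting when the entry is finalised. `CVE-TBA` should be replaced once identifiers are assigned.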

Modified: branches/drupal-5.0/debian/patches/00list
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal-5.0/debian/patches/00list?rev=1951&op=diff
==============================================================================
--- branches/drupal-5.0/debian/patches/00list (original)
+++ branches/drupal-5.0/debian/patches/00list Fri Oct 24 21:17:12 2008
@@ -1,2 +1,3 @@
 10_cronjob
 11-SA-2008-060
+12_SA-2008-067
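Review bot: The added entry `12_SA-2008-067` uses an underscore after the sequence number, while the line above it, `11-SA-2008-060`, uses a hyphen. The underscore form matches `10_cronjob` and the file name added in this commit, so the new line is consistent with the file it refers to; the mixed convention is worth tidying in a follow-up so the list reads uniformly.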

Added: branches/drupal-5.0/debian/patches/12_SA-2008-067.dpatch
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal-5.0/debian/patches/12_SA-2008-067.dpatch?rev=1951&op=file
==============================================================================
--- branches/drupal-5.0/debian/patches/12_SA-2008-067.dpatch (added)
+++ branches/drupal-5.0/debian/patches/12_SA-2008-067.dpatch Fri Oct 24 21:17:12 2008
@@ -1,0 +1,22 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 12_SA-2008-067.dpatch by Luigi Gangitano <luigi at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad drupal5~/includes/bootstrap.inc drupal5/includes/bootstrap.inc
+--- drupal5~/includes/bootstrap.inc	2008-01-11 15:01:01.000000000 +0100
++++ drupal5/includes/bootstrap.inc	2008-10-24 23:14:57.000000000 +0200
+@@ -201,6 +201,11 @@
+ 
+   $confdir = 'sites';
+   $uri = explode('/', $_SERVER['SCRIPT_NAME'] ? $_SERVER['SCRIPT_NAME'] : $_SERVER['SCRIPT_FILENAME']);
++  if (strpos($_SERVER['HTTP_HOST'], '/') !== FALSE) {
++    // A HTTP_HOST containing slashes may be an attack and is invalid.
++    header('HTTP/1.1 400 Bad Request');
++    exit;
++  }
+   $server = explode('.', implode('.', array_reverse(explode(':', rtrim($_SERVER['HTTP_HOST'], '.')))));
+   for ($i = count($uri) - 1; $i > 0; $i--) {
+     for ($j = count($server); $j > 0; $j--) {
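Review bot: The dpatch header still carries `## DP: No description.`; replace it with a short summary of the fix (reject an `HTTP_HOST` containing `/` in includes/bootstrap.inc, Ref: SA-2008-067) so the purpose is clear from the patch file alone. The log message speaks of several vulnerabilities, but this dpatch contains a single hunk against bootstrap.inc, so state in the description whether the rest of the upstream fix does not apply to this branch or is still to be added. The new `strpos()` check and the line after it both read `$_SERVER['HTTP_HOST']` without testing that it is set, which is worth confirming against requests that send no Host header.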

Propchange: branches/drupal-5.0/debian/patches/12_SA-2008-067.dpatch
------------------------------------------------------------------------------
    svn:executable = *



