[Pkg-php-commits] [php/debian-etch] CVE-2008-5814: XSS vulnerability via display_errors
Sean Finney
seanius at debian.org
Tue Apr 28 12:15:45 UTC 2009
(cherry-picked from a71a80d0465f4e82210559c51217f03057c7e028)
this was taken from the ubuntu hardy security update.
Closes: #523028
Conflicts:
debian/patches/series
---
debian/patches/CVE-2008-5814.patch | 22 ++++++++++++++++++++++
1 files changed, 22 insertions(+), 0 deletions(-)
create mode 100644 debian/patches/CVE-2008-5814.patch
diff --git a/debian/patches/CVE-2008-5814.patch b/debian/patches/CVE-2008-5814.patch
new file mode 100644
index 0000000..f297ae4
--- /dev/null
+++ b/debian/patches/CVE-2008-5814.patch
@@ -0,0 +1,22 @@
+#
+# Description: fix cross-site scripting vulnerability when display_errors is enabled.
+# Patch: http://viewcvs.php.net/viewvc.cgi/php-src/ext/standard/head.c?r1=1.84.2.1.2.8&r2=1.84.2.1.2.9&pathrev=PHP_5_2
+#
+diff -Nur php5-5.2.4/ext/standard/head.c php5-5.2.4.new/ext/standard/head.c
+--- php5-5.2.4/ext/standard/head.c 2007-02-25 21:12:36.000000000 -0500
++++ php5-5.2.4.new/ext/standard/head.c 2009-04-15 13:31:00.000000000 -0400
+@@ -69,12 +69,12 @@
+ int result;
+
+ if (name && strpbrk(name, "=,; \t\r\n\013\014") != NULL) { /* man isspace for \013 and \014 */
+- zend_error( E_WARNING, "Cookie names can not contain any of the folllowing '=,; \\t\\r\\n\\013\\014' (%s)", name );
++ zend_error( E_WARNING, "Cookie names can not contain any of the folllowing '=,; \\t\\r\\n\\013\\014'" );
+ return FAILURE;
+ }
+
+ if (!url_encode && value && strpbrk(value, ",; \t\r\n\013\014") != NULL) { /* man isspace for \013 and \014 */
+- zend_error( E_WARNING, "Cookie values can not contain any of the folllowing ',; \\t\\r\\n\\013\\014' (%s)", value );
++ zend_error( E_WARNING, "Cookie values can not contain any of the folllowing ',; \\t\\r\\n\\013\\014'" );
+ return FAILURE;
+ }
+
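Review bot: The two rewritten `zend_error` calls in the embedded head.c hunk drop the `(%s)` argument but leave no marker of why, so a later maintainer could restore the cookie name or value to the message for debugging and reintroduce the reflection. I would add a short comment above each call, e.g. `/* do not echo name/value: the message is written into the page when display_errors is on (CVE-2008-5814) */`. The warning also no longer says which cookie was rejected, which makes log triage harder; if that detail is wanted back, it should be added only in escaped form, never as the raw string. The enclosing function starts and ends outside the hunk, so any other messages in it that include caller-supplied strings cannot be checked from here.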
--
1.5.6.5