rpms/sahana/EL-5 sahana.patch, NONE, 1.1 import.log, 1.2, 1.3 sahana.spec, 1.2, 1.3

David Nalley ke4qqq at fedoraproject.org
Thu Oct 22 02:19:52 UTC 2009


Author: ke4qqq

Update of /cvs/pkgs/rpms/sahana/EL-5
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv4607/EL-5

Modified Files:
	import.log sahana.spec 
Added Files:
	sahana.patch 
Log Message:
* Wed Oct 21 2009 David Nalley <david at gnsa.us> 0.6.2.2-6
- fixed security issue noted in bz 530255



sahana.patch:
 index.php |   25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

--- NEW FILE sahana.patch ---
--- www/index.php	2007-12-10 05:04:15.000000000 -0500
+++ www/index.php	2009-10-21 21:40:00.823878649 -0400
@@ -92,11 +92,31 @@ if (!file_exists($APPROOT.'conf/sysconf.
 
 }
 
-// === cleans the GET and POST ===
+// === cleans the GET and POST and REQUEST ===
 function shn_main_clean_getpost()
 {
 
 	$purifier = new HTMLPurifier();
+	
+        foreach ($_REQUEST as $key=>$val){
+                if(is_array($_REQUEST[$key])==true){
+                
+                }else{
+                        $val = $purifier->purify($val);
+                        $val=escapeHTML($val);
+                        $_REQUEST[$key]=$val;
+                }
+        }        
+
+        foreach ($_GET as $key=>$val){
+                if(is_array($_GET[$key])==true){
+                
+                }else{
+                        $val = $purifier->purify($val);
+                        $val=escapeHTML($val);
+                        $_GET[$key]=$val;
+                }
+        }
 
 	foreach ($_POST as $key=>$val){
 		if(is_array($_POST[$key])==true){
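Review bot: The `is_array` branch in both added loops is empty, so array-valued parameters in `$_REQUEST` and `$_GET` are never passed through the purifier and reach the modules unchanged; the new loops copy that gap from the existing `$_POST` loop whose start is the last context line of this hunk. A recursive walk over each superglobal with one named callback purifies every leaf in one place (a named function rather than a closure, since the EL-5 branch this patch is built for predates PHP 5.3 closures); the existing `$_POST` loop, which continues past the hunk, could then be dropped in favour of the same call. As a point of style, the empty branch with `==true` reads more directly inverted, `if (!is_array($val)) { … }`, and the added lines are indented with eight spaces where the surrounding function uses tabs. shn_main_clean_getpost continues beyond the end of the hunk.
```php
// purify one scalar leaf in place; callback for array_walk_recursive below
function shn_main_purify_leaf(&$val, $key, $purifier)
{
	$val = escapeHTML($purifier->purify($val));
}

function shn_main_clean_getpost()
{
	$purifier = new HTMLPurifier();

	// walk every leaf, including values nested inside array-valued parameters
	array_walk_recursive($_REQUEST, 'shn_main_purify_leaf', $purifier);
	array_walk_recursive($_GET, 'shn_main_purify_leaf', $purifier);
	array_walk_recursive($_POST, 'shn_main_purify_leaf', $purifier);
	// … unchanged: remainder of shn_main_clean_getpost …
```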
@@ -164,6 +184,9 @@ function shn_main_front_controller()
 	// check the users access permissions for this action
 	$module_function = 'shn_'.$stream_.$module.'_'.$action;
 
+	// fixes the security vulnerability associated with null characters in the $module string
+	$module = str_replace("\0", "", $module);
+
 	// include the correct module file based on action and module
 	$module_file = $APPROOT.'mod/'.$module.'/main.inc';
 
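Review bot: The added `str_replace` on `$module` runs after `$module_function` has already been built from the raw value on the line just above it, so the permission-check name and the include path are derived from two different strings; moving the `str_replace` above the `$module_function` assignment keeps them consistent. The stripped value is still concatenated straight into `$APPROOT.'mod/'.$module.'/main.inc'`, and nothing rejects directory separators or `..` in it, so the fix covers only the NUL-byte case of the same problem. Validating `$module` once against a fixed character class before either use, with `preg_match('/^[A-Za-z0-9_]+$/', $module)`, and falling back to the application's default module on failure closes the rest of it. shn_main_front_controller starts before this hunk.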


Index: import.log
===================================================================
RCS file: /cvs/pkgs/rpms/sahana/EL-5/import.log,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -p -r1.2 -r1.3
--- import.log	1 Apr 2009 17:51:17 -0000	1.2
+++ import.log	22 Oct 2009 02:19:52 -0000	1.3
@@ -1,2 +1,3 @@
 sahana-0_6_2_2-3_fc10:EL-5:sahana-0.6.2.2-3.fc10.src.rpm:1238605197
 sahana-0_6_2_2-4_fc10:EL-5:sahana-0.6.2.2-4.fc10.src.rpm:1238608186
+sahana-0_6_2_2-6_fc11:EL-5:sahana-0.6.2.2-6.fc11.src.rpm:1256178063


Index: sahana.spec
===================================================================
RCS file: /cvs/pkgs/rpms/sahana/EL-5/sahana.spec,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -p -r1.2 -r1.3
--- sahana.spec	1 Apr 2009 17:51:17 -0000	1.2
+++ sahana.spec	22 Oct 2009 02:19:52 -0000	1.3
@@ -3,7 +3,7 @@
 
 Name: sahana
 Version: 0.6.2.2
-Release: 4%{?dist}
+Release: 6%{?dist}
 Summary: Sahana is a free open source disaster management application
 Group:	Applications/Publishing
 License: LGPLv2+
@@ -11,6 +11,7 @@ URL: http://www.sahana.lk/
 Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz 
 #URL for source is http://code.zikula.org/core/downloads/99
 Source1: sahana.conf
+Patch0:  sahana.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildArch: noarch
 BuildRequires: dos2unix
@@ -38,7 +39,7 @@ semanage fcontext -a -t httpd_var_run_t 
 
 %prep
 %setup -qn %{name} 
-
+%patch0 -p0
 %build
 #nothing really for this section but rpmbuild complains if build is empty
 
@@ -108,6 +109,12 @@ symlinks -crs /usr/share/sahana >/dev/nu
 
 
 %changelog
+* Wed Oct 21 2009 David Nalley <david at gnsa.us> 0.6.2.2-6
+- fixed security issue noted in bz 530255
+
+* Sun Jul 26 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 0.6.2.2-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
 * Wed Apr 01 2009 David Nalley <david at gnsa.us> 0.6.2.2-4
 - removed -executable predicate from find so it will build on EL-5 and F-9
 * Tue Mar 31 2009 David Nalley <david at gnsa.us> 0.6.2.2-3



