authorAaron Walker <ka0ttic@gentoo.org>2005-03-11 17:43:26 +0000
committerAaron Walker <ka0ttic@gentoo.org>2005-03-11 17:43:26 +0000
commitd64cd795665ada61ad466e200290eb5be8be0d38 (patch)
tree25112b86100d44e3387b7ccc47344feb8a598077 /www-apps/xoops/files
parentne version (diff)
downloadhistorical-d64cd795665ada61ad466e200290eb5be8be0d38.tar.gz
historical-d64cd795665ada61ad466e200290eb5be8be0d38.tar.bz2
historical-d64cd795665ada61ad466e200290eb5be8be0d38.zip
Version bump; added patch to fix weak file extension validation (see bug 84570) until upstream releases a new version.
Package-Manager: portage-2.0.51.19
Diffstat (limited to 'www-apps/xoops/files')
-rw-r--r--www-apps/xoops/files/digest-xoops-2.0.9.21
-rw-r--r--www-apps/xoops/files/xoops-2.0.9.2-fix-file-ext-validation.diff273
2 files changed, 274 insertions, 0 deletions
diff --git a/www-apps/xoops/files/digest-xoops-2.0.9.2 b/www-apps/xoops/files/digest-xoops-2.0.9.2
new file mode 100644
index 000000000000..2381276bf7f5
--- /dev/null
+++ b/www-apps/xoops/files/digest-xoops-2.0.9.2
@@ -0,0 +1 @@
+MD5 10c620da751aa1b709b2b6f7985021c2 xoops-2.0.9.2.tar.gz 1118423
diff --git a/www-apps/xoops/files/xoops-2.0.9.2-fix-file-ext-validation.diff b/www-apps/xoops/files/xoops-2.0.9.2-fix-file-ext-validation.diff
new file mode 100644
index 000000000000..3e3335fc574e
--- /dev/null
+++ b/www-apps/xoops/files/xoops-2.0.9.2-fix-file-ext-validation.diff
@@ -0,0 +1,273 @@
+diff --exclude='*~' -urN xoops-2.0.9.2.orig/html/class/mimetypes.inc.php xoops-2.0.9.2/html/class/mimetypes.inc.php
+--- xoops-2.0.9.2.orig/html/class/mimetypes.inc.php 1969-12-31 19:00:00.000000000 -0500
++++ xoops-2.0.9.2/html/class/mimetypes.inc.php 2005-03-11 12:37:12.081298241 -0500
+@@ -0,0 +1,117 @@
++<?php
++/**
++* Extension to mimetype lookup table
++*
++* This file is provided as an helper for objects who need to perform filename to mimetype translations.
++* Common types have been provided, but feel free to add your own one if you need it.
++* <br /><br />
++* See the enclosed file LICENSE for licensing information.
++* If you did not receive this file, get it at http://www.fsf.org/copyleft/gpl.html
++*
++* @copyright The Xoops project http://www.xoops.org/
++* @license http://www.fsf.org/copyleft/gpl.html GNU public license
++* @author Skalpa Keo <skalpa@xoops.org>
++* @since 2.0.9.3
++*/
++return array(
++ "hqx" => "application/mac-binhex40",
++ "doc" => "application/msword",
++ "dot" => "application/msword",
++ "bin" => "application/octet-stream",
++ "lha" => "application/octet-stream",
++ "lzh" => "application/octet-stream",
++ "exe" => "application/octet-stream",
++ "class" => "application/octet-stream",
++ "so" => "application/octet-stream",
++ "dll" => "application/octet-stream",
++ "pdf" => "application/pdf",
++ "ai" => "application/postscript",
++ "eps" => "application/postscript",
++ "ps" => "application/postscript",
++ "smi" => "application/smil",
++ "smil" => "application/smil",
++ "wbxml" => "application/vnd.wap.wbxml",
++ "wmlc" => "application/vnd.wap.wmlc",
++ "wmlsc" => "application/vnd.wap.wmlscriptc",
++ "xla" => "application/vnd.ms-excel",
++ "xls" => "application/vnd.ms-excel",
++ "xlt" => "application/vnd.ms-excel",
++ "ppt" => "application/vnd.ms-powerpoint",
++ "csh" => "application/x-csh",
++ "dcr" => "application/x-director",
++ "dir" => "application/x-director",
++ "dxr" => "application/x-director",
++ "spl" => "application/x-futuresplash",
++ "gtar" => "application/x-gtar",
++ "php" => "application/x-httpd-php",
++ "php3" => "application/x-httpd-php",
++ "php5" => "application/x-httpd-php",
++ "phtml" => "application/x-httpd-php",
++ "js" => "application/x-javascript",
++ "sh" => "application/x-sh",
++ "swf" => "application/x-shockwave-flash",
++ "sit" => "application/x-stuffit",
++ "tar" => "application/x-tar",
++ "tcl" => "application/x-tcl",
++ "xhtml" => "application/xhtml+xml",
++ "xht" => "application/xhtml+xml",
++ "xhtml" => "application/xml",
++ "ent" => "application/xml-external-parsed-entity",
++ "dtd" => "application/xml-dtd",
++ "mod" => "application/xml-dtd",
++ "gz" => "application/x-gzip",
++ "zip" => "application/zip",
++ "au" => "audio/basic",
++ "snd" => "audio/basic",
++ "mid" => "audio/midi",
++ "midi" => "audio/midi",
++ "kar" => "audio/midi",
++ "mp1" => "audio/mpeg",
++ "mp2" => "audio/mpeg",
++ "mp3" => "audio/mpeg",
++ "aif" => "audio/x-aiff",
++ "aiff" => "audio/x-aiff",
++ "m3u" => "audio/x-mpegurl",
++ "ram" => "audio/x-pn-realaudio",
++ "rm" => "audio/x-pn-realaudio",
++ "rpm" => "audio/x-pn-realaudio-plugin",
++ "ra" => "audio/x-realaudio",
++ "wav" => "audio/x-wav",
++ "bmp" => "image/bmp",
++ "gif" => "image/gif",
++ "jpeg" => "image/jpeg",
++ "jpg" => "image/jpeg",
++ "jpe" => "image/jpeg",
++ "png" => "image/png",
++ "tiff" => "image/tiff",
++ "tif" => "image/tif",
++ "wbmp" => "image/vnd.wap.wbmp",
++ "pnm" => "image/x-portable-anymap",
++ "pbm" => "image/x-portable-bitmap",
++ "pgm" => "image/x-portable-graymap",
++ "ppm" => "image/x-portable-pixmap",
++ "xbm" => "image/x-xbitmap",
++ "xpm" => "image/x-xpixmap",
++ "ics" => "text/calendar",
++ "ifb" => "text/calendar",
++ "css" => "text/css",
++ "html" => "text/html",
++ "htm" => "text/html",
++ "asc" => "text/plain",
++ "txt" => "text/plain",
++ "rtf" => "text/rtf",
++ "sgml" => "text/x-sgml",
++ "sgm" => "text/x-sgml",
++ "tsv" => "text/tab-seperated-values",
++ "wml" => "text/vnd.wap.wml",
++ "wmls" => "text/vnd.wap.wmlscript",
++ "xsl" => "text/xml",
++ "mpeg" => "video/mpeg",
++ "mpg" => "video/mpeg",
++ "mpe" => "video/mpeg",
++ "qt" => "video/quicktime",
++ "mov" => "video/quicktime",
++ "avi" => "video/x-msvideo",
++);
++
++?>
+diff --exclude='*~' -urN xoops-2.0.9.2.orig/html/class/uploader.php xoops-2.0.9.2/html/class/uploader.php
+--- xoops-2.0.9.2.orig/html/class/uploader.php 2005-03-11 12:34:09.527394373 -0500
++++ xoops-2.0.9.2/html/class/uploader.php 2005-03-11 12:38:27.795812193 -0500
+@@ -84,11 +84,17 @@
+ */
+ class XoopsMediaUploader
+ {
++ /**
++ * Flag indicating if unrecognized mimetypes should be allowed (use with precaution ! may lead to security issues )
++ **/
++ var $allowUnknownTypes = false;
++
+ var $mediaName;
+ var $mediaType;
+ var $mediaSize;
+ var $mediaTmpName;
+ var $mediaError;
++ var $mediaRealType = '';
+
+ var $uploadDir = '';
+
+@@ -97,7 +103,7 @@
+ var $maxFileSize = 0;
+ var $maxWidth;
+ var $maxHeight;
+-
++
+ var $targetFileName;
+
+ var $prefix;
+@@ -108,9 +114,12 @@
+
+ var $savedFileName;
+
++
++ var $extensionToMime = array();
++
+ /**
+ * Constructor
+- *
++ *
+ * @param string $uploadDir
+ * @param array $allowedMimeTypes
+ * @param int $maxFileSize
+@@ -118,8 +127,13 @@
+ * @param int $maxHeight
+ * @param int $cmodvalue
+ **/
+- function XoopsMediaUploader($uploadDir, $allowedMimeTypes, $maxFileSize, $maxWidth=null, $maxHeight=null)
++ function XoopsMediaUploader($uploadDir, $allowedMimeTypes, $maxFileSize=0, $maxWidth=null, $maxHeight=null)
+ {
++ @$this->extensionToMime = include( XOOPS_ROOT_PATH . '/class/mimetypes.inc.php' );
++ if ( !is_array( $this->extensionToMime ) ) {
++ $this->extensionToMime = array();
++ return false;
++ }
+ if (is_array($allowedMimeTypes)) {
+ $this->allowedMimeTypes =& $allowedMimeTypes;
+ }
+@@ -135,14 +149,18 @@
+
+ /**
+ * Fetch the uploaded file
+- *
++ *
+ * @param string $media_name Name of the file field
+ * @param int $index Index of the file (if more than one uploaded under that name)
+ * @return bool
+ **/
+ function fetchMedia($media_name, $index = null)
+ {
+- if (!isset($_FILES[$media_name])) {
++ if ( empty( $this->extensionToMime ) ) {
++ $this->setErrors( 'Error loading mimetypes definition' );
++ return false;
++ }
++ if (!isset($_FILES[$media_name])) {
+ $this->setErrors('File not found');
+ return false;
+ } elseif (is_array($_FILES[$media_name]['name']) && isset($index)) {
+@@ -161,6 +179,14 @@
+ $this->mediaTmpName = $media_name['tmp_name'];
+ $this->mediaError = !empty($media_name['error']) ? $media_name['error'] : 0;
+ }
++ if ( ($ext = strrpos( $this->mediaName, '.' )) !== false ) {
++ $ext = substr( $this->mediaName, $ext + 1 );
++ if ( isset( $this->extensionToMime[$ext] ) ) {
++ $this->mediaRealType = $this->extensionToMime[$ext];
++ trigger_error( "XoopsMediaUploader: Set mediaRealType to {$this->mediaRealType} (file extension is $ext)", E_USER_NOTICE );
++ }
++ }
++
+ $this->errors = array();
+ if (intval($this->mediaSize) < 0) {
+ $this->setErrors('Invalid File Size');
+@@ -170,10 +196,6 @@
+ $this->setErrors('Filename Is Empty');
+ return false;
+ }
+- if ( preg_match( '/\.(php|cgi|pl|py|asp)$/i', $this->mediaName ) ) {
+- $this->setErrors('Filename rejected');
+- return false;
+- }
+ if ($this->mediaTmpName == 'none' || !is_uploaded_file($this->mediaTmpName)) {
+ $this->setErrors('No file uploaded');
+ return false;
+@@ -380,20 +402,19 @@
+ }
+
+ /**
+- * Is the file the right Mime type
+- *
+- * (is there a right type of mime? ;-)
+- *
++ * Check whether or not the uploaded file type is allowed
++ *
+ * @return bool
+ **/
+ function checkMimeType()
+ {
+- if (count($this->allowedMimeTypes) > 0 && !in_array($this->mediaType, $this->allowedMimeTypes)) {
+- return false;
+- } else {
+- return true;
+- }
+- }
++ if ( empty( $this->mediaRealType ) && !$this->allowUnknownTypes ) {
++ $this->setErrors( 'Unknown filetype rejected' );
++ return false;
++ }
++
++ return ( empty($this->allowedMimeTypes) || in_array($this->mediaRealType, $this->allowedMimeTypes) );
++ }
+
+ /**
+ * Add an error
+@@ -407,7 +428,7 @@
+
+ /**
+ * Get generated errors
+- *
++ *
+ * @param bool $ashtml Format using HTML?
+ *
+ * @return array|string Array of array messages OR HTML string
+@@ -428,4 +449,4 @@
+ }
+ }
+ }
+-?>
+\ No newline at end of file
++?>
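Review bot: Dropping the `.php|cgi|pl|py|asp` filename rejection (the three `-` lines after the `'Filename Is Empty'` check) while the new lookup table maps `php`, `php3`, `php5`, `phtml`, `sh` and `csh` to known types means `checkMimeType()` now returns true for a `.php` upload whenever `$this->allowedMimeTypes` is left empty, because the new return line short-circuits on `empty($this->allowedMimeTypes)`; the old code rejected those names unconditionally. The extension extracted with `strrpos`/`substr` is also matched case-sensitively against the lowercase table keys, so a `.PHP` name is rejected only as "unknown", a rejection that `$allowUnknownTypes` switches off. I would keep the original guard after the extension lookup, `if (preg_match('/\.(php|cgi|pl|py|asp)$/i', $this->mediaName)) { $this->setErrors('Filename rejected'); return false; }`, and pass `true` as the third argument of `in_array` in `checkMimeType()` so a non-string entry in the allow list cannot loosely match. Separately, the table defines `"xhtml"` twice (the second entry, mapped to `application/xml`, silently overwrites the first and was presumably meant to be `"xml"`), and `"tif" => "image/tif"` and `text/tab-seperated-values` look like typos. `fetchMedia()` begins and ends outside the shown hunks of uploader.php, while `checkMimeType()` is shown in full.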