cpet/freebsd-ports
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

- Update patch for more strict untainting.

Browse Source 
Reported by:	Geraint Edwards <gedge@yadn.org>
Obtained from:	http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=409731
This commit is contained in:
Jun Kuriyama 2010-01-20 01:21:26 +00:00
parent e2f360f7fb
commit 3eea4ba0fb
Notes: svn2git 2021-03-31 03:12:20 +00:00 
svn path=/head/; revision=248184
2 changed files with 30 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
security/p5-Authen-Captcha/Makefile
View File

@ -7,7 +7,7 @@
PORTNAME= Authen-Captcha PORTNAME= Authen-Captcha
PORTVERSION= 1.023 PORTVERSION= 1.023
PORTREVISION= 4 PORTREVISION= 5
CATEGORIES= security perl5 CATEGORIES= security perl5
MASTER_SITES= CPAN MASTER_SITES= CPAN
PKGNAMEPREFIX= p5- PKGNAMEPREFIX= p5-

40
security/p5-Authen-Captcha/files/patch-Captcha.pm
View File

@ -1,6 +1,6 @@
--- Captcha.pm.orig Mon May 10 10:58:05 2004 --- Captcha.pm.orig 2003-12-18 13:44:34.000000000 +0900
+++ Captcha.pm Mon May 10 11:06:24 2004 +++ Captcha.pm 2010-01-19 18:52:23.656183439 +0900
@@ -65,6 +65,7 @@ sub new @@ -65,6 +65,7 @@
my $keep_failures = (defined($opts{keep_failures}) && $opts{keep_failures}) my $keep_failures = (defined($opts{keep_failures}) && $opts{keep_failures})
? 1 : 0; ? 1 : 0;
$self->keep_failures($keep_failures); $self->keep_failures($keep_failures);
@ -8,7 +8,7 @@
# create a random seed if perl version less than 5.004 # create a random seed if perl version less than 5.004
if ($] < 5.005) if ($] < 5.005)
@@ -193,6 +194,18 @@ sub data_folder @@ -193,6 +194,18 @@
} }
} }
@ -27,7 +27,7 @@
sub check_code sub check_code
{ {
@@ -214,7 +227,7 @@ sub check_code @@ -214,7 +227,7 @@
# they could be confused with (o) and (l), so we swap them in # they could be confused with (o) and (l), so we swap them in
$code =~ tr/01/ol/; $code =~ tr/01/ol/;
@ -36,7 +36,25 @@
# pull in current database # pull in current database
warn "Open File: $database_file\n" if($self->debug() >= 2); warn "Open File: $database_file\n" if($self->debug() >= 2);
@@ -490,7 +503,7 @@ sub generate_code @@ -232,7 +245,7 @@
foreach my $line (@data)
{
$line =~ s/\n//;
- my ($data_time,$data_code) = split(/::/,$line);
+ my ($data_time,$data_code) = $line =~ m/(^\d+)::([[:xdigit:]]{32})$/;
my $png_file = File::Spec->catfile($self->output_folder(),$data_code . ".png");
if ($data_code eq $crypt)
@@ -351,7 +364,7 @@
foreach my $line (@data)
{
$line =~ s/\n//;
- my ($data_time,$data_code) = split(/::/,$line);
+ my ($data_time,$data_code) = $line =~ m/(^\d+)::([[:xdigit:]]{32})$/;
if ( (($current_time - $data_time) > ($self->expire())) ||
($data_code eq $md5) )
{ # remove expired captcha, or a dup
@@ -490,7 +503,7 @@
my $length = shift; my $length = shift;
my $code = $self->generate_random_string($length); my $code = $self->generate_random_string($length);
@ -45,7 +63,7 @@
my ($captcha_data_ref,$output_filename); my ($captcha_data_ref,$output_filename);
if ($self->type() eq 'image') if ($self->type() eq 'image')
@@ -625,6 +638,7 @@ See the method descriptions for more det @@ -625,6 +638,7 @@
height => 35, # optional. default 35 height => 35, # optional. default 35
images_folder => '/some/folder', # optional. default to lib dir images_folder => '/some/folder', # optional. default to lib dir
keep_failures => 0, # optional, defaults to 0(false) keep_failures => 0, # optional, defaults to 0(false)
@ -53,11 +71,10 @@
debug => 0, # optional. default 0 debug => 0, # optional. default 0
=back =back
@@ -694,6 +708,14 @@ Optional. Number of pixels wide for the @@ -695,6 +709,14 @@
=item C<$captcha-E<gt>keep_failures( [0|1] );>
Optional. Defaults to zero. This option controls whether or not the captcha will remain valid after a failed attempt. By default, we only allow one attempt to solve it. This greatly reduces the possibility that a bot could brute force a correct answer. Change it at your own risk. Optional. Defaults to zero. This option controls whether or not the captcha will remain valid after a failed attempt. By default, we only allow one attempt to solve it. This greatly reduces the possibility that a bot could brute force a correct answer. Change it at your own risk.
+
+=item C<$captcha-E<gt>secret( "SuperSecret" );> +=item C<$captcha-E<gt>secret( "SuperSecret" );>
+ +
+Optional. Defaults to an empty string. This option is meant to prevent +Optional. Defaults to an empty string. This option is meant to prevent
@ -65,6 +82,7 @@
+valid codes and comparing them with the image file name. Obviously, the +valid codes and comparing them with the image file name. Obviously, the
+secret should be the same for creating and checking the captcha. It is a +secret should be the same for creating and checking the captcha. It is a
+good idea to set it to something else than the default. +good idea to set it to something else than the default.
+
=item C<$captcha-E<gt>debug( [0|1|2] );> =item C<$captcha-E<gt>debug( [0|1|2] );>
Optional.