fix cross-site scripting bug, pointed out by viq. fix (adapted from

upstream repo) requires php>=5.2 so tighten RUN_DEPENDS accordingly. http://secunia.com/advisories/41283
2010-09-14 12:32:42 +00:00 · 2010-09-14 12:32:42 +00:00 · 8bcc0b5372
commit 8bcc0b5372
parent 56e01aaf81
2 changed files with 18 additions and 3 deletions
--- a/www/horde/horde/Makefile
+++ b/www/horde/horde/Makefile
@ -1,10 +1,10 @@
-# $OpenBSD: Makefile,v 1.4 2010/08/30 13:33:40 sthen Exp $ 
+# $OpenBSD: Makefile,v 1.5 2010/09/14 12:32:42 sthen Exp $ 

 COMMENT=	modular framework for web-based applications

 # LGPLv2
 DISTNAME=	horde-3.3.8
-REVISION=	0
+REVISION=	1
 CATEGORIES=	devel
 MASTER_SITES=	${HORDE_SITES:=horde/}
 HOMEPAGE=	http://www.horde.org/
@ -27,7 +27,7 @@ RUN_DEPENDS+=	::databases/pear-DB \
 		::www/pear-HTTP-WebDAV-Server \
 		::www/pear-SOAP \
 		::www/pecl-geoip \
-		::www/php5/core \
+		:php5-core->=5.2.0:www/php5/core \
 		::www/php5/extensions,-gd \
 		::www/php5/extensions,-mbstring \
 		::www/php5/extensions,-mcrypt \
--- a/www/horde/horde/patches/patch-util_icon_browser_php
+++ b/www/horde/horde/patches/patch-util_icon_browser_php
@ -0,0 +1,15 @@
+$OpenBSD: patch-util_icon_browser_php,v 1.1 2010/09/14 12:32:42 sthen Exp $
+
+http://secunia.com/advisories/41283, adapted from code in git repo.
+
+--- util/icon_browser.php.orig	Tue Sep 14 10:19:07 2010
+++ util/icon_browser.php	Tue Sep 14 10:25:34 2010
+@@ -33,7 +33,7 @@ if (($app = basename(Util::getFormData('app'))) && iss
+         exit(sprintf(_("Base graphics directory \"%s\" not found."), $dir));
+     }
+ 
+-    if (($subdir = basename(Util::getFormData('subdir')))) {
+    if (($subdir = basename(filter_var(Util::getFormData('subdir'), FILTER_SANITIZE_STRING)))) {
+         $dir .= DIRECTORY_SEPARATOR . $subdir;
+         if (!is_dir($dir)) {
+             exit(sprintf(_("Subdirectory \"%s\" not found."), $dir));