Version 1.7.3 is a security maintenance release, including a previously patched file Upload class, and a new security fix to prevent possible directory traversal in certain circumstances. There are no other significant changes. Remove patched file Upload class.
Responsible Changed From-To: freebsd-ports-bugs->glarkin Over to maintainer (via the GNATS Auto Assign Tool)
Hi Bo-Yi,

I applied your patch to www/codeigniter and attempted to build it, but I got this error while trying to download the new distfile:

# make
===> WARNING: Vulnerability database out of date, checking anyway
===> License check disabled, port has not defined LICENSE
===> Found saved configuration for codeigniter-1.7.2_1
=> CodeIgniter_1.7.3.zip doesn't seem to exist in /usr/ports/distfiles/.
=> Attempting to fetch from http://codeigniter.com/download_files/.
fetch: http://codeigniter.com/download_files/CodeIgniter_1.7.3.zip: size mismatch: expected 2234093, actual 2234099

Where did you fetch your distfile from? It is 6 bytes smaller than the one on the codeigniter site. Can you post your distfile somewhere so I can download it and compare vs. the official one? I want to ensure that one of them hasn't been tampered with.

Thank you,
Greg

--
Greg Larkin
http://www.FreeBSD.org/ - The Power To Serve
http://www.sourcehosting.net/ - Ready. Set. Code.
http://twitter.com/sourcehosting/ - Follow me, follow you
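Resolving the kind of size mismatch reported above means comparing the two archives member by member, not just by length or whole-file hash. The following is an added example, not code from this PR or from the CodeIgniter project; the archive contents are constructed stand-ins for the original and re-rolled CodeIgniter_1.7.3.zip.

```python
import hashlib
import io
import zipfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def zip_manifest(archive: bytes) -> dict:
    """Map each zip member to (uncompressed size, sha256 of its content)."""
    manifest = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            manifest[info.filename] = (info.file_size, sha256_hex(zf.read(info)))
    return manifest


def compare_distfiles(expected: bytes, actual: bytes) -> dict:
    """Explain a distinfo size/hash mismatch: which members were added, removed or altered."""
    exp, act = zip_manifest(expected), zip_manifest(actual)
    return {
        "same_archive": sha256_hex(expected) == sha256_hex(actual),
        "size_delta": len(actual) - len(expected),
        "added": sorted(set(act) - set(exp)),
        "removed": sorted(set(exp) - set(act)),
        "changed": sorted(n for n in exp.keys() & act.keys() if exp[n] != act[n]),
    }


def build_zip(members: dict) -> bytes:
    """Constructed sample archive with fixed timestamps so the bytes are reproducible."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in sorted(members.items()):
            info = zipfile.ZipInfo(name, date_time=(2010, 12, 7, 10, 50, 22))
            zf.writestr(info, content)  # ZipInfo defaults to ZIP_STORED
    return buf.getvalue()


# Constructed stand-ins for the original and re-rolled distfile (not the real CodeIgniter archives)
COMMON = {"index.php": "<?php\n", "system/libraries/Upload.php": "<?php class CI_Upload {}\n"}
ORIGINAL = build_zip({**COMMON, "user_guide/index.html": "<p>1.7.3</p>\n"})
REROLLED = build_zip({**COMMON, "user_guide/index.html": "<p>1.7.3 fixed</p>\n"})

if __name__ == "__main__":
    for key, value in compare_distfiles(ORIGINAL, REROLLED).items():
        print(f"{key}: {value}")
```

A report that lists only user-guide members under "changed" supports the explanation that upstream re-rolled the documentation; any altered PHP file under system/ would instead call for a closer look before the new SHA256 is committed.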
State Changed From-To: open->analyzed Waiting for feedback about changed distfile size.
>Submitter-Id: current-users
>Originator: Bo-Yi Wu
>Organization:
>Confidential: no
>Synopsis: Re: ports/152878: [PATCH] www/codeigniter: update to 1.7.3
>Severity: non-critical
>Priority: low
>Category: ports
>Class: update
>Release: FreeBSD 7.1-RELEASE-p13 i386
>Environment:
System: FreeBSD freebsd.ee.ccu.edu.tw 7.1-RELEASE-p13 FreeBSD 7.1-RELEASE-p13 #0: Mon Jul 12 17:44:51 UTC 2010 root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386
>Description:
Sorry, I downloaded the file from the http://codeigniter.com web site, but they modified the user guide after releasing v1.7.3 and changed the download file CodeIgniter_1.7.3.zip. I updated the distinfo file; please recheck it.
>How-To-Repeat:
>Fix:
--- codeigniter.patch begins here --- diff -ruN /usr/ports/www/codeigniter/Makefile codeigniter/Makefile --- /usr/ports/www/codeigniter/Makefile 2010-11-29 16:47:03.000000000 +0800 +++ codeigniter/Makefile 2010-12-07 10:50:22.000000000 +0800 @@ -6,8 +6,7 @@ # PORTNAME= codeigniter -PORTVERSION= 1.7.2 -PORTREVISION= 1 +PORTVERSION= 1.7.3 CATEGORIES= www MASTER_SITES= http://codeigniter.com/download_files/ \ LOCAL/glarkin @@ -149,9 +148,6 @@ @${ECHO_MSG} "http://codeigniter.com/user_guide/installation/index.html" @${ECHO_MSG} "" -post-patch: - @cd ${WRKSRC} && ${RM} system/libraries/Upload.php.orig - do-install: @cd ${WRKSRC} && ${COPYTREE_SHARE} "${STD_BITS}" ${WWWDIR} @for i in ${CI_CONF_FILES}; do \ diff -ruN /usr/ports/www/codeigniter/distinfo codeigniter/distinfo --- /usr/ports/www/codeigniter/distinfo 2010-11-29 16:47:03.000000000 +0800 +++ codeigniter/distinfo 2010-12-14 09:49:48.000000000 +0800
@@ -1,3 +1,2 @@ -MD5 (CodeIgniter_1.7.2.zip) = 3ce815c3ee66933d926bb51428371a38 -SHA256 (CodeIgniter_1.7.2.zip) = bb870c1cc7297634fe44b81c5c40023c5175a3c2365da9b18a371274c09b1512 -SIZE (CodeIgniter_1.7.2.zip) = 2227891 +SHA256 (CodeIgniter_1.7.3.zip) = df207c4bf4b1a34de54f21e269cd4bffe894f1b429d12b9b040e9067dac545fe +SIZE (CodeIgniter_1.7.3.zip) = 2234099 diff -ruN /usr/ports/www/codeigniter/files/patch-system__libraries__Upload.php codeigniter/files/patch-system__libraries__Upload.php --- /usr/ports/www/codeigniter/files/patch-system__libraries__Upload.php 2010-07-22 06:26:46.000000000 +0800 +++ codeigniter/files/patch-system__libraries__Upload.php 1970-01-01 08:00:00.000000000 +0800 
@@ -1,245 +0,0 @@ ---- ./system/libraries/Upload.php.orig 2009-04-22 10:15:09.000000000 -0400 -+++ ./system/libraries/Upload.php 2010-07-12 09:16:30.000000000 -0400 -@@ -6,7 +6,7 @@ - * - * @package CodeIgniter - * @author ExpressionEngine Dev Team -- * @copyright Copyright (c) 2008 - 2009, EllisLab, Inc. -+ * @copyright Copyright (c) 2008 - 2010, EllisLab, Inc. - * @license http://codeigniter.com/user_guide/license.html - * @link http://codeigniter.com - * @since Version 1.0 -@@ -26,31 +26,33 @@ - */ - class CI_Upload { - -- var $max_size = 0; -- var $max_width = 0; -- var $max_height = 0; -- var $max_filename = 0; -- var $allowed_types = ""; -- var $file_temp = ""; -- var $file_name = ""; -- var $orig_name = ""; -- var $file_type = ""; -- var $file_size = ""; -- var $file_ext = ""; -- var $upload_path = ""; -- var $overwrite = FALSE; -- var $encrypt_name = FALSE; -- var $is_image = FALSE; -- var $image_width = ''; -- var $image_height = ''; -- var $image_type = ''; -- var $image_size_str = ''; -- var $error_msg = array(); -- var $mimes = array(); -- var $remove_spaces = TRUE; -- var $xss_clean = FALSE; -- var $temp_prefix = "temp_file_"; -- -+ var $max_size = 0; -+ var $max_width = 0; -+ var $max_height = 0; -+ var $max_filename = 0; -+ var $allowed_types = ""; -+ var $file_temp = ""; -+ var $file_name = ""; -+ var $orig_name = ""; -+ var $file_type = ""; -+ var $file_size = ""; -+ var $file_ext = ""; -+ var $upload_path = ""; -+ var $overwrite = FALSE; -+ var $encrypt_name = FALSE; -+ var $is_image = FALSE; -+ var $image_width = ''; -+ var $image_height = ''; -+ var $image_type = ''; -+ var $image_size_str = ''; -+ var $error_msg = array(); -+ var $mimes = array(); -+ var $remove_spaces = TRUE; -+ var $xss_clean = FALSE; -+ var $temp_prefix = "temp_file_"; -+ var $client_name = ''; -+ -+ var $_file_name_override = ''; - /** - * Constructor - * -@@ -101,7 +103,8 @@ - 'mimes' => array(), - 'remove_spaces' => TRUE, - 'xss_clean' => FALSE, -- 'temp_prefix' => 
"temp_file_" -+ 'temp_prefix' => "temp_file_", -+ 'client_name' => '' - ); - - -@@ -124,6 +127,10 @@ - $this->$key = $val; - } - } -+ -+ // if a file_name was provided in the config, use it instead of the user input -+ // supplied file name for all uploads until initialized again -+ $this->_file_name_override = $this->file_name; - } - - // -------------------------------------------------------------------- -@@ -187,17 +194,12 @@ - - // Set the uploaded data as class variables - $this->file_temp = $_FILES[$field]['tmp_name']; -- $this->file_name = $this->_prep_filename($_FILES[$field]['name']); -- $this->file_size = $_FILES[$field]['size']; -+ $this->file_size = $_FILES[$field]['size']; - $this->file_type = preg_replace("/^(.+?);.*$/", "\\1", $_FILES[$field]['type']); -- $this->file_type = strtolower($this->file_type); -- $this->file_ext = $this->get_extension($_FILES[$field]['name']); -- -- // Convert the file size to kilobytes -- if ($this->file_size > 0) -- { -- $this->file_size = round($this->file_size/1024, 2); -- } -+ $this->file_type = strtolower(trim(stripslashes($this->file_type), '"')); -+ $this->file_name = $this->_prep_filename($_FILES[$field]['name']); -+ $this->file_ext = $this->get_extension($this->file_name); -+ $this->client_name = $this->file_name; - - // Is the file type allowed to be uploaded? - if ( ! $this->is_allowed_filetype()) -@@ -205,6 +207,25 @@ - $this->set_error('upload_invalid_filetype'); - return FALSE; - } -+ -+ // if we're overriding, let's now make sure the new name and type is allowed -+ if ($this->_file_name_override != '') -+ { -+ $this->file_name = $this->_prep_filename($this->_file_name_override); -+ $this->file_ext = $this->get_extension($this->file_name); -+ -+ if ( ! 
$this->is_allowed_filetype(TRUE)) -+ { -+ $this->set_error('upload_invalid_filetype'); -+ return FALSE; -+ } -+ } -+ -+ // Convert the file size to kilobytes -+ if ($this->file_size > 0) -+ { -+ $this->file_size = round($this->file_size/1024, 2); -+ } - - // Is the file size within the allowed maximum? - if ( ! $this->is_allowed_filesize()) -@@ -312,6 +333,7 @@ - 'full_path' => $this->upload_path.$this->file_name, - 'raw_name' => str_replace($this->file_ext, '', $this->file_name), - 'orig_name' => $this->orig_name, -+ 'client_name' => $this->client_name, - 'file_ext' => $this->file_ext, - 'file_size' => $this->file_size, - 'is_image' => $this->is_image(), -@@ -549,43 +571,49 @@ - * @access public - * @return bool - */ -- function is_allowed_filetype() -+ function is_allowed_filetype($ignore_mime = FALSE) - { - if (count($this->allowed_types) == 0 OR ! is_array($this->allowed_types)) - { - $this->set_error('upload_no_file_types'); - return FALSE; - } -+ -+ $ext = strtolower(ltrim($this->file_ext, '.')); -+ -+ if ( ! 
in_array($ext, $this->allowed_types)) -+ { -+ return FALSE; -+ } - -+ // Images get some additional checks - $image_types = array('gif', 'jpg', 'jpeg', 'png', 'jpe'); - -- foreach ($this->allowed_types as $val) -+ if (in_array($ext, $image_types)) - { -- $mime = $this->mimes_types(strtolower($val)); -- -- // Images get some additional checks -- if (in_array($val, $image_types)) -+ if (getimagesize($this->file_temp) === FALSE) - { -- if (getimagesize($this->file_temp) === FALSE) -- { -- return FALSE; -- } -- } -+ return FALSE; -+ } -+ } - -- if (is_array($mime)) -- { -- if (in_array($this->file_type, $mime, TRUE)) -- { -- return TRUE; -- } -- } -- else -+ if ($ignore_mime === TRUE) -+ { -+ return TRUE; -+ } -+ -+ $mime = $this->mimes_types($ext); -+ -+ if (is_array($mime)) -+ { -+ if (in_array($this->file_type, $mime, TRUE)) - { -- if ($mime == $this->file_type) -- { -- return TRUE; -- } -- } -+ return TRUE; -+ } -+ } -+ elseif ($mime == $this->file_type) -+ { -+ return TRUE; - } - - return FALSE; -@@ -918,7 +946,7 @@ - - foreach ($parts as $part) - { -- if ($this->mimes_types(strtolower($part)) === FALSE) -+ if ( ! in_array(strtolower($part), $this->allowed_types) OR $this->mimes_types(strtolower($part)) === FALSE) - { - $filename .= '.'.$part.'_'; - } -@@ -928,13 +956,6 @@ - } - } - -- // file name override, since the exact name is provided, no need to -- // run it through a $this->mimes check. -- if ($this->file_name != '') -- { -- $filename = $this->file_name; -- } -- - $filename .= '.'.$ext; - - return $filename; diff -ruN /usr/ports/www/codeigniter/pkg-plist codeigniter/pkg-plist --- /usr/ports/www/codeigniter/pkg-plist 2010-11-29 16:47:03.000000000 +0800 +++ codeigniter/pkg-plist 2010-12-07 10:47:13.000000000 +0800 
@@ -75,8 +75,11 @@ %%PORTDOCS%%%%DOCSDIR%%/images/codeigniter_1.7.1_library_reference.png %%PORTDOCS%%%%DOCSDIR%%/images/file.gif %%PORTDOCS%%%%DOCSDIR%%/images/folder.gif +%%PORTDOCS%%%%DOCSDIR%%/images/nav_bg.jpg %%PORTDOCS%%%%DOCSDIR%%/images/nav_bg_darker.jpg +%%PORTDOCS%%%%DOCSDIR%%/images/nav_separator.jpg %%PORTDOCS%%%%DOCSDIR%%/images/nav_separator_darker.jpg +%%PORTDOCS%%%%DOCSDIR%%/images/nav_toggle.jpg %%PORTDOCS%%%%DOCSDIR%%/images/nav_toggle_darker.jpg %%PORTDOCS%%%%DOCSDIR%%/images/smile.gif %%PORTDOCS%%%%DOCSDIR%%/images/transparent.gif @@ -102,6 +105,7 @@ %%PORTDOCS%%%%DOCSDIR%%/installation/upgrade_170.html %%PORTDOCS%%%%DOCSDIR%%/installation/upgrade_171.html %%PORTDOCS%%%%DOCSDIR%%/installation/upgrade_172.html +%%PORTDOCS%%%%DOCSDIR%%/installation/upgrade_173.html %%PORTDOCS%%%%DOCSDIR%%/installation/upgrade_b11.html %%PORTDOCS%%%%DOCSDIR%%/installation/upgrading.html %%PORTDOCS%%%%DOCSDIR%%/libraries/benchmark.html @@ -295,7 +299,6 @@ %%WWWDIR%%/system/libraries/Ftp.php %%WWWDIR%%/system/libraries/Hooks.php %%WWWDIR%%/system/libraries/Image_lib.php -%%WWWDIR%%/system/libraries/index.html %%WWWDIR%%/system/libraries/Input.php %%WWWDIR%%/system/libraries/Language.php %%WWWDIR%%/system/libraries/Loader.php 
@@ -311,23 +314,24 @@ %%WWWDIR%%/system/libraries/Table.php %%WWWDIR%%/system/libraries/Trackback.php %%WWWDIR%%/system/libraries/Typography.php +%%WWWDIR%%/system/libraries/URI.php %%WWWDIR%%/system/libraries/Unit_test.php %%WWWDIR%%/system/libraries/Upload.php -%%WWWDIR%%/system/libraries/URI.php %%WWWDIR%%/system/libraries/User_agent.php %%WWWDIR%%/system/libraries/Validation.php %%WWWDIR%%/system/libraries/Xmlrpc.php %%WWWDIR%%/system/libraries/Xmlrpcs.php %%WWWDIR%%/system/libraries/Zip.php +%%WWWDIR%%/system/libraries/index.html %%WWWDIR%%/system/logs/index.html %%WWWDIR%%/system/plugins/captcha_pi.php %%WWWDIR%%/system/plugins/index.html %%WWWDIR%%/system/plugins/js_calendar_pi.php +%%WWWDIR%%/system/scaffolding/Scaffolding.php %%WWWDIR%%/system/scaffolding/images/background.jpg %%WWWDIR%%/system/scaffolding/images/index.html %%WWWDIR%%/system/scaffolding/images/logo.jpg %%WWWDIR%%/system/scaffolding/index.html -%%WWWDIR%%/system/scaffolding/Scaffolding.php %%WWWDIR%%/system/scaffolding/views/add.php %%WWWDIR%%/system/scaffolding/views/delete.php %%WWWDIR%%/system/scaffolding/views/edit.php --- codeigniter.patch ends here ---
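Review bot: the Makefile hunk keeps LOCAL/glarkin in MASTER_SITES, so the 1.7.3 archive that matches the committed distinfo must also be uploaded to that mirror; otherwise a fetch that falls through from the upstream URL will either fail or pick up the old 1.7.2 archive, which no longer matches any checksum. Dropping PORTREVISION with the PORTVERSION bump and removing the post-patch cleanup of Upload.php.orig together with the patch file are consistent with each other.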
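Review bot: the distinfo hunk records a SHA256 and SIZE 2234099 for a CodeIgniter_1.7.3.zip that differs from the 2234093-byte archive the maintainer first expected, which means upstream re-rolled the release under an unchanged filename and version. Before committing, the maintainer should fetch the archive independently, confirm the SHA256 and SIZE in this hunk against that copy, and diff the two archives member by member so that the only differences are the user-guide changes the submitter describes; accepting a new hash on the submitter's word alone defeats the purpose of distinfo. The dropped MD5 line should also match what `make makesum` produces on the current tree, so the file is not regenerated in a different layout later.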
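Review bot: deleting files/patch-system__libraries__Upload.php rests entirely on the claim that 1.7.3 ships the same Upload class fixes, and nothing in this diff shows that. The local patch made is_allowed_filetype() reject any extension not listed in allowed_types before consulting the MIME table, honoured a configured file_name through _file_name_override, and made the filename-sanitising loop at @@ -918 neutralise unlisted extension parts; the committer should diff system/libraries/Upload.php from the 1.7.3 archive against the 1.7.2 file with this patch applied and confirm each of those three changes is present, rather than only checking that the patch no longer applies.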
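Review bot: in the pkg-plist hunks, the moves of %%WWWDIR%%/system/libraries/URI.php, %%WWWDIR%%/system/libraries/index.html and %%WWWDIR%%/system/scaffolding/Scaffolding.php are reorderings only, not content changes; they should match the order `make makeplist` emits so the next update does not flip them back. The three added nav_*.jpg images and installation/upgrade_173.html should be checked against the contents of the verified 1.7.3 archive rather than the submitter's extracted tree.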
glarkin 2010-12-14 15:06:14 UTC
FreeBSD ports repository

Modified files:
  www/codeigniter        Makefile distinfo pkg-plist
Removed files:
  www/codeigniter/files  patch-system__libraries__Upload.php

Log:
- Updated to 1.7.3
- Removed Upload class patch file - now included in 1.7.3

Version 1.7.3 is a security maintenance release, including a previously patched file Upload class, and a new security fix to prevent possible directory traversal in certain circumstances. There are no other significant changes.

PR: ports/152878
Submitted by: Bo-Yi Wu <appleboy dot tw at gmail dot com>

Revision  Changes   Path
1.15      +1 -5     ports/www/codeigniter/Makefile
1.9       +2 -3     ports/www/codeigniter/distinfo
1.2       +0 -245   ports/www/codeigniter/files/patch-system__libraries__Upload.php (dead)
1.9       +7 -3     ports/www/codeigniter/pkg-plist
State Changed From-To: analyzed->closed Committed, thank you!