FreeBSD Bugzilla – Attachment 62344 Details for Bug 93204: phpBB anti-DOS patch disallows visual authentication
patch-phpbb (text/plain; charset=us-ascii), 2.69 KB, created by Xin LI on 2006-05-05 00:00:06 UTC
>Index: Makefile >=================================================================== >RCS file: /home/ncvs/ports/www/phpbb/Makefile,v >retrieving revision 1.39 >diff -u -r1.39 Makefile >--- Makefile 18 Apr 2006 09:33:27 -0000 1.39 >+++ Makefile 4 May 2006 22:54:15 -0000 >@@ -7,6 +7,7 @@ > > PORTNAME= phpbb > PORTVERSION= 2.0.20 >+PORTREVISION= 1 > CATEGORIES= www > MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} > MASTER_SITE_SUBDIR= ${PORTNAME} >@@ -31,6 +32,13 @@ > # > # End of user-configurable variables. > >+# XXX The phpBB folks does not seem to care about the session table DoS >+# issue. You can disable the patch at your own risk to make the >+# visual authentication work. >+.if !defined(WITHOUT_ANTIDOS_PATCH) >+EXTRA_PATCHES= ${FILESDIR}/security-patch-includes-sessions.php >+.endif >+ > # Set/override/append to variables from bsd.port.mk: > # > WRKSRC= ${WRKDIR}/phpBB2 >Index: files/patch-includes-sessions.php >=================================================================== >RCS file: files/patch-includes-sessions.php >diff -N files/patch-includes-sessions.php >--- files/patch-includes-sessions.php 8 Nov 2005 19:26:55 -0000 1.4 >+++ /dev/null 1 Jan 1970 00:00:00 -0000 
>@@ -1,11 +0,0 @@ >---- includes/sessions.php.orig Sat May 14 05:04:00 2005 >-+++ includes/sessions.php Sun May 15 18:53:48 2005 >-@@ -167,7 +167,7 @@ >- $sql = "INSERT INTO " . SESSIONS_TABLE . " >- (session_id, session_user_id, session_start, session_time, session_ip, session_page, session_logged_in, session_admin) >- VALUES ('$session_id', $user_id, $current_time, $current_time, '$user_ip', $page_id, $login, $admin)"; >-- if ( !$db->sql_query($sql) ) >-+ if ( $user_id != ANONYMOUS && !$db->sql_query($sql) ) >- { >- message_die(CRITICAL_ERROR, 'Error creating new session', '', __LINE__, __FILE__, $sql); >- } >Index: files/security-patch-includes-sessions.php >=================================================================== >RCS file: files/security-patch-includes-sessions.php >diff -N files/security-patch-includes-sessions.php >--- /dev/null 1 Jan 1970 00:00:00 -0000 >+++ files/security-patch-includes-sessions.php 8 Nov 2005 19:26:55 -0000 >@@ -0,0 +1,11 @@ >+--- includes/sessions.php.orig Sat May 14 05:04:00 2005 >++++ includes/sessions.php Sun May 15 18:53:48 2005 >+@@ -167,7 +167,7 @@ >+ $sql = "INSERT INTO " . SESSIONS_TABLE . " >+ (session_id, session_user_id, session_start, session_time, session_ip, session_page, session_logged_in, session_admin) >+ VALUES ('$session_id', $user_id, $current_time, $current_time, '$user_ip', $page_id, $login, $admin)"; >+- if ( !$db->sql_query($sql) ) >++ if ( $user_id != ANONYMOUS && !$db->sql_query($sql) ) >+ { >+ message_die(CRITICAL_ERROR, 'Error creating new session', '', __LINE__, __FILE__, $sql); >+ }
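Review bot: In the second Makefile hunk the new WITHOUT_ANTIDOS_PATCH knob is defined below the "# End of user-configurable variables." marker, so anyone reading the user-configurable section will not find it. Move the `.if !defined(WITHOUT_ANTIDOS_PATCH)` block above that marker, and reword the XXX comment so it says what the patch changes (anonymous visitors no longer get a row in the sessions table) and what is lost while it is applied (visual authentication), since the default leaves the patch applied.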
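Review bot: In files/security-patch-includes-sessions.php the changed line `if ( $user_id != ANONYMOUS && !$db->sql_query($sql) )` hides a behaviour change inside short-circuit evaluation: for an anonymous user the left operand is false, so sql_query() is never called and the INSERT is silently skipped, while the line still reads like a plain error check. That skipped row is the whole mitigation and, going by the Makefile comment, also what stops visual authentication from working, so make it explicit: put the query in its own `if ( $user_id != ANONYMOUS )` block with a comment explaining why, and keep `if ( !$db->sql_query($sql) )` as the error check inside it. As written, $sql is also still assembled for anonymous requests even though it is never run.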