author | Conrad Kostecki <conikost@gentoo.org> | 2024-03-10 14:35:34 +0100 |
---|---|---|
committer | Conrad Kostecki <conikost@gentoo.org> | 2024-03-10 14:35:34 +0100 |
commit | 178ca30bd5ec0af0992f13539beedb22bcdf4666 (patch) | |
tree | f0e1e5fa6bd9247d627b45888a081e429d643db9 /www-apps | |
parent | games-simulation/openrct2: x86 stable (diff) | |
www-apps/phpsysinfo: fix CVE-2023-49006
Signed-off-by: Conrad Kostecki <conikost@gentoo.org>
Diffstat (limited to 'www-apps')
-rw-r--r-- | www-apps/phpsysinfo/files/phpsysinfo-3.4.3-cve-2023-49006.patch | 44 | ||||
-rw-r--r-- | www-apps/phpsysinfo/phpsysinfo-3.4.3-r1.ebuild (renamed from www-apps/phpsysinfo/phpsysinfo-3.4.3.ebuild) | 4 |
2 files changed, 47 insertions, 1 deletions
diff --git a/www-apps/phpsysinfo/files/phpsysinfo-3.4.3-cve-2023-49006.patch b/www-apps/phpsysinfo/files/phpsysinfo-3.4.3-cve-2023-49006.patch
new file mode 100644
index 000000000000..6bed16996d20
--- /dev/null
+++ b/www-apps/phpsysinfo/files/phpsysinfo-3.4.3-cve-2023-49006.patch
@@ -0,0 +1,44 @@
+From 4f2cee505e4f2e9b369a321063ff2c5e0c34ba45 Mon Sep 17 00:00:00 2001
+From: namiltd <namiltd@users.noreply.github.com>
+Date: Wed, 24 May 2023 10:39:48 +0200
+Subject: [PATCH] Disable JSONP data mode by default for security reasons
+
+---
+ phpsysinfo.ini.new | 7 +++++++
+ read_config.php | 5 +++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/phpsysinfo.ini.new b/phpsysinfo.ini.new
+index f2c90f24..25b67c26 100644
+--- a/phpsysinfo.ini.new
++++ b/phpsysinfo.ini.new
+@@ -47,6 +47,13 @@ ADD_PATHS=false
+ ;
+ ALLOWED=false
+
++; Enable JSONP data mode (e.g. /phpsysinfo/xml.php?plugin=complete&jsonp&callback=getData)
++; Disabled by default for security reasons.
++; - false : JSONP data mode disabled
++; - true : JSONP data mode enabled
++;
++;JSONP=false
++
+ ; List of sudo commands
+ ; Example : SUDO_COMMANDS="iptables-save" //execute "sudo iptables-save" instead "iptables-save"
+ ; SUDO_COMMANDS=false //no sudo commands
+diff --git a/read_config.php b/read_config.php
+index 17d0683a..53fbf38e 100644
+--- a/read_config.php
++++ b/read_config.php
+@@ -89,6 +89,11 @@
+ }
+ }
+
++ if (isset($_GET['jsonp']) && (!defined('PSI_JSONP') || !PSI_JSONP)) {
++ echo "JSONP data mode not enabled in phpsysinfo.ini.";
++ die();
++ }
++
+ /* default error handler */
+ if (function_exists('errorHandlerPsi')) {
+ restore_error_handler();
diff --git a/www-apps/phpsysinfo/phpsysinfo-3.4.3.ebuild b/www-apps/phpsysinfo/phpsysinfo-3.4.3-r1.ebuild
index bfc4f8956f79..9c6a04a29c14 100644
--- a/www-apps/phpsysinfo/phpsysinfo-3.4.3.ebuild
+++ b/www-apps/phpsysinfo/phpsysinfo-3.4.3-r1.ebuild
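Review bot: The guard added to read_config.php (`++ if (isset($_GET['jsonp']) && (!defined('PSI_JSONP') || !PSI_JSONP))`) refuses the request with `echo` followed by `die()`, so the denial is sent as HTTP 200 with a plain-text body and cannot be told apart from a successful response by clients or by status-based log monitoring. Setting an explicit status before the message, `http_response_code(403);`, would make the refusal observable without altering behavior when JSONP is enabled. The patch disables the mode rather than validating the `callback` name, so once an administrator sets `JSONP=true` in phpsysinfo.ini the remaining protection depends on code outside this hunk; a one-line comment above the guard, `// JSONP is refused unless PSI_JSONP is defined and true (CVE-2023-49006)`, would record that for the next reader. The surrounding code in read_config.php continues outside the hunk.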
@@ -1,4 +1,4 @@
-# Copyright 1999-2023 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=8
@@ -16,6 +16,8 @@ RDEPEND="
 virtual/httpd-php
 "
 
+PATCHES=( "${FILESDIR}/${PN}-3.4.3-cve-2023-49006.patch" )
+
 need_httpd_cgi
 
 src_install() {