[debian-edu-commits] debian-edu/pkg-team/ 01/02: debian/patches: Add 0004_RequestHeader-no-underscores-apache24.patch. Since Apache2.4: Translation of headers to environment variables is more strict than before to mitigate some possible cross-site-scripting attacks via header injection. Headers containing invalid characters (including underscores) are now silently dropped.
Mike Gabriel
sunweaver at debian.org
Tue Jul 1 18:46:56 UTC 2014
sunweaver pushed a commit to annotated tag debian/2.7.4+reloaded1-4
in repository gosa.
commit 4c6e469cb69997935c7f561540f6574c594d381b
Author: Mike Gabriel <mike.gabriel at das-netzwerkteam.de>
Date: Tue Jul 1 20:36:45 2014 +0200
debian/patches: Add 0004_RequestHeader-no-underscores-apache24.patch. Since Apache 2.4, the translation of request headers to environment variables is stricter than before, to mitigate some possible cross-site-scripting attacks via header injection. Headers containing invalid characters (including underscores) are now silently dropped.
---
...003_RequestHeader-no-underscores-apache24.patch | 45 ++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 46 insertions(+)
diff --git a/debian/patches/1003_RequestHeader-no-underscores-apache24.patch b/debian/patches/1003_RequestHeader-no-underscores-apache24.patch
new file mode 100644
index 0000000..d9cf6e2
--- /dev/null
+++ b/debian/patches/1003_RequestHeader-no-underscores-apache24.patch
@@ -0,0 +1,45 @@
+Description: Don't use underscores in request header variables
+Andreas B. Mundt <andi.mundt at web.de>
+ Since Apache2.4: Translation of headers to environment variables is more
+ strict than before to mitigate some possible cross-site-scripting attacks
+ via header injection. Headers containing invalid characters (including
+ underscores) are now silently dropped.
+
+Index: gosa-core/bin/gosa-encrypt-passwords
+===================================================================
+--- a/gosa-core/bin/gosa-encrypt-passwords
++++ b/gosa-core/bin/gosa-encrypt-passwords
+@@ -51,7 +51,7 @@ if (file_exists("/etc/gosa/gosa.secrets"
+ } else {
+ echo "* creating /etc/gosa/gosa.secrets\n";
+ $fp = fopen("/etc/gosa/gosa.secrets", 'w') or die("Cannot open /etc/gosa/gosa.secrets for writing - aborted");
+- fwrite($fp, "RequestHeader set GOSA_KEY $master_key\n");
++ fwrite($fp, "RequestHeader set GOSAKEY $master_key\n");
+ fclose($fp);
+ chmod ("/etc/gosa/gosa.secrets", 0600);
+ chown ("/etc/gosa/gosa.secrets", "root");
+Index: gosa-2.7.4+reloaded1/gosa-core/include/class_config.inc
+===================================================================
+--- a/gosa-core/include/class_config.inc
++++ b/gosa-core/include/class_config.inc
+@@ -301,14 +301,14 @@ class config {
+
+ function get_credentials($creds)
+ {
+- if (isset($_SERVER['HTTP_GOSA_KEY'])){
+- if (!session::global_is_set('HTTP_GOSA_KEY_CACHE')){
+- session::global_set('HTTP_GOSA_KEY_CACHE',array());
++ if (isset($_SERVER['HTTP_GOSAKEY'])){
++ if (!session::global_is_set('HTTP_GOSAKEY_CACHE')){
++ session::global_set('HTTP_GOSAKEY_CACHE',array());
+ }
+- $cache = session::global_get('HTTP_GOSA_KEY_CACHE');
++ $cache = session::global_get('HTTP_GOSAKEY_CACHE');
+ if(!isset($cache[$creds])){
+- $cache[$creds] = cred_decrypt($creds, $_SERVER['HTTP_GOSA_KEY']);
+- session::global_set('HTTP_GOSA_KEY_CACHE',$cache);
++ $cache[$creds] = cred_decrypt($creds, $_SERVER['HTTP_GOSAKEY']);
++ session::global_set('HTTP_GOSAKEY_CACHE',$cache);
+ }
+ return ($cache[$creds]);
+ }
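Review bot: The rename covers only what a fresh run of gosa-encrypt-passwords writes, so an already deployed /etc/gosa/gosa.secrets still says `RequestHeader set GOSA_KEY ...`, which Apache 2.4 drops; after this patch `get_credentials` then never sees `HTTP_GOSAKEY` and skips the decrypt branch entirely (the rest of the function is outside the hunk, so what it falls back to cannot be seen here). The patch Description or the package's upgrade path should cover this, e.g. add to the Description `Existing /etc/gosa/gosa.secrets files must be regenerated (re-run gosa-encrypt-passwords) so the directive uses GOSAKEY`. Note also that the value in `$_SERVER['HTTP_GOSAKEY']` is trustworthy only because `RequestHeader set` replaces any client-sent header of that name; a vhost that does not load the secrets file would hand a client-supplied value to cred_decrypt, which is worth stating in a comment next to the isset() check. Minor: the second Index line uses the `gosa-2.7.4+reloaded1/` prefix while the first does not; quilt applies the ---/+++ paths, but consistent headers avoid confusion.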
diff --git a/debian/patches/series b/debian/patches/series
index da3fbc7..97eaa4f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,6 +3,7 @@
0003_xss-vulnerability-on-login-screen.patch
1001_fix-mass-ldapimport.patch
1002_trim-decrypt.patch
+1003_RequestHeader-no-underscores-apache24.patch
2001_fix-smarty-location.patch
2002_fix-template-location.patch
2003_fix-class-mapping.patch