Author: tille
Date: 2008-09-29 12:56:43 +0000 (Mon, 29 Sep 2008)
New Revision: 2555

Removed:
   
trunk/packages/agdbnet/trunk/debian/patches/30_fix_empty_status_bug_in_curator_authentication.patch
Modified:
   trunk/packages/agdbnet/trunk/debian/patches/series
Log:
Security patch applied by upstream


Deleted: 
trunk/packages/agdbnet/trunk/debian/patches/30_fix_empty_status_bug_in_curator_authentication.patch
===================================================================
--- 
trunk/packages/agdbnet/trunk/debian/patches/30_fix_empty_status_bug_in_curator_authentication.patch
 2008-09-29 12:32:48 UTC (rev 2554)
+++ 
trunk/packages/agdbnet/trunk/debian/patches/30_fix_empty_status_bug_in_curator_authentication.patch
 2008-09-29 12:56:43 UTC (rev 2555)
@@ -1,26 +0,0 @@
-This is a security fix which should be applied upstream.
-A user with status == '' should not be able to log in as curator.
-Forewarded upstream.
---- agdbnet_v1.0.0.orig/cgi-bin/agcurate.pl
-+++ agdbnet_v1.0.0/cgi-bin/agcurate.pl
-@@ -322,11 +322,18 @@
- sub curator_id {
-       my $username = $q->remote_user;
-       if ($username) {
--              my $qry = "SELECT id FROM users WHERE user_name=?";
-+              # status needs to be queried as well
-+              my $qry = "SELECT id, status FROM users WHERE user_name=?";
-               my $sql = $db->prepare($qry) or die "cannot prepare";
-               $sql->execute($username);
-               my ( $id, $status ) = $sql->fetchrow_array;
--              if ( $status && $status ne 'curator' ) {
-+              # The original line
-+              #       if ( $status && $status ne 'curator' ) {
-+              # enables successfull authentication if status == ''
-+              # because $status is false and the second term
-+              # will not be evaluated any more because && would
-+              # be false in any way.
-+              if ( ! $status || $status ne 'curator' ) {
-                       return 0;
-               }
-               return $id;

Modified: trunk/packages/agdbnet/trunk/debian/patches/series
===================================================================
--- trunk/packages/agdbnet/trunk/debian/patches/series  2008-09-29 12:32:48 UTC 
(rev 2554)
+++ trunk/packages/agdbnet/trunk/debian/patches/series  2008-09-29 12:56:43 UTC 
(rev 2555)
@@ -4,4 +4,3 @@
 12_apache_is_web-data.patch
 13_ident_authentication.patch
 20_metainfo.patch
-30_fix_empty_status_bug_in_curator_authentication.patch

