rpms/ktorrent/F-8 ktorrent-2.2.7-php-injection.patch, NONE, 1.1 ktorrent-2.2.7-upload.patch, NONE, 1.1 ktorrent.spec, 1.52, 1.53

Rex Dieter rdieter at fedoraproject.org
Wed Oct 29 14:40:37 UTC 2008


Author: rdieter

Update of /cvs/pkgs/rpms/ktorrent/F-8
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv20304

Modified Files:
	ktorrent.spec 
Added Files:
	ktorrent-2.2.7-php-injection.patch ktorrent-2.2.7-upload.patch 
Log Message:
* Wed Oct 29 2008 Rex Dieter <rdieter at fedoraproject.org> - 2.2.7-2
- multiple security issues in the web interface (#469020)


ktorrent-2.2.7-php-injection.patch:

--- NEW FILE ktorrent-2.2.7-php-injection.patch ---
Index: ktorrent-2.2.7/plugins/webinterface/php_handler.cpp
===================================================================
--- ktorrent-2.2.7.orig/plugins/webinterface/php_handler.cpp
+++ ktorrent-2.2.7/plugins/webinterface/php_handler.cpp
@@ -82,7 +82,9 @@ namespace kt
 			
 		for ( it = args.begin(); it != args.end(); ++it )
 		{
-			ts << QString("$_REQUEST['%1']=\"%2\";\n").arg(it.key()).arg(it.data());
+			// Check for string delimiters, don't want PHP injection attacks
+			if (!containsDelimiters(it.key()) && !containsDelimiters(it.data()))
+				ts << QString("$_REQUEST['%1']=\"%2\";\n").arg(it.key()).arg(it.data());
 		}
 		ts.writeRawBytes(php_s.data() + off,php_s.size() - off); // the rest of the script
 		ts << flush;
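Review bot: `containsDelimiters` (added in the later hunk of this file) rejects only `"` and `'`, but on the `ts << QString("$_REQUEST['%1']=\"%2\";\n")` line the value lands inside a PHP double-quoted literal, where backslash and `$` are also significant to the PHP parser. The check should cover those too, e.g. `return str.contains("\"") || str.contains("'") || str.contains("\\") || str.contains("$");`, or the value should be written as a single-quoted literal with `\` and `'` escaped. Rejected parameters are dropped silently; a log line in the skipped branch would make probing of the web interface visible to the operator. The enclosing function starts outside the hunk.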
@@ -116,6 +118,10 @@ namespace kt
 		}
 	}
 
+	bool PhpHandler::containsDelimiters(const QString & str)
+	{
+		return str.contains("\"") || str.contains("'");
+	}
 }
 
 #include "php_handler.moc"
Index: ktorrent-2.2.7/plugins/webinterface/php_handler.h
===================================================================
--- ktorrent-2.2.7.orig/plugins/webinterface/php_handler.h
+++ ktorrent-2.2.7/plugins/webinterface/php_handler.h
@@ -43,6 +43,9 @@ namespace kt
 		void onExited();
 		void onReadyReadStdout();
 		
+	private:
+		bool containsDelimiters(const QString & str);
+		
 	signals:
 		void finished();
 		

ktorrent-2.2.7-upload.patch:

--- NEW FILE ktorrent-2.2.7-upload.patch ---
Index: ktorrent-2.2.7/plugins/webinterface/httpserver.cpp
===================================================================
--- ktorrent-2.2.7.orig/plugins/webinterface/httpserver.cpp
+++ ktorrent-2.2.7/plugins/webinterface/httpserver.cpp
@@ -431,9 +431,17 @@ namespace kt
 	void HttpServer::handleTorrentPost(HttpClientHandler* hdlr,const QHttpRequestHeader & hdr,const QByteArray & data)
 	{
 		const char* ptr = data.data();
-		Uint32 len = data.size();
+		int len = data.size();
 		int pos = QString(data).find("\r\n\r\n");
 		
+		if (!session.logged_in || !checkSession(hdr))
+		{
+			// You can't post torrents if you are not logged in
+			// or the session is not OK
+			redirectToLoginPage(hdlr);
+			return;
+		}
+		
 		if (pos == -1 || pos + 4 >= len || ptr[pos + 4] != 'd')
 		{
 			HttpResponseHeader rhdr(500);
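Review bot: The login check is added after `int pos = QString(data).find("\r\n\r\n");`, so an unauthenticated POST body is still converted to a QString and scanned before the request is rejected; the `if (!session.logged_in || !checkSession(hdr))` block should be the first statement of handleTorrentPost. Separately, `pos` is an index into the QString while `ptr[pos + 4]` indexes the raw bytes, and the two may differ if the conversion is not one byte per character (worth confirming for the Qt version in use), so searching the byte array directly would be safer. The function body continues past the end of the hunk.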


Index: ktorrent.spec
===================================================================
RCS file: /cvs/pkgs/rpms/ktorrent/F-8/ktorrent.spec,v
retrieving revision 1.52
retrieving revision 1.53
diff -u -r1.52 -r1.53
--- ktorrent.spec	3 Jun 2008 14:44:42 -0000	1.52
+++ ktorrent.spec	29 Oct 2008 14:40:07 -0000	1.53
@@ -1,8 +1,16 @@
-%define desktopvendor fedora
+
+# Fedora pkg review: http://bugzilla.redhat.com/187818
+
+%if 0%{?fedora} > 6
+%define kdelibs3 kdelibs3
+%else
+%define kdelibs3 kdelibs
+BuildRequires: libutempter-devel
+%endif
 
 Name:           ktorrent
 Version:        2.2.7
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        A BitTorrent program for KDE
 Group:          Applications/Internet
 License:        GPLv2+
@@ -10,7 +18,11 @@
 Source0:        http://ktorrent.org/downloads/%{version}/ktorrent-%{version}.tar.bz2
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
-BuildRequires:  kdelibs3-devel
+# http://bugs.gentoo.org/show_bug.cgi?id=244741
+Patch1: ktorrent-2.2.7-upload.patch
+Patch2: ktorrent-2.2.7-php-injection.patch
+
+BuildRequires:  %{kdelibs3}-devel
 BuildRequires:  gettext   
 BuildRequires:  gmp-devel   
 BuildRequires:  avahi-devel   
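Review bot: The comment above `Patch1`/`Patch2` cites only the Gentoo report, so the spec does not say which issue each patch addresses or tie them to the Fedora bug named in the changelog. A per-patch comment would make the fix auditable later, e.g. `# require login for torrent upload via web interface (#469020)` above `Patch1` and `# reject quote characters in web interface request args (#469020)` above `Patch2`. Whether either patch is already upstream is not visible here and would be worth stating in the same comments.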
@@ -26,6 +38,10 @@
 
 %prep
 %setup -q
+
+%patch1 -p1 -b .upload
+%patch2 -p1 -b .php_injection
+
 # fix "WARNING:.../Makefile.in seems to ignore the --datarootdir setting"
 make -f admin/Makefile.common
 
@@ -50,7 +66,6 @@
 rm -f $RPM_BUILD_ROOT%{_datadir}/applnk/Internet/ktorrent.desktop
 /usr/bin/desktop-file-install --vendor=""                       \
         --dir=${RPM_BUILD_ROOT}%{_datadir}/applications/kde     \
-        --add-category=X-Fedora                                 \
         %{buildroot}%{_datadir}/applications/kde/ktorrent.desktop
 
 # Unpackaged files
@@ -155,6 +170,9 @@
 %{_datadir}/services/ktzeroconfplugin.desktop
 
 %changelog
+* Wed Oct 29 2008 Rex Dieter <rdieter at fedoraproject.org> - 2.2.7-2
+- multiple security issues in the web interface (#469020)
+
 * Tue Jun 03 2008 Roland Wolters <wolters.liste at gmx.net> - 2.2.7-1
 - update to bugfix version 2.2.7
 



