[evolvis-commits] r18007: small-fixes pending merges:
Thorsten Glaser 2012-01-13 SECURITY: force PHP 5.2 and make the session cookie HttpOnly
mirabilos at evolvis.org
Fri Jan 13 12:11:51 CET 2012
Author: mirabilos
Date: 2012-01-13 12:11:51 +0100 (Fri, 13 Jan 2012)
New Revision: 18007
Removed:
trunk/gforge_base/evolvisforge-5.1/src/www/squal/
Modified:
trunk/gforge_base/evolvisforge-5.1/src/README.evolvis
trunk/gforge_base/evolvisforge-5.1/src/common/include/session.php
trunk/gforge_base/evolvisforge-5.1/src/common/mail/MailingList.class.php
trunk/gforge_base/evolvisforge-5.1/src/debian/changelog
trunk/gforge_base/evolvisforge-5.1/src/debian/control
trunk/gforge_base/evolvisforge-5.1/src/packaging/control/030web-apache2
trunk/gforge_base/evolvisforge-5.1/src/www/account/change_email.php
Log:
small-fixes pending merges:
Thorsten Glaser 2012-01-13 SECURITY: force PHP 5.2 and make the session cookie HttpOnly
also, add Rebecca Fischbach to README.evolvis, use the more secure
util_randbytes() from the last commit in the two places marked as
XXX in the small-fixes branch, and nuke an insecure SourceForge API
which I couldn’t spot any reference to in the live source code
regenerate d/control
Modified: trunk/gforge_base/evolvisforge-5.1/src/README.evolvis
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/README.evolvis 2012-01-13 11:11:45 UTC (rev 18006)
+++ trunk/gforge_base/evolvisforge-5.1/src/README.evolvis 2012-01-13 11:11:51 UTC (rev 18007)
@@ -65,6 +65,7 @@
– Waldemar Brodkorb
– Lukas Degener
– Mike Esser
+ – Rebecca Fischbach
– Sven Frommeyer
– Elmar Geese
– Sebastian Gerhards
Modified: trunk/gforge_base/evolvisforge-5.1/src/common/include/session.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/common/include/session.php 2012-01-13 11:11:45 UTC (rev 18006)
+++ trunk/gforge_base/evolvisforge-5.1/src/common/include/session.php 2012-01-13 11:11:51 UTC (rev 18007)
@@ -383,7 +383,7 @@
if ($force_secure && !session_issecure()) {
return;
}
- setcookie($name, $value, $expiration, '/', $domain, $force_secure);
+ setcookie($name, $value, $expiration, '/', $domain, $force_secure, true);
}
/**
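Review bot: The Secure attribute on the new setcookie() line is still taken only from `$force_secure`, so on a deployment where HTTPS is available but not forced the session cookie is issued without Secure and the browser will also send it over plain HTTP, where HttpOnly does not help. If sessions do not need to survive a switch from HTTPS to HTTP, `setcookie($name, $value, $expiration, '/', $domain, $force_secure || session_issecure(), true);` closes that gap using the helper the guard above already calls. The bare `true` in the seventh position is the reason for the raised package dependency and deserves a comment such as `// 7th arg: HttpOnly, needs PHP >= 5.2`. The enclosing function starts outside the hunk.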
Modified: trunk/gforge_base/evolvisforge-5.1/src/common/mail/MailingList.class.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/common/mail/MailingList.class.php 2012-01-13 11:11:45 UTC (rev 18006)
+++ trunk/gforge_base/evolvisforge-5.1/src/common/mail/MailingList.class.php 2012-01-13 11:11:51 UTC (rev 18007)
@@ -148,7 +148,7 @@
return false;
}
- $listPassword = substr(md5($GLOBALS['session_ser'] . time() . util_randbytes()), 0, 16);
+ $listPassword = substr(md5(util_randbytes()), 0, 16);
db_begin();
$result = db_query_params ('INSERT INTO mail_group_list (group_id,list_name,is_public,password,list_admin,status,description) VALUES ($1,$2,$3,$4,$5,$6,$7)',
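Review bot: The new `$listPassword` line yields 16 hex characters, i.e. at most 64 bits of secret, and the md5() step adds nothing beyond formatting, so the strength depends entirely on how many bytes util_randbytes() returns by default, which this hunk does not show; presumably at least 8, verify against its definition. If util_randbytes() accepts a byte count, `bin2hex(util_randbytes(8))` gives the same 16-character format without the hash and makes the entropy explicit. The same construction is introduced for `$confirm_hash` in the change_email.php hunk of this commit. The enclosing method begins outside the hunk.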
Modified: trunk/gforge_base/evolvisforge-5.1/src/debian/changelog
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/debian/changelog 2012-01-13 11:11:45 UTC (rev 18006)
+++ trunk/gforge_base/evolvisforge-5.1/src/debian/changelog 2012-01-13 11:11:51 UTC (rev 18007)
@@ -33,8 +33,9 @@
* Fix detemplating accident in plugins’ postinst maintainer script
* mediawiki plugin: Default to enable image uploads
* Unbreak interwiki; add database convergence (depends BSD::arc4random)
+ * Make session cookies HttpOnly (raise PHP dependency to 5.2)
- -- Thorsten Glaser <t.glaser at tarent.de> Fri, 13 Jan 2012 11:18:25 +0100
+ -- Thorsten Glaser <t.glaser at tarent.de> Fri, 13 Jan 2012 12:07:07 +0100
fusionforge (5.1.1+evolvis6) unstable; urgency=low
Modified: trunk/gforge_base/evolvisforge-5.1/src/debian/control
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/debian/control 2012-01-13 11:11:45 UTC (rev 18006)
+++ trunk/gforge_base/evolvisforge-5.1/src/debian/control 2012-01-13 11:11:51 UTC (rev 18007)
@@ -98,7 +98,7 @@
Package: gforge-web-apache2
Architecture: all
-Depends: gforge-common, gforge-db-postgresql | gforge-db, libapache2-mod-php5, php5-cgi, php5-pgsql, php5-gd, perl, libdbi-perl, libdbd-pg-perl, debianutils (>= 1.7), debconf (>= 1.0.32) | debconf-2.0, ucf, cronolog, python, ssl-cert, libnusoap-php, php-htmlpurifier (>= 4.0), libjs-yui (>= 2.8.2r1~squeeze-1.1~), libjs-prototype (>= 1.7.0-2.1~), libjs-scriptaculous (>= 1.9.0-2~), libjs-jquery (>= 1.6.4-1~), libjs-jquery-ui (>= 1.8.ooops.16+dfsg-1~), libphp-jpgraph, tango-icon-theme, toilet, ${misc:Depends}
+Depends: gforge-common, gforge-db-postgresql | gforge-db, libapache2-mod-php5 (>= 5.2), php5-cgi (>= 5.2), php5-pgsql, php5-gd, perl, libdbi-perl, libdbd-pg-perl, debianutils (>= 1.7), debconf (>= 1.0.32) | debconf-2.0, ucf, cronolog, python, ssl-cert, libnusoap-php, php-htmlpurifier (>= 4.0), libjs-yui (>= 2.8.2r1~squeeze-1.1~), libjs-prototype (>= 1.7.0-2.1~), libjs-scriptaculous (>= 1.9.0-2~), libjs-jquery (>= 1.6.4-1~), libjs-jquery-ui (>= 1.8.ooops.16+dfsg-1~), libphp-jpgraph, tango-icon-theme, toilet, ${misc:Depends}
Recommends: locales | locales-all
Provides: gforge-web
Conflicts: gforge-web
Modified: trunk/gforge_base/evolvisforge-5.1/src/packaging/control/030web-apache2
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/packaging/control/030web-apache2 2012-01-13 11:11:45 UTC (rev 18006)
+++ trunk/gforge_base/evolvisforge-5.1/src/packaging/control/030web-apache2 2012-01-13 11:11:51 UTC (rev 18007)
@@ -1,6 +1,6 @@
Package: @OLDPACKAGE at -web-apache2
Architecture: all
-Depends: @OLDPACKAGE at -common, @OLDPACKAGE at -db-postgresql | @OLDPACKAGE at -db, libapache2-mod-php5, php5-cgi, php5-pgsql, php5-gd, perl, libdbi-perl, libdbd-pg-perl, debianutils (>= 1.7), debconf (>= 1.0.32) | debconf-2.0, ucf, cronolog, python, ssl-cert, libnusoap-php, php-htmlpurifier (>= 4.0), libjs-yui (>= 2.8.2r1~squeeze-1.1~), libjs-prototype (>= 1.7.0-2.1~), libjs-scriptaculous (>= 1.9.0-2~), libjs-jquery (>= 1.6.4-1~), libjs-jquery-ui (>= 1.8.ooops.16+dfsg-1~), libphp-jpgraph, tango-icon-theme, toilet, ${misc:Depends}
+Depends: @OLDPACKAGE at -common, @OLDPACKAGE at -db-postgresql | @OLDPACKAGE at -db, libapache2-mod-php5 (>= 5.2), php5-cgi (>= 5.2), php5-pgsql, php5-gd, perl, libdbi-perl, libdbd-pg-perl, debianutils (>= 1.7), debconf (>= 1.0.32) | debconf-2.0, ucf, cronolog, python, ssl-cert, libnusoap-php, php-htmlpurifier (>= 4.0), libjs-yui (>= 2.8.2r1~squeeze-1.1~), libjs-prototype (>= 1.7.0-2.1~), libjs-scriptaculous (>= 1.9.0-2~), libjs-jquery (>= 1.6.4-1~), libjs-jquery-ui (>= 1.8.ooops.16+dfsg-1~), libphp-jpgraph, tango-icon-theme, toilet, ${misc:Depends}
Recommends: locales | locales-all
Provides: @OLDPACKAGE at -web
Conflicts: @OLDPACKAGE at -web
Modified: trunk/gforge_base/evolvisforge-5.1/src/www/account/change_email.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/www/account/change_email.php 2012-01-13 11:11:45 UTC (rev 18006)
+++ trunk/gforge_base/evolvisforge-5.1/src/www/account/change_email.php 2012-01-13 11:11:51 UTC (rev 18007)
@@ -38,7 +38,7 @@
exit_error(_('Invalid email address.'),'my');
}
- $confirm_hash = substr(md5($GLOBALS['session_ser'] . time()),0,16);
+ $confirm_hash = substr(md5(util_randbytes()),0,16);
$u =& user_get_object(user_getid());
if (!$u || !is_object($u)) {