[evolvis-commits] r18007: small-fixes pending merges:↵ Thorsten Glaser 2012-01-13 SECURITY: force PHP 5.2 and make the session cookie HttpOnly

mirabilos at evolvis.org mirabilos at evolvis.org
Fri Jan 13 12:11:51 CET 2012


Author: mirabilos
Date: 2012-01-13 12:11:51 +0100 (Fri, 13 Jan 2012)
New Revision: 18007

Removed:
   trunk/gforge_base/evolvisforge-5.1/src/www/squal/
Modified:
   trunk/gforge_base/evolvisforge-5.1/src/README.evolvis
   trunk/gforge_base/evolvisforge-5.1/src/common/include/session.php
   trunk/gforge_base/evolvisforge-5.1/src/common/mail/MailingList.class.php
   trunk/gforge_base/evolvisforge-5.1/src/debian/changelog
   trunk/gforge_base/evolvisforge-5.1/src/debian/control
   trunk/gforge_base/evolvisforge-5.1/src/packaging/control/030web-apache2
   trunk/gforge_base/evolvisforge-5.1/src/www/account/change_email.php
Log:
small-fixes pending merges:
  Thorsten Glaser 2012-01-13 SECURITY: force PHP 5.2 and make the session cookie HttpOnly

also, add Rebecca Fischbach to README.evolvis, use the more secure
util_randbytes() from the last commit in the two places marked as
XXX in the small-fixes branch, and nuke an insecure SourceForge API
which I couldn’t spot any reference to in the live source code

regenerate d/control


Modified: trunk/gforge_base/evolvisforge-5.1/src/README.evolvis
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/README.evolvis	2012-01-13 11:11:45 UTC (rev 18006)
+++ trunk/gforge_base/evolvisforge-5.1/src/README.evolvis	2012-01-13 11:11:51 UTC (rev 18007)
@@ -65,6 +65,7 @@
   – Waldemar Brodkorb
   – Lukas Degener
   – Mike Esser
+  – Rebecca Fischbach
   – Sven Frommeyer
   – Elmar Geese
   – Sebastian Gerhards

Modified: trunk/gforge_base/evolvisforge-5.1/src/common/include/session.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/common/include/session.php	2012-01-13 11:11:45 UTC (rev 18006)
+++ trunk/gforge_base/evolvisforge-5.1/src/common/include/session.php	2012-01-13 11:11:51 UTC (rev 18007)
@@ -383,7 +383,7 @@
 	if ($force_secure && !session_issecure()) {
 		return;
 	}
-	setcookie($name, $value, $expiration, '/', $domain, $force_secure);
+	setcookie($name, $value, $expiration, '/', $domain, $force_secure, true);
 }
 
 /**
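Review bot: The new seventh argument to setcookie() on the `+` line is a bare positional `true`, which says nothing to a reader without the setcookie signature at hand; a trailing comment such as `setcookie($name, $value, $expiration, '/', $domain, $force_secure, true); // httponly, needs PHP >= 5.2` would make the intent self-evident. Since this helper appears to set every cookie handed to it rather than only the session cookie, its docblock should also record that cookies set through it are no longer readable from client-side script, so a future caller that genuinely needs JavaScript access knows not to route through it. HttpOnly does not replace the existing `$force_secure` handling: it only blocks script access, while the Secure flag controls plaintext transmission, so both remain necessary. The enclosing function begins before this hunk.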

Modified: trunk/gforge_base/evolvisforge-5.1/src/common/mail/MailingList.class.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/common/mail/MailingList.class.php	2012-01-13 11:11:45 UTC (rev 18006)
+++ trunk/gforge_base/evolvisforge-5.1/src/common/mail/MailingList.class.php	2012-01-13 11:11:51 UTC (rev 18007)
@@ -148,7 +148,7 @@
 			return false;
 		}
 
-		$listPassword = substr(md5($GLOBALS['session_ser'] . time() . util_randbytes()), 0, 16);
+		$listPassword = substr(md5(util_randbytes()), 0, 16);
 		
 		db_begin();
 		$result = db_query_params ('INSERT INTO mail_group_list (group_id,list_name,is_public,password,list_admin,status,description) VALUES ($1,$2,$3,$4,$5,$6,$7)',
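Review bot: `md5(util_randbytes())` on the new line uses md5 purely as a hex encoder, and the `substr(..., 0, 16)` caps the list password at 64 bits however many random bytes the helper returns; neither step adds randomness, so the comment should say what the 16-character format is for. If util_randbytes() can return false or an empty string when no random source is available (its definition is not part of this commit), `md5('')` is a fixed value and the password degrades to a constant, so the return should be checked first, e.g. `$rnd = util_randbytes(); if ($rnd === false || $rnd === '') { return false; }`, reusing the error path seen just above the change. If the helper accepts a byte count, `bin2hex(util_randbytes(8))` yields the same 16-hex-character shape without the md5 detour and makes the entropy explicit. The identical pattern is introduced for `$confirm_hash` in www/account/change_email.php in this commit and the same check applies there. The enclosing method starts and ends outside this hunk.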

Modified: trunk/gforge_base/evolvisforge-5.1/src/debian/changelog
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/debian/changelog	2012-01-13 11:11:45 UTC (rev 18006)
+++ trunk/gforge_base/evolvisforge-5.1/src/debian/changelog	2012-01-13 11:11:51 UTC (rev 18007)
@@ -33,8 +33,9 @@
   * Fix detemplating accident in plugins’ postinst maintainer script
   * mediawiki plugin: Default to enable image uploads
   * Unbreak interwiki; add database convergence (depends BSD::arc4random)
+  * Make session cookies HttpOnly (raise PHP dependency to 5.2)
 
- -- Thorsten Glaser <t.glaser at tarent.de>  Fri, 13 Jan 2012 11:18:25 +0100
+ -- Thorsten Glaser <t.glaser at tarent.de>  Fri, 13 Jan 2012 12:07:07 +0100
 
 fusionforge (5.1.1+evolvis6) unstable; urgency=low
 

Modified: trunk/gforge_base/evolvisforge-5.1/src/debian/control
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/debian/control	2012-01-13 11:11:45 UTC (rev 18006)
+++ trunk/gforge_base/evolvisforge-5.1/src/debian/control	2012-01-13 11:11:51 UTC (rev 18007)
@@ -98,7 +98,7 @@
 
 Package: gforge-web-apache2
 Architecture: all
-Depends: gforge-common, gforge-db-postgresql | gforge-db, libapache2-mod-php5, php5-cgi, php5-pgsql, php5-gd, perl, libdbi-perl, libdbd-pg-perl, debianutils (>= 1.7), debconf (>= 1.0.32) | debconf-2.0, ucf, cronolog, python, ssl-cert, libnusoap-php, php-htmlpurifier (>= 4.0), libjs-yui (>= 2.8.2r1~squeeze-1.1~), libjs-prototype (>= 1.7.0-2.1~), libjs-scriptaculous (>= 1.9.0-2~), libjs-jquery (>= 1.6.4-1~), libjs-jquery-ui (>= 1.8.ooops.16+dfsg-1~), libphp-jpgraph, tango-icon-theme, toilet, ${misc:Depends}
+Depends: gforge-common, gforge-db-postgresql | gforge-db, libapache2-mod-php5 (>= 5.2), php5-cgi (>= 5.2), php5-pgsql, php5-gd, perl, libdbi-perl, libdbd-pg-perl, debianutils (>= 1.7), debconf (>= 1.0.32) | debconf-2.0, ucf, cronolog, python, ssl-cert, libnusoap-php, php-htmlpurifier (>= 4.0), libjs-yui (>= 2.8.2r1~squeeze-1.1~), libjs-prototype (>= 1.7.0-2.1~), libjs-scriptaculous (>= 1.9.0-2~), libjs-jquery (>= 1.6.4-1~), libjs-jquery-ui (>= 1.8.ooops.16+dfsg-1~), libphp-jpgraph, tango-icon-theme, toilet, ${misc:Depends}
 Recommends: locales | locales-all
 Provides: gforge-web
 Conflicts: gforge-web

Modified: trunk/gforge_base/evolvisforge-5.1/src/packaging/control/030web-apache2
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/packaging/control/030web-apache2	2012-01-13 11:11:45 UTC (rev 18006)
+++ trunk/gforge_base/evolvisforge-5.1/src/packaging/control/030web-apache2	2012-01-13 11:11:51 UTC (rev 18007)
@@ -1,6 +1,6 @@
 Package: @OLDPACKAGE at -web-apache2
 Architecture: all
-Depends: @OLDPACKAGE at -common, @OLDPACKAGE at -db-postgresql | @OLDPACKAGE at -db, libapache2-mod-php5, php5-cgi, php5-pgsql, php5-gd, perl, libdbi-perl, libdbd-pg-perl, debianutils (>= 1.7), debconf (>= 1.0.32) | debconf-2.0, ucf, cronolog, python, ssl-cert, libnusoap-php, php-htmlpurifier (>= 4.0), libjs-yui (>= 2.8.2r1~squeeze-1.1~), libjs-prototype (>= 1.7.0-2.1~), libjs-scriptaculous (>= 1.9.0-2~), libjs-jquery (>= 1.6.4-1~), libjs-jquery-ui (>= 1.8.ooops.16+dfsg-1~), libphp-jpgraph, tango-icon-theme, toilet, ${misc:Depends}
+Depends: @OLDPACKAGE at -common, @OLDPACKAGE at -db-postgresql | @OLDPACKAGE at -db, libapache2-mod-php5 (>= 5.2), php5-cgi (>= 5.2), php5-pgsql, php5-gd, perl, libdbi-perl, libdbd-pg-perl, debianutils (>= 1.7), debconf (>= 1.0.32) | debconf-2.0, ucf, cronolog, python, ssl-cert, libnusoap-php, php-htmlpurifier (>= 4.0), libjs-yui (>= 2.8.2r1~squeeze-1.1~), libjs-prototype (>= 1.7.0-2.1~), libjs-scriptaculous (>= 1.9.0-2~), libjs-jquery (>= 1.6.4-1~), libjs-jquery-ui (>= 1.8.ooops.16+dfsg-1~), libphp-jpgraph, tango-icon-theme, toilet, ${misc:Depends}
 Recommends: locales | locales-all
 Provides: @OLDPACKAGE at -web
 Conflicts: @OLDPACKAGE at -web

Modified: trunk/gforge_base/evolvisforge-5.1/src/www/account/change_email.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/www/account/change_email.php	2012-01-13 11:11:45 UTC (rev 18006)
+++ trunk/gforge_base/evolvisforge-5.1/src/www/account/change_email.php	2012-01-13 11:11:51 UTC (rev 18007)
@@ -38,7 +38,7 @@
 		exit_error(_('Invalid email address.'),'my');
 	}
 
-	$confirm_hash = substr(md5($GLOBALS['session_ser'] . time()),0,16);
+	$confirm_hash = substr(md5(util_randbytes()),0,16);
 
 	$u =& user_get_object(user_getid());
 	if (!$u || !is_object($u)) {


