[aur-dev] [PATCH] Geshi AUR implementation
Lukas Fleischer
archlinux at cryptocrack.de
Wed Sep 29 08:42:30 EDT 2010
On Wed, Sep 29, 2010 at 01:38:36PM +0200, Manuel Tortosa wrote:
> +// Getting variables
> +if (!empty($HTTP_POST_VARS)) extract($HTTP_POST_VARS);
> +if (!empty($HTTP_GET_VARS)) extract($HTTP_GET_VARS);
The use of "$HTTP_POST_VARS" and "$HTTP_GET_VARS" is deprecated and
highly discouraged. It won't even work at all if register_long_arrays is
disabled. Use "$_POST" and "$_GET" instead.
Emulating register_globals behaviour is also deprecated and a potential
security flaw. Don't do that. Just use "$_GET['pkgbuild']".
> +$file = file_get_contents($pkgbuild, FILE_USE_INCLUDE_PATH);
This introduces a remote file inclusion vulnerability allowing an
attacker to read arbitrary files since "$pkgbuild" is not validated
before passing it to file_get_contents().
Don't apply this patch until everything is fixed, please.
More information about the aur-dev
mailing list