rpms/moodle/devel moodle-1.5.3-SA18267.patch, NONE, 1.1 moodle.spec, 1.2, 1.3
Ignacio Vazquez-Abrams (ivazquez)
fedora-extras-commits at redhat.com
Tue Jan 10 00:00:38 UTC 2006
Author: ivazquez
Update of /cvs/extras/rpms/moodle/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv19761/devel
Modified Files:
moodle.spec
Added Files:
moodle-1.5.3-SA18267.patch
Log Message:
Add security patch for adodb (SA18267)
moodle-1.5.3-SA18267.patch:
--- NEW FILE moodle-1.5.3-SA18267.patch ---
diff -urN moodle/lib/adodb/server.php moodle.adodb/lib/adodb/server.php
--- moodle/lib/adodb/server.php 2005-11-10 21:05:24.000000000 -0500
+++ moodle.adodb/lib/adodb/server.php 2006-01-03 21:07:46.000000000 -0500
@@ -1,98 +1,10 @@
<?php
-/**
- * @version V4.66 28 Sept 2005 (c) 2000-2005 John Lim (jlim at natsoft.com.my). All rights reserved.
- * Released under both BSD license and Lesser GPL library license.
- Whenever there is any discrepancy between the two licenses,
- the BSD license will take precedence.
- */
-
-/* Documentation on usage is at http://php.weblogs.com/adodb_csv
- *
- * Legal query string parameters:
- *
- * sql = holds sql string
- * nrows = number of rows to return
- * offset = skip offset rows of data
- * fetch = $ADODB_FETCH_MODE
- *
- * example:
- *
- * http://localhost/php/server.php?select+*+from+table&nrows=10&offset=2
- */
+require_once('../../config.php');
+require_once('../weblib.php');
-
-/*
- * Define the IP address you want to accept requests from
- * as a security measure. If blank we accept anyone promisciously!
- */
-$ACCEPTIP = '';
-
-/*
- * Connection parameters
- */
-$driver = 'mysql';
-$host = 'localhost'; // DSN for odbc
-$uid = 'root';
-$pwd = '';
-$database = 'test';
-
-/*============================ DO NOT MODIFY BELOW HERE =================================*/
-// $sep must match csv2rs() in adodb.inc.php
-$sep = ' :::: ';
-
-include('./adodb.inc.php');
-include_once(ADODB_DIR.'/adodb-csvlib.inc.php');
-
-function err($s)
-{
- die('**** '.$s.' ');
-}
-
-// undo stupid magic quotes
-function undomq(&$m)
-{
- if (get_magic_quotes_gpc()) {
- // undo the damage
- $m = str_replace('\\\\','\\',$m);
- $m = str_replace('\"','"',$m);
- $m = str_replace('\\\'','\'',$m);
-
- }
- return $m;
-}
-
-///////////////////////////////////////// DEFINITIONS
-
-
-$remote = $_SERVER["REMOTE_ADDR"];
-
-if (empty($_REQUEST['sql'])) err('No SQL');
-
-if (!empty($ACCEPTIP))
- if ($remote != '127.0.0.1' && $remote != $ACCEPTIP)
- err("Unauthorised client: '$remote'");
-
-
-$conn = &ADONewConnection($driver);
-
-if (!$conn->Connect($host,$uid,$pwd,$database)) err($conn->ErrorNo(). $sep . $conn->ErrorMsg());
-$sql = undomq($_REQUEST['sql']);
-
-if (isset($_REQUEST['fetch']))
- $ADODB_FETCH_MODE = $_REQUEST['fetch'];
-
-if (isset($_REQUEST['nrows'])) {
- $nrows = $_REQUEST['nrows'];
- $offset = isset($_REQUEST['offset']) ? $_REQUEST['offset'] : -1;
- $rs = $conn->SelectLimit($sql,$nrows,$offset);
-} else
- $rs = $conn->Execute($sql);
-if ($rs){
- //$rs->timeToLive = 1;
- echo _rs2serialize($rs,$conn,$sql);
- $rs->Close();
-} else
- err($conn->ErrorNo(). $sep .$conn->ErrorMsg());
+add_to_log(0, 'adodb', 'intrusion attempt', 'lib/adodb/server.php');
+trigger_error('SECURITY WARNING: intrusion attempt against lib/adodb/server.php from ' . getremoteaddr());
+error('SECURITY WARNING: logged intrusion attempt against lib/adodb/server.php');
?>
\ No newline at end of file
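Review bot: The stub that replaces server.php records an "intrusion attempt" for every request, authenticated or not, so any crawler or scanner fetching the URL can grow the Moodle log and the PHP error log at will, and real probes become hard to tell from noise. It also pulls in `../../config.php`, which looks like a full Moodle bootstrap, only to refuse the request. The other ADOdb test scripts in this patch are deleted outright; deleting server.php as well would close the endpoint without adding an unauthenticated log writer, provided nothing in Moodle requests it (not visible here, confirm). If the stub stays, a header comment would help, e.g. `// SA18267: upstream ADOdb CSV server removed (it executed $_REQUEST['sql']); requests are logged and refused.`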
diff -urN moodle/lib/adodb/tests/benchmark.php moodle.adodb/lib/adodb/tests/benchmark.php
--- moodle/lib/adodb/tests/benchmark.php 2005-11-10 21:05:25.000000000 -0500
+++ moodle.adodb/lib/adodb/tests/benchmark.php 1969-12-31 19:00:00.000000000 -0500
@@ -1,84 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
-
-<html>
-<head>
- <title>ADODB Benchmarks</title>
-</head>
-
-<body>
-<?php
-/*
-V4.66 28 Sept 2005 (c) 2000-2005 John Lim (jlim at natsoft.com.my). All rights reserved.
- Released under both BSD license and Lesser GPL library license.
- Whenever there is any discrepancy between the two licenses,
- the BSD license will take precedence.
-
- Benchmark code to test the speed to the ADODB library with different databases.
- This is a simplistic benchmark to be used as the basis for further testing.
- It should not be used as proof of the superiority of one database over the other.
-*/
-
-$testmssql = true;
-//$testvfp = true;
-$testoracle = true;
-$testado = true;
-$testibase = true;
-$testaccess = true;
-$testmysql = true;
-$testsqlite = true;;
-
-set_time_limit(240); // increase timeout
-
-include("../tohtml.inc.php");
-include("../adodb.inc.php");
-
-function testdb(&$db,$createtab="create table ADOXYZ (id int, firstname char(24), lastname char(24), created date)")
-{
-GLOBAL $ADODB_version,$ADODB_FETCH_MODE;
-
- adodb_backtrace();
-
- $max = 100;
- $sql = 'select * from ADOXYZ';
- $ADODB_FETCH_MODE = ADODB_FETCH_NUM;
-
- //print "<h3>ADODB Version: $ADODB_version Host: <i>$db->host</i> Database: <i>$db->database</i></h3>";
-
- // perform query once to cache results so we are only testing throughput
- $rs = $db->Execute($sql);
- if (!$rs){
- print "Error in recordset<p>";
- return;
- }
- $arr = $rs->GetArray();
- //$db->debug = true;
- global $ADODB_COUNTRECS;
- $ADODB_COUNTRECS = false;
- $start = microtime();
- for ($i=0; $i < $max; $i++) {
- $rs =& $db->Execute($sql);
- $arr =& $rs->GetArray();
- // print $arr[0][1];
- }
- $end = microtime();
- $start = explode(' ',$start);
- $end = explode(' ',$end);
-
- //print_r($start);
- //print_r($end);
-
- // print_r($arr);
- $total = $end[0]+trim($end[1]) - $start[0]-trim($start[1]);
- printf ("<p>seconds = %8.2f for %d iterations each with %d records</p>",$total,$max, sizeof($arr));
- flush();
-
-
- //$db->Close();
-}
-include("testdatabases.inc.php");
-
-?>
-
-
-</body>
-</html>
diff -urN moodle/lib/adodb/tests/client.php moodle.adodb/lib/adodb/tests/client.php
--- moodle/lib/adodb/tests/client.php 2004-07-12 23:13:35.000000000 -0400
+++ moodle.adodb/lib/adodb/tests/client.php 1969-12-31 19:00:00.000000000 -0500
[...3782 lines suppressed...]
- print "<p>Random session destroy</p>";
- session_destroy();
- }
- }
-?>
\ No newline at end of file
diff -urN moodle/lib/adodb/tests/test-xmlschema.php moodle.adodb/lib/adodb/tests/test-xmlschema.php
--- moodle/lib/adodb/tests/test-xmlschema.php 2005-11-10 21:05:25.000000000 -0500
+++ moodle.adodb/lib/adodb/tests/test-xmlschema.php 1969-12-31 19:00:00.000000000 -0500
@@ -1,54 +0,0 @@
-<?PHP
-
-// V4.50 6 July 2004
-
-error_reporting(E_ALL);
-include_once( "../adodb.inc.php" );
-include_once( "../adodb-xmlschema.inc.php" );
-
-// To build the schema, start by creating a normal ADOdb connection:
-$db = ADONewConnection( 'mysql' );
-$db->Connect( 'localhost', 'root', '', 'schematest' );
-
-// To create a schema object and build the query array.
-$schema = new adoSchema( $db );
-
-// To upgrade an existing schema object, use the following
-// To upgrade an existing database to the provided schema,
-// uncomment the following line:
-#$schema->upgradeSchema();
-
-print "<b>SQL to build xmlschema.xml</b>:\n<pre>";
-// Build the SQL array
-$sql = $schema->ParseSchema( "xmlschema.xml" );
-
-print_r( $sql );
-print "</pre>\n";
-
-// Execute the SQL on the database
-//$result = $schema->ExecuteSchema( $sql );
-
-// Finally, clean up after the XML parser
-// (PHP won't do this for you!)
-//$schema->Destroy();
-
-
-
-print "<b>SQL to build xmlschema-mssql.xml</b>:\n<pre>";
-
-$db2 = ADONewConnection('mssql');
-$db2->Connect('','adodb','natsoft','northwind') || die("Fail 2");
-
-$db2->Execute("drop table simple_table");
-
-$schema = new adoSchema( $db2 );
-$sql = $schema->ParseSchema( "xmlschema-mssql.xml" );
-
-print_r( $sql );
-print "</pre>\n";
-
-$db2->debug=1;
-
-foreach ($sql as $s)
-$db2->Execute($s);
-?>
\ No newline at end of file
diff -urN moodle/lib/adodb/tests/time.php moodle.adodb/lib/adodb/tests/time.php
--- moodle/lib/adodb/tests/time.php 2003-10-22 04:52:42.000000000 -0400
+++ moodle.adodb/lib/adodb/tests/time.php 1969-12-31 19:00:00.000000000 -0500
@@ -1,17 +0,0 @@
-<?php
-
-include_once('../adodb-time.inc.php');
-//adodb_date_test();
-?>
-<?php
-//require("adodb-time.inc.php");
-
-$datestring = "1963-12-04"; // string normally from mySQL
-$stringArray = explode("-", $datestring);
-$date = adodb_mktime(0,0,0,$stringArray[1],$stringArray[2],$stringArray[0]);
-
-$convertedDate = date("d-M-Y", $date); // converted string to UK style date
-
-echo( "Birthday: $convertedDate" ); //why is string returned as one day (3 not 4) less for this example??
-
-?>
\ No newline at end of file
diff -urN moodle/lib/adodb/tests/tmssql.php moodle.adodb/lib/adodb/tests/tmssql.php
--- moodle/lib/adodb/tests/tmssql.php 2005-11-10 21:05:25.000000000 -0500
+++ moodle.adodb/lib/adodb/tests/tmssql.php 2006-01-03 21:07:46.000000000 -0500
@@ -1,65 +1,10 @@
<?php
-error_reporting(E_ALL);
-ini_set('mssql.datetimeconvert',0);
-function tmssql()
-{
- print "<h3>mssql</h3>";
- $db = mssql_connect('JAGUAR\vsdotnet','adodb','natsoft') or die('No Connection');
- mssql_select_db('northwind',$db);
-
- $rs = mssql_query('select getdate() as date',$db);
- $o = mssql_fetch_row($rs);
- print_r($o);
- mssql_free_result($rs);
-
- print "<p>Delete</p>"; flush();
- $rs2 = mssql_query('delete from adoxyz',$db);
- $p = mssql_num_rows($rs2);
- mssql_free_result($rs2);
+require_once('../../../config.php');
+require_once('../../weblib.php');
-}
+add_to_log(0, 'adodb', 'intrusion attempt', 'lib/adodb/tests/tmssql.php');
+trigger_error('SECURITY WARNING: intrusion attempt against lib/tests/tmssql.php from ' . getremoteaddr());
+error('SECURITY WARNING: logged intrusion attempt against lib/adodb/tests/tmssql.php');
-function tpear()
-{
-include_once('DB.php');
-
- print "<h3>PEAR</h3>";
- $username = 'adodb';
- $password = 'natsoft';
- $hostname = 'JAGUAR\vsdotnet';
- $databasename = 'northwind';
-
- $dsn = "mssql://$username:$password@$hostname/$databasename";
- $conn = &DB::connect($dsn);
- print "date=".$conn->GetOne('select getdate()')."<br>";
- @$conn->query('create table tester (id integer)');
- print "<p>Delete</p>"; flush();
- $rs = $conn->query('delete from tester');
- print "date=".$conn->GetOne('select getdate()')."<br>";
-}
-
-function tadodb()
-{
-include_once('../adodb.inc.php');
-
- print "<h3>ADOdb</h3>";
- $conn = NewADOConnection('mssql');
- $conn->Connect('JAGUAR\vsdotnet','adodb','natsoft','northwind');
-// $conn->debug=1;
- print "date=".$conn->GetOne('select getdate()')."<br>";
- $conn->Execute('create table tester (id integer)');
- print "<p>Delete</p>"; flush();
- $rs = $conn->Execute('delete from tester');
- print "date=".$conn->GetOne('select getdate()')."<br>";
-}
-?>
-<a href=tmssql.php?do=tmssql>mssql</a>
-<a href=tmssql.php?do=tpear>pear</a>
-<a href=tmssql.php?do=tadodb>adodb</a>
-<?php
-if (!empty($_GET['do'])) {
- $do = $_GET['do'];
- $do();
-}
?>
\ No newline at end of file
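Review bot: The `trigger_error()` message in this stub names `lib/tests/tmssql.php`, while the `add_to_log()` and `error()` calls on either side of it name `lib/adodb/tests/tmssql.php`. Anyone searching the PHP error log for the real path will miss these entries. The line should read `trigger_error('SECURITY WARNING: intrusion attempt against lib/adodb/tests/tmssql.php from ' . getremoteaddr());`. As with the server.php stub, every unauthenticated hit is logged, so removing the file like the other scripts under tests/ may be the simpler option.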
diff -urN moodle/lib/adodb/tests/xmlschema.xml moodle.adodb/lib/adodb/tests/xmlschema.xml
--- moodle/lib/adodb/tests/xmlschema.xml 2005-11-10 21:05:25.000000000 -0500
+++ moodle.adodb/lib/adodb/tests/xmlschema.xml 1969-12-31 19:00:00.000000000 -0500
@@ -1,33 +0,0 @@
-<?xml version="1.0"?>
-<schema version="0.2">
- <table name="mytable">
- <field name="row1" type="I">
- <descr>An integer row that's a primary key and autoincrements</descr>
- <KEY/>
- <AUTOINCREMENT/>
- </field>
- <field name="row2" type="C" size="16">
- <descr>A 16 character varchar row that can't be null</descr>
- <NOTNULL/>
- </field>
- <index name="myindex">
- <col>row1</col>
- <col>row2</col>
- </index>
- </table>
- <sql>
- <descr>SQL to be executed only on specific platforms</descr>
- <query platform="postgres|postgres7">
- insert into mytable ( row1, row2 ) values ( 12, 'postgres stuff' )
- </query>
- <query platform="mysql">
- insert into mytable ( row1, row2 ) values ( 12, 'mysql stuff' )
- </query>
- <query platform="mssql">
- insert into mytable ( row1, row2 ) values ( 12, 'Microsoft stuff' )
- </query>
- </sql>
- <table name="obsoletetable">
- <DROP/>
- </table>
-</schema>
\ No newline at end of file
Index: moodle.spec
===================================================================
RCS file: /cvs/extras/rpms/moodle/devel/moodle.spec,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- moodle.spec 12 Dec 2005 21:05:20 -0000 1.2
+++ moodle.spec 10 Jan 2006 00:00:38 -0000 1.3
@@ -9,7 +9,7 @@
Name: moodle
Version: 1.5.3
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: A Course Management System
Group: Applications/Publishing
@@ -24,6 +24,7 @@
Source6: moodle-README-rpm
Patch0: moodle-1.5.2-mimetex-linux.patch
Patch1: moodle-1.5.2-mimetex-fedora.patch
+Patch2: moodle-1.5.3-SA18267.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch: noarch
@@ -628,6 +629,7 @@
%setup -q -n %{name}
%patch0 -p1 -b .mimetex-linux
%patch1 -p1 -b .mimetex-fedora
+%patch2 -p1 -b .SA18267
cp %{SOURCE6} README-rpm
find $RPM_BUILD_DIR/%{name} -name \*.bak -exec rm {} \;
find $RPM_BUILD_DIR/%{name} -type f -exec chmod a-x {} \;
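Review bot: `%patch2 -p1 -b .SA18267` keeps a `.SA18267` backup of every file the patch touches, and the cleanup on the following lines removes only `*.bak`, so the pre-patch `lib/adodb/server.php` and the deleted test scripts may stay in the build tree under the new suffix. Whether they reach the package depends on %install and %files, which are outside this hunk; if the tree is copied wholesale, the code the advisory is about still ships under the web root. Either drop `-b` for this patch or add `find $RPM_BUILD_DIR/%{name} -name \*.SA18267 -exec rm {} \;` next to the `*.bak` cleanup.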
@@ -692,6 +694,9 @@
%endif
%changelog
+* Mon Jan 9 2006 Ignacio Vazquez-Abrams <ivazquez at ivazquez.net> 1.5.3-2
+- Add security patch for adodb (SA18267)
+
* Sat Dec 10 2005 Ignacio Vazquez-Abrams <ivazquez at ivazquez.net> 1.5.3-1
- Update to 1.5.3
- Split off spell check package due to lack of Text::Aspell