Date: Thu, 4 May 2006 23:00:36 GMT
From: Xin LI <delphij@freebsd.org>
To: freebsd-ports-bugs@FreeBSD.org
Subject: Re: ports/93204: phpBB anti-DOS patch disallows visual authentication
Message-ID: <200605042300.k44N0acd098627@freefall.freebsd.org>
The following reply was made to PR ports/93204; it has been noted by GNATS.

From: Xin LI <delphij@freebsd.org>
To: bug-followup@FreeBSD.org, sadangel@pow2clk.net, liukang@cn.FreeBSD.org
Cc:
Subject: Re: ports/93204: phpBB anti-DOS patch disallows visual authentication
Date: Thu, 4 May 2006 23:00:06 +0000

--zYM0uCDKw75PZbzx
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Here is a patch that conditionally removes the anti-DoS patch. Maintainer, do you approve or disapprove the patch?

Please note that the option is intentionally undocumented because this option makes the user into a risk and should be generally discouraged.

Cheers,

--zYM0uCDKw75PZbzx
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=patch-phpbb

Index: Makefile =================================================================== RCS file: /home/ncvs/ports/www/phpbb/Makefile,v retrieving revision 1.39 diff -u -r1.39 Makefile --- Makefile 18 Apr 2006 09:33:27 -0000 1.39 +++ Makefile 4 May 2006 22:54:15 -0000 @@ -7,6 +7,7 @@ PORTNAME= phpbb PORTVERSION= 2.0.20 +PORTREVISION= 1 CATEGORIES= www MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR= ${PORTNAME} @@ -31,6 +32,13 @@ # # End of user-configurable variables. +# XXX The phpBB folks does not seem to care about the session table DoS +# issue. You can disable the patch at your own risk to make the +# visual authentication work. +.if !defined(WITHOUT_ANTIDOS_PATCH) +EXTRA_PATCHES= ${FILESDIR}/security-patch-includes-sessions.php +.endif + # Set/override/append to variables from bsd.port.mk: # WRKSRC= ${WRKDIR}/phpBB2 Index: files/patch-includes-sessions.php =================================================================== RCS file: files/patch-includes-sessions.php diff -N files/patch-includes-sessions.php --- files/patch-includes-sessions.php 8 Nov 2005 19:26:55 -0000 1.4 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,11 +0,0 @@ ---- includes/sessions.php.orig Sat May 14 05:04:00 2005 -+++ includes/sessions.php Sun May 15 18:53:48 2005 -@@ -167,7 +167,7 @@ - $sql = "INSERT INTO " . SESSIONS_TABLE . " - (session_id, session_user_id, session_start, session_time, session_ip, session_page, session_logged_in, session_admin) - VALUES ('$session_id', $user_id, $current_time, $current_time, '$user_ip', $page_id, $login, $admin)"; -- if ( !$db->sql_query($sql) ) -+ if ( $user_id != ANONYMOUS && !$db->sql_query($sql) ) - { - message_die(CRITICAL_ERROR, 'Error creating new session', '', __LINE__, __FILE__, $sql); - } Index: files/security-patch-includes-sessions.php =================================================================== RCS file: files/security-patch-includes-sessions.php diff -N files/security-patch-includes-sessions.php --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ files/security-patch-includes-sessions.php 8 Nov 2005 19:26:55 -0000 @@ -0,0 +1,11 @@ +--- includes/sessions.php.orig Sat May 14 05:04:00 2005 ++++ includes/sessions.php Sun May 15 18:53:48 2005 +@@ -167,7 +167,7 @@ + $sql = "INSERT INTO " . SESSIONS_TABLE . " + (session_id, session_user_id, session_start, session_time, session_ip, session_page, session_logged_in, session_admin) + VALUES ('$session_id', $user_id, $current_time, $current_time, '$user_ip', $page_id, $login, $admin)"; +- if ( !$db->sql_query($sql) ) ++ if ( $user_id != ANONYMOUS && !$db->sql_query($sql) ) + { + message_die(CRITICAL_ERROR, 'Error creating new session', '', __LINE__, __FILE__, $sql); + } --zYM0uCDKw75PZbzx--
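Review bot: The .if !defined(WITHOUT_ANTIDOS_PATCH) block in the second Makefile hunk (@@ -31,6 +32,13 @@) has no .else branch, so a build with the knob set leaves out the session-table DoS patch without recording it anywhere in the build output. Since the comment above it already calls this an at-your-own-risk setting, consider an .else branch that prints a warning naming WITHOUT_ANTIDOS_PATCH, and name the knob in the comment itself, which currently says only "You can disable the patch". Also, EXTRA_PATCHES= is a plain assignment and would discard any value already set; EXTRA_PATCHES+= avoids that.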
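Review bot: In files/security-patch-includes-sessions.php, the replacement condition "$user_id != ANONYMOUS && !$db->sql_query($sql)" skips the INSERT for anonymous users only as a side effect of short-circuit evaluation inside the error check, so no session row is written for guests and the reason is not stated anywhere in the patch. The Makefile comment ties this to visual authentication not working; a short header comment in the patch file saying that guest sessions are deliberately not stored, or an explicit "if ( $user_id != ANONYMOUS )" around the query, would make the trade-off visible to whoever next updates the port. The body is otherwise identical to the removed files/patch-includes-sessions.php, so the rename changes only how the patch gets applied (through EXTRA_PATCHES rather than unconditionally).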