patch with security fix for CVE-2015-5059

Submitted by: Torsten Zuhlsdorff & Jason Unovitch
PR: 201106 202865
Approved by: mat (mentor)
Differential Review: D4196
Dan Langille 2015-12-23 21:20:51 +00:00
parent 48c69118c7
commit 358229bc25
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=404324
2 changed files with 30 additions and 4 deletions


@ -3,7 +3,7 @@
PORTNAME= mantis
PORTVERSION= 1.2.19
PORTREVISION= 0
PORTREVISION= 1
CATEGORIES= databases www
MASTER_SITES= SF/${PORTNAME}bt/${PORTNAME}-stable/${PORTVERSION}
DISTNAME= mantisbt-${PORTVERSION}
@ -12,14 +12,23 @@ MAINTAINER= dvl@FreeBSD.org
COMMENT= Bug tracking system written in PHP
NO_BUILD= yes
USE_PHP= hash pcre session
USES= pgsql
USE_PHP= hash pcre session xml
OPTIONS_MULTI= DB
OPTIONS_MULTI_DB= MYSQL PGSQL
MYSQL_DESC= MySQL support
PGSQL_DESC= PostgreSQL support
OPTIONS_DEFAULT= MYSQL
MYSQL_USE= mysql=yes php=mysql
PGSQL_USE= pgsql=yes php=pgsql
SUB_FILES= pkg-message
PLIST_SUB= WWWOWN=${WWWOWN} WWWGRP=${WWWGRP}
do-install:
${MKDIR} ${STAGEDIR}${WWWDIR}
cd ${WRKSRC} && ${COPYTREE_SHARE} . ${STAGEDIR}${WWWDIR}
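Review bot: The fix for CVE-2015-5059 in this commit only changes the shipped default in config_defaults_inc.php, so an existing installation whose config_inc.php already overrides `$g_view_proj_doc_threshold = ANYBODY` keeps the pre-fix behaviour after the upgrade; since the port already ships `SUB_FILES= pkg-message` (context line in this hunk), the message should tell administrators to re-check that override. A sentence such as `The CVE-2015-5059 fix raises the default $g_view_proj_doc_threshold to VIEWER; check config_inc.php for a local ANYBODY override` would cover it. The replacement of the unconditional `USES= pgsql` by the MYSQL/PGSQL `OPTIONS_MULTI` with `OPTIONS_DEFAULT= MYSQL`, and the `xml` added to `USE_PHP`, change the default build in ways unrelated to the CVE and are not mentioned in the commit message, which makes the security change harder to audit and backport on its own. Several lines of this hunk appear collapsed in the rendering, so the exact set of removed lines is inferred from the diffstat.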


@ -0,0 +1,17 @@
--- config_defaults_inc.php.orig 2015-11-02 10:57:53 UTC
+++ config_defaults_inc.php
@@ -2347,9 +2347,13 @@
/**
* Threshold needed to view project documentation
+ * Note: setting this to ANYBODY will let any user download attachments
+ * from private projects, regardless of their being a member of it.
+ * @see $g_enable_project_documentation
+ * @see $g_upload_project_file_threshold
* @global int $g_view_proj_doc_threshold
*/
- $g_view_proj_doc_threshold = ANYBODY;
+ $g_view_proj_doc_threshold = VIEWER;
/**
* Site manager