Update Geeklog 1.5.2sr5 by adding patches since 1.5.2sr5 isn't provided

as full release. And add updated fckeditor for Geeklog. These updates should fix known security problems, Secunia SA36372. Jul 30, 2009 (1.5.2sr5) ------------ This release addresses the following security issues: - Gerendi Sandor Attila reported an XSS in the forms to email a user and to email a story to a friend. - The "Mail Story to a Friend" function didn't check story permissions, so that it was possible to email a story even if you didn't have the permissions to view it on the site.
2009-09-13 01:15:10 +00:00 · 2009-09-13 01:15:10 +00:00 · 3dca347fc2
commit 3dca347fc2
parent bb88bf0455
11 changed files with 272 additions and 47 deletions
--- a/www/geeklog/Makefile
+++ b/www/geeklog/Makefile
@ -1,10 +1,11 @@
-# $NetBSD: Makefile,v 1.22 2009/05/26 14:19:29 taca Exp $
+# $NetBSD: Makefile,v 1.23 2009/09/13 01:15:10 taca Exp $
 #

 DISTNAME=	geeklog-${VER}
-PKGNAME=	geeklog-${VER:C/(sr|-)/./g}
+PKGNAME=	geeklog-${VER:C/(sr|-)4/.5/g}
 CATEGORIES=	www
 MASTER_SITES=	http://www.geeklog.net/filemgmt/upload_dir/
+DISTFILES=	${DEFAULT_DISTFILES} ${FCKEDITOR_UPDATE}

 MAINTAINER=	taca@NetBSD.org
 HOMEPAGE=	http://www.geeklog.net/
@ -13,6 +14,8 @@ LICENSE=	gnu-gpl-v2

 PKG_DESTDIR_SUPPORT=	user-destdir
 PRIVILEGED_STAGES+=	clean
+EXTRACT_ONLY=		${DEFAULT_DISTFILES}
+FCKEDITOR_UPDATE=	fckeditor-2.6.4.1-updated.tar.gz

 DEPENDS+=	${APACHE_PKG_PREFIX}-${PHP_PKG_PREFIX}>=4.3.3:../../www/ap-php
 DEPENDS+=	${PHP_PKG_PREFIX}-mysql>=4.3.0:../../databases/php-mysql
@ -91,10 +94,14 @@ INSTALLATION_DIRS=	${GEEKLOG_BASE} ${GEEKLOG_PUB} ${GL_TMPL}/images \
 			share/examples/geeklog ${GL_DOC} ${GL_EG}

 post-extract:
+	${RUN} extract_file=${_DISTDIR:Q}/${FCKEDITOR_UPDATE:Q}; \
+	export extract_file; cd ${WRKSRC}/public_html && ${EXTRACT_CMD}
+	cd ${WRKSRC}/public_html && ${RM} -f README.txt \
+		fckeditor/editor/filemanager/browser/default/images/icons/default.icon.gif0000644
 	${CP} ${FILESDIR}/README ${FILESDIR}/geeklog.conf ${WRKDIR}

 pre-install:
-	${FIND} ${WRKSRC:Q} -type f -name "*.orig" -exec ${RM} -f {} \;
+	${FIND} ${WRKSRC} -type f -name "*.orig" -exec ${RM} -f {} \;
 	cd ${WRKSRC}/public_html; \
 		${FIND} ${GL_TMPL_SUB} -type f -exec ${CHMOD} -x {} \;
 	${CHMOD} 0664 ${WRKSRC}/public_html/backend/geeklog.rss
--- a/www/geeklog/PLIST
+++ b/www/geeklog/PLIST
@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.9 2009/06/14 22:00:22 joerg Exp $
+@comment $NetBSD: PLIST,v 1.10 2009/09/13 01:15:10 taca Exp $
 ${GEEKLOG_BASE}/emailgeeklogstories
 ${GEEKLOG_BASE}/language/afrikaans.php
 ${GEEKLOG_BASE}/language/afrikaans_utf-8.php
@ -404,30 +404,32 @@ ${GEEKLOG_BASE}/system/lib-webservices.php
 ${GEEKLOG_BASE}/system/memberdetail.thtml
 ${GEEKLOG_BASE}/system/pear/Archive/Tar.php
 ${GEEKLOG_BASE}/system/pear/Archive/Zip.php
+${GEEKLOG_BASE}/system/pear/Auth/SASL.php
 ${GEEKLOG_BASE}/system/pear/Auth/SASL/Anonymous.php
 ${GEEKLOG_BASE}/system/pear/Auth/SASL/Common.php
 ${GEEKLOG_BASE}/system/pear/Auth/SASL/CramMD5.php
 ${GEEKLOG_BASE}/system/pear/Auth/SASL/DigestMD5.php
 ${GEEKLOG_BASE}/system/pear/Auth/SASL/Login.php
 ${GEEKLOG_BASE}/system/pear/Auth/SASL/Plain.php
-${GEEKLOG_BASE}/system/pear/Auth/SASL.php
 ${GEEKLOG_BASE}/system/pear/Console/Getopt.php
+${GEEKLOG_BASE}/system/pear/Date.php
 ${GEEKLOG_BASE}/system/pear/Date/Calc.php
 ${GEEKLOG_BASE}/system/pear/Date/Human.php
 ${GEEKLOG_BASE}/system/pear/Date/Span.php
 ${GEEKLOG_BASE}/system/pear/Date/TimeZone.php
-${GEEKLOG_BASE}/system/pear/Date.php
-${GEEKLOG_BASE}/system/pear/HTTP/Request/Listener.php
 ${GEEKLOG_BASE}/system/pear/HTTP/Request.php
+${GEEKLOG_BASE}/system/pear/HTTP/Request/Listener.php
+${GEEKLOG_BASE}/system/pear/Mail.php
 ${GEEKLOG_BASE}/system/pear/Mail/RFC822.php
 ${GEEKLOG_BASE}/system/pear/Mail/mail.php
 ${GEEKLOG_BASE}/system/pear/Mail/null.php
 ${GEEKLOG_BASE}/system/pear/Mail/sendmail.php
 ${GEEKLOG_BASE}/system/pear/Mail/smtp.php
-${GEEKLOG_BASE}/system/pear/Mail.php
+${GEEKLOG_BASE}/system/pear/Net/DNS.php
 ${GEEKLOG_BASE}/system/pear/Net/DNS/Header.php
 ${GEEKLOG_BASE}/system/pear/Net/DNS/Packet.php
 ${GEEKLOG_BASE}/system/pear/Net/DNS/Question.php
+${GEEKLOG_BASE}/system/pear/Net/DNS/RR.php
 ${GEEKLOG_BASE}/system/pear/Net/DNS/RR/A.php
 ${GEEKLOG_BASE}/system/pear/Net/DNS/RR/AAAA.php
 ${GEEKLOG_BASE}/system/pear/Net/DNS/RR/CNAME.php
@ -440,17 +442,17 @@ ${GEEKLOG_BASE}/system/pear/Net/DNS/RR/SOA.php
 ${GEEKLOG_BASE}/system/pear/Net/DNS/RR/SRV.php
 ${GEEKLOG_BASE}/system/pear/Net/DNS/RR/TSIG.php
 ${GEEKLOG_BASE}/system/pear/Net/DNS/RR/TXT.php
-${GEEKLOG_BASE}/system/pear/Net/DNS/RR.php
 ${GEEKLOG_BASE}/system/pear/Net/DNS/Resolver.php
-${GEEKLOG_BASE}/system/pear/Net/DNS.php
 ${GEEKLOG_BASE}/system/pear/Net/SMTP.php
 ${GEEKLOG_BASE}/system/pear/Net/Socket.php
 ${GEEKLOG_BASE}/system/pear/Net/URL.php
 ${GEEKLOG_BASE}/system/pear/OS/Guess.php
+${GEEKLOG_BASE}/system/pear/PEAR.php
 ${GEEKLOG_BASE}/system/pear/PEAR/Autoloader.php
 ${GEEKLOG_BASE}/system/pear/PEAR/Builder.php
-${GEEKLOG_BASE}/system/pear/PEAR/ChannelFile/Parser.php
 ${GEEKLOG_BASE}/system/pear/PEAR/ChannelFile.php
+${GEEKLOG_BASE}/system/pear/PEAR/ChannelFile/Parser.php
+${GEEKLOG_BASE}/system/pear/PEAR/Command.php
 ${GEEKLOG_BASE}/system/pear/PEAR/Command/Auth.php
 ${GEEKLOG_BASE}/system/pear/PEAR/Command/Auth.xml
 ${GEEKLOG_BASE}/system/pear/PEAR/Command/Build.php
@ -474,19 +476,20 @@ ${GEEKLOG_BASE}/system/pear/PEAR/Command/Remote.php
 ${GEEKLOG_BASE}/system/pear/PEAR/Command/Remote.xml
 ${GEEKLOG_BASE}/system/pear/PEAR/Command/Test.php
 ${GEEKLOG_BASE}/system/pear/PEAR/Command/Test.xml
-${GEEKLOG_BASE}/system/pear/PEAR/Command.php
 ${GEEKLOG_BASE}/system/pear/PEAR/Common.php
 ${GEEKLOG_BASE}/system/pear/PEAR/Config.php
 ${GEEKLOG_BASE}/system/pear/PEAR/Dependency.php
 ${GEEKLOG_BASE}/system/pear/PEAR/Dependency2.php
 ${GEEKLOG_BASE}/system/pear/PEAR/DependencyDB.php
-${GEEKLOG_BASE}/system/pear/PEAR/Downloader/Package.php
 ${GEEKLOG_BASE}/system/pear/PEAR/Downloader.php
+${GEEKLOG_BASE}/system/pear/PEAR/Downloader/Package.php
 ${GEEKLOG_BASE}/system/pear/PEAR/ErrorStack.php
 ${GEEKLOG_BASE}/system/pear/PEAR/Exception.php
 ${GEEKLOG_BASE}/system/pear/PEAR/FixPHP5PEARWarnings.php
-${GEEKLOG_BASE}/system/pear/PEAR/Frontend/CLI.php
 ${GEEKLOG_BASE}/system/pear/PEAR/Frontend.php
+${GEEKLOG_BASE}/system/pear/PEAR/Frontend/CLI.php
+${GEEKLOG_BASE}/system/pear/PEAR/Installer.php
+${GEEKLOG_BASE}/system/pear/PEAR/Installer/Role.php
 ${GEEKLOG_BASE}/system/pear/PEAR/Installer/Role/Cfg.php
 ${GEEKLOG_BASE}/system/pear/PEAR/Installer/Role/Cfg.xml
 ${GEEKLOG_BASE}/system/pear/PEAR/Installer/Role/Common.php
@ -506,41 +509,40 @@ ${GEEKLOG_BASE}/system/pear/PEAR/Installer/Role/Test.php
 ${GEEKLOG_BASE}/system/pear/PEAR/Installer/Role/Test.xml
 ${GEEKLOG_BASE}/system/pear/PEAR/Installer/Role/Www.php
 ${GEEKLOG_BASE}/system/pear/PEAR/Installer/Role/Www.xml
-${GEEKLOG_BASE}/system/pear/PEAR/Installer/Role.php
-${GEEKLOG_BASE}/system/pear/PEAR/Installer.php
+${GEEKLOG_BASE}/system/pear/PEAR/PackageFile.php
 ${GEEKLOG_BASE}/system/pear/PEAR/PackageFile/Generator/v1.php
 ${GEEKLOG_BASE}/system/pear/PEAR/PackageFile/Generator/v2.php
 ${GEEKLOG_BASE}/system/pear/PEAR/PackageFile/Parser/v1.php
 ${GEEKLOG_BASE}/system/pear/PEAR/PackageFile/Parser/v2.php
 ${GEEKLOG_BASE}/system/pear/PEAR/PackageFile/v1.php
+${GEEKLOG_BASE}/system/pear/PEAR/PackageFile/v2.php
 ${GEEKLOG_BASE}/system/pear/PEAR/PackageFile/v2/Validator.php
 ${GEEKLOG_BASE}/system/pear/PEAR/PackageFile/v2/rw.php
-${GEEKLOG_BASE}/system/pear/PEAR/PackageFile/v2.php
-${GEEKLOG_BASE}/system/pear/PEAR/PackageFile.php
 ${GEEKLOG_BASE}/system/pear/PEAR/Packager.php
+${GEEKLOG_BASE}/system/pear/PEAR/REST.php
 ${GEEKLOG_BASE}/system/pear/PEAR/REST/10.php
 ${GEEKLOG_BASE}/system/pear/PEAR/REST/11.php
 ${GEEKLOG_BASE}/system/pear/PEAR/REST/13.php
-${GEEKLOG_BASE}/system/pear/PEAR/REST.php
 ${GEEKLOG_BASE}/system/pear/PEAR/Registry.php
 ${GEEKLOG_BASE}/system/pear/PEAR/Remote.php
 ${GEEKLOG_BASE}/system/pear/PEAR/RunTest.php
 ${GEEKLOG_BASE}/system/pear/PEAR/Task/Common.php
-${GEEKLOG_BASE}/system/pear/PEAR/Task/Postinstallscript/rw.php
 ${GEEKLOG_BASE}/system/pear/PEAR/Task/Postinstallscript.php
-${GEEKLOG_BASE}/system/pear/PEAR/Task/Replace/rw.php
+${GEEKLOG_BASE}/system/pear/PEAR/Task/Postinstallscript/rw.php
 ${GEEKLOG_BASE}/system/pear/PEAR/Task/Replace.php
-${GEEKLOG_BASE}/system/pear/PEAR/Task/Unixeol/rw.php
+${GEEKLOG_BASE}/system/pear/PEAR/Task/Replace/rw.php
 ${GEEKLOG_BASE}/system/pear/PEAR/Task/Unixeol.php
-${GEEKLOG_BASE}/system/pear/PEAR/Task/Windowseol/rw.php
+${GEEKLOG_BASE}/system/pear/PEAR/Task/Unixeol/rw.php
 ${GEEKLOG_BASE}/system/pear/PEAR/Task/Windowseol.php
+${GEEKLOG_BASE}/system/pear/PEAR/Task/Windowseol/rw.php
 ${GEEKLOG_BASE}/system/pear/PEAR/Validate.php
 ${GEEKLOG_BASE}/system/pear/PEAR/Validator/PECL.php
 ${GEEKLOG_BASE}/system/pear/PEAR/XMLParser.php
-${GEEKLOG_BASE}/system/pear/PEAR.php
 ${GEEKLOG_BASE}/system/pear/README
 ${GEEKLOG_BASE}/system/pear/System.php
+${GEEKLOG_BASE}/system/pear/Text/Wiki.php
 ${GEEKLOG_BASE}/system/pear/Text/Wiki/Default.php
+${GEEKLOG_BASE}/system/pear/Text/Wiki/Parse.php
 ${GEEKLOG_BASE}/system/pear/Text/Wiki/Parse/Default/Anchor.php
 ${GEEKLOG_BASE}/system/pear/Text/Wiki/Parse/Default/Blockquote.php
 ${GEEKLOG_BASE}/system/pear/Text/Wiki/Parse/Default/Bold.php
@ -579,7 +581,8 @@ ${GEEKLOG_BASE}/system/pear/Text/Wiki/Parse/Default/Tt.php
 ${GEEKLOG_BASE}/system/pear/Text/Wiki/Parse/Default/Underline.php
 ${GEEKLOG_BASE}/system/pear/Text/Wiki/Parse/Default/Url.php
 ${GEEKLOG_BASE}/system/pear/Text/Wiki/Parse/Default/Wikilink.php
-${GEEKLOG_BASE}/system/pear/Text/Wiki/Parse.php
+${GEEKLOG_BASE}/system/pear/Text/Wiki/Render.php
+${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Latex.php
 ${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Latex/Anchor.php
 ${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Latex/Blockquote.php
 ${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Latex/Bold.php
@ -625,7 +628,7 @@ ${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Latex/Tt.php
 ${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Latex/Underline.php
 ${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Latex/Url.php
 ${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Latex/Wikilink.php
-${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Latex.php
+${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Plain.php
 ${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Plain/Anchor.php
 ${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Plain/Blockquote.php
 ${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Plain/Bold.php
@ -671,7 +674,7 @@ ${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Plain/Tt.php
 ${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Plain/Underline.php
 ${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Plain/Url.php
 ${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Plain/Wikilink.php
-${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Plain.php
+${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Xhtml.php
 ${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Xhtml/Address.php
 ${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Xhtml/Anchor.php
 ${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Xhtml/Blockquote.php
@ -718,12 +721,9 @@ ${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Xhtml/Tt.php
 ${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Xhtml/Underline.php
 ${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Xhtml/Url.php
 ${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Xhtml/Wikilink.php
-${GEEKLOG_BASE}/system/pear/Text/Wiki/Render/Xhtml.php
-${GEEKLOG_BASE}/system/pear/Text/Wiki/Render.php
-${GEEKLOG_BASE}/system/pear/Text/Wiki.php
+${GEEKLOG_BASE}/system/pear/XML/RPC.php
 ${GEEKLOG_BASE}/system/pear/XML/RPC/Dump.php
 ${GEEKLOG_BASE}/system/pear/XML/RPC/Server.php
-${GEEKLOG_BASE}/system/pear/XML/RPC.php
 ${GEEKLOG_BASE}/system/pear/scripts/pear.bat
 ${GEEKLOG_BASE}/system/pear/scripts/pear.sh
 ${GEEKLOG_BASE}/system/pear/scripts/pearcmd.php
@ -771,6 +771,7 @@ ${GL_TMPL}/images/topics/topic_gl.gif
 ${GL_TMPL}/images/topics/topic_news.gif
 ${GL_TMPL}/images/userphotos/index.html
 ${GEEKLOG_PUB}/404.php
+${GEEKLOG_PUB}/article.php
 ${GL_ADMIN}/auth.inc.php
 ${GL_ADMIN}/block.php
 ${GL_ADMIN}/configuration.php
@ -797,6 +798,7 @@ ${GL_ADMIN}/install/success.php
 ${GL_ADMIN}/install/toinnodb.php
 ${GL_ADMIN}/mail.php
 ${GL_ADMIN}/moderation.php
+${GL_ADMIN}/plugins.php
 ${GL_ADMIN}/plugins/calendar/index.php
 ${GL_ADMIN}/plugins/calendar/install.php
 ${GL_ADMIN}/plugins/links/category.php
@ -809,14 +811,12 @@ ${GL_ADMIN}/plugins/spamx/index.php
 ${GL_ADMIN}/plugins/spamx/install.php
 ${GL_ADMIN}/plugins/staticpages/index.php
 ${GL_ADMIN}/plugins/staticpages/install.php
-${GL_ADMIN}/plugins.php
 ${GL_ADMIN}/sectest.php
 ${GL_ADMIN}/story.php
 ${GL_ADMIN}/syndication.php
 ${GL_ADMIN}/topic.php
 ${GL_ADMIN}/trackback.php
 ${GL_ADMIN}/user.php
-${GEEKLOG_PUB}/article.php
 ${GEEKLOG_PUB}/calendar/event.php
 ${GEEKLOG_PUB}/calendar/images/calendar.png
 ${GEEKLOG_PUB}/calendar/images/delete_event.gif
@ -921,6 +921,7 @@ ${GEEKLOG_PUB}/fckeditor/editor/_source/internals/fckcodeformatter.js
 ${GEEKLOG_PUB}/fckeditor/editor/_source/internals/fckcommands.js
 ${GEEKLOG_PUB}/fckeditor/editor/_source/internals/fckconfig.js
 ${GEEKLOG_PUB}/fckeditor/editor/_source/internals/fckdebug.js
+${GEEKLOG_PUB}/fckeditor/editor/_source/internals/fckdebug_empty.js
 ${GEEKLOG_PUB}/fckeditor/editor/_source/internals/fckdialog.js
 ${GEEKLOG_PUB}/fckeditor/editor/_source/internals/fckdocumentprocessor.js
 ${GEEKLOG_PUB}/fckeditor/editor/_source/internals/fckdomtools.js
@ -973,35 +974,37 @@ ${GEEKLOG_PUB}/fckeditor/editor/dialog/common/fck_dialog_common.js
 ${GEEKLOG_PUB}/fckeditor/editor/dialog/common/images/locked.gif
 ${GEEKLOG_PUB}/fckeditor/editor/dialog/common/images/reset.gif
 ${GEEKLOG_PUB}/fckeditor/editor/dialog/common/images/unlocked.gif
+${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_about.html
 ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_about/logo_fckeditor.gif
 ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_about/logo_fredck.gif
 ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_about/sponsors/spellchecker_net.gif
-${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_about.html
 ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_anchor.html
 ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_button.html
 ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_checkbox.html
 ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_colorselector.html
-${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_docprops/fck_document_preview.html
+${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_div.html
 ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_docprops.html
+${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_docprops/fck_document_preview.html
+${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_flash.html
 ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_flash/fck_flash.js
 ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_flash/fck_flash_preview.html
-${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_flash.html
 ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_form.html
 ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_hiddenfield.html
+${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_image.html
 ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_image/fck_image.js
 ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_image/fck_image_preview.html
-${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_image.html
-${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_link/fck_link.js
 ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_link.html
+${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_link/fck_link.js
 ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_listprop.html
 ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_paste.html
 ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_radiobutton.html
 ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_replace.html
-${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_select/fck_select.js
 ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_select.html
+${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_select/fck_select.js
 ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_smiley.html
 ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_source.html
 ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_specialchar.html
+${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_spellerpages.html
 ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_spellerpages/spellerpages/blank.html
 ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_spellerpages/spellerpages/controlWindow.js
 ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_spellerpages/spellerpages/controls.html
@ -1012,13 +1015,12 @@ ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_spellerpages/spellerpages/spellChecke
 ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_spellerpages/spellerpages/spellchecker.html
 ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_spellerpages/spellerpages/spellerStyle.css
 ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_spellerpages/spellerpages/wordWindow.js
-${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_spellerpages.html
 ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_table.html
 ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_tablecell.html
+${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_template.html
 ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_template/images/template1.gif
 ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_template/images/template2.gif
 ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_template/images/template3.gif
-${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_template.html
 ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_textarea.html
 ${GEEKLOG_PUB}/fckeditor/editor/dialog/fck_textfield.html
 ${GEEKLOG_PUB}/fckeditor/editor/dtd/fck_dtd_test.html
@ -1161,10 +1163,12 @@ ${GEEKLOG_PUB}/fckeditor/editor/lang/fo.js
 ${GEEKLOG_PUB}/fckeditor/editor/lang/fr-ca.js
 ${GEEKLOG_PUB}/fckeditor/editor/lang/fr.js
 ${GEEKLOG_PUB}/fckeditor/editor/lang/gl.js
+${GEEKLOG_PUB}/fckeditor/editor/lang/gu.js
 ${GEEKLOG_PUB}/fckeditor/editor/lang/he.js
 ${GEEKLOG_PUB}/fckeditor/editor/lang/hi.js
 ${GEEKLOG_PUB}/fckeditor/editor/lang/hr.js
 ${GEEKLOG_PUB}/fckeditor/editor/lang/hu.js
+${GEEKLOG_PUB}/fckeditor/editor/lang/is.js
 ${GEEKLOG_PUB}/fckeditor/editor/lang/it.js
 ${GEEKLOG_PUB}/fckeditor/editor/lang/ja.js
 ${GEEKLOG_PUB}/fckeditor/editor/lang/km.js
@ -1259,6 +1263,9 @@ ${GEEKLOG_PUB}/fckeditor/editor/skins/silver/images/toolbar.end.gif
 ${GEEKLOG_PUB}/fckeditor/editor/skins/silver/images/toolbar.expand.gif
 ${GEEKLOG_PUB}/fckeditor/editor/skins/silver/images/toolbar.separator.gif
 ${GEEKLOG_PUB}/fckeditor/editor/skins/silver/images/toolbar.start.gif
+${GEEKLOG_PUB}/fckeditor/editor/wsc/ciframe.html
+${GEEKLOG_PUB}/fckeditor/editor/wsc/tmpFrameset.html
+${GEEKLOG_PUB}/fckeditor/editor/wsc/w.html
 ${GEEKLOG_PUB}/fckeditor/fckconfig.js
 ${GEEKLOG_PUB}/fckeditor/fckeditor.js
 ${GEEKLOG_PUB}/fckeditor/fckeditor.php
--- a/www/geeklog/distinfo
+++ b/www/geeklog/distinfo
@ -1,7 +1,16 @@
-$NetBSD: distinfo,v 1.9 2009/05/26 14:19:29 taca Exp $
+$NetBSD: distinfo,v 1.10 2009/09/13 01:15:10 taca Exp $

+SHA1 (fckeditor-2.6.4.1-updated.tar.gz) = 60008ea4ee12a9951b7e05cb76922afe5d103fb6
+RMD160 (fckeditor-2.6.4.1-updated.tar.gz) = 75ee469a39508085e5360e6d53168f01d1faa65d
+Size (fckeditor-2.6.4.1-updated.tar.gz) = 832636 bytes
 SHA1 (geeklog-1.5.2sr4.tar.gz) = fa0e1e97a8d3fa7ccdff0835eb0bd0e963d5bc24
 RMD160 (geeklog-1.5.2sr4.tar.gz) = a218749173c0c4e1aba322759f7ee32d20ec166d
 Size (geeklog-1.5.2sr4.tar.gz) = 4499082 bytes
-SHA1 (patch-aa) = 56252ea1af7abe3aec8c99f11788f58de0015948
-SHA1 (patch-aj) = 846d860115d4108454799599ce41ead262efba92
+SHA1 (patch-aa) = 61cc381e4c3def555806ed4589446f466f6f8368
+SHA1 (patch-aj) = a7ff9d20a1313ace5f4ea4c46f5e8b087748e4e3
+SHA1 (patch-ak) = 5d49a7fd449b3905fe7a2177a636be3db7b45e33
+SHA1 (patch-al) = 6ebcfe407ad8b84a41130f6f7c2a26cf5b96f6c1
+SHA1 (patch-ba) = 74850e68510f37e4da762b247e5b68992acd7c18
+SHA1 (patch-bb) = cd6586fd10747231aa92efbdc59944f61d1cb7be
+SHA1 (patch-bc) = fab4ff8b9fa00b40d96bb580055b6773d0774abb
+SHA1 (patch-bd) = d09def0a09c9cbfc846e630acd1208beebfc2224
--- a/www/geeklog/patches/patch-aa
+++ b/www/geeklog/patches/patch-aa
@ -1,4 +1,6 @@
-$NetBSD: patch-aa,v 1.3 2009/05/26 14:19:29 taca Exp $
+$NetBSD: patch-aa,v 1.4 2009/09/13 01:15:11 taca Exp $
+
+* Correct interpreter path.

 --- emailgeeklogstories.orig	2008-12-14 18:57:36.000000000 +0900
 +++ emailgeeklogstories
--- a/www/geeklog/patches/patch-aj
+++ b/www/geeklog/patches/patch-aj
@ -1,8 +1,52 @@
-$NetBSD: patch-aj,v 1.1 2009/05/26 14:19:29 taca Exp $
+$NetBSD: patch-aj,v 1.2 2009/09/13 01:15:11 taca Exp $
+
+* make it geeklog 1.5.2sr5.
+* Add missing charset parameter.
+* Add missing utf8 select button.
+* Send correct charset parameter.

 --- public_html/admin/install/index.php.orig	2009-04-18 16:55:00.000000000 +0900
 +++ public_html/admin/install/index.php
-@@ -1793,16 +1793,8 @@ function INST_setDefaultCharset($sitecon
+@@ -48,7 +48,7 @@ if (!defined("LB")) {
+     define("LB", "\n");
+ }
+ if (!defined('VERSION')) {
+-    define('VERSION', '1.5.2sr4');
+    define('VERSION', '1.5.2sr5');
+ }
+ if (!defined('XHTML')) {
+     define('XHTML', ' /');
+@@ -178,7 +178,8 @@ function get_SPX_Ver()
+  */
+ function INST_checkPost150Upgrade($dbconfig_path, $siteconfig_path)
+ {
+-    global $_CONF, $_TABLES, $_DB, $_DB_dbms, $_DB_host, $_DB_user, $_DB_pass;
+    global $_CONF, $_TABLES, $_DB, $_DB_dbms, $_DB_host, $_DB_user, $_DB_pass,
+        $language;
+ 
+     require $dbconfig_path;
+     require $siteconfig_path;
+@@ -227,6 +228,7 @@ function INST_checkPost150Upgrade($dbcon
+             // this is a 1.5.x version, so upgrade directly
+             $req_string = 'index.php?mode=upgrade&step=3'
+                         . '&dbconfig_path=' . $dbconfig_path
+                        . '&language=' . $language
+                         . '&version=' . $version;
+ 
+             header('Location: ' . $req_string);
+@@ -407,6 +409,11 @@ function INST_installEngine($install_typ
+             if ($install_type == 'install') {
+                 $display .= '
+                     <p><label class="' . $label_dir . '">' . $LANG_INSTALL[92] . ' ' . INST_helpLink('utf8') . '</label> <input type="checkbox" name="utf8"' . ($utf8 ? ' checked="checked"' : '') . XHTML . '></p>';
+            } else {
+                if ($utf8) {
+                    $display .= '
+                    <input type="hidden" name="utf8" value="on"'. XHTML .'>';
+                }
+             }
+ 
+             $display .= '
+@@ -1793,16 +1800,8 @@ function INST_setDefaultCharset($sitecon
 // | Main                                                                      |
 // +---------------------------------------------------------------------------+
 
@ -21,3 +65,10 @@ $NetBSD: patch-aj,v 1.1 2009/05/26 14:19:29 taca Exp $
 
 $html_path          = str_replace('admin/install/index.php', '', str_replace('admin\install\index.php', '', str_replace('\\', '/', __FILE__)));
 $siteconfig_path    = '../../siteconfig.php';
+@@ -2228,5 +2227,6 @@ $display .= '
+ </body>
+ </html>' . LB;
+ 
+header('Content-Type: text/html; charset=' . $LANG_CHARSET);
+ echo $display;
+ ?>
--- a/www/geeklog/patches/patch-ak
+++ b/www/geeklog/patches/patch-ak
@ -0,0 +1,14 @@
+$NetBSD: patch-ak,v 1.1 2009/09/13 01:15:11 taca Exp $
+
+* Send correct charset parameter.
+
+--- public_html/admin/install/configinfo.php.orig	2008-05-11 16:25:08.000000000 +0900
+++ public_html/admin/install/configinfo.php
+@@ -92,6 +92,7 @@ foreach ($_CONF as $option => $value) {
+ }
+ $display .= "</table>\n</body>\n</html>";
+ 
+header('Content-Type: text/html; charset=' . COM_getCharset());
+ echo $display;
+ 
+ ?>
--- a/www/geeklog/patches/patch-al
+++ b/www/geeklog/patches/patch-al
@ -0,0 +1,14 @@
+$NetBSD: patch-al,v 1.1 2009/09/13 01:15:11 taca Exp $
+
+* Send correct charset parameter.
+
+--- public_html/admin/install/help.php.orig	2009-01-23 04:19:55.000000000 +0900
+++ public_html/admin/install/help.php
+@@ -141,6 +141,7 @@ $display .= '<head>
+ </body>
+ </html>' . LB;
+ 
+header('Content-Type: text/html; charset=' . $LANG_CHARSET);
+ echo $display;
+ 
+ ?>
--- a/www/geeklog/patches/patch-ba
+++ b/www/geeklog/patches/patch-ba
@ -0,0 +1,26 @@
+$NetBSD: patch-ba,v 1.1 2009/09/13 01:15:11 taca Exp $
+
+* Documentation update for Geeklog 1.5.2sr5 which isn't contained in
+  geeklog-1.5.2sr4-upgrade.tar.gz.
+
+--- public_html/docs/changes.html.orig	2009-04-18 16:56:05.000000000 +0900
+++ public_html/docs/changes.html
+@@ -16,6 +16,18 @@ and / or obvious changes. For a detailed
+ <a href="history">ChangeLog</a>. The file <tt>docs/changed-files</tt> has a list
+ of files that have been changed since the last release.</p>
+ 
+<h2><a name="changes152sr5">Geeklog 1.5.2sr5</a></h2>
+
+<p>This release addresses the following security issues:</p>
+<ol>
+<li>Gerendi Sandor Attila reported an XSS in the forms to email a user and to
+    email a story to a friend.</li>
+<li>The "Mail Story to a Friend" function didn't check story permissions, so
+    that it was possible to email a story even if you didn't have the
+    permissions to view it on the site.</li>
+</ol>
+
+
+ <h2><a name="changes152sr4">Geeklog 1.5.2sr4</a></h2>
+ 
+ <p>Bookoo of the Nine Situations Group posted another SQL injection exploit, targetting an old bug in usersettings.php. As with the previous issues, this allowed an attacker to extract the password hash for any account and is fixed with this release.</p>
--- a/www/geeklog/patches/patch-bb
+++ b/www/geeklog/patches/patch-bb
@ -0,0 +1,24 @@
+$NetBSD: patch-bb,v 1.1 2009/09/13 01:15:11 taca Exp $
+
+* Documentation update for Geeklog 1.5.2sr5 which isn't contained in
+  geeklog-1.5.2sr4-upgrade.tar.gz.
+
+--- public_html/docs/history.orig	2009-04-18 16:47:32.000000000 +0900
+++ public_html/docs/history
+@@ -1,5 +1,16 @@
+ Geeklog History/Changes:
+ 
+Jul 30, 2009 (1.5.2sr5)
+------------
+
+This release addresses the following security issues:
+- Gerendi Sandor Attila reported an XSS in the forms to email a user and to
+  email a story to a friend.
+- The "Mail Story to a Friend" function didn't check story permissions, so that
+  it was possible to email a story even if you didn't have the permissions to
+  view it on the site.
+
+
+ Apr 18, 2009 (1.5.2sr4)
+ ------------
+ 
--- a/www/geeklog/patches/patch-bc
+++ b/www/geeklog/patches/patch-bc
@ -0,0 +1,54 @@
+$NetBSD: patch-bc,v 1.1 2009/09/13 01:15:11 taca Exp $
+
+* An update to Geeklog 1.5.2sr5.
+
+--- public_html/profiles.php.orig	2009-01-19 02:27:58.000000000 +0900
+++ public_html/profiles.php
+@@ -231,7 +231,7 @@ function contactform ($uid, $subject = '
+             $mail_template->set_var ('lang_subject', $LANG08[13]);
+             $mail_template->set_var ('subject', $subject);
+             $mail_template->set_var ('lang_message', $LANG08[14]);
+-            $mail_template->set_var ('message', $message);
+            $mail_template->set_var ('message', htmlspecialchars($message));
+             $mail_template->set_var ('lang_nohtml', $LANG08[15]);
+             $mail_template->set_var ('lang_submit', $LANG08[16]);
+             $mail_template->set_var ('uid', $uid);
+@@ -300,9 +300,13 @@ function mailstory($sid, $to, $toemail, 
+         return $retval;
+     }
+ 
+-    $sql = "SELECT uid,title,introtext,bodytext,commentcode,UNIX_TIMESTAMP(date) AS day FROM {$_TABLES['stories']} WHERE sid = '$sid'";
+-    $result = DB_query ($sql);
+-    $A = DB_fetchArray ($result);
+    $sql = "SELECT uid,title,introtext,bodytext,commentcode,UNIX_TIMESTAMP(date) AS day FROM {$_TABLES['stories']} WHERE sid = '$sid'" . COM_getTopicSql('AND') . COM_getPermSql('AND');
+    $result = DB_query($sql);
+    if (DB_numRows($result) == 0) {
+        return COM_refresh($_CONF['site_url'] . '/index.php');
+    }
+    $A = DB_fetchArray($result);
+
+     $shortmsg = COM_stripslashes ($shortmsg);
+     $mailtext = sprintf ($LANG08[23], $from, $fromemail) . LB;
+     if (strlen ($shortmsg) > 0) {
+@@ -392,6 +396,12 @@ function mailstoryform ($sid, $to = '', 
+         return $retval;
+     }
+ 
+    $result = DB_query("SELECT COUNT(*) AS count FROM {$_TABLES['stories']} WHERE sid = '$sid'" . COM_getTopicSql('AND') . COM_getPermSql('AND'));
+    $A = DB_fetchArray($result);
+    if ($A['count'] == 0) {
+        return COM_refresh($_CONF['site_url'] . '/index.php');
+    }
+
+     if ($msg > 0) {
+         $retval .= COM_showMessage ($msg);
+     }
+@@ -421,7 +431,7 @@ function mailstoryform ($sid, $to = '', 
+     $mail_template->set_var('lang_toemailaddress', $LANG08[19]);
+     $mail_template->set_var('toemail', $toemail);
+     $mail_template->set_var('lang_shortmessage', $LANG08[27]);
+-    $mail_template->set_var('shortmsg', $shortmsg);
+    $mail_template->set_var('shortmsg', htmlspecialchars($shortmsg));
+     $mail_template->set_var('lang_warning', $LANG08[22]);
+     $mail_template->set_var('lang_sendmessage', $LANG08[16]);
+     $mail_template->set_var('story_id',$sid);
--- a/www/geeklog/patches/patch-bd
+++ b/www/geeklog/patches/patch-bd
@ -0,0 +1,17 @@
+$NetBSD: patch-bd,v 1.1 2009/09/13 01:15:11 taca Exp $
+
+* An update of Geeklog 1.5.2sr5 which isn't contained in
+  geeklog-1.5.2sr4-upgrade.tar.gz.  This is configuration file and
+  it will be updated during upgrade from 1.5.2sr4.
+
+--- public_html/siteconfig.php.orig	2009-04-18 16:54:50.000000000 +0900
+++ public_html/siteconfig.php
+@@ -38,7 +38,7 @@ if (!defined('LB')) {
+   define('LB',"\n");
+ }
+ if (!defined('VERSION')) {
+-  define('VERSION', '1.5.2sr4');
+  define('VERSION', '1.5.2sr5');
+ }
+ 
+ ?>