Description: Unsafe use of Storable::thaw
CVE-2013-2184: The hex-encoded 'comment_state' request parameter is
decoded and passed straight to MT::Serialize->unserialize() with no
integrity check, so when the configured serializer is Storable the
attacker-controlled bytes reach Storable::thaw(). Thawing untrusted data
lets remote attackers load and execute arbitrary local Perl files and
possibly execute arbitrary code. The fix removes the comment_state
round-trip entirely: do_preview no longer emits the serialized state and
post no longer reads it back into the request parameters.
Origin: upstream
Bug-Debian: https://bugs.debian.org/712602
Author: Salvatore Bonaccorso <carnil@debian.org>
Last-Update: 2015-03-05
Applied-Upstream: 5.2.6
--- a/lib/MT/App/Comments.pm
+++ b/lib/MT/App/Comments.pm
@@ -915,15 +915,6 @@ sub post {
"403 Throttled" );
my $cfg = $app->config;
- if ( my $state = $q->param('comment_state') ) {
- require MT::Serialize;
- my $ser = MT::Serialize->new( $cfg->Serializer );
- $state = $ser->unserialize( pack 'H*', $state );
- $state = $$state;
- for my $f ( keys %$state ) {
- $q->param( $f, $state->{$f} );
- }
- }
unless ( $cfg->AllowComments && $entry->allow_comments eq '1' ) {
return $app->handle_error(
$app->translate("Comments are not allowed on this entry.") );
@@ -1841,16 +1832,6 @@ sub do_preview {
$comment->commenter_id( $commenter->id ) if $commenter;
$ctx->stash( 'comment', $comment );
-
- unless ($err) {
- ## Serialize comment state, then hex-encode it.
- require MT::Serialize;
- my $ser = MT::Serialize->new( $cfg->Serializer );
- my $state = $comment->get_values;
- $state->{static} = $q->param('static');
- $ctx->stash( 'comment_state', unpack 'H*',
- $ser->serialize( \$state ) );
- }
$ctx->stash( 'comment_is_static', $q->param('static') );
$ctx->stash( 'entry', $entry );
$ctx->{current_timestamp} = $ts;