#! /bin/sh /usr/share/dpatch/dpatch-run
## CVE-2009-4427.dpatch by Giuseppe Iuculano <iuculano@debian.org>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: CVE-2009-4427: Local file inclusion vulnerability #561975
@DPATCH@
diff -urNad phpldapadmin~/htdocs/cmd.php phpldapadmin/htdocs/cmd.php
--- phpldapadmin~/htdocs/cmd.php 2008-01-10 13:28:34.000000000 +0100
+++ phpldapadmin/htdocs/cmd.php 2010-01-06 17:39:59.000000000 +0100
@@ -35,6 +35,14 @@
# Create page.
$www['page'] = new page($ldapserver->server_id);
+# See if we can render the command
+if (trim($www['cmd'])) {
+ # If this command has been disabled by the config.
+ if (!preg_match('/^([A-Za-z0-9-_]+)$/',$www['cmd']))
+ system_message(array('title'=>_('Command disabled by the server configuration'),
+ _('Error'),'body'=>sprintf('%s: <b>%s</b>.',_('The command could not be run'),$www['cmd']),'type'=>'error'),'index.php');
+}
+
if ($file)
include $file;
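Review bot: The rejected command is echoed back unescaped into HTML in the new system_message() call, in `sprintf('%s: <b>%s</b>.',_('The command could not be run'),$www['cmd'])`, and a value that reaches this branch has by definition failed the `[A-Za-z0-9-_]` whitelist, so it can carry `<`, `>` or quotes; unless system_message() escapes its body itself (it is not visible here), pass `htmlspecialchars($www['cmd'], ENT_QUOTES, 'UTF-8')` instead of the raw value. The anchor in `/^([A-Za-z0-9-_]+)$/` is also looser than it looks, because PCRE's `$` matches before a final newline and the untrimmed value is what gets matched, so `"index\n"` passes; `'/^[A-Za-z0-9_-]+$/D'` (or `\z` in place of `$`) makes the whole string match. The `if ($file) include $file;` on the last two lines still runs if system_message() returns rather than terminating the request, so either confirm that helper exits or gate the include on the match result, e.g. `if ($file && $cmdIsValid)`. The code that presumably derives `$file` from `$www['cmd']`, and system_message() itself, lie outside this hunk, and two context lines counted in the hunk header are not shown.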