#! /bin/sh /usr/share/dpatch/dpatch-run
## 012CVE-2008-4769.dpatch by Giuseppe Iuculano <giuseppe@iuculano.it>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Sanitize "cat" query var and cast to int before looking for a category template (CVE-2008-4769)
@DPATCH@
diff -urNad wordpress~/wp-includes/classes.php wordpress/wp-includes/classes.php
--- wordpress~/wp-includes/classes.php 2009-08-24 14:58:11.000000000 +0200
+++ wordpress/wp-includes/classes.php 2009-08-24 14:58:29.000000000 +0200
@@ -91,6 +91,7 @@
$qv['m'] = (int) $qv['m'];
$qv['p'] = (int) $qv['p'];
+ $qv['cat'] = preg_replace( '|[^0-9,-]|', '', $qv['cat'] ); // comma separated list of positive or negative integers
// Compat. Map subpost to attachment.
if ( '' != $qv['subpost'] )
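Review bot: `preg_replace()` on the added line accepts an array subject and then returns an array, so a request carrying `cat[]=...` leaves `$qv['cat']` as an array rather than the comma-separated string the trailing comment promises, and later consumers that concatenate or `intval()` it see `Array`/`1` instead of a rejected value. Casting first, `$qv['cat'] = preg_replace( '|[^0-9,-]|', '', (string) $qv['cat'] );` (or resetting it to `''` when `is_array()`), keeps the invariant the comment states. The character class also admits a stray `-` anywhere (`1-2`, `--3`), which is harmless for the file-name use this CVE fix targets but is not quite the "list of positive or negative integers" described; a stricter pattern is optional. The enclosing method begins and ends outside this hunk, so I could not confirm that `$qv['cat']` is always initialised before this line.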
diff -urNad wordpress~/wp-includes/functions.php wordpress/wp-includes/functions.php
--- wordpress~/wp-includes/functions.php 2009-08-24 14:58:29.000000000 +0200
+++ wordpress/wp-includes/functions.php 2009-08-24 14:59:23.000000000 +0200
@@ -2003,10 +2003,14 @@
return get_query_template('author');
}
+function absint( $maybeint ) {
+ return abs( intval( $maybeint ) );
+}
+
function get_category_template() {
$template = '';
- if ( file_exists(TEMPLATEPATH . "/category-" . get_query_var('cat') . '.php') )
- $template = TEMPLATEPATH . "/category-" . get_query_var('cat') . '.php';
+ if ( file_exists(TEMPLATEPATH . "/category-" . absint( get_query_var('cat') ) . '.php') )
+ $template = TEMPLATEPATH . "/category-" . absint( get_query_var('cat') ) . '.php';
else if ( file_exists(TEMPLATEPATH . "/category.php") )
$template = TEMPLATEPATH . "/category.php";
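Review bot: `absint()` is added here as an unconditional top-level definition; if the tree (an earlier core include, or the target release itself) already defines it, PHP aborts with a cannot-redeclare fatal, so a `function_exists` guard is the safer form for a distro patch. Separately, `absint( get_query_var('cat') )` is evaluated twice in the new `if`; hoisting it into a local removes the duplicate call and makes it obvious that only a non-negative integer ever reaches the path. Note that `intval()` of a comma list such as `1,2` yields `1`, so a multi-category query silently resolves to the first id's template — acceptable as a fallback, but worth a one-line comment. get_category_template's closing lines (its return) lie outside the hunk.
```php
if ( ! function_exists( 'absint' ) ) {
	function absint( $maybeint ) {
		return abs( intval( $maybeint ) );
	}
}

function get_category_template() {
	$template = '';
	// sanitised once; a comma list such as "1,2" resolves to its first id
	$cat = absint( get_query_var( 'cat' ) );
	if ( file_exists( TEMPLATEPATH . "/category-" . $cat . '.php' ) )
		$template = TEMPLATEPATH . "/category-" . $cat . '.php';
	// … unchanged: category.php fallback …
```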