From c0011352162c9ebed6faea4c0f4bdf035d3feb92 Mon Sep 17 00:00:00 2001
From: Remi Collet
Date: Mon, 22 Dec 2014 09:23:02 +0100
Subject: glpi: fix SQL Injection CVE-2014-9258
---
glpi-0.84-CVE-2014-9258.patch | 62 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 62 insertions(+)
create mode 100644 glpi-0.84-CVE-2014-9258.patch
(limited to 'glpi-0.84-CVE-2014-9258.patch')
diff --git a/glpi-0.84-CVE-2014-9258.patch b/glpi-0.84-CVE-2014-9258.patch
new file mode 100644
index 0000000..97f1966
--- /dev/null
+++ b/glpi-0.84-CVE-2014-9258.patch
@@ -0,0 +1,62 @@
+Index: branches/0.84-bugfixes/inc/dropdown.class.php
+===================================================================
+--- branches/0.84-bugfixes/inc/dropdown.class.php (révision 23260)
++++ branches/0.84-bugfixes/inc/dropdown.class.php (révision 23261)
+@@ -177,6 +177,11 @@
+ }
+ }
+
++ // Manage condition
++ if (!empty($params['condition'])) {
++ $params['condition'] = static::addNewCondition($params['condition']);
++ }
++
+ $param = array('searchText' => '__VALUE__',
+ 'value' => $params['value'],
+ 'itemtype' => $itemtype,
+@@ -259,6 +264,11 @@
+ }
+ }
+
++ static function addNewCondition($condition) {
++ $sha1=sha1($condition);
++ $_SESSION['glpicondition'][$sha1] = $condition;
++ return $sha1;
++ }
+
+ /**
+ * Get the value of a dropdown
+@@ -1095,7 +1105,7 @@
+ 'entity_restrict' => $entity_restrict);
+
+ if ($onlyglobal) {
+- $params['condition'] = "`is_global` = '1'";
++ $params['condition'] = static::addNewCondition("`is_global` = '1'");
+ }
+ Ajax::updateItemOnSelectEvent("itemtype$rand", "show_$myname$rand",
+ $CFG_GLPI["root_doc"]."/ajax/dropdownAllItems.php", $params);
+Index: branches/0.84-bugfixes/ajax/dropdownValue.php
+===================================================================
+--- branches/0.84-bugfixes/ajax/dropdownValue.php (révision 23260)
++++ branches/0.84-bugfixes/ajax/dropdownValue.php (révision 23261)
+@@ -72,13 +72,17 @@
+ $_POST['permit_select_parent'] = false;
+ }
+
+-// No define rand
+-if (!isset($_POST['rand'])) {
++ // No define rand
++ if (!isset($_POST['rand'])) {
+ $_POST['rand'] = mt_rand();
+ }
+
+ if (isset($_POST['condition']) && !empty($_POST['condition'])) {
+- $_POST['condition'] = rawurldecode(stripslashes($_POST['condition']));
++ if (isset($_SESSION['glpicondition'][$_POST['condition']])) {
++ $_POST['condition'] = $_SESSION['glpicondition'][$_POST['condition']];
++ } else {
++ $_POST['condition'] = '';
++ }
+ }
+
+ if (!isset($_POST['emptylabel']) || ($_POST['emptylabel'] == '')) {
-- cgit
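Review bot: The inner hunk at `@@ -1095,7 +1105,7 @@` now hands a session token to `ajax/dropdownAllItems.php`, yet the only consumer this patch teaches to resolve tokens is `ajax/dropdownValue.php`. Any other endpoint that reads a posted `condition` needs the same `$_SESSION['glpicondition']` lookup with the empty-string fallback; whether they have it cannot be confirmed from the lines shown. In `dropdownValue.php` the lookup indexes the session array with `$_POST['condition']` unchecked, so I would put `is_string($_POST['condition']) &&` ahead of the inner `isset(...)`; an array-valued parameter would otherwise raise an illegal-offset warning or error, depending on the PHP version. `addNewCondition()` also lacks a docblock: it should say that the argument is a server-built SQL fragment stored per session under its SHA-1, and that request data must never be passed to it. The enclosing functions in both files start and end outside the hunks.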