mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 04:17:25 +00:00
phoronix-test-suite: Fix CVE-2022-40704
Add fix created after latest release (10.8.4). Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
@@ -0,0 +1,46 @@
|
|||||||
|
From d3880d9d3ba795138444da83f1153c3c3ac27640 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Michael Larabel <michael@phoronix.com>
|
||||||
|
Date: Sat, 23 Jul 2022 07:32:43 -0500
|
||||||
|
Subject: [PATCH] phoromatic: Explicitly check both $_GET abd $_POST in
|
||||||
|
phoromatic_quit_if_invalid_input_found()
|
||||||
|
|
||||||
|
Fixes: https://github.com/phoronix-test-suite/phoronix-test-suite/issues/650#issuecomment-1193116678
|
||||||
|
|
||||||
|
Upstream-Status: Backport
|
||||||
|
CVE: CVE-2022-40704
|
||||||
|
|
||||||
|
Reference to upstream patch:
|
||||||
|
https://github.com/phoronix-test-suite/phoronix-test-suite/commit/d3880d9d3ba795138444da83f1153c3c3ac27640
|
||||||
|
|
||||||
|
Signed-off-by: Li Wang <li.wang@windriver.com>
|
||||||
|
---
|
||||||
|
pts-core/phoromatic/phoromatic_functions.php | 15 +++++++++++++--
|
||||||
|
1 file changed, 13 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/pts-core/phoromatic/phoromatic_functions.php b/pts-core/phoromatic/phoromatic_functions.php
|
||||||
|
index 74ccc5444c..c2313dcdea 100644
|
||||||
|
--- a/pts-core/phoromatic/phoromatic_functions.php
|
||||||
|
+++ b/pts-core/phoromatic/phoromatic_functions.php
|
||||||
|
@@ -37,9 +37,20 @@ function phoromatic_quit_if_invalid_input_found($input_keys = null)
|
||||||
|
{
|
||||||
|
foreach($input_keys as $key)
|
||||||
|
{
|
||||||
|
- if(isset($_REQUEST[$key]) && !empty($_REQUEST[$key]))
|
||||||
|
+ if(isset($_GET[$key]) && !empty($_GET[$key]))
|
||||||
|
{
|
||||||
|
- foreach(pts_arrays::to_array($_REQUEST[$key]) as $val_to_check)
|
||||||
|
+ foreach(pts_arrays::to_array($_GET[$key]) as $val_to_check)
|
||||||
|
+ {
|
||||||
|
+ if(stripos($val_to_check, $invalid_string) !== false)
|
||||||
|
+ {
|
||||||
|
+ echo '<strong>Exited due to invalid input ( ' . $invalid_string . ') attempted:</strong> ' . htmlspecialchars($val_to_check);
|
||||||
|
+ exit;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ if(isset($_POST[$key]) && !empty($_POST[$key]))
|
||||||
|
+ {
|
||||||
|
+ foreach(pts_arrays::to_array($_POST[$key]) as $val_to_check)
|
||||||
|
{
|
||||||
|
if(stripos($val_to_check, $invalid_string) !== false)
|
||||||
|
{
|
||||||
@@ -5,7 +5,11 @@ LICENSE = "GPL-3.0-only"
|
|||||||
LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
|
LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
|
||||||
SECTION = "console/tests"
|
SECTION = "console/tests"
|
||||||
|
|
||||||
SRC_URI = "http://www.phoronix-test-suite.com/releases/${BP}.tar.gz"
|
SRC_URI = "http://www.phoronix-test-suite.com/releases/${BP}.tar.gz \
|
||||||
|
file://CVE-2022-40704.patch \
|
||||||
|
"
|
||||||
|
|
||||||
|
|
||||||
SRC_URI[md5sum] = "459c3c45b39bb3d720ddc8ba5f944332"
|
SRC_URI[md5sum] = "459c3c45b39bb3d720ddc8ba5f944332"
|
||||||
SRC_URI[sha256sum] = "86681343d20415831ab16ef6c3d1c317e2345e771925e0698ae920a03a9eaab6"
|
SRC_URI[sha256sum] = "86681343d20415831ab16ef6c3d1c317e2345e771925e0698ae920a03a9eaab6"
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user