From: Darren S. <ds...@us...> - 2008-02-16 18:06:52
Update of /cvsroot/xine/xine_www/modules In directory sc8-pr-cvs10.sourceforge.net:/tmp/cvs-serv15966/modules Modified Files: security.php Log Message: Security page fixes: add version info, group by package. Also add some old CVEs. Dispose of the old README since the script no longer accesses it. Index: security.php =================================================================== RCS file: /cvsroot/xine/xine_www/modules/security.php,v retrieving revision 1.3 retrieving revision 1.4 diff -u -r1.3 -r1.4 --- security.php 23 Jan 2008 19:13:19 -0000 1.3 +++ security.php 16 Feb 2008 18:06:30 -0000 1.4 @@ -17,19 +17,26 @@ // Create an array of matching files $lines = file ($base_dir.'/documentation/security/list'); -$entities = array (); -$descs = array (); +$bugs = array (); +$ids = array (); +$which = ''; foreach ($lines as $line) { - $item = preg_split ('/:[[:space:]]+/', $line, 2); - if ($item[1] !== null) + $item = preg_split ('/\t+/', trim ($line), 4); + if (count ($item) == 0 || substr ($item[0], 0, 1) == '#') + continue; + if (count ($item) == 1) + $which = $item[0]; + else if (count ($item) == 4) { - $entities[] = $item[0]; - $descs[$item[0]] = $item[1]; + $bugs[] = array ('pkg' => $which, 'id' => $item[0], + 'safe' => $item[1], 'fixed' => $item[2], + 'desc' => $item[3]); + $ids[] = $item[0]; } } -if (substr ($file, 0, 3) == 'CVE' && array_search ($file, $entities) != FALSE) +if (substr ($file, 0, 3) == 'CVE' && array_search ($file, $ids) != FALSE) { header ('Location: http://cve.mitre.org/cgi-bin/cvename.cgi?name='.$file); exit; 
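Review bot: The redirect guard `array_search ($file, $ids) != FALSE` fails for the first id in the list, because array_search returns key 0 for it and the loose comparison treats 0 as FALSE; that request skips the CVE redirect and falls through to the branches that follow outside this hunk. A strict membership test avoids this: `if (substr ($file, 0, 3) == 'CVE' && in_array ($file, $ids, TRUE))`. Separately, `count ($item) == 0` can never be true, since preg_split returns at least one element, so a blank line in the list file has count 1 and resets `$which` to an empty string. Testing `$item[0] === ''` next to the `#` check would skip blank lines as intended.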
@@ -51,13 +58,23 @@ if ($file == 'README') $hbar .= "'<option value='' selected='selected'>Select...</option>\n"; -foreach ($entities as $cur) { - $selected = ($file == $cur) ? 'selected="selected"' : ''; - $hbar .= "<option value=\"".htmlspecialchars ($cur); - $hbar .= "\" $selected>".htmlentities ($cur, ENT_COMPAT, 'utf-8')."</option>\n"; +function entities ($str) +{ + return htmlentities ($str, ENT_COMPAT, 'utf-8'); } -$hbar .= '</select>' +$which = FALSE; +foreach ($bugs as $cur) { + if ($which != $cur['pkg']) + { + $hbar .= ($which != FALSE ? "</optgroup>\n" : '').'<optgroup label="'.htmlspecialchars ($cur['pkg'])."\">\n"; + $which = $cur['pkg']; + } + $selected = ($file == $cur['id']) ? 'selected="selected"' : ''; + $hbar .= "<option value=\"".htmlspecialchars ($cur['id']); + $hbar .= "\" $selected>".entities ($cur['id'])."</option>\n"; +} +$hbar .= '</optgroup></select>' . '</form>' . "</td>\n" . '</tr>' 
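Review bot: The `</optgroup>` in front of `</select>` is appended unconditionally, so the markup is unbalanced when `$bugs` is empty or when entries precede any package heading (their `pkg` is `''`, and `FALSE != ''` is false, so no group is ever opened). The loose comparisons have the same weakness for a package literally named `0`. Compare strictly with `if ($which !== $cur['pkg'])` and `($which !== FALSE ? "</optgroup>\n" : '')`, and close with `$hbar .= ($which !== FALSE ? '</optgroup>' : '').'</select>'`. The concatenated statement that builds the form continues past the end of the hunk.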
@@ -97,18 +114,36 @@ <p>Currently, we have:</p> -<dl> +<ul> '; - foreach ($entities as $cur) + $which = FALSE; + foreach ($bugs as $cur) { + if ($which != $cur['pkg']) + { + $content .= ($which != FALSE ? '</dl></li>' : '').'<li><strong>'.entities ($cur['pkg'])."\n</strong><dl>"; + $which = $cur['pkg']; + } $content .= '<dt><a href="'; - if (ereg ('^CVE', $cur)) - $content .= 'http://cve.mitre.org/cgi-bin/cvename.cgi?name='.htmlspecialchars ($cur); + if (ereg ('^CVE', $cur['id'])) + $content .= 'http://cve.mitre.org/cgi-bin/cvename.cgi?name='.htmlspecialchars ($cur['id']); else - $content .= htmlspecialchars (selflink().'/'.$cur); - $content .= '">'.htmlspecialchars ($cur).'</a></dt><dd>'.htmlspecialchars ($descs[$cur])."</dd>\n"; + $content .= htmlspecialchars (selflink().'/'.$cur['id']); + $content .= '">'.entities ($cur['id']).'</a>: '.entities ($cur['desc']).'</dt><dd>'; + $content .= '<em>Fixed in:</em> '.entities ($cur['fixed']); + switch (substr ($cur['safe'], 0, 1)) + { + case '=': + $content .= '; <em>not affected:</em> '.entities (substr ($cur['safe'], 1)); + case '?': + break; + default: + $content .= '; <em>not affected:</em> '.entities ($cur['safe'].' and older'); + break; + } + $content .= "</dd>\n"; } - $content .= "</ul>\n"; + $content .= "</dl></ul>\n"; } elseif (!strpos ('..', $file)) { @@ -120,7 +155,7 @@ $result = Array (); $charset = 'utf-8'; - $data = htmlentities($data, ENT_COMPAT, 'utf-8'); + $data = entities($data); // make http and ftp URIs clickable: $data = eregi_replace('((http|ftp)://[._a-z0-9&;/?=-]+)([^._a-z0-9&;/?=-])', '<a href="\\1">\\1</a>\\3', $data); |
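Review bot: The traversal guard on the unchanged line `elseif (!strpos ('..', $file))` has its arguments reversed: strpos takes the haystack first, so this searches for `$file` inside the two-character string `..` and does not reject names that contain `..`. The intended check is `elseif (strpos ($file, '..') === FALSE)`, strict so that a match at offset 0 is also refused; the body of that branch lies outside the hunk, so how it uses `$file` should be confirmed there. In the added switch, `case '=':` falls through into `case '?':` deliberately and deserves a `// fall through` comment. The final `"</dl></ul>\n"` omits the `</li>` that each package group opens and is emitted even when `$bugs` is empty.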