Debian Bug report logs - #655832
slbackup-php: Fail to remember when I log into the web interface


Package: slbackup-php; Maintainer for slbackup-php is Debian Edu Packaging Team <debian-edu-pkg-team@lists.alioth.debian.org>; Source for slbackup-php is src:slbackup-php.

Reported by: Petter Reinholdtsen <pere@hungry.com>

Date: Sat, 14 Jan 2012 08:39:01 UTC

Severity: important

Tags: patch

Found in version slbackup-php/0.3-2.2

Fixed in versions slbackup-php/0.3-3, slbackup-php/0.3-2.2+squeeze1

Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Patrick Winnertz <winnie@debian.org>:
Bug#655832; Package slbackup-php. (Sat, 14 Jan 2012 08:39:04 GMT)

Acknowledgement sent to Petter Reinholdtsen <pere@hungry.com>:
New Bug report received and forwarded. Copy sent to Patrick Winnertz <winnie@debian.org>. (Sat, 14 Jan 2012 08:39:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Petter Reinholdtsen <pere@hungry.com>
To: submit@bugs.debian.org
Subject: slbackup-php: Fail to remember when I log into the web interface
Date: Sat, 14 Jan 2012 09:36:07 +0100
Package: slbackup-php
Version: 0.3-2.2
Severity: important
User: debian-edu@lists.debian.org
Usertags: debian-edu

We discovered this issue while working on the Squeeze based version of
Debian Edu.  When logging into the web interface, the login is not
remembered by the service, and one needs to provide a password for
every click in the user interface.

These messages show up in apache/error.log:

  PHP Notice: Undefined offset: 1 in
  /usr/share/slbackup-php/web/index.php on line 544.

  PHP Notice: Undefined index: Authenticated in
  /usr/share/slbackup-php/web/index.php on line 573.

Perhaps something changed in PHP to cause this problem?
-- 
Happy hacking
Petter Reinholdtsen




Information forwarded to debian-bugs-dist@lists.debian.org, Patrick Winnertz <winnie@debian.org>:
Bug#655832; Package slbackup-php. (Sun, 15 Jan 2012 02:21:03 GMT)

Acknowledgement sent to Petter Reinholdtsen <pere@hungry.com>:
Extra info received and forwarded to list. Copy sent to Patrick Winnertz <winnie@debian.org>. (Sun, 15 Jan 2012 02:21:03 GMT)

Message #10 received at 655832@bugs.debian.org:

From: Petter Reinholdtsen <pere@hungry.com>
To: 655832@bugs.debian.org
Subject: Re: Bug#655832: Acknowledgement (slbackup-php: Fail to remember when I log into the web interface)
Date: Sun, 15 Jan 2012 03:17:23 +0100

I notice similar code was in lwat version 0.9, but is no longer
present in the latest version of lwat.  I found
<URL: http://lwat.org/svn/tags/v0_9/lib/index.php > searching the net,
and <URL: http://lwat.org/svn/trunk/lib/index.php > is the latest
version.  Perhaps a similar rewrite should be done here?
-- 
Happy hacking
Petter Reinholdtsen




Information forwarded to debian-bugs-dist@lists.debian.org, Patrick Winnertz <winnie@debian.org>:
Bug#655832; Package slbackup-php. (Sun, 15 Jan 2012 11:45:03 GMT)

Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to Patrick Winnertz <winnie@debian.org>. (Sun, 15 Jan 2012 11:45:05 GMT)

Message #15 received at 655832@bugs.debian.org:

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: Petter Reinholdtsen <pere@hungry.com>, 655832@bugs.debian.org
Cc: debian-edu@lists.debian.org, control@bugs.debian.org
Subject: Re: Anyone with PHP skills around capable of patching #X in slbackup-php?
Date: Sun, 15 Jan 2012 12:42:35 +0100
tags #655832 + patch
thanks

On So 15 Jan 2012 10:46:09 CET Petter Reinholdtsen wrote:

> [Petter Reinholdtsen]
>> There is a slbackup-php bug (BTS report submitted, no # yet) that is
>> one of the few fatal problems with our Debian Edu/Squeeze version soon
>> to be finished.  Anyone with PHP skills around capable of providing
>> a patch to fix the problem?
>
> The bug number is #655832.  Please, if you know PHP, have a look and
> fix a patch.  The next stable update is next weekend, and we really
> should have a fix in place before this.
>
> When I had a look at the cookies set by slbackup-php, I was surprised
> to find two cookies with paths in them, one pointing to the script and
> another to a template.  Is this a security issue, where the user can
> fool the script to show files the user should not have access to?
> --
> Happy hacking
> Petter Reinholdtsen

A patch has been attached to this mail that fixes the reported problem...

Mike


-- 

DAS-NETZWERKTEAM
mike gabriel, dorfstr. 27, 24245 barmissen
fon: +49 (4302) 281418, fax: +49 (4302) 281419

GnuPG Key ID 0xB588399B
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
[slbackup-php_cookie+request-merge.patch (text/x-patch, attachment)]

Added tag(s) patch. Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to control@bugs.debian.org. (Sun, 15 Jan 2012 11:45:10 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Patrick Winnertz <winnie@debian.org>:
Bug#655832; Package slbackup-php. (Sun, 15 Jan 2012 16:15:11 GMT)

Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to Patrick Winnertz <winnie@debian.org>. (Sun, 15 Jan 2012 16:15:11 GMT)

Message #22 received at 655832@bugs.debian.org:

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Cc: Petter Reinholdtsen <pere@hungry.com>, 655832@bugs.debian.org, debian-edu@lists.debian.org, control@bugs.debian.org
Subject: Patch Update, NMU preparation
Date: Sun, 15 Jan 2012 17:12:40 +0100
Hi again,

On So 15 Jan 2012 12:42:35 CET Mike Gabriel wrote:

> tags #655832 + patch
> thanks
>

Currently, an NMU is prepared for slbackup-php. Proposed patches for
upstream code are attached to this mail.

Mike

[001_slbackup-php_cookie+request-merge.patch (text/x-patch, attachment)]
[002_slbackup-php_restore-paths-with-blanks.patch (text/x-patch, attachment)]
[101_slbackup-php_i18n-de.patch (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Patrick Winnertz <winnie@debian.org>:
Bug#655832; Package slbackup-php. (Sun, 15 Jan 2012 21:24:18 GMT)

Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to Patrick Winnertz <winnie@debian.org>. (Sun, 15 Jan 2012 21:24:32 GMT)

Message #27 received at 655832@bugs.debian.org:

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Cc: Petter Reinholdtsen <pere@hungry.com>, 655832@bugs.debian.org
Subject: Re: Patch Update, NMU preparation
Date: Sun, 15 Jan 2012 22:11:41 +0100
Updating patches again...

Another patch was added that properly fixes the locale detection code  
in slbackup-php...

Mike

[001_slbackup-php_cookie+request-merge.patch (text/x-patch, attachment)]
[002_slbackup-php_restore-paths-with-blanks.patch (text/x-patch, attachment)]
[100_slbackup-php_fix-language-detection.patch (text/x-patch, attachment)]
[101_slbackup-php_i18n-de.patch (text/x-patch, attachment)]

Reply sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
You have taken responsibility. (Thu, 19 Jan 2012 17:22:01 GMT)

Notification sent to Petter Reinholdtsen <pere@hungry.com>:
Bug acknowledged by developer. (Thu, 19 Jan 2012 17:22:01 GMT)

Message #32 received at 655832-close@bugs.debian.org:

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: 655832-close@bugs.debian.org
Subject: Bug#655832: fixed in slbackup-php 0.3-3
Date: Thu, 19 Jan 2012 17:19:53 +0000
Source: slbackup-php
Source-Version: 0.3-3

We believe that the bug you reported is fixed in the latest version of
slbackup-php, which is due to be installed in the Debian FTP archive:

slbackup-php_0.3-3.diff.gz
  to main/s/slbackup-php/slbackup-php_0.3-3.diff.gz
slbackup-php_0.3-3.dsc
  to main/s/slbackup-php/slbackup-php_0.3-3.dsc
slbackup-php_0.3-3_all.deb
  to main/s/slbackup-php/slbackup-php_0.3-3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 655832@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <mike.gabriel@das-netzwerkteam.de> (supplier of updated slbackup-php package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 18 Jan 2012 17:05:14 +0100
Source: slbackup-php
Binary: slbackup-php
Architecture: source all
Version: 0.3-3
Distribution: unstable
Urgency: low
Maintainer: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Changed-By: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Description: 
 slbackup-php - web-based administration tool for slbackup
Closes: 565181 655832
Changes: 
 slbackup-php (0.3-3) unstable; urgency=low
 .
   * Mike Gabriel becomes Debian package maintainer.
   * Enable quilt patch system. Bump Standards-Version from 3.7.3 to 3.9.2.
   * Add generic README.source that explains the usage of quilt.
   * Add patch: 001_slbackup-php_cookie+request-merge.patch. Fixes reappearing
     login page on every click (closes: #655832).
   * Add patch: 002_slbackup-php_restore-paths-with-blanks.patch. Allows restore
     of files with blanks in their name. Closes: #565181.
     Patch provided by Cyril ETCHEVERRIA <cyril.e@wanadoo.fr> -> thanks!
   * Add patch: 003_slbackup-php_fix-failed-in-status-template.patch,
     for last failed backup really show timestamp of the last failed backup
     and not erroneously the timestamp of the last successful backup.
 .
   * Upload sponsored by Petter Reinholdtsen.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFPGE3J20zMSyow1ykRAoqfAJ4umv9z5v/fQk14KNpmSnc0/DVgqQCcCrFs
l15OAf/68o7AQUnsdhv8/oA=
=ajxi
-----END PGP SIGNATURE-----





Reply sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
You have taken responsibility. (Sun, 22 Jan 2012 12:07:45 GMT)

Notification sent to Petter Reinholdtsen <pere@hungry.com>:
Bug acknowledged by developer. (Sun, 22 Jan 2012 12:08:32 GMT)

Message #37 received at 655832-close@bugs.debian.org:

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: 655832-close@bugs.debian.org
Subject: Bug#655832: fixed in slbackup-php 0.3-2.2+squeeze1
Date: Sun, 22 Jan 2012 12:02:07 +0000
Source: slbackup-php
Source-Version: 0.3-2.2+squeeze1

We believe that the bug you reported is fixed in the latest version of
slbackup-php, which is due to be installed in the Debian FTP archive:

slbackup-php_0.3-2.2+squeeze1.diff.gz
  to main/s/slbackup-php/slbackup-php_0.3-2.2+squeeze1.diff.gz
slbackup-php_0.3-2.2+squeeze1.dsc
  to main/s/slbackup-php/slbackup-php_0.3-2.2+squeeze1.dsc
slbackup-php_0.3-2.2+squeeze1_all.deb
  to main/s/slbackup-php/slbackup-php_0.3-2.2+squeeze1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 655832@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <mike.gabriel@das-netzwerkteam.de> (supplier of updated slbackup-php package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 21 Jan 2012 23:08:18 +0100
Source: slbackup-php
Binary: slbackup-php
Architecture: source all
Version: 0.3-2.2+squeeze1
Distribution: stable
Urgency: low
Maintainer: Patrick Winnertz <winnie@debian.org>
Changed-By: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Description: 
 slbackup-php - web-based administration tool for slbackup
Closes: 565181 655832
Changes: 
 slbackup-php (0.3-2.2+squeeze1) stable; urgency=low
 .
   * Non-maintainer upload.
   * Patch src/index.php. Fixes reappearing login page on every click
     (closes: #655832).
   * Patch src/index.php and templates/restore.tpl. Allows restore
     of files with blanks in their name. Closes: #565181.
     Patch provided by Cyril ETCHEVERRIA <cyril.e@wanadoo.fr> -> thanks!
   * Patch templates/status.tpl. For last failed backup really show the
     timestamp of the last failed backup and not erroneously the timestamp
     of the last successful backup.
 .
   * Upload sponsored by Petter Reinholdtsen.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFPG7zA20zMSyow1ykRAkFvAJkBvmhikSiBQnIy9bwUNEWOYtbvhQCeJfmY
Ls43Qoaj0gbrY+PIMakPQcw=
=pfW3
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 22 Feb 2012 07:35:26 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 09:45:45 2014; Machine Name: buxtehude.debian.org
