debian/0000775000000000000000000000000013062323004007161 5ustar debian/control0000664000000000000000000000310613053750545010602 0ustar Source: cakephp Section: web Priority: optional Maintainer: Chris Lamb Build-Depends: debhelper (>= 7.0.50~) Standards-Version: 3.9.2 Homepage: http://www.cakephp.org/ Vcs-Git: git://github.com/lamby/pkg-cakephp.git Vcs-Browser: https://github.com/lamby/pkg-cakephp Package: cakephp Architecture: all Depends: ${misc:Depends}, php5 Recommends: cakephp-scripts Suggests: cakephp-instaweb, php5-mysql Conflicts: cakephp1.2 Replaces: cakephp1.2 Description: MVC rapid application development framework for PHP CakePHP is a flexible model-view-controller rapid application development framework for PHP inspired by Ruby on Rails. . CakePHP makes developing applications swiftly and with the least amount of hassle: . * compatibility with PHP4 and PHP5 * integrated CRUD for database interaction and simplified queries including scaffolding * request dispatcher with good looking, custom URLs * fast and flexible templating (PHP syntax, with helpers) * useful core features (access control lists, AJAX integration, etc.) * works from any website subdirectory Package: cakephp-scripts Architecture: all Depends: ${misc:Depends}, cakephp (>= ${source:Version}), php5-cli Conflicts: cakephp1.2-scripts Replaces: cakephp1.2-scripts Description: MVC rapid application development framework for PHP (scripts) CakePHP is a flexible model-view-controller rapid application development framework for PHP inspired by Ruby on Rails. . This package contains the bake.php and acl.php scripts for creating (or "baking") CakePHP applications and modifying Access Control Lists. 
debian/cakephp-scripts.manpages0000664000000000000000000000002213053750545014006 0ustar debian/manpages/* debian/patches/0000775000000000000000000000000013053750545010626 5ustar debian/patches/01-remove-shebang.diff0000664000000000000000000000060513053750545014601 0ustar Removes unnecessary shebang line from cake.php script - users should use /usr/bin/cake. --- cakephp-cakephp1x-3bb7793.orig/cake/console/cake.php 2010-05-19 23:57:11.000000000 +0100 +++ cakephp-cakephp1x-3bb7793/cake/console/cake.php 2010-05-19 23:57:32.000000000 +0100 @@ -1,4 +1,3 @@ -#!/usr/bin/php -q Date: Fri, 24 Feb 2017 07:20:08 +0100 Subject: CVE-2016-4793 See also http://legalhackers.com/advisories/CakePHP-IP-Spoofing-Vulnerability.txt Origin: https://github.com/cakephp/cakephp/commit/48af49ddde16c8b99edb701f1c31283455b2b0b6 --- cake/libs/controller/components/request_handler.php | 16 +++------------- 1 file changed, 3 insertions(+), 13 deletions(-) diff --git a/cake/libs/controller/components/request_handler.php b/cake/libs/controller/components/request_handler.php index f0f7069..db41fc7 100644 --- a/cake/libs/controller/components/request_handler.php +++ b/cake/libs/controller/components/request_handler.php 
@@ -481,20 +481,10 @@ class RequestHandlerComponent extends Object {
 function getClientIP($safe = true) {
 if (!$safe && env('HTTP_X_FORWARDED_FOR') != null) {
 $ipaddr = preg_replace('/(?:,.*)/', '', env('HTTP_X_FORWARDED_FOR'));
+ } elseif (!$safe && env('HTTP_CLIENT_IP')) {
+ $ipaddr = env('HTTP_CLIENT_IP');
 } else {
- if (env('HTTP_CLIENT_IP') != null) {
- $ipaddr = env('HTTP_CLIENT_IP');
- } else {
- $ipaddr = env('REMOTE_ADDR');
- }
- }
-
- if (env('HTTP_CLIENTADDRESS') != null) {
- $tmpipaddr = env('HTTP_CLIENTADDRESS');
-
- if (!empty($tmpipaddr)) {
- $ipaddr = preg_replace('/(?:,.*)/', '', $tmpipaddr);
- }
+ $ipaddr = env('REMOTE_ADDR');
 }
 return trim($ipaddr);
 }
debian/patches/debian-changes-1.3.2-1.1+deb6u110000664000000000000000000000300013053750545015471 0ustar Description: Upstream changes introduced in version 1.3.2-1.1+deb6u11 This patch has been created by dpkg-source during the package build. Here's the last changelog entry, hopefully it gives details on why those changes were made: . cakephp (1.3.2-1.1+deb6u11) squeeze-lts; urgency=high . * [TEMP-0000000-698CF7] Address SSRF (Server Side Request Forgery) attack by ensuring included files are "regular" (eg. `./foo.xml`) rather than merely existing (eg. `/dev/urandom`, etc.). . The person named in the Author field signed this changelog entry. Author: Chris Lamb
---
The information above should follow the Patch Tagging Guidelines, please checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here are templates for supplementary fields that you might want to add: Origin: , Bug: Bug-Debian: http://bugs.debian.org/ Bug-Ubuntu: https://launchpad.net/bugs/ Forwarded: Reviewed-By: Last-Update:
--- a/cake/libs/xml.php
+++ b/cake/libs/xml.php
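Review bot: The address returned at `return trim($ipaddr);` is never checked to be an IP literal, so a caller passing `$safe = false` receives the raw `X-Forwarded-For` / `Client-IP` header text, trimmed but otherwise unvalidated; the changelog's own warning about feeding this value into SQL or shell commands applies unchanged. Where PHP 4 compatibility is not a constraint, a guard before the return, `if (filter_var($ipaddr, FILTER_VALIDATE_IP) === false) { $ipaddr = ''; }`, rejects anything that is not an address while keeping the empty-string result the function appears to produce when no source is set; otherwise the method's docblock (presumably just above the hunk) should state that `$safe = false` returns client-controlled data. Note also that the `X-Forwarded-For` branch keeps the leftmost, client-supplied element rather than the hop appended by the site's own proxy, so deployments behind a trusted proxy should resolve the client address at that layer instead of relying on `$safe = false`.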
@@ -900,7 +900,7 @@
 App::import('Core', 'HttpSocket');
 $socket = new HttpSocket();
 $this->__rawData = $socket->get($input);
- } elseif (file_exists($input)) {
+ } elseif (is_file($input)) {
 $this->__rawData = file_get_contents($input);
 } else {
 trigger_error(__('XML cannot be read', true));
debian/patches/02-cake-binary-libs.diff0000664000000000000000000000066713053750545015024 0ustar Use an absolute path to the CakePHP libs.
--- a/cake/console/cake.orig 2012-06-26 17:19:31.000000000 +0100
+++ b/cake/console/cake 2012-06-26 17:19:43.000000000 +0100
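Review bot: `is_file($input)` closes the special-file case but still lets any readable regular file on the host be loaded into `$this->__rawData`, so if `$input` can come from request data the caller must confine it (for example `realpath()` checked against an allowed base directory) and the enclosing method's docblock should say that `$input` is trusted; the method itself starts before and ends after this hunk. Separately, `file_get_contents($input)` returns `false` for an unreadable file and that value is stored silently, bypassing the error raised in the `else` branch; a check after the read such as `if ($this->__rawData === false) { trigger_error(__('XML cannot be read', true)); }` keeps the two failure paths consistent.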
@@ -26,9 +26,9 @@ LIB=$(cd $DIR && cd $(dirname -- "$SYM") && pwd)/$(basename -- "$SYM") done -LIB=$(dirname -- "$LIB")/ +LIB=/usr/share/php/cake/console/ APP=`pwd` exec php -q ${LIB}cake.php -working "${APP}" "$@" -exit; \ No newline at end of file +exit; debian/patches/series0000664000000000000000000000014513053750545012043 0ustar 01-remove-shebang.diff 02-cake-binary-libs.diff debian-changes-1.3.2-1.1+deb6u11 CVE-2016-4793.patch debian/cakephp.dirs0000664000000000000000000000002313053750545011470 0ustar usr/share/php/cake debian/cakephp-scripts.lintian-overrides0000664000000000000000000000017713053750545015664 0ustar # The skeleton CakePHP application contais a number of empty dirs by design. cakephp-scripts: package-contains-empty-directory debian/compat0000664000000000000000000000000213053750545010375 0ustar 5 debian/cakephp.docs0000664000000000000000000000000713053750545011461 0ustar README debian/changelog0000664000000000000000000001556613062323004011050 0ustar cakephp (1.3.15-1+deb7u2build0.14.04.1) trusty-security; urgency=medium * fake sync from Debian -- Tyler Hicks Wed, 15 Mar 2017 20:37:24 +0000 cakephp (1.3.15-1+deb7u2) wheezy-security; urgency=high * Non-maintainer upload by the LTS team. * Fix CVE-2016-4793: The getClientIP function allowed remote attackers to spoof their IP address. This vulnerability could be used to bypass access control lists to get access to sensitive data, or lead to higher severity vulnerabilities if untrusted data returned by getClientIP() is treated as safe and used without appropriate sanitization within SQL queries, system command calls etc. -- Markus Koschany Fri, 24 Feb 2017 07:23:33 +0100 cakephp (1.3.15-1+deb7u1) wheezy-security; urgency=medium * Address SSRF (Server Side Request Forgery) attack by ensuring included files are "regular" (eg. `./foo.xml`) rather than merely existing (eg. `/dev/urandom`, etc.). 
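Review bot: After the added `LIB=/usr/share/php/cake/console/`, the value computed by the resolution loop ending at `done` (which begins above the hunk) is overwritten before it is ever used, so that loop is now dead code in the packaged script; either drop it in the same patch or mark it, e.g. `# LIB is pinned to the Debian install path below; the resolution loop above is upstream's and unused here`. Also, `${LIB}` in `exec php -q ${LIB}cake.php` is unquoted; the pinned path has no spaces, but `"${LIB}cake.php"` is the safer habit and costs nothing.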
(Closes: #832283) -- Balint Reczey Sat, 23 Jul 2016 10:30:59 +0200 cakephp (1.3.15-1) unstable; urgency=low * New upstream release (Closes: #665218) * Bump Standards-Version to 3.9.2. * Update 02-cake-binary-libs.diff. -- Chris Lamb Tue, 26 Jun 2012 17:20:45 +0100 cakephp (1.3.7-1) unstable; urgency=low * New upstream release. * Update Vcs-{Git,Browser}. * Bump Standards-Version to 3.9.1. * Update debian/watch location. Thanks to Martin Atukunda (Closes: #603476) -- Chris Lamb Sun, 27 Feb 2011 21:15:13 +0000 cakephp (1.3.2-1) unstable; urgency=low * New upstream release (Closes: #585684) -- Chris Lamb Tue, 15 Jun 2010 10:05:07 +0100 cakephp (1.3.0-1) unstable; urgency=low * New upstream release (Closes: #581400) * Update debian/watch. * Bump Standards-Version to 3.8.4. * Refresh 01-remove-shebang.diff. * Refresh 02-cake-binary-libs.diff. * Also delete 'empty' files in cakephp-scripts. * Remove unnecessary executable bits. -- Chris Lamb Thu, 20 May 2010 00:12:41 +0100 cakephp (1.2.5-1) unstable; urgency=low * New upstream stable release. * Allow empty directories in "cakephp" package too; it includes a test project which has these directories by default. -- Chris Lamb Wed, 13 Jan 2010 23:24:24 +0000 cakephp (1.2.4.8284-1) unstable; urgency=low * New upstream bugfix release. * Bump Standards-Version to 3.8.3 * Bump Build-Depends on debhelper as we use override_* rules. * Use "dh --with quilt" instead of overriding targets to add the quilt stamp file to their dependencies. -- Chris Lamb Mon, 24 Aug 2009 23:37:41 +0100 cakephp (1.2.3.8166-1) unstable; urgency=low * New upstream release. * Move to Debhelper 7 and override_*-based customisations. * Bump Standards-Version to 3.8.1. * Using "find ... -print0 | xargs -0" over "find ... | xargs". * Add ${misc:Depends} to all binary package Depends. -- Chris Lamb Sat, 09 May 2009 13:16:16 +0100 cakephp (1.2.1.8004-2) unstable; urgency=low * Correct reference to `bake.php` in README.Debian. 
(Closes: #517031) * Update Git repository locations. * Correct watch file. -- Chris Lamb Fri, 06 Mar 2009 11:32:39 +0000 cakephp (1.2.1.8004-1) unstable; urgency=low * New upstream release. * Add patch description for 02-cake-binary-libs.diff. * Use © symbol in debian/copyright to appease lintian. * Update years in debian/copyright. -- Chris Lamb Sun, 15 Feb 2009 22:52:53 +0000 cakephp (1.2.0.7962.final-1) unstable; urgency=low * New stable upstream release, released Christmas Day. * Update debian/cakephp.docs. * Remove unused "package-contains-empty-directory" Lintian overrides for cakephp binary package. * Remove code to reset pointless executable bits on files (merged upstream via https://trac.cakephp.org/ticket/3817). -- Chris Lamb Tue, 30 Dec 2008 00:42:46 +0000 cakephp (1.2.0.7692-rc3-1) unstable; urgency=low * New upstream release. * New maintainer email address. -- Chris Lamb Sat, 04 Oct 2008 15:49:12 +0100 cakephp (1.2.0.7296-rc2-1) unstable; urgency=low * New upstream release. -- Chris Lamb Wed, 02 Jul 2008 13:03:41 +0100 cakephp (1.2.0.7125-rc1-1) unstable; urgency=low * New upstream release. * Replace now cakephp1.2 package - Conflict with and replace cakephp1.2 * Migrate away from CDBS and dpatch to debhelper and quilt * Rename XS-Vcs-* to Vcs-*. * Move to machine-readable debian/copyright * Bump Standards-Version to 3.8.0 -- Chris Lamb Thu, 03 Apr 2008 13:03:11 +0100 cakephp (1.1.19.6305-1) unstable; urgency=low * New upstream release. * Remove php4 and php4-cli from Depends: and associated Lintian override. * Bump Standards-Version to 3.7.3. * Rework debian/rules, debian/cakephp.install, debian/cakephp-scripts.install, etc. * Add Lintian overrides for empty-dir warnings. -- Chris Lamb Thu, 03 Jan 2008 15:47:47 +0000 cakephp (1.1.18.5850-2) unstable; urgency=low * Add Homepage: field * Expand acl.php manpage (Closes: #453700) -- Chris Lamb Mon, 03 Dec 2007 02:58:26 +0000 cakephp (1.1.18.5850-1) unstable; urgency=low * New upstream release. 
* Add php5-mysql to Suggests:. -- Chris Lamb Fri, 02 Nov 2007 13:10:17 +0000 cakephp (1.1.17.5612-2) unstable; urgency=low * Add cakephp-instaweb to Suggests:. -- Chris Lamb Mon, 24 Sep 2007 17:53:34 +0100 cakephp (1.1.17.5612-1) unstable; urgency=low * New upstream release. * Alters default app location for bake.php-generated apps. Thanks to Edwin Taylor . (Closes: #441263) * Add XS-Vcs-Git and XS-Vcs-Browse lines to debian/control. -- Chris Lamb Fri, 14 Sep 2007 19:16:55 +0100 cakephp (1.1.16.5421-1) unstable; urgency=low * New upstream release. -- Chris Lamb Fri, 13 Jul 2007 01:18:30 +0100 cakephp (1.1.15.5144-1) unstable; urgency=low * New upstream release. * Ensure global cake/vendors directory is in /usr/share/php/cake. -- Chris Lamb Tue, 22 May 2007 01:23:16 +0100 cakephp (1.1.14.4797-1) unstable; urgency=low * New upstream release. * Fixed package description. (Closes: #420580) * Updated debian/watch to not match development branch. -- Chris Lamb Wed, 25 Apr 2007 23:23:46 +0100 cakephp (1.1.13.4450-1) unstable; urgency=low * Initial release. * The bake.php and acl.php scripts have been moved to /usr/bin and set executable. Their on-line help has been adjusted to match. -- Chris Lamb Mon, 19 Mar 2007 19:55:39 +0000 debian/copyright0000664000000000000000000000377213053750545011143 0ustar Author: Larry E. Masters Download: http://www.cakeforge.org/ Files: * Copyright: © 2005-2008 Cake Software Foundation, Inc. License: MIT-other Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: . 
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. . THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Files: * Copyright: © 2007-2009 Chris Lamb License: GPL-3 This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. . This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. . You should have received a copy of the GNU General Public License along with this program. If not, see . On Debian systems, the complete text of the GNU General Public License can be found in the /usr/share/common-licenses/GPL-3 file. debian/manpages/0000775000000000000000000000000013053750545010772 5ustar debian/manpages/bake.php.10000664000000000000000000000200713053750545012543 0ustar .TH BAKE.PHP 1 "March 19, 2007" .SH NAME bake.php \- generates skeleton CakePHP applications .SH SYNOPSIS .B bake.php .RI [command] " [path]" .SH DESCRIPTION The \fBbake.php\fP script generates controllers, views and models for your application. If run with no command line arguments, \fBbake.php\fP guides the user through the class creation process. 
You can customize the generation process by telling \fBbake.php\fP where different parts of your application are using command line arguments. .SH OPTIONS .TP .B \-app, \-a Absolute path to Cake's app directory .TP .B \-core, \-c Absolute path to Cake's cake directory .TP .B \-project, \-p Generates a new app directory in the path supplied .TP .B \-root, \-r Absolute path to Cake's /app/webroot directory .TP .B \-help, \-h Shows help message .SH SEE ALSO .BR acl.php (1). .SH AUTHOR \fBbake.php\fP was written by Larry E. Masters . .PP This manual page was written by Chris Lamb , for the Debian project (but may be used by others). debian/manpages/acl.php.10000664000000000000000000000467113053750545012405 0ustar .TH ACL.PHP 1 "March 19, 2007" .SH NAME acl.php \- manages Access Control Lists (ACLs) for CakePHP applications .SH SYNOPSIS .B acl.php .RI " ..." .SH DESCRIPTION The \fBacl.php\fP script manages Access Control Lists (ACLs) for CakePHP applications. .SH OPTIONS .TP .B create aro|aco Creates a new ACL object under the parent specified by , an id/alias (see 'view'). The link_id allows you to link a user object to Cake's ACL structures. The alias parameter allows you to address your object using a non-integer ID. .sp 1 Example: "acl.php create aro 57 0 John" would create a new ARO object at the root of the tree, linked to 57 in your users table, with an internal alias `John'. .TP .B delete aro|aco Deletes the ACL object with the specified ID (see `view'). .TP .B setParent aro|aco Used to set the parent of the ACL object specified by to the ID specified by . .TP .B getPath aro|aco Returns the path to the ACL object specified by . This command is useful in determining the inheritance of permissions for a certain object in the tree. .TP .B grant Use this command to grant ACL permissions. Once executed, the ARO specified (and its children, if any) will have ALLOW access to the specified ACO action (and the ACO's children, if any). 
.TP .B deny Use this command to deny ACL permissions. Once executed, the ARO specified (and its children, if any) will have DENY access to the specified ACO action (and the ACO's children, if any). .TP .B inherit Use this command to force a child ARO object to inherit its permissions settings from its parent. .TP .B view aro|aco [id] The view command will return the ARO or ACO tree. The optional id/alias parameter allows you to return only a portion of the requested tree. .TP .B initdb Use this command to create the database tables needed to use DB ACL. .TP .B \-app Absolute path to Cake's app directory .TP .B \-core Absolute path to Cake's cake directory .TP .B \-root Absolute path to Cake's /app/webroot directory .TP .B \-datasource CakePHP datasource name .TP .B help Displays help message. .SH SEE ALSO .BR bake.php (1). .SH AUTHOR \fBacl.php\fP was written by Larry E. Masters . .PP This manual page was written by Chris Lamb , for the Debian project (but may be used by others). debian/manpages/cake.10000664000000000000000000000126713053750545011765 0ustar .TH CAKE 1 "September 15, 2007" .SH NAME cake \- CakePHP application shell. .SH SYNOPSIS .B cake .RI .SH DESCRIPTION The \fBcake\fP utility encapsulates a number of operations that can be performed on CakePHP applications, including generating controllers, views and models, as well as managing access control lists (ACLs), viewing API documentation and application-specific console tasks. .PP The available commands (or `shells') can be seen by running \fBcake\fP without any arguments. .SH AUTHOR \fBcake\fP was written by Larry E. Masters . .PP This manual page was written by Chris Lamb , for the Debian project (but may be used by others). 
debian/watch0000664000000000000000000000015313053750545010227 0ustar version=3 opts="uversionmangle=s/-/~/" \ http://githubredir.debian.net/github/cakephp/cakephp /(.*).tar.gz debian/source/0000775000000000000000000000000013053750545010477 5ustar debian/source/format0000664000000000000000000000001413053750545011705 0ustar 3.0 (quilt) debian/cakephp.README.Debian0000664000000000000000000000041613053750545012653 0ustar cakephp for Debian ------------------ To create a skeleton CakePHP application, please install the cakephp-scripts package and use the `cake` utility, which is installed system-wide in /usr/bin. -- Chris Lamb Mon, 19 Mar 2007 23:14:04 +0000 debian/rules0000775000000000000000000000125613053750545010263 0ustar #!/usr/bin/make -f %: dh $@ override_dh_install: # cakephp cp -r cake/libs cake/config cake/tests cake/*.php debian/cakephp/usr/share/php/cake # cakephp-scripts cp -r app cake/console debian/cakephp-scripts/usr/share/php/cake/ cp -r cake/console/cake debian/cakephp-scripts/usr/bin # Remove unnecessary 'empty' files and directories # These were added by upstream to workaround braindead MacOS X extracting # utilities that would silently not create empty directories find debian/cakephp debian/cakephp-scripts -type f -name empty -size 0 -print0 | xargs -0 rm -f # Remove unnecessary executable bits find debian/cakephp -type f -perm /111 -print0 | xargs -0r chmod -x debian/cakephp.lintian-overrides0000664000000000000000000000016713053750545014176 0ustar # The skeleton CakePHP application contains a number of empty dirs by design. cakephp: package-contains-empty-directory debian/cakephp-scripts.dirs0000664000000000000000000000007713053750545013166 0ustar usr/share/php/cake/scripts usr/bin usr/share/lintian/overrides