Package: gallery2
Version: 2.3.1.dfsg-1~bpo50+1
Severity: important
The Debian version of /usr/share/gallery2/lib/smarty/Smarty_Compiler.class.php
differs from the stock gallery2 2.3.1 version of the file, and it fails when
there are single quotes (') in templates, leading to errors such as:
Parse error: syntax error, unexpected T_STRING, expecting ')' in
/var/www/user-rw/gallery2-349gl0289gys/smarty/templates_c/%%626616196/matrix/%%26^261^2615E4E5%%AdminPlugins.tpl.php
on line 173
when trying to access Site Admin > Plugins via the web interface of gallery2.
The diff from the Debian version to the stock 2.3.1 version is:
--- /usr/share/gallery2/lib/smarty/Smarty_Compiler.class.php 2009-10-25
15:19:04.000000000 +0000
+++ Smarty_Compiler.class.php 2008-10-16 07:35:13.000000000 +0100
@@ -1695,12 +1695,7 @@
$_return = $var_expr;
}
// replace double quoted literal string with single quotes
-
- // The follwoing line has been replaced to close a function injection
security hole (U.Tews)
- // $_return = preg_replace('~^"([\s\w]+)"$~',"'\\1'",$_return);
- $_return = str_replace('"',"'",$_return);
- // escape dollar sign if not printing a var
- $_return = preg_replace('~\$(\W)~',"\\\\\$\\1",$_return);
+ $_return = preg_replace('~^"([\s\w]+)"$~',"'\\1'",$_return);
return $_return;
}
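Review bot: Applying this diff as written deletes the two statements on the `-` side that the removed comment describes as closing a function injection security hole (the `str_replace('"',"'",$_return)` call and the dollar-sign escaping) and restores the exact `preg_replace('~^"([\s\w]+)"$~', ...)` line that the comment says was replaced, so the parse error goes away at the cost of reverting that fix. The defect is narrower than the whole block: the `str_replace` line turns every `"` in `$_return` into `'` without accounting for `'` characters already inside the literal text, which is consistent with the unbalanced-quote parse error reported in the compiled template. I would keep the `-` side and handle embedded single quotes in the literal portion before the quote conversion, leave the dollar-sign escaping in place, and add a regression template containing an apostrophe. After any change here the compiled template cache has to be cleared, since already-compiled files in templates_c keep the old output.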
Replacing the Debian version with the stock version allows things to work
properly once more, once you've used Maintenance > Delete template cache.
The stock version uses double-quotes (") around the strings it is handling;
the Debian version uses single-quotes ('), without thinking to escape such
single quotes in the text, and this is the cause of the problem.
-- System Information:
Debian Release: 5.0.4
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.33-fysh-kvmguest (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages gallery2 depends on:
ii apache2 2.2.9-10+lenny6 Apache HTTP Server metapackage
ii apache2-mpm-pre 2.2.9-10+lenny6 Apache HTTP Server - traditional n
ii debconf [debcon 1.5.24 Debian configuration management sy
ii imagemagick 7:6.3.7.9.dfsg2-1~lenny3 image manipulation programs
ii libapache2-mod- 5.2.6.dfsg.1-1+lenny6 server-side, HTML-embedded scripti
ii libphp-adodb 5.05-1 The ADOdb database abstraction lay
ii mysql-client-5. 5.0.51a-24+lenny3 MySQL database client binaries
ii netpbm 2:10.0-12 Graphics conversion tools
ii php5 5.2.6.dfsg.1-1+lenny6 server-side, HTML-embedded scripti
ii php5-cgi 5.2.6.dfsg.1-1+lenny6 server-side, HTML-embedded scripti
ii php5-mysql 5.2.6.dfsg.1-1+lenny6 MySQL module for php5
ii php5-pgsql 5.2.6.dfsg.1-1+lenny6 PostgreSQL module for php5
ii postgresql-clie 8.3.9-0lenny1 front-end programs for PostgreSQL
ii smarty 2.6.20-1.2 Template engine for PHP
ii wwwconfig-commo 0.1.2 Debian web auto configuration
Versions of packages gallery2 recommends:
ii dcraw 8.86-1 decode raw digital camera images
ii ffmpeg 0.svn20080206-18+lenny1 multimedia player, server and enco
ii jhead 2.84-2 manipulate the non-image part of E
ii libjpeg-progs 6b-14 Programs for manipulating JPEG fil
ii php5-gd 5.2.6.dfsg.1-1+lenny6 GD module for php5
ii unzip 5.52-12 De-archiver for .zip files
ii zip 2.32-1 Archiver for .zip files
Versions of packages gallery2 suggests:
pn mysql-server-5.0 | mysql-serv <none> (no description available)
-- debconf information:
gallery2/mysql/dbadmpass: (password omitted)
gallery2/webserver_type: apache, apache-ssl, apache-perl, apache2
gallery2/mysql/dbname: gallery2
* gallery2/mysql/dbserver: db.fysh.org
gallery2/mysql/configure: true
* gallery2/restart-webserver: false
gallery2/purge: true
* gallery2/mysql/dbadmin: root