From: henoheno <henoheno>
Date: Tue, 30 May 2006 14:51:25 +0000 (+0900)
Subject: Added about OS command injection
X-Git-Tag: r1_5_0_rc1~33
X-Git-Url: http://git.osdn.net/view?p=pukiwiki%2Fpukiwiki.git;a=commitdiff_plain;h=fb17a3a20ed93c3cab907cf7c36c3fa111abf8b5

Added about OS command injection
---

diff --git a/UPDATING.txt b/UPDATING.txt
index 29244d4..ba9d63f 100644
--- a/UPDATING.txt
+++ b/UPDATING.txt
@@ -1,5 +1,5 @@
 PukiWiki UPDATING
-$Id: UPDATING.txt,v 1.35 2006/05/29 15:16:04 henoheno Exp $
+$Id: UPDATING.txt,v 1.36 2006/05/30 14:51:25 henoheno Exp $
 
 
 ¸ß´¹À­¤Ë´Ø¤¹¤ëµ­½Ò
@@ -7,16 +7,26 @@ $Id: UPDATING.txt,v 1.35 2006/05/29 15:16:04 henoheno Exp $
 
 PukiWiki 1.4.7: PukiWiki 1.4.6 ¤È¤ÎÈó¸ß´¹ÅÀ
 
-   1. ´ÉÍý¼Ô¥Ñ¥¹¥ï¡¼¥É¤Î½é´üÃÍ¤¬ 'pass' ¤Ç¤Ï¤Ê¤¯¤Ê¤ê¤Þ¤·¤¿¡£´ÉÍý¼Ô¤¬²¿¤«
-     ÀßÄê¤¹¤ë¤Þ¤Ç¤Ï¡¢±Ê±ó¤ËÈ½Äê¤Ë¼ºÇÔ¤·¤Þ¤¹¡£
-     ¢¨1.4.6¤Î¥Ñ¥¹¥ï¡¼¥É¤Ï¤½¤Î¤Þ¤Þ»È¤¨¤Þ¤¹¡£
-     ¢¨1.4.6°Ê¹ß¡¢¥Ñ¥¹¥ï¡¼¥É¤ÎÊÝÂ¸·Á¼°¤ÏÊÑ²½¤·¤Æ¤¤¤Þ¤¹¡£
-
-   2. ½é´ü¥³¥ó¥Æ¥ó¥Ä¤ÎÌ¾¾ÎÊÑ¹¹¤Ê¤É
-     ¥Þ¥ë¥Á¥Ð¥¤¥ÈÊ¸»úÎó¤Ë°ÍÂ¸¤·¤¿¥Õ¥¡¥¤¥ëÌ¾¤¬½é´ü¥³¥ó¥Æ¥ó¥Ä¤Ë´Þ¤Þ¤ì¤Æ¤¤¤¿
-     ÌäÂê¤ò²ò¾Ã¤·¤¿·ë²Ì¡¢°Ê²¼¤Î¥Ú¡¼¥¸¤ÎÌ¾¾Î¤¬ÊÑ¹¹¤µ¤ì¤Þ¤·¤¿¡£
-     ²áµî¤Î¥Ð¡¼¥¸¥ç¥ó¤Î¥³¥ó¥Æ¥ó¥Ä¤ò 1.4.7 ¤Ë°Ü¿¢¤¹¤ë¾ì¹ç¡¢¤³¤ì¤é¤Î¥Ú¡¼¥¸
-     ¤òËº¤ì¤º¤ËÀßÃÖ¤·¡¢"Åà·ë"¤·¤Æ²¼¤µ¤¤¡£
+   1. ´ÉÍý¼Ô¥Ñ¥¹¥ï¡¼¥É($adminpass)¤Î¥Ç¥Õ¥©¥ë¥ÈÃÍ¤ÎÊÑ¹¹
+     ¥Ç¥Õ¥©¥ë¥ÈÃÍ¤¬ "pass" ¤«¤é¡¢"ÀäÂÐ¤Ë¼ºÇÔ¤¹¤ëÊ¸»úÎó" ¤Ë½¤Àµ¤µ¤ì¤Þ¤·¤¿¡£´É
+     Íý¼Ô¤¬Å¬ÀÚ¤ÊÃÍ¤òÀßÄê¤¹¤ë¤Þ¤Ç¤Ï±Ê±ó¤ËÈ½Äê¤Ë¼ºÇÔ¤·¤Þ¤¹¡£
+       ¢¨1.4.6¤Î¥Ñ¥¹¥ï¡¼¥É¤Ï¤½¤Î¤Þ¤Þ»ÈÍÑ¤Ç¤­¤Þ¤¹¡£
+       ¢¨1.4.6°Ê¹ß¡¢¥Ñ¥¹¥ï¡¼¥É¤ÎÊÝÂ¸·Á¼°¤ÏÊÑ¹¹¤µ¤ì¤Æ¤¤¤Þ¤¹¡£
+         (See BugTrack/709)
+
+   2. ¥³¥Þ¥ó¥É¼Â¹Ôµ¡Ç½¤Î»ÅÍÍÊÑ¹¹
+     ¥Ú¡¼¥¸¤¬¹¹¿·¤µ¤ì¤ëÅÙ¤Ë¡¢"´ÉÍý¼Ô¤¬»ØÄê¤·¤¿¥³¥Þ¥ó¥É" ¤ò¥µ¡¼¥Ð¡¼ÆâÉô¤Ç¼Â¹Ô
+     ¤¹¤ë¤¿¤á¤Î¥°¥í¡¼¥Ð¥ëÊÑ¿ô($update_exec)¤Ï¡¢Äê¿ô(PKWK_UPDATE_ EXEC)¤Ë¤Ê¤ê
+     ¤Þ¤·¤¿¡£
+     
+     ¥°¥í¡¼¥Ð¥ëÊÑ¿ô¤Ë¥³¥Þ¥ó¥ÉÊ¸»úÎó¤ò³ÊÇ¼¤·¤Æ¤¤¤ë¾ì¹ç¡¢°­°Õ¤Î¤¢¤ëÂè»°¼Ô¤¬ºîÀ®
+     ¤·¤¿¥×¥é¥°¥¤¥ó¤Ê¤É¤Ë¤è¤Ã¤Æ¡¢ÃÍ¤òÆ°Åª¤Ë²þÊÑ¤µ¤ì¤ë²ÄÇ½À­¤¬¤¢¤ê¤Þ¤¹¡£
+
+   3. ½é´ü¥³¥ó¥Æ¥ó¥Ä¤ÎÌ¾¾ÎÊÑ¹¹
+     ¥Þ¥ë¥Á¥Ð¥¤¥ÈÊ¸»úÎó¤Ë°ÍÂ¸¤·¤¿¥Õ¥¡¥¤¥ëÌ¾¤¬½é´ü¥³¥ó¥Æ¥ó¥Ä¤Ë´Þ¤Þ¤ì¤Æ¤¤¤¿ÌäÂê
+     ¤ò²ò¾Ã¤·¤¿·ë²Ì¡¢°Ê²¼¤Î¥Ú¡¼¥¸¤ÎÌ¾¾Î¤¬ÊÑ¹¹¤µ¤ì¤Þ¤·¤¿¡£²áµî¤Î¥Ð¡¼¥¸¥ç¥ó¤Çºî
+     À®¤·¤Æ¤¤¤¿¥³¥ó¥Æ¥ó¥Ä¤ò 1.4.7 ¤Ë°Ü¿¢¤¹¤ë¾ì¹ç¡¢¤³¤ì¤é¤Î¥Ú¡¼¥¸¤òËº¤ì¤º¤ËÀß
+     ÃÖ¤·¡¢"Åà·ë"¤·¤Æ²¼¤µ¤¤¡£
 
        "À°·Á¥ë¡¼¥ë" => "FormattingRules"
           (ÊÔ½¸»þ¤Î¥ê¥ó¥¯¤«¤é»²¾È¤µ¤ì¤Æ¤¤¤Þ¤¹)
@@ -31,16 +41,17 @@ PukiWiki 1.4.7: PukiWiki 1.4.6 
 
      (See BugTrack2/118)
 
-   3. ¤¤¤¯¤Ä¤«¤Î¥Õ¥¡¥¤¥ë¤¬ÅºÉÕ¤µ¤ì¤Ê¤¯¤Ê¤ê¤Þ¤·¤¿¡£
-
-     pukiwiki.php   : É¬Í×¤Ç¤¢¤ì¤Ð index.php ¤ò¥³¥Ô¡¼¤·¤Æ¤ª»È¤¤²¼¤µ¤¤¡£
-     skin/default.js: ¤É¤³¤«¤é¤âÍøÍÑ¤µ¤ì¤Æ¤¤¤Þ¤»¤ó¤Ç¤·¤¿¡£
+   4. ²¼µ­¤Î¥Õ¥¡¥¤¥ë¤¬ÅºÉÕ¤µ¤ì¤Ê¤¯¤Ê¤ê¤Þ¤·¤¿¡£
+     pukiwiki.php    : É¬Í×¤Ç¤¢¤ì¤Ð index.php ¤ò¥³¥Ô¡¼¤·¤Æ¤ª»È¤¤²¼¤µ¤¤¡£
+     skin/default.js : ¤É¤³¤«¤é¤âÍøÍÑ¤µ¤ì¤Æ¤¤¤Þ¤»¤ó¤Ç¤·¤¿¡£
 
-   4. µÓÃí¤ËËä¤á¹þ¤Þ¤ì¤Æ¤¤¤¿ "µÓÃí¤½¤Î¤â¤Î(Ê¸»úÎó)" ¤Ï¡¢º£¸å¤ÏÁ´Ê¸¤Ç¤Ï¤Ê¤¯
+   5. µÓÃí¤ËËä¤á¹þ¤Þ¤ì¤Æ¤¤¤¿ "µÓÃí¤½¤Î¤â¤Î(Ê¸»úÎó)" ¤Ï¡¢º£¸å¤ÏÁ´Ê¸¤Ç¤Ï¤Ê¤¯¡¢
      ·è¤á¤é¤ì¤¿Ê¸»ú¿ô¤À¤±½ÐÎÏ¤µ¤ì¤Þ¤¹¡£ (See BugTrack/420)
 
-   5. ¤¤¤¯¤Ä¤«¤ÎÉ¸½àÅºÉÕ¥×¥é¥°¥¤¥ó¤Ï¡¢$non_list(°ìÍ÷¤·¤Ê¤¤¥Ñ¥¿¡¼¥ó) ¤Ë¹çÃ×
-     ¤¹¤ë¥Ú¡¼¥¸¤òÉ½¼¨¤·¤Ê¤¯¤Ê¤ê¤Þ¤·¤¿¡£ (See BugTrack2/140)
+   6. °Ê²¼¤ÎÉÕ¥×¥é¥°¥¤¥ó¤Ï¡¢$non_list(°ìÍ÷¤·¤Ê¤¤¥Ñ¥¿¡¼¥ó) ¤Ë¹çÃ×¤¹¤ë¥Ú¡¼¥¸¤ò
+     É½¼¨¤·¤Ê¤¯¤Ê¤ê¤Þ¤·¤¿¡£
+       attach, popular, related, touchgraph, yetlist
+     (See BugTrack2/140, BugTrack2/175)
 
 
 PukiWiki 1.4.6: PukiWiki 1.4.5_1 ¤È¤ÎÈó¸ß´¹ÅÀ
