I've prepared an updated fix for this (and other) problems. I split the previous patch into 2, and created 2 other new ones to fix other problems. All 4 are attached, and my repository contains the updated packages. Here's a description of the patches:

11_missed_security_fixes.dpatch: This patch now contains only the security fixes in 2.2 that I missed when I was previously adding fixes.

12_metaInfo_remote_command.dpatch: This patch combines my previously suggested fix of using SecurityClean() on $torrent, in both metaInfo.php and startpop.php, and Stefan's suggested fix of using escapeshellarg($torrent) in metaInfo.php. Only one is required, but I used both just to be safe.

13_possible_xss_vulnerability.dpatch: This patch uses htmlentities() before printing any variables that have been urldecoded after being read in (when htmlentities is initially run). I'm still not sure this can be exploited, as I have not yet been able to do it, but it may depend on the web server in use or its configuration, so I decided to fix it anyway to be safe. It's a pretty easy fix anyway.

14_maketorrent_remote_command.dpatch: Upstream told me about this one. In maketorrent.php there's another place where an input variable is used unescaped in an exec. This patch escapes the variable before executing it.

Let me know if I missed something, or what you think of the patches. I think I managed to take care of every problem mentioned in this bug report, but it is quite long so I could be mistaken.

Cameron
11_missed_security_fixes.dpatch
Description: Binary data
12_metaInfo_remote_command.dpatch
Description: Binary data
13_possible_xss_vulnerability.dpatch
Description: Binary data
14_maketorrent_remote_command.dpatch
Description: Binary data
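
Added example, not part of the message above and not TorrentFlux code: a PHP illustration of the two patterns the patches address, namely htmlentities() applied before urldecode() rather than right before output, and a request value placed unescaped into a shell command line. All function names, the tool name and the sample values are constructed for illustration.

```php
<?php
// Added illustration only. Names and sample inputs are hypothetical,
// not taken from metaInfo.php, startpop.php or maketorrent.php.

// Pattern behind patch 13: the value is entity-encoded when it is read in,
// urldecoded later, and then printed. The late decode can reintroduce
// markup characters that htmlentities() never saw.
function render_encode_then_decode(string $raw): string
{
    $value = htmlentities($raw, ENT_QUOTES, 'UTF-8'); // encoded at read-in
    return urldecode($value);                          // decoded afterwards
}

// Corrected order: decode first, encode immediately before printing.
function render_decode_then_encode(string $raw): string
{
    return htmlentities(urldecode($raw), ENT_QUOTES, 'UTF-8');
}

// Pattern behind patches 12 and 14: an input variable concatenated
// into a command string that is handed to exec().
function build_command_unescaped(string $tool, string $torrent): string
{
    return $tool . ' ' . $torrent; // shell metacharacters in $torrent stay live
}

// With escapeshellarg() the whole value is passed as one quoted argument.
function build_command_escaped(string $tool, string $torrent): string
{
    return escapeshellarg($tool) . ' ' . escapeshellarg($torrent);
}

// Constructed sample: a value that is still percent-encoded when read.
$sample = '%3Cb%3Ename%3C%2Fb%3E.torrent';
echo render_encode_then_decode($sample), "\n"; // raw markup reaches the page
echo render_decode_then_encode($sample), "\n"; // markup arrives as entities

// Constructed sample: a file name containing a shell command separator.
$name = 'a.torrent; echo injected';
echo build_command_unescaped('show-metainfo', $name), "\n"; // two commands
echo build_command_escaped('show-metainfo', $name), "\n";   // one argument
```

The command strings are only printed here, never executed, so the script is safe to run with `php` on the command line to compare the four outputs.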