Package: release.debian.org Severity: normal Tags: jessie User: release.debian.org@packages.debian.org Usertags: pu Hi, As agreed with the security team, the two XSS fixes from the latest upstream version do not deserve a DSA, yet I’d like to fix them via pu if you agree, debdiff attached. There is no upstream fix available (yet) for the 2.1 branch (that is still supported), so I won’t follow up with a pu request for Wheezy for the moment. Regards David
diff -Nru spip-3.0.17/debian/changelog spip-3.0.17/debian/changelog
--- spip-3.0.17/debian/changelog 2014-10-25 20:52:48.000000000 -0400
+++ spip-3.0.17/debian/changelog 2015-11-01 15:34:31.000000000 -0400
@@ -1,3 +1,10 @@
+spip (3.0.17-2+deb8u1) jessie; urgency=medium
+
+ * Track Jessie
+ * Backport XSS fixes in private content from 3.0.21
+
+ -- David Prévot <taffit@debian.org> Sun, 01 Nov 2015 15:34:00 -0400
+
spip (3.0.17-2) unstable; urgency=medium
[ Frans Spiesschaert ]
diff -Nru spip-3.0.17/debian/gbp.conf spip-3.0.17/debian/gbp.conf
--- spip-3.0.17/debian/gbp.conf 2014-10-25 20:50:16.000000000 -0400
+++ spip-3.0.17/debian/gbp.conf 2015-11-01 15:11:01.000000000 -0400
@@ -1,3 +1,3 @@
[DEFAULT]
-debian-branch = 3.0
+debian-branch = jessie
upstream-branch = upstream-3.0
diff -Nru spip-3.0.17/debian/patches/0005-Fix-XSS-in-private-content.patch spip-3.0.17/debian/patches/0005-Fix-XSS-in-private-content.patch
--- spip-3.0.17/debian/patches/0005-Fix-XSS-in-private-content.patch 1969-12-31 20:00:00.000000000 -0400
+++ spip-3.0.17/debian/patches/0005-Fix-XSS-in-private-content.patch 2015-11-01 15:31:01.000000000 -0400
@@ -0,0 +1,173 @@
+From: =?utf-8?q?C=C3=A9dric_Morin?= <cedric.morin@yterium.com>
+Date: Sat, 10 Oct 2015 10:44:19 +0000
+Subject: Fix XSS in private content
+
+Bug: https://core.spip.net/issues/3371
+Origin: Upstream, http://zone.spip.org/trac/spip-zone/changeset/92236,
+ https://core.spip.net/projects/spip/repository/revisions/22427,
+ https://core.spip.net/projects/spip/repository/revisions/22450,
+ https://core.spip.net/projects/spip/repository/revisions/22429
+---
+ ecrire/inc/texte.php | 7 ++++
+ ecrire/inc/texte_mini.php | 43 ++++++++++++++++++++--
+ plugins-dist/revisions/inc/revisions.php | 3 ++
+ .../prive/squelettes/contenu/revision.html | 6 +--
+ prive/squelettes/ajax.html | 2 +-
+ prive/squelettes/head/dist.html | 2 +-
+ prive/squelettes/structure.html | 4 +-
+ 7 files changed, 57 insertions(+), 10 deletions(-)
+
+diff --git a/ecrire/inc/texte.php b/ecrire/inc/texte.php
+index af706b3..c0cec0b 100644
+--- a/ecrire/inc/texte.php
++++ b/ecrire/inc/texte.php
+@@ -156,6 +156,7 @@ function typo($letexte, $echapper=true, $connect=null, $env=array()) {
+ if (is_null($connect)){
+ $connect = '';
+ $interdire_script = true;
++ $env['espace_prive'] = 1;
+ }
+
+ // Echapper les codes <html> etc
+@@ -183,6 +184,12 @@ function typo($letexte, $echapper=true, $connect=null, $env=array()) {
+ if ($interdire_script)
+ $letexte = interdire_scripts($letexte);
+
++ // Dans l'espace prive on se mefie de tout contenu dangereux
++ // https://core.spip.net/issues/3371
++ if (isset($env['espace_prive']) AND $env['espace_prive']){
++ $letexte = echapper_html_suspect($letexte);
++ }
++
+ return $letexte;
+ }
+
+diff --git a/ecrire/inc/texte_mini.php b/ecrire/inc/texte_mini.php
+index f3c2429..901d903 100644
+--- a/ecrire/inc/texte_mini.php
++++ b/ecrire/inc/texte_mini.php
+@@ -385,15 +385,52 @@ function echapper_faux_tags($letexte){
+ $letexte = "";
+ while (count($textMatches)) {
+ // un texte a echapper
+- $letexte .= str_replace(array("<"),array('<'),array_shift($textMatches));
++ $letexte .= str_replace("<",'<',array_shift($textMatches));
+ // un tag html qui a servit a faite le split
+ $letexte .= array_shift($textMatches);
+ }
+ return $letexte;
+ }
+
+-// Securite : utiliser SafeHTML s'il est present dans ecrire/safehtml/
+-// http://doc.spip.org/@safehtml
++/**
++ * Si le html contenu dans un texte ne passe pas sans transformation a travers safehtml
++ * on l'echappe
++ * si safehtml ne renvoie pas la meme chose on echappe les < en < pour montrer le contenu brut
++ *
++ * @param string $texte
++ * @return string
++ */
++function echapper_html_suspect($texte){
++ if (strpos($texte,'<')===false OR strpos($texte,'=')===false)
++ return $texte;
++
++ // on teste sur strlen car safehtml supprime le contenu dangereux
++ // mais il peut aussi changer des ' en " sur les attributs html,
++ // donc un test d'egalite est trop strict
++ if (strlen(safehtml($texte))!==strlen($texte)){
++ $texte = str_replace("<","<",$texte);
++ }
++
++ return $texte;
++}
++
++
++/**
++ * Sécurise un texte HTML
++ *
++ * Échappe le code PHP et JS.
++ * Applique en plus safehtml si un plugin le définit dans inc/safehtml.php
++ *
++ * Permet de protéger les textes issus d'une origine douteuse (forums, syndications...)
++ *
++ * @filtre
++ * @link http://www.spip.net/4310
++ *
++ * @param string $t
++ * Texte à sécuriser
++ * @return string
++ * Texte sécurisé
++**/
+ function safehtml($t) {
+ static $safehtml;
+
+diff --git a/plugins-dist/revisions/inc/revisions.php b/plugins-dist/revisions/inc/revisions.php
+index 16d6f86..c9ab05e 100644
+--- a/plugins-dist/revisions/inc/revisions.php
++++ b/plugins-dist/revisions/inc/revisions.php
+@@ -605,6 +605,9 @@ function propre_diff($texte) {
+ $reg = end($regs);
+ if (!$reg[1] AND $reg[2]) $texte.="</$reg[2]>";
+
++ // et interdire_scripts !
++ $texte = interdire_scripts($texte);
++
+ return $texte;
+ }
+
+diff --git a/plugins-dist/revisions/prive/squelettes/contenu/revision.html b/plugins-dist/revisions/prive/squelettes/contenu/revision.html
+index 935e6bf..a59a716 100644
+--- a/plugins-dist/revisions/prive/squelettes/contenu/revision.html
++++ b/plugins-dist/revisions/prive/squelettes/contenu/revision.html
+@@ -40,9 +40,9 @@
+ ]
+ ]
+ [<div class='id_rubrique'>(#GET{textes}|table_valeur{id_rubrique})</div>]
+- [<h4 class='surtitre'>(#GET{textes}|table_valeur{surtitre})</h4>]
+- <h1>[(#INFO_STATUT{#OBJET,#ID_OBJET}|puce_statut{#OBJET}) ][(#GET{textes}|table_valeur{titre}|sinon{<:info_sans_titre:>})]</h1>
+- [<h2 class='soustitre'>(#GET{textes}|table_valeur{soustitre})</h2>]
++ [<h4 class='surtitre'>(#GET{textes}|table_valeur{surtitre}|interdire_scripts)</h4>]
++ <h1>[(#INFO_STATUT{#OBJET,#ID_OBJET}|puce_statut{#OBJET}) ][(#GET{textes}|table_valeur{titre}|sinon{<:info_sans_titre:>}|interdire_scripts)]</h1>
++ [<h2 class='soustitre'>(#GET{textes}|table_valeur{soustitre}|interdire_scripts)</h2>]
+
+ <div class="nettoyeur"></div>
+ <div id="wysiwyg" class="revision">
+diff --git a/prive/squelettes/ajax.html b/prive/squelettes/ajax.html
+index dcd9319..b6bc56a 100644
+--- a/prive/squelettes/ajax.html
++++ b/prive/squelettes/ajax.html
+@@ -4,4 +4,4 @@
+
+ ]
+ #SET{zajax,#VAL{var_zajax}|_request|replace{\W,''}}
+-<INCLURE{fond=prive/squelettes/#GET{zajax}|concat{'/',#ENV{type-page}},ajax=#GET{zajax},env}>
+\ No newline at end of file
++<INCLURE{fond=prive/squelettes/#GET{zajax}|concat{'/',#ENV{type-page}},ajax=#GET{zajax},espace_prive=1,env}>
+\ No newline at end of file
+diff --git a/prive/squelettes/head/dist.html b/prive/squelettes/head/dist.html
+index d770c45..9dc5b63 100644
+--- a/prive/squelettes/head/dist.html
++++ b/prive/squelettes/head/dist.html
+@@ -8,4 +8,4 @@
+ [(#REM) Si pas de title, celui ci sera mis automatiquement par f_title_auto
+ en capturant le premier <h1> de la page]
+ #SET{paramcss,#REM|parametres_css_prive}
+-#PIPELINE{header_prive,#INCLURE{fond=prive/squelettes/inclure/head,titre,minipres,paramcss=#GET{paramcss}}}
+\ No newline at end of file
++#PIPELINE{header_prive,#INCLURE{fond=prive/squelettes/inclure/head,titre,minipres,paramcss=#GET{paramcss},espace_prive}}
+\ No newline at end of file
+diff --git a/prive/squelettes/structure.html b/prive/squelettes/structure.html
+index b9dd987..7520bd8 100644
+--- a/prive/squelettes/structure.html
++++ b/prive/squelettes/structure.html
+@@ -8,7 +8,7 @@
+ <!--[if IE 9 ]> <html class="[(#LANG_DIR)][ (#LANG)] no-js ie ie9 lte9" xmlns="http://www.w3.org/1999/xhtml"; xml:lang="#LANG" lang="#LANG" dir="#LANG_DIR"> <![endif]-->
+ <!--[if (gt IE 9)|!(IE)]><!--> <html class="[(#LANG_DIR)][ (#LANG)] no-js" xmlns="http://www.w3.org/1999/xhtml"; xml:lang="#LANG" lang="#LANG" dir="#LANG_DIR"> <!--<![endif]-->
+ <head>
+-<INCLURE{fond=prive/squelettes/head/#ENV{type-page},env}>
++<INCLURE{fond=prive/squelettes/head/#ENV{type-page},env,espace_prive=1}>
+ </head>
+-<INCLURE{fond=prive/squelettes/body,env}>
++<INCLURE{fond=prive/squelettes/body,env,espace_prive=1}>
+ </html>
diff -Nru spip-3.0.17/debian/patches/0006-Fix-XSS-from-iframe-in-private-content.patch spip-3.0.17/debian/patches/0006-Fix-XSS-from-iframe-in-private-content.patch
--- spip-3.0.17/debian/patches/0006-Fix-XSS-from-iframe-in-private-content.patch 1969-12-31 20:00:00.000000000 -0400
+++ spip-3.0.17/debian/patches/0006-Fix-XSS-from-iframe-in-private-content.patch 2015-11-01 15:31:01.000000000 -0400
@@ -0,0 +1,130 @@
+From: =?utf-8?q?C=C3=A9dric_Morin?= <cedric.morin@yterium.com>
+Date: Thu, 29 Oct 2015 16:58:27 +0100
+Subject: Fix XSS from iframe in private content
+
+Bug: https://core.spip.net/issues/1994, https://core.spip.net/issues/1998
+Origin: http://zone.spip.org/trac/spip-zone/changeset/92321,
+ http://zone.spip.org/trac/spip-zone/changeset/92519,
+ http://zone.spip.org/trac/spip-zone/changeset/92520
+---
+ plugins-dist/textwheel/wheels/spip/echappe-js.php | 39 ++++++++++++++++++
+ plugins-dist/textwheel/wheels/spip/echappe-js.yaml | 48 ++++++++++++++++++++++
+ .../textwheel/wheels/spip/interdire-scripts.yaml | 3 +-
+ 3 files changed, 89 insertions(+), 1 deletion(-)
+ create mode 100644 plugins-dist/textwheel/wheels/spip/echappe-js.php
+
+diff --git a/plugins-dist/textwheel/wheels/spip/echappe-js.php b/plugins-dist/textwheel/wheels/spip/echappe-js.php
+new file mode 100644
+index 0000000..66b0717
+--- /dev/null
++++ b/plugins-dist/textwheel/wheels/spip/echappe-js.php
+@@ -0,0 +1,39 @@
++<?php
++
++/**
++ * Fonctions utiles pour la wheel echappe-js
++ *
++ * @SPIP\Textwheel\Wheel\SPIP\Fonctions
++**/
++
++if (!defined('_ECRIRE_INC_VERSION')) return;
++
++function echappe_anti_xss($match){
++ static $safehtml;
++
++ if (!is_array($match) OR !strlen($match[0])) {
++ return "";
++ }
++ $texte = &$match[0];
++
++ // on echappe les urls data: javascript: et tout ce qui ressemble
++ if (strpos($texte,":")!==false
++ AND preg_match(",(data|script)\s*:,iS",$texte)){
++ $texte = nl2br(htmlspecialchars($texte));
++ }
++ // on echappe si on a possiblement un attribut onxxx et que ca passe pas dans safehtml
++ elseif(stripos($texte,"on")!==false
++ AND preg_match(",\bon\w+\s*=,i",$texte)){
++ if (!isset($safehtml))
++ $safehtml = charger_fonction('safehtml', 'inc', true);
++ if (!$safehtml OR strlen($safehtml($texte))!==strlen($texte)){
++ $texte = nl2br(htmlspecialchars($texte));
++ }
++ }
++
++ if (strpos($texte,"<")===false){
++ $texte = "<code class=\"echappe-js\">$texte</code>";
++ }
++
++ return $texte;
++}
+diff --git a/plugins-dist/textwheel/wheels/spip/echappe-js.yaml b/plugins-dist/textwheel/wheels/spip/echappe-js.yaml
+index 9684738..84c65f2 100644
+--- a/plugins-dist/textwheel/wheels/spip/echappe-js.yaml
++++ b/plugins-dist/textwheel/wheels/spip/echappe-js.yaml
+@@ -18,3 +18,51 @@
+ -
+ type: all
+ replace: "<code class=\"echappe-js\">$0</code>"
++
++-
++ if_str: "<iframe"
++ match: "{<iframe.*?($|</iframe.)}isS"
++ is_callback: Y
++ replace: echappe_anti_xss
++
++-
++ if_str: "<embed"
++ match: "{<embed.*?($|</embed.)}isS"
++ is_callback: Y
++ replace: echappe_anti_xss
++
++-
++ if_str: "<object"
++ match: "{<object.*?($|</object.)}isS"
++ is_callback: Y
++ replace: echappe_anti_xss
++
++-
++ if_str: "<img"
++ match: "{<img.*?($|>)}isS"
++ is_callback: Y
++ replace: echappe_anti_xss
++
++-
++ if_str: "<image"
++ match: "{<image.*?($|>)}isS"
++ is_callback: Y
++ replace: echappe_anti_xss
++
++-
++ if_str: "<body"
++ match: "{<body.*?($|>)}isS"
++ is_callback: Y
++ replace: echappe_anti_xss
++
++-
++ if_str: "<bgsound"
++ match: "{<bgsound.*?($|>)}isS"
++ is_callback: Y
++ replace: echappe_anti_xss
++
++-
++ if_str: "<meta"
++ match: "{<meta.*?($|>)}isS"
++ is_callback: Y
++ replace: echappe_anti_xss
+diff --git a/plugins-dist/textwheel/wheels/spip/interdire-scripts.yaml b/plugins-dist/textwheel/wheels/spip/interdire-scripts.yaml
+index 790f34d..d809847d 100644
+--- a/plugins-dist/textwheel/wheels/spip/interdire-scripts.yaml
++++ b/plugins-dist/textwheel/wheels/spip/interdire-scripts.yaml
+@@ -19,7 +19,8 @@ securite-script-php:
+ replace: "<$1"
+
+ securite-js:
+- if_str: "<script"
++ if_str: "<"
++ if_match: "/<(?:script|iframe|embed|object|img|image|body|bgsound|meta)/iS"
+ type: all
+ replace: "echappe_js"
+ is_callback: Y
diff -Nru spip-3.0.17/debian/patches/series spip-3.0.17/debian/patches/series
--- spip-3.0.17/debian/patches/series 2014-08-26 12:06:06.000000000 -0400
+++ spip-3.0.17/debian/patches/series 2015-11-01 15:31:01.000000000 -0400
@@ -2,3 +2,5 @@
0002-Use-php-html-safe.patch
0003-No-next-upstream-version-display-in-private-area.patch
0004-Fix-displayed-version-in-the-private-interface.patch
+0005-Fix-XSS-in-private-content.patch
+0006-Fix-XSS-from-iframe-in-private-content.patch
Attachment:
signature.asc
Description: OpenPGP digital signature