
Bug#579608: Bug#578691: libmediawiki-perl: Security update of mediawiki will break login API



"Adam D. Barratt" <adam@adam-barratt.org.uk> writes:

>> clone     578691 -1
>> reassign  -1 release.debian.org
>
> When doing this, please also CC your mail to the debian-release list. 
> Otherwise, we just get a copy of the control@bugs reply mail and have to
> retrieve a copy of the original mail from elsewhere.

Will do next time.  I don't use "clone" very often so I was not sure
whether it was necessary or not.

>> I have changed the distribution to stable (instead of stable-security).
>> The diff between 1.13-1 and the proposed update is attached once more.
>> Should we go ahead with the upload?
>
>   * Add support for login token. (Closes: #578691)
>   * Use quilt to manage patches.
>
> Modifying the patch system in use is not appropriate for a stable update. 
> Please prepare a diff which patches the files directly.

Done.

Regards,
Ansgar
diff -u libmediawiki-perl-1.13/debian/changelog libmediawiki-perl-1.13/debian/changelog
--- libmediawiki-perl-1.13/debian/changelog
+++ libmediawiki-perl-1.13/debian/changelog
@@ -1,3 +1,11 @@
+libmediawiki-perl (1.13-1+lenny1) stable; urgency=low
+
+  * Add support for login token. (Closes: #578691)
+  * Remove David Paleino from Uploaders (as in 1.13-1.1).
+  * Add myself to Uploaders.
+
+ -- Ansgar Burchardt <ansgar@43-1.org>  Thu, 29 Apr 2010 22:39:06 +0900
+
 libmediawiki-perl (1.13-1) unstable; urgency=low
 
   * New upstream release
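Review bot: The "Add support for login token" entry does not say which file is changed or why the token is needed. Since the fix is applied directly to lib/MediaWiki.pm, name that file and the wpLoginToken form field in the entry so the release team can match the changelog to the diff.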
diff -u libmediawiki-perl-1.13/debian/control libmediawiki-perl-1.13/debian/control
--- libmediawiki-perl-1.13/debian/control
+++ libmediawiki-perl-1.13/debian/control
@@ -6,7 +6,7 @@
  libtest-pod-perl, libtest-pod-coverage-perl
 Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
 Uploaders: Michael Mende <debian@menole.net>,
- David Paleino <d.paleino@gmail.com>,
+ Ansgar Burchardt <ansgar@43-1.org>,
  Damyan Ivanov <dmn@debian.org>, 
  Gunnar Wolf <gwolf@debian.org>
 Standards-Version: 3.7.3
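Review bot: The Uploaders swap (David Paleino removed, Ansgar Burchardt added) is unrelated to the login token fix for #578691. For an upload to stable, consider leaving debian/control untouched so the diff carries only the fix.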
only in patch2:
unchanged:
--- libmediawiki-perl-1.13.orig/lib/MediaWiki.pm
+++ libmediawiki-perl-1.13/lib/MediaWiki.pm
@@ -207,10 +207,17 @@
 		return 1;
 	}
 
+	# get login token
+	my $token_res = $mw->{ua}->request(GET $mw->{index} . "?title=Special:Userlogin");
+	return $mw->error(ERR_LOGIN_FAILED) unless $token_res->is_success;
+
+	my $token;
+	$token = $1 if $token_res->content() =~ /input type=['"]hidden['"] name=['"]wpLoginToken['"] value=['"]([a-fA-F0-9]+)['"]/i;
+
 	my $res = $mw->{ua}->request(
 		POST $mw->{index} . "?title=Special:Userlogin&action=submitlogin",
 		Content_Type  => 'application/x-www-form-urlencoded',
-		Content       => [ ( 'wpName' => $user, 'wpPassword' => $pass, 'wpLoginattempt' => 'Log in' ) ]
+		Content       => [ ( 'wpName' => $user, 'wpPassword' => $pass, 'wpLoginattempt' => 'Log in' ), defined $token ? (wpLoginToken => $token) : () ]
 	);
 	if($res->code == 302 || $res->header("Set-Cookie"))
 	{
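Review bot: In the added token lookup, a failed regex match is silent: $token stays undefined, the POST goes out without wpLoginToken, and against a wiki that requires the token the caller cannot tell this apart from a wrong password. The pattern also requires the attributes in the exact order type, name, value, each separated by a single space, so a small change in the login form markup would take that path. Consider matching name=wpLoginToken and its value independently of attribute order, and returning a distinct error when the login page was fetched, no token was found, and the login then fails. It is also worth confirming that $mw->{ua} keeps cookies between the GET and the POST, since the token is only valid for the session that issued it.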
