Hi, mediawiki 1:1.15.{4,5} included some security fixes that did not warrant a DSA, but we were all too busy to backport them to the package in stable. I have now prepared 1:1.12.0-2lenny6 for stable and I'd like permission to upload it. Changes: mediawiki (1:1.12.0-2lenny6) stable; urgency=high . * Stable upload. Closes: #591382 * Fixed CSRF vulnerability in "e-mail me my password", "create account" and "create by e-mail" features of [[Special:Userlogin]]. CVE-2010-1648 * Fixed XSS vulnerability affecting IE clients only, due to a CSS validation issue. CVE-2010-1647 (Closes: #585918) * Fixed an XSS vulnerability in profileinfo.php for installations with $wgEnableProfileInfo = true (false by default) (Closes: #590669) There is some diffstat noise in po/* as a result of generating them at build-time. They are no-ops: debdiff mediawiki_1.12.0-2lenny5.dsc mediawiki_1.12.0-2lenny6.dsc | diffstat debian/patches/1.15.4-css-security.patch | 84 ++++++++++ debian/patches/1.15.4-userlogin-security.patch | 193 +++++++++++++++++++++++ debian/patches/1.15.5-profileinfo-security.patch | 76 +++++++++ mediawiki-1.12.0/debian/changelog | 13 + mediawiki-1.12.0/debian/patches/series | 3 mediawiki-1.12.0/debian/po/ar.po | 1 mediawiki-1.12.0/debian/po/ca.po | 1 mediawiki-1.12.0/debian/po/cs.po | 1 mediawiki-1.12.0/debian/po/de.po | 1 mediawiki-1.12.0/debian/po/es.po | 4 mediawiki-1.12.0/debian/po/eu.po | 1 mediawiki-1.12.0/debian/po/fi.po | 10 - mediawiki-1.12.0/debian/po/fr.po | 1 mediawiki-1.12.0/debian/po/gl.po | 1 mediawiki-1.12.0/debian/po/it.po | 1 mediawiki-1.12.0/debian/po/ja.po | 1 mediawiki-1.12.0/debian/po/ml.po | 1 mediawiki-1.12.0/debian/po/nl.po | 1 mediawiki-1.12.0/debian/po/pt.po | 1 mediawiki-1.12.0/debian/po/pt_BR.po | 1 mediawiki-1.12.0/debian/po/ru.po | 1 mediawiki-1.12.0/debian/po/sk.po | 1 mediawiki-1.12.0/debian/po/sv.po | 1 mediawiki-1.12.0/debian/po/ta.po | 1 mediawiki-1.12.0/debian/po/vi.po | 3 25 files changed, 397 insertions(+), 6 deletions(-) The full diff 
is attached. Thanks, -- Jonathan Wiltshire jmw@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
diff -u mediawiki-1.12.0/debian/changelog mediawiki-1.12.0/debian/changelog
--- mediawiki-1.12.0/debian/changelog
+++ mediawiki-1.12.0/debian/changelog
@@ -1,3 +1,16 @@
+mediawiki (1:1.12.0-2lenny6) stable; urgency=high
+
+ * Stable upload. Closes: #591382
+ * Fixed CSRF vulnerability in "e-mail me my password",
+ "create account" and "create by e-mail" features of
+ [[Special:Userlogin]]. CVE-2010-1648
+ * Fixed XSS vulnerability affecting IE clients only, due to a CSS
+ validation issue. CVE-2010-1647 (Closes: #585918)
+ * Fixed an XSS vulnerability in profileinfo.php for installations
+ with $wgEnableProfileInfo = true (false by default) (Closes: #590669)
+
+ -- Jonathan Wiltshire <jmw@debian.org> Fri, 17 Dec 2010 23:32:46 +0000
+
 mediawiki (1:1.12.0-2lenny5) stable-security; urgency=high
 * Security upload. Fixes the following issue (CVE-2010-1150):
diff -u mediawiki-1.12.0/debian/po/ar.po mediawiki-1.12.0/debian/po/ar.po
--- mediawiki-1.12.0/debian/po/ar.po
+++ mediawiki-1.12.0/debian/po/ar.po
@@ -24,6 +24,7 @@
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+"Language: ar\n"
 "X-Generator: KBabel 1.11.4\n"
 "Plural-Forms: nplurals=6; plural=n==1 ? 0 : n==0 ? 1 : n==2 ? 2: n%100>=3 && "
 "n%100<=10 ? 3 : n%100>=11 && n%100<=99 ? 4 : 5\n"
diff -u mediawiki-1.12.0/debian/po/ca.po mediawiki-1.12.0/debian/po/ca.po
--- mediawiki-1.12.0/debian/po/ca.po
+++ mediawiki-1.12.0/debian/po/ca.po
@@ -17,6 +17,7 @@
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+"Language: ca\n"
 "X-Generator: KBabel 1.11.4\n"
 #. Type: multiselect
diff -u mediawiki-1.12.0/debian/po/de.po mediawiki-1.12.0/debian/po/de.po
--- mediawiki-1.12.0/debian/po/de.po
+++ mediawiki-1.12.0/debian/po/de.po
@@ -14,6 +14,7 @@
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=ISO-8859-15\n"
 "Content-Transfer-Encoding: 8bit\n"
+"Language: de\n"
 #. Type: multiselect
 #. Description
diff -u mediawiki-1.12.0/debian/po/cs.po mediawiki-1.12.0/debian/po/cs.po
--- mediawiki-1.12.0/debian/po/cs.po
+++ mediawiki-1.12.0/debian/po/cs.po
@@ -22,6 +22,7 @@
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+"Language: cs\n"
 "X-Generator: KBabel 1.11.4\n"
 #. Type: multiselect
diff -u mediawiki-1.12.0/debian/po/es.po mediawiki-1.12.0/debian/po/es.po
--- mediawiki-1.12.0/debian/po/es.po
+++ mediawiki-1.12.0/debian/po/es.po
@@ -43,6 +43,7 @@
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+"Language: \n"
 "com>\n"
 #. Type: multiselect
@@ -169,2 +170 @@
-#~ "por si acaso esto fallara, que también está disponible en «/etc/"
-#~ "mediawiki»."
+#~ "por si acaso esto fallara, que también está disponible en «/etc/mediawiki»."
diff -u mediawiki-1.12.0/debian/po/fi.po mediawiki-1.12.0/debian/po/fi.po
--- mediawiki-1.12.0/debian/po/fi.po
+++ mediawiki-1.12.0/debian/po/fi.po
@@ -9,6 +9,7 @@
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+"Language: fi\n"
 "X-Poedit-Language: Finnish\n"
 "X-Poedit-Country: Finland\n"
@@ -24,3 +25,6 @@
-msgid "Please select the web server(s) that should be configured automatically for MediaWiki."
-msgstr "Valitse verkkopalvelimet, joille tulisi automaattisesti tehdä asetukset MediaWikiä varten."
-
+msgid ""
+"Please select the web server(s) that should be configured automatically for "
+"MediaWiki."
+msgstr ""
+"Valitse verkkopalvelimet, joille tulisi automaattisesti tehdä asetukset "
+"MediaWikiä varten."
diff -u mediawiki-1.12.0/debian/po/eu.po mediawiki-1.12.0/debian/po/eu.po
--- mediawiki-1.12.0/debian/po/eu.po
+++ mediawiki-1.12.0/debian/po/eu.po
@@ -14,6 +14,7 @@
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+"Language: \n"
 "X-Generator: KBabel 1.11.4\n"
 #. Type: multiselect
diff -u mediawiki-1.12.0/debian/po/fr.po mediawiki-1.12.0/debian/po/fr.po
--- mediawiki-1.12.0/debian/po/fr.po
+++ mediawiki-1.12.0/debian/po/fr.po
@@ -13,6 +13,7 @@
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+"Language: \n"
 "X-Generator: KBabel 1.11.4\n"
 #. Type: multiselect
diff -u mediawiki-1.12.0/debian/po/gl.po mediawiki-1.12.0/debian/po/gl.po
--- mediawiki-1.12.0/debian/po/gl.po
+++ mediawiki-1.12.0/debian/po/gl.po
@@ -13,6 +13,7 @@
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+"Language: gl\n"
 #. Type: multiselect
 #. Description
diff -u mediawiki-1.12.0/debian/po/ja.po mediawiki-1.12.0/debian/po/ja.po
--- mediawiki-1.12.0/debian/po/ja.po
+++ mediawiki-1.12.0/debian/po/ja.po
@@ -13,6 +13,7 @@
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+"Language: ja\n"
 #. Type: multiselect
 #. Description
diff -u mediawiki-1.12.0/debian/po/it.po mediawiki-1.12.0/debian/po/it.po
--- mediawiki-1.12.0/debian/po/it.po
+++ mediawiki-1.12.0/debian/po/it.po
@@ -14,6 +14,7 @@
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+"Language: it\n"
 #. Type: multiselect
 #. Description
diff -u mediawiki-1.12.0/debian/po/ml.po mediawiki-1.12.0/debian/po/ml.po
--- mediawiki-1.12.0/debian/po/ml.po
+++ mediawiki-1.12.0/debian/po/ml.po
@@ -14,6 +14,7 @@
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+"Language: \n"
 "X-Generator: KBabel 1.11.4\n"
 #. Type: multiselect
diff -u mediawiki-1.12.0/debian/po/nl.po mediawiki-1.12.0/debian/po/nl.po
--- mediawiki-1.12.0/debian/po/nl.po
+++ mediawiki-1.12.0/debian/po/nl.po
@@ -14,6 +14,7 @@
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=utf-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+"Language: \n"
 "X-Poedit-Language: Dutch\n"
 #. Type: multiselect
diff -u mediawiki-1.12.0/debian/po/pt.po mediawiki-1.12.0/debian/po/pt.po
--- mediawiki-1.12.0/debian/po/pt.po
+++ mediawiki-1.12.0/debian/po/pt.po
@@ -13,6 +13,7 @@
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+"Language: \n"
 #. Type: multiselect
 #. Description
diff -u mediawiki-1.12.0/debian/po/ru.po mediawiki-1.12.0/debian/po/ru.po
--- mediawiki-1.12.0/debian/po/ru.po
+++ mediawiki-1.12.0/debian/po/ru.po
@@ -14,6 +14,7 @@
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+"Language: ru\n"
 "X-Generator: KBabel 1.11.4\n"
 "Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%"
 "10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n"
diff -u mediawiki-1.12.0/debian/po/sk.po mediawiki-1.12.0/debian/po/sk.po
--- mediawiki-1.12.0/debian/po/sk.po
+++ mediawiki-1.12.0/debian/po/sk.po
@@ -9,6 +9,7 @@
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=utf-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+"Language: sk\n"
 "X-Poedit-Language: Slovak\n"
 "X-Poedit-Country: SLOVAKIA\n"
diff -u mediawiki-1.12.0/debian/po/ta.po mediawiki-1.12.0/debian/po/ta.po
--- mediawiki-1.12.0/debian/po/ta.po
+++ mediawiki-1.12.0/debian/po/ta.po
@@ -14,6 +14,7 @@
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+"Language: \n"
 "X-Generator: KBabel 1.11.4\n"
 #. Type: multiselect
diff -u mediawiki-1.12.0/debian/po/sv.po mediawiki-1.12.0/debian/po/sv.po
--- mediawiki-1.12.0/debian/po/sv.po
+++ mediawiki-1.12.0/debian/po/sv.po
@@ -21,6 +21,7 @@
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=iso-8859-1\n"
 "Content-Transfer-Encoding: 8bit\n"
+"Language: sv\n"
 #. Type: multiselect
 #. Description
diff -u mediawiki-1.12.0/debian/po/vi.po mediawiki-1.12.0/debian/po/vi.po
--- mediawiki-1.12.0/debian/po/vi.po
+++ mediawiki-1.12.0/debian/po/vi.po
@@ -1,7 +1,7 @@
 # Vietnamese translation for MediaWiki.
 # Copyright © 2007 Free Software Foundation, Inc.
 # Clytie Siddall <clytie@riverland.net.au>, 2007
-#
+#
 msgid ""
 msgstr ""
 "Project-Id-Version: mediawiki\n"
@@ -13,6 +13,7 @@
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+"Language: vi\n"
 "Plural-Forms: nplurals=1; plural=0;\n"
 "X-Generator: LocFactoryEditor 1.6.3b1\n"
diff -u mediawiki-1.12.0/debian/po/pt_BR.po mediawiki-1.12.0/debian/po/pt_BR.po
--- mediawiki-1.12.0/debian/po/pt_BR.po
+++ mediawiki-1.12.0/debian/po/pt_BR.po
@@ -14,6 +14,7 @@
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+"Language: \n"
 "pt_BR utf-8\n"
 #. Type: multiselect
diff -u mediawiki-1.12.0/debian/patches/series mediawiki-1.12.0/debian/patches/series
--- mediawiki-1.12.0/debian/patches/series
+++ mediawiki-1.12.0/debian/patches/series
@@ -10,0 +11,3 @@
+1.15.4-userlogin-security.patch
+1.15.4-css-security.patch
+1.15.5-profileinfo-security.patch
only in patch2: unchanged:
--- mediawiki-1.12.0.orig/debian/patches/1.15.4-userlogin-security.patch
+++ mediawiki-1.12.0/debian/patches/1.15.4-userlogin-security.patch
@@ -0,0 +1,193 @@
+Description: Fixed CSRF vulnerability in "e-mail me my password",
+ "create account" and "create by e-mail" features of [[Special:Userlogin]]
+Origin: http://www.mediawiki.org/wiki/Special:Code/MediaWiki/66991
+Author: Tim Starling
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=23371
+Last-Update: 2010-12-17
+
+
+--- mediawiki-1.12.0.orig/includes/SpecialUserlogin.php
++++ mediawiki-1.12.0/includes/SpecialUserlogin.php
+@@ -66,7 +66,7 @@
+ $this->mAction = $request->getVal( 'action' );
+ $this->mRemember = $request->getCheck( 'wpRemember' );
+ $this->mLanguage = $request->getText( 'uselang' );
+- $this->mToken = $request->getVal( 'wpLoginToken' );
++ $this->mToken = ($this->mType == 'signup' ) ? $request->getVal( 'wpCreateaccountToken' ) : $request->getVal( 'wpLoginToken' );
+
+ if( $wgEnableEmail ) {
+ $this->mEmail = $request->getText( 'wpEmail' );
+@@ -234,6 +234,25 @@
+ return false;
+ }
+
++ # Request forgery checks.
++ if ( !self::getCreateaccountToken() ) {
++ self::setCreateaccountToken();
++ $this->mainLoginForm( wfMsg( 'sessionfailure' ) );
++ return false;
++ }
++
++ # The user didn't pass a createaccount token
++ if ( !$this->mToken ) {
++ $this->mainLoginForm( wfMsg( 'sessionfailure' ) );
++ return false;
++ }
++
++ # Validate the createaccount token
++ if ( $this->mToken !== self::getCreateaccountToken() ) {
++ $this->mainLoginForm( wfMsg( 'sessionfailure' ) );
++ return false;
++ }
++
+ # Check permissions
+ if ( !$wgUser->isAllowed( 'createaccount' ) ) {
+ $this->userNotPrivilegedMessage();
+@@ -248,7 +267,7 @@
+ $wgUser->inSorbsBlacklist( $ip ) )
+ {
+ $this->mainLoginForm( wfMsg( 'sorbs_create_account_reason' ) . ' (' . htmlspecialchars( $ip ) . ')' );
+- return;
++ return false;
+ }
+
+ # Now create a dummy user ($u) and check if it is valid
+@@ -322,6 +341,7 @@
+ return false;
+ }
+
++ self::clearCreateaccountToken();
+ return $this->initUser( $u, false );
+ }
+
+@@ -540,13 +560,26 @@
+ return;
+ }
+
+- # Check against blocked IPs
+- # fixme -- should we not?
++ # Check against blocked IPs so blocked users can't flood admins
++ # with password resets
+ if( $wgUser->isBlocked() ) {
+ $this->mainLoginForm( wfMsg( 'blocked-mailpassword' ) );
+ return;
+ }
+
++ # If the user doesn't have a login token yet, set one.
++ if ( !self::getLoginToken() ) {
++ self::setLoginToken();
++ $this->mainLoginForm( wfMsg( 'sessionfailure' ) );
++ return;
++ }
++
++ # If the user didn't pass a login token, tell them we need one
++ if ( !$this->mToken ) {
++ $this->mainLoginForm( wfMsg( 'sessionfailure' ) );
++ return;
++ }
++
+ # Check against the rate limiter
+ if( $wgUser->pingLimiter( 'mailpassword' ) ) {
+ $wgOut->rateLimited();
+@@ -567,6 +600,12 @@
+ return;
+ }
+
++ # Validate the login token
++ if ( $this->mToken !== self::getLoginToken() ) {
++ $this->mainLoginForm( wfMsg( 'sessionfailure' ) );
++ return;
++ }
++
+ # Check against password throttle
+ if ( $u->isPasswordReminderThrottled() ) {
+ global $wgPasswordReminderResendTime;
+@@ -581,6 +620,7 @@
+ $this->mainLoginForm( wfMsg( 'mailerror', $result->getMessage() ) );
+ } else {
+ $this->mainLoginForm( wfMsg( 'passwordsent', $u->getName() ), 'success' );
++ self::clearLoginToken();
+ }
+ }
+
+@@ -757,11 +797,18 @@
+ $template->set( 'canreset', $wgAuth->allowPasswordChange() );
+ $template->set( 'remember', $wgUser->getOption( 'rememberpassword' ) or $this->mRemember );
+
+- if ( !self::getLoginToken() ) {
+- self::setLoginToken();
++ if ( $this->mType == 'signup' ) {
++ if ( !self::getCreateaccountToken() ) {
++ self::setCreateaccountToken();
++ }
++ $template->set( 'token', self::getCreateaccountToken() );
++ } else {
++ if ( !self::getLoginToken() ) {
++ self::setLoginToken();
++ }
++ $template->set( 'token', self::getLoginToken() );
+ }
+- $template->set( 'token', self::getLoginToken() );
+-
++
+ # Prepare language selection links as needed
+ if( $wgLoginLanguageSelector ) {
+ $template->set( 'languages', $this->makeLanguageSelector() );
+@@ -820,7 +867,7 @@
+ }
+
+ /**
+- * Generate a new login token and attach it to the current session
++ * Randomly generate a new login token and attach it to the current session
+ */
+ public static function setLoginToken() {
+ global $wgRequest;
+@@ -832,12 +879,36 @@
+ /**
+ * Remove any login token attached to the current session
+ */
+- public static function clearLoginToken() {
++ public static function clearLoginToken() {
+ global $wgRequest;
+ $wgRequest->setSessionData( 'wsLoginToken', null );
+ }
+
+ /**
++ * Get the createaccount token from the current session
++ */
++ public static function getCreateaccountToken() {
++ global $wgRequest;
++ return $wgRequest->getSessionData( 'wsCreateaccountToken' );
++ }
++
++ /**
++ * Randomly generate a new createaccount token and attach it to the current session
++ */
++ public static function setCreateaccountToken() {
++ global $wgRequest;
++ $wgRequest->setSessionData( 'wsCreateaccountToken', User::generateToken() );
++ }
++
++ /**
++ * Remove any createaccount token attached to the current session
++ */
++ public static function clearCreateaccountToken() {
++ global $wgRequest;
++ $wgRequest->setSessionData( 'wsCreateaccountToken', null );
++ }
++
++ /**
+ * @private
+ */
+ function cookieRedirectCheck( $type ) {
+--- mediawiki-1.12.0.orig/includes/templates/Userlogin.php
++++ mediawiki-1.12.0/includes/templates/Userlogin.php
+@@ -214,6 +214,7 @@
+ </tr>
+ </table>
+ <?php if( @$this->haveData( 'uselang' ) ) { ?><input type="hidden" name="uselang" value="<?php $this->text( 'uselang' ); ?>" /><?php } ?>
++<?php if( @$this->haveData( 'token' ) ) { ?><input type="hidden" name="wpCreateaccountToken" value="<?php $this->text( 'token' ); ?>" /><?php } ?>
+ </form>
+ </div>
+ <div id="signupend"><?php $this->msgWiki( 'signupend' ); ?></div>
+
only in patch2: unchanged:
--- mediawiki-1.12.0.orig/debian/patches/1.15.4-css-security.patch
+++ mediawiki-1.12.0/debian/patches/1.15.4-css-security.patch
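Review bot: In the mail-password path the `# Validate the login token` comparison against `self::getLoginToken()` sits after `$wgUser->pingLimiter( 'mailpassword' )` and after the user lookup, so a request carrying a missing-session or wrong token is only rejected with `sessionfailure` once it has already consumed the victim's `mailpassword` rate-limit counter. The comparison depends only on `$this->mToken` and the session value, so the four-line `if ( $this->mToken !== self::getLoginToken() ) { ... return; }` block could move up directly under the `if ( !$this->mToken )` check, ahead of the rate limiter, so that forged requests touch no per-user state. The signup path already does this: all three createaccount token checks precede the `createaccount` permission check. Both functions begin and end outside the visible hunks, so I cannot see whether anything between the rate limiter and the lookup would object to the move.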
@@ -0,0 +1,84 @@
+Description: Fixed XSS vulnerability affecting IE clients only, due to a CSS
+ validation issue.
+Origin: http://www.mediawiki.org/wiki/Special:Code/MediaWiki/66992
+Author: Tim Starling
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=23687
+Last-Update: 2010-12-17
+
+--- mediawiki-1.12.0.orig/includes/Sanitizer.php
++++ mediawiki-1.12.0/includes/Sanitizer.php
+@@ -609,10 +609,6 @@
+ # http://msdn.microsoft.com/workshop/author/dhtml/overview/recalc.asp
+ if( $attribute == 'style' ) {
+ $value = Sanitizer::checkCss( $value );
+- if( $value === false ) {
+- # haxx0r
+- continue;
+- }
+ }
+
+ if ( $attribute === 'id' )
+@@ -668,10 +664,8 @@
+ $value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value );
+
+ // Decode escape sequences and line continuation
+- // See the grammar in the CSS 2 spec, appendix D, Mozilla implements it accurately.
+- // IE 8 doesn't implement it at all, but there's no way to introduce url() into
+- // IE that doesn't hit Mozilla also.
+- static $decodeRegex;
++ // See the grammar in the CSS 2 spec, appendix D.
++ static $decodeRegex, $reencodeTable;
+ if ( !$decodeRegex ) {
+ $space = '[\\x20\\t\\r\\n\\f]';
+ $nl = '(?:\\n|\\r\\n|\\r|\\f)';
+@@ -680,29 +674,39 @@
+ (?:
+ ($nl) | # 1. Line continuation
+ ([0-9A-Fa-f]{1,6})$space? | # 2. character number
+- (.) # 3. backslash cancelling special meaning
++ (.) | # 3. backslash cancelling special meaning
++ () | # 4. backslash at end of string
+ )/xu";
+ }
+- $decoded = preg_replace_callback( $decodeRegex,
++ $value = preg_replace_callback( $decodeRegex,
+ array( __CLASS__, 'cssDecodeCallback' ), $value );
+- if ( preg_match( '!expression|https?://|url\s*\(!i', $decoded ) ) {
+- // Not allowed
+- return false;
+- } else {
+- // Allowed, return CSS with comments stripped
+- return $value;
++ // Reject problematic keywords and control characters
++ if ( preg_match( '/[\000-\010\016-\037\177]/', $value ) ) {
++ return '/* invalid control char */';
++ } elseif ( preg_match( '! expression | filter\s*: | accelerator\s*: | url\s*\( !ix', $value ) ) {
++ return '/* insecure input */';
+ }
++ return $value;
+ }
+
+ static function cssDecodeCallback( $matches ) {
+ if ( $matches[1] !== '' ) {
++ // Line continuation
+ return '';
+ } elseif ( $matches[2] !== '' ) {
+- return codepointToUtf8( hexdec( $matches[2] ) );
++ $char = codepointToUtf8( hexdec( $matches[2] ) );
+ } elseif ( $matches[3] !== '' ) {
+- return $matches[3];
++ $char = $matches[3];
++ } else {
++ $char = '\\';
++ }
++ if ( $char == "\n" || $char == '"' || $char == "'" || $char == '\\' ) {
++ // These characters need to be escaped in strings
++ // Clean up the escape sequence to avoid parsing errors by clients
++ return '\\' . dechex( ord( $char ) ) . ' ';
+ } else {
+- throw new MWException( __METHOD__.': invalid match' );
++ // Decode unnecessary escape
++ return $char;
+ }
+ }
+
only in patch2: unchanged:
--- mediawiki-1.12.0.orig/debian/patches/1.15.5-profileinfo-security.patch
+++ mediawiki-1.12.0/debian/patches/1.15.5-profileinfo-security.patch
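Review bot: `Sanitizer::checkCss` changes its return contract in the 680 hunk — it used to return `false` for rejected input and now always returns a string, substituting `/* invalid control char */` or `/* insecure input */` on rejection — but the only `=== false` caller that gets updated is the one in the 609 hunk. Any other caller in the 1.12 tree that still tests for `false` would now pass the placeholder comment through as valid CSS; that is harmless output-wise, but it leaves dead checks behind and should be grepped for when applying the backport. The function's docblock is above the hunk and presumably still documents the `false` return; I would update it to state that the function returns the decoded, comment-stripped CSS, or a `/* ... */` placeholder comment when the value is rejected. `$reencodeTable` is added to the `static` declaration but is not referenced anywhere in the visible hunks.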
@@ -0,0 +1,76 @@
+Descripto: Fixed an XSS vulnerability in profileinfo.php for installations
+ with $wgEnableProfileInfo = true (false by default)
+Origin: http://www.mediawiki.org/wiki/Special:Code/MediaWiki/66989
+Author: Tim Starling
+Last-Update: 2010-12-17
+
+--- mediawiki-1.12.0.orig/profileinfo.php
++++ mediawiki-1.12.0/profileinfo.php
+@@ -52,7 +52,8 @@
+ require_once( './includes/GlobalFunctions.php' );
+
+ if (!$wgEnableProfileInfo) {
+- echo "disabled\n";
++ echo "<p>Disabled</p>\n";
++ echo "</body></html>";
+ exit( 1 );
+ }
+
+@@ -95,7 +96,7 @@
+ else $ex = false;
+ if (!$ex) {
+ if (count($this->children)) {
+- $url = makeurl(false, false, $expand + array($this->name() => true));
++ $url = getEscapedProfileUrl(false, false, $expand + array($this->name() => true));
+ $extet = " <a href=\"$url\">[+]</a>";
+ } else $extet = '';
+ } else {
+@@ -104,7 +105,7 @@
+ if ($name != $this->name())
+ $e += array($name => $ep);
+
+- $extet = " <a href=\"" . makeurl(false, false, $e) . "\">[–]</a>";
++ $extet = " <a href=\"" . getEscapedProfileUrl(false, false, $e) . "\">[–]</a>";
+ }
+ ?>
+ <tr>
+@@ -181,26 +182,30 @@
+
+ <table cellspacing="0">
+ <tr id="top">
+-<th><a href="<?php echo makeurl(false, "time") ?>">Time</a></th>
++<th><a href="<?php echo getEscapedProfileUrl(false, "time") ?>">Time</a></th>
+ <th>Time (%)</th>
+-<th><a href="<?php echo makeurl(false, "count") ?>">Count</a></th>
++<th><a href="<?php echo getEscapedProfileUrl(false, "count") ?>">Count</a></th>
+ <th>Avg calls per request</th>
+-<th><a href="<?php echo makeurl(false, "name") ?>">Name</a></th>
++<th><a href="<?php echo getEscapedProfileUrl(false, "name") ?>">Name</a></th>
+ </tr>
+ <?php
+ $totaltime = 0.0;
+ $totalcount = 0;
+
+-function makeurl($_filter = false, $_sort = false, $_expand = false) {
++function getEscapedProfileUrl( $_filter = false, $_sort = false, $_expand = false ) {
+ global $filter, $sort, $expand;
+
+- if ($_expand === false)
++ if ( $_expand === false )
+ $_expand = $expand;
+
+- $nfilter = $_filter ? $_filter : $filter;
+- $nsort = $_sort ? $_sort : $sort;
+- $exp = urlencode(implode(',', array_keys($_expand)));
+- return "?filter=$nfilter&sort=$nsort&expand=$exp";
++ return htmlspecialchars(
++ '?' .
++ wfArrayToCGI( array(
++ 'filter' => $_filter ? $_filter : $filter,
++ 'sort' => $_sort ? $_sort : $sort,
++ 'expand' => implode( ',', array_keys( $_expand ) )
++ ) )
++ );
+ }
+
+ $points = array();
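Review bot: The DEP-3 header of the new patch file reads `+Descripto:` where the other two patches in this upload use `Description:`; tools that parse DEP-3 headers will not recognise the misspelt field, so the line should become `+Description: Fixed an XSS vulnerability in profileinfo.php for installations`. The file also omits the `Bug:` field the other two carry; if an upstream bug exists for r66989 it is worth adding for traceability. On the code side, `getEscapedProfileUrl()` now URL-encodes each value via `wfArrayToCGI` and then HTML-escapes the whole query string, which covers every `href` use in these hunks; the `$filter` and `$sort` globals it reads look request-derived and are still raw wherever else profileinfo.php uses them, which is outside the visible hunks.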