
Re: [SRM] Permission to upload mediawiki to stable



On Sat, 2010-12-18 at 00:28 +0000, Jonathan Wiltshire wrote: 
> * Fixed CSRF vulnerability in "e-mail me my password",
>      "create account" and "create by e-mail" features of
>      [[Special:Userlogin]]. CVE-2010-1648
>    * Fixed XSS vulnerability affecting IE clients only, due to a CSS
>      validation issue. CVE-2010-1647 (Closes: #585918)

The security tracker seems to be somewhat confused here, fwiw -
http://security-tracker.debian.org/tracker/CVE-2010-164{7,8} both claim
that the issue was fixed in -2lenny5.

>    * Fixed an XSS vulnerability in profileinfo.php for installations
>      with $wgEnableProfileInfo = true (false by default) (Closes: #590669)

+-              if ( preg_match( '!expression|https?://|url\s*\(!i', $decoded ) ) {
+-                      // Not allowed  
+-                      return false;
+-              } else {
+-                      // Allowed, return CSS with comments stripped
+-                      return $value;
++              // Reject problematic keywords and control characters
++              if ( preg_match( '/[\000-\010\016-\037\177]/', $value ) ) {
++                      return '/* invalid control char */';
++              } elseif ( preg_match( '! expression | filter\s*: | accelerator\s*: | url\s*\( !ix', $value ) ) {
++                      return '/* insecure input */';
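
Review bot: the two added preg_match() calls on the ++ lines test $value, while the removed check tested $decoded. From these lines alone it is not visible whether $value has already been through escape and comment decoding at this point; if it has not, the keyword match should run on the decoded form so the filter sees the same text the old check did. Separately, the rejection path now returns a CSS comment string ('/* insecure input */') where the old code returned false, so any caller that compares the result against false needs checking.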

Hmmm, the removal of the hard-coded "https?://" looks a little strange
there; other than that, the patch looks okay; thanks.

Regards,

Adam

