
Re: Updates for dokuwiki



Adam D. Barratt, 2011-06-23 14:08 UTC+0100:
> Please prepare packages for both stable and oldstable and send the
> debdiffs to debian-release for approval.

Here they are. Given that I am using quilt as a patch system, these are
“squared” diffs: for convenience I also attach the base patch.

The packages and everything else are available at
<http://tanguy.ortolo.eu/deb/dokuwiki/>. Please tell me if I can proceed
with uploading.

Regards,

-- 
Tanguy
diff -Nru dokuwiki-0.0.20091225c/debian/changelog dokuwiki-0.0.20091225c/debian/changelog
--- dokuwiki-0.0.20091225c/debian/changelog	2011-03-16 21:03:49.000000000 +0100
+++ dokuwiki-0.0.20091225c/debian/changelog	2011-06-26 13:18:22.000000000 +0200
@@ -1,3 +1,11 @@
+dokuwiki (0.0.20091225c-10+squeeze2) stable; urgency=low
+
+  * debian/patches/rss_security.diff: Backport an upstream security fix for
+    an XSS vulnerability in the RSS embedding mechanism.
+  * debian/control: Updated Standards-Version (no change required).
+
+ -- Tanguy Ortolo <tanguy+debian@ortolo.eu>  Sun, 26 Jun 2011 13:18:16 +0200
+
 dokuwiki (0.0.20091225c-10+squeeze1) stable; urgency=low
 
   * debian/README.Debian: Correct a spelling error.
diff -Nru dokuwiki-0.0.20091225c/debian/control dokuwiki-0.0.20091225c/debian/control
--- dokuwiki-0.0.20091225c/debian/control	2011-03-16 21:02:43.000000000 +0100
+++ dokuwiki-0.0.20091225c/debian/control	2011-06-26 13:00:25.000000000 +0200
@@ -6,7 +6,7 @@
 Maintainer: Tanguy Ortolo <tanguy+debian@ortolo.eu>
 DM-Upload-Allowed: yes
 Build-Depends: debhelper (>= 7.0.50~), po-debconf
-Standards-Version: 3.9.1
+Standards-Version: 3.9.2
 Homepage: http://www.dokuwiki.org/
 Vcs-Git: git://git.debian.org/collab-maint/dokuwiki.git/
 Vcs-Browser: http://git.debian.org/?p=collab-maint/dokuwiki.git
diff -Nru dokuwiki-0.0.20091225c/debian/patches/rss_security.diff dokuwiki-0.0.20091225c/debian/patches/rss_security.diff
--- dokuwiki-0.0.20091225c/debian/patches/rss_security.diff	1970-01-01 01:00:00.000000000 +0100
+++ dokuwiki-0.0.20091225c/debian/patches/rss_security.diff	2011-06-26 12:54:50.000000000 +0200
@@ -0,0 +1,38 @@
+Author: Andreas Gohr <andi@splitbrain.org>
+Author: Tanguy Ortolo <tanguy+debian@ortolo.eu>
+Origin: upstream, https://github.com/splitbrain/dokuwiki/commit/8dd5c1d6612a6c7f217da041703183200405fa90
+Last-Update: 2011-06-26
+Description: Fix a cross-site scripting vulnerability in the RSS embedding mechanism
+    .
+    This fixes a problem where JavaScript could be introduced through
+    specially crafted RSS feeds.
+    .
+    This also fixes a problem where JavaScript links could be introduced by
+    specifying it as an RSS URL: the resulting error message displays a
+    link to the broken feed URL. This patch makes sure there's no working
+    link for unknown protocols.
+
+Index: dokuwiki/inc/parser/xhtml.php
+===================================================================
+--- dokuwiki.orig/inc/parser/xhtml.php	2011-06-26 12:34:33.102960953 +0200
++++ dokuwiki/inc/parser/xhtml.php	2011-06-26 12:47:55.915963024 +0200
+@@ -580,6 +580,19 @@
+ 
+         $name = $this->_getLinkTitle($name, $url, $isImage);
+ 
++        // url might be an attack vector, only allow registered protocols
++        if(is_null($this->schemes)) $this->schemes = getSchemes();
++        list($scheme) = explode('://',$url);
++        $scheme = strtolower($scheme);
++        if(!in_array($scheme,$this->schemes)) $url = '';
++
++        // is there still an URL?
++        if(!$url){
++            $this->doc .= $name;
++            return;
++        }
++
++        // set class
+         if ( !$isImage ) {
+             $class='urlextern';
+         } else {
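Review bot: The fallback `$this->doc .= $name;` emits a title that `_getLinkTitle($name, $url, $isImage)` computed from the original `$url` on the context line above, before the scheme check blanks `$url`, so a rejected URL can still reach the output as link text; that is only safe if `_getLinkTitle` HTML-escapes its result, which the hunk does not show, so either move the scheme check above that call or confirm the escaping. The membership test should also pass the strict flag, `if(!in_array($scheme,$this->schemes,true)) $url = '';`, so the comparison is a plain string match. The `$this->schemes` property and the `getSchemes()` helper are assumed to exist on the class and as a global function respectively; neither is visible here. The enclosing method starts and ends outside the hunk. The same lines appear in the oldstable copy of rss_security.diff and in the attached base patch against inc/parser/xhtml.php, and this note applies to both of those too.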
diff -Nru dokuwiki-0.0.20091225c/debian/patches/series dokuwiki-0.0.20091225c/debian/patches/series
--- dokuwiki-0.0.20091225c/debian/patches/series	2011-03-16 21:02:43.000000000 +0100
+++ dokuwiki-0.0.20091225c/debian/patches/series	2011-06-26 13:17:41.000000000 +0200
@@ -1,3 +1,4 @@
+rss_security.diff
 xmlrpc_security.diff
 use_packaged_simplepie.diff
 use_packaged_php-geshi_SA32559.diff
diff -Nru dokuwiki-0.0.20080505/debian/changelog dokuwiki-0.0.20080505/debian/changelog
--- dokuwiki-0.0.20080505/debian/changelog	2011-06-26 13:26:03.000000000 +0200
+++ dokuwiki-0.0.20080505/debian/changelog	2011-06-26 13:26:03.000000000 +0200
@@ -1,3 +1,10 @@
+dokuwiki (0.0.20080505-4+lenny3) oldstable; urgency=low
+
+  * debian/patches/rss_security.diff: Backport an upstream security fix for an
+    XSS vulnerability in the RSS embedding mechanism.
+
+ -- Tanguy Ortolo <tanguy+debian@ortolo.eu>  Sun, 26 Jun 2011 13:23:05 +0200
+
 dokuwiki (0.0.20080505-4+lenny2) oldstable; urgency=low
 
   * debian/patches/xmlrpc_security.diff: Backport an upstream security fix
diff -Nru dokuwiki-0.0.20080505/debian/patches/rss_security.diff dokuwiki-0.0.20080505/debian/patches/rss_security.diff
--- dokuwiki-0.0.20080505/debian/patches/rss_security.diff	1970-01-01 01:00:00.000000000 +0100
+++ dokuwiki-0.0.20080505/debian/patches/rss_security.diff	2011-06-26 13:26:03.000000000 +0200
@@ -0,0 +1,38 @@
+Author: Andreas Gohr <andi@splitbrain.org>
+Author: Tanguy Ortolo <tanguy+debian@ortolo.eu>
+Origin: upstream, https://github.com/splitbrain/dokuwiki/commit/8dd5c1d6612a6c7f217da041703183200405fa90
+Last-Update: 2011-06-26
+Description: Fix a cross-site scripting vulnerability in the RSS embedding mechanism
+    .
+    This fixes a problem where JavaScript could be introduced through
+    specially crafted RSS feeds.
+    .
+    This also fixes a problem where JavaScript links could be introduced by
+    specifying it as an RSS URL: the resulting error message displays a
+    link to the broken feed URL. This patch makes sure there's no working
+    link for unknown protocols.
+
+Index: dokuwiki-0.0.20080505/inc/parser/xhtml.php
+===================================================================
+--- dokuwiki-0.0.20080505.orig/inc/parser/xhtml.php	2008-05-05 19:10:08.000000000 +0200
++++ dokuwiki-0.0.20080505/inc/parser/xhtml.php	2011-06-26 13:21:21.743609982 +0200
+@@ -543,6 +543,19 @@
+ 
+         $name = $this->_getLinkTitle($name, $url, $isImage);
+ 
++        // url might be an attack vector, only allow registered protocols
++        if(is_null($this->schemes)) $this->schemes = getSchemes();
++        list($scheme) = explode('://',$url);
++        $scheme = strtolower($scheme);
++        if(!in_array($scheme,$this->schemes)) $url = '';
++
++        // is there still an URL?
++        if(!$url){
++            $this->doc .= $name;
++            return;
++        }
++
++        // set class
+         if ( !$isImage ) {
+             $class='urlextern';
+         } else {
diff -Nru dokuwiki-0.0.20080505/debian/patches/series dokuwiki-0.0.20080505/debian/patches/series
--- dokuwiki-0.0.20080505/debian/patches/series	2011-06-26 13:26:03.000000000 +0200
+++ dokuwiki-0.0.20080505/debian/patches/series	2011-06-26 13:26:03.000000000 +0200
@@ -5,3 +5,4 @@
 debianize.diff
 security.diff
 xmlrpc_security.diff
+rss_security.diff
diff --git a/inc/parser/xhtml.php b/inc/parser/xhtml.php
index 1041268..83359cd 100644
--- a/inc/parser/xhtml.php
+++ b/inc/parser/xhtml.php
@@ -646,6 +646,19 @@ class Doku_Renderer_xhtml extends Doku_Renderer {
 
         $name = $this->_getLinkTitle($name, $url, $isImage);
 
+        // url might be an attack vector, only allow registered protocols
+        if(is_null($this->schemes)) $this->schemes = getSchemes();
+        list($scheme) = explode('://',$url);
+        $scheme = strtolower($scheme);
+        if(!in_array($scheme,$this->schemes)) $url = '';
+
+        // is there still an URL?
+        if(!$url){
+            $this->doc .= $name;
+            return;
+        }
+
+        // set class
         if ( !$isImage ) {
             $class='urlextern';
         } else {
