
Bug#861294: marked as done (jessie-pu: package spip/3.0.17-2+deb8u3)



Your message dated Sat, 06 May 2017 14:44:18 +0100
with message-id <1494078258.26551.13.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates included in 8.8
has caused the Debian Bug report #861294,
regarding jessie-pu: package spip/3.0.17-2+deb8u3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
861294: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861294
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

I’ve been asked by the security team to fix the (pile of) security
issues currently affecting the spip package in Jessie. Please find
attached the full debdiff, here is the proposed changelog:

spip (3.0.17-2+deb8u3) jessie; urgency=medium

  * Document CVE in previous changelog entry
  * Update security screen to 1.3.0
  * Backport security fixes from 3.0.23
    - Multiple XSS issues
  * Backport security fixes from 3.0.24
    - Server side request forgery (SSRF) attacks via the var_url parameter
      [CVE-2016-7999]
    - Directory traversal vulnerability in ecrire/exec/valider_xml.php
      [CVE-2016-7982]
    - Execution of arbitrary PHP code by authenticated users [CVE-2016-7998]
    - Cross-site request forgery (CSRF) vulnerability in
      ecrire/exec/valider_xml.php [CVE-2016-7980]
    - Cross-site scripting (XSS) vulnerability in valider_xml.php
      [CVE-2016-7981]
  * Backport security fixes from 3.2-alpha-1
    - Reflected Cross Site Scripting Vulnerabilities in
      /ecrire/exec/puce_statut.php and /ecrire/exec/info_plugin.php
      [CVE-2016-9997] [CVE-2016-9998] (Closes: #848641)
    - Cross-site scripting (XSS) vulnerability in ecrire/exec/plonger.php
      [CVE-2016-9152] (Closes: #847156)
  * Backport security fix from 3.0.25
    - Execution of arbitrary PHP code

 -- David Prévot <taffit@debian.org>  Wed, 26 Apr 2017 18:02:00 -1000

I’ve just deployed the package on production server, and will follow up
if any issue rises before Saturday, in the hope I’m not too late for the
8.8 update.

Thanks in advance for considering it, and also sorry for all those
French comments…

Regards

David
diff -Nru spip-3.0.17/debian/changelog spip-3.0.17/debian/changelog
--- spip-3.0.17/debian/changelog	2016-03-11 10:32:29.000000000 -1000
+++ spip-3.0.17/debian/changelog	2017-04-26 18:02:00.000000000 -1000
@@ -1,8 +1,35 @@
+spip (3.0.17-2+deb8u3) jessie; urgency=medium
+
+  * Document CVE in previous changelog entry
+  * Update security screen to 1.3.0
+  * Backport security fixes from 3.0.23
+    - Multiple XSS issues
+  * Backport security fixes from 3.0.24
+    - Server side request forgery (SSRF) attacks via the var_url parameter
+      [CVE-2016-7999]
+    - Directory traversal vulnerability in ecrire/exec/valider_xml.php
+      [CVE-2016-7982]
+    - Execution of arbitrary PHP code by authenticated users [CVE-2016-7998]
+    - Cross-site request forgery (CSRF) vulnerability in
+      ecrire/exec/valider_xml.php [CVE-2016-7980]
+    - Cross-site scripting (XSS) vulnerability in valider_xml.php
+      [CVE-2016-7981]
+  * Backport security fixes from 3.2-alpha-1
+    - Reflected Cross Site Scripting Vulnerabilities in
+      /ecrire/exec/puce_statut.php and /ecrire/exec/info_plugin.php
+      [CVE-2016-9997] [CVE-2016-9998] (Closes: #848641)
+    - Cross-site scripting (XSS) vulnerability in ecrire/exec/plonger.php
+      [CVE-2016-9152] (Closes: #847156)
+  * Backport security fix from 3.0.25
+    - Execution of arbitrary PHP code
+
+ -- David Prévot <taffit@debian.org>  Wed, 26 Apr 2017 18:02:00 -1000
+
 spip (3.0.17-2+deb8u2) jessie-security; urgency=high
 
   * Backport security fixes from 3.0.22
-    - PHP code injection
-    - Objects injection via unserialize
+    - PHP code injection [CVE-2016-3153]
+    - Objects injection via unserialize [CVE-2016-3154]
   * Update security screen to 1.2.4
 
  -- David Prévot <taffit@debian.org>  Thu, 10 Mar 2016 19:18:09 -0400
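Review bot: the entries for 3.0.23 ("Multiple XSS issues") and 3.0.25 ("Execution of arbitrary PHP code") carry no CVE identifier, unlike every other item in the new changelog entry, and this same hunk retro-documents CVE-2016-3153 and CVE-2016-3154 on the deb8u2 entry; add the identifiers for those two items if any were assigned, or state that none was, so the security tracker can match the upload against the advisories.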
diff -Nru spip-3.0.17/debian/patches/0009-Update-security-screen.patch spip-3.0.17/debian/patches/0009-Update-security-screen.patch
--- spip-3.0.17/debian/patches/0009-Update-security-screen.patch	2016-03-11 10:32:29.000000000 -1000
+++ spip-3.0.17/debian/patches/0009-Update-security-screen.patch	2017-04-26 17:46:18.000000000 -1000
@@ -1,13 +1,13 @@
 From: =?utf-8?q?David_Pr=C3=A9vot?= <david@tilapin.org>
-Date: Thu, 10 Mar 2016 19:17:47 -0400
+Date: Tue, 25 Apr 2017 15:07:50 -1000
 Subject: Update security screen
 
 ---
- config/ecran_securite.php | 164 +++++++++++++++++++++++++++-------------------
- 1 file changed, 98 insertions(+), 66 deletions(-)
+ config/ecran_securite.php | 187 +++++++++++++++++++++++++++++-----------------
+ 1 file changed, 120 insertions(+), 67 deletions(-)
 
 diff --git a/config/ecran_securite.php b/config/ecran_securite.php
-index 36b0044..0bd8e65 100644
+index 36b0044..ba47691 100644
 --- a/config/ecran_securite.php
 +++ b/config/ecran_securite.php
 @@ -5,7 +5,7 @@
@@ -15,7 +15,7 @@
   */
  
 -define('_ECRAN_SECURITE', '1.1.9'); // 2014-03-13
-+define('_ECRAN_SECURITE', '1.2.4'); // 2016-03-10
++define('_ECRAN_SECURITE', '1.3.0'); // 2017-03-06
  
  /*
   * Documentation : http://www.spip.net/fr_article4200.html
@@ -46,7 +46,7 @@
  	    // UA plus cibles
 -	    . '80legs|accoona|AltaVista|ASPSeek|Baidu|Charlotte|EC2LinkFinder|eStyle|Google|INA dlweb|Java VM|LiteFinder|Lycos|Rambler|Scooter|ScrubbyBloglines|Yahoo|Yeti'
 -	    . ',i',(string) $_SERVER['HTTP_USER_AGENT'])
-+	    . '80legs|accoona|AltaVista|ASPSeek|Baidu|Charlotte|EC2LinkFinder|eStyle|facebook|flipboard|hootsuite|FunWebProducts|Google|Genieo|INA dlweb|InfegyAtlas|Java VM|LiteFinder|Lycos|MetaURI|Moreover|Rambler|Scooter|ScrubbyBloglines|Yahoo|Yeti'
++	    . '80legs|accoona|AltaVista|ASPSeek|Baidu|Charlotte|EC2LinkFinder|eStyle|flipboard|hootsuite|FunWebProducts|Google|Genieo|INA dlweb|InfegyAtlas|Java VM|LiteFinder|Lycos|MegaIndex|MetaURI|Moreover|Rambler|Scrapy|Scooter|ScrubbyBloglines|Yahoo|Yeti'
 +	    . ',i', (string) $_SERVER['HTTP_USER_AGENT'])
  	);
  
@@ -86,7 +86,8 @@
  /*
   * Contrôle de quelques variables (XSS)
   */
- foreach(array('lang', 'var_recherche', 'aide', 'var_lang_r', 'lang_r', 'var_ajax_ancre') as $var) {
+-foreach(array('lang', 'var_recherche', 'aide', 'var_lang_r', 'lang_r', 'var_ajax_ancre') as $var) {
++foreach(array('lang', 'var_recherche', 'aide', 'var_lang_r', 'lang_r', 'var_ajax_ancre', 'nom_fichier') as $var) {
  	if (isset($_GET[$var]))
 -		$_REQUEST[$var] = $GLOBALS[$var] = $_GET[$var] = preg_replace(',[^\w\,/#&;-]+,',' ',(string)$_GET[$var]);
 +		$_REQUEST[$var] = $GLOBALS[$var] = $_GET[$var] = preg_replace(',[^\w\,/#&;-]+,', ' ', (string)$_GET[$var]);
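Review bot: `nom_fichier` joins the GET variables that are rewritten in place by `preg_replace(',[^\w\,/#&;-]+,', ' ', ...)`; unlike the other rules in this file this path sanitises instead of blocking and never sets `$ecran_securite_raison`, so a request whose `nom_fichier` had characters stripped proceeds with a modified value and leaves no trace. A comment saying that this is a silent rewrite, or a `spip_log()` when the value actually changed, would help operators notice probing of this parameter.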
@@ -96,7 +97,7 @@
  }
  
  /*
-@@ -73,38 +88,38 @@ if (preg_match(',^(.*/)?spip_acces_doc\.,', (string)$_SERVER['REQUEST_URI'])) {
+@@ -73,38 +88,47 @@ if (preg_match(',^(.*/)?spip_acces_doc\.,', (string)$_SERVER['REQUEST_URI'])) {
  /*
   * Pas d'inscription abusive
   */
@@ -137,6 +138,15 @@
 +and $_REQUEST['exec'] == 'auteurs'
 +and preg_match(',[<],', (string)$_REQUEST['recherche']))
  	$ecran_securite_raison = "recherche";
++if (isset($_REQUEST['exec'])
++and $_REQUEST['exec'] == 'info_plugin'
++and preg_match(',[<],', (string)$_REQUEST['plugin']))
++	$ecran_securite_raison = "plugin";
++if (isset($_REQUEST['exec'])
++and $_REQUEST['exec'] == 'puce_statut'
++and isset($_REQUEST['id'])
++and !intval($_REQUEST['id']))
++	$ecran_securite_raison = "puce_statut";
  if (isset($_REQUEST['action'])
 -AND $_REQUEST['action'] == 'configurer') {
 +and $_REQUEST['action'] == 'configurer') {
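Review bot: the new `puce_statut` rule uses `!intval($_REQUEST['id'])`, so a legitimate `id=0` is rejected together with non-numeric values; if 0 is never a valid id here that is acceptable, otherwise `preg_match(',^\d+$,', ...)` expresses the numeric-id intent without that side effect. Both new rules are front-line filters for the reflected XSS in puce_statut.php and info_plugin.php listed as [CVE-2016-9997] [CVE-2016-9998] in the changelog, and the `info_plugin` rule only rejects a literal `<` in `plugin`, so the output escaping fix in those two scripts should be backported as well rather than relying on the screen alone.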
@@ -146,7 +156,7 @@
  		function action_configurer() {
  			include_spip('inc/autoriser');
  			if(!autoriser('configurer', _request('configuration'))) {
-@@ -132,7 +147,7 @@ if (strpos(
+@@ -132,7 +156,7 @@ if (strpos(
   * Bloque les requêtes fond=formulaire_
   */
  if (isset($_REQUEST['fond'])
@@ -155,7 +165,7 @@
  	$ecran_securite_raison = "fond=formulaire_";
  
  /*
-@@ -146,9 +161,9 @@ if (isset($_REQUEST['GLOBALS']))
+@@ -146,9 +170,9 @@ if (isset($_REQUEST['GLOBALS']))
   * les agenda
   * les paginations entremélées
   */
@@ -168,7 +178,7 @@
  )
  )
  	$ecran_securite_raison = "robot agenda/double pagination";
-@@ -158,12 +173,12 @@ if (_IS_BOT AND (
+@@ -158,12 +182,12 @@ if (_IS_BOT AND (
   * Bloque un XSS sur une page inexistante
   */
  if (isset($_REQUEST['page'])) {
@@ -183,7 +193,7 @@
  		$ecran_securite_raison = "xss404";
  }
  
-@@ -171,7 +186,7 @@ if (isset($_REQUEST['page'])) {
+@@ -171,7 +195,7 @@ if (isset($_REQUEST['page'])) {
   * XSS par array
   */
  foreach (array('var_login') as $var)
@@ -192,7 +202,7 @@
  	$ecran_securite_raison = "xss ".$var;
  
  /*
-@@ -179,11 +194,11 @@ if (isset($_REQUEST[$var]) AND is_array($_REQUEST[$var]))
+@@ -179,11 +203,11 @@ if (isset($_REQUEST[$var]) AND is_array($_REQUEST[$var]))
   */
  if (!function_exists('tmp_lkojfghx')) {
  	function tmp_lkojfghx() {}
@@ -207,7 +217,22 @@
  	}
  }
  if (isset($_POST['tmp_lkojfghx3']))
-@@ -199,10 +214,10 @@ if (isset($_REQUEST['transformer_xml']))
+@@ -196,13 +220,25 @@ if (isset($_REQUEST['transformer_xml']))
+ 	$ecran_securite_raison = "transformer_xml";
+ 
+ /*
++ * Outils XML mal sécurisés again
++ */
++if (isset($_REQUEST['var_url']) and $_REQUEST['var_url'] and isset($_REQUEST['exec']) and $_REQUEST['exec']=='valider_xml'){
++	$url = trim($_REQUEST['var_url']);
++	if (strncmp($url,'/',1)==0
++	  or (($p=strpos($url,'..'))!==false AND strpos($url,'..',$p+3)!==false)
++		or (strpos($url,'://')!==false or strpos($url,':\\')!==false)) {
++		$ecran_securite_raison = 'URL interdite pour var_url';
++	}
++}
++
++/*
   * Sauvegarde mal securisée < 2.0.9
   */
  if (isset($_REQUEST['nom_sauvegarde'])
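Review bot: the new `var_url` rule duplicates the checks that patch 0020 adds to `exec_valider_xml_dist()` (leading `/`, a second `..` searched from `$p+3`, `://` and `:\\`); keeping a copy in the screen is useful defence in depth, but the two copies must be kept in sync, and the mixed `or`/`AND` casing inside one condition (`!==false AND strpos(...)` beside `or (...)`) should follow the lowercase style used elsewhere in this file. The comment "Outils XML mal sécurisés again" should also state that a single `..` is tolerated by design, since the rule only fires on the second occurrence.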
@@ -220,7 +245,7 @@
  	$ecran_securite_raison = 'znom_sauvegarde manipulee';
  
  
-@@ -210,26 +225,35 @@ AND strstr((string)$_REQUEST['znom_sauvegarde'], '/'))
+@@ -210,26 +246,35 @@ AND strstr((string)$_REQUEST['znom_sauvegarde'], '/'))
   * op permet des inclusions arbitraires ;
   * on vérifie 'page' pour ne pas bloquer ... drupal
   */
@@ -262,7 +287,7 @@
  	$ecran_securite_raison = 'reinstall=oui';
  
  /*
-@@ -241,9 +265,9 @@ if (isset($_SERVER['HTTP_REFERER']))
+@@ -241,9 +286,9 @@ if (isset($_SERVER['HTTP_REFERER']))
  /*
   * Réinjection des clés en html dans l'admin r19561
   */
@@ -275,7 +300,7 @@
  		$ecran_securite_raison = 'Cle incorrecte en $_REQUEST';
  }
  
-@@ -251,13 +275,13 @@ if (strpos($_SERVER['REQUEST_URI'],"ecrire/")!==false){
+@@ -251,13 +296,13 @@ if (strpos($_SERVER['REQUEST_URI'],"ecrire/")!==false){
   * Injection par connect
   */
  if (isset($_REQUEST['connect'])
@@ -295,7 +320,7 @@
  	) {
  	$ecran_securite_raison = "malformed connect argument";
  }
-@@ -275,6 +299,17 @@ if (isset($ecran_securite_raison)) {
+@@ -275,6 +320,17 @@ if (isset($ecran_securite_raison)) {
  }
  
  /*
@@ -313,7 +338,7 @@
   * Fin sécurité
   */
  
-@@ -288,23 +323,23 @@ if (!defined('_ECRAN_SECURITE_LOAD'))
+@@ -288,23 +344,23 @@ if (!defined('_ECRAN_SECURITE_LOAD'))
  
  if (
  	defined('_ECRAN_SECURITE_LOAD')
@@ -349,7 +374,7 @@
  ) {
  	header("HTTP/1.0 503 Service Unavailable");
  	header("Retry-After: 300");
-@@ -314,6 +349,3 @@ if (
+@@ -314,6 +370,3 @@ if (
  	header("Content-Type: text/html");
  	die("<html><title>Status 503: Site temporarily unavailable</title><body><h1>Status 503</h1><p>Site temporarily unavailable (load average $load)</p></body></html>");
  }
diff -Nru spip-3.0.17/debian/patches/0010-Report-de-r23063-Sanitizer-controler-les-entree-four.patch spip-3.0.17/debian/patches/0010-Report-de-r23063-Sanitizer-controler-les-entree-four.patch
--- spip-3.0.17/debian/patches/0010-Report-de-r23063-Sanitizer-controler-les-entree-four.patch	1969-12-31 14:00:00.000000000 -1000
+++ spip-3.0.17/debian/patches/0010-Report-de-r23063-Sanitizer-controler-les-entree-four.patch	2017-04-26 17:49:05.000000000 -1000
@@ -0,0 +1,42 @@
+From: =?utf-8?q?C=C3=A9dric_Morin?= <cedric.morin@yterium.com>
+Date: Mon, 27 Jun 2016 09:33:14 +0000
+Subject: Report de r23063 : Sanitizer/controler les entree fournies a
+ valider_xml_ok (Thomas Chauchefoin)
+
+Origin: upstream, https://core.spip.net/projects/spip/repository/revisions/23065
+---
+ ecrire/exec/valider_xml.php | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/ecrire/exec/valider_xml.php b/ecrire/exec/valider_xml.php
+index db3ee92..d8efef1 100644
+--- a/ecrire/exec/valider_xml.php
++++ b/ecrire/exec/valider_xml.php
+@@ -30,7 +30,26 @@ function exec_valider_xml_dist()
+ 	if (!autoriser('sauvegarder')) {
+ 		include_spip('inc/minipres');
+ 		echo minipres();
+-	} else valider_xml_ok(_request('var_url'), _request('ext'), intval(_request('limit')), _request('recur'));
++	} else {
++		$erreur = "";
++		// verifier que les var de l'URL sont conformes avant d'appeler la fonction
++		$url = trim(_request('var_url'));
++		if (strncmp($url,'/',1)==0) $erreur = 'Chemin absolu interdit pour var_url';
++		// on a pas le droit de remonter plus de 1 fois dans le path (pas 2 occurences de ../)
++		if (($p=strpos($url,'../'))!==false AND strpos($url,'../',$p+3)!==false) $erreur = 'Interdit de remonter en dehors de la racine';
++
++		$ext = trim(_request('ext'));
++		$ext = ltrim($ext,'.'); // precaution
++		if (preg_match('/\W/',$ext)) $erreur = 'Extension invalide';
++
++		if ($erreur){
++			include_spip('inc/minipres');
++			echo minipres($erreur);
++		}
++		else {
++			valider_xml_ok($url, $ext, intval(_request('limit')), _request('recur'));
++		}
++	}
+ }
+ 
+ // http://doc.spip.org/@valider_xml_ok
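Review bot: each failing check in the new validation block overwrites `$erreur`, so a request that trips several checks reports only the last one (the extension check) in `minipres($erreur)`; chaining with `elseif`, or collecting the messages, would make the page reflect the first rejection. The `preg_match('/\W/',$ext)` allowlist on `ext` is the right shape (anything outside `\w` is rejected), whereas `var_url` is still handled by two blocklist checks, which the later patches 0017, 0018 and 0020 keep extending; that asymmetry is worth a comment so future backports know where to add conditions.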
diff -Nru spip-3.0.17/debian/patches/0011-ne-pas-permettre-n-importe-quoi-en-url-de-site-Tim-C.patch spip-3.0.17/debian/patches/0011-ne-pas-permettre-n-importe-quoi-en-url-de-site-Tim-C.patch
--- spip-3.0.17/debian/patches/0011-ne-pas-permettre-n-importe-quoi-en-url-de-site-Tim-C.patch	1969-12-31 14:00:00.000000000 -1000
+++ spip-3.0.17/debian/patches/0011-ne-pas-permettre-n-importe-quoi-en-url-de-site-Tim-C.patch	2017-04-26 17:49:05.000000000 -1000
@@ -0,0 +1,24 @@
+From: b_b <brunobergot@gmail.com>
+Date: Tue, 6 Sep 2016 12:31:49 +0000
+Subject: ne pas permettre n'importe quoi en url de site (Tim Coen)
+
+Origin: backport, https://zone.spip.org/trac/spip-zone/changeset/99400/
+---
+ plugins-dist/forum/formulaires/forum_prive.php | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/plugins-dist/forum/formulaires/forum_prive.php b/plugins-dist/forum/formulaires/forum_prive.php
+index 9f3d437..ef476ef 100644
+--- a/plugins-dist/forum/formulaires/forum_prive.php
++++ b/plugins-dist/forum/formulaires/forum_prive.php
+@@ -92,6 +92,10 @@ function formulaires_forum_prive_verifier_dist($objet, $id_objet, $id_forum, $af
+ 		$erreurs['erreur_message'] = _T('forum:forum_message_trop_long');
+ 	}
+ 
++	if ($url = _request('url_site') and !tester_url_absolue($url)) {
++		$erreurs['url_site'] = _T('info_url_site_pas_conforme');
++	}
++
+ 	if (!count($erreurs) AND !_request('confirmer_previsu_forum')){
+ 		if ($afficher_previsu != 'non') {
+ 			$previsu = inclure_forum_prive_previsu($texte, $titre, _request('url_site'), _request('nom_site'), _request('ajouter_mot'));
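Review bot: `if ($url = _request('url_site') and !tester_url_absolue($url))` relies on PHP's low-precedence `and`, so `$url` receives the full return value of `_request('url_site')` before the second operand is evaluated; this is correct but reads like a precedence bug, so a short comment or explicit parentheses around the assignment would stop someone "fixing" it to `&&`, which would assign a boolean to `$url` and silently disable the check.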
diff -Nru spip-3.0.17/debian/patches/0012-Report-de-r23151-Eviter-d-accepter-n-importe-quoi-da.patch spip-3.0.17/debian/patches/0012-Report-de-r23151-Eviter-d-accepter-n-importe-quoi-da.patch
--- spip-3.0.17/debian/patches/0012-Report-de-r23151-Eviter-d-accepter-n-importe-quoi-da.patch	1969-12-31 14:00:00.000000000 -1000
+++ spip-3.0.17/debian/patches/0012-Report-de-r23151-Eviter-d-accepter-n-importe-quoi-da.patch	2017-04-26 17:49:05.000000000 -1000
@@ -0,0 +1,46 @@
+From: =?utf-8?q?C=C3=A9dric_Morin?= <cedric.morin@yterium.com>
+Date: Fri, 9 Sep 2016 10:00:22 +0000
+Subject: Report de r23151 : Eviter d'accepter n'importe quoi dans les
+ redirect de l'espace prive (Tim Coen)
+
+Origin: upstream, https://core.spip.net/projects/spip/repository/revisions/23153
+---
+ ecrire/index.php            | 8 ++++++++
+ ecrire/public/aiguiller.php | 5 +++--
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/ecrire/index.php b/ecrire/index.php
+index 99a8329..169ef2f 100644
+--- a/ecrire/index.php
++++ b/ecrire/index.php
+@@ -65,6 +65,14 @@ if (_request('action') OR _request('var_ajax') OR _request('formulaire_action'))
+ 	  traiter_formulaires_dynamiques())
+ 	  exit; // le hit est fini !
+ }
++// securiser les redirect du back-office
++if (_request('redirect')) {
++	if (!function_exists('securiser_redirect_action')){
++		include_spip('public/aiguiller');
++	}
++	set_request('redirect',securiser_redirect_action(_request('redirect')));
++}
++
+ 
+ //
+ // Gestion d'une page normale de l'espace prive
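Review bot: the new `redirect` sanitisation in ecrire/index.php sits after the block that calls `traiter_formulaires_dynamiques()` and `exit`s for `action`, `var_ajax` and `formulaire_action` hits, so requests leaving through that early `exit` never reach `set_request('redirect', securiser_redirect_action(...))`; confirm that those paths already call `securiser_redirect_action()` themselves, otherwise move the block above the `exit`. The extra blank line left after the new block also departs from the surrounding style.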
+diff --git a/ecrire/public/aiguiller.php b/ecrire/public/aiguiller.php
+index 28f552b..da5cc03 100644
+--- a/ecrire/public/aiguiller.php
++++ b/ecrire/public/aiguiller.php
+@@ -12,8 +12,9 @@
+ 
+ if (!defined('_ECRIRE_INC_VERSION')) return;
+ 
+-function securiser_redirect_action($redirect){
+-	if (tester_url_absolue($redirect) AND !defined('_AUTORISER_ACTION_ABS_REDIRECT')){
++function securiser_redirect_action($redirect) {
++	if ((tester_url_absolue($redirect) or preg_match(',^\w+:,',trim($redirect)))
++		and !defined('_AUTORISER_ACTION_ABS_REDIRECT')) {
+ 		// si l'url est une url du site, on la laisse passer sans rien faire
+ 		// c'est encore le plus simple
+ 		$base = $GLOBALS['meta']['adresse_site']."/";
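Review bot: the extended condition `tester_url_absolue($redirect) or preg_match(',^\w+:,', trim($redirect))` now also flags scheme-prefixed values that `tester_url_absolue()` does not recognise, which is the point of the fix, but the opt-out `_AUTORISER_ACTION_ABS_REDIRECT` still disables both checks at once; the patch header or README.Debian should say that defining that constant re-opens the back-office redirect to arbitrary targets. The hunk is cut at `$base = ...`, so the remainder of the function should be verified in the applied source.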
diff -Nru spip-3.0.17/debian/patches/0013-l-URL-de-rappel-de-mot-de-passe-doit-etre-une-URL-sa.patch spip-3.0.17/debian/patches/0013-l-URL-de-rappel-de-mot-de-passe-doit-etre-une-URL-sa.patch
--- spip-3.0.17/debian/patches/0013-l-URL-de-rappel-de-mot-de-passe-doit-etre-une-URL-sa.patch	1969-12-31 14:00:00.000000000 -1000
+++ spip-3.0.17/debian/patches/0013-l-URL-de-rappel-de-mot-de-passe-doit-etre-une-URL-sa.patch	2017-04-26 17:49:05.000000000 -1000
@@ -0,0 +1,29 @@
+From: =?utf-8?q?C=C3=A9dric_Morin?= <cedric.morin@yterium.com>
+Date: Fri, 9 Sep 2016 12:11:19 +0000
+Subject: l'URL de rappel de mot de passe doit etre une URL safe,
+ on la force sur l'adresse_site parametree dans la configuration du
+ site
+
+Origin: backport, https://zone.spip.org/trac/spip-zone/changeset/99431/
+---
+ squelettes-dist/formulaires/oubli.php | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/squelettes-dist/formulaires/oubli.php b/squelettes-dist/formulaires/oubli.php
+index 4bb6ba6..f8d92ed 100644
+--- a/squelettes-dist/formulaires/oubli.php
++++ b/squelettes-dist/formulaires/oubli.php
+@@ -28,10 +28,12 @@ function message_oubli($email, $param)
+ 		include_spip('action/inscrire_auteur');
+ 		$cookie = auteur_attribuer_jeton($r[1]['id_auteur']);
+ 
++		// l'url_reset doit etre une URL de confiance, on force donc un url_absolue sur adresse_site
++		include_spip('inc/filtres');
+ 		$msg = recuperer_fond(
+ 			"modeles/mail_oubli",
+ 			array(
+-				'url_reset'=>generer_url_public('spip_pass',"$param=$cookie", true, false)
++				'url_reset' => url_absolue(generer_url_public('spip_pass', "$param=$cookie"),$GLOBALS['meta']['adresse_site'])
+ 			)
+ 		);
+ 		include_spip("inc/notifications");
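Review bot: the reset link is now anchored on the configured `$GLOBALS['meta']['adresse_site']` via `url_absolue()` instead of whatever the request supplied, which removes the request's influence on the link sent in the password-reminder mail; however the old call passed two extra arguments (`true, false`) to `generer_url_public()` that the new call drops, so confirm they only governed absolute-URL and entity handling and that the emitted URL is otherwise unchanged. `include_spip('inc/filtres')` is required for `url_absolue()` and is correctly added before use.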
diff -Nru spip-3.0.17/debian/patches/0014-Eviter-des-illegal-offset-si-l-utilisateur-n-est-pas.patch spip-3.0.17/debian/patches/0014-Eviter-des-illegal-offset-si-l-utilisateur-n-est-pas.patch
--- spip-3.0.17/debian/patches/0014-Eviter-des-illegal-offset-si-l-utilisateur-n-est-pas.patch	1969-12-31 14:00:00.000000000 -1000
+++ spip-3.0.17/debian/patches/0014-Eviter-des-illegal-offset-si-l-utilisateur-n-est-pas.patch	2017-04-26 17:49:05.000000000 -1000
@@ -0,0 +1,32 @@
+From: Eric <eric@smellup.net>
+Date: Fri, 22 Aug 2014 09:34:29 +0000
+Subject: =?utf-8?q?Eviter_des_=22illegal_offset=22_si_l=27utilisateur_n=27?=
+ =?utf-8?q?est_pas_connect=C3=A9_=28d=C3=A9j=C3=A0_corrig=C3=A9_en_3=2E1=29?=
+ =?utf-8?q?=2E?=
+
+Origin: upstream, https://core.spip.net/projects/spip/repository/revisions/21531
+---
+ ecrire/inc/minipres.php | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/ecrire/inc/minipres.php b/ecrire/inc/minipres.php
+index 7b507b9..0de42ae 100644
+--- a/ecrire/inc/minipres.php
++++ b/ecrire/inc/minipres.php
+@@ -119,10 +119,14 @@ function minipres($titre='', $corps="", $onload='', $all_inline = false)
+ 		$titre = ($titre == 'install')
+ 		  ?  _T('avis_espace_interdit')
+ 		  : $titre . '&nbsp;: '. _T('info_acces_interdit');
++
++		$statut = isset($GLOBALS['visiteur_session']['statut']) ? $GLOBALS['visiteur_session']['statut'] : '';
++		$nom    = isset($GLOBALS['visiteur_session']['nom']) ? $GLOBALS['visiteur_session']['nom'] : '';
++
+ 		$corps = generer_form_ecrire('accueil', '','',
+-						$GLOBALS['visiteur_session']['statut']?_T('public:accueil_site'):_T('public:lien_connecter')
++						$statut ? _T('public:accueil_site') : _T('public:lien_connecter')
+ 		);
+-		spip_log($GLOBALS['visiteur_session']['nom'] . " $titre " . $_SERVER['REQUEST_URI']);
++		spip_log($nom . " $titre " . $_SERVER['REQUEST_URI']);
+ 	}
+ 
+ 	if (!_AJAX)
diff -Nru spip-3.0.17/debian/patches/0015-Fix-3831-report-de-r23141-et-r23148.patch spip-3.0.17/debian/patches/0015-Fix-3831-report-de-r23141-et-r23148.patch
--- spip-3.0.17/debian/patches/0015-Fix-3831-report-de-r23141-et-r23148.patch	1969-12-31 14:00:00.000000000 -1000
+++ spip-3.0.17/debian/patches/0015-Fix-3831-report-de-r23141-et-r23148.patch	2017-04-26 17:49:08.000000000 -1000
@@ -0,0 +1,40 @@
+From: b_b <brunobergot@gmail.com>
+Date: Tue, 27 Sep 2016 07:52:08 +0000
+Subject: Fix #3831 : report de r23141 et r23148
+
+Origin: upstream, https://core.spip.net/projects/spip/repository/revisions/23178
+---
+ ecrire/inc/minipres.php | 4 ++++
+ ecrire/inc/utils.php    | 4 +++-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/ecrire/inc/minipres.php b/ecrire/inc/minipres.php
+index 0de42ae..38f0f1c 100644
+--- a/ecrire/inc/minipres.php
++++ b/ecrire/inc/minipres.php
+@@ -123,6 +123,10 @@ function minipres($titre='', $corps="", $onload='', $all_inline = false)
+ 		$statut = isset($GLOBALS['visiteur_session']['statut']) ? $GLOBALS['visiteur_session']['statut'] : '';
+ 		$nom    = isset($GLOBALS['visiteur_session']['nom']) ? $GLOBALS['visiteur_session']['nom'] : '';
+ 
++		if ($statut != '0minirezo') {
++			$titre = _T('info_acces_interdit');
++		}
++
+ 		$corps = generer_form_ecrire('accueil', '','',
+ 						$statut ? _T('public:accueil_site') : _T('public:lien_connecter')
+ 		);
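Review bot: forcing `$titre = _T('info_acces_interdit')` for any session whose `statut` is not `0minirezo` means that, for non-admin visitors, the banner no longer includes the caller-supplied `$titre` concatenated a few lines above (`$titre . '&nbsp;: ' . _T('info_acces_interdit')`); that is the intended fix for #3831, but the earlier concatenation is now dead work for those users, and a one-line comment stating why the generic title is forced would keep a later tidy-up from restoring the old behaviour.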
+diff --git a/ecrire/inc/utils.php b/ecrire/inc/utils.php
+index f9bee58..1934df7 100644
+--- a/ecrire/inc/utils.php
++++ b/ecrire/inc/utils.php
+@@ -45,7 +45,9 @@ function charger_fonction($nom, $dossier='exec', $continue=false) {
+ 
+ 	if (!preg_match(',^\w+$,', $f)){
+ 		if ($continue) return false; //appel interne, on passe
+-		die(spip_htmlspecialchars($nom)." pas autorise");
++		include_spip('inc/minipres');
++		echo minipres();
++		exit;
+ 	}
+ 
+ 	// passer en minuscules (cf les balises de formulaires)
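Review bot: replacing `die(spip_htmlspecialchars($nom)." pas autorise")` with `minipres()` followed by `exit` stops echoing the rejected function name back to the client, which is the hardening intent; since that message was also the only trace of the rejection, add a `spip_log()` of the rejected `$nom` before the `exit` (as `minipres()` already does for forbidden access) so attempts to load names outside `^\w+$` remain visible to operators.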
diff -Nru spip-3.0.17/debian/patches/0016-Report-de-r23179-ne-pas-afficher-l-url-brute-venant-.patch spip-3.0.17/debian/patches/0016-Report-de-r23179-ne-pas-afficher-l-url-brute-venant-.patch
--- spip-3.0.17/debian/patches/0016-Report-de-r23179-ne-pas-afficher-l-url-brute-venant-.patch	1969-12-31 14:00:00.000000000 -1000
+++ spip-3.0.17/debian/patches/0016-Report-de-r23179-ne-pas-afficher-l-url-brute-venant-.patch	2017-04-26 17:49:08.000000000 -1000
@@ -0,0 +1,23 @@
+From: =?utf-8?q?C=C3=A9dric_Morin?= <cedric.morin@yterium.com>
+Date: Tue, 27 Sep 2016 10:51:55 +0000
+Subject: Report de r23179 : ne pas afficher l'url brute venant de la request
+ (Nicolas CHATELAIN)
+
+Origin: upstream, https://core.spip.net/projects/spip/repository/revisions/23183
+---
+ ecrire/exec/valider_xml.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ecrire/exec/valider_xml.php b/ecrire/exec/valider_xml.php
+index d8efef1..8abdb02 100644
+--- a/ecrire/exec/valider_xml.php
++++ b/ecrire/exec/valider_xml.php
+@@ -114,7 +114,7 @@ function valider_xml_ok($url, $req_ext, $limit, $rec)
+ 			$res =
+ 			"<div style='text-align: center'>" . $err . "</div>" .
+ 			"<div style='margin: 10px; text-align: left'>" . $texte . '</div>';
+-			$bandeau = "<a href='$url_aff'>$url</a>";
++			$bandeau = "<a href='$url_aff'>".$url_aff."</a>";
+ 		}
+ 	}
+ 
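Review bot: `$bandeau` now uses `$url_aff` for both the `href` and the link text instead of echoing the raw request value `$url`; this fixes the reflected output provided `$url_aff` is only ever derived from validated values (in the later patch 0018 hunk it is assigned from `valider_pseudo_url($dir, $script)` after the `^[a-z][0-9a-z_]*$` check), so a comment stating that `$url_aff` must never be taken directly from the request would protect that invariant.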
diff -Nru spip-3.0.17/debian/patches/0017-Report-de-r23180-pas-d-url-absolue-dans-var_url-Nico.patch spip-3.0.17/debian/patches/0017-Report-de-r23180-pas-d-url-absolue-dans-var_url-Nico.patch
--- spip-3.0.17/debian/patches/0017-Report-de-r23180-pas-d-url-absolue-dans-var_url-Nico.patch	1969-12-31 14:00:00.000000000 -1000
+++ spip-3.0.17/debian/patches/0017-Report-de-r23180-pas-d-url-absolue-dans-var_url-Nico.patch	2017-04-26 17:49:08.000000000 -1000
@@ -0,0 +1,21 @@
+From: =?utf-8?q?C=C3=A9dric_Morin?= <cedric.morin@yterium.com>
+Date: Tue, 27 Sep 2016 10:53:56 +0000
+Subject: Report de r23180 : pas d'url absolue dans var_url (Nicolas CHATELAIN)
+
+Oritin: upstream, https://core.spip.net/projects/spip/repository/revisions/23184
+---
+ ecrire/exec/valider_xml.php | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/ecrire/exec/valider_xml.php b/ecrire/exec/valider_xml.php
+index 8abdb02..e9d4502 100644
+--- a/ecrire/exec/valider_xml.php
++++ b/ecrire/exec/valider_xml.php
+@@ -37,6 +37,7 @@ function exec_valider_xml_dist()
+ 		if (strncmp($url,'/',1)==0) $erreur = 'Chemin absolu interdit pour var_url';
+ 		// on a pas le droit de remonter plus de 1 fois dans le path (pas 2 occurences de ../)
+ 		if (($p=strpos($url,'../'))!==false AND strpos($url,'../',$p+3)!==false) $erreur = 'Interdit de remonter en dehors de la racine';
++		if (strpos($url,'://')!==false) $erreur = 'URL absolue interdite pour var_url';
+ 
+ 		$ext = trim(_request('ext'));
+ 		$ext = ltrim($ext,'.'); // precaution
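Review bot: the DEP-3 header on this patch is misspelled `Oritin:` and should read `Origin:`, otherwise tools that parse patch metadata will not pick up the upstream reference; the added `strpos($url,'://')!==false` check itself is consistent with the surrounding conditions and with the screen rule in patch 0009.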
diff -Nru spip-3.0.17/debian/patches/0018-Report-de-r23185-Eviter-aussi-les-urls-absolues-wind.patch spip-3.0.17/debian/patches/0018-Report-de-r23185-Eviter-aussi-les-urls-absolues-wind.patch
--- spip-3.0.17/debian/patches/0018-Report-de-r23185-Eviter-aussi-les-urls-absolues-wind.patch	1969-12-31 14:00:00.000000000 -1000
+++ spip-3.0.17/debian/patches/0018-Report-de-r23185-Eviter-aussi-les-urls-absolues-wind.patch	2017-04-26 17:49:08.000000000 -1000
@@ -0,0 +1,60 @@
+From: =?utf-8?q?C=C3=A9dric_Morin?= <cedric.morin@yterium.com>
+Date: Tue, 27 Sep 2016 15:21:41 +0000
+Subject: Report de r23185 : Eviter aussi les urls absolues windows c:\xxx et
+ supprimer le onfocus obsolete au profit d'un placholder innofensif (Nicolas
+ Chatelain)
+
+Origin: upstream, https://core.spip.net/projects/spip/repository/revisions/23191
+---
+ ecrire/exec/valider_xml.php | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/ecrire/exec/valider_xml.php b/ecrire/exec/valider_xml.php
+index e9d4502..c90d6bb 100644
+--- a/ecrire/exec/valider_xml.php
++++ b/ecrire/exec/valider_xml.php
+@@ -37,7 +37,7 @@ function exec_valider_xml_dist()
+ 		if (strncmp($url,'/',1)==0) $erreur = 'Chemin absolu interdit pour var_url';
+ 		// on a pas le droit de remonter plus de 1 fois dans le path (pas 2 occurences de ../)
+ 		if (($p=strpos($url,'../'))!==false AND strpos($url,'../',$p+3)!==false) $erreur = 'Interdit de remonter en dehors de la racine';
+-		if (strpos($url,'://')!==false) $erreur = 'URL absolue interdite pour var_url';
++		if (strpos($url,'://')!==false or strpos($url,':\\')!==false) $erreur = 'URL absolue interdite pour var_url';
+ 
+ 		$ext = trim(_request('ext'));
+ 		$ext = ltrim($ext,'.'); // precaution
+@@ -61,9 +61,8 @@ function valider_xml_ok($url, $req_ext, $limit, $rec)
+ 	if (!$limit) $limit = 200;
+ 	$titre = _T('analyse_xml');
+ 	if (!$url) {
+-		$url_aff = 'http://';
+-		$onfocus = "this.value='';";
+-		$texte = $bandeau = $err = '';
++		$url_aff = '';
++		$bandeau = $err = '';
+ 	} else {
+ 		include_spip('inc/distant');
+ 
+@@ -99,7 +98,6 @@ function valider_xml_ok($url, $req_ext, $limit, $rec)
+ 			} else { $dir = 'exec'; $script = $url; $args = true;}
+ 
+ 			$transformer_xml = charger_fonction('valider', 'xml');
+-			$onfocus = "this.value='" . addslashes($url) . "';";
+ 			if (preg_match(',^[a-z][0-9a-z_]*$,i', $url)) {
+ 				$res = $transformer_xml(charger_fonction($url, $dir), $args);
+ 				$url_aff = valider_pseudo_url($dir, $script);
+@@ -124,11 +122,11 @@ function valider_xml_ok($url, $req_ext, $limit, $rec)
+ 	$jq = http_script("", 'jquery.js');
+ 	
+ 	echo str_replace('<head>', "<head>$jq", $debut);
+-	$onfocus = '<input type="text" size="70" value="' .$url_aff .'" name="var_url" id="var_url" onfocus="'.$onfocus . '" />';
+-	$onfocus = generer_form_ecrire('valider_xml', $onfocus, " method='get'");
++	$texte = '<input type="text" size="70" value="' . $url_aff . '" name="var_url" id="var_url" placeholder="http://"; />';
++	$texte = generer_form_ecrire('valider_xml', $texte, " method='get'");
+ 
+-	echo "<h1>", $titre, '<br>', $bandeau, '</h1>',
+-	  "<div style='text-align: center'>", $onfocus, "</div>",
++	echo "<h1 class='grostitre'>", $titre, $bandeau, '</h1>',
++	  "<div style='text-align: center'>", $texte, "</div>",
+ 	  $res,
+ 	  fin_page();
+ }
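Review bot: the new input markup `placeholder="http://"; />` carries a stray `;` after the attribute, which is invalid HTML and should be dropped. The placeholder text `http://` is also misleading now that `exec_valider_xml_dist()` rejects any `var_url` containing `://`; a hint showing the expected relative form would be clearer, and the obsolete `$onfocus` variable is correctly removed in all three places.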
diff -Nru spip-3.0.17/debian/patches/0019-Report-de-r23186-echapper-les-guillemets-dans-les-no.patch spip-3.0.17/debian/patches/0019-Report-de-r23186-echapper-les-guillemets-dans-les-no.patch
--- spip-3.0.17/debian/patches/0019-Report-de-r23186-echapper-les-guillemets-dans-les-no.patch	1969-12-31 14:00:00.000000000 -1000
+++ spip-3.0.17/debian/patches/0019-Report-de-r23186-echapper-les-guillemets-dans-les-no.patch	2017-04-26 17:49:08.000000000 -1000
@@ -0,0 +1,32 @@
+From: =?utf-8?q?C=C3=A9dric_Morin?= <cedric.morin@yterium.com>
+Date: Tue, 27 Sep 2016 15:22:00 +0000
+Subject: Report de r23186 : echapper les guillemets dans les noms de fichier
+ pour ne pas generer du code invalide (Nicolas Chatelain)
+
+Origin: upstream, https://core.spip.net/projects/spip/repository/revisions/23192
+---
+ ecrire/public/compiler.php | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ecrire/public/compiler.php b/ecrire/public/compiler.php
+index 468243f..e786dc3 100644
+--- a/ecrire/public/compiler.php
++++ b/ecrire/public/compiler.php
+@@ -139,7 +139,7 @@ function calculer_inclure($p, &$boucles, $id_boucle) {
+ 	$_contexte = argumenter_inclure($p->param, false, $p, $boucles, $id_boucle, true, '', true);
+ 	if (is_string($p->texte)) {
+ 		$fichier = $p->texte;
+-		$code = "\"$fichier\"";
++		$code = "\"".str_replace('"','\"',$fichier)."\"";
+ 
+ 	} else {
+ 		$code = calculer_liste($p->texte, $p->descr, $boucles, $id_boucle);
+@@ -183,7 +183,7 @@ function calculer_inclure($p, &$boucles, $id_boucle) {
+ 	}
+ 
+ 	// s'il y a une extension .php, ce n'est pas un squelette
+-	if (preg_match('/^.+[.]php$/s', $fichier)) {
++	if ($fichier and preg_match('/^.+[.]php$/s', $fichier)) {
+ 		$code = sandbox_composer_inclure_php($fichier, $p, $contexte);
+ 	} else 	{
+ 		$_options[] = "\"compil\"=>array($compil)";
diff -Nru spip-3.0.17/debian/patches/0020-Report-de-r23200-exec-valider_xml-n-est-executable-q.patch spip-3.0.17/debian/patches/0020-Report-de-r23200-exec-valider_xml-n-est-executable-q.patch
--- spip-3.0.17/debian/patches/0020-Report-de-r23200-exec-valider_xml-n-est-executable-q.patch	1969-12-31 14:00:00.000000000 -1000
+++ spip-3.0.17/debian/patches/0020-Report-de-r23200-exec-valider_xml-n-est-executable-q.patch	2017-04-26 17:49:08.000000000 -1000
@@ -0,0 +1,180 @@
+From: =?utf-8?q?C=C3=A9dric_Morin?= <cedric.morin@yterium.com>
+Date: Wed, 28 Sep 2016 12:44:09 +0000
+Subject: Report de r23200 : - ?exec=valider_xml n'est executable que par les
+ webmestres - var_url ne doit pas contenir de ../../ ni de ..\..\ (windows) -
+ elle ne lance une action que si on a un var_token qui correspond soit a la
+ signature de l'action en POST soit a la signature de l'action+var_url en
+ GET. Ceci evite de faire lancer le validateur par un lien malveillant fourni
+ a un webmstre d'un site auquel on a pas acces (CSRF)
+
+(Nicolas Chatelain)
+
+Origin: upstream, https://core.spip.net/projects/spip/repository/revisions/23202
+---
+ ecrire/exec/valider_xml.php | 96 ++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 69 insertions(+), 27 deletions(-)
+
+diff --git a/ecrire/exec/valider_xml.php b/ecrire/exec/valider_xml.php
+index c90d6bb..e6973d5 100644
+--- a/ecrire/exec/valider_xml.php
++++ b/ecrire/exec/valider_xml.php
+@@ -27,7 +27,7 @@ include_spip('public/debusquer');
+ // http://doc.spip.org/@exec_valider_xml_dist
+ function exec_valider_xml_dist()
+ {
+-	if (!autoriser('sauvegarder')) {
++	if (!autoriser('webmestre')) {
+ 		include_spip('inc/minipres');
+ 		echo minipres();
+ 	} else {
+@@ -35,27 +35,45 @@ function exec_valider_xml_dist()
+ 		// verifier que les var de l'URL sont conformes avant d'appeler la fonction
+ 		$url = trim(_request('var_url'));
+ 		if (strncmp($url,'/',1)==0) $erreur = 'Chemin absolu interdit pour var_url';
+-		// on a pas le droit de remonter plus de 1 fois dans le path (pas 2 occurences de ../)
+-		if (($p=strpos($url,'../'))!==false AND strpos($url,'../',$p+3)!==false) $erreur = 'Interdit de remonter en dehors de la racine';
++		// on a pas le droit de remonter plus de 1 fois dans le path (pas 2 occurences de ../ ou ..\ (win))
++		if (($p=strpos($url,'..'))!==false AND strpos($url,'..',$p+3)!==false) $erreur = 'Interdit de remonter en dehors de la racine';
+ 		if (strpos($url,'://')!==false or strpos($url,':\\')!==false) $erreur = 'URL absolue interdite pour var_url';
+ 
+ 		$ext = trim(_request('ext'));
+ 		$ext = ltrim($ext,'.'); // precaution
+ 		if (preg_match('/\W/',$ext)) $erreur = 'Extension invalide';
+ 
++		// en GET var_url doit etre signee, en POST seule l'action est signee
++		// CSRF safe
++		$process = true;
++		if ($url){
++			include_spip('inc/securiser_action');
++			if ($_SERVER["REQUEST_METHOD"]=='POST'){
++				if (!$token = _request('var_token')
++				  or !verifier_cle_action("valider_xml",$token)){
++					$process = false;
++				}
++			}
++			if ($_SERVER["REQUEST_METHOD"]!='POST'){
++				if (!$token = _request('var_token')
++				  or !verifier_cle_action("valider_xml&var_url=$url",$token)){
++					$process = false;
++				}
++			}
++		}
++
+ 		if ($erreur){
+ 			include_spip('inc/minipres');
+ 			echo minipres($erreur);
+ 		}
+ 		else {
+-			valider_xml_ok($url, $ext, intval(_request('limit')), _request('recur'));
++			valider_xml_ok($url, $ext, intval(_request('limit')), _request('recur'), $process);
+ 		}
+ 	}
+ }
+ 
+ // http://doc.spip.org/@valider_xml_ok
+-function valider_xml_ok($url, $req_ext, $limit, $rec)
+-{
++function valider_xml_ok($url, $req_ext, $limit, $rec, $process = true) {
+ 	$url = urldecode($url);
+ 	$rec = !$rec ? false : array();
+ 	if (!$limit) $limit = 200;
+@@ -97,23 +115,28 @@ function valider_xml_ok($url, $req_ext, $limit, $rec)
+ 				}
+ 			} else { $dir = 'exec'; $script = $url; $args = true;}
+ 
+-			$transformer_xml = charger_fonction('valider', 'xml');
+-			if (preg_match(',^[a-z][0-9a-z_]*$,i', $url)) {
+-				$res = $transformer_xml(charger_fonction($url, $dir), $args);
+-				$url_aff = valider_pseudo_url($dir, $script);
+-			} else {
+-				$res = $transformer_xml(recuperer_page($url));
+-				$url_aff = entites_html($url);
+-			}
+-			list($texte, $err) = emboite_texte($res);
+-			if (!$err) {
+-				$err = '<h3>' . _T('spip_conforme_dtd') . '</h3>';
++			$url_aff = entites_html($url);
++			$bandeau = "";
++			$res = "";
++			if ($process) {
++				$transformer_xml = charger_fonction('valider', 'xml');
++				if (preg_match(',^[a-z][0-9a-z_]*$,i', $url)) {
++					$res = $transformer_xml(charger_fonction($url, $dir), $args);
++					$url_aff = valider_pseudo_url($dir, $script);
++				} else {
++					$res = $transformer_xml(recuperer_page($url));
++					$url_aff = entites_html($url);
++				}
++				list($texte, $err) = emboite_texte($res);
++				if (!$err) {
++					$err = '<h3>' . _T('spip_conforme_dtd') . '</h3>';
++				}
++				$res =
++					"<div style='text-align: center'>" . $err . "</div>" .
++					"<div style='margin: 10px; text-align: left'>" . $texte . '</div>';
++				$bandeau = "<a href='$url_aff'>".$url_aff."</a>";
+ 			}
+ 
+-			$res =
+-			"<div style='text-align: center'>" . $err . "</div>" .
+-			"<div style='margin: 10px; text-align: left'>" . $texte . '</div>';
+-			$bandeau = "<a href='$url_aff'>".$url_aff."</a>";
+ 		}
+ 	}
+ 
+@@ -121,19 +144,34 @@ function valider_xml_ok($url, $req_ext, $limit, $rec)
+ 	$debut = $commencer_page($titre);
+ 	$jq = http_script("", 'jquery.js');
+ 	
++
+ 	echo str_replace('<head>', "<head>$jq", $debut);
++	include_spip('inc/securiser_action');
++	$token = calculer_cle_action("valider_xml");
+ 	$texte = '<input type="text" size="70" value="' . $url_aff . '" name="var_url" id="var_url" placeholder="http://"; />';
+-	$texte = generer_form_ecrire('valider_xml', $texte, " method='get'");
++	$texte .= '<input type="hidden" value="' . $token . '" name="var_token" />';
++	$texte .= '<input type="hidden" value="' . $req_ext . '" name="ext" />';
++	$texte .= '<input type="submit" value="Go" />';
++	$texte = generer_form_ecrire('valider_xml', $texte, " method='post'");
++
++	$self = generer_url_ecrire('valider_xml');
++	$self = parametre_url($self, 'var_url', $url);
++	$self = parametre_url($self, 'ext', $req_ext);
++	$self = parametre_url($self, 'limit', $limit);
++	$self = parametre_url($self, 'rec', $rec);
++	$self = "<a href='$self'>$self</a>";
+ 
+-	echo "<h1 class='grostitre'>", $titre, $bandeau, '</h1>',
++	echo "<h1 class='grostitre'>", $titre, " <small>$bandeau</small>", '</h1>',
+ 	  "<div style='text-align: center'>", $texte, "</div>",
+ 	  $res,
++	  "<br /><br /><p><small>$self</small></p>",
+ 	  fin_page();
+ }
+ 
+ // http://doc.spip.org/@valider_resultats
+ function valider_resultats($res, $mode)
+ {
++	include_spip('inc/securiser_action');
+ 	$i = $j = 0;
+ 	$table = '';
+ 	rsort($res);
+@@ -150,10 +188,14 @@ function valider_resultats($res, $mode)
+ 		  ($erreurs[0][0] . ' ' . _T('ligne') . ' ' .
+ 		   $erreurs[0][1] .($nb==1? '': '  ...'));
+ 		if ($err) $j++;
+-		$h = $mode
+-		? ($appel . '&var_mode=debug&var_mode_affiche=validation')
+-		: generer_url_ecrire('valider_xml', "var_url=" . urlencode($appel));
+-		
++		if ($mode) {
++			$h = $appel . '&var_mode=debug&var_mode_affiche=validation';
++		}
++		else {
++			$h = generer_url_ecrire('valider_xml', "var_url=" . urlencode($appel));
++			$h = parametre_url($h,'var_token', calculer_cle_action("valider_xml&var_url=$appel"));
++		}
++
+ 		$table .= "<tr class='$class'>"
+ 		. "<td style='text-align: right'>$nb</td>"
+ 		. "<td style='text-align: right$color'>$texte</td>"
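Review bot: in exec_valider_xml_dist the traversal and absolute-URL checks run on the raw _request('var_url') value, but valider_xml_ok then calls urldecode($url) on it as its first statement, so the string that is validated is not the string that is used; decode once before the checks, or drop the second decode, so that '..' and '://' are tested on the canonical value. Two smaller points in the same hunk: the second strpos($url,'..',$p+3) offset was sized for the three-character needle '../' and should become $p+2 now that the needle is '..', otherwise a second '..' starting two characters after the first is skipped; and the self link built with parametre_url($self, 'rec', $rec) uses the parameter name 'rec' while the handler reads _request('recur'), and passes the array form of $rec rather than the original flag.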
diff -Nru spip-3.0.17/debian/patches/0021-Fix-3845-s-curiser-les-exec-info_plugin-et-puce_stat.patch spip-3.0.17/debian/patches/0021-Fix-3845-s-curiser-les-exec-info_plugin-et-puce_stat.patch
--- spip-3.0.17/debian/patches/0021-Fix-3845-s-curiser-les-exec-info_plugin-et-puce_stat.patch	1969-12-31 14:00:00.000000000 -1000
+++ spip-3.0.17/debian/patches/0021-Fix-3845-s-curiser-les-exec-info_plugin-et-puce_stat.patch	2017-04-26 17:51:41.000000000 -1000
@@ -0,0 +1,56 @@
+From: b_b <brunobergot@gmail.com>
+Date: Wed, 30 Nov 2016 17:50:22 +0000
+Subject: =?utf-8?q?Fix_=233845_=3A_s=C3=A9curiser_les_exec_info=5Fplugin_e?=
+ =?utf-8?q?t_puce=5Fstatut?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+merci à felixk3y de PKAV Team pour le signalement
+
+Origin: backport, https://core.spip.net/projects/spip/repository/revisions/23288
+---
+ ecrire/exec/info_plugin.php | 2 +-
+ ecrire/exec/puce_statut.php | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/ecrire/exec/info_plugin.php b/ecrire/exec/info_plugin.php
+index 0a93b48..7090fb5 100644
+--- a/ecrire/exec/info_plugin.php
++++ b/ecrire/exec/info_plugin.php
+@@ -9,7 +9,7 @@ function exec_info_plugin_dist() {
+ 		include_spip('inc/minipres');
+ 		echo minipres();
+ 	} else {
+-		$plug = _DIR_RACINE . _request('plugin');
++		$plug = _DIR_RACINE . htmlspecialchars(_request('plugin'));
+ 		$get_infos = charger_fonction('get_infos','plugins');
+ 		$dir = "";
+ 		if (strncmp($plug,_DIR_PLUGINS,strlen(_DIR_PLUGINS))==0)
+diff --git a/ecrire/exec/puce_statut.php b/ecrire/exec/puce_statut.php
+index 50a6d36..34188d8 100644
+--- a/ecrire/exec/puce_statut.php
++++ b/ecrire/exec/puce_statut.php
+@@ -23,12 +23,12 @@ function exec_puce_statut_dist()
+ // http://doc.spip.org/@exec_puce_statut_args
+ function exec_puce_statut_args($id, $type)
+ {
++	$id = intval($id);
+ 	if ($table_objet_sql = table_objet_sql($type)
+ 		AND $d = lister_tables_objets_sql($table_objet_sql)
+ 		AND isset($d['statut_textes_instituer'])
+ 	  AND $d['statut_textes_instituer']) {
+ 		$prim = id_table_objet($type);
+-		$id = intval($id);
+ 		if (isset($d['field']['id_rubrique']))
+ 			$select = "id_rubrique,statut";
+ 		else
+@@ -38,7 +38,7 @@ function exec_puce_statut_args($id, $type)
+ 		$id_rubrique = $r['id_rubrique'];
+ 	}
+ 	else {
+-		$id_rubrique = intval($id);
++		$id_rubrique = $id;
+ 		$statut = 'prop'; // arbitraire
+ 	}
+ 	$puce_statut = charger_fonction('puce_statut', 'inc');
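Review bot: in info_plugin.php the htmlspecialchars() wrapped around _request('plugin') is an HTML output-encoding function, not a path validator, yet its result is concatenated into the filesystem path $plug; it neutralises quotes and angle brackets if the name is later echoed, but a '..' segment passes through it unchanged, and the following strncmp($plug,_DIR_PLUGINS,...) only tests the prefix, not what comes after it. Keep the raw value for the path, validate it against the characters a plugin directory name may contain (rejecting '..'), and apply htmlspecialchars() at the point where the name is printed. The puce_statut.php part, hoisting $id = intval($id) so that both branches use the cast value, looks right.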
diff -Nru spip-3.0.17/debian/patches/0022-Fix-3847-s-curiser-exec-plonger.patch spip-3.0.17/debian/patches/0022-Fix-3847-s-curiser-exec-plonger.patch
--- spip-3.0.17/debian/patches/0022-Fix-3847-s-curiser-exec-plonger.patch	1969-12-31 14:00:00.000000000 -1000
+++ spip-3.0.17/debian/patches/0022-Fix-3847-s-curiser-exec-plonger.patch	2017-04-26 17:51:41.000000000 -1000
@@ -0,0 +1,27 @@
+From: b_b <brunobergot@gmail.com>
+Date: Fri, 2 Dec 2016 17:08:47 +0000
+Subject: =?utf-8?q?Fix_=233847_=3A_s=C3=A9curiser_exec_plonger?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+merci à xiaoL pour le signalement
+
+Origin: backport, https://core.spip.net/projects/spip/repository/revisions/23290
+---
+ ecrire/exec/plonger.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ecrire/exec/plonger.php b/ecrire/exec/plonger.php
+index 838daf7..10dafd7 100644
+--- a/ecrire/exec/plonger.php
++++ b/ecrire/exec/plonger.php
+@@ -19,7 +19,7 @@ function exec_plonger_dist()
+ {
+ 	include_spip('inc/actions');
+ 	
+-	$rac = _request('rac');
++	$rac = preg_replace(',[^\w\,/#&;-]+,', ' ', _request('rac'));
+ 	$id = intval(_request('id'));
+ 	$exclus = intval(_request('exclus'));
+ 	$col = intval(_request('col'));
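Review bot: the allow-list in preg_replace(',[^\w\,/#&;-]+,', ' ', _request('rac')) still admits &, ; and #, so entity-shaped sequences survive the filter; if $rac is printed into HTML further down, it still needs entity escaping at that output point, because the filter alone does not make it safe to echo. Also, silently replacing a rejected run with a space mangles the value rather than refusing it; rejecting a non-matching $rac with an error, as the var_url checks in patch 0020 do, would be easier to reason about, and a one-line comment saying why those three punctuation characters must be kept would help the next backporter.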
diff -Nru spip-3.0.17/debian/patches/0023-chapper-le-contenu-de-l-ent-te.patch spip-3.0.17/debian/patches/0023-chapper-le-contenu-de-l-ent-te.patch
--- spip-3.0.17/debian/patches/0023-chapper-le-contenu-de-l-ent-te.patch	1969-12-31 14:00:00.000000000 -1000
+++ spip-3.0.17/debian/patches/0023-chapper-le-contenu-de-l-ent-te.patch	2017-04-26 17:52:11.000000000 -1000
@@ -0,0 +1,25 @@
+From: Fil <fil@rezo.net>
+Date: Mon, 6 Mar 2017 13:01:41 +0000
+Subject: =?utf-8?q?=C3=A9chapper_le_contenu_de_l=27ent=C3=AAte?=
+
+Origin: backport, https://core.spip.net/projects/spip/repository/revisions/23440
+---
+ ecrire/public/balises.php | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ecrire/public/balises.php b/ecrire/public/balises.php
+index 27b8f19..47721ce 100644
+--- a/ecrire/public/balises.php
++++ b/ecrire/public/balises.php
+@@ -899,9 +899,9 @@ function balise_HTTP_HEADER_dist($p) {
+ 	if (!$header) {
+ 		$err_b_s_a = array('zbug_balise_sans_argument', array('balise' => 'HTTP_HEADER'));
+ 		erreur_squelette($err_b_s_a, $p);
+-	} else 	$p->code = "'<'.'?php header(\"' . "
++	} else  $p->code = "'<'.'?php header(' . _q("
+ 		. $header
+-		. " . '\"); ?'.'>'";
++		. ") . '); ?'.'>'";
+ 	$p->interdire_scripts = false;
+ 	return $p;
+ }
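Review bot: the `} else  $p->code = ...` branch is a braceless else whose body spans three lines (with a doubled space after else); wrapping it in braces would make the concatenation boundaries obvious and stop a later statement from silently landing outside the else. On the substance, the header value is now passed through _q() at render time instead of being spliced into a double-quoted literal, which removes the $-interpolation and \"-termination problems of the old form; it is worth adding a test that a header argument containing a single quote and a trailing backslash still compiles to a valid PHP statement, since correctness now rests entirely on _q() escaping both characters.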
diff -Nru spip-3.0.17/debian/patches/series spip-3.0.17/debian/patches/series
--- spip-3.0.17/debian/patches/series	2016-03-11 10:32:29.000000000 -1000
+++ spip-3.0.17/debian/patches/series	2017-04-26 17:52:11.000000000 -1000
@@ -7,3 +7,17 @@
 0007-Fix-objects-injection-via-unserialize.patch
 0008-Increase-sanitizing-to-fix-PHP-code-injection.patch
 0009-Update-security-screen.patch
+0010-Report-de-r23063-Sanitizer-controler-les-entree-four.patch
+0011-ne-pas-permettre-n-importe-quoi-en-url-de-site-Tim-C.patch
+0012-Report-de-r23151-Eviter-d-accepter-n-importe-quoi-da.patch
+0013-l-URL-de-rappel-de-mot-de-passe-doit-etre-une-URL-sa.patch
+0014-Eviter-des-illegal-offset-si-l-utilisateur-n-est-pas.patch
+0015-Fix-3831-report-de-r23141-et-r23148.patch
+0016-Report-de-r23179-ne-pas-afficher-l-url-brute-venant-.patch
+0017-Report-de-r23180-pas-d-url-absolue-dans-var_url-Nico.patch
+0018-Report-de-r23185-Eviter-aussi-les-urls-absolues-wind.patch
+0019-Report-de-r23186-echapper-les-guillemets-dans-les-no.patch
+0020-Report-de-r23200-exec-valider_xml-n-est-executable-q.patch
+0021-Fix-3845-s-curiser-les-exec-info_plugin-et-puce_stat.patch
+0022-Fix-3847-s-curiser-exec-plonger.patch
+0023-chapper-le-contenu-de-l-ent-te.patch

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message ---
Version: 8.8

Hi,

Each of these bugs refers to an update that was included in today's
jessie point release. Thanks!

Regards,

Adam

--- End Message ---
