
Bug#925314: unblock: wordpress/5.0.3+dfsg1-1



Hi,
  Attached is a debdiff between 5.0.3 and 5.0.4, which is essentially the changesets I previously referenced from the upstream SVN repository.

Option 1 is my preference, the main difference between #1 and #2 was the changelog version.

 - Craig

diff -Nru wordpress-5.0.3+dfsg1/debian/changelog wordpress-5.0.4+dfsg1/debian/changelog
--- wordpress-5.0.3+dfsg1/debian/changelog	2019-02-05 22:23:39.000000000 +1100
+++ wordpress-5.0.4+dfsg1/debian/changelog	2019-03-24 09:20:02.000000000 +1100
@@ -1,3 +1,10 @@
+wordpress (5.0.4+dfsg1-1) testing-proposed-updates; urgency=medium
+
+  * Backport of 5.1.1 patches
+  * Fix XSS security hole in comments Closes: #924546 CVE-2019-9787
+
+ -- Craig Small <csmall@debian.org>  Sun, 24 Mar 2019 09:20:02 +1100
+
 wordpress (5.0.3+dfsg1-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru wordpress-5.0.3+dfsg1/wp-admin/about.php wordpress-5.0.4+dfsg1/wp-admin/about.php
--- wordpress-5.0.3+dfsg1/wp-admin/about.php	2019-02-05 21:54:35.000000000 +1100
+++ wordpress-5.0.4+dfsg1/wp-admin/about.php	2019-03-24 09:14:11.000000000 +1100
@@ -65,6 +65,26 @@
 			<p>
 				<?php
 				printf(
+					/* translators: %s: WordPress version number */
+					__( '<strong>Version %s</strong> addressed some security issues.' ),
+					'5.0.4'
+				);
+				?>
+				<?php
+				printf(
+					/* translators: %s: HelpHub URL */
+					__( 'For more information, see <a href="%s">the release notes</a>.' ),
+					sprintf(
+						/* translators: %s: WordPress version */
+						esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+						sanitize_title( '5.0.4' )
+					)
+				);
+				?>
+			</p>
+			<p>
+				<?php
+				printf(
 					/* translators: 1: WordPress version number, 2: plural number of bugs. */
 					_n(
 						'<strong>Version %1$s</strong> addressed %2$s bug.',
diff -Nru wordpress-5.0.3+dfsg1/wp-admin/includes/ajax-actions.php wordpress-5.0.4+dfsg1/wp-admin/includes/ajax-actions.php
--- wordpress-5.0.3+dfsg1/wp-admin/includes/ajax-actions.php	2019-02-05 21:54:35.000000000 +1100
+++ wordpress-5.0.4+dfsg1/wp-admin/includes/ajax-actions.php	2019-03-24 09:14:11.000000000 +1100
@@ -1070,6 +1070,8 @@
 			if ( wp_create_nonce( 'unfiltered-html-comment' ) != $_POST['_wp_unfiltered_html_comment'] ) {
 				kses_remove_filters(); // start with a clean slate
 				kses_init_filters(); // set up the filters
+				remove_filter( 'pre_comment_content', 'wp_filter_post_kses' );
+				add_filter( 'pre_comment_content', 'wp_filter_kses' );
 			}
 		}
 	} else {
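Review bot: The new `remove_filter( 'pre_comment_content', 'wp_filter_post_kses' )` only takes effect if `kses_init_filters()` registered that callback at the default priority, and it fails silently otherwise, leaving the post-level allowed-tag list in force for a commenter whose unfiltered_html nonce did not verify; checking its return value, or having the KSES helper expose the comment-level filter directly, would make that dependency explicit. Nothing in the hunk records why the swap exists, so add `// Nonce check failed: replace the post-level KSES list with the stricter comment-level one (CVE-2019-9787).` above the two added lines. The same four-line sequence is added verbatim in wp-includes/comment.php, so a shared helper would keep the two call sites from drifting. The enclosing function starts and ends outside the hunk.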
diff -Nru wordpress-5.0.3+dfsg1/wp-includes/comment.php wordpress-5.0.4+dfsg1/wp-includes/comment.php
--- wordpress-5.0.3+dfsg1/wp-includes/comment.php	2019-02-05 21:54:35.000000000 +1100
+++ wordpress-5.0.4+dfsg1/wp-includes/comment.php	2019-03-24 09:14:11.000000000 +1100
@@ -3098,6 +3098,8 @@
 			) {
 				kses_remove_filters(); // start with a clean slate
 				kses_init_filters(); // set up the filters
+				remove_filter( 'pre_comment_content', 'wp_filter_post_kses' );
+				add_filter( 'pre_comment_content', 'wp_filter_kses' );
 			}
 		}
 	} else {
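Review bot: The two added lines duplicate the sequence added in wp-admin/includes/ajax-actions.php; together with the preceding `kses_remove_filters()`/`kses_init_filters()` pair they form a four-line ritual that now lives in two files and should be one helper called from both, so a later change to the comment-level filter is not applied in only one of them. Until then a why-comment is the minimum: `// Fall back to the comment-level KSES allowed tags when unfiltered_html is not proven by nonce (CVE-2019-9787).` The multi-line condition that gates this block, and the enclosing function, begin before the hunk, so the exact trigger (presumably a failed nonce check mirroring ajax-actions.php) cannot be confirmed from here.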
diff -Nru wordpress-5.0.3+dfsg1/wp-includes/formatting.php wordpress-5.0.4+dfsg1/wp-includes/formatting.php
--- wordpress-5.0.3+dfsg1/wp-includes/formatting.php	2019-02-05 21:54:35.000000000 +1100
+++ wordpress-5.0.4+dfsg1/wp-includes/formatting.php	2019-03-24 09:14:11.000000000 +1100
@@ -2750,10 +2750,12 @@
 	$atts = shortcode_parse_atts( $matches[1] );
 	$rel  = 'nofollow';
 
-	if ( preg_match( '%href=["\'](' . preg_quote( set_url_scheme( home_url(), 'http' ) ) . ')%i', $text ) ||
-	     preg_match( '%href=["\'](' . preg_quote( set_url_scheme( home_url(), 'https' ) ) . ')%i', $text )
-	) {
-		return "<a $text>";
+	if ( ! empty( $atts['href'] ) ) {
+		if ( in_array( strtolower( wp_parse_url( $atts['href'], PHP_URL_SCHEME ) ), array( 'http', 'https' ), true ) ) {
+			if ( strtolower( wp_parse_url( $atts['href'], PHP_URL_HOST ) ) === strtolower( wp_parse_url( home_url(), PHP_URL_HOST ) ) ) {
+				return "<a $text>";
+			}
+		}
 	}
 
 	if ( ! empty( $atts['rel'] ) ) {
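Review bot: The new local-link test compares only the host of `$atts['href']` with the host of `home_url()`, whereas the replaced regex matched the full `home_url()` prefix; on an install whose home URL includes a path (a subdirectory install or subdirectory multisite), a link to an unrelated path on the same host is now exempt from nofollow, which may or may not be intended and deserves a comment either way. `wp_parse_url()` is also called three times inside three nested ifs, and `strtolower()` receives null or false when the href has no scheme or host; hoisting the parts into locals with a string cast and refusing an empty host (so a scheme-only href cannot match an empty home host) keeps the check in one readable condition. Port numbers are dropped by `PHP_URL_HOST`, so `http://home:8080/` also counts as local — minor, but worth knowing.
```php
	if ( ! empty( $atts['href'] ) ) {
		$href_scheme = strtolower( (string) wp_parse_url( $atts['href'], PHP_URL_SCHEME ) );
		$href_host   = strtolower( (string) wp_parse_url( $atts['href'], PHP_URL_HOST ) );
		$home_host   = strtolower( (string) wp_parse_url( home_url(), PHP_URL_HOST ) );

		// Skip nofollow only for absolute http(s) links back to this site's host.
		// NOTE: host-only match; a home_url() that carries a path is not distinguished.
		if ( in_array( $href_scheme, array( 'http', 'https' ), true )
			&& '' !== $href_host
			&& $href_host === $home_host
		) {
			return "<a $text>";
		}
	}
	// … unchanged: rel handling …
```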
@@ -2766,11 +2768,11 @@
 
 		$html = '';
 		foreach ( $atts as $name => $value ) {
-			$html .= "{$name}=\"$value\" ";
+			$html .= "{$name}=\"" . esc_attr( $value ) . "\" ";
 		}
 		$text = trim( $html );
 	}
-	return "<a $text rel=\"$rel\">";
+	return "<a $text rel=\"" . esc_attr( $rel ) . "\">";
 }
 
 /**
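Review bot: The added `esc_attr( $value )` escapes the attribute value, but `$name` is still interpolated raw into `{$name}="..."`, so whether the rebuilt tag is attribute-safe now depends entirely on what `shortcode_parse_atts()` lets through as a key (its name pattern is outside this hunk). A positional attribute such as a bare `download` arrives as an integer key and is emitted as `0="download"`, which is pre-existing but shows the loop trusts keys blindly; skipping anything that is not a well-formed attribute name, e.g. `if ( ! is_string( $name ) || ! preg_match( '/^[a-zA-Z][a-zA-Z0-9_:.-]*$/', $name ) ) { continue; }` before the concatenation, closes that gap regardless of the parser. The `$rel` value escaped on the last changed line is assembled between the two hunks, outside this view.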
diff -Nru wordpress-5.0.3+dfsg1/wp-includes/version.php wordpress-5.0.4+dfsg1/wp-includes/version.php
--- wordpress-5.0.3+dfsg1/wp-includes/version.php	2019-02-05 21:54:35.000000000 +1100
+++ wordpress-5.0.4+dfsg1/wp-includes/version.php	2019-03-24 09:14:11.000000000 +1100
@@ -4,7 +4,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '5.0.3';
+$wp_version = '5.0.4';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
@@ -33,3 +33,4 @@
  * @global string $required_mysql_version
  */
 $required_mysql_version = '5.0';
+	
\ No newline at end of file
