Bug#925314: unblock: wordpress/5.0.3+dfsg1-1
Hi,
Attached is a debdiff between 5.0.3 and 5.0.4, which is essentially the changesets I previously referenced from the upstream SVN repository.
Option 1 is my preference; the main difference between #1 and #2 is the changelog version.
- Craig
diff -Nru wordpress-5.0.3+dfsg1/debian/changelog wordpress-5.0.4+dfsg1/debian/changelog
--- wordpress-5.0.3+dfsg1/debian/changelog 2019-02-05 22:23:39.000000000 +1100
+++ wordpress-5.0.4+dfsg1/debian/changelog 2019-03-24 09:20:02.000000000 +1100
@@ -1,3 +1,10 @@
+wordpress (5.0.4+dfsg1-1) testing-proposed-updates; urgency=medium
+
+ * Backport of 5.1.1 patches
+ * Fix XSS security hole in comments Closes: #924546 CVE-2019-9787
+
+ -- Craig Small <csmall@debian.org> Sun, 24 Mar 2019 09:20:02 +1100
+
wordpress (5.0.3+dfsg1-1) unstable; urgency=medium
* New upstream release
diff -Nru wordpress-5.0.3+dfsg1/wp-admin/about.php wordpress-5.0.4+dfsg1/wp-admin/about.php
--- wordpress-5.0.3+dfsg1/wp-admin/about.php 2019-02-05 21:54:35.000000000 +1100
+++ wordpress-5.0.4+dfsg1/wp-admin/about.php 2019-03-24 09:14:11.000000000 +1100
@@ -65,6 +65,26 @@
<p>
<?php
printf(
+ /* translators: %s: WordPress version number */
+ __( '<strong>Version %s</strong> addressed some security issues.' ),
+ '5.0.4'
+ );
+ ?>
+ <?php
+ printf(
+ /* translators: %s: HelpHub URL */
+ __( 'For more information, see <a href="%s">the release notes</a>.' ),
+ sprintf(
+ /* translators: %s: WordPress version */
+ esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ),
+ sanitize_title( '5.0.4' )
+ )
+ );
+ ?>
+ </p>
+ <p>
+ <?php
+ printf(
/* translators: 1: WordPress version number, 2: plural number of bugs. */
_n(
'<strong>Version %1$s</strong> addressed %2$s bug.',
diff -Nru wordpress-5.0.3+dfsg1/wp-admin/includes/ajax-actions.php wordpress-5.0.4+dfsg1/wp-admin/includes/ajax-actions.php
--- wordpress-5.0.3+dfsg1/wp-admin/includes/ajax-actions.php 2019-02-05 21:54:35.000000000 +1100
+++ wordpress-5.0.4+dfsg1/wp-admin/includes/ajax-actions.php 2019-03-24 09:14:11.000000000 +1100
@@ -1070,6 +1070,8 @@
if ( wp_create_nonce( 'unfiltered-html-comment' ) != $_POST['_wp_unfiltered_html_comment'] ) {
kses_remove_filters(); // start with a clean slate
kses_init_filters(); // set up the filters
+ remove_filter( 'pre_comment_content', 'wp_filter_post_kses' );
+ add_filter( 'pre_comment_content', 'wp_filter_kses' );
}
}
} else {
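Review bot: The two added lines swap the filter that kses_init_filters() hooks on pre_comment_content (wp_filter_post_kses, removed at L56) for wp_filter_kses without saying why, while the two existing comments above only explain the reset; the same two lines are added verbatim in wp-includes/comment.php (the hunk at L64–L72). Put the reason above the remove_filter in both places, e.g. `// kses_init_filters() hooks the post-level filter here; comments must use the comment-level wp_filter_kses instead.` (the "stricter for comments" intent is inferred from the function names, so confirm it against kses.php), or move the four lines into one shared helper so the two call sites cannot drift apart. The loose `!=` comparison of the nonce on the context line is pre-existing and not part of this change. The enclosing function starts before and ends after this hunk.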
diff -Nru wordpress-5.0.3+dfsg1/wp-includes/comment.php wordpress-5.0.4+dfsg1/wp-includes/comment.php
--- wordpress-5.0.3+dfsg1/wp-includes/comment.php 2019-02-05 21:54:35.000000000 +1100
+++ wordpress-5.0.4+dfsg1/wp-includes/comment.php 2019-03-24 09:14:11.000000000 +1100
@@ -3098,6 +3098,8 @@
) {
kses_remove_filters(); // start with a clean slate
kses_init_filters(); // set up the filters
+ remove_filter( 'pre_comment_content', 'wp_filter_post_kses' );
+ add_filter( 'pre_comment_content', 'wp_filter_kses' );
}
}
} else {
diff -Nru wordpress-5.0.3+dfsg1/wp-includes/formatting.php wordpress-5.0.4+dfsg1/wp-includes/formatting.php
--- wordpress-5.0.3+dfsg1/wp-includes/formatting.php 2019-02-05 21:54:35.000000000 +1100
+++ wordpress-5.0.4+dfsg1/wp-includes/formatting.php 2019-03-24 09:14:11.000000000 +1100
@@ -2750,10 +2750,12 @@
$atts = shortcode_parse_atts( $matches[1] );
$rel = 'nofollow';
- if ( preg_match( '%href=["\'](' . preg_quote( set_url_scheme( home_url(), 'http' ) ) . ')%i', $text ) ||
- preg_match( '%href=["\'](' . preg_quote( set_url_scheme( home_url(), 'https' ) ) . ')%i', $text )
- ) {
- return "<a $text>";
+ if ( ! empty( $atts['href'] ) ) {
+ if ( in_array( strtolower( wp_parse_url( $atts['href'], PHP_URL_SCHEME ) ), array( 'http', 'https' ), true ) ) {
+ if ( strtolower( wp_parse_url( $atts['href'], PHP_URL_HOST ) ) === strtolower( wp_parse_url( home_url(), PHP_URL_HOST ) ) ) {
+ return "<a $text>";
+ }
+ }
}
if ( ! empty( $atts['rel'] ) ) {
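Review bot: The new condition at L83–L88 calls wp_parse_url( $atts['href'] ) twice and nests three ifs to express a single predicate; parsing once is clearer and handles a malformed href in one place: `$href_parts = wp_parse_url( $atts['href'] );` followed by `if ( isset( $href_parts['scheme'], $href_parts['host'] ) && in_array( strtolower( $href_parts['scheme'] ), array( 'http', 'https' ), true ) && strtolower( $href_parts['host'] ) === strtolower( wp_parse_url( home_url(), PHP_URL_HOST ) ) ) {`. Note that the removed regex matched the full home_url() prefix, including any path, whereas the new check compares only the host, so a site installed under a sub-path now treats every link to that host as internal; that looks intentional but is worth a one-line comment above the if. The enclosing function starts before and ends after this hunk.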
@@ -2766,11 +2768,11 @@
$html = '';
foreach ( $atts as $name => $value ) {
- $html .= "{$name}=\"$value\" ";
+ $html .= "{$name}=\"" . esc_attr( $value ) . "\" ";
}
$text = trim( $html );
}
- return "<a $text rel=\"$rel\">";
+ return "<a $text rel=\"" . esc_attr( $rel ) . "\">";
}
/**
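Review bot: The rebuilt attribute string at L95 escapes the value but interpolates `$name` raw, and nothing in the hunk records why that is acceptable; if shortcode_parse_atts() restricts named keys to word characters, as I believe it does, state it: `// Keys come from shortcode_parse_atts() (word characters or ints), so only the value needs escaping.` — otherwise escape the name as well. The esc_attr() calls here and at L100 only protect the rebuilt path; the same-host early return added at L86 in the previous hunk still returns `$text` unchanged, which is presumably deliberate because that string keeps the author's original quoting. The enclosing function starts before this hunk.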
diff -Nru wordpress-5.0.3+dfsg1/wp-includes/version.php wordpress-5.0.4+dfsg1/wp-includes/version.php
--- wordpress-5.0.3+dfsg1/wp-includes/version.php 2019-02-05 21:54:35.000000000 +1100
+++ wordpress-5.0.4+dfsg1/wp-includes/version.php 2019-03-24 09:14:11.000000000 +1100
@@ -4,7 +4,7 @@
*
* @global string $wp_version
*/
-$wp_version = '5.0.3';
+$wp_version = '5.0.4';
/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
@@ -33,3 +33,4 @@
* @global string $required_mysql_version
*/
$required_mysql_version = '5.0';
+
\ No newline at end of file