[Pkg-mediawiki-commits] r231 - in mediawiki/lenny/debian: . patches

Jonathan Wiltshire jmw at alioth.debian.org
Fri Dec 17 21:58:41 UTC 2010


Author: jmw
Date: 2010-12-17 21:58:41 +0000 (Fri, 17 Dec 2010)
New Revision: 231

Added:
   mediawiki/lenny/debian/patches/1.15.4-css-security.patch
Modified:
   mediawiki/lenny/debian/changelog
   mediawiki/lenny/debian/patches/series
Log:
Backport fix for XSS vulnerability affecting IE clients only, due to a CSS validation issue

Modified: mediawiki/lenny/debian/changelog
===================================================================
--- mediawiki/lenny/debian/changelog	2010-12-17 21:53:40 UTC (rev 230)
+++ mediawiki/lenny/debian/changelog	2010-12-17 21:58:41 UTC (rev 231)
@@ -3,9 +3,11 @@
   * Stable upload.
   * Fixed CSRF vulnerability in "e-mail me my password",
     "create account" and "create by e-mail" features of
-    [[Special:Userlogin]]
+    [[Special:Userlogin]]. CVE-2010-1648
+  * Fixed XSS vulnerability affecting IE clients only, due to a CSS
+    validation issue. CVE-2010-1647 (Closes: #585918)
 
- -- Jonathan Wiltshire <jmw at debian.org>  Fri, 17 Dec 2010 21:51:07 +0000
+ -- Jonathan Wiltshire <jmw at debian.org>  Fri, 17 Dec 2010 21:54:08 +0000
 
 mediawiki (1:1.12.0-2lenny5) stable-security; urgency=high
 

Added: mediawiki/lenny/debian/patches/1.15.4-css-security.patch
===================================================================
--- mediawiki/lenny/debian/patches/1.15.4-css-security.patch	                        (rev 0)
+++ mediawiki/lenny/debian/patches/1.15.4-css-security.patch	2010-12-17 21:58:41 UTC (rev 231)
@@ -0,0 +1,84 @@
+Description: Fixed XSS vulnerability affecting IE clients only, due to a CSS
+ validation issue.
+Origin: http://www.mediawiki.org/wiki/Special:Code/MediaWiki/66992
+Author: Tim Starling
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=23687
+Last-Update: 2010-12-17
+
+--- mediawiki-1.12.0.orig/includes/Sanitizer.php
++++ mediawiki-1.12.0/includes/Sanitizer.php
+@@ -609,10 +609,6 @@
+ 			# http://msdn.microsoft.com/workshop/author/dhtml/overview/recalc.asp
+ 			if( $attribute == 'style' ) {
+ 				$value = Sanitizer::checkCss( $value );
+-				if( $value === false ) {
+-					# haxx0r
+-					continue;
+-				}
+ 			}
+ 
+ 			if ( $attribute === 'id' )
+@@ -668,10 +664,8 @@
+ 		$value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value );
+ 
+ 		// Decode escape sequences and line continuation
+-		// See the grammar in the CSS 2 spec, appendix D, Mozilla implements it accurately.
+- 		// IE 8 doesn't implement it at all, but there's no way to introduce url() into
+-		// IE that doesn't hit Mozilla also.
+-		static $decodeRegex;
++		// See the grammar in the CSS 2 spec, appendix D.
++		static $decodeRegex, $reencodeTable;
+ 		if ( !$decodeRegex ) {
+ 			$space = '[\\x20\\t\\r\\n\\f]';
+ 			$nl = '(?:\\n|\\r\\n|\\r|\\f)';
+@@ -680,29 +674,39 @@
+ 				(?:
+ 					($nl) |  # 1. Line continuation
+ 					([0-9A-Fa-f]{1,6})$space? |  # 2. character number
+-					(.) # 3. backslash cancelling special meaning
++					(.) | # 3. backslash cancelling special meaning
++					() | # 4. backslash at end of string
+ 				)/xu";
+ 		}
+-		$decoded = preg_replace_callback( $decodeRegex,
++		$value = preg_replace_callback( $decodeRegex,
+ 			array( __CLASS__, 'cssDecodeCallback' ), $value );
+-		if ( preg_match( '!expression|https?://|url\s*\(!i', $decoded ) ) {
+-			// Not allowed	
+-			return false;
+-		} else {
+-			// Allowed, return CSS with comments stripped
+-			return $value;
++		// Reject problematic keywords and control characters
++		if ( preg_match( '/[\000-\010\016-\037\177]/', $value ) ) {
++			return '/* invalid control char */';
++		} elseif ( preg_match( '! expression | filter\s*: | accelerator\s*: | url\s*\( !ix', $value ) ) {
++			return '/* insecure input */';
+ 		}
++		return $value;
+ 	}
+ 
+ 	static function cssDecodeCallback( $matches ) {
+ 		if ( $matches[1] !== '' ) {
++			// Line continuation
+ 			return '';
+ 		} elseif ( $matches[2] !== '' ) {
+-			return codepointToUtf8( hexdec( $matches[2] ) );
++			$char = codepointToUtf8( hexdec( $matches[2] ) );
+ 		} elseif ( $matches[3] !== '' ) {
+-			return $matches[3];
++			$char = $matches[3];
++		} else {
++			$char = '\\';
++		}
++		if ( $char == "\n" || $char == '"' || $char == "'" || $char == '\\' ) {
++			// These characters need to be escaped in strings
++			// Clean up the escape sequence to avoid parsing errors by clients
++			return '\\' . dechex( ord( $char ) ) . ' ';
+ 		} else {
+-			throw new MWException( __METHOD__.': invalid match' );
++			// Decode unnecessary escape
++			return $char;
+ 		}
+ 	}
+ 
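Review bot: In the new `checkCss` body the comment stripping (`delimiterReplace( '/*', '*/', ' ', $value )`, the context line just above the decode step) still runs before escape decoding, yet `cssDecodeCallback` only re-escapes newline, the two quote characters and backslash, so `\2f` and `\2a` decode to a literal `/` and `*` and the returned value can contain a `/* … */` that the stripping pass never saw — `expr\2f*x*\2fession` decodes to `expr/*x*/ession`, which the `expression | filter\s*: | …` check on the decoded string does not match. Whether a given client then joins the two halves back into `expression` is a browser-parsing question this patch does not settle, but the sanitizer's own assumption (the keyword check sees comment-free text) no longer holds. The cheap fix is to repeat the stripping on the decoded value, directly before the control-character check: `// Strip comments again: escape decoding can reconstruct /* */ markers` followed by `$value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value );` — alternatively add `/` and `*` to the characters `cssDecodeCallback` re-encodes. Both inner hunks start mid-function (the attribute loop and `checkCss` begin outside the patch), so the callers of the new `'/* … */'` return strings are not visible here; presumably they were already tolerant of a string return, since the `=== false` branch is removed in the first hunk.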

Modified: mediawiki/lenny/debian/patches/series
===================================================================
--- mediawiki/lenny/debian/patches/series	2010-12-17 21:53:40 UTC (rev 230)
+++ mediawiki/lenny/debian/patches/series	2010-12-17 21:58:41 UTC (rev 231)
@@ -9,3 +9,4 @@
 DataLeakage-no-CVE_rev-63436.patch
 1.15.3-security.patch
 1.15.4-userlogin-security.patch
+1.15.4-css-security.patch



