[Pkg-mediawiki-commits] r231 - in mediawiki/lenny/debian: . patches
Jonathan Wiltshire
jmw at alioth.debian.org
Fri Dec 17 21:58:41 UTC 2010
Author: jmw
Date: 2010-12-17 21:58:41 +0000 (Fri, 17 Dec 2010)
New Revision: 231
Added:
mediawiki/lenny/debian/patches/1.15.4-css-security.patch
Modified:
mediawiki/lenny/debian/changelog
mediawiki/lenny/debian/patches/series
Log:
Backport fix for XSS vulnerability affecting IE clients only, due to a CSS validation issue
Modified: mediawiki/lenny/debian/changelog
===================================================================
--- mediawiki/lenny/debian/changelog 2010-12-17 21:53:40 UTC (rev 230)
+++ mediawiki/lenny/debian/changelog 2010-12-17 21:58:41 UTC (rev 231)
@@ -3,9 +3,11 @@
* Stable upload.
* Fixed CSRF vulnerability in "e-mail me my password",
"create account" and "create by e-mail" features of
- [[Special:Userlogin]]
+ [[Special:Userlogin]]. CVE-2010-1648
+ * Fixed XSS vulnerability affecting IE clients only, due to a CSS
+ validation issue. CVE-2010-1647 (Closes: #585918)
- -- Jonathan Wiltshire <jmw at debian.org> Fri, 17 Dec 2010 21:51:07 +0000
+ -- Jonathan Wiltshire <jmw at debian.org> Fri, 17 Dec 2010 21:54:08 +0000
mediawiki (1:1.12.0-2lenny5) stable-security; urgency=high
Added: mediawiki/lenny/debian/patches/1.15.4-css-security.patch
===================================================================
--- mediawiki/lenny/debian/patches/1.15.4-css-security.patch (rev 0)
+++ mediawiki/lenny/debian/patches/1.15.4-css-security.patch 2010-12-17 21:58:41 UTC (rev 231)
@@ -0,0 +1,84 @@
+Description: Fixed XSS vulnerability affecting IE clients only, due to a CSS
+ validation issue.
+Origin: http://www.mediawiki.org/wiki/Special:Code/MediaWiki/66992
+Author: Tim Starling
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=23687
+Last-Update: 2010-12-17
+
+--- mediawiki-1.12.0.orig/includes/Sanitizer.php
++++ mediawiki-1.12.0/includes/Sanitizer.php
+@@ -609,10 +609,6 @@
+ # http://msdn.microsoft.com/workshop/author/dhtml/overview/recalc.asp
+ if( $attribute == 'style' ) {
+ $value = Sanitizer::checkCss( $value );
+- if( $value === false ) {
+- # haxx0r
+- continue;
+- }
+ }
+
+ if ( $attribute === 'id' )
+@@ -668,10 +664,8 @@
+ $value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value );
+
+ // Decode escape sequences and line continuation
+- // See the grammar in the CSS 2 spec, appendix D, Mozilla implements it accurately.
+- // IE 8 doesn't implement it at all, but there's no way to introduce url() into
+- // IE that doesn't hit Mozilla also.
+- static $decodeRegex;
++ // See the grammar in the CSS 2 spec, appendix D.
++ static $decodeRegex, $reencodeTable;
+ if ( !$decodeRegex ) {
+ $space = '[\\x20\\t\\r\\n\\f]';
+ $nl = '(?:\\n|\\r\\n|\\r|\\f)';
+@@ -680,29 +674,39 @@
+ (?:
+ ($nl) | # 1. Line continuation
+ ([0-9A-Fa-f]{1,6})$space? | # 2. character number
+- (.) # 3. backslash cancelling special meaning
++ (.) | # 3. backslash cancelling special meaning
++ () | # 4. backslash at end of string
+ )/xu";
+ }
+- $decoded = preg_replace_callback( $decodeRegex,
++ $value = preg_replace_callback( $decodeRegex,
+ array( __CLASS__, 'cssDecodeCallback' ), $value );
+- if ( preg_match( '!expression|https?://|url\s*\(!i', $decoded ) ) {
+- // Not allowed
+- return false;
+- } else {
+- // Allowed, return CSS with comments stripped
+- return $value;
++ // Reject problematic keywords and control characters
++ if ( preg_match( '/[\000-\010\016-\037\177]/', $value ) ) {
++ return '/* invalid control char */';
++ } elseif ( preg_match( '! expression | filter\s*: | accelerator\s*: | url\s*\( !ix', $value ) ) {
++ return '/* insecure input */';
+ }
++ return $value;
+ }
+
+ static function cssDecodeCallback( $matches ) {
+ if ( $matches[1] !== '' ) {
++ // Line continuation
+ return '';
+ } elseif ( $matches[2] !== '' ) {
+- return codepointToUtf8( hexdec( $matches[2] ) );
++ $char = codepointToUtf8( hexdec( $matches[2] ) );
+ } elseif ( $matches[3] !== '' ) {
+- return $matches[3];
++ $char = $matches[3];
++ } else {
++ $char = '\\';
++ }
++ if ( $char == "\n" || $char == '"' || $char == "'" || $char == '\\' ) {
++ // These characters need to be escaped in strings
++ // Clean up the escape sequence to avoid parsing errors by clients
++ return '\\' . dechex( ord( $char ) ) . ' ';
+ } else {
+- throw new MWException( __METHOD__.': invalid match' );
++ // Decode unnecessary escape
++ return $char;
+ }
+ }
+
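Review bot: checkCss's failure signal changes from `false` to a CSS-comment string (`/* invalid control char */`, `/* insecure input */`), but the patch updates only the one caller in the `$attribute == 'style'` branch, so any other caller in this file still testing `=== false` would now accept the sentinel as valid CSS; worth a grep before upload. The new contract also deserves a docblock line on checkCss, whose signature lies outside the hunk, such as `@return string Sanitized CSS, or a CSS comment placeholder when the input is rejected`. `static $decodeRegex, $reencodeTable;` introduces `$reencodeTable` but nothing in the patch reads or writes it, so the declaration looks like a leftover and could be dropped. The denylist `expression | filter\s*: | accelerator\s*: | url\s*\(` is applied after escape decoding and is IE-focused; a short comment noting that other script-bearing CSS properties (e.g. `behavior:`, `-moz-binding:`) are not covered here would help whoever rechecks this backport against later upstream revisions of the function.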
Modified: mediawiki/lenny/debian/patches/series
===================================================================
--- mediawiki/lenny/debian/patches/series 2010-12-17 21:53:40 UTC (rev 230)
+++ mediawiki/lenny/debian/patches/series 2010-12-17 21:58:41 UTC (rev 231)
@@ -9,3 +9,4 @@
DataLeakage-no-CVE_rev-63436.patch
1.15.3-security.patch
1.15.4-userlogin-security.patch
+1.15.4-css-security.patch