[Pkg-mediawiki-commits] r233 - in mediawiki/lenny/debian: . patches

Jonathan Wiltshire jmw at alioth.debian.org
Fri Dec 17 23:36:17 UTC 2010 

Author: jmw
Date: 2010-12-17 23:36:17 +0000 (Fri, 17 Dec 2010)
New Revision: 233

Added:
   mediawiki/lenny/debian/patches/1.15.5-profileinfo-security.patch
Modified:
   mediawiki/lenny/debian/changelog
   mediawiki/lenny/debian/patches/series
Log:
Backport fix for XSS vulnerability in profileinfo.php for installations with $wgEnableProfileInfo = true (false by default)

Modified: mediawiki/lenny/debian/changelog
===================================================================
--- mediawiki/lenny/debian/changelog	2010-12-17 22:26:22 UTC (rev 232)
+++ mediawiki/lenny/debian/changelog	2010-12-17 23:36:17 UTC (rev 233)
@@ -6,8 +6,10 @@
     [[Special:Userlogin]]. CVE-2010-1648
   * Fixed XSS vulnerability affecting IE clients only, due to a CSS
     validation issue. CVE-2010-1647 (Closes: #585918)
+  * Fixed an XSS vulnerability in profileinfo.php for installations
+    with $wgEnableProfileInfo = true (false by default) (Closes: #590669)
 
- -- Jonathan Wiltshire <jmw at debian.org>  Fri, 17 Dec 2010 21:54:08 +0000
+ -- Jonathan Wiltshire <jmw at debian.org>  Fri, 17 Dec 2010 23:32:46 +0000
 
 mediawiki (1:1.12.0-2lenny5) stable-security; urgency=high
 

Added: mediawiki/lenny/debian/patches/1.15.5-profileinfo-security.patch
===================================================================
--- mediawiki/lenny/debian/patches/1.15.5-profileinfo-security.patch	                        (rev 0)
+++ mediawiki/lenny/debian/patches/1.15.5-profileinfo-security.patch	2010-12-17 23:36:17 UTC (rev 233)
@@ -0,0 +1,76 @@
+Descripto: Fixed an XSS vulnerability in profileinfo.php for installations
+ with $wgEnableProfileInfo = true (false by default)
+Origin: http://www.mediawiki.org/wiki/Special:Code/MediaWiki/66989
+Author: Tim Starling
+Last-Update: 2010-12-17
+
+--- mediawiki-1.12.0.orig/profileinfo.php
++++ mediawiki-1.12.0/profileinfo.php
+@@ -52,7 +52,8 @@
+ require_once( './includes/GlobalFunctions.php' );
+ 
+ if (!$wgEnableProfileInfo) {
+-	echo "disabled\n";
++	echo "<p>Disabled</p>\n";
++	echo "</body></html>";
+ 	exit( 1 );
+ }
+ 
+@@ -95,7 +96,7 @@
+ 		else	$ex = false;
+ 		if (!$ex) {
+ 			if (count($this->children)) {
+-				$url = makeurl(false, false, $expand + array($this->name() => true));
++				$url = getEscapedProfileUrl(false, false, $expand + array($this->name() => true));
+ 				$extet = " <a href=\"$url\">[+]</a>";
+ 			} else $extet = '';
+ 		} else {
+@@ -104,7 +105,7 @@
+ 				if ($name != $this->name())
+ 					$e += array($name => $ep);
+ 
+-			$extet = " <a href=\"" . makeurl(false, false, $e) . "\">[&ndash;]</a>";
++			$extet = " <a href=\"" . getEscapedProfileUrl(false, false, $e) . "\">[&ndash;]</a>";
+ 		}
+ 		?>
+ 		<tr>
+@@ -181,26 +182,30 @@
+ 
+ <table cellspacing="0">
+ <tr id="top">
+-<th><a href="<?php echo makeurl(false, "time") ?>">Time</a></th>
++<th><a href="<?php echo getEscapedProfileUrl(false, "time") ?>">Time</a></th>
+ <th>Time (%)</th>
+-<th><a href="<?php echo makeurl(false, "count") ?>">Count</a></th>
++<th><a href="<?php echo getEscapedProfileUrl(false, "count") ?>">Count</a></th>
+ <th>Avg calls per request</th>
+-<th><a href="<?php echo makeurl(false, "name") ?>">Name</a></th>
++<th><a href="<?php echo getEscapedProfileUrl(false, "name") ?>">Name</a></th>
+ </tr>
+ <?php
+ $totaltime = 0.0;
+ $totalcount = 0;
+ 
+-function makeurl($_filter = false, $_sort = false, $_expand = false) {
++function getEscapedProfileUrl( $_filter = false, $_sort = false, $_expand = false ) {
+ 	global $filter, $sort, $expand;
+ 
+-	if ($_expand === false)
++	if ( $_expand === false )
+ 		$_expand = $expand;
+ 
+-	$nfilter = $_filter ? $_filter : $filter;
+-	$nsort = $_sort ? $_sort : $sort;
+-	$exp = urlencode(implode(',', array_keys($_expand)));
+-	return "?filter=$nfilter&amp;sort=$nsort&amp;expand=$exp";
++	return htmlspecialchars(
++		'?' .
++		wfArrayToCGI( array(
++			'filter' => $_filter ? $_filter : $filter,
++			'sort' => $_sort ? $_sort : $sort,
++			'expand' => implode( ',', array_keys( $_expand ) )
++		) )
++	);
+ }
+ 
+ $points = array();

Modified: mediawiki/lenny/debian/patches/series
===================================================================
--- mediawiki/lenny/debian/patches/series	2010-12-17 22:26:22 UTC (rev 232)
+++ mediawiki/lenny/debian/patches/series	2010-12-17 23:36:17 UTC (rev 233)
@@ -10,3 +10,4 @@
 1.15.3-security.patch
 1.15.4-userlogin-security.patch
 1.15.4-css-security.patch
+1.15.5-profileinfo-security.patch

More information about the Pkg-mediawiki-commits mailing list