[Pkg-mediawiki-commits] r273 - mediawiki/lenny/debian/patches
Jonathan Wiltshire
jmw at alioth.debian.org
Mon Dec 5 22:14:51 UTC 2011
Author: jmw
Date: 2011-12-05 22:14:51 +0000 (Mon, 05 Dec 2011)
New Revision: 273
Modified:
mediawiki/lenny/debian/patches/CVE-2011-4360.patch
mediawiki/lenny/debian/patches/CVE-2011-4361.patch
Log:
Refresh patches
Modified: mediawiki/lenny/debian/patches/CVE-2011-4360.patch
===================================================================
--- mediawiki/lenny/debian/patches/CVE-2011-4360.patch 2011-12-01 12:38:40 UTC (rev 272)
+++ mediawiki/lenny/debian/patches/CVE-2011-4360.patch 2011-12-05 22:14:51 UTC (rev 273)
@@ -10,12 +10,12 @@
Last-Update: 2011-11-30
---- mediawiki-1.15.5.orig/includes/Wiki.php
-+++ mediawiki-1.15.5/includes/Wiki.php
-@@ -149,6 +149,16 @@
+--- mediawiki-1.12.0.orig/includes/Wiki.php
++++ mediawiki-1.12.0/includes/Wiki.php
+@@ -123,6 +123,16 @@
# the Read array in order for the user to see it. (We have to check here to
# catch special pages etc. We check again in Article::view())
- if( !is_null( $title ) && !$title->userCanRead() ) {
+ if ( !is_null( $title ) && !$title->userCanRead() ) {
+ // Bug 32276: allowing the skin to generate output with $wgTitle
+ // set to the input title would allow anonymous users to
+ // determine whether a page exists, potentially leaking private data. In fact, the
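Review bot: The refreshed patch header still carries `Last-Update: 2011-11-30`, and nothing in the lines visible here records that the hunk was rebased from the mediawiki-1.15.5 tree onto mediawiki-1.12.0. The inner offsets moved from 149 to 123 and the context line changed from `if( ` to `if ( `, so the previous revision presumably did not match lenny's source; anyone auditing whether lenny carries the fix needs that stated. I would bump the date to `Last-Update: 2011-12-05` and mark the patch as a backport to 1.12.0 in its description. The rest of the header lies outside this hunk, so it may already say so. The same applies to the header at the top of CVE-2011-4361.patch.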
@@ -28,4 +28,4 @@
+
$output->loginToUse();
$output->output();
- $output->disable();
+ exit;
Modified: mediawiki/lenny/debian/patches/CVE-2011-4361.patch
===================================================================
--- mediawiki/lenny/debian/patches/CVE-2011-4361.patch 2011-12-01 12:38:40 UTC (rev 272)
+++ mediawiki/lenny/debian/patches/CVE-2011-4361.patch 2011-12-05 22:14:51 UTC (rev 273)
@@ -8,9 +8,9 @@
Forwarded: not-needed
Last-Update: 2011-11-30
---- mediawiki-1.15.5.orig/includes/AjaxDispatcher.php
-+++ mediawiki-1.15.5/includes/AjaxDispatcher.php
-@@ -78,7 +78,7 @@
+--- mediawiki-1.12.0.orig/includes/AjaxDispatcher.php
++++ mediawiki-1.12.0/includes/AjaxDispatcher.php
+@@ -73,7 +73,7 @@
* request.
*/
function performAction() {
@@ -19,8 +19,8 @@
if ( empty( $this->mode ) ) {
return;
-@@ -90,6 +90,13 @@
-
+@@ -83,6 +83,13 @@
+ if (! in_array( $this->func_name, $wgAjaxExportList ) ) {
wfHttpError( 400, 'Bad Request',
"unknown function " . (string) $this->func_name );
+ } elseif ( !in_array( 'read', User::getGroupPermissions( array( '*' ) ), true )
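Review bot: The read-permission guard added at `} elseif ( !in_array( 'read', User::getGroupPermissions( array( '*' ) ), true )` is evaluated only after the `$wgAjaxExportList` test shown in the refreshed context. On a wiki without anonymous read, a request that fails the guard therefore still gets 400 for an unexported name and 403 for an exported one. That difference discloses which Ajax functions are exported; it is low severity, but testing read permission first would give such clients a uniform 403. The remainder of the elseif condition and the rest of performAction lie outside this hunk, so confirm against the full 1.12.0 file before changing the order.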
@@ -31,5 +31,5 @@
+ 'Forbidden',
+ 'You must log in to view pages.' );
} else {
- wfDebug( __METHOD__ . ' dispatching ' . $this->func_name . "\n" );
-
+ if ( strpos( $this->func_name, '::' ) !== false ) {
+ $func = explode( '::', $this->func_name, 2 );