[Pkg-mediawiki-commits] r273 - mediawiki/lenny/debian/patches

Jonathan Wiltshire jmw at alioth.debian.org
Mon Dec 5 22:14:51 UTC 2011


Author: jmw
Date: 2011-12-05 22:14:51 +0000 (Mon, 05 Dec 2011)
New Revision: 273

Modified:
   mediawiki/lenny/debian/patches/CVE-2011-4360.patch
   mediawiki/lenny/debian/patches/CVE-2011-4361.patch
Log:
Refresh patches

Modified: mediawiki/lenny/debian/patches/CVE-2011-4360.patch
===================================================================
--- mediawiki/lenny/debian/patches/CVE-2011-4360.patch	2011-12-01 12:38:40 UTC (rev 272)
+++ mediawiki/lenny/debian/patches/CVE-2011-4360.patch	2011-12-05 22:14:51 UTC (rev 273)
@@ -10,12 +10,12 @@
 Last-Update: 2011-11-30
 
 
---- mediawiki-1.15.5.orig/includes/Wiki.php
-+++ mediawiki-1.15.5/includes/Wiki.php
-@@ -149,6 +149,16 @@
+--- mediawiki-1.12.0.orig/includes/Wiki.php
++++ mediawiki-1.12.0/includes/Wiki.php
+@@ -123,6 +123,16 @@
  		# the Read array in order for the user to see it. (We have to check here to
  		# catch special pages etc. We check again in Article::view())
- 		if( !is_null( $title ) && !$title->userCanRead() ) {
+ 		if ( !is_null( $title ) && !$title->userCanRead() ) {
 +			// Bug 32276: allowing the skin to generate output with $wgTitle
 +			// set to the input title would allow anonymous users to
 +			// determine whether a page exists, potentially leaking private data. In fact, the
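Review bot: The DEP-3 header kept as context at the top of this hunk still reads `Last-Update: 2011-11-30`, although this revision rebases the patch body from mediawiki-1.15.5 to mediawiki-1.12.0 paths and offsets. Bumping it to the refresh date, `Last-Update: 2011-12-05`, would record which form of the fix was last reviewed. The same header is left unchanged in CVE-2011-4361.patch. The rest of the added block in Wiki.php falls between this hunk and the next one, so the fix itself cannot be checked from the lines shown here.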
@@ -28,4 +28,4 @@
 +
  			$output->loginToUse();
  			$output->output();
- 			$output->disable();
+ 			exit;

Modified: mediawiki/lenny/debian/patches/CVE-2011-4361.patch
===================================================================
--- mediawiki/lenny/debian/patches/CVE-2011-4361.patch	2011-12-01 12:38:40 UTC (rev 272)
+++ mediawiki/lenny/debian/patches/CVE-2011-4361.patch	2011-12-05 22:14:51 UTC (rev 273)
@@ -8,9 +8,9 @@
 Forwarded: not-needed
 Last-Update: 2011-11-30
 
---- mediawiki-1.15.5.orig/includes/AjaxDispatcher.php
-+++ mediawiki-1.15.5/includes/AjaxDispatcher.php
-@@ -78,7 +78,7 @@
+--- mediawiki-1.12.0.orig/includes/AjaxDispatcher.php
++++ mediawiki-1.12.0/includes/AjaxDispatcher.php
+@@ -73,7 +73,7 @@
  	 * request.
  	 */
  	function performAction() {
@@ -19,8 +19,8 @@
  
  		if ( empty( $this->mode ) ) {
  			return;
-@@ -90,6 +90,13 @@
- 
+@@ -83,6 +83,13 @@
+ 		if (! in_array( $this->func_name, $wgAjaxExportList ) ) {
  			wfHttpError( 400, 'Bad Request',
  				"unknown function " . (string) $this->func_name );
 +		} elseif ( !in_array( 'read', User::getGroupPermissions( array( '*' ) ), true )
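Review bot: The log message "Refresh patches" does not say whether the rebased access check was exercised on 1.12.0 or only made to apply cleanly. That matters here because the refreshed context shows a different dispatcher from the 1.15.5 one the patch was written against: the `$wgAjaxExportList` check in this hunk and the `Class::method` split via `explode( '::', ... )` in the next. The added `elseif` calls `User::getGroupPermissions( array( '*' ) )` statically, and the remainder of its condition lies outside the lines shown. I would add a line to the log or the patch header stating that, on a 1.12.0 wiki with `read` removed from `*`, an anonymous AJAX request gets the 'Forbidden' response.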
@@ -31,5 +31,5 @@
 +				'Forbidden',
 +				'You must log in to view pages.' );
  		} else {
- 			wfDebug( __METHOD__ . ' dispatching ' . $this->func_name . "\n" );
- 
+ 			if ( strpos( $this->func_name, '::' ) !== false ) {
+ 				$func = explode( '::', $this->func_name, 2 );



