[Pkg-mediawiki-commits] r276 - in mediawiki/squeeze/debian: . patches

Jonathan Wiltshire jmw at alioth.debian.org
Sat Dec 17 23:22:29 UTC 2011 

Author: jmw
Date: 2011-12-17 23:22:29 +0000 (Sat, 17 Dec 2011)
New Revision: 276

Added:
   mediawiki/squeeze/debian/patches/CVE-2011-1580.patch
Modified:
   mediawiki/squeeze/debian/changelog
   mediawiki/squeeze/debian/patches/series
Log:
CVE-2011-1580 Access control checks on transwiki import feature


Modified: mediawiki/squeeze/debian/changelog
===================================================================
--- mediawiki/squeeze/debian/changelog	2011-12-17 23:21:05 UTC (rev 275)
+++ mediawiki/squeeze/debian/changelog	2011-12-17 23:22:29 UTC (rev 276)
@@ -7,8 +7,9 @@
     relevant function without any read permission checks being done
     CVE-2011-1578 - XSS for IE <= 6
     CVE-2011-1579 - CSS validation error in wikitext parser
+    CVE-2011-1580 - access control checks on transwiki import feature
 
- -- Jonathan Wiltshire <jmw at debian.org>  Sat, 17 Dec 2011 23:20:08 +0000
+ -- Jonathan Wiltshire <jmw at debian.org>  Sat, 17 Dec 2011 23:21:33 +0000
 
 mediawiki (1:1.15.5-2squeeze1) stable; urgency=high
 

Added: mediawiki/squeeze/debian/patches/CVE-2011-1580.patch
===================================================================
--- mediawiki/squeeze/debian/patches/CVE-2011-1580.patch	                        (rev 0)
+++ mediawiki/squeeze/debian/patches/CVE-2011-1580.patch	2011-12-17 23:22:29 UTC (rev 276)
@@ -0,0 +1,68 @@
+Description: access control check on transwiki import feature
+ The transwiki import feature is disabled by default. If it is enabled,
+ it allows wiki pages to be copied from a remote wiki listed in
+ $wgImportSources. The issue means that any user can trigger such an
+ import to occur.
+Origin: upstream,http://svn.wikimedia.org/viewvc/mediawiki?view=revision&revision=85099
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=28449
+Last-Update: 2011-12-17
+
+--- mediawiki-1.15.5.orig/includes/Title.php
++++ mediawiki-1.15.5/includes/Title.php
+@@ -1090,8 +1090,14 @@
+ 			$errors[] = array( 'confirmedittext' );
+ 		}
+ 
+-		// Edit blocks should not affect reading. Account creation blocks handled at userlogin.
+-		if ( $action != 'read' && $action != 'createaccount' && $user->isBlockedFrom( $this ) ) {
++		if ( in_array( $action, array( 'read', 'createaccount', 'unblock' ) ) ){
++			// Edit blocks should not affect reading.
++			// Account creation blocks handled at userlogin.
++			// Unblocking handled in SpecialUnblock
++		} elseif( ( $action == 'edit' || $action == 'create' ) && !$user->isBlockedFrom( $this ) ){
++			// Don't block the user from editing their own talk page unless they've been
++			// explicitly blocked from that too.
++		} elseif( $user->isBlocked() && $user->mBlock->prevents( $action ) !== false ) {
+ 			$block = $user->mBlock;
+ 
+ 			// This is from OutputPage::blockedPage
+--- mediawiki-1.15.5.orig/includes/specials/SpecialImport.php
++++ mediawiki-1.15.5/includes/specials/SpecialImport.php
+@@ -45,7 +45,7 @@
+ 	 * Execute
+ 	 */
+ 	function execute( $par ) {
+-		global $wgRequest;
++		global $wgRequest, $wgUser, $wgOut;
+ 		
+ 		$this->setHeaders();
+ 		$this->outputHeader();
+@@ -55,7 +55,18 @@
+ 			$wgOut->readOnlyPage();
+ 			return;
+ 		}
+-		
++
++		if( !$wgUser->isAllowedAny( 'import', 'importupload' ) ) {
++			return $wgOut->permissionRequired( 'import' );
++		}
++
++		# TODO: allow Title::getUserPermissionsErrors() to take an array
++		# FIXME: Title::checkSpecialsAndNSPermissions() has a very wierd expectation of what
++		# getUserPermissionsErrors() might actually be used for, hence the 'ns-specialprotected'
++		$errors = wfMergeErrorArrays(
++			$this->getTitle()->getUserPermissionsErrors( 'import', $wgUser, true, array( 'ns-specialprotected' ) ),
++			$this->getTitle()->getUserPermissionsErrors( 'importupload', $wgUser, true, array( 'ns-specialprotected' ) )
++		);
+ 		if ( $wgRequest->wasPosted() && $wgRequest->getVal( 'action' ) == 'submit' ) {
+ 			$this->doImport();
+ 		}
+@@ -133,8 +144,6 @@
+ 
+ 	private function showForm() {
+ 		global $wgUser, $wgOut, $wgRequest, $wgTitle, $wgImportSources, $wgExportMaxLinkDepth;
+-		if( !$wgUser->isAllowed( 'import' ) && !$wgUser->isAllowed( 'importupload' ) )
+-			return $wgOut->permissionRequired( 'import' );
+ 
+ 		$action = $wgTitle->getLocalUrl( 'action=submit' );
+ 

Modified: mediawiki/squeeze/debian/patches/series
===================================================================
--- mediawiki/squeeze/debian/patches/series	2011-12-17 23:21:05 UTC (rev 275)
+++ mediawiki/squeeze/debian/patches/series	2011-12-17 23:22:29 UTC (rev 276)
@@ -9,5 +9,6 @@
 CVE-2011-0047.patch
 CVE-2011-1578.patch
 CVE-2011-1579.patch
+CVE-2011-1580.patch
 CVE-2011-4360.patch
 CVE-2011-4361.patch

More information about the Pkg-mediawiki-commits mailing list