[Pkg-mediawiki-commits] r409 - in mediawiki-extensions/branches/wheezy/debian: . patches

Thorsten Glaser tg at alioth.debian.org
Mon Dec 17 16:26:46 UTC 2012


Author: tg
Date: 2012-12-17 16:26:45 +0000 (Mon, 17 Dec 2012)
New Revision: 409

Modified:
   mediawiki-extensions/branches/wheezy/debian/changelog
   mediawiki-extensions/branches/wheezy/debian/patches/fix_rssreader.patch
Log:
and here's the fix for the javascript injection


Modified: mediawiki-extensions/branches/wheezy/debian/changelog
===================================================================
--- mediawiki-extensions/branches/wheezy/debian/changelog	2012-12-17 14:40:13 UTC (rev 408)
+++ mediawiki-extensions/branches/wheezy/debian/changelog	2012-12-17 16:26:45 UTC (rev 409)
@@ -1,3 +1,9 @@
+mediawiki-extensions (2.10) unstable; urgency=high
+
+  * RSS_Reader: fix Javascript injection (Closes: #696179)
+
+ -- Thorsten Glaser <tg at mirbsd.de>  Mon, 17 Dec 2012 17:21:32 +0100
+
 mediawiki-extensions (2.9) unstable; urgency=low
 
   * Collection: fix downloading generated PDFs from the render server
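Review bot: the new changelog entry describes the change as "fix Javascript injection" while the patch header in the second file calls the same change "a user security issue wrt. HTML in RSS <title>s"; align the two so the changelog names the field that is escaped, e.g. `* RSS_Reader: fix Javascript injection via HTML in feed item titles (Closes: #696179)`. urgency=high is appropriate for a security fix.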

Modified: mediawiki-extensions/branches/wheezy/debian/patches/fix_rssreader.patch
===================================================================
--- mediawiki-extensions/branches/wheezy/debian/patches/fix_rssreader.patch	2012-12-17 14:40:13 UTC (rev 408)
+++ mediawiki-extensions/branches/wheezy/debian/patches/fix_rssreader.patch	2012-12-17 16:26:45 UTC (rev 409)
@@ -10,6 +10,7 @@
   a CSS class that can be used for styling RSS output instead
 * XHTML/1.0 Transitional validity of output
 * fix a bunch of PHP warnings
+* fix a user security issue wrt. HTML in RSS <title>s
 
 Also add documentation of these changes as README.Debian and point to
 upstream's documentation in form of a wikipage.
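Review bot: the added bullet says "HTML in RSS <title>s", but the only escaping in the hunk that follows is applied to `$item['title']` inside efCreateRSSReader, and `<title>` can equally be read as the feed-level channel title. State precisely what is covered, e.g. `* fix a user security issue: escape HTML in RSS item titles`; since this description also becomes README.Debian per the paragraph below, the same wording reaches users.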
@@ -97,6 +98,17 @@
          if ($dispTitle) { //check if title should be displayed
            $output .=
              '<div class="RSSReader-head">'.
+@@ -209,7 +215,9 @@ function efCreateRSSReader($input, $argv
+           $output .= '<a href="'.$item['link'].'" ';
+           //decide if nofollow is needed
+           if ($egNoFollow) $output .= 'rel="nofollow"';
+-          $item_title=preg_replace("|\[rsslist:.+?\]|", "", $rss->unhtmlentities($item['title']));
++          $item_title=preg_replace("|\[rsslist:.+?\]|", "",
++            htmlspecialchars(html_entity_decode($rss->unhtmlentities($item['title']),
++            ENT_QUOTES, "UTF-8"), ENT_QUOTES, "UTF-8"));
+           $output .= '>'.$item_title.'</a>';
+           if ($text) {
+             $desc = preg_replace("|\[rsslist:.+?\]|", "", $rss->unhtmlentities($item['description']));
 --- a/dist/mediawiki-extensions-base/usr/share/mediawiki-extensions/base/RSS_Reader/lastRSS.php
 +++ b/dist/mediawiki-extensions-base/usr/share/mediawiki-extensions/base/RSS_Reader/lastRSS.php
 @@ -149,14 +149,14 @@ class lastRSS {
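Review bot: the escaping added to `$item_title` leaves two neighbouring feed-supplied values in the same hunk untouched: the context line `$output .= '<a href="'.$item['link'].'" ';` writes `$item['link']` into the href attribute without htmlspecialchars, so quote characters in a feed link can still break out of the attribute, and the `$desc` line at the end of the hunk still only strips `[rsslist:...]` from `$item['description']`. Apply the same `htmlspecialchars(..., ENT_QUOTES, "UTF-8")` to `$item['link']` (ideally after checking that the scheme is http or https), and confirm that `$desc` is escaped before it is appended further down, or escape it here as well. A one-line comment above the `html_entity_decode` call saying that the title is decoded twice (`unhtmlentities`, then `html_entity_decode`) to normalise double-encoded entities before the final escape would also help, since without it the nested calls read as redundant.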