[Pkg-mediawiki-commits] r416 - in mediawiki-extensions/trunk: . debian debian/patches

Thorsten Glaser tg at alioth.debian.org
Sat Dec 29 21:58:33 UTC 2012


Author: tg
Date: 2012-12-29 21:58:33 +0000 (Sat, 29 Dec 2012)
New Revision: 416

Modified:
   mediawiki-extensions/trunk/
   mediawiki-extensions/trunk/debian/changelog
   mediawiki-extensions/trunk/debian/patches/fix_rssreader.patch
Log:
wheezy pending merges:
  tg 2012-12-29 prepare for upload, with changed RSS_Reader version number
    tg 2012-12-19 draft using MediaWiki Sanitizer::removeHTMLtags in favour of $rss->unhtmlentities


Property changes on: mediawiki-extensions/trunk
___________________________________________________________________
Modified: svn:mergeinfo
   - /mediawiki-extensions/tags/2.9:387
/mediawiki-extensions/branches/wheezy:399,409

   + /mediawiki-extensions/tags/2.9:387
/mediawiki-extensions/branches/wheezy:399,409,414-415

Modified: svk:merge
   - c8d5af4f-db58-4189-9c90-7fc989bc9e04:/mediawiki-extensions/branches/wheezy:409

   + c8d5af4f-db58-4189-9c90-7fc989bc9e04:/mediawiki-extensions/branches/wheezy:409
c8d5af4f-db58-4189-9c90-7fc989bc9e04:/mediawiki-extensions/branches/wheezy:415


Modified: mediawiki-extensions/trunk/debian/changelog
===================================================================
--- mediawiki-extensions/trunk/debian/changelog	2012-12-29 19:13:29 UTC (rev 415)
+++ mediawiki-extensions/trunk/debian/changelog	2012-12-29 21:58:33 UTC (rev 416)
@@ -1,3 +1,9 @@
+mediawiki-extensions (3.2) xexperimental; urgency=medium
+
+  * Merge mediawiki-extensions (2.11) upload (Closes: #696179)
+
+ -- Thorsten Glaser <tg at mirbsd.de>  Sat, 29 Dec 2012 22:57:53 +0100
+
 mediawiki-extensions (3.1) experimental; urgency=high
 
   * RSS_Reader: fix Javascript injection (Closes: #696179)
@@ -11,6 +17,21 @@
 
  -- Thorsten Glaser <tg at mirbsd.de>  Thu, 29 Nov 2012 16:55:02 +0100
 
+mediawiki-extensions (2.11) unstable; urgency=medium
+
+  * RSS_Reader: correctly sanitise the message body as well,
+    fixes another injection and HTML validity (the bodies are
+    not normally shown though, so only medium urgency); same
+    as 2.10; no CVE identifier yet (Closes: #696179)
+
+ -- Thorsten Glaser <tg at mirbsd.de>  Sat, 29 Dec 2012 19:12:39 +0100
+
+mediawiki-extensions (2.10) unstable; urgency=high
+
+  * RSS_Reader: fix Javascript injection (Closes: #696179)
+
+ -- Thorsten Glaser <tg at mirbsd.de>  Mon, 17 Dec 2012 17:21:32 +0100
+
 mediawiki-extensions (2.9) unstable; urgency=low
 
   * Collection: fix downloading generated PDFs from the render server

Modified: mediawiki-extensions/trunk/debian/patches/fix_rssreader.patch
===================================================================
--- mediawiki-extensions/trunk/debian/patches/fix_rssreader.patch	2012-12-29 19:13:29 UTC (rev 415)
+++ mediawiki-extensions/trunk/debian/patches/fix_rssreader.patch	2012-12-29 21:58:33 UTC (rev 416)
@@ -11,17 +11,22 @@
 * XHTML/1.0 Transitional validity of output
 * fix a bunch of PHP warnings
 * fix a user security issue wrt. HTML in RSS <title>s
+* stop using $rss->unhtmlentities and sanitise RSS bodies correctly
 
 Also add documentation of these changes as README.Debian and point to
 upstream's documentation in form of a wikipage.
 
+Bump the version to 0.2.6 to denote fixing the RSS title and body
+input sanitisation vulnerability, but do not rebase against the new
+upstream version to keep the diff small.
+
 --- a/dist/mediawiki-extensions-base/usr/share/mediawiki-extensions/base/RSS_Reader/RSSReader.php
 +++ b/dist/mediawiki-extensions-base/usr/share/mediawiki-extensions/base/RSS_Reader/RSSReader.php
 @@ -22,10 +22,11 @@ if ( !defined('MEDIAWIKI') ) {
  }
  
  $wgExtensionFunctions[] = 'efRSSReader';
-+$wgRSSReaderExtVersion = '0.2.5';
++$wgRSSReaderExtVersion = '0.2.6';
  
  $wgExtensionCredits['parserhook'][] = array(
  	'name' => 'RSS Reader',
@@ -98,17 +103,24 @@
          if ($dispTitle) { //check if title should be displayed
            $output .=
              '<div class="RSSReader-head">'.
-@@ -209,7 +215,9 @@ function efCreateRSSReader($input, $argv
+@@ -209,10 +215,15 @@ function efCreateRSSReader($input, $argv
            $output .= '<a href="'.$item['link'].'" ';
            //decide if nofollow is needed
            if ($egNoFollow) $output .= 'rel="nofollow"';
 -          $item_title=preg_replace("|\[rsslist:.+?\]|", "", $rss->unhtmlentities($item['title']));
 +          $item_title=preg_replace("|\[rsslist:.+?\]|", "",
-+            htmlspecialchars(html_entity_decode($rss->unhtmlentities($item['title']),
-+            ENT_QUOTES, "UTF-8"), ENT_QUOTES, "UTF-8"));
++            htmlspecialchars(html_entity_decode(html_entity_decode($item['title'],
++            ENT_QUOTES, "UTF-8"), ENT_QUOTES, "UTF-8"), ENT_QUOTES, "UTF-8"));
            $output .= '>'.$item_title.'</a>';
            if ($text) {
-             $desc = preg_replace("|\[rsslist:.+?\]|", "", $rss->unhtmlentities($item['description']));
+-            $desc = preg_replace("|\[rsslist:.+?\]|", "", $rss->unhtmlentities($item['description']));
++            $desc = preg_replace("|\[rsslist:.+?\]|", "",
++              Sanitizer::removeHTMLtags(html_entity_decode($item['description'],
++              ENT_QUOTES, "UTF-8"), null, array(),
++              array('a', /* does not work */ 'img')));
+             $output .= "</h3>\n$desc</div>\n";
+           } else $output .= "</li>\n";
+           /*if reached the number of desired display items stop working on
 --- a/dist/mediawiki-extensions-base/usr/share/mediawiki-extensions/base/RSS_Reader/lastRSS.php
 +++ b/dist/mediawiki-extensions-base/usr/share/mediawiki-extensions/base/RSS_Reader/lastRSS.php
 @@ -149,14 +149,14 @@ class lastRSS {
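Review bot: The `[rsslist:…]` marker is stripped from the description only after `Sanitizer::removeHTMLtags` has run, so the sanitiser validates a string that differs from what is actually emitted; the feed author controls those markers, and removing one afterwards can splice two individually harmless fragments into a token the sanitiser would have rejected (for instance inside an attribute of the newly allowed `<a>`). Apply the `preg_replace` to the decoded input first and sanitise last: `$desc = Sanitizer::removeHTMLtags(preg_replace("|\[rsslist:.+?\]|", "", html_entity_decode($item['description'], ENT_QUOTES, "UTF-8")), null, array(), array('a', /* does not work */ 'img'));` — the title path is safe in its current order because `htmlspecialchars` leaves nothing for the removal to reassemble. Note also that the fourth argument of `removeHTMLtags` is the list of extra tags to allow, so `<a>`/`<img>` with feed-supplied `href`/`src` pass through and rely entirely on the Sanitizer's attribute whitelist and URL checks of the installed MediaWiki version, which is worth confirming. Separately, the context line `$output .= '<a href="'.$item['link'].'" ';` still interpolates the feed's link into the attribute unescaped and without a scheme check; unless lastRSS.php (its hunk is outside this view) already sanitises it, `htmlspecialchars($item['link'], ENT_QUOTES, "UTF-8")` plus a check that the link is http(s) is needed there too. efCreateRSSReader begins and ends outside this hunk.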



