[Pkg-mediawiki-commits] r416 - in mediawiki-extensions/trunk: . debian debian/patches
Thorsten Glaser
tg at alioth.debian.org
Sat Dec 29 21:58:33 UTC 2012
Author: tg
Date: 2012-12-29 21:58:33 +0000 (Sat, 29 Dec 2012)
New Revision: 416
Modified:
mediawiki-extensions/trunk/
mediawiki-extensions/trunk/debian/changelog
mediawiki-extensions/trunk/debian/patches/fix_rssreader.patch
Log:
wheezy pending merges:
tg 2012-12-29 prepare for upload, with changed RSS_Reader version number
tg 2012-12-19 draft using MediaWiki Sanitizer::removeHTMLtags in favour
Property changes on: mediawiki-extensions/trunk
___________________________________________________________________
Modified: svn:mergeinfo
- /mediawiki-extensions/tags/2.9:387
/mediawiki-extensions/branches/wheezy:399,409
+ /mediawiki-extensions/tags/2.9:387
/mediawiki-extensions/branches/wheezy:399,409,414-415
Modified: svk:merge
- c8d5af4f-db58-4189-9c90-7fc989bc9e04:/mediawiki-extensions/branches/wheezy:409
+ c8d5af4f-db58-4189-9c90-7fc989bc9e04:/mediawiki-extensions/branches/wheezy:409
c8d5af4f-db58-4189-9c90-7fc989bc9e04:/mediawiki-extensions/branches/wheezy:415
Modified: mediawiki-extensions/trunk/debian/changelog
===================================================================
--- mediawiki-extensions/trunk/debian/changelog 2012-12-29 19:13:29 UTC (rev 415)
+++ mediawiki-extensions/trunk/debian/changelog 2012-12-29 21:58:33 UTC (rev 416)
@@ -1,3 +1,9 @@
+mediawiki-extensions (3.2) xexperimental; urgency=medium
+
+ * Merge mediawiki-extensions (2.11) upload (Closes: #696179)
+
+ -- Thorsten Glaser <tg at mirbsd.de> Sat, 29 Dec 2012 22:57:53 +0100
+
mediawiki-extensions (3.1) experimental; urgency=high
* RSS_Reader: fix Javascript injection (Closes: #696179)
@@ -11,6 +17,21 @@
-- Thorsten Glaser <tg at mirbsd.de> Thu, 29 Nov 2012 16:55:02 +0100
+mediawiki-extensions (2.11) unstable; urgency=medium
+
+ * RSS_Reader: correctly sanitise the message body as well,
+ fixes another injection and HTML validity (the bodies are
+ not normally shown though, so only medium urgency); same
+ as 2.10; no CVE identifier yet (Closes: #696179)
+
+ -- Thorsten Glaser <tg at mirbsd.de> Sat, 29 Dec 2012 19:12:39 +0100
+
+mediawiki-extensions (2.10) unstable; urgency=high
+
+ * RSS_Reader: fix Javascript injection (Closes: #696179)
+
+ -- Thorsten Glaser <tg at mirbsd.de> Mon, 17 Dec 2012 17:21:32 +0100
+
mediawiki-extensions (2.9) unstable; urgency=low
* Collection: fix downloading generated PDFs from the render server
Modified: mediawiki-extensions/trunk/debian/patches/fix_rssreader.patch
===================================================================
--- mediawiki-extensions/trunk/debian/patches/fix_rssreader.patch 2012-12-29 19:13:29 UTC (rev 415)
+++ mediawiki-extensions/trunk/debian/patches/fix_rssreader.patch 2012-12-29 21:58:33 UTC (rev 416)
@@ -11,17 +11,22 @@
* XHTML/1.0 Transitional validity of output
* fix a bunch of PHP warnings
* fix a user security issue wrt. HTML in RSS <title>s
+* stop using $rss->unhtmlentities and sanitise RSS bodies correctly
Also add documentation of these changes as README.Debian and point to
upstream's documentation in form of a wikipage.
+Bump the version to 0.2.6 to denote fixing the RSS title and body
+input sanitisation vulnerability, but do not rebase against the new
+upstream version to keep the diff small.
+
--- a/dist/mediawiki-extensions-base/usr/share/mediawiki-extensions/base/RSS_Reader/RSSReader.php
+++ b/dist/mediawiki-extensions-base/usr/share/mediawiki-extensions/base/RSS_Reader/RSSReader.php
@@ -22,10 +22,11 @@ if ( !defined('MEDIAWIKI') ) {
}
$wgExtensionFunctions[] = 'efRSSReader';
-+$wgRSSReaderExtVersion = '0.2.5';
++$wgRSSReaderExtVersion = '0.2.6';
$wgExtensionCredits['parserhook'][] = array(
'name' => 'RSS Reader',
@@ -98,17 +103,24 @@
if ($dispTitle) { //check if title should be displayed
$output .=
'<div class="RSSReader-head">'.
-@@ -209,7 +215,9 @@ function efCreateRSSReader($input, $argv
+@@ -209,10 +215,15 @@ function efCreateRSSReader($input, $argv
$output .= '<a href="'.$item['link'].'" ';
//decide if nofollow is needed
if ($egNoFollow) $output .= 'rel="nofollow"';
- $item_title=preg_replace("|\[rsslist:.+?\]|", "", $rss->unhtmlentities($item['title']));
+ $item_title=preg_replace("|\[rsslist:.+?\]|", "",
-+ htmlspecialchars(html_entity_decode($rss->unhtmlentities($item['title']),
-+ ENT_QUOTES, "UTF-8"), ENT_QUOTES, "UTF-8"));
++ htmlspecialchars(html_entity_decode(html_entity_decode($item['title'],
++ ENT_QUOTES, "UTF-8"), ENT_QUOTES, "UTF-8"), ENT_QUOTES, "UTF-8"));
$output .= '>'.$item_title.'</a>';
if ($text) {
- $desc = preg_replace("|\[rsslist:.+?\]|", "", $rss->unhtmlentities($item['description']));
+- $desc = preg_replace("|\[rsslist:.+?\]|", "", $rss->unhtmlentities($item['description']));
++ $desc = preg_replace("|\[rsslist:.+?\]|", "",
++ Sanitizer::removeHTMLtags(html_entity_decode($item['description'],
++ ENT_QUOTES, "UTF-8"), null, array(),
++ array('a', /* does not work */ 'img')));
+ $output .= "</h3>\n$desc</div>\n";
+ } else $output .= "</li>\n";
+ /*if reached the number of desired display items stop working on
--- a/dist/mediawiki-extensions-base/usr/share/mediawiki-extensions/base/RSS_Reader/lastRSS.php
+++ b/dist/mediawiki-extensions-base/usr/share/mediawiki-extensions/base/RSS_Reader/lastRSS.php
@@ -149,14 +149,14 @@ class lastRSS {
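Review bot: `$item['link']` on the `'<a href="'.$item['link'].'" '` context line just above the new title handling is still concatenated raw into the href attribute, so one feed-supplied field is escaped while the one next to it is not. It should at least pass through `htmlspecialchars($item['link'], ENT_QUOTES, "UTF-8")`, and ideally be accepted only when it parses as an http/https URL, before being placed in the attribute. For the description, the fourth argument to `Sanitizer::removeHTMLtags` appears to re-allow `<a>` (and `<img>`, marked "does not work" without saying why); whether the surviving `href` is scheme-checked then depends on the Sanitizer's attribute whitelist for `a`, which is worth confirming and recording in the `/* */` comment. The enclosing efCreateRSSReader body begins and ends outside this hunk.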