[Pkg-mediawiki-commits] r423 - in mediawiki-extensions/branches/squeeze/debian: . patches
Jonathan Wiltshire
jmw at alioth.debian.org
Sun Dec 30 14:33:34 UTC 2012
Author: jmw
Date: 2012-12-30 14:33:33 +0000 (Sun, 30 Dec 2012)
New Revision: 423
Modified:
mediawiki-extensions/branches/squeeze/debian/changelog
mediawiki-extensions/branches/squeeze/debian/patches/fix_rssreader.patch
Log:
Backport fix for RSSReader injection vulnerability
Modified: mediawiki-extensions/branches/squeeze/debian/changelog
===================================================================
--- mediawiki-extensions/branches/squeeze/debian/changelog 2012-12-29 22:56:08 UTC (rev 422)
+++ mediawiki-extensions/branches/squeeze/debian/changelog 2012-12-30 14:33:33 UTC (rev 423)
@@ -1,3 +1,10 @@
+mediawiki-extensions (2.3squeeze2) stable-security; urgency=high
+
+ * RSSReader: Protect against an injection attack by malicious
+ feeds (CLoses: #696179)
+
+ -- Jonathan Wiltshire <jmw at debian.org> Sun, 30 Dec 2012 14:15:58 +0000
+
mediawiki-extensions (2.3squeeze1) stable; urgency=low
* Non-maintainer upload.
Modified: mediawiki-extensions/branches/squeeze/debian/patches/fix_rssreader.patch
===================================================================
--- mediawiki-extensions/branches/squeeze/debian/patches/fix_rssreader.patch 2012-12-29 22:56:08 UTC (rev 422)
+++ mediawiki-extensions/branches/squeeze/debian/patches/fix_rssreader.patch 2012-12-30 14:33:33 UTC (rev 423)
@@ -6,19 +6,22 @@
* add $egCacheDir which can be overridden by people who like to cache
* fix rendering path to CSS
* make work with PHP 5.3
+* stop using $rss->unhtmlentities and sanitise RSS bodies correctly
Also add documentation of these changes as README.Debian and point to
upstream's documentation in form of a wikipage.
-Index: trunk/dist/mediawiki-extensions-base/usr/share/mediawiki-extensions/base/RSS_Reader/RSSReader.php
-===================================================================
---- trunk/dist/mediawiki-extensions-base/usr/share/mediawiki-extensions/base/RSS_Reader/RSSReader.php (revision 196)
-+++ trunk/dist/mediawiki-extensions-base/usr/share/mediawiki-extensions/base/RSS_Reader/RSSReader.php (working copy)
-@@ -22,10 +22,11 @@
+Bump the version to 0.2.6 to denote fixing the RSS title and body
+input sanitisation vulnerability, but do not rebase against the new
+upstream version to keep the diff small.
+
+--- a/dist/mediawiki-extensions-base/usr/share/mediawiki-extensions/base/RSS_Reader/RSSReader.php
++++ b/dist/mediawiki-extensions-base/usr/share/mediawiki-extensions/base/RSS_Reader/RSSReader.php
+@@ -22,10 +22,11 @@ if ( !defined('MEDIAWIKI') ) {
}
$wgExtensionFunctions[] = 'efRSSReader';
-+$wgRSSReaderExtVersion = '0.2.5';
++$wgRSSReaderExtVersion = '0.2.6';
$wgExtensionCredits['parserhook'][] = array(
'name' => 'RSS Reader',
@@ -71,6 +74,61 @@
}
$rss->cache = $egCache; //cache attribute
$rss->cache_time = $cacheTime; //refresh time in seconds
+@@ -183,7 +189,7 @@ function efCreateRSSReader($input, $argv
+ foreach ($fields as $field) {
+ //table cell that contains a single RSS feed
+ $output .= '<td valign="top" style="width: '.$width.'%;">';
+- if ($rssArray = $rss->get($field)){
++ if (($rssArray = $rss->get($field)) && (isset($rssArray['link']) || isset($rssArray['title']) || isset($rssArray['description']))) {
+ if ($dispTitle) { //check if title should be displayed
+ $output .=
+ '<div class="RSSReader-head">'.
+@@ -209,10 +215,15 @@ function efCreateRSSReader($input, $argv
+ $output .= '<a href="'.$item['link'].'" ';
+ //decide if nofollow is needed
+ if ($egNoFollow) $output .= 'rel="nofollow"';
+- $item_title=preg_replace("|\[rsslist:.+?\]|", "", $rss->unhtmlentities($item['title']));
++ $item_title=preg_replace("|\[rsslist:.+?\]|", "",
++ htmlspecialchars(html_entity_decode(html_entity_decode($item['title'],
++ ENT_QUOTES, "UTF-8"), ENT_QUOTES, "UTF-8"), ENT_QUOTES, "UTF-8"));
+ $output .= '>'.$item_title.'</a>';
+ if ($text) {
+- $desc = preg_replace("|\[rsslist:.+?\]|", "", $rss->unhtmlentities($item['description']));
++ $desc = preg_replace("|\[rsslist:.+?\]|", "",
++ Sanitizer::removeHTMLtags(html_entity_decode($item['description'],
++ ENT_QUOTES, "UTF-8"), null, array(),
++ array('a', /* does not work */ 'img')));
+ $output .= "</h3>\n$desc</div>\n";
+ } else $output .= "</li>\n";
+ /*if reached the number of desired display items stop working on
+--- a/dist/mediawiki-extensions-base/usr/share/mediawiki-extensions/base/RSS_Reader/lastRSS.php
++++ b/dist/mediawiki-extensions-base/usr/share/mediawiki-extensions/base/RSS_Reader/lastRSS.php
+@@ -149,14 +149,14 @@ class lastRSS {
+ { $this->rsscp = $this->default_cp; } // This is used in my_preg_match()
+
+ // Parse CHANNEL info
+- preg_match("'<channel.*?>(.*?)</channel>'si", $rss_content, $out_channel);
++ preg_match("'<channel.*?>(.*)</channel>'si", $rss_content, $out_channel);
+ foreach($this->channeltags as $channeltag)
+ {
+ $temp = $this->my_preg_match("'<$channeltag.*?>(.*?)</$channeltag>'si", $out_channel[1]);
+ if ($temp != '') $result[$channeltag] = $temp; // Set only if not empty
+ }
+ // If date_format is specified and lastBuildDate is valid
+- if ($this->date_format != '' && ($timestamp = strtotime($result['lastBuildDate'])) !==-1) {
++ if ($this->date_format != '' && isset($result['lastBuildDate']) && ($timestamp = strtotime($result['lastBuildDate'])) !==-1) {
+ // convert lastBuildDate to specified date format
+ $result['lastBuildDate'] = date($this->date_format, $timestamp);
+ }
+@@ -198,7 +198,7 @@ class lastRSS {
+ if ($this->stripHTML && $result['items'][$i]['title'])
+ $result['items'][$i]['title'] = strip_tags($this->unhtmlentities(strip_tags($result['items'][$i]['title'])));
+ // If date_format is specified and pubDate is valid
+- if ($this->date_format != '' && ($timestamp = strtotime($result['items'][$i]['pubDate'])) !==-1) {
++ if ($this->date_format != '' && isset($result['items'][$i]['pubDate']) && ($timestamp = strtotime($result['items'][$i]['pubDate'])) !== -1) {
+ // convert pubDate to specified date format
+ $result['items'][$i]['pubDate'] = date($this->date_format, $timestamp);
+ }
--- /dev/null
+++ mediawiki-extensions-2.3/dist/mediawiki-extensions-base/usr/share/doc/mediawiki-extensions/base/RSS_Reader/README.Debian 2010-06-25 15:44:30.000000000 +0200
@@ -0,0 +1,10 @@
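Review bot: The feed's link is still written raw into the anchor on `$output .= '<a href="'.$item['link'].'" ';`, so a feed whose <link> contains a double quote can break out of the href attribute and a `javascript:` URL is passed through unchanged; the commit escapes the title and description but leaves this field alone, and nothing visible in the lastRSS hunks touches the link value. At minimum that line should become `$output .= '<a href="'.htmlspecialchars($item['link'], ENT_QUOTES, 'UTF-8').'" ';`, and the scheme should be checked against the wiki's allowed URL protocols (e.g. `$wgUrlProtocols`) before the anchor is emitted. Separately, the `/* does not work */` marker beside `'img'` in the Sanitizer::removeHTMLtags call says nothing about what fails; if that fourth argument is the extra-tags allowlist, the comment should state why the tag is still dropped (presumably core's attribute whitelist for img — confirm against the target MediaWiki version) or the entry should be removed. efCreateRSSReader begins and ends outside this hunk.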