[Pkg-mediawiki-commits] r423 - in mediawiki-extensions/branches/squeeze/debian: . patches

Jonathan Wiltshire jmw at alioth.debian.org
Sun Dec 30 14:33:34 UTC 2012


Author: jmw
Date: 2012-12-30 14:33:33 +0000 (Sun, 30 Dec 2012)
New Revision: 423

Modified:
   mediawiki-extensions/branches/squeeze/debian/changelog
   mediawiki-extensions/branches/squeeze/debian/patches/fix_rssreader.patch
Log:
Backport fix for RSSReader injection vulnerability

Modified: mediawiki-extensions/branches/squeeze/debian/changelog
===================================================================
--- mediawiki-extensions/branches/squeeze/debian/changelog	2012-12-29 22:56:08 UTC (rev 422)
+++ mediawiki-extensions/branches/squeeze/debian/changelog	2012-12-30 14:33:33 UTC (rev 423)
@@ -1,3 +1,10 @@
+mediawiki-extensions (2.3squeeze2) stable-security; urgency=high
+
+  * RSSReader: Protect against an injection attack by malicious
+    feeds (CLoses: #696179)
+
+ -- Jonathan Wiltshire <jmw at debian.org>  Sun, 30 Dec 2012 14:15:58 +0000
+
 mediawiki-extensions (2.3squeeze1) stable; urgency=low
 
   * Non-maintainer upload.

Modified: mediawiki-extensions/branches/squeeze/debian/patches/fix_rssreader.patch
===================================================================
--- mediawiki-extensions/branches/squeeze/debian/patches/fix_rssreader.patch	2012-12-29 22:56:08 UTC (rev 422)
+++ mediawiki-extensions/branches/squeeze/debian/patches/fix_rssreader.patch	2012-12-30 14:33:33 UTC (rev 423)
@@ -6,19 +6,22 @@
 * add $egCacheDir which can be overridden by people who like to cache
 * fix rendering path to CSS
 * make work with PHP 5.3
+* stop using $rss->unhtmlentities and sanitise RSS bodies correctly
 
 Also add documentation of these changes as README.Debian and point to
 upstream's documentation in form of a wikipage.
 
-Index: trunk/dist/mediawiki-extensions-base/usr/share/mediawiki-extensions/base/RSS_Reader/RSSReader.php
-===================================================================
---- trunk/dist/mediawiki-extensions-base/usr/share/mediawiki-extensions/base/RSS_Reader/RSSReader.php	(revision 196)
-+++ trunk/dist/mediawiki-extensions-base/usr/share/mediawiki-extensions/base/RSS_Reader/RSSReader.php	(working copy)
-@@ -22,10 +22,11 @@
+Bump the version to 0.2.6 to denote fixing the RSS title and body
+input sanitisation vulnerability, but do not rebase against the new
+upstream version to keep the diff small.
+
+--- a/dist/mediawiki-extensions-base/usr/share/mediawiki-extensions/base/RSS_Reader/RSSReader.php
++++ b/dist/mediawiki-extensions-base/usr/share/mediawiki-extensions/base/RSS_Reader/RSSReader.php
+@@ -22,10 +22,11 @@ if ( !defined('MEDIAWIKI') ) {
  }
  
  $wgExtensionFunctions[] = 'efRSSReader';
-+$wgRSSReaderExtVersion = '0.2.5';
++$wgRSSReaderExtVersion = '0.2.6';
  
  $wgExtensionCredits['parserhook'][] = array(
  	'name' => 'RSS Reader',
@@ -71,6 +74,61 @@
      }
      $rss->cache = $egCache; //cache attribute
      $rss->cache_time = $cacheTime; //refresh time in seconds
+@@ -183,7 +189,7 @@ function efCreateRSSReader($input, $argv
+     foreach ($fields as $field) {
+       //table cell that contains a single RSS feed
+       $output .= '<td valign="top" style="width: '.$width.'%;">';
+-      if ($rssArray = $rss->get($field)){
++      if (($rssArray = $rss->get($field)) && (isset($rssArray['link']) || isset($rssArray['title']) || isset($rssArray['description']))) {
+         if ($dispTitle) { //check if title should be displayed
+           $output .=
+             '<div class="RSSReader-head">'.
+@@ -209,10 +215,15 @@ function efCreateRSSReader($input, $argv
+           $output .= '<a href="'.$item['link'].'" ';
+           //decide if nofollow is needed
+           if ($egNoFollow) $output .= 'rel="nofollow"';
+-          $item_title=preg_replace("|\[rsslist:.+?\]|", "", $rss->unhtmlentities($item['title']));
++          $item_title=preg_replace("|\[rsslist:.+?\]|", "",
++            htmlspecialchars(html_entity_decode(html_entity_decode($item['title'],
++            ENT_QUOTES, "UTF-8"), ENT_QUOTES, "UTF-8"), ENT_QUOTES, "UTF-8"));
+           $output .= '>'.$item_title.'</a>';
+           if ($text) {
+-            $desc = preg_replace("|\[rsslist:.+?\]|", "", $rss->unhtmlentities($item['description']));
++            $desc = preg_replace("|\[rsslist:.+?\]|", "",
++              Sanitizer::removeHTMLtags(html_entity_decode($item['description'],
++              ENT_QUOTES, "UTF-8"), null, array(),
++              array('a', /* does not work */ 'img')));
+             $output .= "</h3>\n$desc</div>\n";
+           } else $output .= "</li>\n";
+           /*if reached the number of desired display items stop working on
+--- a/dist/mediawiki-extensions-base/usr/share/mediawiki-extensions/base/RSS_Reader/lastRSS.php
++++ b/dist/mediawiki-extensions-base/usr/share/mediawiki-extensions/base/RSS_Reader/lastRSS.php
+@@ -149,14 +149,14 @@ class lastRSS {
+ 				{ $this->rsscp = $this->default_cp; } // This is used in my_preg_match()
+ 
+ 			// Parse CHANNEL info
+-			preg_match("'<channel.*?>(.*?)</channel>'si", $rss_content, $out_channel);
++			preg_match("'<channel.*?>(.*)</channel>'si", $rss_content, $out_channel);
+ 			foreach($this->channeltags as $channeltag)
+ 			{
+ 				$temp = $this->my_preg_match("'<$channeltag.*?>(.*?)</$channeltag>'si", $out_channel[1]);
+ 				if ($temp != '') $result[$channeltag] = $temp; // Set only if not empty
+ 			}
+ 			// If date_format is specified and lastBuildDate is valid
+-			if ($this->date_format != '' && ($timestamp = strtotime($result['lastBuildDate'])) !==-1) {
++			if ($this->date_format != '' && isset($result['lastBuildDate']) && ($timestamp = strtotime($result['lastBuildDate'])) !==-1) {
+ 						// convert lastBuildDate to specified date format
+ 						$result['lastBuildDate'] = date($this->date_format, $timestamp);
+ 			}
+@@ -198,7 +198,7 @@ class lastRSS {
+ 					if ($this->stripHTML && $result['items'][$i]['title'])
+ 						$result['items'][$i]['title'] = strip_tags($this->unhtmlentities(strip_tags($result['items'][$i]['title'])));
+ 					// If date_format is specified and pubDate is valid
+-					if ($this->date_format != '' && ($timestamp = strtotime($result['items'][$i]['pubDate'])) !==-1) {
++					if ($this->date_format != '' && isset($result['items'][$i]['pubDate']) && ($timestamp = strtotime($result['items'][$i]['pubDate'])) !== -1) {
+ 						// convert pubDate to specified date format
+ 						$result['items'][$i]['pubDate'] = date($this->date_format, $timestamp);
+ 					}
 --- /dev/null
 +++ mediawiki-extensions-2.3/dist/mediawiki-extensions-base/usr/share/doc/mediawiki-extensions/base/RSS_Reader/README.Debian	2010-06-25 15:44:30.000000000 +0200
 @@ -0,0 +1,10 @@
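Review bot: The feed's `$item['link']` is still concatenated raw into the anchor on the context line `$output .= '<a href="'.$item['link'].'" ';`, so a malicious feed can close the attribute with a `"` or supply a `javascript:` URL; the new code escapes the title and description but leaves this third feed-controlled value untouched. I would escape it and restrict the scheme before emitting it, e.g. `$link = htmlspecialchars($item['link'], ENT_QUOTES, 'UTF-8');` guarded by `if (!preg_match('|^https?://|i', $item['link'])) $link = '';`, then use `$link` in the href. Separately, please confirm what the fourth argument of `Sanitizer::removeHTMLtags` means on the MediaWiki version this squeeze package targets: if it is the "extra allowed tags" list rather than a "tags to remove" list, passing `array('a', 'img')` whitelists those tags in feed bodies instead of stripping them, which the `/* does not work */` remark hints at. The enclosing function `efCreateRSSReader` starts and ends outside this hunk.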



