[Pkg-mediawiki-commits] r478 - in mediawiki/branches/wheezy/debian: . patches
Jonathan Wiltshire
jmw at alioth.debian.org
Sun Sep 8 18:42:52 UTC 2013
Author: jmw
Date: 2013-09-08 18:42:51 +0000 (Sun, 08 Sep 2013)
New Revision: 478
Added:
mediawiki/branches/wheezy/debian/patches/CVE-2013-4302.patch
Modified:
mediawiki/branches/wheezy/debian/changelog
mediawiki/branches/wheezy/debian/patches/series
Log:
Apply upstream patch for CVE-2013-4302
Modified: mediawiki/branches/wheezy/debian/changelog
===================================================================
--- mediawiki/branches/wheezy/debian/changelog 2013-09-08 14:42:13 UTC (rev 477)
+++ mediawiki/branches/wheezy/debian/changelog 2013-09-08 18:42:51 UTC (rev 478)
@@ -1,3 +1,10 @@
+mediawiki (1:1.19.5-1+deb7u1) stable-security; urgency=low
+
+ * CVE-2013-4302: apply patch from upstream to prevent
+ access to anti-CSRF tokens via JSONP
+
+ -- Jonathan Wiltshire <jmw at debian.org> Sun, 08 Sep 2013 19:40:24 +0100
+
mediawiki (1:1.19.5-1) unstable; urgency=high
[ Platonides ]
Added: mediawiki/branches/wheezy/debian/patches/CVE-2013-4302.patch
===================================================================
--- mediawiki/branches/wheezy/debian/patches/CVE-2013-4302.patch (rev 0)
+++ mediawiki/branches/wheezy/debian/patches/CVE-2013-4302.patch 2013-09-08 18:42:51 UTC (rev 478)
@@ -0,0 +1,87 @@
+From f8998c726550b85ab6a4362c364a51f1604ea687 Mon Sep 17 00:00:00 2001
+From: Brad Jorsch <bjorsch at wikimedia.org>
+Date: Tue, 3 Sep 2013 07:59:13 -0700
+Subject: [PATCH] SECURITY: Prevent tokens in jsonp mode
+
+Add checks to token-returning functions to prevent returning tokens in
+jsonp mode. This affects action=login, action=block, action=unblock, and
+action=query&list=deletedrevs.
+
+Bug: 49090
+Change-Id: Ibeaa5c72d8084585092b15935a3f5709104bf7f7
+---
+ includes/api/ApiBlock.php | 4 ++++
+ includes/api/ApiLogin.php | 9 +++++++++
+ includes/api/ApiQueryDeletedrevs.php | 5 +++++
+ includes/api/ApiUnblock.php | 4 ++++
+ 5 files changed, 24 insertions(+), 1 deletion(-)
+
+diff --git a/includes/api/ApiBlock.php b/includes/api/ApiBlock.php
+index 351ac6b..5c9e68f 100644
+--- a/includes/api/ApiBlock.php
++++ b/includes/api/ApiBlock.php
+@@ -47,6 +47,10 @@ class ApiBlock extends ApiBase {
+ $params = $this->extractRequestParams();
+
+ if ( $params['gettoken'] ) {
++ // If we're in JSON callback mode, no tokens can be obtained
++ if ( !is_null( $this->getMain()->getRequest()->getVal( 'callback' ) ) ) {
++ $this->dieUsage( 'Cannot get token when using a callback', 'aborted' );
++ }
+ $res['blocktoken'] = $user->getEditToken( '', $this->getMain()->getRequest() );
+ $this->getResult()->addValue( null, $this->getModuleName(), $res );
+ return;
+diff --git a/includes/api/ApiLogin.php b/includes/api/ApiLogin.php
+index aa570cb..3384910 100644
+--- a/includes/api/ApiLogin.php
++++ b/includes/api/ApiLogin.php
+@@ -46,6 +46,15 @@ class ApiLogin extends ApiBase {
+ * is reached. The expiry is $this->mLoginThrottle.
+ */
+ public function execute() {
++ // If we're in JSON callback mode, no tokens can be obtained
++ if ( !is_null( $this->getMain()->getRequest()->getVal( 'callback' ) ) ) {
++ $this->getResult()->addValue( null, 'login', array(
++ 'result' => 'Aborted',
++ 'reason' => 'Cannot log in when using a callback',
++ ) );
++ return;
++ }
++
+ $params = $this->extractRequestParams();
+
+ $result = array();
+diff --git a/includes/api/ApiQueryDeletedrevs.php b/includes/api/ApiQueryDeletedrevs.php
+index 0a0cc93..13978f9 100644
+--- a/includes/api/ApiQueryDeletedrevs.php
++++ b/includes/api/ApiQueryDeletedrevs.php
+@@ -57,6 +57,11 @@ class ApiQueryDeletedrevs extends ApiQueryBase {
+ $fld_content = isset( $prop['content'] );
+ $fld_token = isset( $prop['token'] );
+
++ // If we're in JSON callback mode, no tokens can be obtained
++ if ( !is_null( $this->getMain()->getRequest()->getVal( 'callback' ) ) ) {
++ $fld_token = false;
++ }
++
+ $result = $this->getResult();
+ $pageSet = $this->getPageSet();
+ $titles = $pageSet->getTitles();
+diff --git a/includes/api/ApiUnblock.php b/includes/api/ApiUnblock.php
+index d0ad3a8..122cb98 100644
+--- a/includes/api/ApiUnblock.php
++++ b/includes/api/ApiUnblock.php
+@@ -44,6 +44,10 @@ class ApiUnblock extends ApiBase {
+ $params = $this->extractRequestParams();
+
+ if ( $params['gettoken'] ) {
++ // If we're in JSON callback mode, no tokens can be obtained
++ if ( !is_null( $this->getMain()->getRequest()->getVal( 'callback' ) ) ) {
++ $this->dieUsage( 'Cannot get token when using a callback', 'aborted' );
++ }
+ $res['unblocktoken'] = $user->getEditToken( '', $this->getMain()->getRequest() );
+ $this->getResult()->addValue( null, $this->getModuleName(), $res );
+ return;
+--
+1.7.10.4
+
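Review bot: The embedded patch's diffstat line `5 files changed, 24 insertions(+), 1 deletion(-)` does not match its body, which carries four files, 22 added lines and no deletion, so one hunk of the upstream commit appears to have been dropped when this patch file was prepared. The four actions named in the patch description are all covered by the hunks present, so the missing piece is presumably a release-notes or test hunk rather than code, but that should be confirmed against the upstream change before the package ships; quilt applies the body regardless of the stale diffstat, so nothing will flag it. Separately, the same JSONP guard `!is_null( $this->getMain()->getRequest()->getVal( 'callback' ) )` is repeated verbatim in ApiBlock, ApiLogin, ApiQueryDeletedrevs and ApiUnblock; a single helper on ApiBase would make it harder to miss the next token-returning module, though that is an upstream concern rather than something the Debian backport should diverge on. Note also that ApiQueryDeletedrevs silently sets `$fld_token = false` while the other three modules abort with an explicit reason, so a JSONP client requesting deletedrevs tokens gets no indication of why they are absent.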
Modified: mediawiki/branches/wheezy/debian/patches/series
===================================================================
--- mediawiki/branches/wheezy/debian/patches/series 2013-09-08 14:42:13 UTC (rev 477)
+++ mediawiki/branches/wheezy/debian/patches/series 2013-09-08 18:42:51 UTC (rev 478)
@@ -7,3 +7,4 @@
bz40889.patch
bz39635.patch
debian_specific_config.patch
+CVE-2013-4302.patch