[Pkg-mediawiki-commits] r478 - in mediawiki/branches/wheezy/debian: . patches

Jonathan Wiltshire jmw at alioth.debian.org
Sun Sep 8 18:42:52 UTC 2013


Author: jmw
Date: 2013-09-08 18:42:51 +0000 (Sun, 08 Sep 2013)
New Revision: 478

Added:
   mediawiki/branches/wheezy/debian/patches/CVE-2013-4302.patch
Modified:
   mediawiki/branches/wheezy/debian/changelog
   mediawiki/branches/wheezy/debian/patches/series
Log:
Apply upstream patch for CVE-2013-4302

Modified: mediawiki/branches/wheezy/debian/changelog
===================================================================
--- mediawiki/branches/wheezy/debian/changelog	2013-09-08 14:42:13 UTC (rev 477)
+++ mediawiki/branches/wheezy/debian/changelog	2013-09-08 18:42:51 UTC (rev 478)
@@ -1,3 +1,10 @@
+mediawiki (1:1.19.5-1+deb7u1) stable-security; urgency=low
+
+  * CVE-2013-4302: apply patch from upstream to prevent
+    access to anti-CSRF tokens via JSONP
+
+ -- Jonathan Wiltshire <jmw at debian.org>  Sun, 08 Sep 2013 19:40:24 +0100
+
 mediawiki (1:1.19.5-1) unstable; urgency=high
 
   [ Platonides ]

Added: mediawiki/branches/wheezy/debian/patches/CVE-2013-4302.patch
===================================================================
--- mediawiki/branches/wheezy/debian/patches/CVE-2013-4302.patch	                        (rev 0)
+++ mediawiki/branches/wheezy/debian/patches/CVE-2013-4302.patch	2013-09-08 18:42:51 UTC (rev 478)
@@ -0,0 +1,87 @@
+From f8998c726550b85ab6a4362c364a51f1604ea687 Mon Sep 17 00:00:00 2001
+From: Brad Jorsch <bjorsch at wikimedia.org>
+Date: Tue, 3 Sep 2013 07:59:13 -0700
+Subject: [PATCH] SECURITY: Prevent tokens in jsonp mode
+
+Add checks to token-returning functions to prevent returning tokens in
+jsonp mode. This affects action=login, action=block, action=unblock, and
+action=query&list=deletedrevs.
+
+Bug: 49090
+Change-Id: Ibeaa5c72d8084585092b15935a3f5709104bf7f7
+---
+ includes/api/ApiBlock.php            |    4 ++++
+ includes/api/ApiLogin.php            |    9 +++++++++
+ includes/api/ApiQueryDeletedrevs.php |    5 +++++
+ includes/api/ApiUnblock.php          |    4 ++++
+ 5 files changed, 24 insertions(+), 1 deletion(-)
+
+diff --git a/includes/api/ApiBlock.php b/includes/api/ApiBlock.php
+index 351ac6b..5c9e68f 100644
+--- a/includes/api/ApiBlock.php
++++ b/includes/api/ApiBlock.php
+@@ -47,6 +47,10 @@ class ApiBlock extends ApiBase {
+ 		$params = $this->extractRequestParams();
+ 
+ 		if ( $params['gettoken'] ) {
++			// If we're in JSON callback mode, no tokens can be obtained
++			if ( !is_null( $this->getMain()->getRequest()->getVal( 'callback' ) ) ) {
++				$this->dieUsage( 'Cannot get token when using a callback', 'aborted' );
++			}
+ 			$res['blocktoken'] = $user->getEditToken( '', $this->getMain()->getRequest() );
+ 			$this->getResult()->addValue( null, $this->getModuleName(), $res );
+ 			return;
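Review bot: The guard on the `gettoken` branch reads the raw `callback` request value rather than asking the JSON formatter whether it is in callback mode, so it also fires for `format=xml&callback=…` — fail-safe, but the reason is not recorded and the same three lines are repeated verbatim in ApiUnblock and ApiLogin in this patch, so a one-line helper on the API base class (something like `protected function isJsonpRequest()` returning the `callback` test) would keep the three copies from drifting. A why-comment would also help the next reader: `// Check the raw request, not the printer: any format honouring callback= could leak the token cross-origin`. If ApiBlock maintains a `getPossibleErrors()` list in this branch, the new `'aborted'` code should be added there as well. The enclosing `execute()` starts before this hunk.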
+diff --git a/includes/api/ApiLogin.php b/includes/api/ApiLogin.php
+index aa570cb..3384910 100644
+--- a/includes/api/ApiLogin.php
++++ b/includes/api/ApiLogin.php
+@@ -46,6 +46,15 @@ class ApiLogin extends ApiBase {
+ 	 * is reached. The expiry is $this->mLoginThrottle.
+ 	 */
+ 	public function execute() {
++		// If we're in JSON callback mode, no tokens can be obtained
++		if ( !is_null( $this->getMain()->getRequest()->getVal( 'callback' ) ) ) {
++			$this->getResult()->addValue( null, 'login', array(
++				'result' => 'Aborted',
++				'reason' => 'Cannot log in when using a callback',
++			) );
++			return;
++		}
++
+ 		$params = $this->extractRequestParams();
+ 
+ 		$result = array();
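Review bot: The abort result is written under a hard-coded `'login'` key while the sibling modules in this patch use `$this->getModuleName()`; using the same accessor here, `$this->getResult()->addValue( null, $this->getModuleName(), array( … ) );`, keeps the modules consistent and survives a module rename. Unlike block/unblock, this hunk refuses the whole action in callback mode rather than just token retrieval, presumably because the `NeedToken` response also carries `lgtoken` — that reasoning is not visible here and deserves a comment such as `// Refuse the entire action, not just token retrieval: the NeedToken reply itself carries lgtoken`, to be confirmed against the rest of execute(). The early return sits before `extractRequestParams()`, so a JSONP login attempt never reaches the throttle or credential checks, which appears intended. The rest of `execute()` lies outside the hunk.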
+diff --git a/includes/api/ApiQueryDeletedrevs.php b/includes/api/ApiQueryDeletedrevs.php
+index 0a0cc93..13978f9 100644
+--- a/includes/api/ApiQueryDeletedrevs.php
++++ b/includes/api/ApiQueryDeletedrevs.php
+@@ -57,6 +57,11 @@ class ApiQueryDeletedrevs extends ApiQueryBase {
+ 		$fld_content = isset( $prop['content'] );
+ 		$fld_token = isset( $prop['token'] );
+ 
++		// If we're in JSON callback mode, no tokens can be obtained
++		if ( !is_null( $this->getMain()->getRequest()->getVal( 'callback' ) ) ) {
++			$fld_token = false;
++		}
++
+ 		$result = $this->getResult();
+ 		$pageSet = $this->getPageSet();
+ 		$titles = $pageSet->getTitles();
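Review bot: Clearing `$fld_token` silently drops the `token` property a client explicitly asked for, so a JSONP caller gets no indication why the field is absent, whereas ApiBlock and ApiUnblock in this same patch fail loudly with `dieUsage`. Dying here would break otherwise legitimate deletedrevs queries that happen to list `token` in `prop`, so a warning is the better middle ground: `$this->setWarning( 'Cannot get token when using a callback' );` next to `$fld_token = false;`, assuming `ApiBase::setWarning()` is available in this branch. The enclosing `execute()` continues past the hunk.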
+diff --git a/includes/api/ApiUnblock.php b/includes/api/ApiUnblock.php
+index d0ad3a8..122cb98 100644
+--- a/includes/api/ApiUnblock.php
++++ b/includes/api/ApiUnblock.php
+@@ -44,6 +44,10 @@ class ApiUnblock extends ApiBase {
+ 		$params = $this->extractRequestParams();
+ 
+ 		if ( $params['gettoken'] ) {
++			// If we're in JSON callback mode, no tokens can be obtained
++			if ( !is_null( $this->getMain()->getRequest()->getVal( 'callback' ) ) ) {
++				$this->dieUsage( 'Cannot get token when using a callback', 'aborted' );
++			}
+ 			$res['unblocktoken'] = $user->getEditToken( '', $this->getMain()->getRequest() );
+ 			$this->getResult()->addValue( null, $this->getModuleName(), $res );
+ 			return;
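Review bot: The `'aborted'` error code introduced by `dieUsage` on the `gettoken` path is not reflected in the module's documented error list; if ApiUnblock keeps a `getPossibleErrors()` array in this branch, add `array( 'code' => 'aborted', 'info' => 'Cannot get token when using a callback' )` there so the API help and any client relying on it stay accurate. The check itself is byte-identical to the one added to ApiBlock, which argues for sharing it rather than copying it. `execute()` starts before this hunk.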
+-- 
+1.7.10.4
+
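Review bot: The embedded diffstat reads `5 files changed, 24 insertions(+), 1 deletion(-)`, but only four files are listed and the visible hunks add 22 lines and remove none, so one file with two insertions and one deletion from the upstream commit is not in this backport. If that was a deliberate drop while adapting the upstream change to 1.19 (a release-notes entry is the usual candidate, though it cannot be verified from here), the commit log or a DEP-3 header in the patch should say so, and the diffstat should be regenerated so it does not suggest a missing code hunk. Adding `Origin:` and `Bug-Debian:` headers above the git preamble would also make the provenance of the patch checkable without consulting the mailing list.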

Modified: mediawiki/branches/wheezy/debian/patches/series
===================================================================
--- mediawiki/branches/wheezy/debian/patches/series	2013-09-08 14:42:13 UTC (rev 477)
+++ mediawiki/branches/wheezy/debian/patches/series	2013-09-08 18:42:51 UTC (rev 478)
@@ -7,3 +7,4 @@
 bz40889.patch
 bz39635.patch
 debian_specific_config.patch
+CVE-2013-4302.patch



