[Pkg-mediawiki-commits] r479 - in mediawiki/branches/squeeze/debian: . patches

Jonathan Wiltshire jmw at alioth.debian.org
Sun Sep 8 18:55:25 UTC 2013


Author: jmw
Date: 2013-09-08 18:55:24 +0000 (Sun, 08 Sep 2013)
New Revision: 479

Added:
   mediawiki/branches/squeeze/debian/patches/CVE-2013-4302.patch
Modified:
   mediawiki/branches/squeeze/debian/changelog
   mediawiki/branches/squeeze/debian/patches/series
Log:
Apply upstream patch for CVE-2013-4302

Modified: mediawiki/branches/squeeze/debian/changelog
===================================================================
--- mediawiki/branches/squeeze/debian/changelog	2013-09-08 18:42:51 UTC (rev 478)
+++ mediawiki/branches/squeeze/debian/changelog	2013-09-08 18:55:24 UTC (rev 479)
@@ -1,3 +1,10 @@
+mediawiki (1:1.15.5-2squeeze6) stable-security; urgency=low
+
+  * CVE-2013-4302: apply patch from upstream to prevent
+    access to anti-CSRF tokens via JSONP
+
+ -- Jonathan Wiltshire <jmw at debian.org>  Sun, 08 Sep 2013 19:53:58 +0100
+
 mediawiki (1:1.15.5-2squeeze5) stable; urgency=low
 
   [ Dominik George ]

Added: mediawiki/branches/squeeze/debian/patches/CVE-2013-4302.patch
===================================================================
--- mediawiki/branches/squeeze/debian/patches/CVE-2013-4302.patch	                        (rev 0)
+++ mediawiki/branches/squeeze/debian/patches/CVE-2013-4302.patch	2013-09-08 18:55:24 UTC (rev 479)
@@ -0,0 +1,76 @@
+From f8998c726550b85ab6a4362c364a51f1604ea687 Mon Sep 17 00:00:00 2001
+From: Brad Jorsch <bjorsch at wikimedia.org>
+Date: Tue, 3 Sep 2013 07:59:13 -0700
+Subject: [PATCH] SECURITY: Prevent tokens in jsonp mode
+
+Add checks to token-returning functions to prevent returning tokens in
+jsonp mode. This affects action=login, action=block, action=unblock, and
+action=query&list=deletedrevs.
+
+Bug: 49090
+Change-Id: Ibeaa5c72d8084585092b15935a3f5709104bf7f7
+---
+ includes/api/ApiBlock.php            |    4 ++++
+ includes/api/ApiLogin.php            |    9 +++++++++
+ includes/api/ApiQueryDeletedrevs.php |    5 +++++
+ includes/api/ApiUnblock.php          |    4 ++++
+ 5 files changed, 24 insertions(+), 1 deletion(-)
+
+--- mediawiki-1.15.5.orig/includes/api/ApiBlock.php
++++ mediawiki-1.15.5/includes/api/ApiBlock.php
+@@ -54,6 +54,10 @@
+ 
+ 		if($params['gettoken'])
+ 		{
++			// If we're in JSON callback mode, no tokens can be obtained
++			if ( !is_null( $this->getMain()->getRequest()->getVal( 'callback' ) ) ) {
++				$this->dieUsage( 'Cannot get token when using a callback', 'aborted' );
++			}
+ 			$res['blocktoken'] = $wgUser->editToken();
+ 			$this->getResult()->addValue(null, $this->getModuleName(), $res);
+ 			return;
+--- mediawiki-1.15.5.orig/includes/api/ApiLogin.php
++++ mediawiki-1.15.5/includes/api/ApiLogin.php
+@@ -52,6 +52,15 @@
+ 	 * @access public
+ 	 */
+ 	public function execute() {
++		// If we're in JSON callback mode, no tokens can be obtained
++		if ( !is_null( $this->getMain()->getRequest()->getVal( 'callback' ) ) ) {
++			$this->getResult()->addValue( null, 'login', array(
++				'result' => 'Aborted',
++				'reason' => 'Cannot log in when using a callback',
++			) );
++			return;
++		}
++
+ 		$params = $this->extractRequestParams();
+ 
+ 		$result = array ();
+--- mediawiki-1.15.5.orig/includes/api/ApiQueryDeletedrevs.php
++++ mediawiki-1.15.5/includes/api/ApiQueryDeletedrevs.php
+@@ -57,6 +57,11 @@
+ 		$fld_content = isset($prop['content']);
+ 		$fld_token = isset($prop['token']);
+ 		
++		// If we're in JSON callback mode, no tokens can be obtained
++		if ( !is_null( $this->getMain()->getRequest()->getVal( 'callback' ) ) ) {
++			$fld_token = false;
++		}
++
+ 		$result = $this->getResult();
+ 		$pageSet = $this->getPageSet();
+ 		$titles = $pageSet->getTitles();
+--- mediawiki-1.15.5.orig/includes/api/ApiUnblock.php
++++ mediawiki-1.15.5/includes/api/ApiUnblock.php
+@@ -48,6 +48,10 @@
+ 
+ 		if($params['gettoken'])
+ 		{
++			// If we're in JSON callback mode, no tokens can be obtained
++			if ( !is_null( $this->getMain()->getRequest()->getVal( 'callback' ) ) ) {
++				$this->dieUsage( 'Cannot get token when using a callback', 'aborted' );
++			}
+ 			$res['unblocktoken'] = $wgUser->editToken();
+ 			$this->getResult()->addValue(null, $this->getModuleName(), $res);
+ 			return;
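Review bot: The same `!is_null( $this->getMain()->getRequest()->getVal( 'callback' ) )` test is pasted verbatim into four modules (ApiBlock, ApiLogin, ApiQueryDeletedrevs, ApiUnblock), so any token-returning module added later has nothing to call; a protected helper on the API base class (say `isCallbackMode()`, a constructed name) would keep the rule in one place and make a missing guard greppable. The modules also disagree on how they fail: ApiBlock/ApiUnblock abort with `dieUsage( ..., 'aborted' )`, ApiLogin returns a result with `'result' => 'Aborted'`, and ApiQueryDeletedrevs silently clears `$fld_token`, so a JSONP client requesting `prop=token` gets no indication why the field is absent — emitting a warning in the result at that point would make the refusal explicit. Since the upstream message enumerates only these four entry points, it is worth confirming that every other token-emitting module in this 1.15.5 tree already carries an equivalent guard before shipping the backport. The inner header's diffstat (`5 files changed, 24 insertions(+), 1 deletion(-)`) no longer matches the four files and 22 insertions actually present in the trimmed patch and could be regenerated to avoid confusing later readers.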

Modified: mediawiki/branches/squeeze/debian/patches/series
===================================================================
--- mediawiki/branches/squeeze/debian/patches/series	2013-09-08 18:42:51 UTC (rev 478)
+++ mediawiki/branches/squeeze/debian/patches/series	2013-09-08 18:55:24 UTC (rev 479)
@@ -15,3 +15,4 @@
 CVE-2012-0046.patch
 CVE-2012-5391.patch
 pcre-linker-backtrack.patch
+CVE-2013-4302.patch



