[Pkg-mediawiki-devel] Bug#685324: Local File Inclusion Vulnerability in contrib script
jandd at debian.org
Sat Aug 25 12:32:06 UTC 2012
On Tue, Aug 21, 2012 at 11:41:43PM +0100, Steven Chamberlain wrote:
> Bug affects an example script in the documentation only.
> Untrusted paths are used by file() and opendir(). A patch committed
> upstream tries to sanitise the inputs. 
> But these and other user-supplied data are still echoed out unescaped,
> so I think would allow XSS if someone used the script on a public-facing
> webserver. The code looks like it might have all sorts of other issues.
> It seems obsoleted by cssgen2.php, which does not need to accept user
> input at all. That is distributed already in php-geshi 188.8.131.52-1.
> So I suggest removing the cssgen.php file altogether. Thank you.
Thanks for this suggestion. I will prepare an upload that removes this file
from the examples directory and will ask the release team for a freeze
On Thu, Aug 23, 2012 at 11:23:10AM +0200, Thorsten Glaser wrote:
> On Tue, 21 Aug 2012, Benny Baumann wrote:
> > Given exactly the
> > 2-3 years this package will be in stable/oldstable is the reason why
> > there should be an update to something reasonably recent before the
> > package is put into a distribution.
> Sorry, it’s now too late for that. In May, something could have
> been done, but not now. No new upstream versions, any more.
> (That being said, updating it in sid now would be reasonable,
> and wheezy users could just pull that package from sid.)
If the change suggested above by Steven will be accepted by the release team
I will upload a new upstream version to unstable after the fixed version
migrated to testing.
Jan Dittberner - Debian Developer
GPG-key: 4096R/558FB8DD 2009-05-10
B2FF 1D95 CE8F 7A22 DF4C F09B A73E 0055 558F B8DD
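The two defects Steven describes above, untrusted paths reaching file()/opendir() and user-supplied values echoed unescaped, shown in a hardened form. This is an added example, not the cssgen.php script from php-geshi; the GESHI_LANG_ROOT path and the `lang` query parameter are assumptions.

```php
<?php
// Added example (not php-geshi code): resolve a user-chosen language name to a
// file under a fixed root, and escape anything user-supplied before echoing it.
const GESHI_LANG_ROOT = '/usr/share/php-geshi/geshi'; // assumed location

/**
 * Map a user-supplied language name to a *.php file inside GESHI_LANG_ROOT.
 * Returns null if the name is not a plain identifier or the canonical path
 * ends up outside the root (e.g. via "../" or a symlink).
 */
function resolve_language_file(string $name): ?string
{
    // Allowlist the shape first: letters, digits, '_' and '-' only.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
        return null;
    }
    $root = realpath(GESHI_LANG_ROOT);
    $path = realpath(GESHI_LANG_ROOT . '/' . $name . '.php');
    if ($root === false || $path === false) {
        return null;
    }
    // realpath() canonicalises ".." and symlinks; require the result to stay
    // under the root (trailing separator so "/root2" is not accepted).
    if (strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

/** Escape a value before it is placed in HTML text or attribute context. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$requested = $_GET['lang'] ?? '';
$file = resolve_language_file($requested);
if ($file === null) {
    http_response_code(400);
    // The rejected input is echoed only after escaping, so it cannot inject markup.
    echo '<p>Unknown language: ' . h($requested) . '</p>';
    exit;
}
// Directory listing always comes from the fixed root, never from user input.
foreach (scandir(dirname($file)) as $entry) {
    if (substr($entry, -4) === '.php') {
        echo '<li>' . h(basename($entry, '.php')) . '</li>';
    }
}
// The selected file is read via file() only after the path check above passed.
$lines = file($file, FILE_IGNORE_NEW_LINES);
echo '<p>' . h(basename($file)) . ': ' . count($lines) . ' lines</p>';
```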