r81332 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r81331‎ \| r81332 \| r81333 >
Date:	22:37, 1 February 2011
Author:	tstarling
Status:	ok
Tags:
Comment:	(bug 27093, CVE-2011-0047): Fixed CSS injection vulnerability. The StringUtils.php patch is by Roan, the Sanitizer.php patch is by me.
Modified paths:	/branches/REL1_16/phase3/RELEASE-NOTES (modified) (history) /branches/REL1_16/phase3/includes/Sanitizer.php (modified) (history) /branches/REL1_16/phase3/includes/StringUtils.php (modified) (history)

Diff [purge]

Index: branches/REL1_16/phase3/includes/Sanitizer.php
—	—	@@ -739,6 +739,13 @@
740	740	// Remove any comments; IE gets token splitting wrong
741	741	$value = StringUtils::delimiterReplace( '/', '/', ' ', $value );
742	742
	743	+ // Remove anything after a comment-start token, to guard against
	744	+ // incorrect client implementations.
	745	+ $commentPos = strpos( $value, '/*' );
	746	+ if ( $commentPos !== false ) {
	747	+ $value = substr( $value, 0, $commentPos );
	748	+ }
	749	+
743	750	// Decode escape sequences and line continuation
744	751	// See the grammar in the CSS 2 spec, appendix D.
745	752	static $decodeRegex, $reencodeTable;
Index: branches/REL1_16/phase3/includes/StringUtils.php
—	—	@@ -77,16 +77,20 @@
78	78	}
79	79
80	80	if ( $tokenType == 'start' ) {
81		~~- $inputPos = $tokenOffset + $tokenLength;~~
82	81	# Only move the start position if we haven't already found a start
83	82	# This means that START START END matches outer pair
84	83	if ( !$foundStart ) {
85	84	# Found start
	85	+ $inputPos = $tokenOffset + $tokenLength;
86	86	# Write out the non-matching section
87	87	$output .= substr( $subject, $outputPos, $tokenOffset - $outputPos );
88	88	$outputPos = $tokenOffset;
89	89	$contentPos = $inputPos;
90	90	$foundStart = true;
	91	+ } else {
	92	+ # Move the input position past the first character of START,
	93	+ # to protect against missing END when it overlaps with START
	94	+ $inputPos = $tokenOffset + 1;
91	95	}
92	96	} elseif ( $tokenType == 'end' ) {
93	97	if ( $foundStart ) {
Index: branches/REL1_16/phase3/RELEASE-NOTES
—	—	@@ -47,6 +47,7 @@
48	48	* (bug 26642) Fixed incorrect translated namespace due to a regression in the
49	49	language converter.
50	50	* The interface translations were updated.
	51	+* (bug 27093, CVE-2011-0047): Fixed CSS injection vulnerability.
51	52
52	53	== Changes since 1.16.0 ==
53	54

Follow-up revisions

Revision	Commit summary	Author	Date
r81333	(bug 27093, CVE-2011-0047): Fixed CSS injection vulnerability. The StringUtil...	tstarling	22:37, 1 February 2011

Past revisions this follows-up on

Revision	Commit summary	Author	Date
r81330	(bug 27093, CVE-2011-0047): Fixed CSS injection vulnerability. The StringUtil...	tstarling	22:36, 1 February 2011
r81331	(bug 27093, CVE-2011-0047): Fixed CSS injection vulnerability. The StringUtil...	tstarling	22:37, 1 February 2011

Status & tagging log

15:47, 2 March 2011 😂 (talk | contribs) changed the status of r81332 [removed: new added: ok]