r81333 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r81332‎ \| r81333 \| r81334 >
Date:	22:37, 1 February 2011
Author:	tstarling
Status:	ok
Tags:
Comment:	(bug 27093, CVE-2011-0047): Fixed CSS injection vulnerability. The StringUtils.php patch is by Roan, the Sanitizer.php patch is by me.
Modified paths:	/branches/REL1_15/phase3/RELEASE-NOTES (modified) (history) /branches/REL1_15/phase3/includes/Sanitizer.php (modified) (history) /branches/REL1_15/phase3/includes/StringUtils.php (modified) (history)

Diff [purge]

Index: branches/REL1_15/phase3/includes/Sanitizer.php
—	—	@@ -659,6 +659,13 @@
660	660	// Remove any comments; IE gets token splitting wrong
661	661	$value = StringUtils::delimiterReplace( '/', '/', ' ', $value );
662	662
	663	+ // Remove anything after a comment-start token, to guard against
	664	+ // incorrect client implementations.
	665	+ $commentPos = strpos( $value, '/*' );
	666	+ if ( $commentPos !== false ) {
	667	+ $value = substr( $value, 0, $commentPos );
	668	+ }
	669	+
663	670	// Decode escape sequences and line continuation
664	671	// See the grammar in the CSS 2 spec, appendix D.
665	672	static $decodeRegex, $reencodeTable;
Index: branches/REL1_15/phase3/includes/StringUtils.php
—	—	@@ -77,16 +77,20 @@
78	78	}
79	79
80	80	if ( $tokenType == 'start' ) {
81		~~- $inputPos = $tokenOffset + $tokenLength;~~
82	81	# Only move the start position if we haven't already found a start
83	82	# This means that START START END matches outer pair
84	83	if ( !$foundStart ) {
85	84	# Found start
	85	+ $inputPos = $tokenOffset + $tokenLength;
86	86	# Write out the non-matching section
87	87	$output .= substr( $subject, $outputPos, $tokenOffset - $outputPos );
88	88	$outputPos = $tokenOffset;
89	89	$contentPos = $inputPos;
90	90	$foundStart = true;
	91	+ } else {
	92	+ # Move the input position past the first character of START,
	93	+ # to protect against missing END when it overlaps with START
	94	+ $inputPos = $tokenOffset + 1;
91	95	}
92	96	} elseif ( $tokenType == 'end' ) {
93	97	if ( $foundStart ) {
Index: branches/REL1_15/phase3/RELEASE-NOTES
—	—	@@ -9,6 +9,7 @@
10	10	* (bug 24740) limit=max still causing problems on 1.15.5 (backport r70078,
11	11	bug 24564)
12	12	* Fixed $wgLicenseTerms register globals.
	13	+* (bug 27093, CVE-2011-0047): Fixed CSS injection vulnerability.
13	14
14	15	== MediaWiki 1.15.5 ==
15	16

Past revisions this follows-up on

Revision	Commit summary	Author	Date
r81330	(bug 27093, CVE-2011-0047): Fixed CSS injection vulnerability. The StringUtil...	tstarling	22:36, 1 February 2011
r81331	(bug 27093, CVE-2011-0047): Fixed CSS injection vulnerability. The StringUtil...	tstarling	22:37, 1 February 2011
r81332	(bug 27093, CVE-2011-0047): Fixed CSS injection vulnerability. The StringUtil...	tstarling	22:37, 1 February 2011

Status & tagging log

15:47, 2 March 2011 😂 (talk | contribs) changed the status of r81333 [removed: new added: ok]