r81337 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r81336‎ \| r81337 \| r81338 >
Date:	22:44, 1 February 2011
Author:	tstarling
Status:	ok
Tags:
Comment:	(bug 27094) fix path traversal vulnerability
Modified paths:	/branches/REL1_16/phase3/RELEASE-NOTES (modified) (history) /branches/REL1_16/phase3/includes/StubObject.php (modified) (history) /branches/REL1_16/phase3/languages/Language.php (modified) (history)

Diff [purge]

Index: branches/REL1_16/phase3/includes/StubObject.php
—	—	@@ -152,7 +152,7 @@
153	153	$code = strtolower( $code );
154	154
155	155	# Validate $code
156		~~- if( empty( $code ) \|\| !preg_match( '/^[a-z-]+$/', $code ) \|\| ( $code === 'qqq' ) ) {~~
	156	+ if( empty( $code ) \|\| !Language::isValidCode( $code ) \|\| ( $code === 'qqq' ) ) {
157	157	wfDebug( "Invalid user language code\n" );
158	158	$code = $wgContLanguageCode;
159	159	}
Index: branches/REL1_16/phase3/languages/Language.php
—	—	@@ -144,6 +144,14 @@
145	145	protected static function newFromCode( $code ) {
146	146	global $IP;
147	147	static $recursionLevel = 0;
	148	+
	149	+ // Protect against path traversal below
	150	+ if ( !Language::isValidCode( $code )
	151	+ \|\| strcspn( $code, "/\\\000" ) !== strlen( $code ) )
	152	+ {
	153	+ throw new MWException( "Invalid language code \"$code\"" );
	154	+ }
	155	+
148	156	if ( $code == 'en' ) {
149	157	$class = 'Language';
150	158	} else {
—	—	@@ -174,6 +182,14 @@
175	183	}
176	184
177	185	/**
	186	+ * Returns true if a language code string is of a valid form, whether or
	187	+ * not it exists.
	188	+ */
	189	+ public static function isValidCode( $code ) {
	190	+ return (bool)preg_match( '/^[a-z-]+$/', $code );
	191	+ }
	192	+
	193	+ /**
178	194	* Get the LocalisationCache instance
179	195	*/
180	196	public static function getLocalisationCache() {
—	—	@@ -2462,6 +2478,13 @@
2463	2479	* @return string $prefix . $mangledCode . $suffix
2464	2480	*/
2465	2481	static function getFileName( $prefix = 'Language', $code, $suffix = '.php' ) {
	2482	+ // Protect against path traversal
	2483	+ if ( !Language::isValidCode( $code )
	2484	+ \|\| strcspn( $code, "/\\\000" ) !== strlen( $code ) )
	2485	+ {
	2486	+ throw new MWException( "Invalid language code \"$code\"" );
	2487	+ }
	2488	+
2466	2489	return $prefix . str_replace( '-', '_', ucfirst( $code ) ) . $suffix;
2467	2490	}
2468	2491
Index: branches/REL1_16/phase3/RELEASE-NOTES
—	—	@@ -2,6 +2,8 @@
3	3
4	4	== MediaWiki 1.16.2 ==
5	5
	6	+2011-02-01
	7	+
6	8	This is a security and maintenance release of the MediaWiki 1.16 branch.
7	9
8	10	=== Summary of selected changes in 1.16 ===
—	—	@@ -48,6 +50,9 @@
49	51	language converter.
50	52	* The interface translations were updated.
51	53	* (bug 27093, CVE-2011-0047): Fixed CSS injection vulnerability.
	54	+* (bug 27094) Fixed server-side arbitrary script inclusion vulnerability.
	55	+ Affects Windows servers only. A malicious file with extension ".php" must
	56	+ exist on the server for the exploit to be effective.
52	57
53	58	== Changes since 1.16.0 ==
54	59

Follow-up revisions

Revision	Commit summary	Author	Date
r81338	(bug 27094) fix path traversal vulnerability	tstarling	22:44, 1 February 2011

Past revisions this follows-up on

Revision	Commit summary	Author	Date
r81335	(bug 27094) fix path traversal vulnerability	tstarling	22:43, 1 February 2011
r81336	(bug 27094) fix path traversal vulnerability	tstarling	22:44, 1 February 2011

Status & tagging log

22:17, 15 April 2011 Reedy (talk | contribs) changed the status of r81337 [removed: new added: ok]