r81338 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r81337‎ \| r81338 \| r81339 >
Date:	22:44, 1 February 2011
Author:	tstarling
Status:	ok
Tags:
Comment:	(bug 27094) fix path traversal vulnerability
Modified paths:	/branches/REL1_15/phase3/RELEASE-NOTES (modified) (history) /branches/REL1_15/phase3/includes/StubObject.php (modified) (history) /branches/REL1_15/phase3/languages/Language.php (modified) (history)

Diff [purge]

Index: branches/REL1_15/phase3/includes/StubObject.php
—	—	@@ -154,7 +154,7 @@
155	155	}
156	156
157	157	# Validate $code
158		~~- if( empty( $code ) \|\| !preg_match( '/^[a-z-]+$/', $code ) \|\| ( $code === 'qqq' ) ) {~~
	158	+ if( empty( $code ) \|\| !Language::isValidCode( $code ) \|\| ( $code === 'qqq' ) ) {
159	159	wfDebug( "Invalid user language code\n" );
160	160	$code = $wgContLanguageCode;
161	161	}
Index: branches/REL1_15/phase3/languages/Language.php
—	—	@@ -150,6 +150,14 @@
151	151	protected static function newFromCode( $code ) {
152	152	global $IP;
153	153	static $recursionLevel = 0;
	154	+
	155	+ // Protect against path traversal below
	156	+ if ( !Language::isValidCode( $code )
	157	+ \|\| strcspn( $code, "/\\\000" ) !== strlen( $code ) )
	158	+ {
	159	+ throw new MWException( "Invalid language code \"$code\"" );
	160	+ }
	161	+
154	162	if ( $code == 'en' ) {
155	163	$class = 'Language';
156	164	} else {
—	—	@@ -179,6 +187,14 @@
180	188	return $lang;
181	189	}
182	190
	191	+ /**
	192	+ * Returns true if a language code string is of a valid form, whether or
	193	+ * not it exists.
	194	+ */
	195	+ public static function isValidCode( $code ) {
	196	+ return (bool)preg_match( '/^[a-z-]+$/', $code );
	197	+ }
	198	+
183	199	function __construct() {
184	200	$this->mConverter = new FakeConverter($this);
185	201	// Set the code to the name of the descendant
—	—	@@ -2318,6 +2334,13 @@
2319	2335	}
2320	2336
2321	2337	static function getFileName( $prefix = 'Language', $code, $suffix = '.php' ) {
	2338	+ // Protect against path traversal
	2339	+ if ( !Language::isValidCode( $code )
	2340	+ \|\| strcspn( $code, "/\\\000" ) !== strlen( $code ) )
	2341	+ {
	2342	+ throw new MWException( "Invalid language code \"$code\"" );
	2343	+ }
	2344	+
2322	2345	return $prefix . str_replace( '-', '_', ucfirst( $code ) ) . $suffix;
2323	2346	}
2324	2347
Index: branches/REL1_15/phase3/RELEASE-NOTES
—	—	@@ -10,6 +10,9 @@
11	11	bug 24564)
12	12	* Fixed $wgLicenseTerms register globals.
13	13	* (bug 27093, CVE-2011-0047): Fixed CSS injection vulnerability.
	14	+* (bug 27094) Fixed server-side arbitrary script inclusion vulnerability.
	15	+ Affects Windows servers only. A malicious file with extension ".php" must
	16	+ exist on the server for the exploit to be effective.
14	17
15	18	== MediaWiki 1.15.5 ==
16	19

Past revisions this follows-up on

Revision	Commit summary	Author	Date
r81335	(bug 27094) fix path traversal vulnerability	tstarling	22:43, 1 February 2011
r81336	(bug 27094) fix path traversal vulnerability	tstarling	22:44, 1 February 2011
r81337	(bug 27094) fix path traversal vulnerability	tstarling	22:44, 1 February 2011

Status & tagging log

22:17, 15 April 2011 Reedy (talk | contribs) changed the status of r81338 [removed: new added: ok]