rpms/moin/devel 00821_SECURITY_FIX_use_ACL_in_include_directive.patch, NONE, 1.1 00825_SECURITY-fix_MonthCalendar_respect_ACLs.patch, NONE, 1.1 00829_SECURITY_FIX_XSS_in_AttachFile_do_parameter.patch, NONE, 1.1 10010_CVE-2007-0857.patch, NONE, 1.1 moin.spec, 1.14, 1.15

Matthias Saou (thias) fedora-extras-commits at redhat.com
Mon May 7 12:51:16 UTC 2007


Author: thias

Update of /cvs/extras/rpms/moin/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv11811

Modified Files:
	moin.spec 
Added Files:
	00821_SECURITY_FIX_use_ACL_in_include_directive.patch 
	00825_SECURITY-fix_MonthCalendar_respect_ACLs.patch 
	00829_SECURITY_FIX_XSS_in_AttachFile_do_parameter.patch 
	10010_CVE-2007-0857.patch 
Log Message:
Include security patches from Debian package (#228764, #238722).


00821_SECURITY_FIX_use_ACL_in_include_directive.patch:

--- NEW FILE 00821_SECURITY_FIX_use_ACL_in_include_directive.patch ---
# HG changeset patch
# User Alexander Schremmer <alex AT alexanderweb DOT de>
# Date Sun Feb 25 11:01:57 2007 +0100
# Node ID 4949ad88af4e2fce70f2170bf6d09f337b7b83bb
# parent: efdb7eef6c61ba7c2ea97992269ff51a0b96e3bf
Actually check the ACL for the include directive. Fixes a severe security issue.

--- a/MoinMoin/parser/rst.py	Fri Feb 23 19:24:52 2007 +0100
+++ b/MoinMoin/parser/rst.py	Sun Feb 25 11:01:57 2007 +0100
@@ -560,15 +560,19 @@ class MoinDirectives:
             return
 
         if len(content):
-            page = Page(page_name = content[0], request = self.request)
-            if page.exists():
-                text = page.get_raw_body()
-                lines = text.split('\n')
-                # Remove the "#format rst" line
-                if lines[0].startswith("#format"):
-                    del lines[0]
+            pagename = content[0]
+            page = Page(page_name=pagename, request=self.request)
+            if not self.request.user.may.read(pagename):
+                lines = [_("**You are not allowed to read the page: %s**") % (pagename, )]
             else:
-                lines = [_("**Could not find the referenced page: %s**") % (content[0],)]
+                if page.exists():
+                    text = page.get_raw_body()
+                    lines = text.split('\n')
+                    # Remove the "#format rst" line
+                    if lines[0].startswith("#format"):
+                        del lines[0]
+                else:
+                    lines = [_("**Could not find the referenced page: %s**") % (pagename, )]
             # Insert the text from the included document and then continue
             # parsing
             state_machine.insert_input(lines, 'MoinDirectives')
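Review bot: the `pagename` taken from the directive argument is interpolated into the two error lines that are then handed back to the reST parser via `state_machine.insert_input(lines, 'MoinDirectives')`; the `**...**` wrapping shows these lines are meant to be parsed as markup, so a page name containing reST syntax is interpreted rather than shown literally. Rendering the name inside a reST literal, or escaping it for reST, would make the message display the name verbatim in all cases. The ordering of the new checks is right: `self.request.user.may.read(pagename)` is evaluated before `page.exists()`, so a reader without access receives the same refusal whether or not the page exists, and the include directive no longer discloses the existence of protected pages.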


00825_SECURITY-fix_MonthCalendar_respect_ACLs.patch:

--- NEW FILE 00825_SECURITY-fix_MonthCalendar_respect_ACLs.patch ---
# HG changeset patch
# User Thomas Waldmann <tw AT waldmann-edv DOT de>
# Date Mon Apr 02 23:05:14 2007 +0200
# Node ID 0e41a0429ee13f5bba8bca418bc5898df91c91f7
# parent: 5e758e78e32797bb9625bb210572881ac3841f23
MonthCalendar: ACL security fix

--- a/MoinMoin/macro/MonthCalendar.py	Sun Mar 18 23:14:08 2007 +0100
+++ b/MoinMoin/macro/MonthCalendar.py	Mon Apr 02 23:05:14 2007 +0200
@@ -389,7 +389,7 @@ def execute(macro, text):
                 else:
                     link = "%s/%4d-%02d-%02d" % (page, year, month, day)
                 daypage = Page(request, link)
-                if daypage.exists():
+                if daypage.exists() and request.user.may.read(link):
                     csslink = "cal-usedday"
                     query = {}
                     r, g, b, u = (255, 0, 0, 1)
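Review bot: the added `request.user.may.read(link)` guard only wraps the `cal-usedday` branch, so a day whose page exists but is not readable now takes the same path as a day with no page at all, which is the desired behaviour; a one-line comment stating that the check exists to avoid disclosing the existence of protected pages would keep a future refactor from dropping it as redundant with `exists()`. Please also confirm that nothing later in `execute` reads from `daypage` (for a tooltip or title) outside this guard, since `csslink`, `query` and `r, g, b, u` are only set inside it.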

00829_SECURITY_FIX_XSS_in_AttachFile_do_parameter.patch:

--- NEW FILE 00829_SECURITY_FIX_XSS_in_AttachFile_do_parameter.patch ---

# HG changeset patch
# User Thomas Waldmann <tw AT waldmann-edv DOT de>
# Date 1178406230 -7200
# Node ID 288694f8dfde086358ca18f107cfb48cced03558
# Parent fe2e3e78c269f5f0024491fb9b6041970f4e7a1a
XSS fix for AttachFile 'do' parameter

--- a/MoinMoin/action/AttachFile.py	Tue Apr 24 11:08:20 2007 +0200
+++ b/MoinMoin/action/AttachFile.py	Sun May 06 01:03:50 2007 +0200
@@ -461,6 +461,9 @@ def execute(pagename, request):
     _ = request.getText
 
     msg = None
+    do = request.form.get('do')
+    if do is not None:
+        do = do[0]
     if action_name in request.cfg.actions_excluded:
         msg = _('File attachments are not allowed in this wiki!')
     elif request.form.has_key('filepath'):
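Review bot: `do = do[0]` assumes the value returned by `request.form.get('do')` is a non-empty list; if the form parser can ever yield an empty list for a parameter submitted without a value, this raises `IndexError` before any of the dispatch below runs. Guarding with `if do:` instead of `if do is not None:` covers both the missing and the empty case. Hoisting the lookup to one place is otherwise a good change: the value is read once and every branch below compares a plain string rather than re-indexing `request.form`.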
@@ -470,9 +473,9 @@ def execute(pagename, request):
             request.write("OK")
         else:
             msg = _('You are not allowed to save a drawing on this page.')
-    elif not request.form.has_key('do'):
+    elif do is None:
         upload_form(pagename, request)
-    elif request.form['do'][0] == 'upload':
+    elif do == 'upload':
         if request.user.may.write(pagename):
             if request.form.has_key('file'):
                 do_upload(pagename, request)
@@ -482,17 +485,17 @@ def execute(pagename, request):
                 msg = _("No file content. Delete non ASCII characters from the file name and try again.")
         else:
             msg = _('You are not allowed to attach a file to this page.')
-    elif request.form['do'][0] == 'del':
+    elif do == 'del':
         if request.user.may.delete(pagename):
             del_file(pagename, request)
         else:
             msg = _('You are not allowed to delete attachments on this page.')
-    elif request.form['do'][0] == 'move':
+    elif do == 'move':
         if request.user.may.delete(pagename):
             send_moveform(pagename, request)
         else:
             msg = _('You are not allowed to move attachments from this page.')
-    elif request.form['do'][0] == 'attachment_move':
+    elif do == 'attachment_move':
         if request.form.has_key('cancel'):
             msg = _('Move aborted!')
             error_msg(pagename, request, msg)
@@ -505,28 +508,28 @@ def execute(pagename, request):
             attachment_move(pagename, request)
         else:
             msg = _('You are not allowed to move attachments from this page.')
-    elif request.form['do'][0] == 'get':
+    elif do == 'get':
         if request.user.may.read(pagename):
             get_file(pagename, request)
         else:
             msg = _('You are not allowed to get attachments from this page.')
-    elif request.form['do'][0] == 'unzip':
+    elif do == 'unzip':
          if request.user.may.delete(pagename) and request.user.may.read(pagename) and request.user.may.write(pagename):
             unzip_file(pagename, request)
          else:
             msg = _('You are not allowed to unzip attachments of this page.')
-    elif request.form['do'][0] == 'install':
+    elif do == 'install':
          if request.user.isSuperUser():
             install_package(pagename, request)
          else:
             msg = _('You are not allowed to install files.')
-    elif request.form['do'][0] == 'view':
+    elif do == 'view':
         if request.user.may.read(pagename):
             view_file(pagename, request)
         else:
             msg = _('You are not allowed to view attachments of this page.')
     else:
-        msg = _('Unsupported upload action: %s') % (request.form['do'][0],)
+        msg = _('Unsupported upload action: %s') % (wikiutil.escape(do),)
 
     if msg:
         error_msg(pagename, request, msg)
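Review bot: `wikiutil.escape(do)` is applied at the single sink where the user-supplied `do` value is echoed back, which closes the reported XSS, but the escaping lives only in this final `else` while every other `msg` in the chain is a constant string. Since all of them end in `error_msg(pagename, request, msg)`, escaping inside `error_msg` (or at least documenting that callers must pass already-escaped text) would make the next branch that interpolates request data safe by default instead of by remembering this one line.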

10010_CVE-2007-0857.patch:

--- NEW FILE 10010_CVE-2007-0857.patch ---
diff -Nur moin-1.5.3/MoinMoin/action/LikePages.py moin-1.5.3.new/MoinMoin/action/LikePages.py
--- moin-1.5.3/MoinMoin/action/LikePages.py	2006-03-22 01:25:59.000000000 -0800
+++ moin-1.5.3.new/MoinMoin/action/LikePages.py	2007-02-09 13:55:30.283298168 -0800
@@ -28,14 +28,14 @@
     # No matches
     if not matches:
         Page(request, pagename).send_page(request,
-            msg = _('No pages like "%s"!') % (pagename,))
+            msg = _('No pages like "%s"!') % (wikiutil.escape(pagename),))
         return
 
     # One match - display it
     if len(matches) == 1:
         Page(request, matches.keys()[0]).send_page(request,
             msg = _('Exactly one page like "%s" found, redirecting to page.') % (
-            pagename,))
+            wikiutil.escape(pagename),))
         return
 
     # more than one match, list 'em
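Review bot: both `msg` strings now escape `pagename` before it is reflected into the page, consistent with the title fix in the following hunk; `wikiutil` is already used in this file (`wikiutil.send_title` below), so no import is needed. The hunk itself does not say why the escaping was added, so the patch description should state that `pagename` comes from the request and is rendered as HTML, otherwise a later cleanup may treat the `escape()` calls as noise.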
@@ -44,7 +44,7 @@
     # This action generate data using the user language
     request.setContentLanguage(request.lang)
 
-    wikiutil.send_title(request, _('Pages like "%s"') % (pagename),
+    wikiutil.send_title(request, _('Pages like "%s"') % (wikiutil.escape(pagename)),
                         pagename=pagename)
         
     # Start content - IMPORTANT - without content div, there is no
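Review bot: `_('Pages like "%s"') % (wikiutil.escape(pagename))` relies on `%` accepting a bare string instead of a tuple; it works, but it differs from the `(..., )` tuple form used in the previous hunk, so `(wikiutil.escape(pagename),)` would be consistent. The `pagename=pagename` keyword argument is left unescaped because it is passed as a page name rather than as display text; please confirm that `send_title` escapes it wherever it emits it into HTML, since that argument now carries the only unescaped copy of the value.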
diff -Nur moin-1.5.3/MoinMoin/theme/__init__.py moin-1.5.3.new/MoinMoin/theme/__init__.py
--- moin-1.5.3/MoinMoin/theme/__init__.py	2006-04-15 12:09:38.000000000 -0700
+++ moin-1.5.3.new/MoinMoin/theme/__init__.py	2007-02-09 13:55:30.287298372 -0800
@@ -628,7 +628,7 @@
                     info = _("last edited %(time)s by %(editor)s") % info
                 else:
                     info = _("last modified %(time)s") % info
-                pagename = page.page_name
+                pagename = wikiutil.escape(page.page_name)
                 if self.request.cfg.show_interwiki:
                     pagename = "%s: %s" % (self.request.cfg.interwikiname, pagename)
                 info = "%s  (%s)" % (pagename, info)
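Review bot: `wikiutil` is used here without an accompanying import in the hunk, so confirm it is already imported at the top of `MoinMoin/theme/__init__.py`. The now-escaped `pagename` is then concatenated with `info`, which was built from `%(time)s` and `%(editor)s`; the editor name is user-controlled data as well, so check that `info` is escaped before or after this formatting, otherwise the other half of the resulting string still carries the same class of issue.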


Index: moin.spec
===================================================================
RCS file: /cvs/extras/rpms/moin/devel/moin.spec,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -r1.14 -r1.15
--- moin.spec	9 Feb 2007 16:17:19 -0000	1.14
+++ moin.spec	7 May 2007 12:50:40 -0000	1.15
@@ -1,7 +1,7 @@
 Summary: MoinMoin is a Python clone of WikiWiki
 Name:    moin
 Version: 1.5.7
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPL
 Group:   Applications/Internet
 URL:     http://moinmoin.wikiwikiweb.de/
@@ -9,6 +9,11 @@
 Source1: README-rpm
 Patch0:  moin-1.5.2-config.patch
 Patch1:  moin-1.3.5-xml_newline.patch
+# Security patches, mostly (all?) from the Debian package
+Patch10: 00821_SECURITY_FIX_use_ACL_in_include_directive.patch
+Patch11: 00825_SECURITY-fix_MonthCalendar_respect_ACLs.patch
+Patch12: 00829_SECURITY_FIX_XSS_in_AttachFile_do_parameter.patch
+Patch13: 10010_CVE-2007-0857.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 BuildRequires: python-devel, dos2unix
 BuildArch: noarch
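Review bot: the comment `mostly (all?) from the Debian package` leaves the provenance uncertain in a file that will be read for years; the headers of the three `008xx` patches identify them as upstream Mercurial changesets by Alexander Schremmer and Thomas Waldmann, and `10010_CVE-2007-0857.patch` is a plain diff against `moin-1.5.3`, so stating that, together with the Debian package version they were taken from, would be more useful than the question mark.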
@@ -26,6 +31,11 @@
 # This is required, as patch gets confused by the ^Ms otherwise
 dos2unix MoinMoin/formatter/xml_docbook.py
 %patch1 -p1 -b .xml_newline
+# Security fixes
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
 
 
 %build
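Review bot: `-p1` is the correct strip level both for the `a/MoinMoin/...` headers of the hg changesets and for the `moin-1.5.3/MoinMoin/...` headers of the CVE patch, but those patches were generated against 1.5.3 and the 2007 development tree while this spec builds 1.5.7; `%patch` only fails on rejected hunks, not on offsets or fuzz, so the build log should be checked once for fuzz messages. Stylistically, `%patch1` uses `-b .xml_newline` while these four do not; either is fine, but be consistent, or add a comment that no backup suffix is wanted so that `.orig` files cannot end up in the installed tree.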
@@ -52,6 +62,13 @@
 
 
 %changelog
+* Mon May  7 2007 Matthias Saou <http://freshrpms.net/> 1.5.7-2
+- Include security fixes from the Debian package (Jonas Smedegaard).
+- FIX_use_ACL_in_include_directive (Alexander Schremmer).
+- fix_MonthCalendar_respect_ACLs (Thomas Waldmann).
+- FIX_XSS_in_AttachFile_do_parameter (Thomas Waldmann).
+- CVE-2007-0857.
+
 * Fri Feb  9 2007 Matthias Saou <http://freshrpms.net/> 1.5.7-1
 - Update to 1.5.7.
 
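Review bot: the changelog entry lists the four patches but not the Bugzilla references (#228764, #238722) given in the commit log message; Fedora changelog entries conventionally carry the bug numbers so that `rpm -q --changelog` answers whether a given bug is fixed in a release without consulting CVS. Adding `(#228764, #238722)` to the first line of the entry would do.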