rpms/moin/FC-6 00821_SECURITY_FIX_use_ACL_in_include_directive.patch, NONE, 1.1 00825_SECURITY-fix_MonthCalendar_respect_ACLs.patch, NONE, 1.1 00829_SECURITY_FIX_XSS_in_AttachFile_do_parameter.patch, NONE, 1.1 10010_CVE-2007-0857.patch, NONE, 1.1 moin.spec, 1.11, 1.12
Matthias Saou (thias)
fedora-extras-commits at redhat.com
Mon May 7 12:59:46 UTC 2007
- Previous message (by thread): rpms/moin/FC-5 00821_SECURITY_FIX_use_ACL_in_include_directive.patch, NONE, 1.1 00825_SECURITY-fix_MonthCalendar_respect_ACLs.patch, NONE, 1.1 00829_SECURITY_FIX_XSS_in_AttachFile_do_parameter.patch, NONE, 1.1 10010_CVE-2007-0857.patch, NONE, 1.1 moin.spec, 1.8, 1.9
- Next message (by thread): rpms/logwatch/devel logwatch-7.3.4-named.patch, NONE, 1.1 logwatch-7.3.4-sshd3.patch, NONE, 1.1 logwatch.spec, 1.68, 1.69
Author: thias
Update of /cvs/extras/rpms/moin/FC-6
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv12139/FC-6
Modified Files:
moin.spec
Added Files:
00821_SECURITY_FIX_use_ACL_in_include_directive.patch
00825_SECURITY-fix_MonthCalendar_respect_ACLs.patch
00829_SECURITY_FIX_XSS_in_AttachFile_do_parameter.patch
10010_CVE-2007-0857.patch
Log Message:
Include security patches from Debian package (#228764, #238722).
00821_SECURITY_FIX_use_ACL_in_include_directive.patch:
--- NEW FILE 00821_SECURITY_FIX_use_ACL_in_include_directive.patch ---
# HG changeset patch
# User Alexander Schremmer <alex AT alexanderweb DOT de>
# Date Sun Feb 25 11:01:57 2007 +0100
# Node ID 4949ad88af4e2fce70f2170bf6d09f337b7b83bb
# parent: efdb7eef6c61ba7c2ea97992269ff51a0b96e3bf
Actually check the ACL for the include directive. Fixes a severe security issue.
--- a/MoinMoin/parser/rst.py Fri Feb 23 19:24:52 2007 +0100
+++ b/MoinMoin/parser/rst.py Sun Feb 25 11:01:57 2007 +0100
@@ -560,15 +560,19 @@ class MoinDirectives:
return
if len(content):
- page = Page(page_name = content[0], request = self.request)
- if page.exists():
- text = page.get_raw_body()
- lines = text.split('\n')
- # Remove the "#format rst" line
- if lines[0].startswith("#format"):
- del lines[0]
+ pagename = content[0]
+ page = Page(page_name=pagename, request=self.request)
+ if not self.request.user.may.read(pagename):
+ lines = [_("**You are not allowed to read the page: %s**") % (pagename, )]
else:
- lines = [_("**Could not find the referenced page: %s**") % (content[0],)]
+ if page.exists():
+ text = page.get_raw_body()
+ lines = text.split('\n')
+ # Remove the "#format rst" line
+ if lines[0].startswith("#format"):
+ del lines[0]
+ else:
+ lines = [_("**Could not find the referenced page: %s**") % (pagename, )]
# Insert the text from the included document and then continue
# parsing
state_machine.insert_input(lines, 'MoinDirectives')
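Review bot: the `self.request.user.may.read(pagename)` check is evaluated before `page.exists()`, which is the right order: a reader without ACL rights gets the same "not allowed" message whether or not the page exists, so the include directive no longer reveals the existence of restricted pages. One thing to watch in this hunk: both messages are pushed back into the parser as source text via `state_machine.insert_input(lines, 'MoinDirectives')`, so a page name containing rst markup will be interpreted as markup inside the `**...**` span rather than shown literally; a comment noting that, or an rst-safe rendering of `pagename`, would make the intent explicit.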
00825_SECURITY-fix_MonthCalendar_respect_ACLs.patch:
--- NEW FILE 00825_SECURITY-fix_MonthCalendar_respect_ACLs.patch ---
# HG changeset patch
# User Thomas Waldmann <tw AT waldmann-edv DOT de>
# Date Mon Apr 02 23:05:14 2007 +0200
# Node ID 0e41a0429ee13f5bba8bca418bc5898df91c91f7
# parent: 5e758e78e32797bb9625bb210572881ac3841f23
MonthCalendar: ACL security fix
--- a/MoinMoin/macro/MonthCalendar.py Sun Mar 18 23:14:08 2007 +0100
+++ b/MoinMoin/macro/MonthCalendar.py Mon Apr 02 23:05:14 2007 +0200
@@ -389,7 +389,7 @@ def execute(macro, text):
else:
link = "%s/%4d-%02d-%02d" % (page, year, month, day)
daypage = Page(request, link)
- if daypage.exists():
+ if daypage.exists() and request.user.may.read(link):
csslink = "cal-usedday"
query = {}
r, g, b, u = (255, 0, 0, 1)
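Review bot: the added `and request.user.may.read(link)` only gates the `cal-usedday` styling branch; `link` and `daypage = Page(request, link)` are still built for every day regardless of ACL, so the calendar still emits the day link and relies on the target page's own ACL when it is followed. That is acceptable, but it means one `may.read` evaluation per existing day page per rendered month; the `and` short-circuits on `daypage.exists()` first, which keeps the cost bounded to days that actually have pages, and that ordering is worth preserving if this line is touched again.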
00829_SECURITY_FIX_XSS_in_AttachFile_do_parameter.patch:
--- NEW FILE 00829_SECURITY_FIX_XSS_in_AttachFile_do_parameter.patch ---
# HG changeset patch
# User Thomas Waldmann <tw AT waldmann-edv DOT de>
# Date 1178406230 -7200
# Node ID 288694f8dfde086358ca18f107cfb48cced03558
# Parent fe2e3e78c269f5f0024491fb9b6041970f4e7a1a
XSS fix for AttachFile 'do' parameter
--- a/MoinMoin/action/AttachFile.py Tue Apr 24 11:08:20 2007 +0200
+++ b/MoinMoin/action/AttachFile.py Sun May 06 01:03:50 2007 +0200
@@ -461,6 +461,9 @@ def execute(pagename, request):
_ = request.getText
msg = None
+ do = request.form.get('do')
+ if do is not None:
+ do = do[0]
if action_name in request.cfg.actions_excluded:
msg = _('File attachments are not allowed in this wiki!')
elif request.form.has_key('filepath'):
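Review bot: `do = do[0]` assumes `request.form.get('do')` returned a non-empty list; if the form parser ever yields an empty list for `do`, this raises `IndexError` before any of the permission checks below run. A defensive form such as `do = do[0] if do else None` keeps `do` as `None` in that case so the request falls through to the `upload_form` branch. A one-line comment that `do` is still the raw, unescaped request value at this point would also help, since it is only escaped at the very end of the function.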
@@ -470,9 +473,9 @@ def execute(pagename, request):
request.write("OK")
else:
msg = _('You are not allowed to save a drawing on this page.')
- elif not request.form.has_key('do'):
+ elif do is None:
upload_form(pagename, request)
- elif request.form['do'][0] == 'upload':
+ elif do == 'upload':
if request.user.may.write(pagename):
if request.form.has_key('file'):
do_upload(pagename, request)
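Review bot: `elif do is None:` is behaviour-equivalent to the old `not request.form.has_key('do')` given the `request.form.get('do')` read in the previous hunk, so the upload form still appears when the parameter is absent, and the `may.write(pagename)` check guarding `do_upload` is unchanged. No change requested for this hunk.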
@@ -482,17 +485,17 @@ def execute(pagename, request):
msg = _("No file content. Delete non ASCII characters from the file name and try again.")
else:
msg = _('You are not allowed to attach a file to this page.')
- elif request.form['do'][0] == 'del':
+ elif do == 'del':
if request.user.may.delete(pagename):
del_file(pagename, request)
else:
msg = _('You are not allowed to delete attachments on this page.')
- elif request.form['do'][0] == 'move':
+ elif do == 'move':
if request.user.may.delete(pagename):
send_moveform(pagename, request)
else:
msg = _('You are not allowed to move attachments from this page.')
- elif request.form['do'][0] == 'attachment_move':
+ elif do == 'attachment_move':
if request.form.has_key('cancel'):
msg = _('Move aborted!')
error_msg(pagename, request, msg)
@@ -505,28 +508,28 @@ def execute(pagename, request):
attachment_move(pagename, request)
else:
msg = _('You are not allowed to move attachments from this page.')
- elif request.form['do'][0] == 'get':
+ elif do == 'get':
if request.user.may.read(pagename):
get_file(pagename, request)
else:
msg = _('You are not allowed to get attachments from this page.')
- elif request.form['do'][0] == 'unzip':
+ elif do == 'unzip':
if request.user.may.delete(pagename) and request.user.may.read(pagename) and request.user.may.write(pagename):
unzip_file(pagename, request)
else:
msg = _('You are not allowed to unzip attachments of this page.')
- elif request.form['do'][0] == 'install':
+ elif do == 'install':
if request.user.isSuperUser():
install_package(pagename, request)
else:
msg = _('You are not allowed to install files.')
- elif request.form['do'][0] == 'view':
+ elif do == 'view':
if request.user.may.read(pagename):
view_file(pagename, request)
else:
msg = _('You are not allowed to view attachments of this page.')
else:
- msg = _('Unsupported upload action: %s') % (request.form['do'][0],)
+ msg = _('Unsupported upload action: %s') % (wikiutil.escape(do),)
if msg:
error_msg(pagename, request, msg)
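Review bot: the `wikiutil.escape(do)` in the final `else` is placed at the single point where the request value is interpolated into output, which is the right place for this reflected XSS fix; every earlier branch only compares `do` against a literal and never echoes it. Since `msg` is passed to `error_msg(pagename, request, msg)` and rendered as markup, a short comment above the `Unsupported upload action` line stating that `do` must be escaped wherever it is interpolated would help future branches keep that invariant.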
10010_CVE-2007-0857.patch:
--- NEW FILE 10010_CVE-2007-0857.patch ---
diff -Nur moin-1.5.3/MoinMoin/action/LikePages.py moin-1.5.3.new/MoinMoin/action/LikePages.py
--- moin-1.5.3/MoinMoin/action/LikePages.py 2006-03-22 01:25:59.000000000 -0800
+++ moin-1.5.3.new/MoinMoin/action/LikePages.py 2007-02-09 13:55:30.283298168 -0800
@@ -28,14 +28,14 @@
# No matches
if not matches:
Page(request, pagename).send_page(request,
- msg = _('No pages like "%s"!') % (pagename,))
+ msg = _('No pages like "%s"!') % (wikiutil.escape(pagename),))
return
# One match - display it
if len(matches) == 1:
Page(request, matches.keys()[0]).send_page(request,
msg = _('Exactly one page like "%s" found, redirecting to page.') % (
- pagename,))
+ wikiutil.escape(pagename),))
return
# more than one match, list 'em
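Review bot: both `send_page(..., msg=...)` messages now escape `pagename` before interpolation, and escaping the inserted value rather than the translated template is correct, since the `_()` strings are trusted. `Page(request, pagename)` and `matches.keys()[0]` still receive the raw value, which is right because those are page identifiers rather than HTML; just confirm that nothing else in this function outside the hunk echoes `pagename` into the response.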
@@ -44,7 +44,7 @@
# This action generate data using the user language
request.setContentLanguage(request.lang)
- wikiutil.send_title(request, _('Pages like "%s"') % (pagename),
+ wikiutil.send_title(request, _('Pages like "%s"') % (wikiutil.escape(pagename)),
pagename=pagename)
# Start content - IMPORTANT - without content div, there is no
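Review bot: `wikiutil.send_title(...)` gets the escaped `pagename` in the title string, but the next line still passes the raw value via `pagename=pagename`. Whether `send_title` HTML-escapes that keyword argument itself when it builds the title and link elements is not visible in this hunk and should be verified; otherwise the same input reaches the output by a second path.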
diff -Nur moin-1.5.3/MoinMoin/theme/__init__.py moin-1.5.3.new/MoinMoin/theme/__init__.py
--- moin-1.5.3/MoinMoin/theme/__init__.py 2006-04-15 12:09:38.000000000 -0700
+++ moin-1.5.3.new/MoinMoin/theme/__init__.py 2007-02-09 13:55:30.287298372 -0800
@@ -628,7 +628,7 @@
info = _("last edited %(time)s by %(editor)s") % info
else:
info = _("last modified %(time)s") % info
- pagename = page.page_name
+ pagename = wikiutil.escape(page.page_name)
if self.request.cfg.show_interwiki:
pagename = "%s: %s" % (self.request.cfg.interwikiname, pagename)
info = "%s (%s)" % (pagename, info)
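Review bot: escaping `page.page_name` here is fine, but `info` is assembled just above from `%(time)s` and `%(editor)s`, and `editor` can be a user-chosen name; confirm it is escaped where `info` is populated, since the combined `"%s (%s)" % (pagename, info)` string is emitted as-is. `self.request.cfg.interwikiname` comes from configuration and can be treated as trusted.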
Index: moin.spec
===================================================================
RCS file: /cvs/extras/rpms/moin/FC-6/moin.spec,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- moin.spec 12 Feb 2007 10:45:32 -0000 1.11
+++ moin.spec 7 May 2007 12:59:12 -0000 1.12
@@ -1,7 +1,7 @@
Summary: MoinMoin is a Python clone of WikiWiki
Name: moin
Version: 1.5.7
-Release: 1%{?dist}
+Release: 2%{?dist}
License: GPL
Group: Applications/Internet
URL: http://moinmoin.wikiwikiweb.de/
@@ -9,6 +9,11 @@
Source1: README-rpm
Patch0: moin-1.5.2-config.patch
Patch1: moin-1.3.5-xml_newline.patch
+# Security patches, mostly (all?) from the Debian package
+Patch10: 00821_SECURITY_FIX_use_ACL_in_include_directive.patch
+Patch11: 00825_SECURITY-fix_MonthCalendar_respect_ACLs.patch
+Patch12: 00829_SECURITY_FIX_XSS_in_AttachFile_do_parameter.patch
+Patch13: 10010_CVE-2007-0857.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
BuildRequires: python-devel, dos2unix
BuildArch: noarch
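Review bot: the `mostly (all?)` in the comment above `Patch10` should be resolved before this lands: the three `008xx_SECURITY_*` files carry HG changeset headers, while `10010_CVE-2007-0857.patch` is a `diff -Nur` against `moin-1.5.3`, so provenance and target version differ. Record where each patch came from and confirm that the 1.5.3 diff applies cleanly to the 1.5.7 source tree, since `%patch13 -p1` in `%prep` will fail the build otherwise.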
@@ -26,6 +31,11 @@
# This is required, as patch gets confused by the ^Ms otherwise
dos2unix MoinMoin/formatter/xml_docbook.py
%patch1 -p1 -b .xml_newline
+# Security fixes
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
%build
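Review bot: `%patch10` through `%patch13` are applied without the `-b <suffix>` backup argument that `%patch1 -p1 -b .xml_newline` uses just above; for consistency and easier post-build diffing, give each one a suffix (for example `%patch10 -p1 -b .acl_include`). The `dos2unix` run is still limited to `xml_docbook.py`, so confirm the new patches apply without it.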
@@ -52,6 +62,13 @@
%changelog
+* Mon May 7 2007 Matthias Saou <http://freshrpms.net/> 1.5.7-2
+- Include security fixes from the Debian package (Jonas Smedegaard).
+- FIX_use_ACL_in_include_directive (Alexander Schremmer).
+- fix_MonthCalendar_respect_ACLs (Thomas Waldmann).
+- FIX_XSS_in_AttachFile_do_parameter (Thomas Waldmann).
+- CVE-2007-0857.
+
* Fri Feb 9 2007 Matthias Saou <http://freshrpms.net/> 1.5.7-1
- Update to 1.5.7.
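Review bot: the `1.5.7-2` changelog entry lists the four fixes but not the Bugzilla references given in the commit log (#228764, #238722); adding them to the entry keeps the spec self-documenting, and naming `CVE-2007-0857` next to the LikePages/theme change makes it easier to map advisories to patches later.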