rpms/wordpress-mu/EL-5 2.8.2-commentor-fix.patch, NONE, 1.1 wordpress-mu.spec, 1.8, 1.9
Bret Richard McMillan
bretm at fedoraproject.org
Thu Jul 30 16:40:59 UTC 2009
Author: bretm
Update of /cvs/pkgs/rpms/wordpress-mu/EL-5
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv13679
Modified Files:
wordpress-mu.spec
Added Files:
2.8.2-commentor-fix.patch
Log Message:
backport of 2.8.2 XSS fix
2.8.2-commentor-fix.patch:
wp-admin/comment.php | 4 ++--
wp-admin/edit-form-comment.php | 20 +++++++-------------
wp-admin/includes/template.php | 4 +---
wp-includes/comment-template.php | 26 ++++++++++++++++++++++++--
4 files changed, 34 insertions(+), 20 deletions(-)
--- NEW FILE 2.8.2-commentor-fix.patch ---
commit e8f2fc7acb6da2fc30a154ca6431449f0ea0d527
Author: Bret McMillan <bretm at redhat.com>
Date: Thu Jul 30 11:39:44 2009 -0400
backport of fixes for WordPress 2.8.2 XSS vulnerability
diff --git a/wp-admin/comment.php b/wp-admin/comment.php
index 00ea590..d92a717 100644
--- a/wp-admin/comment.php
+++ b/wp-admin/comment.php
@@ -22,7 +22,7 @@ if ( isset( $_POST['deletecomment'] ) )
*
* @param string $msg Error Message. Assumed to contain HTML and be sanitized.
*/
-function comment_footer_die( $msg ) { //
+function comment_footer_die( $msg ) {
echo "<div class='wrap'><p>$msg</p></div>";
include('admin-footer.php');
die;
@@ -119,7 +119,7 @@ if ( 'spam' == $_GET['dt'] ) {
<?php if ( $comment->comment_author_url ) { ?>
<tr>
<th scope="row"><?php _e('URL'); ?></th>
-<td><a href='<?php echo $comment->comment_author_url; ?>'><?php echo $comment->comment_author_url; ?></a></td>
+<td><a href="<?php echo $comment->comment_author_url; ?>"><?php echo $comment->comment_author_url; ?></a></td>
</tr>
<?php } ?>
<tr>
diff --git a/wp-admin/edit-form-comment.php b/wp-admin/edit-form-comment.php
index 531db65..40bede5 100644
--- a/wp-admin/edit-form-comment.php
+++ b/wp-admin/edit-form-comment.php
@@ -12,7 +12,8 @@
$submitbutton_text = __('Edit Comment');
$toprow_title = sprintf(__('Editing Comment # %s'), $comment->comment_ID);
$form_action = 'editedcomment';
-$form_extra = "' />\n<input type='hidden' name='comment_ID' value='" . $comment->comment_ID . "' />\n<input type='hidden' name='comment_post_ID' value='" . $comment->comment_post_ID;
+$form_extra = "' />\n<input type='hidden' name='comment_ID' value='" . attribute_escape($comment->comment_ID) . "' />\n<input type='hidden' name='comment_post_ID' value='" . attribute_escape($comment->comment_post_ID);
+$comment->comment_author_email = attribute_escape($comment->comment_author_email);
?>
<form name="post" action="comment.php" method="post" id="post">
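Review bot: The added line `$comment->comment_author_email = attribute_escape($comment->comment_author_email);` overwrites the raw value on the shared `$comment` object instead of a local, so everything later in the request that reads the object (the `get_comment_author_email_link()` call further down this file, any filter that receives `$comment`) now sees the escaped form and may escape it a second time. Keeping a local, as the removed `$email` was, avoids that side effect; if the local was dropped because the later `$url` reassignment showed how easily such a variable gets shadowed, a distinct name such as `$author_email` assigned once here serves the same purpose. For the two IDs, `(int) $comment->comment_ID` and `(int) $comment->comment_post_ID` are the stronger and clearer guard and match the `(int) $user_ID` cast already used on the `user_ID` hidden input in this file.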
@@ -24,12 +25,6 @@ $form_extra = "' />\n<input type='hidden' name='comment_ID' value='" . $comment-
<div id="poststuff" class="metabox-holder">
<input type="hidden" name="user_ID" value="<?php echo (int) $user_ID ?>" />
<input type="hidden" name="action" value='<?php echo $form_action . $form_extra ?>' />
-<?php
-
-$email = attribute_escape( $comment->comment_author_email );
-$url = attribute_escape( $comment->comment_author_url );
-// add_meta_box('submitdiv', __('Save'), 'comment_submit_meta_box', 'comment', 'side', 'core');
-?>
<div id="side-info-column" class="inner-sidebar">
<div id="submitdiv" class="stuffbox" >
@@ -95,25 +90,24 @@ $date = date_i18n( $datef, strtotime( $comment->comment_date ) );
<tr valign="top">
<td class="first">
<?php
- if ( $email ) {
+ if ( $comment->comment_author_email ) {
printf( __( 'E-mail (%s):' ), get_comment_author_email_link( __( 'send e-mail' ), '', '' ) );
} else {
_e( 'E-mail:' );
}
?></td>
- <td><input type="text" name="newcomment_author_email" size="30" value="<?php echo $email; ?>" tabindex="2" id="email" /></td>
+ <td><input type="text" name="newcomment_author_email" size="30" value="<?php echo $comment->comment_author_email; ?>" tabindex="2" id="email" /></td>
</tr>
<tr valign="top">
<td class="first">
<?php
- $url = get_comment_author_url();
- if ( ! empty( $url ) && 'http://' != $url ) {
- $link = "<a href='$url' rel='external nofollow' target='_blank'>" . __('visit site') . "</a>";
+ if ( ! empty( $comment->comment_author_url ) && 'http://' != $comment->comment_author_url ) {
+ $link = '<a href="' . $comment->comment_author_url . '" rel="external nofollow" target="_blank">' . __('visit site') . '</a>';
printf( __( 'URL (%s):' ), apply_filters('get_comment_author_link', $link ) );
} else {
_e( 'URL:' );
} ?></td>
- <td><input type="text" id="newcomment_author_url" name="newcomment_author_url" size="30" value="<?php echo $url; ?>" tabindex="3" /></td>
+ <td><input type="text" id="newcomment_author_url" name="newcomment_author_url" size="30" value="<?php echo attribute_escape($comment->comment_author_url); ?>" tabindex="3" /></td>
</tr>
</tbody>
</table>
diff --git a/wp-admin/includes/template.php b/wp-admin/includes/template.php
index e89ea83..075da6a 100644
--- a/wp-admin/includes/template.php
+++ b/wp-admin/includes/template.php
@@ -1960,9 +1960,7 @@ function _wp_comment_row( $comment_id, $mode, $comment_status, $checkbox = true,
$author_url = get_comment_author_url();
if ( 'http://' == $author_url )
$author_url = '';
- $author_url_display = $author_url;
- $author_url_display = str_replace('http://www.', '', $author_url_display);
- $author_url_display = str_replace('http://', '', $author_url_display);
+ $author_url_display = preg_replace('|http://(www\.)?|i', '', $author_url);
if ( strlen($author_url_display) > 50 )
$author_url_display = substr($author_url_display, 0, 49) . '...';
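Review bot: The new `preg_replace('|http://(www\.)?|i', '', $author_url)` only recognises `http://`, while `get_comment_author_url()` as changed in this same patch explicitly whitelists `https` alongside `http`, so https author URLs are displayed with their scheme intact and are more likely to hit the 50-character truncation on the following line. The pattern is also unanchored, so it strips the prefix wherever it occurs rather than only at the start; `$author_url_display = preg_replace('|^https?://(www\.)?|i', '', $author_url);` handles both schemes and anchors the match. `_wp_comment_row()` starts and ends outside this hunk.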
diff --git a/wp-includes/comment-template.php b/wp-includes/comment-template.php
index a4a126b..f31f6b5 100644
--- a/wp-includes/comment-template.php
+++ b/wp-includes/comment-template.php
@@ -193,7 +193,9 @@ function comment_author_IP() {
*/
function get_comment_author_url() {
global $comment;
- return apply_filters('get_comment_author_url', $comment->comment_author_url);
+ $url = ('http://' == $comment->comment_author_url) ? '' : $comment->comment_author_url;
+ $url = clean_url( $url, array('http', 'https') );
+ return apply_filters('get_comment_author_url', $url);
}
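Review bot: The behaviour change is undocumented: `get_comment_author_url()` now returns an empty string for the `'http://'` placeholder and passes the value through `clean_url()` with an http/https-only whitelist, so stored URLs with any other scheme come back empty, and the `get_comment_author_url` filter now receives the cleaned value rather than the raw column. The function's docblock, which closes on the first context line of this hunk, should state this; e.g. add `@return string Author URL passed through clean_url() and limited to http/https; '' when the stored value is the 'http://' placeholder.` plus a sentence noting that filter callbacks now see the cleaned value. Callers that previously compared against `'http://'` themselves can rely on the empty result instead.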
/**
@@ -809,8 +811,28 @@ function comments_template( $file = '/comments.php', $separate_comments = false
$file = '/comments.php';
$req = get_option('require_name_email');
+
+ /**
+ * Comment author information fetched from the comment cookies.
+ *
+ * @uses wp_get_current_commenter()
+ */
$commenter = wp_get_current_commenter();
- extract($commenter, EXTR_SKIP);
+
+ /**
+ * The name of the current comment author escaped for use in attributes.
+ */
+ $comment_author = $commenter['comment_author']; // Escaped by sanitize_comment_cookies()
+
+ /**
+ * The email address of the current comment author escaped for use in attributes.
+ */
+ $comment_author_email = $commenter['comment_author_email']; // Escaped by sanitize_comment_cookies()
+
+ /**
+ * The url of the current comment author escaped for use in attributes.
+ */
+ $comment_author_url = clean_url($commenter['comment_author_url']);
/** @todo Use API instead of SELECTs. */
if ( $user_ID) {
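Review bot: `$comment_author_url = clean_url($commenter['comment_author_url']);` calls `clean_url()` without the `array('http', 'https')` protocol restriction that the `get_comment_author_url()` hunk in this same file applies, so the two paths accept different scheme sets for the same field; `$comment_author_url = clean_url( $commenter['comment_author_url'], array('http', 'https') );` keeps them consistent. The three `/** ... */` blocks placed above plain local assignments are not attached to any symbol and read as API docblocks; ordinary `//` comments are the conventional form here and would sit next to the existing `// Escaped by sanitize_comment_cookies()` remarks. The explicit assignments are a clear improvement over the removed `extract()`, but they now assume `wp_get_current_commenter()` always returns all three keys, where `EXTR_SKIP` would simply have left a missing one undefined; if that is not guaranteed, an `isset()` default on each is cheap. `comments_template()` starts and ends outside this hunk.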
Index: wordpress-mu.spec
===================================================================
RCS file: /cvs/pkgs/rpms/wordpress-mu/EL-5/wordpress-mu.spec,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -p -r1.8 -r1.9
--- wordpress-mu.spec 10 Jul 2009 18:40:36 -0000 1.8
+++ wordpress-mu.spec 30 Jul 2009 16:40:58 -0000 1.9
@@ -2,13 +2,14 @@ Summary: WordPress-MU multi-user bloggin
URL: http://mu.wordpress.org/latest.tar.gz
Name: wordpress-mu
Version: 2.7
-Release: 6%{?dist}
+Release: 8%{?dist}
Group: Applications/Publishing
License: GPLv2
Source0: %{name}-%{version}.tar.gz
Source1: wordpress-mu-httpd-conf
Source2: README.fedora.wordpress-mu
Patch0: cve-2009-2334.patch
+Patch1: 2.8.2-commentor-fix.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: php >= 4.1.0, httpd, php-mysql
BuildArch: noarch
@@ -20,6 +21,7 @@ one instance to serve multiple users.
%prep
%setup -q -n wordpress-mu
%patch0 -p1 -b .patch1
+%patch1 -p1 -b .patch2
# disable-wordpress-core-update, updates are always installed via rpm
#
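Review bot: The backup suffix on the new `%patch1 -p1 -b .patch2` line is off by one relative to its patch number (`%patch0` already uses `.patch1`), which makes `.patch2` backup files hard to map back to `Patch1: 2.8.2-commentor-fix.patch` when inspecting a build tree. A suffix that names the patch, e.g. `%patch1 -p1 -b .commentor-fix`, avoids the confusion without affecting the build.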
@@ -100,6 +102,9 @@ rm -rf %{buildroot}
%dir %{_sysconfdir}/wordpress-mu
%changelog
+* Thu Jul 30 2009 Bret McMillan <bretm at koom> - 2.7-8
+- fix backported for 2.8.2 comment author XSS vulnerability
+
* Fri Jul 10 2009 Bret McMillan <bretm at redhat.com> - 2.7-6
- Patch for CVE-2009-2334