Package: twiki
Version: 1:4.0.5-5
Severity: critical
Justification: breaks unrelated software
Tags: patch
Sven Dowideit wrote:
> it contains a fix for a bug I reported to bugs.debian.org about 6
> hours ago, but it's still not gotten a number ;(

It is not there yet... Did you use reportbug? I am trying again here :)

> in case something went wrong with the bug submission I've appended it
> here
>
> could you please take a peek for me some time :) I'll be away for the
> weekend

I sure will!

> Merry Christmas :)

You too!

> -----------------------------
> Package: twiki
> Version: 1:4.0.5-5
> Severity: critical
> Justification: breaks unrelated software
>
> A possible phishing risk has been found in the ability of TWiki to
> redirect to any URL via the ?topic= parameter.
>
> The following patch prevents this.
>
> --- lib/TWiki.pm.orig	2006-10-25 02:16:05.000000000 +0200
> +++ lib/TWiki.pm	2006-12-21 16:52:23.000000000 +0100
> @@ -720,6 +720,19 @@
>
>  ASSERT($this->isa( 'TWiki')) if DEBUG;
>
> + # prevent phishing byt only allowing redirect to configured host
> + if( $url =~ m!^([^:]*://[^/]*)(/.*)?$! ) {
> + my $host = $1;
> + unless ($host eq $TWiki::cfg{DefaultUrlHost}) {
> + $url = $this->getOopsUrl( 'accessdenied',
> + def => 'topic_access',
> + web => $this->{web} || $TWiki::cfg
> {UsersWebName},
> + topic => $this->{topic} ||
> $TWiki::cfg{HomeTopicName},
> + params => [ 'redirect', 'unsafe
> redirect to '.$url ]);
> + }
> + #die 'unsafe redirect to '.$url unless ($host eq $TWiki::cfg
> {DefaultUrlHost});
> + }
> +
>  my $query = $this->{cgiQuery};
>  unless( $this->{plugins}->redirectCgiQueryHandler( $query,
> $url ) ) {
>  if ( $query && $query->param( 'noredirect' )) {
>
>
> Sven Dowideit
>
> -- System Information:
> Debian Release: 4.0
>   APT prefers testing
>   APT policy: (500, 'testing')
> Architecture: i386 (i686)
> Shell:  /bin/sh linked to /bin/bash
> Kernel: Linux 2.6.17-2-686
> Locale: LANG=en_AU, LC_CTYPE=en_AU (charmap=ISO-8859-1)
>
> Versions of packages twiki depends on:
> ii  apache-common                  1.3.34-4   support files for all Apache webse
> ii  apache2.2-common               2.2.3-3.1  Next generation, scalable, extenda
> ii  debconf [debconf-2.0]          1.5.8      Debian configuration management sy
> ii  libalgorithm-diff-perl         1.19.01-2  a perl library for finding Longest
> ii  libcgi-session-perl            4.14-1     Persistent session data in CGI app
> ii  libdigest-sha1-perl            2.11-1     NIST SHA-1 message digest algorith
> ii  liberror-perl                  0.15-8     Perl module for error/exception ha
> ii  liblocale-maketext-lexicon-pe  0.62-1     Lexicon-handling backends for "Loc
> ii  libtext-diff-perl              0.35-2     Perform diffs on files and record
> ii  perl [libmime-base64-perl]     5.8.8-6.1  Larry Wall's Practical Extraction
> ii  perl-modules [libnet-perl]     5.8.8-6.1  Core Perl modules
> ii  rcs                            5.7-18     The GNU Revision Control System
>
> twiki recommends no packages.
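Review bot: the new host check only runs when `$url` matches `m!^([^:]*://[^/]*)(/.*)?$!`, so any value that does not match (a URL without a `scheme://` prefix, for instance a scheme-relative `//host/path`) skips the comparison entirely and reaches `redirectCgiQueryHandler( $query, $url )` unchanged; fail closed instead by also rejecting every non-matching `$url` that is not a plain local path starting with a single `/`. Two smaller points on the same block: `$host eq $TWiki::cfg{DefaultUrlHost}` is an exact string compare, so a legitimate redirect that differs only in case or in an explicit port will be sent to the oops page, and the dead `#die 'unsafe redirect to '.$url ...` line and the `byt` typo in the comment should go before this is committed. Finally, the mailer has wrapped several added lines (`{UsersWebName},`, `$TWiki::cfg{HomeTopicName},`, `redirect to '.$url ]);`, `{DefaultUrlHost});`) onto continuation lines that lack the leading `+`, so the hunk will not apply as quoted; please attach the patch as a file rather than inline.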
-- 
 .''`.  If I can't dance to it, it's not my revolution
: :' :        -- Emma Goldman
`. `'   Proudly running Debian GNU/Linux (unstable)
  `-    www.amayita.com  www.malapecora.com  www.chicasduras.com
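A fail-closed version of the redirect guard that the quoted patch introduces, as an added example and not code from TWiki or from the patch itself; it assumes a configuration hash carrying DefaultUrlHost (as $TWiki::cfg does) and that the caller only performs the redirect when the function returns true. The constructed inputs at the end cover the cases the patch's regex guard lets through unchecked.

```perl
use strict;
use warnings;

# Constructed configuration for the example (stands in for $TWiki::cfg).
my %cfg = ( DefaultUrlHost => 'http://twiki.example.org' );

# Returns 1 if $url may be used as a redirect target, 0 otherwise.
# Allowed targets: a local absolute path with a single leading slash, or an
# absolute http(s) URL whose scheme and host (port included) equal
# $default_host, compared case-insensitively. Everything else is refused,
# including scheme-relative "//host/..." forms and URLs carrying userinfo.
sub is_safe_redirect {
    my ( $url, $default_host ) = @_;
    return 0 unless defined $url && length $url;

    # Control characters and whitespace have no place in a redirect target.
    return 0 if $url =~ /[\x00-\x20]/;

    # Local path: exactly one leading slash ("//host" is scheme-relative).
    return 1 if $url =~ m{^/(?!/)};

    # Otherwise it must be an absolute http(s) URL on our own host.
    if ( $url =~ m{^(https?)://([^/?#]+)(?:[/?#]|$)}i ) {
        my ( $scheme, $authority ) = ( $1, $2 );
        return 0 if $authority =~ /\@/;    # no userinfo on our own host
        return 1 if lc("$scheme://$authority") eq lc($default_host);
    }
    return 0;
}

# Constructed inputs; expected results are 1 1 0 0 0 0.
for my $u (
    '/bin/view/Main/WebHome',
    'http://TWiki.example.org/bin/view/Main/WebHome',
    'http://other.example/',
    '//other.example/',
    'ftp://twiki.example.org/',
    'http://twiki.example.org@other.example/',
  )
{
    printf "%d %s\n", is_safe_redirect( $u, $cfg{DefaultUrlHost} ), $u;
}
```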