Your message dated Sun, 10 Apr 2016 16:54:49 +0000
with message-id <[email protected]>
and subject line Bug#818708: fixed in didiwiki 0.5-13
has caused the Debian Bug report #818708,
regarding didiwiki regression: fix for CVE-2013-7448 renders many existing pages inaccessible
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
818708: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818708
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: didiwiki
Version: 0.5-11+deb8u1
Severity: important

In its attempt to prevent escape from /var/lib/didiwiki, patch
91_check_page_path.patch goes way too far and renders a large class of
reasonable and previously valid page names inaccessible.

The main culprit is the check for isalnum(page_name[0]): this is painful
for CJK users since Chinese characters aren't alphanumeric. More
generally, it's unlikely to work as intended with UTF8-encoded names;
e.g. page names that start with á (which is alphanumeric in some
locales) are rejected.

I guess the intent was to exclude absolute pathnames. That's more
properly coded

	if (page_name[0] == '/') return FALSE;

The checks are done after %-escapes are processed, so there is no need
to separately guard against a leading %2F .

(Also, I'd only disallow ".." if it's preceded and followed by either a
slash or an extremity of the string. No need to forbid ellipsis in page
names...)
--- End Message ---
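Added example, not code from the Debian patch or from didiwiki: the two checks the report contrasts, written out in C so they can be run against sample names. strict_check is a reconstruction from the report's description of 91_check_page_path.patch (first byte must be alphanumeric, ".." forbidden anywhere) and is an assumption about that patch, not its real code; page_name_ok implements the report's proposal (reject a leading '/', reject ".." only as a whole path component); percent_decode and request_page_ok are hypothetical stand-ins for the server decoding %XX escapes before the check, which is why the report says a separate %2F guard is unnecessary. Sample names are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Reconstruction of the overly strict check described in the report
 * (an assumption about the behaviour of 91_check_page_path.patch, not
 * its actual code): first byte must satisfy isalnum() and ".." must not
 * occur anywhere. Kept only to show which legitimate names it rejects. */
static bool strict_check(const char *page_name)
{
    if (page_name == NULL || page_name[0] == '\0')
        return false;
    if (!isalnum((unsigned char)page_name[0]))   /* fails for UTF-8 lead bytes */
        return false;
    if (strstr(page_name, "..") != NULL)          /* also fails for "..." */
        return false;
    return true;
}

/* The check the report proposes: reject absolute names, and reject ".."
 * only where it forms a whole path component (bounded by '/' or by the
 * start/end of the string). Any other byte sequence, including UTF-8
 * text and ellipses, is allowed. */
static bool page_name_ok(const char *page_name)
{
    if (page_name == NULL || page_name[0] == '\0')
        return false;
    if (page_name[0] == '/')          /* absolute path: would leave the wiki dir */
        return false;

    const char *p = page_name;
    for (;;) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;             /* a ".." component climbs out */
        if (end == NULL)
            return true;
        p = end + 1;
    }
}

/* Hypothetical stand-in for the server's %XX decoding, which the report
 * notes happens before the check (so "%2F" needs no separate guard). */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

static void percent_decode(char *s)
{
    char *out = s;
    for (const char *in = s; *in != '\0'; in++) {
        if (*in == '%' && hexval(in[1]) >= 0 && hexval(in[2]) >= 0) {
            *out++ = (char)(hexval(in[1]) * 16 + hexval(in[2]));
            in += 2;
        } else {
            *out++ = *in;             /* malformed escape kept literally */
        }
    }
    *out = '\0';
}

/* Decode a raw request name into a static buffer, then validate it the
 * way the report recommends. Returns true if the page may be served. */
static bool request_page_ok(const char *raw)
{
    static char decoded[256];
    if (raw == NULL || strlen(raw) >= sizeof decoded)
        return false;
    strcpy(decoded, raw);
    percent_decode(decoded);
    return page_name_ok(decoded);
}

int main(void)
{
    /* Constructed sample names: legitimate pages the strict check wrongly
     * rejects, followed by names that really would leave the wiki dir. */
    const char *samples[] = {
        "HomePage", "\xc3\xa1lbum", "\xe4\xb8\xad\xe6\x96\x87", "wait...",
        "notes/2016", "a..b", "/abs", "..", "../x", "x/..", "a/../b", "%2Fabs",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s strict=%d proposed=%d\n", samples[i],
               strict_check(samples[i]), request_page_ok(samples[i]));
    return 0;
}
```

Because validation runs on the decoded string, an encoded separator such as a%2F..%2Fb is caught by the same component check as a/../b, while names like "wait..." or a page title starting with a multibyte UTF-8 character pass, which is exactly the distinction the report asks for.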
--- Begin Message ---
Source: didiwiki
Source-Version: 0.5-13

We believe that the bug you reported is fixed in the latest version of
didiwiki, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ignace Mouzannar <[email protected]> (supplier of updated didiwiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 10 Apr 2016 12:21:29 -0400
Source: didiwiki
Binary: didiwiki
Architecture: source amd64
Version: 0.5-13
Distribution: unstable
Urgency: medium
Maintainer: Ignace Mouzannar <[email protected]>
Changed-By: Ignace Mouzannar <[email protected]>
Description:
 didiwiki   - simple wiki implementation with built-in webserver
Closes: 818708
Changes:
 didiwiki (0.5-13) unstable; urgency=medium
 .
   * debian/patches:
     - 91_check_page_path.patch: updated patch to correct restrictive behavior,
       rendering pages beginning with non alpha-numeric UTF-8 characters, such
       as "à", inaccessible. Thank you Sergio Gelato <[email protected]> for
       your report and help! (Closes: #818708)
   * debian/control:
     - Bumped standards-version to 3.9.7.
Checksums-Sha1:
 de0b36d764075ceee1beaf5f190eb330c513be30 1641 didiwiki_0.5-13.dsc
 de6e0f49719237ee38f3886155cb94b7ca3a2230 13996 didiwiki_0.5-13.debian.tar.xz
 b261b779916cc853182f72974656f9456b132b4f 32010 didiwiki-dbgsym_0.5-13_amd64.deb
 49043dd0deacfa1c00735e55a08d9cbfc93c8d51 27732 didiwiki_0.5-13_amd64.deb
Checksums-Sha256:
 f441fca89a67454bfaaf799464c00e903f6bd2afbdefaa274136bcb4e2183d1d 1641 didiwiki_0.5-13.dsc
 7f0bc4dd6b24c13cd1b48d984a56e53c46a2ad48b5a56369ba348e8d0c6e7d8a 13996 didiwiki_0.5-13.debian.tar.xz
 0360d5a00c745207536c65d8f2256360ff661c9174781ff158f7a8bd0f7fc33b 32010 didiwiki-dbgsym_0.5-13_amd64.deb
 176a05e6abecc33e7b78aabbdc245dec7fc99580dcb1ddbe4e420b005ebe92b3 27732 didiwiki_0.5-13_amd64.deb
Files:
 f01d8b3248bd8f3f250b14307341c9c1 1641 web optional didiwiki_0.5-13.dsc
 2f1a3fe5eb52ab6cf7d362cdce099725 13996 web optional didiwiki_0.5-13.debian.tar.xz
 5e39995cefb0a27015991657fc5b72bc 32010 debug extra didiwiki-dbgsym_0.5-13_amd64.deb
 ed33f03611d5ad75c7bc9b0f45f1b896 27732 web optional didiwiki_0.5-13_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJXCn2qAAoJELwssaJob/h/IUQP/0XXBKX4BGBcm01mz1gqCoj6
Wa0FX22z/n/FrxKssXm0aEG128kj0dZkB7gaXPpT8aNkhjgUuNQX/cNh0jJxmUxZ
ZYghCshxszy1TP/ZisAQe/GmWB5JHcWOGtkF8LxU6b4PFlyL1uhfs0UGuopOABAl
8BjAqqlM/aNdM7kUMgjkgWwSyNFFRsPgtD+2IBRo4y/GTDrwsMk6RQcJvKq/A/X6
yM70/qn1pj7Xoayqdb05FVV13VckOIlJNiayd8bdTlXmLP4Sk1W9DM3OHzT8q1AK
OGoAs6RoimcgBJwM0ogCyakZwGVPzlNXo0iqDlZObnOa5Rfuah9Q4uNm+Qc3fkfX
zo52ypH0zSXC0L0wPFRQCDhvvk2B5vXeQqEqD9/E9omqFFIYpShLVTQUG20OpocG
4VvEx7sF2U6qKuzz90aoD+QP/ra/lGeseW7YYXmkHsNr1W4pfLsvDttoCvRwC6ja
J8R+9mNOB6+5o3VlgAzM0PxhMesyQBhJx5TRhhI9ZyAu6XUcyscb2rxjZMbUxDJY
ediUdqEAPEJpwSme8TOuaAV3Bv+V+TD0O2dBdi4Hf/g+ZdcC9xAr6Aak5UbTHtTq
W4rQeDF4o8nh1PfhyuI5POLtsXrbrC6PofbF3prT1gJM4+C2RFyOFTDBBztVrPTt
kAv21r1THQQMePZP3566
=Z007
-----END PGP SIGNATURE-----
--- End Message ---

