On Wed, 2009-05-06 at 21:22 +1000, Steffen Joeris wrote:
> On Tue, 5 May 2009 09:28:08 pm Jonas Smedegaard wrote:
> > On Tue, May 05, 2009 at 09:54:36AM +0200, Frank Lin PIAT wrote:
> > >P.S. can "you" upload moin 1.7, I can't since I am not DD/DM.
> >
> > I'll do it now!
> >
> >   - Jonas
> 
> Also, please upload fixed packages for unstable with urgency high. :)

Jonas,

Here's a patch for unstable (against 1.8.2-2).

Could you review and upload it please?

Franklin
diff -u -r -N moin-1.8.2-2/debian/changelog moin-1.8.2-2+unstable1/debian/changelog
--- moin-1.8.2-2/debian/changelog	2009-05-07 00:07:45.000000000 +0200
+++ moin-1.8.2-2+unstable1/debian/changelog	2009-05-07 00:06:26.000000000 +0200
@@ -1,3 +1,14 @@
+moin (1.8.2-2+unstable1) unstable; urgency=high
+
+  [ Frank Lin PIAT ]
+  * Fix cross-site scripting vulnerability in action/AttachFile.py
+    (Closes: #526594), Thanks to Steffen Joeris.
+    Fixes: CVE-2009-1482
+  * Add mode escaping to AttachFile move (maybe not XSS exploitable
+    though)
+
+ -- Jonas Smedegaard <d...@jones.dk>  Thu, 07 May 2009 00:02:29 +0200
+
 moin (1.8.2-2) unstable; urgency=low
 
   [ Jonas Smedegaard ]
diff -u -r -N moin-1.8.2-2/debian/patches/00003_CVE-2009-1482.patch moin-1.8.2-2+unstable1/debian/patches/00003_CVE-2009-1482.patch
--- moin-1.8.2-2/debian/patches/00003_CVE-2009-1482.patch	1970-01-01 01:00:00.000000000 +0100
+++ moin-1.8.2-2+unstable1/debian/patches/00003_CVE-2009-1482.patch	2009-05-06 23:57:04.000000000 +0200
@@ -0,0 +1,55 @@
+--- a/MoinMoin/action/AttachFile.py	2009-05-06 23:53:46.000000000 +0200
++++ b/MoinMoin/action/AttachFile.py	2009-05-06 23:56:21.000000000 +0200
+@@ -387,6 +387,7 @@
+ 
+ 
+ def error_msg(pagename, request, msg):
++    msg = wikiutil.escape(msg)
+     request.theme.add_msg(msg, "error")
+     Page(request, pagename).send_page()
+ 
+@@ -512,7 +513,7 @@
+     if handler:
+         msg = handler(pagename, request)
+     else:
+-        msg = _('Unsupported AttachFile sub-action: %s') % (wikiutil.escape(do[0]), )
++        msg = _('Unsupported AttachFile sub-action: %s') % do[0]
+     if msg:
+         error_msg(pagename, request, msg)
+ 
+@@ -522,6 +523,8 @@
+ 
+ 
+ def upload_form(pagename, request, msg=''):
++    if msg:
++        msg = wikiutil.escape(msg)
+     _ = request.getText
+ 
+     request.emit_http_headers()
+@@ -838,13 +841,13 @@
+ 
+     if package.isPackage():
+         if package.installPackage():
+-            msg = _("Attachment '%(filename)s' installed.") % {'filename': wikiutil.escape(target)}
++            msg = _("Attachment '%(filename)s' installed.") % {'filename': target}
+         else:
+-            msg = _("Installation of '%(filename)s' failed.") % {'filename': wikiutil.escape(target)}
++            msg = _("Installation of '%(filename)s' failed.") % {'filename': target}
+         if package.msg:
+-            msg += "<br><pre>%s</pre>" % wikiutil.escape(package.msg)
++            msg += " " + package.msg
+     else:
+-        msg = _('The file %s is not a MoinMoin package file.') % wikiutil.escape(target)
++        msg = _('The file %s is not a MoinMoin package file.') % target
+ 
+     upload_form(pagename, request, msg=msg)
+ 
+@@ -948,7 +951,7 @@
+         logging.exception("An exception within zip file attachment handling occurred:")
+         msg = _("A severe error occurred:") + ' ' + str(err)
+ 
+-    upload_form(pagename, request, msg=wikiutil.escape(msg))
++    upload_form(pagename, request, msg=msg)
+ 
+ 
+ def send_viewfile(pagename, request):
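Review bot: Centralising the escape in `error_msg` and `upload_form` means every caller must now pass raw, unescaped text, but only the call sites inside this hunk were converted; any other caller of those two helpers in AttachFile.py that still escapes at the call site will now double-escape (showing `&amp;lt;` to the user), and any that passes deliberate markup will now render it as literal text, so the remaining callers should be audited in the same change. The `if msg:` guard added to `upload_form` is redundant because escaping the empty string yields the empty string; `msg = wikiutil.escape(msg)` alone is enough. Dropping the `<br><pre>` wrapper around `package.msg` is what keeps the unconditional escape from mangling it, but it also flattens multi-line installer output; if that formatting matters, escape `package.msg` at that site and let `upload_form` accept an already-escaped message instead of re-escaping everything. Note that `wikiutil.escape(msg)` without the quote flag is only correct while `add_msg` places the text in element content, not in an attribute. The `send_viewfile` definition on the last line continues outside the hunk.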
diff -u -r -N moin-1.8.2-2/debian/patches/00004_CVE-2009-1482-extra.patch moin-1.8.2-2+unstable1/debian/patches/00004_CVE-2009-1482-extra.patch
--- moin-1.8.2-2/debian/patches/00004_CVE-2009-1482-extra.patch	1970-01-01 01:00:00.000000000 +0100
+++ moin-1.8.2-2+unstable1/debian/patches/00004_CVE-2009-1482-extra.patch	2009-05-06 23:58:27.000000000 +0200
@@ -0,0 +1,14 @@
+--- a/MoinMoin/action/AttachFile.py	2009-05-06 23:57:38.000000000 +0200
++++ b/MoinMoin/action/AttachFile.py	2009-05-06 23:57:43.000000000 +0200
+@@ -749,9 +749,9 @@
+          'baseurl': request.getScriptname(),
+          'do': 'attachment_move',
+          'ticket': wikiutil.createTicket(request),
+-         'pagename': pagename,
++         'pagename': wikiutil.escape(pagename, 1),
+          'pagename_quoted': wikiutil.quoteWikinameURL(pagename),
+-         'attachment_name': filename,
++         'attachment_name': wikiutil.escape(filename, 1),
+          'move': _('Move'),
+          'cancel': _('Cancel'),
+          'newname_label': _("New page name"),
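Review bot: The dict literal this hunk patches starts before and continues after it, and `'baseurl': request.getScriptname()` in the same literal is still interpolated unescaped while the neighbouring `pagename` and `attachment_name` now get attribute-escaping via the second argument to `wikiutil.escape` (presumably its quote flag); if the template places `baseurl` in a form `action` attribute, as the `do`/`ticket` fields suggest, it should get the same treatment, `'baseurl': wikiutil.escape(request.getScriptname(), 1),`. Whether SCRIPT_NAME can carry attacker-influenced characters depends on the web-server setup, so this is defence in depth rather than a confirmed XSS. The enclosing function begins and ends outside the hunk.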
diff -u -r -N moin-1.8.2-2/debian/patches/series moin-1.8.2-2+unstable1/debian/patches/series
--- moin-1.8.2-2/debian/patches/series	2009-05-07 00:07:45.000000000 +0200
+++ moin-1.8.2-2+unstable1/debian/patches/series	2009-05-06 23:59:06.000000000 +0200
@@ -1,3 +1,5 @@
 #10001_disable_RenderAsDocbook_if_no_xml.patch
 20002_hardcode_configdir.patch
 20003_disable_gui_editor_if_fckeditor_missing.patch
+00003_CVE-2009-1482.patch
+00004_CVE-2009-1482-extra.patch
