On Sat, 2010-12-18 at 00:28 +0000, Jonathan Wiltshire wrote:

> * Fixed CSRF vulnerability in "e-mail me my password",
> "create account" and "create by e-mail" features of
> [[Special:Userlogin]]. CVE-2010-1648
> * Fixed XSS vulnerability affecting IE clients only, due to a CSS
> validation issue. CVE-2010-1647 (Closes: #585918)
The security tracker seems to be somewhat confused here, fwiw -
http://security-tracker.debian.org/tracker/CVE-2010-164{7,8} both claim
that the issue was fixed in -2lenny5.

> * Fixed an XSS vulnerability in profileinfo.php for installations
> with $wgEnableProfileInfo = true (false by default) (Closes: #590669)

+- if ( preg_match( '!expression|https?://|url\s*\(!i', $decoded ) ) {
+- // Not allowed
+- return false;
+- } else {
+- // Allowed, return CSS with comments stripped
+- return $value;
++ // Reject problematic keywords and control characters
++ if ( preg_match( '/[\000-\010\016-\037\177]/', $value ) ) {
++ return '/* invalid control char */';
++ } elseif ( preg_match( '! expression | filter\s*: | accelerator\s*: | url\s*\( !ix', $value ) ) {
++ return '/* insecure input */';

Hmmm, the removal of the hard-coded "https?://" looks a little strange
there; other than that, the patch looks okay; thanks.

Regards,

Adam
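Review bot: the rejection branches now return a CSS comment string ('/* invalid control char */', '/* insecure input */') where the removed code returned false, so any caller that checked the result with === false (not visible in the hunk) would now accept the placeholder comment as valid CSS; either keep returning false or confirm each caller was updated. The keyword check also moved from $decoded to $value, and the hunk does not show where $value is decoded, so it is worth confirming the pattern still runs on the decoded form rather than on raw input. The new pattern '! expression | filter\s*: | accelerator\s*: | url\s*\( !ix' relies on the x modifier to ignore the literal spaces, which is easy to misread as requiring surrounding whitespace; a short note on the "// Reject problematic keywords and control characters" line would help, and the same note could record why the https?:// alternative from the old pattern was dropped, since neither the hunk nor the changelog entry explains it. Finally, the class [\000-\010\016-\037\177] intentionally admits tab, LF and CR but also admits \013 and \014; if that is deliberate, say so in a comment.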

