http://www.mediawiki.org/wiki/Special:Code/MediaWiki/65401
Revision: 65401
Author: tstarling
Date: 2010-04-21 15:35:12 +0000 (Wed, 21 Apr 2010)
Log Message:
-----------
MFT r64932, bug 23148: ImageMagick comment escaping. Noted security
implications.
Modified Paths:
--------------
branches/REL1_16/phase3/RELEASE-NOTES
branches/REL1_16/phase3/includes/media/Bitmap.php
Property Changed:
----------------
branches/REL1_16/phase3/includes/media/Bitmap.php
Modified: branches/REL1_16/phase3/RELEASE-NOTES
===================================================================
--- branches/REL1_16/phase3/RELEASE-NOTES 2010-04-21 15:31:23 UTC (rev
65400)
+++ branches/REL1_16/phase3/RELEASE-NOTES 2010-04-21 15:35:12 UTC (rev
65401)
@@ -53,6 +53,8 @@
showed the same text.
* (bug 23115, bug 23124) Fixed various problems with <title> and <h1> elements
in page views and previews when the language converter is enabled.
+* (bug 23148) Fixed a local path disclosure vulnerability in ImageMagick image
+ scaling, which was introduced in 1.16 beta 1.
=== Changes since 1.16 beta 1 ===
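Review bot: the added note names the impact (local path disclosure) but not the trigger, so an administrator reading RELEASE-NOTES cannot tell which input was unsafe or whether their wiki was exposed. The accompanying Bitmap.php change doubles every `%` in the value passed to ImageMagick's `-set comment`, which indicates the problem was ImageMagick expanding percent escapes in the comment string; the note should say so. Suggested wording for the `+` lines: `* (bug 23148) Fixed a local path disclosure vulnerability in ImageMagick image scaling (percent escapes in the thumbnail comment were expanded by ImageMagick), which was introduced in 1.16 beta 1.`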
Modified: branches/REL1_16/phase3/includes/media/Bitmap.php
===================================================================
--- branches/REL1_16/phase3/includes/media/Bitmap.php 2010-04-21 15:31:23 UTC
(rev 65400)
+++ branches/REL1_16/phase3/includes/media/Bitmap.php 2010-04-21 15:35:12 UTC
(rev 65401)
@@ -155,7 +155,7 @@
// or ImageMagick may decide your ratio is
wrong and slice off
// a pixel.
" -thumbnail " . wfEscapeShellArg(
"{$physicalWidth}x{$physicalHeight}!" ) .
- " -set comment " . wfEscapeShellArg(
"{$descriptionUrl}" ) .
+ " -set comment " . wfEscapeShellArg(
str_replace( '%', '%%', $descriptionUrl ) ) .
" -depth 8 $sharpen " .
wfEscapeShellArg($dstPath) . " 2>&1";
wfDebug( __METHOD__.": running ImageMagick: $cmd\n");
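Review bot: the `%` to `%%` doubling on the `+` line carries no comment explaining why it is there, and nothing in the hunk says why `wfEscapeShellArg()` alone was not enough; a later cleanup could easily drop it as redundant and reopen bug 23148. Two separate layers are at work here: `wfEscapeShellArg()` protects the shell from the argument, while the doubling protects against ImageMagick's own interpretation of the comment text once the argument reaches it. Suggest pulling the value out of the string concatenation and documenting it, e.g. `// Double '%' so ImageMagick does not expand percent escapes in the comment (bug 23148)` followed by `$comment = str_replace( '%', '%%', $descriptionUrl );`, then `" -set comment " . wfEscapeShellArg( $comment )`. Also worth a glance: the unchanged `wfDebug()` context line logs the complete command, including `$dstPath` and the escaped comment, so the escaped form is what appears in the debug log.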
Property changes on: branches/REL1_16/phase3/includes/media/Bitmap.php
___________________________________________________________________
Added: svn:mergeinfo
+ /branches/REL1_15/phase3/includes/media/Bitmap.php:51646
/branches/sqlite/includes/media/Bitmap.php:58211-58321
/branches/wmf-deployment/includes/media/Bitmap.php:53381
/trunk/phase3/includes/media/Bitmap.php:63549,63764,63897-63901,64876,64881,64932
_______________________________________________
MediaWiki-CVS mailing list
mediawiki-cvs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-cvs