diff -Nru mediawiki-1.19.20+dfsg/debian/changelog mediawiki-1.19.20+dfsg/debian/changelog
--- mediawiki-1.19.20+dfsg/debian/changelog 2014-12-14 18:27:31.000000000 +0100
+++ mediawiki-1.19.20+dfsg/debian/changelog 2014-12-21 13:11:10.000000000 +0100
@@ -1,3 +1,12 @@
+mediawiki (1:1.19.20+dfsg-2.2) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Add patch fixing T76686: thumb.php outputs wikitext message as raw
+ HTML, which could lead to xss. Permission to edit MediaWiki namespace
+ is required to exploit this.
+
+ -- Sebastien Delafond <s...@debian.org> Sun, 21 Dec 2014 13:11:10 +0100
+
 mediawiki (1:1.19.20+dfsg-2.1) unstable; urgency=medium
 
  * Non-maintainer upload.
diff -Nru mediawiki-1.19.20+dfsg/debian/patches/series mediawiki-1.19.20+dfsg/debian/patches/series
--- mediawiki-1.19.20+dfsg/debian/patches/series 2014-12-14 18:22:55.000000000 +0100
+++ mediawiki-1.19.20+dfsg/debian/patches/series 2014-12-21 13:10:23.000000000 +0100
@@ -11,3 +11,4 @@
 suppress_warnings.patch
 CVE-2014-9277_1.patch
 CVE-2014-9277_2.patch
+T76686.patch
diff -Nru mediawiki-1.19.20+dfsg/debian/patches/T76686.patch mediawiki-1.19.20+dfsg/debian/patches/T76686.patch
--- mediawiki-1.19.20+dfsg/debian/patches/T76686.patch 1970-01-01 01:00:00.000000000 +0100
+++ mediawiki-1.19.20+dfsg/debian/patches/T76686.patch 2014-12-21 13:10:21.000000000 +0100
@@ -0,0 +1,55 @@
+From fdd3f464ef9aa7f3276a2a8dddc85e3769cfda83 Mon Sep 17 00:00:00 2001
+From: Kunal Mehta <lego...@gmail.com>
+Date: Thu, 4 Dec 2014 14:06:55 -0800
+Subject: [PATCH] thumb.php: Set proper output formats for messages going into
+ HTML
+
+* Use ->parse() instead of ->text() for wikitext messages that were
+ being treated as HTML
+* Explicitly specify ->parse() if no output format was set
+* Document that wfThumbError() takes HTML
+
+Bug: T76686
+Change-Id: Id6e7548b2e081cfda7803772ed0395a15feb1f84
+---
+ thumb.php | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/thumb.php b/thumb.php
+index 60a7ffb..a7a09fc 100644
+--- a/thumb.php
++++ b/thumb.php
+@@ -107,13 +107,13 @@ function wfStreamThumb( array $params ) {
+ // Format is <timestamp>!<name>
+ $bits = explode( '!', $fileName, 2 );
+ if ( count( $bits ) != 2 ) {
+- wfThumbError( 404, wfMsg( 'badtitletext' ) );
++ wfThumbError( 404, wfMessage( 'badtitletext' )->parse() );
+ wfProfileOut( __METHOD__ );
+ return;
+ }
+ $title = Title::makeTitleSafe( NS_FILE, $bits[1] );
+ if ( !$title ) {
+- wfThumbError( 404, wfMsg( 'badtitletext' ) );
++ wfThumbError( 404, wfMessage( 'badtitletext' )->parse() );
+ wfProfileOut( __METHOD__ );
+ return;
+ }
+@@ -136,7 +136,7 @@ function wfStreamThumb( array $params ) {
+
+ // Check the source file storage path
+ if ( !$img ) {
+- wfThumbError( 404, wfMsg( 'badtitletext' ) );
++ wfThumbError( 404, wfMessage( 'badtitletext' )->parse() );
+ wfProfileOut( __METHOD__ );
+ return;
+ }
+@@ -291,7 +291,7 @@ function wfExtractThumbParams( $uri ) {
+ * Output a thumbnail generation error message
+ *
+ * @param $status integer
+- * @param $msg string
++ * @param string $msg HTML
+ * @return void
+ */
+ function wfThumbError( $status, $msg ) {
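Review bot: The escaping contract this fix depends on is stated only by the new `@param string $msg HTML` line on wfThumbError(), whose body lies outside the embedded hunk, so nothing in the patch itself enforces that `$msg` is markup-safe; the three call sites are made safe by replacing `wfMsg( 'badtitletext' )` with `wfMessage( 'badtitletext' )->parse()`, which sends the MediaWiki-namespace wikitext through the parser and its sanitizer instead of emitting it raw. Any other wfThumbError() caller in thumb.php that passes a message obtained via wfMsg() or ->text() would be outside this hunk and is not covered here, and I cannot tell from the visible lines whether such callers exist. To make the contract harder to miss for future callers, I would expand the docblock line to `* @param string $msg HTML; must already be parsed or escaped (Message::parse() / Message::escaped()), never raw wikitext or request data`. The patch also carries upstream's git headers (Bug: T76686, Change-Id) but no DEP-3 `Origin:` line naming the upstream change, which would make later verification of this security backport easier.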