Bug#804172: jessie-pu: package spip/3.0.17-2+deb8u1

2015-11-29 Thread Adam D. Barratt
Control: tags -1 + pending

On Thu, 2015-11-26 at 22:12 -0400, David Prévot wrote:
> On 26/11/2015 17:21, Adam D. Barratt wrote:
> > On Thu, 2015-11-05 at 14:10 -0400, David Prévot wrote:
> >> As agreed with the security team, the two XSS fixes from the latest
> >> upstream version do not deserve a DSA, yet I’d like to fix them via pu
> 
> > Please go ahead; sorry for the delay.
> 
> Uploaded and accepted, thanks.

Flagged for acceptance.

Regards,

Adam



Bug#804172: jessie-pu: package spip/3.0.17-2+deb8u1

2015-11-26 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Thu, 2015-11-05 at 14:10 -0400, David Prévot wrote:
> As agreed with the security team, the two XSS fixes from the latest
> upstream version do not deserve a DSA, yet I’d like to fix them via pu
> if you agree, debdiff attached. There is no upstream fix available (yet)
> for the 2.1 branch (that is still supported), so I won’t follow up with
> a pu request for Wheezy for the moment.

Please go ahead; sorry for the delay.

Regards,

Adam



Bug#804172: jessie-pu: package spip/3.0.17-2+deb8u1

2015-11-26 Thread David Prévot
On 26/11/2015 17:21, Adam D. Barratt wrote:
> On Thu, 2015-11-05 at 14:10 -0400, David Prévot wrote:
>> As agreed with the security team, the two XSS fixes from the latest
>> upstream version do not deserve a DSA, yet I’d like to fix them via pu

> Please go ahead; sorry for the delay.

Uploaded and accepted, thanks.

Regards

David





Bug#804172: jessie-pu: package spip/3.0.17-2+deb8u1

2015-11-05 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

As agreed with the security team, the two XSS fixes from the latest
upstream version do not deserve a DSA, yet I’d like to fix them via pu
if you agree, debdiff attached. There is no upstream fix available (yet)
for the 2.1 branch (that is still supported), so I won’t follow up with
a pu request for Wheezy for the moment.

Regards

David
diff -Nru spip-3.0.17/debian/changelog spip-3.0.17/debian/changelog
--- spip-3.0.17/debian/changelog	2014-10-25 20:52:48.0 -0400
+++ spip-3.0.17/debian/changelog	2015-11-01 15:34:31.0 -0400
@@ -1,3 +1,10 @@
+spip (3.0.17-2+deb8u1) jessie; urgency=medium
+
+  * Track Jessie
+  * Backport XSS fixes in private content from 3.0.21
+
+ -- David Prévot   Sun, 01 Nov 2015 15:34:00 -0400
+
 spip (3.0.17-2) unstable; urgency=medium
 
   [ Frans Spiesschaert ]
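Review bot: the changelog entry "+  * Backport XSS fixes in private content from 3.0.21" carries no bug or issue reference; adding the upstream issue URL already cited in the patch header (https://core.spip.net/issues/3371) would let the security tracker and users correlate this stable update with the upstream fix. The version 3.0.17-2+deb8u1 and the jessie distribution look right for a pu upload.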
diff -Nru spip-3.0.17/debian/gbp.conf spip-3.0.17/debian/gbp.conf
--- spip-3.0.17/debian/gbp.conf	2014-10-25 20:50:16.0 -0400
+++ spip-3.0.17/debian/gbp.conf	2015-11-01 15:11:01.0 -0400
@@ -1,3 +1,3 @@
 [DEFAULT]
-debian-branch = 3.0
+debian-branch = jessie
 upstream-branch = upstream-3.0
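Review bot: switching debian-branch from 3.0 to jessie only affects git-buildpackage's view of the packaging repository and ships nothing to users, so it is appropriate alongside the "Track Jessie" changelog entry; just make sure the jessie branch exists and is tagged before the next gbp-based upload, since upstream-branch is left at upstream-3.0.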
diff -Nru spip-3.0.17/debian/patches/0005-Fix-XSS-in-private-content.patch spip-3.0.17/debian/patches/0005-Fix-XSS-in-private-content.patch
--- spip-3.0.17/debian/patches/0005-Fix-XSS-in-private-content.patch	1969-12-31 20:00:00.0 -0400
+++ spip-3.0.17/debian/patches/0005-Fix-XSS-in-private-content.patch	2015-11-01 15:31:01.0 -0400
@@ -0,0 +1,173 @@
+From: =?utf-8?q?C=C3=A9dric_Morin?= 
+Date: Sat, 10 Oct 2015 10:44:19 +
+Subject: Fix XSS in private content
+
+Bug: https://core.spip.net/issues/3371
+Origin: Upstream, http://zone.spip.org/trac/spip-zone/changeset/92236,
+ https://core.spip.net/projects/spip/repository/revisions/22427,
+ https://core.spip.net/projects/spip/repository/revisions/22450,
+ https://core.spip.net/projects/spip/repository/revisions/22429
+---
+ ecrire/inc/texte.php   |  7 
+ ecrire/inc/texte_mini.php  | 43 --
+ plugins-dist/revisions/inc/revisions.php   |  3 ++
+ .../prive/squelettes/contenu/revision.html |  6 +--
+ prive/squelettes/ajax.html |  2 +-
+ prive/squelettes/head/dist.html|  2 +-
+ prive/squelettes/structure.html|  4 +-
+ 7 files changed, 57 insertions(+), 10 deletions(-)
+
+diff --git a/ecrire/inc/texte.php b/ecrire/inc/texte.php
+index af706b3..c0cec0b 100644
+--- a/ecrire/inc/texte.php
 b/ecrire/inc/texte.php
+@@ -156,6 +156,7 @@ function typo($letexte, $echapper=true, $connect=null, $env=array()) {
+ 	if (is_null($connect)){
+ 		$connect = '';
+ 		$interdire_script = true;
++		$env['espace_prive'] = 1;
+ 	}
+ 
+ 	// Echapper les codes  etc
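Review bot: the private-space detection at "++		$env['espace_prive'] = 1;" keys off $connect being null, so a private-space caller that passes an explicit $connect value (including the empty string) will not have the new escaping applied; either that is intended and deserves a comment, or callers under prive/ should be checked for explicit $connect arguments.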
+@@ -183,6 +184,12 @@ function typo($letexte, $echapper=true, $connect=null, $env=array()) {
+ 	if ($interdire_script)
+ 		$letexte = interdire_scripts($letexte);
+ 
++	// Dans l'espace prive on se mefie de tout contenu dangereux
++	// https://core.spip.net/issues/3371
++	if (isset($env['espace_prive']) AND $env['espace_prive']){
++		$letexte = echapper_html_suspect($letexte);
++	}
++
+ 	return $letexte;
+ }
+ 
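Review bot: the new block runs echapper_html_suspect() after interdire_scripts(), so it is a second filter on top of the existing one rather than a replacement; the comment above it should state that ordering dependency, because a later backport that moves this block before interdire_scripts() would change what safehtml() sees. The upstream issue reference in the comment is good and matches the patch header.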
+diff --git a/ecrire/inc/texte_mini.php b/ecrire/inc/texte_mini.php
+index f3c2429..901d903 100644
+--- a/ecrire/inc/texte_mini.php
 b/ecrire/inc/texte_mini.php
+@@ -385,15 +385,52 @@ function echapper_faux_tags($letexte){
+   $letexte = "";
+   while (count($textMatches)) {
+   	// un texte a echapper
+-  	$letexte .= str_replace(array("<"),array(''),array_shift($textMatches));
++  	$letexte .= str_replace("<",'',array_shift($textMatches));
+   	// un tag html qui a servit a faite le split
+  		$letexte .= array_shift($textMatches);
+   }
+   return $letexte;
+ }
+ 
+-// Securite : utiliser SafeHTML s'il est present dans ecrire/safehtml/
+-// http://doc.spip.org/@safehtml
++/**
++ * Si le html contenu dans un texte ne passe pas sans transformation a travers safehtml
++ * on l'echappe
++ * si safehtml ne renvoie pas la meme chose on echappe les < en  pour montrer le contenu brut
++ *
++ * @param string $texte
++ * @return string
++ */
++function echapper_html_suspect($texte){
++	if (strpos($texte,'<')===false OR strpos($texte,'=')===false)
++		return $texte;
++
++	// on teste sur strlen car safehtml supprime le contenu dangereux
++	// mais il peut aussi changer des ' en " sur les attributs html,
++	// donc un test d'egalite est trop strict
++	if (strlen(safehtml($texte))!==strlen($texte)){
++		$texte = str_replace("<","",$texte);
++	}
++
++	return $texte;
++}
++
++
++/**
++ * Sécurise un texte HTML 
++ *
++ * Échappe le code PHP et JS.
++ * Applique en plus safehtml si un plugin le définit dans inc/safehtml.php
++ *
++ * Permet de protéger les textes issus d'une origine douteuse
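Review bot: the length comparison at "++	if (strlen(safehtml($texte))!==strlen($texte)){" is a heuristic, as the comment admits: any rewrite by safehtml() that preserves the byte length will not trigger escaping, and the early return when the text contains no "=" means markup without attributes is never checked here at all, so this function depends on interdire_scripts() for that case; both limitations should be documented in the docblock. Also, the replacement in "++		$texte = str_replace("<","",$texte);" reads as an empty string in this rendering while the docblock says "<" is escaped so that the raw content is shown; confirm the real patch substitutes the HTML entity rather than deleting the character, since deletion would silently drop content. The same check applies to the one-line change in echapper_faux_tags() above.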