rpms/moin/F-7 moin-1.5.8-attachfilexssfix.patch, NONE, 1.1 moin-1.5.8-loginxssfix.patch, NONE, 1.1 moin.spec, 1.17, 1.18

Lubomir Kundrak (lkundrak) fedora-extras-commits at redhat.com
Wed Feb 20 11:24:02 UTC 2008


Author: lkundrak

Update of /cvs/pkgs/rpms/moin/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv12703/F-7

Modified Files:
	moin.spec 
Added Files:
	moin-1.5.8-attachfilexssfix.patch moin-1.5.8-loginxssfix.patch 
Log Message:
Fix various XSS

moin-1.5.8-attachfilexssfix.patch:

--- NEW FILE moin-1.5.8-attachfilexssfix.patch ---
#From: http://hg.moinmo.in/moin/1.5/rev/2f952fa361c7
# HG changeset patch
# User Thomas Waldmann <tw AT waldmann-edv DOT de>
# Date 1201046099 -3600
# Node ID db212dfc58eff3ff7d1c9860d5fe79933217dc6e
# Parent e69a16b6e63020ac615e74b3184d6e89597352e0

fix XSS issues in AttachFile action

diff -urp moin-1.5.8.orig/docs/CHANGES moin-1.5.8/docs/CHANGES
--- moin-1.5.8.orig/docs/CHANGES	2008-02-20 12:09:26.000000000 +0100
+++ moin-1.5.8/docs/CHANGES	2008-02-20 12:11:36.000000000 +0100
@@ -29,7 +29,7 @@ Known main issues:
     method. USE BOTH ON YOUR OWN RISK!
 
 Version 1.5.8:
-  Fedora: * Fixed XSS issue in login action.
+  Fedora: * Fixed XSS issues in login and AttachFile action.
   New features:
     * Added timing.log to help performance debugging. Use cfg.log_timing = True
       to update <data_dir>/timing.log (default is False, meaning no logging).
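Review bot: the `#From:` header of this patch file points at http://hg.moinmo.in/moin/1.5/rev/2f952fa361c7, while its `# Node ID` line and the spec %changelog attribute the AttachFile fix to db212dfc58ef (the login patch shows the reverse); the two `#From:` URLs look swapped and should be corrected so the provenance of each backport can be checked. The CHANGES line itself is fine, but it rewrites the line the login patch adds, so this patch only applies cleanly after moin-1.5.8-loginxssfix.patch.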
diff -urp moin-1.5.8.orig/MoinMoin/action/AttachFile.py moin-1.5.8/MoinMoin/action/AttachFile.py
--- moin-1.5.8.orig/MoinMoin/action/AttachFile.py	2007-05-06 00:48:23.000000000 +0200
+++ moin-1.5.8/MoinMoin/action/AttachFile.py	2008-02-20 12:10:38.000000000 +0100
@@ -440,7 +440,7 @@ Otherwise, if "Rename to" is left blank,
     'action_name': action_name,
     'upload_label_file': _('File to upload'),
     'upload_label_rename': _('Rename to'),
-    'rename': request.form.get('rename', [''])[0],
+    'rename': wikiutil.escape(request.form.get('rename', [''])[0], 1),
     'upload_label_overwrite': _('Overwrite existing attachment of same name'),
     'overwrite_checked': ('', 'checked')[request.form.get('overwrite', ['0'])[0] == '1'],
     'upload_button': _('Upload'),
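Review bot: `rename` is escaped with the quote flag set (`wikiutil.escape(..., 1)`), which is the right choice if the value is interpolated into an HTML attribute of the upload form; a short comment saying so would explain why this call differs from the plain `wikiutil.escape(msg)` added to upload_form in the next hunk. The neighbouring `overwrite_checked` entry selects between two fixed strings and needs no escaping.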
@@ -536,6 +536,8 @@ def execute(pagename, request):
 
 
 def upload_form(pagename, request, msg=''):
+    if msg:
+        msg = wikiutil.escape(msg)
     _ = request.getText
 
     request.http_headers()
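Review bot: escaping inside upload_form changes the contract for every caller: msg must now be plain text, yet install_package (next hunk) still appends `"<br><pre>" + wikiutil.escape(package.msg) + "</pre>"` before calling upload_form, so those tags will render literally and package.msg is escaped twice. Either keep the escape at the call sites that pass plain text, or strip the markup from install_package; the `if msg:` guard is also redundant since escaping an empty string returns an empty string, and a one-line comment that msg is treated as untrusted plain text would document the new behaviour.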
@@ -733,7 +735,7 @@ def send_moveform(pagename, request):
     d = {'action': 'AttachFile',
          'do': 'attachment_move',
          'ticket': wikiutil.createTicket(request),
-         'pagename': pagename,
+         'pagename': wikiutil.escape(pagename, 1),
          'attachment_name': filename,
          'move': _('Move'),
          'cancel': _('Cancel'),
@@ -820,13 +822,13 @@ def install_package(pagename, request):
 
     if package.isPackage():
         if package.installPackage():
-            msg=_("Attachment '%(filename)s' installed.") % {'filename': wikiutil.escape(target)}
+            msg=_("Attachment '%(filename)s' installed.") % {'filename': target}
         else:
-            msg=_("Installation of '%(filename)s' failed.") % {'filename': wikiutil.escape(target)}
+            msg=_("Installation of '%(filename)s' failed.") % {'filename': target}
         if package.msg != "":
             msg += "<br><pre>" + wikiutil.escape(package.msg) + "</pre>"
     else:
-        msg = _('The file %s is not a MoinMoin package file.' % wikiutil.escape(target))
+        msg = _('The file %s is not a MoinMoin package file.' % target)
 
     upload_form(pagename, request, msg=msg)
 
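Review bot: removing `wikiutil.escape(target)` from the three messages is consistent with upload_form now escaping msg, but the `<br><pre>...</pre>` branch for package.msg is left in place and will be rendered as literal text by that same escape. Separately, `_('The file %s is not a MoinMoin package file.' % target)` performs the substitution inside `_()`, so gettext is asked to translate an already-formatted string that cannot match the catalog; write `_('... %s ...') % target` as the other messages in this function do.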
@@ -910,9 +912,9 @@ def unzip_file(pagename, request):
                           "files are too big, .zip files only, exist already or "
                           "reside in folders.") % {'filename': filename}
         else:
-            msg = _('The file %(target)s is not a .zip file.' % target)
+            msg = _('The file %(target)s is not a .zip file.' % {'target': filename}) 
 
-    upload_form(pagename, request, msg=wikiutil.escape(msg))
+    upload_form(pagename, request, msg=msg)
 
 def send_viewfile(pagename, request):
     _ = request.getText
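Review bot: the corrected line still formats inside the `_()` call (`_('The file %(target)s is not a .zip file.' % {'target': filename})`), so the message remains untranslatable; move the `%` outside the call as in the `%(filename)s` message a few lines above, and drop the trailing whitespace on the `+` line. Moving the escape from this call site into upload_form is otherwise fine here, since both messages in this function are plain text.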

moin-1.5.8-loginxssfix.patch:

--- NEW FILE moin-1.5.8-loginxssfix.patch ---
#From: http://hg.moinmo.in/moin/1.5/rev/db212dfc58ef
# HG changeset patch
# User Thomas Waldmann <tw AT waldmann-edv DOT de>
# Date 1200847002 -3600
# Node ID 2f952fa361c7bc6ed127ec0618038272385186cd
# Parent dbe95b27954adcb135e392ff1f9c883d0cfb7dc6

XSS fix for login action, thanks to Fernando Quintero for reporting this

diff -urp moin-1.5.8.orig/docs/CHANGES moin-1.5.8/docs/CHANGES
--- moin-1.5.8.orig/docs/CHANGES	2007-05-13 00:18:34.000000000 +0200
+++ moin-1.5.8/docs/CHANGES	2008-02-20 12:09:26.000000000 +0100
@@ -29,6 +29,7 @@ Known main issues:
     method. USE BOTH ON YOUR OWN RISK!
 
 Version 1.5.8:
+  Fedora: * Fixed XSS issue in login action.
   New features:
     * Added timing.log to help performance debugging. Use cfg.log_timing = True
       to update <data_dir>/timing.log (default is False, meaning no logging).
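Review bot: this CHANGES hunk is tagged `Fedora:` but the patch header presents the whole file as the upstream changeset; if the CHANGES entry is a downstream addition, say so in the patch header (or drop the hunk) so the backport can be compared against upstream. The `#From:` URL (db212dfc58ef) also disagrees with the `# Node ID` line (2f952fa361c7) and with the spec %changelog, which names 2f952fa361c7 for the login fix.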
diff -urp moin-1.5.8.orig/MoinMoin/action/login.py moin-1.5.8/MoinMoin/action/login.py
--- moin-1.5.8.orig/MoinMoin/action/login.py	2006-05-11 18:24:00.000000000 +0200
+++ moin-1.5.8/MoinMoin/action/login.py	2008-02-20 12:07:41.000000000 +0100
@@ -40,12 +40,12 @@ class LoginHandler:
             if not user.isValidName(request, name):
                  error = _("""Invalid user name {{{'%s'}}}.
 Name may contain any Unicode alpha numeric character, with optional one
-space between words. Group page name is not allowed.""") % name
+space between words. Group page name is not allowed.""") % wikiutil.escape(name)
 
             # Check that user exists
             elif not user.getUserId(request, name):
                 error = _('Unknown user name: {{{"%s"}}}. Please enter'
-                             ' user name and password.') % name
+                             ' user name and password.') % wikiutil.escape(name)
 
             # Require password
             else:
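Review bot: both substitutions now go through `wikiutil.escape(name)`, but the hunk adds no import and the visible context shows none; confirm that login.py already imports wikiutil, since a missing import would turn every invalid-name login attempt into a NameError instead of an error message. Escaping once, before the name is wrapped in `{{{...}}}`, is the right place provided `error` is later emitted as HTML without being escaped again.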


Index: moin.spec
===================================================================
RCS file: /cvs/pkgs/rpms/moin/F-7/moin.spec,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- moin.spec	9 Feb 2008 14:48:30 -0000	1.17
+++ moin.spec	20 Feb 2008 11:23:14 -0000	1.18
@@ -3,7 +3,7 @@
 Summary: MoinMoin is a Python clone of WikiWiki
 Name: moin
 Version: 1.5.8
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2+
 Group: Applications/Internet
 URL: http://moinmoin.wikiwikiweb.de/
@@ -13,6 +13,8 @@
 Patch1: moin-1.3.5-xml_newline.patch
 Patch10: 10010_CVE-2007-0857.patch
 Patch11: moin-1.5.8-cookieidfix.patch
+Patch12: moin-1.5.8-loginxssfix.patch
+Patch13: moin-1.5.8-attachfilexssfix.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 BuildRequires: python-devel
 BuildArch: noarch
@@ -30,6 +32,8 @@
 %patch1 -p1 -b .xml_newline
 %patch10 -p1 -b .CVE-2007-0857
 %patch11 -p1 -b .cookieidfix
+%patch12 -p1 -b .loginxssfix
+%patch13 -p1 -b .attachfilexssfix
 
 
 %build
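Review bot: the order here is load-bearing: the attachfilexssfix CHANGES hunk expects the `Fedora: * Fixed XSS issue in login action.` line that loginxssfix adds as context, so %patch13 must stay after %patch12; a comment on that dependency would prevent a later reorder from breaking %prep. The backup suffixes follow the existing `-b .name` convention, which is fine.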
@@ -56,6 +60,10 @@
 
 
 %changelog
+* Wed Feb 20 2008 Lubomir Kundrak <lkundrak at redhat.com> 1.5.8-4
+- Fix CVE-2008-0780 XSS in login action (2f952fa361c7)
+- Fix CVE-2008-0781 multiple XSS in AttachFile action (db212dfc58ef)
+
 * Fri Feb  8 2008 Matthias Saou <http://freshrpms.net/> 1.5.8-3
 - Include e69a16b6e630 1.5 changeset as cookieidfix (#432017).
 
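Review bot: the changeset ids here (2f952fa361c7 for login, db212dfc58ef for AttachFile) match the `# Node ID` lines inside the patch files but not their `#From:` URLs, so one of the two should be corrected; unlike the 1.5.8-3 entry (#432017) these lines also carry no bugzilla reference, which is worth adding if tracking bugs exist for the two CVEs.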
