found 606311 4.2.3-1+lenny1 thanks On Wed, Dec 08, 2010 at 07:51:50PM +0000, Dominic Hargreaves wrote:
> The changes can be summarised roughly as follows: > > lib/MT/App/Search.pm | 22 +++++++++++++++++----- > > Input checking Patch does not apply to 4.2.3-1+lenny1 > lib/MT/CMS/Tools.pm | 5 ++++- > > HTML/JS escaping Patch does not apply to 4.2.3-1+lenny1 > lib/MT/Template/Context/Search.pm | 4 ++-- > > URI encoding Applies to 4.2.3-1+lenny1 > lib/MT/Template/ContextHandlers.pm | 26 ++++++++++++++++---------- > > Input checking, HTML escaping Applied with small adaptation. > php/extlib/ezsql/ezsql_postgres.php | 2 +- > > Modifying input checking Applies to 4.2.3-1+lenny1 > php/lib/mtdb_base.php | 23 +++++++++++++++++++---- > > Modifying logic to accommodate escaping Applies to 4.2.3-1+lenny1 > php/mt.php | 5 +++-- > > Modifying input checking Applies to 4.2.3-1+lenny1 > Although not well documented it's clear that these changes are all > security-relevant, so I propose to upload 4.3.5 to unstable and have it > migrate to testing. I will go ahead with an upload to unstable this > evening unless someone shouts. > Still TODO: assess stable. So, at least some of these issues probably apply to stable. I'd appreciate any help validating these changes (I haven't had a chance to build or test yet) and helping determine whether the two fixes which didn't apply at all need adjusting (i.e. whether the issues exist in 4.2.3 in a different form). I've attached the results of the above patching. Dominic. -- Dominic Hargreaves | http://www.larted.org.uk/~dom/ PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
diff -urN movabletype-opensource-4.2.3/lib/MT/Template/Context/Search.pm movabletype-opensource-4.2.3.new/lib/MT/Template/Context/Search.pm
--- movabletype-opensource-4.2.3/lib/MT/Template/Context/Search.pm 2008-11-19 00:30:58.000000000 +0000
+++ movabletype-opensource-4.2.3.new/lib/MT/Template/Context/Search.pm 2010-12-08 22:54:40.000000000 +0000
@@ -380,10 +380,10 @@
 $link .= "&type=$type";
 }
 if ( my $include_blogs = $ctx->stash('include_blogs') ) {
- $link .= "&IncludeBlogs=$include_blogs";
+ $link .= "&IncludeBlogs=" . encode_url($include_blogs);
 }
 elsif ( my $blog_id = $ctx->stash('blog_id') ) {
- $link .= "&blog_id=$blog_id";
+ $link .= "&blog_id=" . encode_url($blog_id);
 }
 if ( my $format = $ctx->stash('format') ) {
 $link .= '&format=' . encode_url($format);
diff -urN movabletype-opensource-4.2.3/lib/MT/Template/ContextHandlers.pm movabletype-opensource-4.2.3.new/lib/MT/Template/ContextHandlers.pm
--- movabletype-opensource-4.2.3/lib/MT/Template/ContextHandlers.pm 2008-11-19 01:01:17.000000000 +0000
+++ movabletype-opensource-4.2.3.new/lib/MT/Template/ContextHandlers.pm 2010-12-08 23:09:17.000000000 +0000
@@ -8838,6 +8838,8 @@
 my $flag = lc $args->{flag} or return $ctx->error(MT->translate( 'You used <$MTEntryFlag$> without a flag.' ));
+ $e->has_column($flag)
+ or return $ctx->error(MT->translate("You have an error in your '[_2]' attribute: [_1]", $flag, 'flag'));
 my $v = $e->$flag();
 ## The logic here: when we added the convert_breaks flag, we wanted it
 ## to default to checked, because we added it in 2.0, and people had
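Review bot: The `&type=$type` context line at the top of the Search.pm hunk is still interpolated into the query string unencoded, while the IncludeBlogs and blog_id values right below it now go through encode_url(); if $type can carry anything other than a fixed token it deserves the same treatment, `$link .= "&type=" . encode_url($type);`. Where $type is stashed from is not visible in this hunk, so it may already be constrained upstream. The enclosing function starts before and ends after the hunk.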
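Review bot: The new has_column() guard in the ContextHandlers hunk carries no comment explaining why it exists, and the line it protects, `my $v = $e->$flag();`, is the non-obvious part: it is a dynamic method call whose name comes straight from the template's flag attribute, so without the guard any method name written in a template would be invoked on the entry object. I would add `# $flag is template-supplied; only allow names that are real columns before calling it as a method` above the guard. Whether has_column() could approve a name that is also something other than a plain accessor cannot be told from this hunk. The enclosing tag handler starts and ends outside the hunk.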
@@ -11159,7 +11161,8 @@
 return $ctx->_no_comment_error();
 my $label = $args->{label} || $args->{text} || MT->translate('Reply');
- my $comment_author = MT::Util::encode_html( MT::Util::encode_js($comment->author) );
+ my $comment_author = MT::Util::encode_html(
+ MT::Util::encode_html( MT::Util::encode_js( $comment->author ) ), 1 );
 my $onclick = sprintf( $args->{onclick} || "mtReplyCommentOnClick(%d, '%s')", $comment->id, $comment_author);
 return sprintf(qq(<a title="%s" href="javascript:void(0);" onclick="$onclick">%s</a>),
@@ -16170,6 +16173,7 @@
 AssetsHeader => !$i,
 AssetsFooter => !defined $assets[$i+1],
 });
+ return $ctx->error( $builder->errstr ) unless defined $out;
 $res .= $out;
 $row_count++;
 $row_count = 0 if $row_count > $per_row;
@@ -16753,6 +16757,8 @@
 } elsif ($prop =~ m/^image_/) {
 $ret = 0;
 } else {
+ $a->has_column($prop)
+ or return $ctx->error(MT->translate("You have an error in your '[_2]' attribute: [_1]", $prop, 'property'));
 $ret = $a->$prop || '';
 }
@@ -19627,8 +19633,8 @@
 $link .= '?';
 }
 }
- $link .= "limit=$limit";
- $link .= "&offset=$offset" if $offset;
+ $link .= "limit=" . encode_url($limit);
+ $link .= "&offset=" . encode_url($offset) if $offset;
 return $link;
 }
diff -urN movabletype-opensource-4.2.3/php/extlib/ezsql/ezsql_postgres.php movabletype-opensource-4.2.3.new/php/extlib/ezsql/ezsql_postgres.php
--- movabletype-opensource-4.2.3/php/extlib/ezsql/ezsql_postgres.php 2008-11-19 00:30:04.000000000 +0000
+++ movabletype-opensource-4.2.3.new/php/extlib/ezsql/ezsql_postgres.php 2010-12-08 22:54:40.000000000 +0000
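Review bot: The nested `MT::Util::encode_html( MT::Util::encode_html( MT::Util::encode_js( $comment->author ) ), 1 )` in the @@ -11159 hunk is opaque as written: a reader cannot tell why the author name is HTML-encoded twice or what the trailing `1` means, yet this is the value that lands inside the onclick attribute built by the sprintf on the next line. It needs a comment such as `# JS-escape for the mtReplyCommentOnClick argument, then HTML-encode for the attribute; the second pass (presumably with the double-encode flag set) keeps the entities produced by the first pass intact` — the meaning of the second argument should be confirmed against MT::Util before that wording is committed. Note too that `$args->{onclick}` is used as the sprintf format string, so a template-supplied onclick decides how $comment_author is placed; that is pre-existing behaviour and presumably trusted template input. The enclosing function starts and ends outside the hunk.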
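Review bot: In the @@ -19627 hunk encode_url() on `$limit` and `$offset` makes the values URL-safe, but both names suggest integers, and coercing them would reject bad input rather than merely escape it; where the two values come from is above the hunk, so if they are not already validated there I would add `$limit = int($limit); $offset = int($offset) if $offset;` before the concatenation and keep encode_url() as belt-and-braces. The `if $offset` guard also drops an offset of 0, which is presumably intended. The enclosing function starts outside the hunk.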
@@ -160,7 +160,7 @@
 // try to find table name
- eregi ("insert *into *([^ ]+).*", $query, $regs);
+ preg_match ("/insert *into *([^ ]+).*/i", $query, $regs);
 //print_r($regs);
diff -urN movabletype-opensource-4.2.3/php/lib/mtdb_base.php movabletype-opensource-4.2.3.new/php/lib/mtdb_base.php
--- movabletype-opensource-4.2.3/php/lib/mtdb_base.php 2008-11-19 00:29:54.000000000 +0000
+++ movabletype-opensource-4.2.3.new/php/lib/mtdb_base.php 2010-12-08 22:54:40.000000000 +0000
@@ -56,7 +56,8 @@
 function unserialize($data) {
 if (!$this->serializer) {
 require_once("MTSerialize.php");
- $this->serializer =& new MTSerialize();
+ $serializer = new MTSerialize();
+ $this->serializer =& $serializer;
 }
 return $this->serializer->unserialize($data);
 }
@@ -66,9 +67,8 @@
 parent::query($query);
 }
- function &resolve_url($path, $blog_id) {
+ function &resolve_url($path, $blog_id, $build_type = 3) {
 $path = preg_replace('!/$!', '', $path);
- $path = $this->escape($path);
 $blog_id = intval($blog_id);
 # resolve for $path -- one of:
 # /path/to/file.html
@@ -89,7 +89,7 @@
 and template_id = fileinfo_template_id
 order by length(fileinfo_url) asc
 ";
- $rows = $this->get_results(sprintf($sql,$p), ARRAY_A);
+ $rows = $this->get_results(sprintf($sql,$this->escape($p)), ARRAY_A);
 if ($rows) {
 break;
 }
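Review bot: Removing `$path = $this->escape($path);` at the top of resolve_url() in the @@ -66 hunk leaves `$path` raw for the rest of the function, and only the `$p` passed to get_results() in the following hunk is escaped at its point of use; any other statement in the function body (outside these hunks) that splices `$path` or a value derived from it into SQL now has to escape it itself, so the full function needs checking before this is accepted. The direction is right, since the same `$path` is later compared against fileinfo_url and escaping it early would corrupt that comparison. The new `$build_type = 3` default should say what 3 denotes, e.g. `# default build type when the caller does not filter; an int or an array of ints` — confirm the value against the template schema. The function body continues beyond the hunk.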
@@ -99,6 +99,21 @@
 $found = false;
 foreach ($rows as $row) {
+ if ( !empty( $build_type ) ) {
+ if ( !is_array( $build_type ) ) {
+ $build_type_array = array( $build_type );
+ } else {
+ $build_type_array = $build_type;
+ }
+
+ $type = isset($row['templatemap_build_type']) && strlen($row['templatemap_build_type']) > 0
+ ? $row['templatemap_build_type'] : $row['template_build_type'];
+
+ if ( !in_array( $type, $build_type_array ) ) {
+ continue;
+ }
+ }
+
 $fiurl = $row['fileinfo_url'];
 if ($fiurl == $path) {
 $found = true;
diff -urN movabletype-opensource-4.2.3/php/mt.php movabletype-opensource-4.2.3.new/php/mt.php
--- movabletype-opensource-4.2.3/php/mt.php 2008-11-19 01:46:04.000000000 +0000
+++ movabletype-opensource-4.2.3.new/php/mt.php 2010-12-08 22:54:40.000000000 +0000
@@ -199,7 +199,7 @@
 if ($fp = file($file)) {
 foreach ($fp as $line) {
 // search through the file
- if (!ereg('^\s*\#',$line)) {
+ if (!preg_match('/^\s*\#/',$line)) {
 // ignore lines starting with the hash symbol
 if (preg_match('/^\s*(\S+)\s+(.*)$/', $line, $regs)) {
 $key = strtolower(trim($regs[1]));
@@ -286,7 +286,7 @@
 $data = preg_split('/[\r?\n]/', $data);
 foreach ($data as $line) {
 // search through the file
- if (!ereg('^\s*\#',$line)) {
+ if (!preg_match('/^\s*\#/',$line)) {
 // ignore lines starting with the hash symbol
 if (preg_match('/^\s*(\S+)\s+(.*)$/', $line, $regs)) {
 $key = strtolower(trim($regs[1]));
@@ -447,6 +447,7 @@
 }
 // now set the path so it may be queried
+ $path = preg_replace('/\\\\/', '\\\\\\\\', $path );
 $this->request = $path;
 // When we are invoked as an ErrorDocument, the parameters are
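Review bot: `in_array( $type, $build_type_array )` in the @@ -99 hunk uses loose comparison, and `$type` is a string taken from the result row while the default `$build_type` is the integer 3; '3' == 3 matches as intended, but an empty or non-numeric build-type string compared with an integer falls under PHP's loose-equality rules, which is fragile for a filter that decides which rows are skipped. Normalising both sides makes the intent explicit: `$build_type_array = array_map('intval', $build_type_array);` followed by `if ( !in_array( (int) $type, $build_type_array, true ) )`. The fallback branch also reads `$row['template_build_type']` without an isset() guard, so a result set lacking that column raises a notice. The foreach loop continues beyond the hunk.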
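Review bot: The new `$path = preg_replace('/\\\\/', '\\\\\\\\', $path );` in the @@ -447 hunk doubles every backslash in $path before it is stored in `$this->request`, so every later consumer of the request path sees the doubled form, not only whatever query this is meant to protect; if the intent is to keep backslashes from being swallowed by a later escape step, doing it at that query site would be narrower. The regex form is also harder to read than `$path = str_replace('\\', '\\\\', $path);`, which performs the same substitution. At minimum the line needs a comment naming the downstream step it defends, e.g. `// double backslashes so they survive the escaping applied when the request path is queried` (confirm which function actually consumes $this->request). The enclosing function starts and ends outside the hunk.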