Control: retitle -1 bookworm-pu: package spip/4.1.9+dfsg-1+deb12u4 Le Sat, Dec 30, 2023 at 12:06:56PM +0100, Salvatore Bonaccorso a écrit : > On Fri, Dec 22, 2023 at 01:28:00PM +0100, David Prévot wrote: […] > > This issue is similar to #1059289 for oldstable. > > > > Another upstream release fixed a security (XSS) issue. The last two > > updates of this kind didn’t warrant a DSA, so I guess this one will not > > warrant one either (security team X-D-CCed in case I’m wrong).
And here we are again, another XSS was fixed (in a plugin not provided by the version in oldstable), second debdiff attached, thanks in advance for considering. Regards, taffit
diff --git a/debian/changelog b/debian/changelog
index 333c4146c1..23a523a96a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+spip (4.1.9+dfsg-1+deb12u4) bookworm; urgency=medium
+
+ * Backport security fix from 4.1.15
+ - fix XSS in uploaded files using bigup
+
+ -- David Prévot <taf...@debian.org> Fri, 12 Jan 2024 13:42:36 +0100
+
 spip (4.1.9+dfsg-1+deb12u3) bookworm; urgency=medium
 
 * Backport security fix from 4.1.13
diff --git a/debian/patches/0013-fix-viter-de-possibles-XSS-avec-le-nom-des-fichiers-.patch b/debian/patches/0013-fix-viter-de-possibles-XSS-avec-le-nom-des-fichiers-.patch
new file mode 100644
index 0000000000..7c72b8539d
--- /dev/null
+++ b/debian/patches/0013-fix-viter-de-possibles-XSS-avec-le-nom-des-fichiers-.patch
@@ -0,0 +1,79 @@
+From: Matthieu Marcillaud <marci...@rezo.net>
+Date: Sun, 7 Jan 2024 22:07:19 +0100
+Subject: =?utf-8?q?fix=3A_=C3=89viter_de_possibles_XSS_avec_le_nom_des_fich?=
+ =?utf-8?q?iers_upload=C3=A9s_=28en_js=29?=
+
+(cherry picked from commit df7543f1dc9d04f068dd12c901b89a98db535961)
+
+Origin: upstream, https://git.spip.net/spip/bigup/commit/ada821c076d67d1147a195178223d0b4a6d8cecc
+---
+ plugins-dist/bigup/javascript/bigup.js | 34 ++++++++++++++++++----------
+ plugins-dist/bigup/javascript/bigup.utils.js | 12 +++++++++-
+ 2 files changed, 33 insertions(+), 13 deletions(-)
+
+diff --git a/plugins-dist/bigup/javascript/bigup.js b/plugins-dist/bigup/javascript/bigup.js
+index bd84fc1..5b9b5be 100644
+--- a/plugins-dist/bigup/javascript/bigup.js
++++ b/plugins-dist/bigup/javascript/bigup.js
+@@ -190,18 +190,28 @@ function Bigup(params, opts, callbacks) {
+ var extension = $.trouver_extension(file.name);
+
+ var template =
+- '\n<div class="fichier">'
+- + '\n\t<div class="description">'
+- + '\n\t\t<div class="vignette_extension ' + extension + '" title="' + file.type + '"><span></span></div>'
+- + '\n\t\t<div class="infos">'
+- + '\n\t\t\t<span class="name"><strong>' + file.name + '</strong></span>'
+- + '\n\t\t\t<span class="size">' + $.taille_en_octets(file.size) + '</span>'
+- + '\n\t\t</div>'
+- + '\n\t\t<div class="actions">'
+- + '\n\t\t\t<span class="bigup-btn btn btn-default cancel" onClick="$.bigup_enlever_fichier(this); return false;">' + _T("bigup:bouton_annuler") + '</span>'
+- + '\n\t\t</div>'
+- + '\n\t</div>'
+- + '\n</div>\n';
++ '\n<div class="fichier">' +
++ '\n\t<div class="description">' +
++ '\n\t\t<div class="vignette_extension ' +
++ $.escapeHtml(extension) +
++ '" title="' +
++ file.type +
++ '"><span></span></div>' +
++ '\n\t\t<div class="infos">' +
++ '\n\t\t\t<span class="name"><strong>' +
++ $.escapeHtml(file.name) +
++ '</strong></span>' +
++ '\n\t\t\t<span class="size">' +
++ $.taille_en_octets(file.size) +
++ '</span>' +
++ '\n\t\t</div>' +
++ '\n\t\t<div class="actions">' +
++ '\n\t\t\t<span class="bigup-btn btn btn-default cancel" onClick="$.bigup_enlever_fichier(this);">' +
++ _T('bigup:bouton_annuler') +
++ '</span>' +
++ '\n\t\t</div>' +
++ '\n\t</div>' +
++ '\n</div>\n';
+
+ return template;
+ }
+diff --git a/plugins-dist/bigup/javascript/bigup.utils.js b/plugins-dist/bigup/javascript/bigup.utils.js
+index 872123b..4a1bad9 100644
+--- a/plugins-dist/bigup/javascript/bigup.utils.js
++++ b/plugins-dist/bigup/javascript/bigup.utils.js
+@@ -171,4 +171,14 @@ $.mime_type_image = function(extension) {
+ break;
+ }
+ return mime;
+-};
+\ No newline at end of file
++};
++
++/** Escape HTML */
++$.escapeHtml = function(unsafe) {
++ return unsafe
++ .replaceAll('&', '&')
++ .replaceAll('<', '<')
++ .replaceAll('>', '>')
++ .replaceAll('"', '"')
++ .replaceAll("'", ''');
++}
diff --git a/debian/patches/0014-fix-Ajout-d-un-point-virgule-manquant.patch b/debian/patches/0014-fix-Ajout-d-un-point-virgule-manquant.patch
new file mode 100644
index 0000000000..33e6a87c7e
--- /dev/null
+++ b/debian/patches/0014-fix-Ajout-d-un-point-virgule-manquant.patch
@@ -0,0 +1,21 @@
+From: Glop <glopg...@riseup.net>
+Date: Thu, 11 Jan 2024 17:16:45 +0100
+Subject: fix: Ajout d'un point-virgule manquant
+
+(cherry picked from commit ac51139245cea6e6dd44dba47b30122b69ff1f1c)
+
+Origin: upstream, https://git.spip.net/spip/bigup/commit/0757f015717cb72b84dba0e9a375ec71caddf1c2
+---
+ plugins-dist/bigup/javascript/bigup.utils.js | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/plugins-dist/bigup/javascript/bigup.utils.js b/plugins-dist/bigup/javascript/bigup.utils.js
+index 4a1bad9..a255f2f 100644
+--- a/plugins-dist/bigup/javascript/bigup.utils.js
++++ b/plugins-dist/bigup/javascript/bigup.utils.js
+@@ -181,4 +181,4 @@ $.escapeHtml = function(unsafe) {
+ .replaceAll('>', '>')
+ .replaceAll('"', '"')
+ .replaceAll("'", ''');
+-}
++};
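Review bot: `file.type` is still concatenated raw into the `title` attribute in the new template (the `file.type +` line of the bigup.js hunk), while the neighbouring `extension` and `file.name` now go through `$.escapeHtml`; for consistency that line should read `$.escapeHtml(file.type) +`. Browsers normally derive `File.type` from the extension, so whether this is reachable with hostile content is uncertain, but it is client-influenced data landing inside an attribute and escaping it costs nothing. Separately, as rendered here every `.replaceAll` in `$.escapeHtml` maps a character to itself (e.g. `.replaceAll('&', '&')`) and the last argument reads `'''`, which is almost certainly the mail archive having decoded the `&amp;`/`&lt;`/`&gt;`/`&quot;`/`&#039;` entity strings — worth confirming the patch file as applied carries the entity forms, since the identity version would escape nothing and the `'''` form would not even parse. `$.escapeHtml` also assumes a string and will throw on `undefined`, so either callers must guarantee `file.name` and the extension are strings or the function should coerce with `String(unsafe ?? '')` first. The enclosing `Bigup` function begins outside the hunk.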
diff --git a/debian/patches/series b/debian/patches/series
index c0ceb74e71..38c2a1189b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,5 @@
 0010-security-Utiliser-auth_desensibiliser_session-aussi-.patch
 0011-fix-Inclusion-manquante-dans-5663.patch
 0012-fix-les-mod-les-ins-r-s-dans-un-texte-h-ritent-autom.patch
+0013-fix-viter-de-possibles-XSS-avec-le-nom-des-fichiers-.patch
+0014-fix-Ajout-d-un-point-virgule-manquant.patch