--- mediawiki-1.13.3.orig/debian/mediawiki-math.install
+++ mediawiki-1.13.3/debian/mediawiki-math.install
@@ -0,0 +1 @@
+math/texvc usr/bin
--- mediawiki-1.13.3.orig/debian/mediawiki.links
+++ mediawiki-1.13.3/debian/mediawiki.links
@@ -0,0 +1,7 @@
+etc/mediawiki/LocalSettings.php var/lib/mediawiki/LocalSettings.php
+etc/mediawiki/AdminSettings.php var/lib/mediawiki/AdminSettings.php
+var/lib/mediawiki/LocalSettings.php usr/share/mediawiki/LocalSettings.php
+var/lib/mediawiki/AdminSettings.php usr/share/mediawiki/AdminSettings.php
+var/lib/mediawiki/config usr/share/mediawiki/config
+var/lib/mediawiki/images usr/share/mediawiki/images
+var/lib/mediawiki/extensions usr/share/mediawiki/extensions
--- mediawiki-1.13.3.orig/debian/mediawiki.examples
+++ mediawiki-1.13.3/debian/mediawiki.examples
@@ -0,0 +1 @@
+AdminSettings.sample
--- mediawiki-1.13.3.orig/debian/README.Debian
+++ mediawiki-1.13.3/debian/README.Debian
@@ -0,0 +1,104 @@ +mediawiki for Debian +-------------------- + + +Optional features: + - Image thumbnailing : + Install 'php5-gd' or 'imagemagick' to use this feature. + - LaTeX-compatible math equations rendering : + Install 'texlive-latex-base', 'imagemagick' and a Ghostscript interpreter + ('gs-gpl' or 'gs-esp') to use this feature. + To be able to render non-ASCII characters, also install 'cjk-latex'. + Uncomment the following line in '/etc/mediawiki/LocalSettings.php' : + $wgUseTeX = true; + +Configuration: + The configuration uses an easy web-based system ; just go to this URL : + http://www.myserver.org/mediawiki/config/index.php + (replace by your own servername) + You may of course configure your webserver to serve this URL. A default + configuration can be found in /etc/mediawiki/. Apache and cherokee users + may have linked this in their configuration automatically if they asked + the installer to do so. + Then just copy the generated config to the real system location : + mv /var/lib/mediawiki/config/LocalSettings.php \ + /etc/mediawiki + You should change file permissions for LocalSettings.php as required to + prevent other users on the server from reading passwords and + altering configuration data. + . + Warning: to make this work, we have to define MW_INSTALL_PATH. This is done + automatically in this package. However, you may change this later if you plan + to set up multisite wikis. + After being configured, you should begin your surf on your new wiki using this url: + http://www.myserver.org/mediawiki + (replace by your own servername) + Enjoy !!! + +Security concerns: + 1) priviledge separation: + Once installed, you can improve security by separating sql priviledges. Thus having your standard + sql account be granted only SELECT/INSERT/DELETE/UPDATE on your mediawiki database, and an additional + account used for maintenance with additional CREATE/DROP/ALTER rights. 
+ To use this feature, you only need to setup an additional account in the database and provide + the new credentials into /etc/mediawiki/AdminSettings.php (/usr/share/doc/mediawiki/examples contains + an example). Then don't forget to lower rights of the primary account. + 2) file upload check: + You can activate file upload virus checking by installing the 'clamav' package and setting the + following in LocalSettings.php: + $wgAntivirus = 'clamav'; + +Upgrading the database: + When upgrading to new releases, the database may need an upgrade before your wiki is able to + work. Here is a rapid sketch: + 1) Dump your database to a text file. + mysqldump --add-drop-table -u -p > /path/to/file.sql + 2) You will need an AdminSettings.php file. + If you don't have any, a sample is available at: + /usr/share/doc/mediawiki/examples/AdminSettings.sample + You may fill in this file and copy it in /etc/mediawiki. + If you use the mysql root account, you may delete it afterward. + 3) Then run this command: + php /var/lib/mediawiki/maintenance/update.php + This shall need a proper php5 binary, as provided in php5-cli + +Upgrading from mediawiki1.x packages: + A rapid sketch of what you need to do is as follow: + 1) Dump your database to a text file. + mysqldump --add-drop-table -u -p > /path/to/file.sql + 2) Copy the configuration files from /etc/mediawiki1.x to /var/lib/mediawiki and make them writable for + your webserver user -- usualy www-data. + cp /var/lib/mediawiki1.x/LocalSettings.php /etc/mediawiki + cp /var/mediawiki1.x/AdminSettings.php /etc/mediawiki (if exists) + 3) Add the following line at the begining of your /etc/mediawiki/LocalSettings.php if it does not exist: + define(MW_INSTALL_PATH,"/var/lib/mediawiki"); + 4) Execute the update script: + You will need an AdminSettings.php file. + If you don't have any, a sample is available at: + /usr/share/doc/mediawiki/examples/AdminSettings.sample + You may fill in this file and copy it in /etc/mediawiki. 
+ If you use the mysql root account, you may delete it afterward. + Then run this command: + php /var/lib/mediawiki/maintenance/update.php + This shall need a proper php5 binary, as provided in php5-cli + 5) Execute the rebuildall script: + php /var/lib/mediawiki/maintenance/rebuildall.php + 6) Copy the old upload directory (this location has been switched to /images, according to upstream): + cp -rf /var/lib/mediawiki1.x/upload/* /var/lib/mediawiki/images/ + 7) Update your web server configuration to point to /var/lib/mediawiki + +Configuring apache and MySQL: + A good how-to to correctly setup the application used by mediawiki can be found there: + http://www.mediawiki.org/wiki/Manual:Running_MediaWiki_on_Debian_GNU/Linux + But, of course, you should NOT do the part that talks about mediawiki installation itself :) + +Editing and Syntax: + MediaWiki syntax is rather complex. + To prevent this README file from becoming a manual, + we don't provide here instructions on MediaWiki syntax. + But you can point your browser to this page: + http://meta.wikimedia.org/wiki/Help:Editing + Where you will find all that you'd like to know about it! + +-- Romain Beauxis and Marc Dequènes (Duck) + --- mediawiki-1.13.3.orig/debian/rules +++ mediawiki-1.13.3/debian/rules 
@@ -0,0 +1,60 @@
+#!/usr/bin/make -f
+
+MANPAGES := debian/texvc.1
+
+include /usr/share/cdbs/1/rules/debhelper.mk
+include /usr/share/cdbs/1/rules/patchsys-quilt.mk
+
+# In order to regenerate 'debian/control' :
+# DEB_AUTO_UPDATE_DEBIAN_CONTROL=yes fakeroot debian/rules clean
+# Then check manually if everything's ok
+
+DEB_DH_SHLIBDEPS_ARGS := -Xdebian/mediawiki-math/usr/bin/texvc.bc
+
+
+build/mediawiki-math:: $(MANPAGES)
+ if [ -x /usr/bin/ocamlopt ]; then\
+ make -C math texvc;\
+ else\
+ make -C math texvc.bc;\
+ mv math/texvc.bc math/texvc;\
+ fi
+
+%.1: %.xml
+ xsltproc -nonet -o $@ /usr/share/sgml/docbook/stylesheet/xsl/nwalsh/manpages/docbook.xsl $<
+
+binary-install/mediawiki::
+ cp -rf $(CURDIR)/debian/etc/* $(CURDIR)/debian/mediawiki/etc/mediawiki
+ chmod a+x debian/mediawiki/usr/share/mediawiki/maintenance/fetchInterwiki.pl
+ chmod a+x debian/mediawiki/usr/share/mediawiki/maintenance/postgres/compare_schemas.pl
+ chmod a+x debian/mediawiki/usr/share/mediawiki/maintenance/postgres/mediawiki_mysql2postgres.pl
+ find debian/mediawiki/usr/share/mediawiki -maxdepth 1 -mindepth 1 | grep -v "\(LocalSettings.php\|AdminSettings.php\|debian-scripts\|images\|extensions\|config\)" | \
+ while read i; do \
+ dh_link "`echo "$$i" | sed -e s#debian/mediawiki/##`" \
+ "`echo "$$i" | sed -e s#debian/mediawiki/usr/share/mediawiki/#var/lib/mediawiki/#`"; \
+ done
+ # Remove Makefiles
+ find debian/mediawiki/ -iname makefile -exec rm {} \;
+ # License added to copyright file:
+ rm -f debian/mediawiki/usr/share/mediawiki/skins/common/images/icons/COPYING
+ rm -f debian/mediawiki/usr/share/mediawiki/skins/common/images/cyrl/LICENSE
+
+binary-install/mediawiki-math::
+ if [ -x /usr/bin/ocamlopt ]; then\
+ echo "interpreter:Depends=" >> debian/mediawiki-math.substvars;\
+ else\
+ echo "interpreter:Depends=ocaml-base-nox" >> debian/mediawiki-math.substvars;\
+ fi
+
+
+binary-predeb/mediawiki::
+ find debian/mediawiki -depth \( -name ".cvsignore" -o -name ".arch-ids" \) -exec 
rm -rf {} \;
+
+binary-predeb/mediawiki-math::
+ find debian/mediawiki-math -depth \( -name ".cvsignore" -o -name ".arch-ids" \) -exec rm -rf {} \;
+
+clean::
+ rm -f $(MANPAGES)
+ make -C math clean
+ debconf-updatepo
+
--- mediawiki-1.13.3.orig/debian/templates
+++ mediawiki-1.13.3/debian/templates
@@ -0,0 +1,17 @@
+# These templates have been reviewed by the debian-l10n-english
+# team
+#
+# If modifications/additions/rewording are needed, please ask
+# for an advice to debian-l10n-english@lists.debian.org
+#
+# Even minor modifications require translation updates and such
+# changes should be coordinated with translators and reviewers.
+
+Template: mediawiki/webserver
+Type: multiselect
+Choices: apache, apache-ssl, apache2, cherokee
+Default: apache2
+_Description: Web server(s) to configure automatically:
+ Please select the web server(s) that should be configured
+ automatically for MediaWiki.
+
--- mediawiki-1.13.3.orig/debian/mediawiki.config
+++ mediawiki-1.13.3/debian/mediawiki.config
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+# Debconf config script for mediawiki
+
+set -e
+
+# Source debconf library
+. /usr/share/debconf/confmodule
+
+db_input medium mediawiki/webserver || true
+db_go
+
+db_stop
+
+exit 0
--- mediawiki-1.13.3.orig/debian/mediawiki.install
+++ mediawiki-1.13.3/debian/mediawiki.install
@@ -0,0 +1,2 @@
+*.php *.phtml includes index.php install-utils.inc languages maintenance skins usr/share/mediawiki
+config extensions var/lib/mediawiki
--- mediawiki-1.13.3.orig/debian/mediawiki.postinst
+++ mediawiki-1.13.3/debian/mediawiki.postinst
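Review bot: In the `binary-install/mediawiki` recipe the exclusion filter `grep -v "\(LocalSettings.php\|AdminSettings.php\|debian-scripts\|images\|extensions\|config\)"` is an unanchored substring match, so any top-level entry whose name merely contains `config`, `images` or `extensions` (and the unescaped `.` matches any character) is silently left out of the `dh_link` loop instead of being linked into `var/lib/mediawiki`, while `while read i` without `-r` mangles backslashes in names. Anchoring the pattern to the final path component, `grep -v "/\(LocalSettings\.php\|AdminSettings\.php\|debian-scripts\|images\|extensions\|config\)$"`, and using `while read -r i; do \` restricts the exclusion to exactly the six names the links file handles. The recipe indentation (Makefile tabs) appears lost in this rendering, so I cannot verify the continuation lines as written.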
@@ -0,0 +1,71 @@
+#! /bin/sh
+# postinst script for mediawiki
+#
+# see: dh_installdeb(1)
+
+set -e
+
+. /usr/share/debconf/confmodule
+
+case "$1" in
+ configure)
+
+ db_get mediawiki/webserver || true
+ webserver=$RET
+
+ webserver=`echo $webserver|sed -e 's/, */ /g'`
+
+ for i in $webserver; do
+ if [ "$webserver" != "cherokee" ]; then
+ if [ ! -d /etc/$i/conf.d/ ]; then
+ install -d -m755 /etc/$i/conf.d/
+ fi
+ if [ ! -e /etc/$i/conf.d/mediawiki.conf ]; then
+ ln -s /etc/mediawiki/apache.conf \
+ /etc/$i/conf.d/mediawiki.conf
+ if [ -f /etc/init.d/$i ]; then
+ if which invoke-rc.d >/dev/null 2>&1; then
+ invoke-rc.d $i reload
+ else
+ /etc/init.d/$i reload
+ fi
+ fi
+ fi
+ else
+ if [ ! -d /etc/cherokee/sites-available/ ]; then
+ install -d -m755 /etc/cherokee/sites-available/
+ fi
+ if [ ! -e /etc/cherokee/sites-available/mediawiki ]; then
+ ln -s /etc/mediawiki/cherokee.conf \
+ /etc/cherokee/sites-available/mediawiki
+ if [ -f /etc/init.d/$i ]; then
+ if which invoke-rc.d >/dev/null 2>&1; then
+ invoke-rc.d $i reload
+ else
+ /etc/init.d/$i reload
+ fi
+ fi
+ fi
+ fi
+ done
+
+ chown -R www-data:www-data /var/lib/mediawiki/config /var/lib/mediawiki/images
+ chmod 700 /var/lib/mediawiki/config /var/lib/mediawiki/images
+
+ ;;
+ abort-upgrade|abort-remove|abort-deconfigure)
+
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
--- mediawiki-1.13.3.orig/debian/mediawiki.postrm
+++ mediawiki-1.13.3/debian/mediawiki.postrm
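Review bot: The web-server loop tests the whole list instead of the loop variable, `if [ "$webserver" != "cherokee" ]; then`, so as soon as more than one server is selected (e.g. `apache2, cherokee`) the string never equals `cherokee` and the cherokee iteration takes the apache branch, creating `/etc/cherokee/conf.d/mediawiki.conf` pointing at `apache.conf` and reloading cherokee with a file it never reads; it should be `if [ "$i" != "cherokee" ]; then`. Separately, `chown -R www-data:www-data` and `chmod 700` on `/var/lib/mediawiki/config` and `/var/lib/mediawiki/images` run on every `configure`, including upgrades, so any tighter ownership an administrator has applied to the upload tree is reverted each time the package is upgraded; guarding them with `if [ -z "$2" ]; then` (first installation only), or limiting the recursion to the `config` directory, avoids that. The `db_get` result is interpolated into `/etc/$i/conf.d/` without validation, which is acceptable only because the debconf template restricts the choices; a comment saying so would help the next maintainer.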
@@ -0,0 +1,23 @@
+#! /bin/sh
+# postrm script for mediawiki
+#
+# see: dh_installdeb(1)
+
+set -e
+
+if [ -f /usr/share/debconf/confmodule ]; then
+. /usr/share/debconf/confmodule
+fi
+
+case "$1" in
+ purge)
+ rm -rf /etc/mediawiki /var/lib/mediawiki /etc/apache*/conf.d/mediawiki.conf /etc/cherokee/sites-available/mediawiki
+ ;;
+ *)
+ ;;
+esac
+
+
+#DEBHELPER#
+
+exit 0
--- mediawiki-1.13.3.orig/debian/mediawiki.dirs
+++ mediawiki-1.13.3/debian/mediawiki.dirs
@@ -0,0 +1,2 @@
+var/lib/mediawiki/images
+etc/mediawiki
--- mediawiki-1.13.3.orig/debian/mediawiki-math.manpages
+++ mediawiki-1.13.3/debian/mediawiki-math.manpages
@@ -0,0 +1 @@
+debian/texvc.1
--- mediawiki-1.13.3.orig/debian/changelog
+++ mediawiki-1.13.3/debian/changelog
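Review bot: On `purge`, `rm -rf /etc/mediawiki /var/lib/mediawiki ...` deletes the `images` upload tree and any locally installed `extensions` under `/var/lib/mediawiki`, which are site data rather than package state, with no debconf confirmation. Restricting the removal to what the package itself created, `rm -rf /etc/mediawiki /var/lib/mediawiki/config /etc/apache*/conf.d/mediawiki.conf /etc/cherokee/sites-available/mediawiki`, or asking through `db_input` before removing uploads, matches what an administrator expects purge to do; a comment at the `purge)` case should state which directories hold user data. The `abort-*` and `remove` cases fall into the empty `*)` branch, which is fine but worth a one-line comment so it does not look like an omission.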
@@ -0,0 +1,204 @@ +mediawiki (1:1.13.3-1ubuntu2.2) jaunty-security; urgency=low + + * SECURITY UPDATE: MediaWiki was found to be vulnerable to login CSRF. An + attacker who controls a user account on the target wiki can force the + victim to login as the attacker, via a script on an external website. + IMPORTANT: Fix includes a breaking change to the API login action. Any + clients using it will need to be updated. (LP: #557159) + - debian/patches/CSRF-no-CVE_rev-64680.patch + - patch based on upstream SVN rev. 64680 + - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/000090.html + - https://bugzilla.wikimedia.org/show_bug.cgi?id=23076 + - CVE-2010-1150 + + -- Andreas Wenning Wed, 07 Apr 2010 11:56:59 +0200 + +mediawiki (1:1.13.3-1ubuntu2.1) jaunty-security; urgency=low + + * SECURITY UPDATE: CSS validation issue allowing external images to be included + into wikis where that is disallowed by conf. (LP: #537974) + - debian/patches/CSS-no-CVE_rev-63429.patch + - patch from upstream SVN rev. 63429 + - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-March/000088.html + + -- Andreas Wenning Fri, 12 Mar 2010 11:51:52 +0100 + +mediawiki (1:1.13.3-1ubuntu2) jaunty; urgency=low + + * SECURITY UPDATE: Multiple cross-site scripting (XSS) vulnerabilities in + the web-based installer (config/index.php). (LP: #348858) + - CVE-2009-0737 + - debian/patches/CVE-2009-0737.patch + - patch based on upstream patches for 1.13.4 and 1.13.5 + - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514547 + - http://lists.wikimedia.org/pipermail/mediawiki-announce/2009-February/000083.html + + -- Andreas Wenning Thu, 26 Mar 2009 09:25:16 +0100 + +mediawiki (1:1.13.3-1ubuntu1) jaunty; urgency=low + + * includes/mime.types: Add mimetypes for opendocument files (LP: #314220 ). + + -- Thomas Bechtold Sat, 21 Feb 2009 15:49:26 +0100 + +mediawiki (1:1.13.3-1) unstable; urgency=low + + * New upstream release. 
+ * Fix CVE-2008-5249: XSS vulnerability in MediaWiki: + "An XSS vulnerability affecting all MediaWiki installations between + 1.13.0 and 1.13.2." + Closes: #508868 + * Fix CVE-2008-5250: several local script injection vulnerabilities + in MediaWiki: + "o A local script injection vulnerability affecting Internet Explorer + clients for all MediaWiki installations with uploads enabled. + o A local script injection vulnerability affecting clients with SVG + scripting capability (such as Firefox 1.5+), for all MediaWiki + installations with SVG uploads enabled." + Closes: #508869 + * Fix CVE-2008-5252: CSRF vulnerability affecting the Special:Import + feature in MediaWiki: + "A CSRF vulnerability affecting the Special:Import feature, for all + MediaWiki installations since the feature was introduced in 1.3.0." + Closes: #508870 + + -- Romain Beauxis Thu, 18 Dec 2008 02:37:58 +0100 + +mediawiki (1:1.13.2-1) unstable; urgency=low + + * New upstream release + * Fix CVE-2008-4408: XSS in mediawiki: + "Cross-site scripting (XSS) vulnerability allows remote attackers + to inject arbitrary web script or HTML via the useskin parameter + to an unspecified component." + Closes: #501115 + + -- Romain Beauxis Sat, 11 Oct 2008 15:02:39 +0200 + +mediawiki (1:1.13.0-2) unstable; urgency=low + + * Removed buggy postgresql patch + Closes: #497042 + + -- Romain Beauxis Sat, 30 Aug 2008 14:06:47 +0200 + +mediawiki (1:1.13.0-1) unstable; urgency=low + + * New upstream release + * Fixed watch file. Closes: #490009 + * Refreshed patches + * Bumped standard-version to 3.8.0 + * Fixed latex-related dependencies in mediawiki-math + * Removed obsolete linda override, thanks lintian ! 
+ + -- Romain Beauxis Sun, 17 Aug 2008 11:01:43 +0200 + +mediawiki (1:1.12.0-2) unstable; urgency=low + + * Fixed postgresql dependency + Closes: #472987 + * Added instructions to install and upgrade + Closes: #472990, #472831 + + -- Romain Beauxis Mon, 24 Mar 2008 02:49:15 +0100 + +mediawiki (1:1.12.0-1) unstable; urgency=low + + * New upstream release + * Updated patch for postfix support: dropped what + has been implemented upstream + * Refreshed other patches, thanks to quilt + * Changed postgresql recommends to "postgresql" package + Closes: #469582 + + -- Romain Beauxis Mon, 24 Mar 2008 02:20:12 +0100 + +mediawiki (1:1.11.2-2) unstable; urgency=high + + * Added patch to fix pgsql select, thanks to Marc Dequènes + Closes: #469841 + * Upated README.Debian to mention php5-gd instead of php5-gd2 + and texlive-latex-base instead to tetex-bin. + Closes: #469558 + * still setting urgency to high since previous upload didn't make it + to testing. + + -- Romain Beauxis Mon, 03 Mar 2008 13:58:57 +0100 + +mediawiki (1:1.11.2-1) unstable; urgency=high + + * New upstream release + * Security fix: + "Possible cross-site information leaks using the callback + parameter for JSON-formatted results in the API are prevented by + dropping user credentials." + * Added informations on LocalSettings.php in README.Debian + Closes: #462609 + + -- Romain Beauxis Mon, 03 Mar 2008 13:16:27 +0100 + +mediawiki (1:1.11.1-1) unstable; urgency=high + + * New upstream release + * A potential XSS injection vector affecting + Microsoft Internet Explorer users has been + closed. 
+ + -- Romain Beauxis Sat, 26 Jan 2008 02:57:53 +0100 + +mediawiki (1:1.11.0-4) unstable; urgency=low + + * Really add the patch for #459312 + * Added also patch to fix #459617 + Closes: #459617 + * Merged two previous patches + + -- Romain Beauxis Fri, 18 Jan 2008 16:14:59 +0100 + +mediawiki (1:1.11.0-3) unstable; urgency=low + + * Really remove debian specific scripts + * Backported patch to fix unserialize with postgre + Closes: #459312 + * Added finnish translation of the debconf templates, thanks to Esko + Arajärvi. Closes: #456983 + * Updated standards to 3.7.3 (no changes) + + -- Romain Beauxis Mon, 07 Jan 2008 15:03:15 +0100 + +mediawiki (1:1.11.0-2) unstable; urgency=low + + * Initial upload of 1.11.0 to unstable + + -- Romain Beauxis Sat, 03 Nov 2007 16:39:47 +0100 + +mediawiki (1:1.11.0-1) experimental; urgency=low + + * Removed mediawikiX versioned packages + * Updated to mediawiki 1.11 + * Removed automatic upgrade script + * Updated README.Debian (Closes: #442311, #442302) + * Changed default upload directory (Closes: #444445) + + -- Romain Beauxis Sun, 21 Oct 2007 20:54:00 +0200 + +mediawiki (1:1.10) unstable; urgency=low + + * Switched to mediawiki1.10 + * Mediawiki1.10 recommends mediawiki-math (Closes: #428021) + + -- Romain Beauxis Tue, 10 Jul 2007 19:29:01 +0200 + +mediawiki (1:1.9) unstable; urgency=low + + * Switched to mediawiki1.9, closes: #392932 + * Corrected typo in control, closes: #414121 + * Seperated -math extension to a single package, closes: #401714 + + -- Romain Beauxis Thu, 12 Apr 2007 17:02:05 +0200 + +mediawiki (1:1.7) unstable; urgency=low + + * Initial Release + + -- Romain Beauxis Mon, 6 Nov 2006 15:36:44 +0100 --- mediawiki-1.13.3.orig/debian/compat +++ mediawiki-1.13.3/debian/compat @@ -0,0 +1 @@ +4 --- mediawiki-1.13.3.orig/debian/control.in +++ mediawiki-1.13.3/debian/control.in 
@@ -0,0 +1,44 @@ +Source: mediawiki +Section: web +Priority: optional +Maintainer: Ubuntu MOTU Developers +XSBC-Original-Maintainer: Mediawiki Maintenance Team +Uploaders: Romain Beauxis +Build-Depends: @cdbs@, ocaml-nox | ocaml, xsltproc, docbook-xml, docbook-xsl, po-debconf +Homepage: http://www.mediawiki.org/ +Standards-Version: 3.8.0 + +Package: mediawiki +Architecture: all +Depends: apache2 | httpd, php5, php5-mysql | php5-pgsql, mime-support, ${misc:Depends} +Recommends: mysql-server | postgresql-contrib, php5-cli +Suggests: php5-gd | imagemagick, mediawiki-math, memcached, clamav +Description: website engine for collaborative work + MediaWiki is a wiki engine (a program for creating a collaboratively + edited website). It is designed to handle heavy websites containing + library-like document collections, and supports user uploads of + images/sounds, multilingual content, TOC autogeneration, ISBN links, + etc. + . + Moreover, it keeps track of changes, so users can receive + notifications, view diffs and revert edits. This system has many + other features and can easily be extended. + +Package: mediawiki-math +Architecture: any +Depends: ${interpreter:Depends}, texlive-latex-base, ghostscript, imagemagick, ${shlibs:Depends} +Replaces: mediawiki1.5-math, mediawiki1.9-math, mediawiki1.10-math +Recommends: mediawiki, latex-cjk-all, texlive-latex-extra +Description: math rendering plugin for MediaWiki + MediaWiki is a wiki engine (a program for creating a collaboratively + edited website). It is designed to handle heavy websites containing + library-like document collections, and supports user uploads of + images/sounds, multilingual content, TOC autogeneration, ISBN links, + etc. + . + Moreover, it keeps track of changes, so users can receive + notifications, view diffs and revert edits. This system has many + other features and can easily be extended. + . + This package contains the math rendering plugin. 
+ --- mediawiki-1.13.3.orig/debian/copyright +++ mediawiki-1.13.3/debian/copyright 
@@ -0,0 +1,93 @@ +This package was debianized by Marc Dequènes on +Fri, 31 Dec 2004 00:11:42 +0100. + +It was downloaded from http://wikipedia.sourceforge.net/ + +Upstream Authors: Mediawiki Development Team + +Copyright: + File profileinfo.php has the following copyright: + + + File includes/memcached-client.php has the following copyright: +// +---------------------------------------------------------------------------+ +// | memcached client, PHP | +// +---------------------------------------------------------------------------+ +// | Copyright (c) 2003 Ryan T. Dean | +// | All rights reserved. | +// | | +// | Redistribution and use in source and binary forms, with or without | +// | modification, are permitted provided that the following conditions | +// | are met: | +// | | +// | 1. Redistributions of source code must retain the above copyright | +// | notice, this list of conditions and the following disclaimer. | +// | 2. Redistributions in binary form must reproduce the above copyright | +// | notice, this list of conditions and the following disclaimer in the | +// | documentation and/or other materials provided with the distribution. | +// | | +// | THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR | +// | IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES | +// | OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. | +// | IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, | +// | INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | +// | NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | +// | DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | +// | THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | +// | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | +// | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
| +// +---------------------------------------------------------------------------+ +// | Author: Ryan T. Dean | +// | Heavily influenced by the Perl memcached client by Brad Fitzpatrick. | +// | Permission granted by Brad Fitzpatrick for relicense of ported Perl | +// | client logic under 2-clause BSD license. | +// +---------------------------------------------------------------------------+ + + + Images found on the common skins icons images are licensed under + GNU LGPL License. + + Everything else is under the following copyright/license. + + Copyright (C) 2003-2004 Mediawiki Development Team + + This package is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2 dated June, 1991. + + This package is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this package; if not, write to the Free Software + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA + 02110-1301, USA. + +On Debian systems, the complete text of the GNU General +Public License can be found in `/usr/share/common-licenses/GPL'. + --- mediawiki-1.13.3.orig/debian/watch +++ mediawiki-1.13.3/debian/watch @@ -0,0 +1,11 @@ +# Example watch control file for uscan +# Rename this file to "watch" and then you can run the "uscan" command +# to check for upstream updates and more. +# See uscan(1) for format + +# Compulsory line, this is a version 3 file +version=3 + +# Uncomment to examine a Webserver directory +http://www.mediawiki.org/wiki/Download http://download.wikimedia.org/mediawiki/.*/mediawiki-(.*).tar.gz + --- mediawiki-1.13.3.orig/debian/texvc.xml +++ mediawiki-1.13.3/debian/texvc.xml @@ -0,0 +1,178 @@ + +.
will be generated. You may view the +manual page with: nroff -man .
| less'. A +typical entry in a Makefile or Makefile.am is: + +DB2MAN=/usr/share/sgml/docbook/stylesheet/xsl/nwalsh/\ +manpages/docbook.xsl +XP=xsltproc -''-nonet + +manpage.1: manpage.dbk + $(XP) $(DB2MAN) $< + +The xsltproc binary is found in the xsltproc package. The +XSL files are in docbook-xsl. Please remember that if you +create the nroff version in one of the debian/rules file +targets (such as build), you will need to include xsltproc +and docbook-xsl in your Build-Depends control field. + +--> + + + Marc"> + Dequ\[`e]nes"> + + 2005-01-02"> + + 1"> + Duck@DuckCorp.org"> + + TEXVC"> + + + Debian"> + GNU"> + GPL"> +]> + + + +
+ &dhemail; +
+ + &dhfirstname; + &dhsurname; + + + 2003 + &dhusername; + + &dhdate; +
+ + &dhucpackage; + + &dhsection; + + + &dhpackage; + + math equation PNG renderer + + + + &dhpackage; + + tempdir + outputdir + texcode + encoding + + + + + DESCRIPTION + + &dhpackage; is designed to render math + equations written in latex code into PNG images. + + + + + OPTIONS + + + + + tempdir + + + directory where temporary files are created. + + + + + outputdir + + + directory where the result image is stored. + + + + + texcode + + + latex code string representing math equations. + + + + + encoding + + + used encoding in latex code string. + + + + + + OUTPUT + Status codes and HTML/MathML transformations are returned on stdout. + A rasterized PNG file will be written to the output directory, named + for the MD5 hash code. + + + texvc output format is like this: + + +%5 ok, but not html or mathml + c%5%h ok, conservative html, no mathml + m%5%h ok, moderate html, no mathml + l%5%h ok, liberal html, no mathml + C%5%h\0%m ok, conservative html, with mathml + M%5%h\0%m ok, moderate html, with mathml + L%5%h\0%m ok, liberal html, with mathml + X%5%m ok, no html, with mathml + S syntax error + E lexing error + F%s unknown function %s + - other error + + + + with the following codes: + + \0 - null character + %5 - md5, 32 hex characters + %h - html code, without \0 characters + %m - mathml code, without \0 characters + + + + + AUTHOR + + This manual page was written by &dhusername; &dhemail; for + the &debian; system (but may be used by others). Permission is + granted to copy, distribute and/or modify this document under + the terms of the &gnu; General Public License, Version 2 any + later version published by the Free Software Foundation. + + + On Debian systems, the complete text of the GNU General Public + License can be found in /usr/share/common-licenses/GPL. + + + +
+ --- mediawiki-1.13.3.orig/debian/control +++ mediawiki-1.13.3/debian/control 
@@ -0,0 +1,44 @@ +Source: mediawiki +Section: web +Priority: optional +Maintainer: Ubuntu MOTU Developers +XSBC-Original-Maintainer: Mediawiki Maintenance Team +Uploaders: Romain Beauxis +Build-Depends: debhelper (>= 4.2.0), quilt, patchutils (>= 0.2.25), cdbs (>= 0.4.27), ocaml-nox | ocaml, xsltproc, docbook-xml, docbook-xsl, po-debconf +Homepage: http://www.mediawiki.org/ +Standards-Version: 3.8.0 + +Package: mediawiki +Architecture: all +Depends: apache2 | httpd, php5, php5-mysql | php5-pgsql, mime-support, ${misc:Depends} +Recommends: mysql-server | postgresql-contrib, php5-cli +Suggests: php5-gd | imagemagick, mediawiki-math, memcached, clamav +Description: website engine for collaborative work + MediaWiki is a wiki engine (a program for creating a collaboratively + edited website). It is designed to handle heavy websites containing + library-like document collections, and supports user uploads of + images/sounds, multilingual content, TOC autogeneration, ISBN links, + etc. + . + Moreover, it keeps track of changes, so users can receive + notifications, view diffs and revert edits. This system has many + other features and can easily be extended. + +Package: mediawiki-math +Architecture: any +Depends: ${interpreter:Depends}, texlive-latex-base, ghostscript, imagemagick, ${shlibs:Depends} +Replaces: mediawiki1.5-math, mediawiki1.9-math, mediawiki1.10-math +Recommends: mediawiki, latex-cjk-all, texlive-latex-extra +Description: math rendering plugin for MediaWiki + MediaWiki is a wiki engine (a program for creating a collaboratively + edited website). It is designed to handle heavy websites containing + library-like document collections, and supports user uploads of + images/sounds, multilingual content, TOC autogeneration, ISBN links, + etc. + . + Moreover, it keeps track of changes, so users can receive + notifications, view diffs and revert edits. This system has many + other features and can easily be extended. + . 
+ This package contains the math rendering plugin. + --- mediawiki-1.13.3.orig/debian/mediawiki.docs +++ mediawiki-1.13.3/debian/mediawiki.docs @@ -0,0 +1,5 @@ +docs +RELEASE-NOTES +FAQ +HISTORY +UPGRADE --- mediawiki-1.13.3.orig/debian/etc/cherokee.conf +++ mediawiki-1.13.3/debian/etc/cherokee.conf @@ -0,0 +1,9 @@ + +## +## Virtual server for mediawiki +## +Directory /mediawiki { + Handler common + DocumentRoot /var/lib/mediawiki/ +} + --- mediawiki-1.13.3.orig/debian/etc/apache.conf +++ mediawiki-1.13.3/debian/etc/apache.conf @@ -0,0 +1,20 @@ +# Uncomment this to add an alias. +# This does not work properly with virtual hosts.. +#Alias /mediawiki /var/lib/mediawiki + + + Options +FollowSymLinks + AllowOverride All + order allow,deny + allow from all + + +# some directories must be protected + + Options -FollowSymLinks + AllowOverride None + + + Options -FollowSymLinks + AllowOverride None + --- mediawiki-1.13.3.orig/debian/patches/series +++ mediawiki-1.13.3/debian/patches/series @@ -0,0 +1,7 @@ +texvc_location.patch +mimetypes.patch +debian_specific_config.patch +add-OOo-Mimetypes.diff +CVE-2009-0737.patch +CSS-no-CVE_rev-63429.patch +CSRF-no-CVE_rev-64680.patch --- mediawiki-1.13.3.orig/debian/patches/debian_specific_config.patch +++ mediawiki-1.13.3/debian/patches/debian_specific_config.patch @@ -0,0 +1,65 @@ +Index: mediawiki-1.13.0/config/index.php +=================================================================== +--- mediawiki-1.13.0.orig/config/index.php 2008-07-20 16:29:04.000000000 +0200 ++++ mediawiki-1.13.0/config/index.php 2008-08-17 11:12:07.000000000 +0200 +@@ -223,7 +223,7 @@ + if( !is_writable( "." ) ) { + dieout( "
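Review bot: In `debian/etc/apache.conf` the first block grants `Options +FollowSymLinks` and `AllowOverride All` to the served tree, while the postinst makes `/var/lib/mediawiki/images` owned and writable by `www-data`; the two `-FollowSymLinks` / `AllowOverride None` blocks (their `<Directory>` paths are stripped in this rendering, so I cannot confirm which directories they cover) do not disable script execution, so if a PHP handler is active at server scope a file that lands in the upload directory with a `.php` or `.phtml` name, or an uploaded `.htaccess`, would be interpreted rather than served. Adding `php_admin_flag engine off` and `Options -ExecCGI` (or `RemoveHandler .php .phtml` plus `AddType text/plain .php .phtml`) to the block covering `/var/lib/mediawiki/images` restricts the upload directory to static content, and the comment `# some directories must be protected` should name the directories and the reason. The `order allow,deny` / `allow from all` syntax is the 2.2-era form and matches the `apache2` dependency in `debian/control`.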

Can't write config file, aborting

+ +-

In order to configure the wiki you have to make the config subdirectory ++

In order to configure the wiki you have to make the /var/lib/mediawiki/config subdirectory + writable by the web server. Once configuration is done you'll move the created + LocalSettings.php to the parent directory, and for added safety you can + then remove the config subdirectory entirely.

+@@ -1472,16 +1472,7 @@ +
+

Installation successful!

+

To complete the installation, please do the following: +-

    +-
  1. Download config/LocalSettings.php with your FTP client or file manager
  2. +-
  3. Upload it to the parent directory
  4. +-
  5. Delete config/LocalSettings.php
  6. +-
  7. Start using your wiki! +-
+-

If you are in a shared hosting environment, do not just move LocalSettings.php +-remotely. LocalSettings.php is currently owned by the user your webserver is running under, +-which means that anyone on the same server can read your database password! Downloading +-it and uploading it again will hopefully change the ownership to a user ID specific to you.

++

Move /var/lib/mediawiki/config/LocalSettings.php to /etc/mediawiki/LocalSettings.php for normal install, root of your install for multisite, with rights 640

+
+ EOT; + } else { +@@ -1489,7 +1480,7 @@ +
+

+ Installation successful! +-Move the config/LocalSettings.php file to the parent directory, then follow ++Move /var/lib/mediawiki/config/LocalSettings.php to /etc/mediawiki, then follow + this link to your wiki.

+

You should change file permissions for LocalSettings.php as required to + prevent other users on the server reading passwords and altering configuration data.

+@@ -1630,6 +1621,12 @@
+ 
+ # If you customize your file layout, set \$IP to the directory that contains
+ # the other MediaWiki files. It will be used as a base to locate files.
++
++# We define this to allow the configuration file to be explicitly
++# located in /etc/mediawiki.
++# Change this if you are setting up multisite wikis on your server.
++define('MW_INSTALL_PATH','/var/lib/mediawiki');
++
+ if( defined( 'MW_INSTALL_PATH' ) ) {
+ \$IP = MW_INSTALL_PATH;
+ } else {
+@@ -1724,6 +1721,11 @@
+ 
+ \$wgDiff3 = \"{$slconf['diff3']}\";
+ 
++# debian specific include:
++if (is_file(\"/etc/mediawiki-extensions/extensions.php\")) {
++ include( \"/etc/mediawiki-extensions/extensions.php\" );
++}
++
+ # When you make changes to this configuration file, this will make
+ # sure that cached pages are cleared.
+ \$wgCacheEpoch = max( \$wgCacheEpoch, gmdate( 'YmdHis', @filemtime( __FILE__ ) ) );
--- mediawiki-1.13.3.orig/debian/patches/mimetypes.patch
+++ mediawiki-1.13.3/debian/patches/mimetypes.patch
@@ -0,0 +1,15 @@
+Index: mediawiki-1.13.0/includes/DefaultSettings.php
+===================================================================
+--- mediawiki-1.13.0.orig/includes/DefaultSettings.php 2008-08-17 11:10:34.000000000 +0200
++++ mediawiki-1.13.0/includes/DefaultSettings.php 2008-08-17 11:11:45.000000000 +0200
+@@ -343,8 +343,8 @@
+ $wgVerifyMimeType= true;
+ 
+ /** Sets the mime type definition file to use by MimeMagic.php. */
+-$wgMimeTypeFile= "includes/mime.types";
+-#$wgMimeTypeFile= "/etc/mime.types";
++#$wgMimeTypeFile= "includes/mime.types";
++$wgMimeTypeFile= "/etc/mime.types";
+ #$wgMimeTypeFile= NULL; #use built-in defaults only.
+ 
+ /** Sets the mime type info file to use by MimeMagic.php. */
--- mediawiki-1.13.3.orig/debian/patches/texvc_location.patch
+++ mediawiki-1.13.3/debian/patches/texvc_location.patch
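Review bot: The replacement success text (`Move /var/lib/mediawiki/config/LocalSettings.php to /etc/mediawiki/LocalSettings.php ... with rights 640`) drops the upstream warning it removes that the file is owned by the user the web server runs as, and mode 640 on a file still owned by that user leaves it readable and writable by every script the web server executes. I'd extend the sentence with the ownership step, along the lines of `..., owned by root with the web server's group, with rights 640`, so the mode actually protects the database password. In the `-1630` hunk, `define('MW_INSTALL_PATH','/var/lib/mediawiki');` is written unconditionally right before `if( defined( 'MW_INSTALL_PATH' ) )`, so the else branch in the generated LocalSettings.php can never run; a comment such as `# the else branch below is kept only for parity with upstream` would save the next reader the puzzle.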
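Review bot: Pointing `$wgMimeTypeFile` at `/etc/mime.types` while `$wgVerifyMimeType= true;` stays on makes upload verification depend on the contents of the system file, which can differ from the bundled `includes/mime.types` (the `add-OOo-Mimetypes.diff` entry in `series` suggests at least one such gap was already noticed). A short comment next to the new assignment recording that dependency would help, e.g. `# Debian: uses the system list; types absent from /etc/mime.types may be handled differently by $wgVerifyMimeType`.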
@@ -0,0 +1,13 @@
+Index: mediawiki-1.13.0/includes/DefaultSettings.php
+===================================================================
+--- mediawiki-1.13.0.orig/includes/DefaultSettings.php 2008-08-17 11:10:06.000000000 +0200
++++ mediawiki-1.13.0/includes/DefaultSettings.php 2008-08-17 11:10:24.000000000 +0200
+@@ -1606,7 +1606,7 @@
+ */
+ $wgUseTeX = false;
+ /** Location of the texvc binary */
+-$wgTexvc = './math/texvc';
++$wgTexvc = '/usr/bin/texvc';
+ 
+ #
+ # Profiling / debugging
--- mediawiki-1.13.3.orig/debian/patches/CSRF-no-CVE_rev-64680.patch
+++ mediawiki-1.13.3/debian/patches/CSRF-no-CVE_rev-64680.patch
@@ -0,0 +1,244 @@ +Subject: Fixes login CSRF vulnerability. Fix includes a breaking change to the +API login action. Any clients using it will need to be updated. +Origin: http://svn.wikimedia.org/viewvc/mediawiki?view=rev&revision=64680 +Index: b/includes/User.php +=================================================================== +--- a/includes/User.php 2010-04-07 10:51:09.000000000 +0200 ++++ b/includes/User.php 2010-04-07 11:23:08.000000000 +0200 +@@ -2497,7 +2497,7 @@ + return EDIT_TOKEN_SUFFIX; + } else { + if( !isset( $_SESSION['wsEditToken'] ) ) { +- $token = $this->generateToken(); ++ $token = self::generateToken(); + $_SESSION['wsEditToken'] = $token; + } else { + $token = $_SESSION['wsEditToken']; +@@ -2514,7 +2514,7 @@ + * Could be made more cryptographically sure if someone cares. + * @return string + */ +- function generateToken( $salt = '' ) { ++ public static function generateToken( $salt = '' ) { + $token = dechex( mt_rand() ) . dechex( mt_rand() ); + return md5( $token . $salt ); + } +@@ -2607,7 +2607,7 @@ + $now = time(); + $expires = $now + 7 * 24 * 60 * 60; + $expiration = wfTimestamp( TS_MW, $expires ); +- $token = $this->generateToken( $this->mId . $this->mEmail . $expires ); ++ $token = self::generateToken( $this->mId . $this->mEmail . 
$expires ); + $hash = md5( $token ); + $this->load(); + $this->mEmailToken = $hash; +Index: b/includes/api/ApiLogin.php +=================================================================== +--- a/includes/api/ApiLogin.php 2010-04-07 10:51:09.000000000 +0200 ++++ b/includes/api/ApiLogin.php 2010-04-07 11:23:08.000000000 +0200 +@@ -88,6 +88,7 @@ + 'wpName' => $name, + 'wpPassword' => $password, + 'wpDomain' => $domain, ++ 'wpLoginToken' => $token, + 'wpRemember' => '' + )); + +@@ -116,6 +117,15 @@ + $result['cookieprefix'] = $wgCookiePrefix; + $result['sessionid'] = session_id(); + break; ++ ++ case LoginForm::NEED_TOKEN: ++ $result['result'] = 'NeedToken'; ++ $result['token'] = $loginForm->getLoginToken(); ++ break; ++ ++ case LoginForm::WRONG_TOKEN: ++ $result['result'] = 'WrongToken'; ++ break; + + case LoginForm :: NO_NAME : + $result['result'] = 'NoName'; +@@ -234,7 +244,8 @@ + return array ( + 'name' => null, + 'password' => null, +- 'domain' => null ++ 'domain' => null, ++ 'token' => null, + ); + } + +@@ -242,7 +253,8 @@ + return array ( + 'name' => 'User Name', + 'password' => 'Password', +- 'domain' => 'Domain (optional)' ++ 'domain' => 'Domain (optional)', ++ 'token' => 'Login token obtained in first request', + ); + } + +Index: b/includes/specials/SpecialUserlogin.php +=================================================================== +--- a/includes/specials/SpecialUserlogin.php 2010-04-07 10:51:09.000000000 +0200 ++++ b/includes/specials/SpecialUserlogin.php 2010-04-07 11:23:08.000000000 +0200 +@@ -33,10 +33,14 @@ + const RESET_PASS = 7; + const ABORTED = 8; + const CREATE_BLOCKED = 9; ++ const USER_BLOCKED = 11; ++ const NEED_TOKEN = 12; ++ const WRONG_TOKEN = 13; + + var $mName, $mPassword, $mRetype, $mReturnTo, $mCookieCheck, $mPosted; + var $mAction, $mCreateaccount, $mCreateaccountMail, $mMailmypassword; + var $mLoginattempt, $mRemember, $mEmail, $mDomain, $mLanguage, $mSkipCookieCheck; ++ var $mToken; + + /** + * Constructor +@@ -64,6 +68,7 @@ + 
$this->mRemember = $request->getCheck( 'wpRemember' ); + $this->mLanguage = $request->getText( 'uselang' ); + $this->mSkipCookieCheck = $request->getCheck( 'wpSkipCookieCheck' ); ++ $this->mToken = $request->getVal( 'wpLoginToken' ); + + if( $wgEnableEmail ) { + $this->mEmail = $request->getText( 'wpEmail' ); +@@ -373,6 +378,21 @@ + return self::NO_NAME; + } + ++ // We require a login token to prevent login CSRF ++ // Handle part of this before incrementing the throttle so ++ // token-less login attempts don't count towards the throttle ++ // but wrong-token attempts do. ++ ++ // If the user doesn't have a login token yet, set one. ++ if ( !self::getLoginToken() ) { ++ self::setLoginToken(); ++ return self::NEED_TOKEN; ++ } ++ // If the user didn't pass a login token, tell them we need one ++ if ( !$this->mToken ) { ++ return self::NEED_TOKEN; ++ } ++ + // Load $wgUser now, and check to see if we're logging in as the same name. + // This is necessary because loading $wgUser (say by calling getName()) calls + // the UserLoadFromSession hook, which potentially creates the user in the +@@ -398,6 +418,11 @@ + } else { + $u->load(); + } ++ ++ // Validate the login token ++ if ( $this->mToken !== self::getLoginToken() ) { ++ return self::WRONG_TOKEN; ++ } + + // Give general extensions, such as a captcha, a chance to abort logins + $abort = self::ABORTED; +@@ -501,6 +526,7 @@ + $wgUser->invalidateCache(); + } + $wgUser->setCookies(); ++ self::clearLoginToken(); + + if( $this->hasSessionCookie() || $this->mSkipCookieCheck ) { + /* Replace the language object to provide user interface in correct +@@ -514,7 +540,11 @@ + return $this->cookieRedirectCheck( 'login' ); + } + break; +- ++ ++ case self::NEED_TOKEN: ++ case self::WRONG_TOKEN: ++ $this->mainLoginForm( wfMsg( 'sessionfailure' ) ); ++ break; + case self::NO_NAME: + case self::ILLEGAL: + $this->mainLoginForm( wfMsg( 'noname' ) ); +@@ -794,6 +824,11 @@ + $template->set( 'canreset', $wgAuth->allowPasswordChange() ); + 
$template->set( 'remember', $wgUser->getOption( 'rememberpassword' ) or $this->mRemember ); + ++ if ( !self::getLoginToken() ) { ++ self::setLoginToken(); ++ } ++ $template->set( 'token', self::getLoginToken() ); ++ + # Prepare language selection links as needed + if( $wgLoginLanguageSelector ) { + $template->set( 'languages', $this->makeLanguageSelector() ); +@@ -842,6 +877,32 @@ + global $wgDisableCookieCheck, $wgRequest; + return $wgDisableCookieCheck ? true : $wgRequest->checkSessionCookie(); + } ++ ++ /** ++ * Get the login token from the current session ++ */ ++ public static function getLoginToken() { ++ global $wgRequest; ++ return $wgRequest->getSessionData( 'wsLoginToken' ); ++ } ++ ++ /** ++ * Generate a new login token and attach it to the current session ++ */ ++ public static function setLoginToken() { ++ global $wgRequest; ++ // Use User::generateToken() instead of $user->editToken() ++ // because the latter reuses $_SESSION['wsEditToken'] ++ $wgRequest->setSessionData( 'wsLoginToken', User::generateToken() ); ++ } ++ ++ /** ++ * Remove any login token attached to the current session ++ */ ++ public static function clearLoginToken() { ++ global $wgRequest; ++ $wgRequest->setSessionData( 'wsLoginToken', null ); ++ } + + /** + * @private +Index: b/includes/templates/Userlogin.php +=================================================================== +--- a/includes/templates/Userlogin.php 2010-04-07 10:51:09.000000000 +0200 ++++ b/includes/templates/Userlogin.php 2010-04-07 11:23:08.000000000 +0200 +@@ -85,6 +85,7 @@ + + + haveData( 'uselang' ) ) { ?> ++haveData( 'token' ) ) { ?> + +
+
msgWiki( 'loginend' ); ?>
+Index: b/includes/WebRequest.php +=================================================================== +--- a/includes/WebRequest.php 2010-04-07 10:51:09.000000000 +0200 ++++ b/includes/WebRequest.php 2010-04-07 11:23:08.000000000 +0200 +@@ -636,6 +636,18 @@ + } + } + } ++ ++ /* ++ * Get data from $_SESSION ++ */ ++ function getSessionData( $key ) { ++ if( !isset( $_SESSION[$key] ) ) ++ return null; ++ return $_SESSION[$key]; ++ } ++ function setSessionData( $key, $data ) { ++ $_SESSION[$key] = $data; ++ } + } + + /** --- mediawiki-1.13.3.orig/debian/patches/CSS-no-CVE_rev-63429.patch +++ mediawiki-1.13.3/debian/patches/CSS-no-CVE_rev-63429.patch @@ -0,0 +1,97 @@ +Subject: Fixed a CSS validation issue which allowed external images to be +included into wikis where that is disallowed by configuration. +Origin: http://svn.wikimedia.org/viewvc/mediawiki?view=rev&revision=63429 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/mediawiki/+bug/537974 +Index: b/maintenance/parserTests.txt +=================================================================== +--- a/maintenance/parserTests.txt 2008-07-12 16:11:52.000000000 +0200 ++++ b/maintenance/parserTests.txt 2010-03-12 11:36:05.000000000 +0100 +@@ -4196,6 +4196,23 @@ + + !! end + ++!! test ++CSS line continuation 1 ++!! input ++
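Review bot: `generateToken()` becomes the source of the login CSRF token (via the new `setLoginToken()` in SpecialUserlogin.php), yet it still derives the value from two `mt_rand()` calls passed through `md5()`, and the doc comment directly above the new `public static` signature concedes it `Could be made more cryptographically sure if someone cares`. Since the token now protects authentication rather than only edits, that comment should at least be updated to record the new dependency, e.g. `* Used for edit and login CSRF tokens; not a cryptographic RNG - see LoginForm::setLoginToken()`, with a follow-up to source the token from the OS random source. Separately, the new `getSessionData()` in WebRequest.php opens its comment with `/*` rather than `/**`, so it is not picked up as a doc block, and `setSessionData()` has no comment at all.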
++!! result ++
++ ++!! end ++ ++!! test ++CSS line continuation 2 ++!! input ++
++!! result ++
++ ++!! end + + !! article + Template:Identity +Index: b/includes/Sanitizer.php +=================================================================== +--- a/includes/Sanitizer.php 2008-07-15 23:13:34.000000000 +0200 ++++ b/includes/Sanitizer.php 2010-03-12 11:36:05.000000000 +0100 +@@ -663,24 +663,48 @@ + * @return mixed + */ + static function checkCss( $value ) { +- $stripped = Sanitizer::decodeCharReferences( $value ); ++ $value = Sanitizer::decodeCharReferences( $value ); + + // Remove any comments; IE gets token splitting wrong +- $stripped = StringUtils::delimiterReplace( '/*', '*/', ' ', $stripped ); ++ $value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value ); + +- $value = $stripped; +- +- // ... and continue checks +- $stripped = preg_replace( '!\\\\([0-9A-Fa-f]{1,6})[ \\n\\r\\t\\f]?!e', +- 'codepointToUtf8(hexdec("$1"))', $stripped ); +- $stripped = str_replace( '\\', '', $stripped ); +- if( preg_match( '/(?:expression|tps*:\/\/|url\\s*\().*/is', +- $stripped ) ) { +- # haxx0r ++ // Decode escape sequences and line continuation ++ // See the grammar in the CSS 2 spec, appendix D, Mozilla implements it accurately. ++ // IE 8 doesn't implement it at all, but there's no way to introduce url() into ++ // IE that doesn't hit Mozilla also. ++ static $decodeRegex; ++ if ( !$decodeRegex ) { ++ $space = '[\\x20\\t\\r\\n\\f]'; ++ $nl = '(?:\\n|\\r\\n|\\r|\\f)'; ++ $backslash = '\\\\'; ++ $decodeRegex = "/ $backslash ++ (?: ++ ($nl) | # 1. Line continuation ++ ([0-9A-Fa-f]{1,6})$space? | # 2. character number ++ (.) # 3. 
backslash cancelling special meaning ++ )/xu"; ++ } ++ $decoded = preg_replace_callback( $decodeRegex, ++ array( __CLASS__, 'cssDecodeCallback' ), $value ); ++ if ( preg_match( '!expression|https?://|url\s*\(!i', $decoded ) ) { ++ // Not allowed + return false; ++ } else { ++ // Allowed, return CSS with comments stripped ++ return $value; + } ++ } + +- return $value; ++ static function cssDecodeCallback( $matches ) { ++ if ( $matches[1] !== '' ) { ++ return ''; ++ } elseif ( $matches[2] !== '' ) { ++ return codepointToUtf8( hexdec( $matches[2] ) ); ++ } elseif ( $matches[3] !== '' ) { ++ return $matches[3]; ++ } else { ++ throw new MWException( __METHOD__.': invalid match' ); ++ } + } + + /** --- mediawiki-1.13.3.orig/debian/patches/CVE-2009-0737.patch +++ mediawiki-1.13.3/debian/patches/CVE-2009-0737.patch @@ -0,0 +1,2229 @@ +Index: b/config/index.php +=================================================================== +--- a/config/index.php 2009-03-26 09:23:44.000000000 +0100 ++++ b/config/index.php 2009-03-26 09:24:13.000000000 +0100 +@@ -84,7 +84,8 @@ + + + +- MediaWiki <?php echo( $wgVersion ); ?> Installation ++ ++ MediaWiki <?php echo htmlspecialchars( $wgVersion ); ?> Installation +
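Review bot: In `checkCss()`, `$decodeRegex` carries the `u` modifier, so `preg_replace_callback()` returns `null` when `$value` is not valid UTF-8; `preg_match()` on `null` then matches nothing and the function falls through to `return $value`, i.e. malformed input is accepted instead of rejected. Unless every caller guarantees UTF-8 (which I can't confirm from this hunk), the check should fail closed: `if ( $decoded === null || preg_match( '!expression|https?://|url\s*\(!i', $decoded ) ) {`. A one-line comment above `static $decodeRegex;` explaining why the pattern is cached in a static rather than a class constant would also help, e.g. `// built once; the sub-patterns are interpolated, so it cannot be a const`.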