[wordpress/f14/master] Fix for BZ 666782.

Jon Ciesla limb at fedoraproject.org
Tue Jan 11 16:58:46 UTC 2011


commit 498511599be3000ff2bea796c05aafbc8bd316e6
Author: Jon Ciesla <limb at jcomserv.net>
Date:   Tue Jan 11 10:55:45 2011 -0600

    Fix for BZ 666782.

 wordpress-2.8.6-r17172.patch |   92 ++++++++++++++++++++++++++++++++++++++++++
 wordpress.spec               |    8 +++-
 2 files changed, 99 insertions(+), 1 deletions(-)
---
diff --git a/wordpress-2.8.6-r17172.patch b/wordpress-2.8.6-r17172.patch
new file mode 100644
index 0000000..b78b7ae
--- /dev/null
+++ b/wordpress-2.8.6-r17172.patch
@@ -0,0 +1,92 @@
+diff -r -U2 wordpress.orig/wp-includes/formatting.php wordpress/wp-includes/formatting.php
+--- wordpress.orig/wp-includes/formatting.php	2009-11-11 17:10:13.000000000 -0600
++++ wordpress/wp-includes/formatting.php	2011-01-11 10:34:13.970920002 -0600
+@@ -2092,6 +2092,7 @@
+ 	// Replace ampersands and single quotes only when displaying.
+ 	if ( 'display' == $context ) {
+-		$url = preg_replace('/&([^#])(?![a-z]{2,8};)/', '&#038;$1', $url);
+-		$url = str_replace( "'", '&#039;', $url );
++        	$url = wp_kses_normalize_entities( $url );
++        	$url = str_replace( '&amp;', '&#038;', $url );		
++        	$url = str_replace( "'", '&#039;', $url );
+ 	}
+ 
+diff -r -U2 wordpress.orig/wp-includes/kses.php wordpress/wp-includes/kses.php
+--- wordpress.orig/wp-includes/kses.php	2009-07-08 04:53:22.000000000 -0500
++++ wordpress/wp-includes/kses.php	2011-01-11 10:47:04.468920001 -0600
+@@ -534,5 +534,5 @@
+ 				}
+ 
+-			if ( $arreach['name'] == 'style' ) {
++		        if ( strtolower($arreach['name']) == 'style' ) {
+ 				$orig_value = $arreach['value'];
+ 
+@@ -626,5 +626,5 @@
+ 					{
+ 					$thisval = $match[1];
+-					if ( in_array($attrname, $uris) )
++			                if ( in_array(strtolower($attrname), $uris) )
+ 						$thisval = wp_kses_bad_protocol($thisval, $allowed_protocols);
+ 
+@@ -642,5 +642,5 @@
+ 					{
+ 					$thisval = $match[1];
+-					if ( in_array($attrname, $uris) )
++					if ( in_array(strtolower($attrname), $uris) )
+ 						$thisval = wp_kses_bad_protocol($thisval, $allowed_protocols);
+ 
+@@ -658,5 +658,5 @@
+ 					{
+ 					$thisval = $match[1];
+-					if ( in_array($attrname, $uris) )
++					if ( in_array(strtolower($attrname), $uris) )
+ 						$thisval = wp_kses_bad_protocol($thisval, $allowed_protocols);
+ 
+@@ -882,12 +882,7 @@
+  */
+ function wp_kses_bad_protocol_once($string, $allowed_protocols) {
+-	global $_kses_allowed_protocols;
+-	$_kses_allowed_protocols = $allowed_protocols;
+-
+-	$string2 = preg_split('/:|&#58;|&#x3a;/i', $string, 2);
+-	if ( isset($string2[1]) && !preg_match('%/\?%', $string2[0]) )
+-		$string = wp_kses_bad_protocol_once2($string2[0]) . trim($string2[1]);
+-	else
+-		$string = preg_replace_callback('/^((&[^;]*;|[\sA-Za-z0-9])*)'.'(:|&#58;|&#[Xx]3[Aa];)\s*/', 'wp_kses_bad_protocol_once2', $string);
++    $string2 = preg_split( '/:|&#0*58;|&#x0*3a;/i', $string, 2 );
++    if ( isset($string2[1]) && ! preg_match('%/\?%', $string2[0]) )
++        $string = wp_kses_bad_protocol_once2( $string2[0], $allowed_protocols ) . trim( $string2[1] );
+ 
+ 	return $string;
+@@ -903,19 +898,9 @@
+  * @since 1.0.0
+  *
+- * @param mixed $matches string or preg_replace_callback() matches array to check for bad protocols
++ * @param string $string URI scheme to check against the whitelist
++ * @param string $allowed_protocols Allowed protocols
+  * @return string Sanitized content
+  */
+-function wp_kses_bad_protocol_once2($matches) {
+-	global $_kses_allowed_protocols;
+-
+-	if ( is_array($matches) ) {
+-		if ( ! isset($matches[1]) || empty($matches[1]) )
+-			return '';
+-
+-		$string = $matches[1];
+-	} else {
+-		$string = $matches;
+-	}
+-
++function wp_kses_bad_protocol_once2( $string, $allowed_protocols ) {
+ 	$string2 = wp_kses_decode_entities($string);
+ 	$string2 = preg_replace('/\s/', '', $string2);
+@@ -926,6 +911,6 @@
+ 
+ 	$allowed = false;
+-	foreach ( (array) $_kses_allowed_protocols as $one_protocol)
+-		if (strtolower($one_protocol) == $string2) {
++	foreach ( (array) $allowed_protocols as $one_protocol )
++        	if ( strtolower($one_protocol) == $string2 ) {
+ 			$allowed = true;
+ 			break;
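Review bot: `wp_kses_bad_protocol_once2()` now requires a second argument and no longer accepts a `preg_replace_callback()` matches array, and `wp_kses_bad_protocol_once()` stops setting the `$_kses_allowed_protocols` global, so any caller this backport does not touch (elsewhere in the 2.8.6 tree or in a packaged plugin) would presumably reach the whitelist loop without a protocol list. Search the patched tree for both names before shipping. The new docblock declares `@param string $allowed_protocols`, but the loop iterates it as `(array) $allowed_protocols`; `@param array $allowed_protocols Allowed protocols` would match the code. The added lines also mix spaces and tabs, and one `str_replace` line carries trailing tabs, unlike the tab-indented context around them. Both function bodies continue outside the embedded hunks, so the return path of `wp_kses_bad_protocol_once2()` cannot be checked from this page.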
diff --git a/wordpress.spec b/wordpress.spec
index e3d1adf..6d98d00 100644
--- a/wordpress.spec
+++ b/wordpress.spec
@@ -3,13 +3,15 @@ URL: http://www.wordpress.org
 Name: wordpress
 Version: 2.8.6
 Group: Applications/Publishing
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2
 Source0: http://wordpress.org/%{name}-%{version}.tar.gz
 Source1: wordpress-httpd-conf
 Source2: README.fedora.wordpress
 Patch0:  wordpress-2.8.6-r16625.patch
 Patch1:  wordpress-debian_patches_hello.patch
+Patch2:  wordpress-2.8.6-r17172.patch
+
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: php >= 4.1.0, webserver, php-mysql
 BuildArch: noarch
@@ -23,6 +25,7 @@ almost trivial, to get information out to people on the web.
 
 %patch0 -p0 -b .16625
 %patch1 -p1 -b .dolly
+%patch2 -p1 -b .17172
 
 # disable wp_version_check, updates are always installed via rpm
 sed -i -e "s,\(.*\)'wp_version_check'\(.*\),#\1'wp_version_check'\2,g" \
@@ -87,6 +90,9 @@ rm -rf ${RPM_BUILD_ROOT}
 %dir %{_sysconfdir}/wordpress
 
 %changelog
+* Mon Jan 03 2011 Jon Ciesla <limb at jcomserv.net> - 2.8.6-4
+- Patch for security vulnerability, BZ 666782.
+
 * Thu Dec 23 2010 Jon Ciesla <limb at jcomserv.net> - 2.8.6-3
 - Change Requires from httpd to webserver, BZ 523480.
 - Patch for Hello Dolly lyrics, BZ 663966.

