[wordpress-mu/f14/master] Security fixes.

Jon Ciesla limb at fedoraproject.org
Tue Jan 11 17:47:26 UTC 2011


commit 97c4082295f4b24b8fc01fd11481a93143a96e60
Author: Jon Ciesla <limb at jcomserv.net>
Date:   Tue Jan 11 11:44:28 2011 -0600

    Security fixes.

 wordpress-mu-2.9.2-r17172.patch |   92 +++++++++++++++++++++++++++++++++++++++
 wordpress-mu.spec               |    7 +++-
 2 files changed, 98 insertions(+), 1 deletions(-)
---
diff --git a/wordpress-mu-2.9.2-r17172.patch b/wordpress-mu-2.9.2-r17172.patch
new file mode 100644
index 0000000..b78b7ae
--- /dev/null
+++ b/wordpress-mu-2.9.2-r17172.patch
@@ -0,0 +1,92 @@
+diff -r -U2 wordpress.orig/wp-includes/formatting.php wordpress/wp-includes/formatting.php
+--- wordpress.orig/wp-includes/formatting.php	2009-11-11 17:10:13.000000000 -0600
++++ wordpress/wp-includes/formatting.php	2011-01-11 10:34:13.970920002 -0600
+@@ -2092,6 +2092,7 @@
+ 	// Replace ampersands and single quotes only when displaying.
+ 	if ( 'display' == $context ) {
+-		$url = preg_replace('/&([^#])(?![a-z]{2,8};)/', '&#038;$1', $url);
+-		$url = str_replace( "'", '&#039;', $url );
++        	$url = wp_kses_normalize_entities( $url );
++        	$url = str_replace( '&amp;', '&#038;', $url );		
++        	$url = str_replace( "'", '&#039;', $url );
+ 	}
+ 
+diff -r -U2 wordpress.orig/wp-includes/kses.php wordpress/wp-includes/kses.php
+--- wordpress.orig/wp-includes/kses.php	2009-07-08 04:53:22.000000000 -0500
++++ wordpress/wp-includes/kses.php	2011-01-11 10:47:04.468920001 -0600
+@@ -534,5 +534,5 @@
+ 				}
+ 
+-			if ( $arreach['name'] == 'style' ) {
++		        if ( strtolower($arreach['name']) == 'style' ) {
+ 				$orig_value = $arreach['value'];
+ 
+@@ -626,5 +626,5 @@
+ 					{
+ 					$thisval = $match[1];
+-					if ( in_array($attrname, $uris) )
++			                if ( in_array(strtolower($attrname), $uris) )
+ 						$thisval = wp_kses_bad_protocol($thisval, $allowed_protocols);
+ 
+@@ -642,5 +642,5 @@
+ 					{
+ 					$thisval = $match[1];
+-					if ( in_array($attrname, $uris) )
++					if ( in_array(strtolower($attrname), $uris) )
+ 						$thisval = wp_kses_bad_protocol($thisval, $allowed_protocols);
+ 
+@@ -658,5 +658,5 @@
+ 					{
+ 					$thisval = $match[1];
+-					if ( in_array($attrname, $uris) )
++					if ( in_array(strtolower($attrname), $uris) )
+ 						$thisval = wp_kses_bad_protocol($thisval, $allowed_protocols);
+ 
+@@ -882,12 +882,7 @@
+  */
+ function wp_kses_bad_protocol_once($string, $allowed_protocols) {
+-	global $_kses_allowed_protocols;
+-	$_kses_allowed_protocols = $allowed_protocols;
+-
+-	$string2 = preg_split('/:|&#58;|&#x3a;/i', $string, 2);
+-	if ( isset($string2[1]) && !preg_match('%/\?%', $string2[0]) )
+-		$string = wp_kses_bad_protocol_once2($string2[0]) . trim($string2[1]);
+-	else
+-		$string = preg_replace_callback('/^((&[^;]*;|[\sA-Za-z0-9])*)'.'(:|&#58;|&#[Xx]3[Aa];)\s*/', 'wp_kses_bad_protocol_once2', $string);
++    $string2 = preg_split( '/:|&#0*58;|&#x0*3a;/i', $string, 2 );
++    if ( isset($string2[1]) && ! preg_match('%/\?%', $string2[0]) )
++        $string = wp_kses_bad_protocol_once2( $string2[0], $allowed_protocols ) . trim( $string2[1] );
+ 
+ 	return $string;
+@@ -903,19 +898,9 @@
+  * @since 1.0.0
+  *
+- * @param mixed $matches string or preg_replace_callback() matches array to check for bad protocols
++ * @param string $string URI scheme to check against the whitelist
++ * @param string $allowed_protocols Allowed protocols
+  * @return string Sanitized content
+  */
+-function wp_kses_bad_protocol_once2($matches) {
+-	global $_kses_allowed_protocols;
+-
+-	if ( is_array($matches) ) {
+-		if ( ! isset($matches[1]) || empty($matches[1]) )
+-			return '';
+-
+-		$string = $matches[1];
+-	} else {
+-		$string = $matches;
+-	}
+-
++function wp_kses_bad_protocol_once2( $string, $allowed_protocols ) {
+ 	$string2 = wp_kses_decode_entities($string);
+ 	$string2 = preg_replace('/\s/', '', $string2);
+@@ -926,6 +911,6 @@
+ 
+ 	$allowed = false;
+-	foreach ( (array) $_kses_allowed_protocols as $one_protocol)
+-		if (strtolower($one_protocol) == $string2) {
++	foreach ( (array) $allowed_protocols as $one_protocol )
++        	if ( strtolower($one_protocol) == $string2 ) {
+ 			$allowed = true;
+ 			break;
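Review bot: In the kses.php part of the added patch, the new docblock for wp_kses_bad_protocol_once2() declares `@param string $allowed_protocols`, but the body iterates it with `foreach ( (array) $allowed_protocols as $one_protocol )`, so the documented type should read `@param array $allowed_protocols Allowed protocols`. The function also no longer accepts a preg_replace_callback() matches array or reads `$_kses_allowed_protocols`. The one caller visible here was updated, but whether any caller outside this patch still passes a single argument cannot be confirmed from these hunks. A short comment above the new split pattern would help later readers, for example `// 0* also matches zero-padded numeric references for ':' such as &#058;`. Both function bodies continue outside the quoted hunks.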
diff --git a/wordpress-mu.spec b/wordpress-mu.spec
index 9a072c5..553378b 100644
--- a/wordpress-mu.spec
+++ b/wordpress-mu.spec
@@ -2,13 +2,14 @@ Summary: WordPress-MU multi-user blogging software
 URL: http://mu.wordpress.org/latest.tar.gz
 Name: wordpress-mu
 Version: 2.9.2
-Release: 2%{?dist}
+Release: 3%{?dist}
 Group: Applications/Publishing
 License: GPLv2
 Source0: %{name}-%{version}.tar.gz
 Source1: wordpress-mu-httpd-conf
 Source2: README.fedora.wordpress-mu
 Patch0:  wordpress-mu-2.9.2-r16625.patch
+Patch1:  wordpress-mu-2.9.2-r17172.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: php >= 4.1.0, webserver, php-mysql
 BuildArch: noarch
@@ -21,6 +22,7 @@ one instance to serve multiple users.
 %setup -q -n wordpress-mu
 
 %patch0 -p0 -b .16625
+%patch1 -p1 -b .17172
 
 # disable-wordpress-core-update, updates are always installed via rpm
 #
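Review bot: `%patch1 -p1 -b .17172` leaves `.17172` backup copies of the unpatched formatting.php and kses.php in the build tree, as `%patch0 -b .16625` already does. The %install section is outside this diff, so it is worth confirming that those backups are not copied into the buildroot. If they are, dropping `-b` or deleting the `*.17172` and `*.16625` files before install keeps the pre-fix sources out of the package. The differing strip level (`-p1` versus `-p0`) appears to match the `wordpress.orig/` path prefix used in the new patch.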
@@ -102,6 +104,9 @@ rm -rf %{buildroot}
 %dir %{_sysconfdir}/wordpress-mu
 
 %changelog
+* Tue Jan 11 2011 Jon Ciesla <limb at jcomserv.net> - 2.9.2-3
+- Patches for security flaws, BZ 668192.
+
 * Thu Dec 23 2010 Jon Ciesla <limb at jcomserv.net> - 2.9.2-2
 - Change Requires from httpd to webserver, BZ 523480.
 - Patch for security vulnerability, BZ 659319.

