[mediawiki119] Added backport for bug 40995

Patrick Uiterwijk puiterwijk at fedoraproject.org
Fri Dec 7 12:49:46 UTC 2012


commit 2d2aafb8f274b99755edecfb0b0fc27f7c431784
Author: Patrick Uiterwijk <puiterwijk at gmail.com>
Date:   Fri Dec 7 13:49:35 2012 +0100

    Added backport for bug 40995

 mediawiki-1.19.2-backport-bug40995.patch |   75 ++++++++++++++++++++++++++++++
 1 files changed, 75 insertions(+), 0 deletions(-)
---
diff --git a/mediawiki-1.19.2-backport-bug40995.patch b/mediawiki-1.19.2-backport-bug40995.patch
new file mode 100644
index 0000000..587226a
--- /dev/null
+++ b/mediawiki-1.19.2-backport-bug40995.patch
@@ -0,0 +1,75 @@
+diff -rupN includes/GlobalFunctions.php mediawiki-1.19.2/includes/GlobalFunctions.php
+--- includes/GlobalFunctions.php	2012-08-31 00:25:34.000000000 +0200
++++ includes/GlobalFunctions.php	2012-12-07 13:43:09.119920361 +0100
+@@ -3292,6 +3292,19 @@ function wfHttpOnlySafe() {
+ 	return true;
+ }
+ 
++//BACKPORT OF FIX FOR SECURITY ISSUE 40995 (RHBZ 882325)
++/**
++ * Check if there is sufficent entropy in php's built-in session generation
++ * @return bool true = there is sufficient entropy
++ */
++function wfCheckEntropy() {
++    return (
++        ( wfIsWindows() && version_compare( PHP_VERSION, '5.3.3', '>=' ) )
++        || ini_get( 'session.entropy_file' )
++    )
++    && intval( ini_get( 'session.entropy_length' ) ) >= 32;
++}
++
+ /**
+  * Override session_id before session startup if php's built-in
+  * session generation code is not secure.
+@@ -3306,11 +3319,8 @@ function wfFixSessionID() {
+ 	// - entropy_file is set or you're on Windows with php 5.3.3+
+ 	// - AND entropy_length is > 0
+ 	// We treat it as disabled if it doesn't have an entropy length of at least 32
+-	$entropyEnabled = (
+-			( wfIsWindows() && version_compare( PHP_VERSION, '5.3.3', '>=' ) )
+-			|| ini_get( 'session.entropy_file' )
+-		)
+-		&& intval( ini_get( 'session.entropy_length' ) ) >= 32;
++    //BACKPORT OF FIX FOR SECURITY ISSUE 40995 (RHBZ 882325)
++	$entropyEnabled = wfCheckEntropy();
+ 	
+ 	// If built-in entropy is not enabled or not sufficient override php's built in session id generation code
+ 	if ( !$entropyEnabled ) {
+diff -rupN mediawiki-1.19.2/includes/specials/SpecialUserlogin.php mediawiki-1.19.2/includes/specials/SpecialUserlogin.php
+--- includes/specials/SpecialUserlogin.php	2012-08-31 00:25:34.000000000 +0200
++++ includes/specials/SpecialUserlogin.php	2012-12-07 13:46:40.432316382 +0100
+@@ -745,6 +745,8 @@ class LoginForm extends SpecialPage {
+ 					$userLang = Language::factory( $code );
+ 					$wgLang = $userLang;
+ 					$this->getContext()->setLanguage( $userLang );
++                    //BACKPORT OF FIX FOR SECURITY ISSUE 40995 (RHBZ 882325)
++                    $this->renewSessionId();
+ 					return $this->successfulLogin();
+ 				} else {
+ 					return $this->cookieRedirectCheck( 'login' );
+@@ -1179,7 +1181,24 @@ class LoginForm extends SpecialPage {
+ 		$wgRequest->setSessionData( 'wsCreateaccountToken', null );
+ 	}
+ 
+-	/**
++    /**
++    * Renew the user's session id, using strong entropy
++    */
++    private function renewSessionId() {
++        if ( wfCheckEntropy() ) {
++            session_regenerate_id( false );
++        } else {
++            //If we don't trust PHP's entropy, we have to replace the session manually
++            $tmp = $_SESSION;
++            session_unset();
++            session_write_close();
++            session_id( MWCryptRand::generateHex( 32 ) );
++            session_start();
++            $_SESSION = $tmp;
++        }
++    }
++ 
++   /**
+ 	 * @private
+ 	 */
+ 	function cookieRedirectCheck( $type ) {
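Review bot: In `renewSessionId()`, the `wfCheckEntropy()` branch calls `session_regenerate_id( false )`, which issues a new id but leaves the old session's stored data in place, whereas the fallback branch empties the old session with `session_unset()` before `session_write_close()`. If the session already holds login state when this runs (the caller's earlier lines are outside the patch context, so this is not confirmed here), the pre-login id would stay usable until session garbage collection, which weakens the fixation fix. Consider `session_regenerate_id( true );` so both branches invalidate the old id, after checking that concurrent requests on the old id are tolerated. The renewal is also added only on the path that returns `successfulLogin()`; the `cookieRedirectCheck( 'login' )` path in the same context gets none, and a short comment such as `// session id is renewed only once the cookie check has passed` would record whether that is intentional.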

