[WebCalendar/f17] * Fri Feb 17 2012 Patrick Monnerat <pm at datasphere.ch> 1.2.4-3 - Patch "cve2012_0846" fixes CVE-2012-0846 and some other XSS vulnerabilities.

Patrick Monnerat monnerat at fedoraproject.org
Fri Feb 17 13:00:23 UTC 2012


commit 17d96c82298c4d19b01afc3a5dcbd4c6bc4d82c6
Author: Patrick Monnerat <pm at datasphere.ch>
Date:   Fri Feb 17 14:00:14 2012 +0100

    * Fri Feb 17 2012 Patrick Monnerat <pm at datasphere.ch> 1.2.4-3
    - Patch "cve2012_0846" fixes CVE-2012-0846 and some other XSS vulnerabilities.
      http://sourceforge.net/tracker/?func=detail&aid=3472745&group_id=3870&atid=103870

 WebCalendar-1.2.4-cve2012_0846.patch |   70 ++++++++++++++++++++++++++++++++++
 WebCalendar.spec                     |   12 ++++-
 2 files changed, 79 insertions(+), 3 deletions(-)
---
diff --git a/WebCalendar-1.2.4-cve2012_0846.patch b/WebCalendar-1.2.4-cve2012_0846.patch
new file mode 100644
index 0000000..3a346ee
--- /dev/null
+++ b/WebCalendar-1.2.4-cve2012_0846.patch
@@ -0,0 +1,70 @@
+diff -Naur WebCalendar-1.2.4.orig/edit_entry_handler.php WebCalendar-1.2.4.new/edit_entry_handler.php
+--- WebCalendar-1.2.4.orig/edit_entry_handler.php	2012-02-17 11:09:49.523345221 +0100
++++ WebCalendar-1.2.4.new/edit_entry_handler.php	2012-02-17 12:50:59.541471469 +0100
+@@ -152,16 +152,19 @@
+   $location = strip_tags ( $location );
+ }
+ 
+-// Don't allow certain HTML tags in description.
++// Don't allow certain HTML tags in name, description and location.
+ // Malicious users can use meta refresh to redirect users to another
+ // site (possibly a malware site).  This could be form a public submission
+ // on an event calendar, and the admin gets sent to the malware site when
+ // viewing the event to approve/reject it.
+ $bannedTags = array ( 'HTML', 'HEAD', 'TITLE', 'BODY',
+   'SCRIPT', 'META', 'LINK', 'OBJECT', 'APPLET' );
+-for ( $i = 0; $i < count ( $bannedTags ); $i++ ) {
+-  if ( preg_match ( "/<\s*$bannedTags[$i]/i", $description ) ) {
+-    $error = translate('Security violation!');
++foreach (array($name, $description, $location) as $chkfld) {
++  for ( $i = 0; $i < count ( $bannedTags ); $i++ ) {
++    if ( preg_match ( "/<\s*$bannedTags[$i]/i", $chkfld ) ) {
++      $error = translate('Security violation!');
++      break 2;
++    }
+   }
+ }
+ 
+diff -Naur WebCalendar-1.2.4.orig/view_entry.php WebCalendar-1.2.4.new/view_entry.php
+--- WebCalendar-1.2.4.orig/view_entry.php	2012-02-17 11:09:49.466347759 +0100
++++ WebCalendar-1.2.4.new/view_entry.php	2012-02-17 12:41:58.190467151 +0100
+@@ -421,7 +421,7 @@
+       </tr>' : '' ) . ( $DISABLE_URL_FIELD != 'Y' && ! empty ( $url ) ? '
+       <tr>
+         <td class="aligntop bold">' . translate ( 'URL' ) . ':</td>
+-        <td>' . activate_urls ( $url ) . '</td>
++        <td>' . activate_urls(htmlspecialchars($url)) . '</td>
+       </tr>' : '' );
+ 
+ if ( $event_status != 'A' && ! empty ( $event_status ) ) {
+@@ -685,10 +685,10 @@
+               <td width="30%">';
+       if ( strlen ( $tempemail ) && $can_email != 'N' ) {
+         echo '<a href="mailto:' . $tempemail . '?subject=' . $subject
+-         . '">&nbsp;' . $tempfullname . '</a>';
++         . '">&nbsp;' . htmlspecialchars($tempfullname) . '</a>';
+         $allmails[] = $tempemail;
+       } else
+-        echo '&nbsp;' . $tempfullname;
++        echo '&nbsp;' . htmlspecialchars($tempfullname);
+ 
+       echo '</td>
+               <td width="5%" align="center">' . $percentage . '%</td>
+@@ -711,7 +711,7 @@
+           ';
+       if ( strlen ( $tempemail ) > 0 && $can_email != 'N' ) {
+         echo '<a href="mailto:' . $tempemail . '?subject=' . $subject . '">'
+-         . $tempfullname . '</a>';
++         . htmlspecialchars($tempfullname) . '</a>';
+         $allmails[] = $tempemail;
+       } else
+         echo $tempfullname;
+@@ -727,7 +727,7 @@
+         for ( $i = 0, $cnt = count ( $ext_users ); $i < $cnt; $i++ ) {
+           if ( ! empty ( $ext_users[$i] ) ) {
+             echo '
+-          ' . $ext_users[$i] . ' (' . $externUserStr . ')<br />';
++          ' . htmlspecialchars($ext_users[$i]) . ' (' . $externUserStr . ')<br />';
+             if ( preg_match ( '/mailto: (\S+)"/', $ext_users[$i], $match ) )
+               $allmails[] = $match[1];
+           }
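Review bot: The `else` branch in the `@@ -711` hunk still emits `echo $tempfullname;` unescaped, although the `<a>` branch two lines above now wraps the same value in `htmlspecialchars()`; it should read `echo htmlspecialchars($tempfullname);`, as the `@@ -685` hunk already does for both branches. In those same hunks `$tempemail` and `$subject` are concatenated into the `href` attribute without escaping, so a quote in either value still breaks out of the attribute and bypasses the fix. In the `@@ -727` hunk, escaping `$ext_users[$i]` while the next line still matches `/mailto: (\S+)"/` against the raw value suggests that string carries anchor markup; if so, the escaped output now renders the tags literally — confirm what populates `$ext_users` before relying on this. The name/description/location check in edit_entry_handler.php remains a tag blacklist (no IFRAME, EMBED, STYLE, FORM, IMG or `on*` handlers), so it addresses the meta-refresh case in the comment rather than XSS generally; escaping on output, or allow-listing the tags permitted, is the durable fix. The enclosing view_entry.php and edit_entry_handler.php code starts and ends outside these hunks.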
diff --git a/WebCalendar.spec b/WebCalendar.spec
index f4a7fb4..f8d2a2a 100644
--- a/WebCalendar.spec
+++ b/WebCalendar.spec
@@ -20,7 +20,7 @@
 Name:		WebCalendar
 Summary:	Single/multi-user web-based calendar application
 Version:	1.2.4
-Release:	2%{?dist}
+Release:	3%{?dist}
 License:	GPLv2
 Group:		Applications/Internet
 Source0:	WebCalendar-%{version}-clean.tar.gz
@@ -46,6 +46,7 @@ Patch15:	WebCalendar-1.2.3-authsettings.patch
 Patch16:	WebCalendar-1.2.3-etp.patch
 Patch17:	WebCalendar-1.2.3-canadd.patch
 Patch18:	WebCalendar-1.2.4-cve2011_3814.patch
+Patch19:	WebCalendar-1.2.4-cve2012_0846.patch
 URL:		http://www.k5n.us/webcalendar.php
 Requires:	webserver
 Requires:	php >= 4.1.0
@@ -117,6 +118,7 @@ rm -rf includes/classes/captcha
 %patch16 -p 1
 %patch17 -p 1
 %patch18 -p 1
+%patch19 -p 1
 
 
 #-------------------------------------------------------------------------------
@@ -260,11 +262,15 @@ rm -rf "${RPM_BUILD_ROOT}"
 
 #-------------------------------------------------------------------------------
 %changelog
+#-------------------------------------------------------------------------------
+
+* Fri Feb 17 2012 Patrick Monnerat <pm at datasphere.ch> 1.2.4-3
+- Patch "cve2012_0846" fixes CVE-2012-0846 and some other XSS vulnerabilities.
+  http://sourceforge.net/tracker/?func=detail&aid=3472745&group_id=3870&atid=103870
+
 * Thu Jan 12 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.2.4-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
 
-#-------------------------------------------------------------------------------
-
 * Tue Oct 11 2011 Patrick Monnerat <pm at datasphere.ch> 1.2.4-1
 - New upstream release.
 - Patch "cve2011_3814" to fix CVE-2011-3814 vulnerability.

