~ubuntu-branches/ubuntu/quantal/mediawiki/quantal

Viewing changes to .pc/CVE-2011-4361.patch/includes/AjaxDispatcher.php

Committer: Package Import Robot
Author(s): Jonathan Wiltshire, Thorsten Glaser, Jonathan Wiltshire
Date: 2011-11-30 22:42:52 UTC
mfrom: (16.1.12 sid)
Revision ID: package-import@ubuntu.com-20111130224252-zhag0n99qzf8jc7x

Tags: 1:1.15.5-4

http://bugs.debian.org/615983

http://bugs.debian.org/650434

[ Thorsten Glaser ]
* debian/patches/fix_invalid_sql.patch: new (Closes: #615983)

[ Jonathan Wiltshire ]
* Security fixes from upstream (Closes: #650434):
  CVE-2011-4360 - page titles on private wikis could be exposed
  bypassing different page ids to index.php
  CVE-2011-4361 - action=ajax requests were dispatched to the
  relevant function without any read permission checks being done

files added:
.pc/CVE-2011-4360.patch

.pc/CVE-2011-4360.patch/includes

.pc/CVE-2011-4360.patch/includes/Wiki.php

.pc/CVE-2011-4361.patch

.pc/CVE-2011-4361.patch/includes

.pc/CVE-2011-4361.patch/includes/AjaxDispatcher.php

.pc/fix_invalid_sql.patch

.pc/fix_invalid_sql.patch/includes

.pc/fix_invalid_sql.patch/includes/Title.php

debian/patches/CVE-2011-4360.patch

debian/patches/CVE-2011-4361.patch

debian/patches/fix_invalid_sql.patch

files modified:
.pc/applied-patches

debian/changelog

debian/patches/series

includes/AjaxDispatcher.php

includes/Title.php

includes/Wiki.php

Show diffs side-by-side

added added

removed removed

.pc/CVE-2011-4361.patch/includes/AjaxDispatcher.php

<?php

/**

* @defgroup Ajax Ajax

* @file

* @ingroup Ajax

* Handle ajax requests and send them to the proper handler.

if( !(defined( 'MEDIAWIKI' ) && $wgUseAjax ) ) {

die( 1 );

}

require_once( 'AjaxFunctions.php' );

/**

* Object-Oriented Ajax functions.

* @ingroup Ajax

class AjaxDispatcher {

/** The way the request was made, either a 'get' or a 'post' */

private $mode;

/** Name of the requested handler */

private $func_name;

/** Arguments passed */

private $args;

/** Load up our object with user supplied data */

function __construct() {

wfProfileIn( __METHOD__ );

$this->mode = "";

if (! empty($_GET["rs"])) {

$this->mode = "get";

}

if (!empty($_POST["rs"])) {

$this->mode = "post";

}

switch( $this->mode ) {

case 'get':

$this->func_name = isset( $_GET["rs"] ) ? $_GET["rs"] : '';

if (! empty($_GET["rsargs"])) {

$this->args = $_GET["rsargs"];

} else {

$this->args = array();

}

break;

case 'post':

$this->func_name = isset( $_POST["rs"] ) ? $_POST["rs"] : '';

if (! empty($_POST["rsargs"])) {

$this->args = $_POST["rsargs"];

} else {

$this->args = array();

}

break;

default:

wfProfileOut( __METHOD__ );

return;

# Or we could throw an exception:

#throw new MWException( __METHOD__ . ' called without any data (mode empty).' );

}

wfProfileOut( __METHOD__ );

}

/** Pass the request to our internal function.

* BEWARE! Data are passed as they have been supplied by the user,

* they should be carefully handled in the function processing the

* request.

function performAction() {

global $wgAjaxExportList, $wgOut;

if ( empty( $this->mode ) ) {

return;

}

wfProfileIn( __METHOD__ );

if (! in_array( $this->func_name, $wgAjaxExportList ) ) {

wfDebug( __METHOD__ . ' Bad Request for unknown function ' . $this->func_name . "\n" );

wfHttpError( 400, 'Bad Request',

"unknown function " . (string) $this->func_name );

} else {

wfDebug( __METHOD__ . ' dispatching ' . $this->func_name . "\n" );

if ( strpos( $this->func_name, '::' ) !== false ) {

$func = explode( '::', $this->func_name, 2 );

} else {

$func = $this->func_name;

100

}

101

try {

102

$result = call_user_func_array($func, $this->args);

103

104

if ( $result === false || $result === NULL ) {

105

wfDebug( __METHOD__ . ' ERROR while dispatching '

106

. $this->func_name . "(" . var_export( $this->args, true ) . "): "

107

. "no data returned\n" );

108

109

wfHttpError( 500, 'Internal Error',

110

"{$this->func_name} returned no data" );

111

}

112

else {

113

if ( is_string( $result ) ) {

114

$result= new AjaxResponse( $result );

115

}

116

117

$result->sendHeaders();

118

$result->printText();

119

120

wfDebug( __METHOD__ . ' dispatch complete for ' . $this->func_name . "\n" );

121

}

122

123

} catch (Exception $e) {

124

wfDebug( __METHOD__ . ' ERROR while dispatching '

125

. $this->func_name . "(" . var_export( $this->args, true ) . "): "

126

. get_class($e) . ": " . $e->getMessage() . "\n" );

127

128

if (!headers_sent()) {

129

wfHttpError( 500, 'Internal Error',

130

$e->getMessage() );

131

} else {

132

print $e->getMessage();

133

}

134

}

135

}

136

137

wfProfileOut( __METHOD__ );

138

$wgOut = null;

139

}

140

}

Older »