Bug#903305: dokuwiki: diff for NMU version 0.0.20160626.a-2.1

Sun, 08 Jul 2018 09:21:47 -0700 

Package: dokuwiki
Version: 0.0.20160626.a-2
Severity: normal
Tags: patch pending

Dear maintainer,

I've prepared an NMU for dokuwiki (versioned as 0.0.20160626.a-2.1) and
uploaded it to DELAYED/5. The main motivation for the NMU was to fix the
security issue that prevents migration to testing. While testing the
patch, I realized that the current state of the dokuwiki package doesn't
result in the CSS being rendered correctly, so I included some patches
from the BTS in order have a package that renders correctly on a default
installation.

Please feel free to tell me if I should delay it longer.

I think the best course of action would be to package a newer upstream
version, but I leave that to you, the actual maintainer of the package.

Thanks for your work in packaging and maintaining dokuwiki.

Reinhard

diff -Nru dokuwiki-0.0.20160626.a/debian/add-ons/preload.php dokuwiki-0.0.20160626.a/debian/add-ons/preload.php
--- dokuwiki-0.0.20160626.a/debian/add-ons/preload.php	2016-02-25 09:02:29.000000000 -0500
+++ dokuwiki-0.0.20160626.a/debian/add-ons/preload.php	2018-07-07 11:59:53.000000000 -0400
@@ -138,14 +138,14 @@
         'default'   => DOKU_CONF.'users.auth.php',
     ),
     'userstyle' => array(
-        'default' => DOKU_CONF.'userstyle.css', // 'default' was renamed to 'screen' on 2011-02-26, so will be deprecated in the next version
-        'screen'  => DOKU_CONF.'userstyle.css',
-        'rtl'     => DOKU_CONF.'userrtl.css',
-        'print'   => DOKU_CONF.'userprint.css',
-        'feed'    => DOKU_CONF.'userfeed.css',
-        'all'     => DOKU_CONF.'userall.css',
+        'default' => array(DOKU_CONF.'userstyle.css'), // 'default' was renamed to 'screen' on 2011-02-26, so will be deprecated in the next version
+        'screen'  => array(DOKU_CONF.'userstyle.css'),
+        'rtl'     => array(DOKU_CONF.'userrtl.css'),
+        'print'   => array(DOKU_CONF.'userprint.css'),
+        'feed'    => array(DOKU_CONF.'userfeed.css'),
+        'all'     => array(DOKU_CONF.'userall.css'),
     ),
     'userscript' => array(
-        'default' => DOKU_CONF.'userscript.js'
+        'default' => array(DOKU_CONF.'userscript.js')
     ),
 );
diff -Nru dokuwiki-0.0.20160626.a/debian/changelog dokuwiki-0.0.20160626.a/debian/changelog
--- dokuwiki-0.0.20160626.a/debian/changelog	2017-04-14 09:38:06.000000000 -0400
+++ dokuwiki-0.0.20160626.a/debian/changelog	2018-07-07 11:59:53.000000000 -0400
@@ -1,3 +1,15 @@
+dokuwiki (0.0.20160626.a-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2017-18123: fix remote code execution through reflected file
+    download. Originally prepared by  Antoine Beaupré <anar...@debian.org>
+    (Closes: #889281)
+  * Fix loading of css (Closes: #894018)
+  * Fix 'Invalid argument supplied for foreach() .../lib/exe/js.php'
+    (Closes: #866245)
+
+ -- Reinhard Tartler <siret...@tauware.de>  Sat, 07 Jul 2018 11:59:53 -0400
+
 dokuwiki (0.0.20160626.a-2) unstable; urgency=medium
 
   * debian/control: depend on php-seclib (<<2) as the new php-phpseclib
diff -Nru dokuwiki-0.0.20160626.a/debian/patches/filter-special-chars-from-ajax-call-para dokuwiki-0.0.20160626.a/debian/patches/filter-special-chars-from-ajax-call-para
--- dokuwiki-0.0.20160626.a/debian/patches/filter-special-chars-from-ajax-call-para	1969-12-31 19:00:00.000000000 -0500
+++ dokuwiki-0.0.20160626.a/debian/patches/filter-special-chars-from-ajax-call-para	2018-07-07 11:59:53.000000000 -0400
@@ -0,0 +1,22 @@
+From: Andreas Gohr <g...@cosmocode.de>
+Date: Tue, 27 Jun 2017 15:04:23 +0200
+X-Dgit-Generated: 0.0.20160626.a-2.1 ed9c66b49d621314958ae269c1c4c66e28b3f68b
+Subject: filter special chars from ajax call parameter. fixes #2019
+
+
+---
+
+--- dokuwiki-0.0.20160626.a.orig/lib/exe/ajax.php
++++ dokuwiki-0.0.20160626.a/lib/exe/ajax.php
+@@ -15,9 +15,9 @@ header('Content-Type: text/html; charset
+ 
+ //call the requested function
+ if($INPUT->post->has('call')){
+-    $call = $INPUT->post->str('call');
++    $call = $INPUT->post->filter('utf8_stripspecials')->str('call');
+ }else if($INPUT->get->has('call')){
+-    $call = $INPUT->get->str('call');
++    $call = $INPUT->get->filter('utf8_stripspecials')->str('call');
+ }else{
+     exit;
+ }
diff -Nru dokuwiki-0.0.20160626.a/debian/patches/fix-loading-of-css-closes-894018 dokuwiki-0.0.20160626.a/debian/patches/fix-loading-of-css-closes-894018
--- dokuwiki-0.0.20160626.a/debian/patches/fix-loading-of-css-closes-894018	1969-12-31 19:00:00.000000000 -0500
+++ dokuwiki-0.0.20160626.a/debian/patches/fix-loading-of-css-closes-894018	2018-07-07 11:59:53.000000000 -0400
@@ -0,0 +1,20 @@
+From: Reinhard Tartler <siret...@tauware.de>
+Date: Sun, 8 Jul 2018 07:52:19 -0400
+X-Dgit-Generated: 0.0.20160626.a-2.1 04dae39dc34ab2df6b21cf7d6b557edb2483ba02
+Subject: Fix loading of css (Closes: #894018)
+
+Patch provided by Francesco Potortì <poto...@isti.cnr.it>
+
+---
+
+--- dokuwiki-0.0.20160626.a.orig/lib/exe/css.php
++++ dokuwiki-0.0.20160626.a/lib/exe/css.php
+@@ -166,7 +166,7 @@ function css_parseless($css) {
+     global $conf;
+ 
+     $less = new lessc();
+-    $less->importDir[] = DOKU_INC;
++    $less->importDir = array(DOKU_INC);
+     $less->setPreserveComments(!$conf['compress']);
+ 
+     if (defined('DOKU_UNITTEST')){
diff -Nru dokuwiki-0.0.20160626.a/debian/patches/series dokuwiki-0.0.20160626.a/debian/patches/series
--- dokuwiki-0.0.20160626.a/debian/patches/series	2016-02-25 09:02:29.000000000 -0500
+++ dokuwiki-0.0.20160626.a/debian/patches/series	2018-07-07 11:59:53.000000000 -0400
@@ -4,3 +4,5 @@
 debianize.diff
 soften_email_validator.diff
 use_packaged_jquery.diff
+filter-special-chars-from-ajax-call-para
+fix-loading-of-css-closes-894018

Reply via email to