Ubuntu
php-htmlpurifier package

Merge lp:~ari-tczew/ubuntu/lucid/php-htmlpurifier/security into lp:ubuntu/lucid/php-htmlpurifier

  1. Lucid (10.04)
  2. security
  3. Merge into lucid
Proposed by Artur Rona
Status: Needs review
Proposed branch: lp:~ari-tczew/ubuntu/lucid/php-htmlpurifier/security
Merge into: lp:ubuntu/lucid/php-htmlpurifier
Diff against target: 178 lines (+69/-44)
5 files modified
debian/changelog (+10/-0)
debian/control (+2/-1)
library/HTMLPurifier/AttrDef.php (+36/-0)
library/HTMLPurifier/AttrDef/CSS/FontFamily.php (+17/-35)
library/HTMLPurifier/AttrDef/CSS/URI.php (+4/-8)
To merge this branch: bzr merge lp:~ari-tczew/ubuntu/lucid/php-htmlpurifier/security
Reviewer Review Type Date Requested Status
Artur Rona (community) Needs Resubmitting
Jamie Strandboge Needs Fixing
Review via email: mp+29504@code.launchpad.net
To post a comment you must log in.
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Patch not the same as the tested fix in the bug.

review: Needs Fixing
Reply
lp:~ari-tczew/ubuntu/lucid/php-htmlpurifier/security updated
7. By Artur Rona

Remove done changes due to not correctly with packaging policy.

8. By Artur Rona

Patch files directly.

Revision history for this message
Artur Rona (ari-tczew) wrote :

I updated branches. Files have been patches directly, as correct with packaging policy. Bzr diff looks like not exactly with original patch, dunno why. I'll attach also debdiff.
Changes are the same such as François tested, but without using patchsystem. Packages built fine on my PPA.

review: Needs Resubmitting
Reply

Unmerged revisions

8. By Artur Rona

Patch files directly.

7. By Artur Rona

Remove done changes due to not correctly with packaging policy.

6. By Artur Rona

* SECURITY UPDATE (LP: #582576). More information on:
  - http://secunia.com/advisories/39613/
* debian/patches/01-fix_XSS_IE.dpatch: Cross-Site
  Scripting Vulnerability
  - SA39613
* debian/{control,rules}: Add support for dpatch.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'debian/changelog'
2--- debian/changelog 2010-03-16 14:04:20 +0000
3+++ debian/changelog 2010-11-24 22:47:32 +0000
4@@ -1,3 +1,13 @@
5+php-htmlpurifier (4.0.0+dfsg1-1ubuntu0.1) lucid-security; urgency=low
6+
7+ * SECURITY UPDATE (LP: #582576).
8+ * A vulnerability has been reported in HTML Purifier, which can be
9+ exploited by malicious people to conduct cross-site scripting
10+ attacks.
11+ * CVE-2010-2479
12+
13+ -- Artur Rona <ari-tczew@ubuntu.com> Wed, 24 Nov 2010 22:36:10 +0100
14+
15 php-htmlpurifier (4.0.0+dfsg1-1) unstable; urgency=low
16
17 * Take original upstream tarball, removing non-DFSG-free XHTML
18
19=== modified file 'debian/control'
20--- debian/control 2010-03-16 14:04:20 +0000
21+++ debian/control 2010-11-24 22:47:32 +0000
22@@ -1,7 +1,8 @@
23 Source: php-htmlpurifier
24 Section: php
25 Priority: optional
26-Maintainer: Christian Bayle <bayle@debian.org>
27+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
28+XSBC-Original-Maintainer: Christian Bayle <bayle@debian.org>
29 Uploaders: Thorsten Glaser <tg@mirbsd.de>, Roland Mas <lolando@debian.org>
30 Homepage: http://htmlpurifier.org/
31 Build-Depends: debhelper (>= 5)
32
33=== modified file 'library/HTMLPurifier/AttrDef.php'
34--- library/HTMLPurifier/AttrDef.php 2010-03-16 14:04:20 +0000
35+++ library/HTMLPurifier/AttrDef.php 2010-11-24 22:47:32 +0000
36@@ -82,6 +82,42 @@
37 return preg_replace('/rgb\((\d+)\s*,\s*(\d+)\s*,\s*(\d+)\)/', 'rgb(\1,\2,\3)', $string);
38 }
39
40+ /**
41+ * Parses a possibly escaped CSS string and returns the "pure"
42+ * version of it.
43+ */
44+ protected function expandCSSEscape($string) {
45+ // flexibly parse it
46+ $ret = '';
47+ for ($i = 0, $c = strlen($string); $i < $c; $i++) {
48+ if ($string[$i] === '\\') {
49+ $i++;
50+ if ($i >= $c) {
51+ $ret .= '\\';
52+ break;
53+ }
54+ if (ctype_xdigit($string[$i])) {
55+ $code = $string[$i];
56+ for ($a = 1, $i++; $i < $c && $a < 6; $i++, $a++) {
57+ if (!ctype_xdigit($string[$i])) break;
58+ $code .= $string[$i];
59+ }
60+ // We have to be extremely careful when adding
61+ // new characters, to make sure we're not breaking
62+ // the encoding.
63+ $char = HTMLPurifier_Encoder::unichr(hexdec($code));
64+ if (HTMLPurifier_Encoder::cleanUTF8($char) === '') continue;
65+ $ret .= $char;
66+ if ($i < $c && trim($string[$i]) !== '') $i--;
67+ continue;
68+ }
69+ if ($string[$i] === "\n") continue;
70+ }
71+ $ret .= $string[$i];
72+ }
73+ return $ret;
74+ }
75+
76 }
77
78 // vim: et sw=4 sts=4
79
80=== modified file 'library/HTMLPurifier/AttrDef/CSS/FontFamily.php'
81--- library/HTMLPurifier/AttrDef/CSS/FontFamily.php 2010-03-16 14:04:20 +0000
82+++ library/HTMLPurifier/AttrDef/CSS/FontFamily.php 2010-11-24 22:47:32 +0000
83@@ -34,37 +34,10 @@
84 $quote = $font[0];
85 if ($font[$length - 1] !== $quote) continue;
86 $font = substr($font, 1, $length - 2);
87-
88- $new_font = '';
89- for ($i = 0, $c = strlen($font); $i < $c; $i++) {
90- if ($font[$i] === '\\') {
91- $i++;
92- if ($i >= $c) {
93- $new_font .= '\\';
94- break;
95- }
96- if (ctype_xdigit($font[$i])) {
97- $code = $font[$i];
98- for ($a = 1, $i++; $i < $c && $a < 6; $i++, $a++) {
99- if (!ctype_xdigit($font[$i])) break;
100- $code .= $font[$i];
101- }
102- // We have to be extremely careful when adding
103- // new characters, to make sure we're not breaking
104- // the encoding.
105- $char = HTMLPurifier_Encoder::unichr(hexdec($code));
106- if (HTMLPurifier_Encoder::cleanUTF8($char) === '') continue;
107- $new_font .= $char;
108- if ($i < $c && trim($font[$i]) !== '') $i--;
109- continue;
110- }
111- if ($font[$i] === "\n") continue;
112- }
113- $new_font .= $font[$i];
114- }
115-
116- $font = $new_font;
117 }
118+
119+ $font = $this->expandCSSEscape($font);
120+
121 // $font is a pure representation of the font name
122
123 if (ctype_alnum($font) && $font !== '') {
124@@ -73,12 +46,21 @@
125 continue;
126 }
127
128+ // bugger out on whitespace. form feed (0C) really
129+ // shouldn't show up regardless
130+ $font = str_replace(array("\n", "\t", "\r", "\x0C"), ' ', $font);
131+
132+ // These ugly transforms don't pose a security
133+ // risk (as \\ and \" might). We could try to be clever and
134+ // use single-quote wrapping when there is a double quote
135+ // present, but I have choosen not to implement that.
136+ // (warning: this code relies on the selection of quotation
137+ // mark below)
138+ $font = str_replace('\\', '\\5C ', $font);
139+ $font = str_replace('"', '\\22 ', $font);
140+
141 // complicated font, requires quoting
142-
143- // armor single quotes and new lines
144- $font = str_replace("\\", "\\\\", $font);
145- $font = str_replace("'", "\\'", $font);
146- $final .= "'$font', ";
147+ $final .= "\"$font\", "; // note that this will later get turned into &quot;
148 }
149 $final = rtrim($final, ', ');
150 if ($final === '') return false;
151
152=== modified file 'library/HTMLPurifier/AttrDef/CSS/URI.php'
153--- library/HTMLPurifier/AttrDef/CSS/URI.php 2010-03-16 14:04:20 +0000
154+++ library/HTMLPurifier/AttrDef/CSS/URI.php 2010-11-24 22:47:32 +0000
155@@ -34,20 +34,16 @@
156 $uri = substr($uri, 1, $new_length - 1);
157 }
158
159- $keys = array( '(', ')', ',', ' ', '"', "'");
160- $values = array('\\(', '\\)', '\\,', '\\ ', '\\"', "\\'");
161- $uri = str_replace($values, $keys, $uri);
162+ $uri = $this->expandCSSEscape($uri);
163
164 $result = parent::validate($uri, $config, $context);
165
166 if ($result === false) return false;
167
168- // escape necessary characters according to CSS spec
169- // except for the comma, none of these should appear in the
170- // URI at all
171- $result = str_replace($keys, $values, $result);
172+ // extra sanity check; should have been done by URI
173+ $result = str_replace(array('"', "\\", "\n", "\x0c", "\r"), "", $result);
174
175- return "url($result)";
176+ return "url(\"$result\")";
177
178 }
179

Subscribers

People subscribed via source and target branches

to all changes: