
Item11285: Last iteration of the patch
until the next one.

git-svn-id: http://svn.foswiki.org/trunk/PatchItem12285Contrib@16191 0b4bb1d4-4e5a-0410-9cc4-b2b747904278
GeorgeClark authored and GeorgeClark committed Dec 11, 2012
1 parent 835bf1f commit 35f81b9
Showing 3 changed files with 41 additions and 220 deletions.
4 changes: 2 additions & 2 deletions data/System/PatchItem12285Contrib.txt
Expand Up @@ -31,8 +31,7 @@ There is no "dependency order" established between patches. Patches are install

Patches will be mapped from the default Foswiki filename to the directory location used on the target system.

Note: This extension was re-released with a slightly different patch. The previous fix works fine, but escaped more than was required. The new version will re-apply the patch regardless of whether or not the old version was applied.

Note: This extension was re-released with a slightly different patch. It is strongly recommmended that prior versions of the patch be reverted and the final version be applied.

---++ Installation
%$INSTALL_INSTRUCTIONS%
Expand All @@ -45,6 +44,7 @@ Note: This extension was re-released with a slightly different patch. The prev
| Dependencies: | %$DEPENDENCIES% |
| Version: | %$VERSION% |
| Change History: | <!-- versions below in reverse order -->&nbsp; |
| 1.3 (10 Dec 2012) | Re-issue with more updates. |
| 1.2 (10 Dec 2012) | Reissue with different fix. |
| 1.1 (10 Dec 2012) | Minor changes |
| 1.0 (10 Dec 2012) | Initial version |
4 changes: 2 additions & 2 deletions lib/Foswiki/Contrib/PatchItem12285Contrib.pm
Expand Up @@ -19,7 +19,7 @@ use warnings;
# *must* exist in this package. This should always be in the format
# $Rev$ so that Foswiki can determine the checked-in status of the
# extension.
our $VERSION = '1.2';
our $VERSION = '1.3';

# $RELEASE is used in the "Find More Extensions" automation in configure.
# It is a manually maintained string used to identify functionality steps.
Expand All @@ -31,7 +31,7 @@ our $VERSION = '1.2';
# date - a date in 1 Jun 2009 format. Three letter English month names only.
# Note: it's important that this string is exactly the same in the extension
# topic - if you use %$RELEASE% with BuildContrib this is done automatically.
our $RELEASE = '1.2';
our $RELEASE = '1.3';

our $SHORTDESCRIPTION = 'Patch a critical vulnerability in Locale::Maketext.';

253 changes: 37 additions & 216 deletions working/configure/patch/Item12285-001.patch
@@ -1,23 +1,20 @@
commit b4d14632bd9e00e2edb11e2da358cdf4d1cf47cd
commit ab616fbb6d95c450ec7d248a00fffcd90e32a71a
Author: GeorgeClark <GeorgeClark@0b4bb1d4-4e5a-0410-9cc4-b2b747904278>
Date: Mon Dec 10 00:49:20 2012 +0000

Item12285: Better validations

git-svn-id: http://svn.foswiki.org/trunk@16178 0b4bb1d4-4e5a-0410-9cc4-b2b747904278

~~~PATCH 72c86f0c71519caf6d26efbe174739f6 lib/Foswiki/Macros/MAKETEXT.pm (Foswiki 1.1.0 - Foswiki 1.1.2)
--- MAKETEXT.pm.orig 2012-12-09 20:20:07.865197810 -0500
+++ MAKETEXT.pm 2012-12-10 16:58:03.651591792 -0500
@@ -4,9 +4,18 @@
~~~PATCH 72c86f0c71519caf6d26efbe174739f6 lib/Foswiki/Macros/MAKETEXT.pm (Foswiki 1.1.0 - 1.1.2)
--- /home/gac/Foswiki/Foswiki-1.1.0/lib/Foswiki/Macros/MAKETEXT.pm 2010-10-04 11:26:34.000000000 -0400
+++ lib/Foswiki/Macros/MAKETEXT.pm 2012-12-11 11:26:04.034507184 -0500
@@ -4,9 +4,19 @@
use strict;
use warnings;

+use Locale::Maketext;
+my $escape =
+ ( $Foswiki::cfg{UserInterfaceInternationalisation}
+ && ( Locale::Maketext->VERSION() < 1.23 ) );
+ ( $Foswiki::cfg{UserInterfaceInternationalisation}
+ && $Locale::Maketext::VERSION
+ && $Locale::Maketext::VERSION < 1.23 );
+
sub MAKETEXT {
my ( $this, $params ) = @_;
Expand All @@ -29,7 +26,7 @@ Date: Mon Dec 10 00:49:20 2012 +0000
my $str = $params->{_DEFAULT} || $params->{string} || "";
return "" unless $str;

@@ -18,20 +27,24 @@
@@ -18,15 +28,22 @@
$str =~ s/~~\[/~[/g;
$str =~ s/~~\]/~]/g;

Expand All @@ -43,28 +40,26 @@ Date: Mon Dec 10 00:49:20 2012 +0000
+ $str =~ s/~\[(\_(\d+))~\]/_validate($1, $2, $max, $min, $param_error)/ge;
$str =~
-s/~\[(\*,\_(\d+),[^,]+(,([^,]+))?)~\]/ $max = $2 if ($2 > $max); "[$1]"/ge;
+s/~\[(\*,\_(\d+),[^,]+(,([^,]+))?)~\]/ _validate($1, $2, $max, $min, $param_error, $escape)/ge;
+s/~\[(\*,\_(\d+),[^,]+(,([^,]+))?)~\]/ _validate($1, $2, $max, $min, $param_error)/ge;
+ return $str if ($param_error);

# get the args to be interpolated.
my $argsStr = $params->{args} || "";

+ # Escape any escapes.
+ $str =~ s#\\#\\\\#g if ($escape); # escape any escapes
+
my @args = split( /\s*,\s*/, $argsStr );

- # fill omitted args with zeros
+ # fill omitted args with empty strings
while ( ( scalar @args ) < $max ) {
- push( @args, 0 );
+ push( @args, '' );
}

# do the magic:
@@ -47,6 +60,35 @@
# fill omitted args with zeros
@@ -47,6 +64,26 @@
return $result;
}

+sub _validate {
+
+ #my ( $contents, $number, $max, $min, $param_error ) = @_
+
+ $_[2] = $_[1] if ( $_[1] > $_[2] ); # Record maximum param number
+ $_[3] = $_[1] if ( $_[1] < $_[3] ); # Record minimum param number
+
Expand All @@ -78,122 +73,27 @@ Date: Mon Dec 10 00:49:20 2012 +0000
+ return
+"<span class=\"foswikiAlert\">Invalid parameter <code>\"$_[0]\"</code>, MAKETEXT rejected.</span>";
+ }
+
+ if ( $_[5] ) {
+
+ # Escape any escapes.
+ my $str = $_[0]; # copy to allow modification
+ $str =~ s#\\#\\\\#g; # escape any escapes
+ return "[$str]";
+ }
+ else {
+ return
+ "[$_[0]]"; # Return the complete bracket parameter without escapes
+ }
+ return "[$_[0]]"; # Return the complete bracket parameter without escapes
+}
+
1;
__END__
Foswiki - The Free and Open Source Wiki, http://foswiki.org/

~~~PATCH e7d32c175961f232a523ebcc3b45310f lib/Foswiki/Macros/MAKETEXT.pm (Foswiki-1.1.0 - Foswiki-1.1.2 Patched)
--- MAKETEXT.pm 2012-12-10 11:18:32.932577919 -0500
+++ MAKETEXT.pm 2012-12-10 16:58:03.651591792 -0500
@@ -9,13 +9,13 @@
( $Foswiki::cfg{UserInterfaceInternationalisation}
&& ( Locale::Maketext->VERSION() < 1.23 ) );

-my $max;
-my $min;
-my $param_error;
-
sub MAKETEXT {
my ( $this, $params ) = @_;

+ my $max;
+ my $min;
+ my $param_error;
+
my $str = $params->{_DEFAULT} || $params->{string} || "";
return "" unless $str;

@@ -32,20 +32,19 @@
$param_error = 0;

# unescape parameters and calculate highest parameter number:
- $str =~ s/~\[(\_(\d+))~\]/_validate($1, $2)/ge;
- $str =~ s/~\[(\*,\_(\d+),[^,]+(,([^,]+))?)~\]/ _validate($1, $2)/ge;
+ $str =~ s/~\[(\_(\d+))~\]/_validate($1, $2, $max, $min, $param_error)/ge;
+ $str =~
+s/~\[(\*,\_(\d+),[^,]+(,([^,]+))?)~\]/ _validate($1, $2, $max, $min, $param_error, $escape)/ge;
return $str if ($param_error);

- $str =~ s#\\#\\\\#g if $escape;
-
# get the args to be interpolated.
my $argsStr = $params->{args} || "";

my @args = split( /\s*,\s*/, $argsStr );

- # fill omitted args with zeros
+ # fill omitted args with empty strings
while ( ( scalar @args ) < $max ) {
- push( @args, 0 );
+ push( @args, '' );
}

# do the magic:
@@ -62,19 +61,32 @@
}

sub _validate {
- $max = $_[1] if ( $_[1] > $max );
- $min = $_[1] if ( $_[1] < $min );
+
+ $_[2] = $_[1] if ( $_[1] > $_[2] ); # Record maximum param number
+ $_[3] = $_[1] if ( $_[1] < $_[3] ); # Record minimum param number
+
if ( $_[1] > 100 ) {
- $param_error = 1;
+ $_[4] = 1; # Set error flag
return
-"<span class=\"foswikiAlert\">Excessive parameter number $max, MAKETEXT rejected.</span>";
+"<span class=\"foswikiAlert\">Excessive parameter number $_[2], MAKETEXT rejected.</span>";
}
if ( $_[1] < 1 ) {
- $param_error = 1;
+ $_[4] = 1; # Set error flag
return
"<span class=\"foswikiAlert\">Invalid parameter <code>\"$_[0]\"</code>, MAKETEXT rejected.</span>";
}
- return "[$_[0]]";
+
+ if ( $_[5] ) {
+
+ # Escape any escapes.
+ my $str = $_[0]; # copy to allow modification
+ $str =~ s#\\#\\\\#g; # escape any escapes
+ return "[$str]";
+ }
+ else {
+ return
+ "[$_[0]]"; # Return the complete bracket parameter without escapes
+ }
}

1;


~~~PATCH 160f04fc478c5f9b81d2ef6c9e614074 lib/Foswiki/Macros/MAKETEXT.pm (Foswiki 1.1.3 - Foswiki 1.1.6)
--- lib/Foswiki/Macros/MAKETEXT.pm.orig 2012-12-09 20:23:52.457636561 -0500
+++ lib/Foswiki/Macros/MAKETEXT.pm 2012-12-10 16:58:03.651591792 -0500
@@ -4,9 +4,18 @@
--- lib/Foswiki/Macros/MAKETEXT.pm 2012-12-11 10:51:12.959268829 -0500
+++ lib/Foswiki/Macros/MAKETEXT.pm.new 2012-12-11 10:37:31.674486503 -0500
@@ -4,9 +4,19 @@
use strict;
use warnings;

+use Locale::Maketext;
+my $escape =
+ ( $Foswiki::cfg{UserInterfaceInternationalisation}
+ && ( Locale::Maketext->VERSION() < 1.23 ) );
+ ( $Foswiki::cfg{UserInterfaceInternationalisation}
+ && $Locale::Maketext::VERSION
+ && $Locale::Maketext::VERSION < 1.23 );
+
sub MAKETEXT {
my ( $this, $params ) = @_;
Expand All @@ -205,7 +105,7 @@ Date: Mon Dec 10 00:49:20 2012 +0000
my $str = $params->{_DEFAULT} || $params->{string} || "";
return "" unless $str;

@@ -18,11 +27,15 @@
@@ -18,15 +28,22 @@
$str =~ s/~~\[/~[/g;
$str =~ s/~~\]/~]/g;

Expand All @@ -219,17 +119,26 @@ Date: Mon Dec 10 00:49:20 2012 +0000
+ $str =~ s/~\[(\_(\d+))~\]/_validate($1, $2, $max, $min, $param_error)/ge;
$str =~
-s/~\[(\*,\_(\d+),[^,]+(,([^,]+))?)~\]/ $max = $2 if ($2 > $max); "[$1]"/ge;
+s/~\[(\*,\_(\d+),[^,]+(,([^,]+))?)~\]/ _validate($1, $2, $max, $min, $param_error, $escape)/ge;
+s/~\[(\*,\_(\d+),[^,]+(,([^,]+))?)~\]/ _validate($1, $2, $max, $min, $param_error)/ge;
+ return $str if ($param_error);

# get the args to be interpolated.
my $argsStr = $params->{args} || "";
@@ -47,6 +60,35 @@

+ # Escape any escapes.
+ $str =~ s#\\#\\\\#g if ($escape); # escape any escapes
+
my @args = split( /\s*,\s*/, $argsStr );

# fill omitted args with empty strings
@@ -47,6 +64,26 @@
return $result;
}

+sub _validate {
+
+ #my ( $contents, $number, $max, $min, $param_error ) = @_
+
+ $_[2] = $_[1] if ( $_[1] > $_[2] ); # Record maximum param number
+ $_[3] = $_[1] if ( $_[1] < $_[3] ); # Record minimum param number
+
Expand All @@ -243,98 +152,10 @@ Date: Mon Dec 10 00:49:20 2012 +0000
+ return
+"<span class=\"foswikiAlert\">Invalid parameter <code>\"$_[0]\"</code>, MAKETEXT rejected.</span>";
+ }
+
+ if ( $_[5] ) {
+
+ # Escape any escapes.
+ my $str = $_[0]; # copy to allow modification
+ $str =~ s#\\#\\\\#g; # escape any escapes
+ return "[$str]";
+ }
+ else {
+ return
+ "[$_[0]]"; # Return the complete bracket parameter without escapes
+ }
+ return "[$_[0]]"; # Return the complete bracket parameter without escapes
+}
+
1;
__END__
Foswiki - The Free and Open Source Wiki, http://foswiki.org/

~~~PATCH 69d038b822d92083af189037aa254dab lib/Foswiki/Macros/MAKETEXT.pm (Foswiki-1.1.3 - Foswiki-1.1.6 Patched)
--- lib/Foswiki/Macros/MAKETEXT.pm 2012-12-10 00:04:59.830761183 -0500
+++ lib/Foswiki/Macros/MAKETEXT.pm 2012-12-10 16:58:03.651591792 -0500
@@ -9,13 +9,13 @@
( $Foswiki::cfg{UserInterfaceInternationalisation}
&& ( Locale::Maketext->VERSION() < 1.23 ) );

-my $max;
-my $min;
-my $param_error;
-
sub MAKETEXT {
my ( $this, $params ) = @_;

+ my $max;
+ my $min;
+ my $param_error;
+
my $str = $params->{_DEFAULT} || $params->{string} || "";
return "" unless $str;

@@ -32,12 +32,11 @@
$param_error = 0;

# unescape parameters and calculate highest parameter number:
- $str =~ s/~\[(\_(\d+))~\]/_validate($1, $2)/ge;
- $str =~ s/~\[(\*,\_(\d+),[^,]+(,([^,]+))?)~\]/ _validate($1, $2)/ge;
+ $str =~ s/~\[(\_(\d+))~\]/_validate($1, $2, $max, $min, $param_error)/ge;
+ $str =~
+s/~\[(\*,\_(\d+),[^,]+(,([^,]+))?)~\]/ _validate($1, $2, $max, $min, $param_error, $escape)/ge;
return $str if ($param_error);

- $str =~ s#\\#\\\\#g if $escape;
-
# get the args to be interpolated.
my $argsStr = $params->{args} || "";

@@ -62,19 +61,32 @@
}

sub _validate {
- $max = $_[1] if ( $_[1] > $max );
- $min = $_[1] if ( $_[1] < $min );
+
+ $_[2] = $_[1] if ( $_[1] > $_[2] ); # Record maximum param number
+ $_[3] = $_[1] if ( $_[1] < $_[3] ); # Record minimum param number
+
if ( $_[1] > 100 ) {
- $param_error = 1;
+ $_[4] = 1; # Set error flag
return
-"<span class=\"foswikiAlert\">Excessive parameter number $max, MAKETEXT rejected.</span>";
+"<span class=\"foswikiAlert\">Excessive parameter number $_[2], MAKETEXT rejected.</span>";
}
if ( $_[1] < 1 ) {
- $param_error = 1;
+ $_[4] = 1; # Set error flag
return
"<span class=\"foswikiAlert\">Invalid parameter <code>\"$_[0]\"</code>, MAKETEXT rejected.</span>";
}
- return "[$_[0]]";
+
+ if ( $_[5] ) {
+
+ # Escape any escapes.
+ my $str = $_[0]; # copy to allow modification
+ $str =~ s#\\#\\\\#g; # escape any escapes
+ return "[$str]";
+ }
+ else {
+ return
+ "[$_[0]]"; # Return the complete bracket parameter without escapes
+ }
}

1;
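Review bot: The commented-out line `#my ( $contents, $number, $max, $min, $param_error ) = @_` at the top of the new `_validate` (in both the 1.1.0-1.1.2 and the 1.1.3-1.1.6 patch bodies) documents an unpacking that must never be done: the sub assigns `$_[2]`, `$_[3]` and `$_[4]` in place so that the caller's `$max`, `$min` and `$param_error` are updated through `@_` aliasing, and copying into `my` variables would silently drop the maximum-parameter tracking and leave the error flag unset, so the `return $str if ($param_error)` guard in `MAKETEXT` would stop firing. Replace it with `# Args: contents, number, max, min, param_error -- max/min/param_error are written back through @_ aliasing on purpose; do not unpack into my().`. The new `$escape` condition also deserves a one-line why-comment, e.g. `# Only pre-1.23 Locale::Maketext needs the backslash escaping; the guard on $VERSION avoids an undef warning`, since the numeric `< 1.23` test is the whole basis for deciding whether the hardening is applied. The two rejection messages interpolate the raw bracket contents `$_[0]` into an HTML alert span; if a MAKETEXT template can carry caller-supplied text, entity-encoding that value before it is returned would be cheap defence in depth. Both `MAKETEXT` and `_validate` are cut by the collapsed ranges, so the initialisation of `$max`/`$min` and the 1.1.3-1.1.6 `_validate` header are not visible here.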
