On Tue, Sep 12, 2017 at 06:33:02AM +0200, Salvatore Bonaccorso wrote:
> Control: retitle -1 wordpress-shibboleth: CVE-2017-14313: XSS due to
> add_query_arg
>
> Hi Dominic, Craig, Michael,
>
> FTR, I requested a CVE for this issue and it got assigned
> CVE-2017-14313.
Thanks. I assume you would like a security upload? Here is the minimal fix which should apply to stretch and jessie. I am waiting for some real-world testing from a colleague. Let me know if I'm okay to upload.

Cheers,
Dominic.
diff -u wordpress-shibboleth-1.4/debian/changelog wordpress-shibboleth-1.4/debian/changelog --- wordpress-shibboleth-1.4/debian/changelog +++ wordpress-shibboleth-1.4/debian/changelog @@ -1,3 +1,9 @@ +wordpress-shibboleth (1.4-2+deb9u1) UNRELEASED; urgency=medium + + * [CVE-2017-14313]: Fix XSS in login form (Closes: #874416) + + -- Dominic Hargreaves <d...@earth.li> Tue, 12 Sep 2017 13:46:36 +0100 + wordpress-shibboleth (1.4-2) unstable; urgency=low * Add debian/watch file only in patch2: unchanged: --- wordpress-shibboleth-1.4.orig/shibboleth.php +++ wordpress-shibboleth-1.4/shibboleth.php @@ -439,7 +439,7 @@ */ function shibboleth_login_form() { $login_url = add_query_arg('action', 'shibboleth'); - echo '<p id="shibboleth_login"><a href="' . $login_url . '">' . __('Login with Shibboleth', 'shibboleth') . '</a></p>'; + echo '<p id="shibboleth_login"><a href="' . esc_url($login_url) . '">' . __('Login with Shibboleth', 'shibboleth') . '</a></p>'; } add_action('login_form', 'shibboleth_login_form');
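Review bot: the new debian/changelog entry still carries the UNRELEASED distribution; for a stretch security upload the distribution field needs to be set to stretch-security before the upload, and the version `1.4-2+deb9u1` targets stretch only, so the jessie upload mentioned in the mail would need its own entry with a `+deb8u1` version against jessie-security.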
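Review bot: in the shibboleth.php hunk, wrapping `$login_url` in `esc_url()` is the right escaping for an href attribute, because `add_query_arg('action', 'shibboleth')` with no base URL builds on the current request URI, which is attacker-controlled and was previously echoed raw. Before upload it is worth confirming that `shibboleth_login_form()` is the only place in the plugin where an `add_query_arg()` or `remove_query_arg()` result is printed into markup without `esc_url()`, since any other such occurrence would need the same one-line fix under this CVE.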