Patch against stable attached.

-- 
Jonathan Wiltshire

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
Description: XSS vulnerability in profileinfo.php (CVE-2010-2788)
Origin: http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-July/000092.html
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590669
Forwarded: not-needed
Last-Update: 2010-08-01

--- mediawiki-1.12.0.orig/profileinfo.php
+++ mediawiki-1.12.0/profileinfo.php
@@ -52,7 +52,8 @@
 require_once( './includes/GlobalFunctions.php' );
 
 if (!$wgEnableProfileInfo) {
-	echo "disabled\n";
+	echo "<p>Disabled</p>\n";
+	echo "</body></html>";
 	exit( 1 );
 }
 
@@ -95,7 +96,7 @@
 		else	$ex = false;
 		if (!$ex) {
 			if (count($this->children)) {
-				$url = makeurl(false, false, $expand + array($this->name() => true));
+				$url = getEscapedProfileUrl(false, false, $expand + array($this->name() => true));
 				$extet = " <a href=\"$url\">[+]</a>";
 			} else $extet = '';
 		} else {
@@ -104,7 +105,7 @@
 				if ($name != $this->name())
 					$e += array($name => $ep);
 
-			$extet = " <a href=\"" . makeurl(false, false, $e) . "\">[&ndash;]</a>";
+			$extet = " <a href=\"" . getEscapedProfileUrl(false, false, $e) . "\">[&ndash;]</a>";
 		}
 		?>
 		<tr>
@@ -181,26 +182,30 @@
 
 <table cellspacing="0">
 <tr id="top">
-<th><a href="<?php echo makeurl(false, "time") ?>">Time</a></th>
+<th><a href="<?php echo getEscapedProfileUrl(false, "time") ?>">Time</a></th>
 <th>Time (%)</th>
-<th><a href="<?php echo makeurl(false, "count") ?>">Count</a></th>
+<th><a href="<?php echo getEscapedProfileUrl(false, "count") ?>">Count</a></th>
 <th>Avg calls per request</th>
-<th><a href="<?php echo makeurl(false, "name") ?>">Name</a></th>
+<th><a href="<?php echo getEscapedProfileUrl(false, "name") ?>">Name</a></th>
 </tr>
 <?php
 $totaltime = 0.0;
 $totalcount = 0;
 
-function makeurl($_filter = false, $_sort = false, $_expand = false) {
+function getEscapedProfileUrl($_filter = false, $_sort = false, $_expand = false) {
 	global $filter, $sort, $expand;
 
-	if ($_expand === false)
+	if ( $_expand === false )
 		$_expand = $expand;
 
-	$nfilter = $_filter ? $_filter : $filter;
-	$nsort = $_sort ? $_sort : $sort;
-	$exp = urlencode(implode(',', array_keys($_expand)));
-	return "?filter=$nfilter&amp;sort=$nsort&amp;expand=$exp";
+	return htmlspecialchars(
+		'?' . 
+		wfArrayToCGI( array(
+			'filter' => $_filter ? $_filter : $filter,
+			'sort' => $_sort ? $_sort : $sort,
+			'expand' => implode( ',', array_keys( $_expand ) ) 
+		) )
+	);
 }
 
 $points = array();
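Review bot: getEscapedProfileUrl escapes with htmlspecialchars' default flags, so a single quote in a filter, sort or expand value passes through unescaped; that is safe here only because every call site (the three `<th>` links at the top of this hunk and the two `<a href="...">` sites in the earlier hunks) places the result in a double-quoted attribute. Passing the flag explicitly, `return htmlspecialchars( '?' . wfArrayToCGI( array( /* as above */ ) ), ENT_QUOTES );`, makes the function's name hold in any attribute context and removes the dependency on the caller's quoting. The function also deserves a short doc comment stating that the return value is already HTML-escaped for use in an attribute and must not be escaped again by callers, since the `&amp;` separators it now yields would otherwise be double-encoded and break the links. Minor: the added lines `'?' . ` and `'expand' => implode( ',', array_keys( $_expand ) ) ` carry trailing whitespace.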
