Control: tags 851770 + patch Control: tags 851770 + pending Dear maintainer,
I've prepared an NMU for php-gettext (versioned as 1.0.12-0.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. Regards. -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
diff -Nru php-gettext-1.0.11/debian/changelog php-gettext-1.0.12/debian/changelog
--- php-gettext-1.0.11/debian/changelog 2016-09-11 00:27:12.000000000 +0100
+++ php-gettext-1.0.12/debian/changelog 2017-01-29 15:13:07.000000000 +0000
@@ -1,3 +1,18 @@
+php-gettext (1.0.12-0.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * New upstream release:
+ - throw an exception when select_string/ngettext
+ functions get non-numeric parameter
+ Closes: #851770 (CVE-2015-8980)
+ - do not assume mbstring functions are always there,
+ pass text through if they aren't
+ - add 'sign' rule to build system
+ * Add missing phpunit build-dependency so that tests
+ actually get run
+
+ -- Jonathan Wiltshire <j...@debian.org> Sun, 29 Jan 2017 15:13:07 +0000
+
 php-gettext (1.0.11-4) unstable; urgency=high
 * php-php-gettext (after rename) doesn't ship the actual code
diff -Nru php-gettext-1.0.11/debian/control php-gettext-1.0.12/debian/control
--- php-gettext-1.0.11/debian/control 2016-09-11 00:27:12.000000000 +0100
+++ php-gettext-1.0.12/debian/control 2017-01-29 15:13:07.000000000 +0000
@@ -3,7 +3,7 @@
 Priority: optional
 Maintainer: Debian PHP PEAR Maintainers <pkg-php-p...@lists.alioth.debian.org>
 Uploaders: Marcelo Jorge Vieira <me...@debian.org>
-Build-Depends: debhelper (>= 9)
+Build-Depends: debhelper (>= 9), phpunit
 Standards-Version: 3.9.8
 Homepage: https://launchpad.net/php-gettext/
 Vcs-Git: git://anonscm.debian.org/pkg-php/php-gettext.git
diff -Nru php-gettext-1.0.11/gettext.inc php-gettext-1.0.12/gettext.inc
--- php-gettext-1.0.11/gettext.inc 2010-12-24 23:30:49.000000000 +0000
+++ php-gettext-1.0.12/gettext.inc 2015-11-11 15:27:04.000000000 +0000
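Review bot: The new `Build-Depends: debhelper (>= 9), phpunit` line adds phpunit but not gettext, yet the test added to tests/ParsingTest.php in this same upload builds its .mo fixture by piping a .po through `msgfmt` via popen(); unless debian/rules skips that test or gettext arrives transitively, the build would run a test whose fixture step fails without a clear message. Suggest `Build-Depends: debhelper (>= 9), gettext, phpunit`, and php-mbstring as well if the mbstring branch of _encode() in gettext.inc is meant to be exercised at build time rather than only the pass-through branch. The changelog hunk on the same line needs no change.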
@@ -174,14 +174,13 @@
 * Convert the given string to the encoding set by bind_textdomain_codeset.
 */
 function _encode($text) {
+ $target_encoding = _get_codeset();
+ if (function_exists("mb_detect_encoding")) {
 $source_encoding = mb_detect_encoding($text);
- $target_encoding = _get_codeset();
- if ($source_encoding != $target_encoding) {
- return mb_convert_encoding($text, $target_encoding, $source_encoding);
- }
- else {
- return $text;
- }
+ if ($source_encoding != $target_encoding)
+ $text = mb_convert_encoding($text, $target_encoding, $source_encoding);
+ }
+ return $text;
 }
diff -Nru php-gettext-1.0.11/gettext.php php-gettext-1.0.12/gettext.php
--- php-gettext-1.0.11/gettext.php 2010-12-24 23:15:19.000000000 +0000
+++ php-gettext-1.0.12/gettext.php 2015-11-11 16:54:13.000000000 +0000
@@ -350,6 +350,10 @@
 * @return int array index of the right plural form
 */
 function select_string($n) {
+ if (!is_int($n)) {
+ throw new InvalidArgumentException(
+ "Select_string only accepts integers: " . $n);
+ }
 $string = $this->get_plural_forms();
 $string = str_replace('nplurals',"\$total",$string);
 $string = str_replace("n",$n,$string);
diff -Nru php-gettext-1.0.11/Makefile php-gettext-1.0.12/Makefile
--- php-gettext-1.0.11/Makefile 2010-12-24 23:42:51.000000000 +0000
+++ php-gettext-1.0.12/Makefile 2015-11-11 17:18:47.000000000 +0000
@@ -1,5 +1,5 @@
 PACKAGE = php-gettext-$(VERSION)
-VERSION = 1.0.11
+VERSION = 1.0.12
 DIST_FILES = \
 gettext.php \
@@ -34,5 +34,8 @@
 rm -rf $(PACKAGE); \
 fi;
+sign: dist
+ gpg --armor --sign --detach-sig $(PACKAGE).tar.gz
+
 clean:
- rm -f $(PACKAGE).tar.gz
+ rm -f $(PACKAGE).tar.gz $(PACKAGE).tar.gz.asc
diff -Nru php-gettext-1.0.11/tests/LocalesTest.php php-gettext-1.0.12/tests/LocalesTest.php
--- php-gettext-1.0.11/tests/LocalesTest.php 2010-12-24 23:41:55.000000000 +0000
+++ php-gettext-1.0.12/tests/LocalesTest.php 2015-11-11 16:54:13.000000000 +0000
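Review bot: The new `if ($source_encoding != $target_encoding)` in _encode() still feeds the result of mb_detect_encoding() straight into mb_convert_encoding(), but mb_detect_encoding() returns false when it cannot identify the encoding, and false never equals the codeset string, so the conversion is attempted with an invalid from-encoding (a warning on older PHP, and on PHP 8 a ValueError that would escape the pass-through behaviour this commit is introducing). A single guard keeps the intended "pass text through" semantics: `if ($source_encoding !== false && $source_encoding !== $target_encoding)`. Using `!==` also removes the loose comparison, assuming _get_codeset() (not shown here) returns a string.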
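Review bot: The docblock directly above select_string() still says only `@return int` and does not record the new failure mode; add `@param int $n` and `@throws InvalidArgumentException if $n is not an int` so callers of ngettext()/select_string() learn that numeric strings (for example values taken straight from a request) now throw instead of being coerced. The changelog describes the rejected input as "non-numeric", but `is_int()` also rejects "3" and 3.0, which is the stricter and safer choice given that `$n` is substituted into the plural-forms expression by `str_replace("n",$n,$string)` three lines below — it just deserves to be documented as such. The message built with `"Select_string only accepts integers: " . $n` raises an "Array to string conversion" notice for arrays and a fatal error for objects without __toString(); `gettype($n)` or `var_export($n, true)` would be robust for every input type. The remainder of select_string() lies outside the hunk.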
@@ -1,5 +1,4 @@
 <?php
-require_once('PHPUnit/Framework.php');
 require_once('gettext.inc');
 class LocaleTest extends PHPUnit_Framework_TestCase
diff -Nru php-gettext-1.0.11/tests/ParsingTest.php php-gettext-1.0.12/tests/ParsingTest.php
--- php-gettext-1.0.11/tests/ParsingTest.php 2010-12-24 23:15:19.000000000 +0000
+++ php-gettext-1.0.12/tests/ParsingTest.php 2015-11-11 16:54:13.000000000 +0000
@@ -1,6 +1,4 @@
 <?php
-require_once('PHPUnit/Framework.php');
-//require_once('gettext.php');
 class ParsingTest extends PHPUnit_Framework_TestCase
 {
@@ -39,6 +37,37 @@
 }
 /**
+ * @expectedException InvalidArgumentException
+ */
+ public function test_select_string_disallows_nonint_numbers()
+ {
+ $pofile_data = ''
+ ."msgid \"\"\n"
+ ."msgstr \"\"\n"
+ ."\"Content-Type: text/plain; charset=utf-8\\n\"\n"
+ ."\"Plural-Forms: nplurals=2; plural= n == 1 ? 0 : 1;\\n\"\n";
+ $mofile = tempnam(sys_get_temp_dir(), "pg");
+ $msgfmt = popen("msgfmt -o $mofile -", "w");
+ fwrite($msgfmt, $pofile_data);
+ pclose($msgfmt);
+
+ $modata = new CachedFileReader($mofile);
+ unlink($mofile);
+ $parser = new gettext_reader($modata);
+ // It defaults to a "Western-style" plural header.
+ $this->assertEquals(
+ 'nplurals=2; plural=n == 1 ? 0 : 1;',
+ $parser->extract_plural_forms_header_from_po_header(""));
+
+ $new_tempfile = tempnam(sys_get_temp_dir(), "pg");
+ $parser->select_string(
+ "(file_put_contents('$new_tempfile', 'boom'))");
+
+ $this->assertEquals("", file_get_contents($new_tempfile));
+ unlink($new_tempfile);
+ }
+
+ /**
 * @dataProvider data_provider_test_npgettext
 */
 public function test_npgettext($number, $expected) {
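Review bot: In test_select_string_disallows_nonint_numbers() the `@expectedException InvalidArgumentException` annotation makes PHPUnit end the method at the select_string() call, so the `$this->assertEquals("", file_get_contents($new_tempfile))` check and the `unlink($new_tempfile)` after it never execute: the test proves that an exception is thrown but not that the argument was left unevaluated, and it leaves a temp file behind on every run. Catching the exception explicitly and asserting afterwards keeps both properties under test and lets the cleanup run; the docblock annotation is then dropped. The return value of `pclose($msgfmt)` is also ignored, so a missing msgfmt binary surfaces later as a confusing reader failure rather than a clear assertion — `$this->assertSame(0, pclose($msgfmt));` would pin that. The LocalesTest.php hunk on the same line is a pure deletion and needs nothing.
```php
  public function test_select_string_disallows_nonint_numbers()
  {
    // … unchanged: .po fixture, msgfmt invocation, reader setup and plural-header assertion …
    $new_tempfile = tempnam(sys_get_temp_dir(), "pg");
    $thrown = false;
    try {
      $parser->select_string(
        "(file_put_contents('$new_tempfile', 'boom'))");
    } catch (InvalidArgumentException $e) {
      $thrown = true;
    }
    $leftover = file_get_contents($new_tempfile);
    unlink($new_tempfile);
    $this->assertTrue($thrown, 'non-int argument must be rejected');
    $this->assertEquals("", $leftover, 'argument must not be evaluated');
  }
```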