diff -Nru mahara-1.2.4/debian/changelog mahara-1.2.4/debian/changelog
--- mahara-1.2.4/debian/changelog 2010-04-06 21:07:53.000000000 +1200
+++ mahara-1.2.4/debian/changelog 2010-07-08 17:06:31.000000000 +1200
@@ -1,3 +1,27 @@
+mahara (1.2.4-1ubuntu0.1) lucid-security; urgency=low
+
+ * SECURITY UPDATE: multiple cross-site scripting vulnerabilities
+ - debian/patches/CVE-2010-1667.patch: upstream patch
+ - CVE-2010-1667
+
+ * SECURITY UPDATE: multiple cross-site request forgery vulnerabilities
+ - debian/patches/CVE-2010-1668.patch: upstream patch
+ - CVE-2010-1668
+
+ * SECURITY UPDATE: SQL injection
+ - debian/patches/CVE-2010-1669.patch: upstream patch
+ - CVE-2010-1669
+
+ * SECURITY UPDATE: unsafe auth plugins configuration options
+ - debian/patches/CVE-2010-1670.patch: upstream patch
+ - CVE-2010-1670
+
+ * SECURITY UPDATE: IE-only cross-site scripting bug in HTML Purifier
+ - depend on php-htmlpurifier and stop using the bundled version
+ - CVE-2010-2479
+
+ -- Francois Marier Thu, 08 Jul 2010 17:02:43 +1200
+
 mahara (1.2.4-1) unstable; urgency=high
 * New upstream release
diff -Nru mahara-1.2.4/debian/control mahara-1.2.4/debian/control
--- mahara-1.2.4/debian/control 2010-04-06 21:07:53.000000000 +1200
+++ mahara-1.2.4/debian/control 2010-07-08 17:06:31.000000000 +1200
@@ -11,7 +11,7 @@
 Package: mahara
 Architecture: all
-Depends: ${misc:Depends}, php5-pgsql | php5-mysql, php5-cli, php5-gd, file, cron, perl, ttf-freefont, php-file, php-pear, dwoo, php5-curl
+Depends: ${misc:Depends}, php5-pgsql | php5-mysql, php5-cli, php5-gd, file, cron, perl, ttf-freefont, php-file, php-pear, dwoo, php5-curl, php-htmlpurifier
 Recommends: mahara-apache2, postgresql | postgresql-8.3 | mysql-server | mysql-server-5.0, clamav, clamav-daemon, php5-xmlrpc, php5-imagick, libfile-slurp-perl, libtext-diff-perl
 Description: Electronic portfolio, weblog, and resume builder
 Mahara is a fully featured electronic portfolio, weblog, resume builder and
diff -Nru mahara-1.2.4/debian/mahara.postinst mahara-1.2.4/debian/mahara.postinst
--- mahara-1.2.4/debian/mahara.postinst 2010-04-06 21:07:53.000000000 +1200
+++ mahara-1.2.4/debian/mahara.postinst 2010-07-08 17:06:31.000000000 +1200
@@ -76,6 +76,9 @@
 # Link to dwoo
 [ ! -h /usr/share/mahara/lib/dwoo/dwoo ] && ln -s /usr/share/php/dwoo /usr/share/mahara/lib/dwoo/
+
+ # Link to HTML Purifier
+ [ ! -h /usr/share/mahara/lib/htmlpurifier ] && ln -s /usr/share/php-htmlpurifier/library /usr/share/mahara/lib/htmlpurifier
 ;;
 abort-upgrade|abort-remove|abort-deconfigure)
diff -Nru mahara-1.2.4/debian/mahara.postrm mahara-1.2.4/debian/mahara.postrm
--- mahara-1.2.4/debian/mahara.postrm 2010-04-06 21:07:53.000000000 +1200
+++ mahara-1.2.4/debian/mahara.postrm 2010-07-08 17:06:31.000000000 +1200
@@ -35,6 +35,7 @@
 find /usr/share/mahara/theme/ -name captcha.ttf -type l -exec rm {} \;
 fi
 rm -f /usr/share/mahara/lib/dwoo/dwoo
+ rm -f /usr/share/mahara/lib/htmlpurifier
 rm -rf /var/lib/mahara/dwoo/compile/*
 rm -rf /var/lib/mahara/dwoo/cache/*
 ;;
diff -Nru mahara-1.2.4/debian/patches/CVE-2010-1667.patch mahara-1.2.4/debian/patches/CVE-2010-1667.patch
--- mahara-1.2.4/debian/patches/CVE-2010-1667.patch 1970-01-01 12:00:00.000000000 +1200
+++ mahara-1.2.4/debian/patches/CVE-2010-1667.patch 2010-07-08 17:06:31.000000000 +1200
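Review bot: The new `php-htmlpurifier` entry in the control hunk has no version constraint, yet the changelog credits this dependency with fixing CVE-2010-2479 by replacing the bundled copy; as written, any php-htmlpurifier build satisfies it, including one that predates that fix. If the fix lives only in a particular upload, the relationship should carry a lower bound, `php-htmlpurifier (>= FIXED-VERSION)` with the real version substituted, so the security update cannot be satisfied by an older library. Whether the package in lucid already ships the fixed release is not visible from this diff.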
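Review bot: The guard on the new postinst line, `[ ! -h /usr/share/mahara/lib/htmlpurifier ] && ln -s ...`, only asks whether a symlink already exists; if that path survives as a real directory (for example because files not owned by the previous package, such as a cache written by the bundled purifier, kept dpkg from removing it), the test passes and `ln -s` places the link inside the directory as `htmlpurifier/library`, leaving the old bundled code in use. Clearing a leftover non-symlink directory before linking would close that gap, e.g. `[ -d /usr/share/mahara/lib/htmlpurifier ] && [ ! -h /usr/share/mahara/lib/htmlpurifier ] && rm -rf /usr/share/mahara/lib/htmlpurifier` ahead of the existing line. The dwoo link above it follows the same pattern, so both could be handled the same way; the enclosing case branch starts outside the hunk.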
@@ -0,0 +1,328 @@ +From: Richard Mansfield +Subject: Fix multiple XSS issues +Origin: upstream + +diff --git a/htdocs/artefact/blog/theme/raw/artefactchooser-element.tpl b/htdocs/artefact/blog/theme/raw/artefactchooser-element.tpl +index 69a043e..9830583 100644 +--- a/htdocs/artefact/blog/theme/raw/artefactchooser-element.tpl ++++ b/htdocs/artefact/blog/theme/raw/artefactchooser-element.tpl +@@ -5,5 +5,5 @@ + + + +- {if $artefact->description}{$artefact->description}{/if} ++ {if $artefact->description}{$artefact->description|clean_html}{/if} + +diff --git a/htdocs/artefact/blog/theme/raw/view.tpl b/htdocs/artefact/blog/theme/raw/view.tpl +index f3074ee..2486fdf 100644 +--- a/htdocs/artefact/blog/theme/raw/view.tpl ++++ b/htdocs/artefact/blog/theme/raw/view.tpl +@@ -7,7 +7,7 @@ + {str section="artefact.blog" tag="addpost"} + + +-

{$blog->get('description')}

++

{$blog->get('description')|clean_html}

+ {if $blog->get('tags')}

{str tag=tags}: {list_tags owner=$blog->get('owner') tags=$blog->get('tags')}

{/if} + + {if $blog->count_children() > 0} +diff --git a/htdocs/artefact/file/blocktype/filedownload/lib.php b/htdocs/artefact/file/blocktype/filedownload/lib.php +index d2c484c..0afa084 100644 +--- a/htdocs/artefact/file/blocktype/filedownload/lib.php ++++ b/htdocs/artefact/file/blocktype/filedownload/lib.php +@@ -77,7 +77,7 @@ class PluginBlocktypeFiledownload extends PluginBlocktype { + . '" alt="">'; + $result .= '
'; + +- $result .= '

' . str_shorten_text($artefact->get('title'), 20) . '

'; ++ $result .= '

' . hsc(str_shorten_text($artefact->get('title'), 20)) . '

'; + + $description = $artefact->get('description'); + if ($description) { +diff --git a/htdocs/artefact/file/theme/raw/form/ownersubtabs.tpl b/htdocs/artefact/file/theme/raw/form/ownersubtabs.tpl +index ca7fba3..65217ab 100644 +--- a/htdocs/artefact/file/theme/raw/form/ownersubtabs.tpl ++++ b/htdocs/artefact/file/theme/raw/form/ownersubtabs.tpl +@@ -1,7 +1,7 @@ + {if $tabs.subtabs} + + {/if} +diff --git a/htdocs/blocktype/wall/theme/raw/wallposts.tpl b/htdocs/blocktype/wall/theme/raw/wallposts.tpl +index 4e2f492..26fe761 100644 +--- a/htdocs/blocktype/wall/theme/raw/wallposts.tpl ++++ b/htdocs/blocktype/wall/theme/raw/wallposts.tpl +@@ -1,7 +1,7 @@ + {include file="header.tpl"} + +
+-

{$owner->displayname}: {str tag='wall' section='blocktype.wall'}

++

{$owner->displayname|escape}: {str tag='wall' section='blocktype.wall'}

+ ( {str tag='backtoprofile' section='blocktype.wall'} ) + {include file="blocktype:wall:inlineposts.tpl"} +
+diff --git a/htdocs/interaction/forum/theme/raw/view.tpl b/htdocs/interaction/forum/theme/raw/view.tpl +index 7d98a37..100d34d 100644 +--- a/htdocs/interaction/forum/theme/raw/view.tpl ++++ b/htdocs/interaction/forum/theme/raw/view.tpl +@@ -8,7 +8,7 @@ + {/if} + {if $membership}{$forum->subscribe}{/if} +
+-
{$forum->description}
++
{$forum->description|clean_html}
+
+

{str tag=Topics section="interaction.forum"}

+ {if $membership && ($moderator || $forum->newtopicusers != 'moderators') } +diff --git a/htdocs/lib/pieforms/pieform/elements/select.php b/htdocs/lib/pieforms/pieform/elements/select.php +index f8ca2ab..9435b85 100644 +--- a/htdocs/lib/pieforms/pieform/elements/select.php ++++ b/htdocs/lib/pieforms/pieform/elements/select.php +@@ -51,7 +51,7 @@ function pieform_element_select(Pieform $form, $element) {/*{{{*/ + if (is_array($value)) { + $value = $value['value']; + } +- $result = $value . ''; ++ $result = hsc($value) . ''; + } + return $result; + } +diff --git a/htdocs/lib/searchlib.php b/htdocs/lib/searchlib.php +index aa1ca1b..df516a5 100644 +--- a/htdocs/lib/searchlib.php ++++ b/htdocs/lib/searchlib.php +@@ -303,7 +303,7 @@ function build_admin_user_search_results($search, $offset, $limit, $sortby, $sor + $institutions = get_records_assoc('institution', '', '', '', 'name,displayname'); + if (count($institutions) > 1) { + $cols['institution'] = array('name' => get_string('institution'), +- 'template' => '{if empty($r.institutions)}{$institutions.mahara->displayname}{else}{foreach from=$r.institutions item=i}
{$institutions[$i]->displayname}
{/foreach}{/if}{if !empty($r.requested)}{foreach from=$r.requested item=i}
{str tag=requestto section=admin} {$institutions[$i]->displayname}{if $USER->is_institutional_admin("$i")} ({str tag=confirm section=admin}){/if}
{/foreach}{/if}{if !empty($r.invitedby)}{foreach from=$r.invitedby item=i}
{str tag=invitedby section=admin} {$institutions[$i]->displayname}
{/foreach}{/if}'); ++ 'template' => '{if empty($r.institutions)}{$institutions.mahara->displayname|escape}{else}{foreach from=$r.institutions item=i}
{$institutions[$i]->displayname|escape}
{/foreach}{/if}{if !empty($r.requested)}{foreach from=$r.requested item=i}
{str tag=requestto section=admin} {$institutions[$i]->displayname|escape}{if $USER->is_institutional_admin("$i")} ({str tag=confirm section=admin}){/if}
{/foreach}{/if}{if !empty($r.invitedby)}{foreach from=$r.invitedby item=i}
{str tag=invitedby section=admin} {$institutions[$i]->displayname|escape}
{/foreach}{/if}'); + } + + $smarty = smarty_core(); +diff --git a/htdocs/lib/view.php b/htdocs/lib/view.php +index 735f18e..86c8db9 100644 +--- a/htdocs/lib/view.php ++++ b/htdocs/lib/view.php +@@ -2026,12 +2026,17 @@ class View { + $data[$i]['removable'] = self::can_remove_viewtype($viewdata[$i]->type); + $data[$i]['description'] = $viewdata[$i]->description; + if (!empty($viewdata[$i]->submitgroupid)) { +- $data[$i]['submittedto'] = get_string('viewsubmittedtogroup', 'view', +- get_config('wwwroot') . 'group/view.php?id=' . $viewdata[$i]->submitgroupid, +- $viewdata[$i]->submitgroupname); ++ $data[$i]['submittedto'] = get_string( ++ 'viewsubmittedtogroup', 'view', ++ get_config('wwwroot') . 'group/view.php?id=' . $viewdata[$i]->submitgroupid, ++ hsc($viewdata[$i]->submitgroupname) ++ ); + } + else if (!empty($viewdata[$i]->submithostwwwroot)) { +- $data[$i]['submittedto'] = get_string('viewsubmittedtogroup', 'view', $viewdata[$i]->submithostwwwroot, $viewdata[$i]->submithostname); ++ $data[$i]['submittedto'] = get_string( ++ 'viewsubmittedtogroup', 'view', ++ $viewdata[$i]->submithostwwwroot, hsc($viewdata[$i]->submithostname) ++ ); + } + $data[$i]['artefacts'] = array(); + $data[$i]['accessgroups'] = array(); +diff --git a/htdocs/lib/web.php b/htdocs/lib/web.php +index 6770062..6ac10e0 100644 +--- a/htdocs/lib/web.php ++++ b/htdocs/lib/web.php +@@ -525,7 +525,7 @@ EOF; + $smarty->assign('masqueradedetails', get_string('youaremasqueradingas', 'mahara', hsc(display_name($USER)))); + $smarty->assign('becomeyouagain', + ' ' +- . get_string('becomeadminagain', 'admin', $USER->get('parentuser')->name) ++ . get_string('becomeadminagain', 'admin', hsc($USER->get('parentuser')->name)) + . 
''); + } + +@@ -2534,9 +2534,9 @@ function display_cleaned_html($html, $filename, $params) { + $smarty = smarty_core(); + $smarty->assign('params', $params); + if ($params['owner']) { +- $smarty->assign('htmlremovedmessage', get_string('htmlremovedmessage', 'artefact.file', $filename, get_config('wwwroot') . 'user/view.php?id=' . $params['owner'], display_name($params['owner']))); ++ $smarty->assign('htmlremovedmessage', get_string('htmlremovedmessage', 'artefact.file', hsc($filename), get_config('wwwroot') . 'user/view.php?id=' . (int) $params['owner'], hsc(display_name($params['owner'])))); + } else { +- $smarty->assign('htmlremovedmessage', get_string('htmlremovedmessagenoowner', 'artefact.file', $filename)); ++ $smarty->assign('htmlremovedmessage', get_string('htmlremovedmessagenoowner', 'artefact.file', hsc($filename))); + } + $smarty->assign('content', clean_html($html)); + $smarty->display('cleanedhtml.tpl'); +diff --git a/htdocs/search/internal/lib.php b/htdocs/search/internal/lib.php +index 90d2b51..f4337eb 100644 +--- a/htdocs/search/internal/lib.php ++++ b/htdocs/search/internal/lib.php +@@ -737,6 +737,7 @@ class PluginSearchInternal extends PluginSearch { + else { + $newresult['summary'] = $newresult['description']; + } ++ $newresult['summary'] = clean_html($newresult['summary']); + $result = $newresult; + } + +diff --git a/htdocs/theme/raw/templates/admin/users/notifications.tpl b/htdocs/theme/raw/templates/admin/users/notifications.tpl +index 30fea06..3de57d9 100644 +--- a/htdocs/theme/raw/templates/admin/users/notifications.tpl ++++ b/htdocs/theme/raw/templates/admin/users/notifications.tpl +@@ -15,10 +15,10 @@ + {foreach from=$users item='user' key='userid'} + + profile icon +- {display_name user=$user.user} ++ {$user.user|display_name|escape} + + {foreach from=$user.user->institutions item=i} +-
{$i}
++
{$i|escape}
+ {/foreach} + + {foreach from=$types key='type' item='name'} +diff --git a/htdocs/theme/raw/templates/group/view.tpl b/htdocs/theme/raw/templates/group/view.tpl +index 34fadd2..51ee2f2 100644 +--- a/htdocs/theme/raw/templates/group/view.tpl ++++ b/htdocs/theme/raw/templates/group/view.tpl +@@ -1,7 +1,7 @@ + {include file="header.tpl"} + + {if $GROUP->description} +-
{$GROUP->description}
++
{$GROUP->description|clean_html}
+ {/if} + +
+@@ -42,11 +42,11 @@ + {if $view.sharedby} + {str tag=by section=view} + {if $view.group} +- {$view.sharedby} ++ {$view.sharedby|escape} + {elseif $view.owner} +- {$view.sharedby} ++ {$view.sharedby|escape} + {else} +- {$view.sharedby} ++ {$view.sharedby|escape} + {/if} + {/if} +
{$view.shortdescription}
+@@ -73,11 +73,11 @@ + {if $view.sharedby} + {str tag=by section=view} + {if $view.group} +- {$view.sharedby} ++ {$view.sharedby|escape} + {elseif $view.owner} +- {$view.sharedby} ++ {$view.sharedby|escape} + {else} +- {$view.sharedby} ++ {$view.sharedby|escape} + {/if} + {/if} +
{$view.shortdescription}
+diff --git a/htdocs/theme/raw/templates/sideblocks/linksandresources.tpl b/htdocs/theme/raw/templates/sideblocks/linksandresources.tpl +index 9ad3ebf..6ec48ab 100644 +--- a/htdocs/theme/raw/templates/sideblocks/linksandresources.tpl ++++ b/htdocs/theme/raw/templates/sideblocks/linksandresources.tpl +@@ -4,7 +4,7 @@ + {if $sbdata} + + {/if} +diff --git a/htdocs/theme/raw/templates/user/view.tpl b/htdocs/theme/raw/templates/user/view.tpl +index 73516d6..aa5bd87 100644 +--- a/htdocs/theme/raw/templates/user/view.tpl ++++ b/htdocs/theme/raw/templates/user/view.tpl +@@ -1,7 +1,7 @@ + {include file="header.tpl"} +
+
+- {$institutions} ++ {$institutions|escape} + {if $loginas} + {$loginas} + {if $USER->get('admin')}{str tag=accountsettings section=admin}{/if} +@@ -17,13 +17,13 @@ + {str tag='requestfriendship' section='group'} + {/if} + {if $invitedlist} +-
{str tag=groupinvitesfrom section=group}{$invitedlist}
++
{str tag=groupinvitesfrom section=group}{$invitedlist|escape}
+ {/if} + {if $inviteform} +
{$inviteform}
+ {/if} + {if $requestedlist} +-
{str tag=requestedmembershipin section=group}{$requestedlist}
++
{str tag=requestedmembershipin section=group}{$requestedlist|escape}
+ {/if} +
{if $addform}{$addform}{/if}
+
{$togglepublic}
+diff --git a/htdocs/theme/raw/templates/view/feedbacklist.tpl b/htdocs/theme/raw/templates/view/feedbacklist.tpl +index d3085e1..775e9e1 100644 +--- a/htdocs/theme/raw/templates/view/feedbacklist.tpl ++++ b/htdocs/theme/raw/templates/view/feedbacklist.tpl +@@ -8,7 +8,7 @@ + +- {$item->author|display_name} ++ {$item->author|display_name|escape} + {else} + {$item->authorname|escape} + {/if} +diff --git a/htdocs/theme/raw/templates/view/index.tpl b/htdocs/theme/raw/templates/view/index.tpl +index d8f7aed..7eda232 100644 +--- a/htdocs/theme/raw/templates/view/index.tpl ++++ b/htdocs/theme/raw/templates/view/index.tpl +@@ -29,7 +29,7 @@ +
+

{str tag="editviewnameanddescription" section="view"}

+ {if $view.description} +-
{$view.description}
++
{$view.description|clean_html}
+ {/if} + {if $view.tags} +
{str tag=tags}: {list_tags owner=$view.owner tags=$view.tags}
+diff --git a/htdocs/theme/raw/templates/view/sharedviews.tpl b/htdocs/theme/raw/templates/view/sharedviews.tpl +index 9b0c0e4..fbc5567 100644 +--- a/htdocs/theme/raw/templates/view/sharedviews.tpl ++++ b/htdocs/theme/raw/templates/view/sharedviews.tpl +@@ -6,11 +6,11 @@ + + +
{$view.title|escape} {str tag=by section=view} +- {if $view.sharedby}{$view.sharedby}{else}{$groupname}{/if} ++ {if $view.sharedby}{$view.sharedby|escape}{else}{$groupname|escape}{/if} +
+ + {if $view.description} +- {$view.description} ++ {$view.description|clean_html} + {/if} + {if $view.description && $view.artefacts}
{/if} + {if $view.artefacts} +diff --git a/htdocs/theme/raw/templates/view/view.tpl b/htdocs/theme/raw/templates/view/view.tpl +index 81129bf..eaa78ad 100644 +--- a/htdocs/theme/raw/templates/view/view.tpl ++++ b/htdocs/theme/raw/templates/view/view.tpl +@@ -2,7 +2,7 @@ + +

{if !$new}{/if}{$viewtitle|escape}{if !$new}{/if}

+ +-

{$viewdescription}

++

{$viewdescription|clean_html}

+ +
+
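Review bot: In the lib/view.php hunk of CVE-2010-1667.patch the `submithostwwwroot` argument handed to `get_string('viewsubmittedtogroup', ...)` is still passed raw while the name beside it now goes through `hsc()`; if that language string puts its first placeholder inside an href attribute, a stored wwwroot containing a quote breaks out of it, so it should read `$viewdata[$i]->submithostwwwroot` → `hsc($viewdata[$i]->submithostwwwroot)`, and for consistency with the `(int) $params['owner']` cast in the display_cleaned_html hunk the group branch could use `(int) $viewdata[$i]->submitgroupid`. The group/view.tpl hunks likewise leave the adjacent context line `{$view.shortdescription}` unfiltered while escaping `$view.sharedby` around it; unless shortdescription is already cleaned where it is built, it wants the same `|clean_html` that `$view.description` receives elsewhere in this patch. The loop in lib/view.php that builds `$data[$i]` starts and ends outside the hunk.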
diff -Nru mahara-1.2.4/debian/patches/CVE-2010-1668.patch mahara-1.2.4/debian/patches/CVE-2010-1668.patch --- mahara-1.2.4/debian/patches/CVE-2010-1668.patch 1970-01-01 12:00:00.000000000 +1200 +++ mahara-1.2.4/debian/patches/CVE-2010-1668.patch 2010-07-08 17:06:31.000000000 +1200 @@ -0,0 +1,137 @@ +From: Richard Mansfield +Subject: Add session key checks to avoid CSRF +Origin: upstream + +diff --git a/htdocs/admin/users/addauthority.php b/htdocs/admin/users/addauthority.php +index 1663e66..a69f891 100644 +--- a/htdocs/admin/users/addauthority.php ++++ b/htdocs/admin/users/addauthority.php +@@ -56,6 +56,16 @@ if ($institution && $plugin) { + // We've been asked to add an instance of an auth plugin that has no + // config options. We've been called by an AJAX request, so we just + // add the instance and generate an acknowledgement. ++ ++ // The session key has not been checked yet, because this page doesn't ++ // define JSON ++ try { ++ form_validate(param_alphanum('sesskey', null)); ++ } ++ catch (UserException $e) { ++ json_reply(true, $e->getMessage()); ++ } ++ + $authinstance = new stdClass(); + + // Get the auth instance with the highest priority number (which is +diff --git a/htdocs/interaction/forum/theme/raw/view.tpl b/htdocs/interaction/forum/theme/raw/view.tpl +index 100d34d..2e873ad 100644 +--- a/htdocs/interaction/forum/theme/raw/view.tpl ++++ b/htdocs/interaction/forum/theme/raw/view.tpl +@@ -59,6 +59,7 @@ + {/if} +
+ {/if} ++ + +
+ +diff --git a/htdocs/interaction/forum/view.php b/htdocs/interaction/forum/view.php +index 0ca88ff..b9fd2c2 100644 +--- a/htdocs/interaction/forum/view.php ++++ b/htdocs/interaction/forum/view.php +@@ -93,6 +93,7 @@ if ($membership && isset($_POST['checked'])) { + // check that user is only messing with topics from this forum + $alltopics = get_column('interaction_forum_topic', 'id', 'forum', $forumid, 'deleted', 0); + if ($checked == array_intersect($checked, $alltopics)) { // $checked is a subset of the topics in this forum ++ form_validate(param_variable('sesskey', null)); + if ($moderator && $type == 'sticky') { + set_field_select('interaction_forum_topic', 'sticky', 1, 'id IN (' . implode($checked, ',') . ')', array()); + $SESSION->add_ok_msg(get_string('topicstickysuccess', 'interaction.forum')); +diff --git a/htdocs/lib/mahara.php b/htdocs/lib/mahara.php +index cbb8ea0..eb2878f 100644 +--- a/htdocs/lib/mahara.php ++++ b/htdocs/lib/mahara.php +@@ -1325,12 +1325,12 @@ function pieform_configure() { + ); + } + +-function pieform_validate(Pieform $form, $values) { ++function form_validate($sesskey) { + global $USER; +- if (!isset($values['sesskey'])) { ++ if (is_null($sesskey)) { + throw new UserException('No session key'); + } +- if ($USER && $USER->is_logged_in() && $USER->get('sesskey') != $values['sesskey']) { ++ if ($USER && $USER->is_logged_in() && $USER->get('sesskey') != $sesskey) { + throw new UserException('Invalid session key'); + } + +@@ -1352,6 +1352,13 @@ function pieform_validate(Pieform $form, $values) { + } + } + ++function pieform_validate(Pieform $form, $values) { ++ if (!isset($values['sesskey'])) { ++ throw new UserException('No session key'); ++ } ++ form_validate($values['sesskey']); ++} ++ + function pieform_reply($code, $data) { + global $SESSION; + if (isset($data['message'])) { +diff --git a/htdocs/lib/view.php b/htdocs/lib/view.php +index c6c5d44..98a9d47 100644 +--- a/htdocs/lib/view.php ++++ b/htdocs/lib/view.php +@@ -889,6 +889,8 
@@ class View { + if (empty($action)) { + return; + } ++ ++ form_validate(param_alphanum('sesskey', null)); + + $actionstring = $action; + $action = substr($action, 0, strpos($action, '_')); +@@ -912,7 +914,7 @@ class View { + case 'removeblockinstance': // requires action_removeblockinstance_id_\d + if (!defined('JSON')) { + if (!$sure = param_boolean('sure')) { +- $yeslink = get_config('wwwroot') . '/view/blocks.php?id=' . $this->get('id') . '&c=file&new=' . $new . '&action_' . $action . '_' . $actionstring . '=1&sure=true'; ++ $yeslink = get_config('wwwroot') . '/view/blocks.php?id=' . $this->get('id') . '&c=file&new=' . $new . '&action_' . $action . '_' . $actionstring . '=1&sure=true&sesskey=' . $USER->get('sesskey'); + $baselink = '/view/blocks.php?id=' . $this->get('id') . '&c=' . $category . '&new=' . $new; + $SESSION->add_info_msg(get_string('confirmdeleteblockinstance', 'view') + . ' ' . get_string('yes') . '' +diff --git a/htdocs/theme/raw/templates/view/blocks.tpl b/htdocs/theme/raw/templates/view/blocks.tpl +index a87d5ef..0a9b166 100644 +--- a/htdocs/theme/raw/templates/view/blocks.tpl ++++ b/htdocs/theme/raw/templates/view/blocks.tpl +@@ -7,6 +7,7 @@ + + + ++ + {if $new}{/if} +
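Review bot: `form_validate()` in the lib/mahara.php hunk of CVE-2010-1668.patch compares the stored and submitted keys with loose `!=`; PHP compares two numeric-looking strings as numbers under that operator, so a stored key such as `'1e3'` would accept `'1000'`. Unless session keys are guaranteed to contain a letter, the comparison should be strict: `if ($USER && $USER->is_logged_in() && $USER->get('sesskey') !== $sesskey) {`. The call sites also read the key inconsistently — lib/view.php and addauthority.php use `param_alphanum('sesskey', null)` while forum/view.php and view/blocks.php use `param_variable('sesskey', null)`; `param_alphanum` rejects unexpected characters up front and would be the better choice everywhere. In addauthority.php the catch block answers with `json_reply(true, $e->getMessage())` and relies on that helper ending the request; if it does not exit, the auth instance is still created after a failed check, which is worth confirming.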
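Review bot: The CVE-2010-1669.patch hunk casts `$group` to int but leaves the neighbouring context line `AND m.member = ' . $user->get('id') . '` concatenated raw into the same SQL string; the value presumably comes from the user record rather than a request parameter, but casting it as well, `AND m.member = ' . (int) $user->get('id') . '`, costs nothing and leaves the query with no uncast interpolation. The method that assembles this query starts and ends outside the hunk, so whether `$group` is validated earlier is not visible here.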
+
+@@ -47,6 +48,7 @@ + + + ++ + +
+ +diff --git a/htdocs/view/blocks.php b/htdocs/view/blocks.php +index b2bc6a3..de7b232 100644 +--- a/htdocs/view/blocks.php ++++ b/htdocs/view/blocks.php +@@ -74,6 +74,7 @@ $institution = $view->get('institution'); + + // check if cancel was selected + if ($new && isset($_POST['cancel'])) { ++ form_validate(param_variable('sesskey', null)); + $view->delete(); + if ($group) { + redirect(get_config('wwwroot') . 'view/groupviews.php?group='.$group); diff -Nru mahara-1.2.4/debian/patches/CVE-2010-1669.patch mahara-1.2.4/debian/patches/CVE-2010-1669.patch --- mahara-1.2.4/debian/patches/CVE-2010-1669.patch 1970-01-01 12:00:00.000000000 +1200 +++ mahara-1.2.4/debian/patches/CVE-2010-1669.patch 2010-07-08 17:06:31.000000000 +1200 @@ -0,0 +1,17 @@ +From: Francois Marier +Subject: Fix a SQL injection +Origin: upstream + +diff --git a/htdocs/lib/view.php b/htdocs/lib/view.php +index 86c8db9..c6c5d44 100644 +--- a/htdocs/lib/view.php ++++ b/htdocs/lib/view.php +@@ -1855,7 +1855,7 @@ class View { + {artefact_access_role} r + INNER JOIN {group_member} m ON r.role = m.role + WHERE +- m."group" = ' . $group . ' ++ m."group" = ' . (int)$group . ' + AND m.member = ' . $user->get('id') . ' + AND r.can_view = 1 + ) ga ON (ga.group = a.group AND a.id = ga.artefact)'; diff -Nru mahara-1.2.4/debian/patches/CVE-2010-1670.patch mahara-1.2.4/debian/patches/CVE-2010-1670.patch --- mahara-1.2.4/debian/patches/CVE-2010-1670.patch 1970-01-01 12:00:00.000000000 +1200 +++ mahara-1.2.4/debian/patches/CVE-2010-1670.patch 2010-07-08 17:06:31.000000000 +1200 
@@ -0,0 +1,33 @@
+From: Richard Mansfield
+Subject: authentication configuration fixes
+Origin: upstream
+
+diff --git a/htdocs/auth/internal/lib.php b/htdocs/auth/internal/lib.php
+index db6dab4..c5167b3 100644
+--- a/htdocs/auth/internal/lib.php
++++ b/htdocs/auth/internal/lib.php
+@@ -171,7 +171,10 @@ class AuthInternal extends Auth {
+ // This allows "plaintext" passwords, which are eaiser for an admin to
+ // create by hacking in the database directly. The application does not
+ // create passwords in this form.
+- return $theysent == $wehave;
++ // We don't allow empty passwords here to prevent anyone logging in to
++ // user accounts that were created by some other passwordless auth
++ // method and subsequently changed to internal.
++ return $wehave != '' && $theysent == $wehave;
+ }
+
+ if ($salt == '*') {
+diff --git a/htdocs/auth/xmlrpc/lib.php b/htdocs/auth/xmlrpc/lib.php
+index c972f1d..922ccd5 100644
+--- a/htdocs/auth/xmlrpc/lib.php
++++ b/htdocs/auth/xmlrpc/lib.php
+@@ -615,7 +615,7 @@ class PluginAuthXmlrpc extends PluginAuth {
+ $options = array('None');
+ if (is_array($instances)) {
+ foreach($instances as $someinstance) {
+- if ($someinstance->requires_parent == 1) {
++ if ($someinstance->requires_parent == 1 || $someinstance->authname == 'none') {
+ continue;
+ }
+ $options[$someinstance->id] = $someinstance->instancename;
diff -Nru mahara-1.2.4/debian/patches/series mahara-1.2.4/debian/patches/series
--- mahara-1.2.4/debian/patches/series 1970-01-01 12:00:00.000000000 +1200
+++ mahara-1.2.4/debian/patches/series 2010-07-08 17:06:31.000000000 +1200
@@ -0,0 +1,4 @@
+CVE-2010-1667.patch
+CVE-2010-1668.patch
+CVE-2010-1669.patch
+CVE-2010-1670.patch
diff -Nru mahara-1.2.4/debian/rules mahara-1.2.4/debian/rules
--- mahara-1.2.4/debian/rules 2010-04-06 21:07:53.000000000 +1200
+++ mahara-1.2.4/debian/rules 2010-07-08 17:06:31.000000000 +1200
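Review bot: The plaintext branch in the htdocs/auth/internal/lib.php hunk of CVE-2010-1670.patch still compares the submitted password with loose `==` (`return $wehave != '' && $theysent == $wehave;`), so numeric-looking strings are compared as numbers: a stored `'0e5'` would be matched by `'0'`, `'00'` or `'0e9'`. A strict comparison closes that, e.g. `return (string) $wehave !== '' && $theysent === $wehave;`, where the `(string)` cast preserves the rejection of a NULL stored password that the loose `!= ''` gave for free. The enclosing method starts outside the hunk, so any earlier normalisation of `$theysent` is not visible here.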
@@ -40,6 +40,7 @@
 rm -rf $(CURDIR)/debian/mahara/usr/share/mahara/lib/pear/PEAR
 rm -f $(CURDIR)/debian/mahara/usr/share/mahara/lib/pear/PEAR.php
 rm -rf $(CURDIR)/debian/mahara/usr/share/mahara/lib/dwoo/dwoo
+ rm -rf $(CURDIR)/debian/mahara/usr/share/mahara/lib/htmlpurifier
 # Fix broken permissions
 chmod -x $(CURDIR)/debian/mahara/usr/share/mahara/lib/pieforms/pieform/*/*.php