diff -u php-htmlpurifier-3.3.0/debian/changelog php-htmlpurifier-3.3.0/debian/changelog
--- php-htmlpurifier-3.3.0/debian/changelog
+++ php-htmlpurifier-3.3.0/debian/changelog
@@ -1,3 +1,13 @@
+php-htmlpurifier (3.3.0-1ubuntu0.1) karmic-security; urgency=low
+
+ * SECURITY UPDATE (LP: #582576).
+ * A vulnerability has been reported in HTML Purifier, which can be
+ exploited by malicious people to conduct cross-site scripting
+ attacks.
+ * CVE-2010-2479
+
+ -- Artur Rona Wed, 24 Nov 2010 22:23:20 +0100
+
php-htmlpurifier (3.3.0-1) unstable; urgency=low
* Initial Release (Closes: #462150).
diff -u php-htmlpurifier-3.3.0/debian/control php-htmlpurifier-3.3.0/debian/control
--- php-htmlpurifier-3.3.0/debian/control
+++ php-htmlpurifier-3.3.0/debian/control
@@ -1,7 +1,8 @@
Source: php-htmlpurifier
Section: web
Priority: optional
-Maintainer: Christian Bayle
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Christian Bayle
Build-Depends: debhelper (>= 7), dh-make-php (>= 0.2.3), cdbs
Standards-Version: 3.8.1
only in patch2:
unchanged:
--- php-htmlpurifier-3.3.0.orig/HTMLPurifier-3.3.0/HTMLPurifier/AttrDef.php
+++ php-htmlpurifier-3.3.0/HTMLPurifier-3.3.0/HTMLPurifier/AttrDef.php
@@ -82,6 +82,42 @@
return preg_replace('/rgb\((\d+)\s*,\s*(\d+)\s*,\s*(\d+)\)/', 'rgb(\1,\2,\3)', $string);
}
+ /**
+ * Parses a possibly escaped CSS string and returns the "pure"
+ * version of it.
+ */
+ protected function expandCSSEscape($string) {
+ // flexibly parse it
+ $ret = '';
+ for ($i = 0, $c = strlen($string); $i < $c; $i++) {
+ if ($string[$i] === '\\') {
+ $i++;
+ if ($i >= $c) {
+ $ret .= '\\';
+ break;
+ }
+ if (ctype_xdigit($string[$i])) {
+ $code = $string[$i];
+ for ($a = 1, $i++; $i < $c && $a < 6; $i++, $a++) {
+ if (!ctype_xdigit($string[$i])) break;
+ $code .= $string[$i];
+ }
+ // We have to be extremely careful when adding
+ // new characters, to make sure we're not breaking
+ // the encoding.
+ $char = HTMLPurifier_Encoder::unichr(hexdec($code));
+ if (HTMLPurifier_Encoder::cleanUTF8($char) === '') continue;
+ $ret .= $char;
+ if ($i < $c && trim($string[$i]) !== '') $i--;
+ continue;
+ }
+ if ($string[$i] === "\n") continue;
+ }
+ $ret .= $string[$i];
+ }
+ return $ret;
+ }
+
}
// vim: et sw=4 sts=4
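Review bot: The whitespace check after a hex escape, `if ($i < $c && trim($string[$i]) !== '') $i--;`, relies on trim()'s default character set, which is not the CSS one: a form feed (\x0C) following the digits is kept instead of being consumed as the escape terminator, while a NUL or vertical tab in that position is silently swallowed. An explicit list keeps the decoder aligned with the escapes it is meant to handle: `if ($i < $c && !in_array($string[$i], array(" ", "\t", "\n", "\r", "\x0C"), true)) $i--;`. The method also has no parameter/return documentation; `@param string $string  Raw CSS token that may contain backslash escapes` and `@return string  The token with escapes decoded; escapes whose code point cleanUTF8() rejects are dropped` would tell callers what they get back. Whether unichr() copes with values above 0x10FFFF or surrogate code points is not visible here, so the `continue` on an empty cleanUTF8() result is the only guard for those inputs and deserves a one-line comment saying so.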
only in patch2:
unchanged:
--- php-htmlpurifier-3.3.0.orig/HTMLPurifier-3.3.0/HTMLPurifier/AttrDef/CSS/FontFamily.php
+++ php-htmlpurifier-3.3.0/HTMLPurifier-3.3.0/HTMLPurifier/AttrDef/CSS/FontFamily.php
@@ -34,37 +34,10 @@
$quote = $font[0];
if ($font[$length - 1] !== $quote) continue;
$font = substr($font, 1, $length - 2);
+ }
- $new_font = '';
- for ($i = 0, $c = strlen($font); $i < $c; $i++) {
- if ($font[$i] === '\\') {
- $i++;
- if ($i >= $c) {
- $new_font .= '\\';
- break;
- }
- if (ctype_xdigit($font[$i])) {
- $code = $font[$i];
- for ($a = 1, $i++; $i < $c && $a < 6; $i++, $a++) {
- if (!ctype_xdigit($font[$i])) break;
- $code .= $font[$i];
- }
- // We have to be extremely careful when adding
- // new characters, to make sure we're not breaking
- // the encoding.
- $char = HTMLPurifier_Encoder::unichr(hexdec($code));
- if (HTMLPurifier_Encoder::cleanUTF8($char) === '') continue;
- $new_font .= $char;
- if ($i < $c && trim($font[$i]) !== '') $i--;
- continue;
- }
- if ($font[$i] === "\n") continue;
- }
- $new_font .= $font[$i];
- }
+ $font = $this->expandCSSEscape($font);
- $font = $new_font;
- }
// $font is a pure representation of the font name
if (ctype_alnum($font) && $font !== '') {
@@ -73,12 +46,21 @@
continue;
}
- // complicated font, requires quoting
+ // bugger out on whitespace. form feed (0C) really
+ // shouldn't show up regardless
+ $font = str_replace(array("\n", "\t", "\r", "\x0C"), ' ', $font);
- // armor single quotes and new lines
- $font = str_replace("\\", "\\\\", $font);
- $font = str_replace("'", "\\'", $font);
- $final .= "'$font', ";
+ // These ugly transforms don't pose a security
+ // risk (as \\ and \" might). We could try to be clever and
+ // use single-quote wrapping when there is a double quote
+ // present, but I have choosen not to implement that.
+ // (warning: this code relies on the selection of quotation
+ // mark below)
+ $font = str_replace('\\', '\\5C ', $font);
+ $font = str_replace('"', '\\22 ', $font);
+
+ // complicated font, requires quoting
+ $final .= "\"$font\", "; // note that this will later get turned into "
}
$final = rtrim($final, ', ');
if ($final === '') return false;
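Review bot: The normalisation `$font = str_replace(array("\n", "\t", "\r", "\x0C"), ' ', $font);` covers only CSS whitespace, so any other C0 control byte still present in $font reaches the quoted output; presumably HTMLPurifier_Encoder::cleanUTF8(), which the escape decoder consults for decoded characters, has already removed them from the raw input, but that is not visible in this hunk and is worth confirming — if not, `$font = preg_replace('/[\x00-\x08\x0B\x0E-\x1F\x7F]/', '', $font);` next to the whitespace replacement closes the gap. The two escapes are applied in the right order (backslash first, then the double quote) and the trailing space in `\5C ` / `\22 ` is what prevents a following hex digit from being absorbed into the escape; a short comment stating both facts would spare the next reader the derivation. Minor: "choosen" in the comment should be "chosen". The enclosing loop in validate() starts outside the hunk.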
only in patch2:
unchanged:
--- php-htmlpurifier-3.3.0.orig/HTMLPurifier-3.3.0/HTMLPurifier/AttrDef/CSS/URI.php
+++ php-htmlpurifier-3.3.0/HTMLPurifier-3.3.0/HTMLPurifier/AttrDef/CSS/URI.php
@@ -34,20 +34,16 @@
$uri = substr($uri, 1, $new_length - 1);
}
- $keys = array( '(', ')', ',', ' ', '"', "'");
- $values = array('\\(', '\\)', '\\,', '\\ ', '\\"', "\\'");
- $uri = str_replace($values, $keys, $uri);
+ $uri = $this->expandCSSEscape($uri);
$result = parent::validate($uri, $config, $context);
if ($result === false) return false;
- // escape necessary characters according to CSS spec
- // except for the comma, none of these should appear in the
- // URI at all
- $result = str_replace($keys, $values, $result);
+ // extra sanity check; should have been done by URI
+ $result = str_replace(array('"', "\\", "\n", "\x0c", "\r"), "", $result);
- return "url($result)";
+ return "url(\"$result\")";
}
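Review bot: The sanity strip `$result = str_replace(array('"', "\\", "\n", "\x0c", "\r"), "", $result);` silently deletes bytes that, by its own comment, the URI validator should already have handled, so a match here means parent::validate() let something through and the caller gets an altered URI with no signal; failing closed instead, `$clean = str_replace(array('"', "\\", "\n", "\x0c", "\r"), "", $result); if ($clean !== $result) return false;`, surfaces that condition. FontFamily in the same patch escapes these characters rather than stripping them, so if deletion is deliberately chosen here, a comment explaining why it is acceptable for the `url("...")` form would stop the two branches from looking accidentally inconsistent. The enclosing validate() begins before this hunk.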