Version in base suite: 3.2.11-3+deb11u3 Base version: spip_3.2.11-3+deb11u3 Target version: spip_3.2.11-3+deb11u4 Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/spip/spip_3.2.11-3+deb11u3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/s/spip/spip_3.2.11-3+deb11u4.dsc changelog | 7 patches/0020-Fix-5076-r-parer-la-fonction-bugu-e-en-n-utilisant-j.patch | 29 +++ patches/0021-ne-pas-accepter-un-test_dir-avec-des-.-dedans-lors-d.patch | 23 +++ patches/0022-spip_htmlspecialchars-sur-tous-les-affichages-de-var.patch | 73 ++++++++++ patches/0023-Securiser-l-usage-des-var_mode_xx-dans-le-debuggueur.patch | 35 ++++ patches/0024-securiser-l-affichage-de-erreur-quand-il-arrive-de-l.patch | 23 +++ patches/0025-securiser-la-construction-de-la-regexp-dans-parametr.patch | 28 +++ patches/0026-Utiliser-b-plutot-que-s-pour-etre-plus-robuste-sur-l.patch | 23 +++ patches/0027-securiser-HTTP_HOST-et-REQUEST_URI-dans-url_de_base-.patch | 37 +++++ patches/0028-echapper-sel_db-avant-de-la-reinserer-dans-une-hidde.patch | 25 +++ patches/0029-Masquer-aussi-les-cookies-sensibles-dans-_SERVER-HTT.patch | 44 ++++++ patches/0030-Securiser-le-retour-de-nettoyer_titre_email-quand-il.patch | 30 ++++ patches/0031-Incrementer-spip_version_code-pour-recompiler-les-sq.patch | 22 +++ patches/0032-Suppression-de-l-argument-formulaire_action_sign-dan.patch | 22 +++ patches/0033-Echapper-l-url-dans-le-html-affiche-https-git.spip.n.patch | 25 +++ patches/series | 14 + 16 files changed, 460 insertions(+) diff -Nru spip-3.2.11/debian/changelog spip-3.2.11/debian/changelog --- spip-3.2.11/debian/changelog 2022-03-05 16:08:04.000000000 +0000 +++ spip-3.2.11/debian/changelog 2022-05-24 14:22:53.000000000 +0000 
@@ -1,3 +1,10 @@
+spip (3.2.11-3+deb11u4) bullseye-security; urgency=high
+
+ * Backport security fix from 3.2.15
+ - Sanitizing and other XSS protections
+
+ -- David Prévot Tue, 24 May 2022 16:22:53 +0200
+
 spip (3.2.11-3+deb11u3) bullseye-security; urgency=high
 
 * Backport security fix from 3.2.14
diff -Nru spip-3.2.11/debian/patches/0020-Fix-5076-r-parer-la-fonction-bugu-e-en-n-utilisant-j.patch spip-3.2.11/debian/patches/0020-Fix-5076-r-parer-la-fonction-bugu-e-en-n-utilisant-j.patch
--- spip-3.2.11/debian/patches/0020-Fix-5076-r-parer-la-fonction-bugu-e-en-n-utilisant-j.patch 1970-01-01 00:00:00.000000000 +0000
+++ spip-3.2.11/debian/patches/0020-Fix-5076-r-parer-la-fonction-bugu-e-en-n-utilisant-j.patch 2022-05-24 14:20:12.000000000 +0000
@@ -0,0 +1,29 @@
+From: RastaPopoulos
+Date: Sun, 6 Mar 2022 02:42:48 +0100
+Subject: =?utf-8?q?Fix_=235076_=3A_r=C3=A9parer_la_fonction_bugu=C3=A9e_en_?=
+ =?utf-8?q?n=27utilisant_jamais_les_cl=C3=A9s_raccourcis_qui_sont_non_fiabl?=
+ =?utf-8?q?es=2C_mais_les_autres_vraies_cl=C3=A9s_suivant_la_source_demand?=
+ =?utf-8?q?=C3=A9e=2C_celle_du_lien_ou_pas?=
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/3b99287c9e1f7b9aee4c7e22b2a233fde5becd86
+---
+ ecrire/inc/filtres_ecrire.php | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/ecrire/inc/filtres_ecrire.php b/ecrire/inc/filtres_ecrire.php
+index 0751d09..61a7c1d 100644
+--- a/ecrire/inc/filtres_ecrire.php
++++ b/ecrire/inc/filtres_ecrire.php
+@@ -572,8 +572,11 @@ function lister_objets_lies($objet_source, $objet, $id_objet, $objet_lien) {
+ } else {
+ $res = objet_trouver_liens(array($objet_source => '*'), array($objet => $id_objet));
+ }
++ // Si les liens qu'on cherche sont ceux de la table de lien, l'info est dans la clé de l'objet
++ // Sinon c'est dans "id_objet"
++ $cle = ($objet_source == $objet_lien ? id_table_objet($objet_source) : 'id_objet');
+ while ($row = array_shift($res)) {
+- $l[] = $row[$objet_source];
++ $l[] = $row[$cle];
+ }
+
+ return $l;
diff -Nru spip-3.2.11/debian/patches/0021-ne-pas-accepter-un-test_dir-avec-des-.-dedans-lors-d.patch spip-3.2.11/debian/patches/0021-ne-pas-accepter-un-test_dir-avec-des-.-dedans-lors-d.patch
--- spip-3.2.11/debian/patches/0021-ne-pas-accepter-un-test_dir-avec-des-.-dedans-lors-d.patch 1970-01-01 00:00:00.000000000 +0000
+++ spip-3.2.11/debian/patches/0021-ne-pas-accepter-un-test_dir-avec-des-.-dedans-lors-d.patch 2022-05-24 14:20:12.000000000 +0000
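Review bot: The new `$cle` line picks the column with a loose `==` between `$objet_source` and `$objet_lien`, and the loop then reads `$row[$cle]` without checking that the key is present; if `id_table_objet()` can name a column that is absent from the rows `objet_trouver_liens()` returned, each such row appends a null with an undefined-index notice. I would make the comparison strict, `$cle = ($objet_source === $objet_lien ? id_table_objet($objet_source) : 'id_objet');`, and only collect rows that carry the key, `if (isset($row[$cle])) { $l[] = $row[$cle]; }`. lister_objets_lies starts before the hunk, so whether `$l` is initialised on the empty-result path is not visible here.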
@@ -0,0 +1,23 @@
+From: Cerdic
+Date: Wed, 13 Apr 2022 15:45:42 +0200
+Subject: ne pas accepter un test_dir avec des .. dedans lors du test des
+ repertoires en ecriture https://git.spip.net/spip-team/securite/issues/3596
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/edb6a01c6dd2420ed5e125385252d37b86f93d68
+---
+ ecrire/install/etape_chmod.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ecrire/install/etape_chmod.php b/ecrire/install/etape_chmod.php
+index 15e7d76..f4c57d8 100644
+--- a/ecrire/install/etape_chmod.php
++++ b/ecrire/install/etape_chmod.php
+@@ -76,7 +76,7 @@ function install_etape_chmod_dist() {
+ $test_dir = _request('test_dir');
+ $chmod = 0;
+
+- if ($test_dir) {
++ if ($test_dir and strpos($test_dir, '..') === false) {
+ if (substr($test_dir, -1) !== '/') {
+ $test_dir .= '/';
+ }
diff -Nru spip-3.2.11/debian/patches/0022-spip_htmlspecialchars-sur-tous-les-affichages-de-var.patch spip-3.2.11/debian/patches/0022-spip_htmlspecialchars-sur-tous-les-affichages-de-var.patch
--- spip-3.2.11/debian/patches/0022-spip_htmlspecialchars-sur-tous-les-affichages-de-var.patch 1970-01-01 00:00:00.000000000 +0000
+++ spip-3.2.11/debian/patches/0022-spip_htmlspecialchars-sur-tous-les-affichages-de-var.patch 2022-05-24 14:20:12.000000000 +0000
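Review bot: The added guard rejects only a literal `..`, so a request value that is an absolute path or uses other separators still passes into the directory test, and because install_etape_chmod_dist continues outside the hunk I cannot see whether the directory is later confined to the site root. A deny-list on one substring is fragile for a path that comes straight from `_request()`; an allow-list of the characters a relative directory name may contain is easier to reason about, e.g. `if ($test_dir and preg_match(',^[\w./-]+$,', $test_dir) and strpos($test_dir, '..') === false) {`. Better still would be to compare the resolved path against the expected root, but that depends on code below the hunk.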
@@ -0,0 +1,73 @@ +From: Cerdic +Date: Wed, 13 Apr 2022 15:54:24 +0200 +Subject: spip_htmlspecialchars() sur tous les affichages de variable dans le + html + filtrer $adresse_ldap + https://git.spip.net/spip-team/securite/issues/3597 + +Origin: upstream, https://git.spip.net/spip/spip/commit/b28e1f9a39dd54e0f0bbfe3b211160e71d2562b7 +--- + ecrire/install/etape_ldap2.php | 31 ++++++++++++++++++++++--------- + 1 file changed, 22 insertions(+), 9 deletions(-) + +diff --git a/ecrire/install/etape_ldap2.php b/ecrire/install/etape_ldap2.php +index 182f449..c9db6bb 100644 +--- a/ecrire/install/etape_ldap2.php ++++ b/ecrire/install/etape_ldap2.php +@@ -42,8 +42,15 @@ function install_etape_ldap2_dist() { + $tls = true; + } + } ++ else { ++ $tls_ldap == 'non'; ++ } ++ ++ // Verifions que l'adresse demandee est valide ++ $adresse_ldap = filter_var($adresse_ldap, FILTER_SANITIZE_URL) ?: ''; ++ + $ldap_link = ldap_connect($adresse_ldap, $port_ldap); +- $erreur = "ldap_connect($adresse_ldap, $port_ldap)"; ++ $erreur = "ldap_connect(".spip_htmlspecialchars($adresse_ldap).", ".spip_htmlspecialchars($port_ldap).")"; + + if ($ldap_link) { + if (!ldap_set_option($ldap_link, LDAP_OPT_PROTOCOL_VERSION, $protocole_ldap)) { +@@ -52,13 +59,19 @@ function install_etape_ldap2_dist() { + } + if ($tls === true) { + if (!ldap_start_tls($ldap_link)) { +- $erreur = "ldap_start_tls($ldap_link) $adresse_ldap, $port_ldap"; ++ $erreur = "ldap_start_tls(".spip_htmlspecialchars($ldap_link) ++ ." 
".spip_htmlspecialchars($adresse_ldap) ++ .", ".spip_htmlspecialchars($port_ldap).")"; + $ldap_link = false; + } + } + if ($ldap_link) { + $ldap_link = ldap_bind($ldap_link, $login_ldap, $pass_ldap); +- $erreur = "ldap_bind('$ldap_link', '$login_ldap', '$pass_ldap'): $adresse_ldap, $port_ldap"; ++ $erreur = "ldap_bind('".spip_htmlspecialchars($ldap_link) ++ ."', '".spip_htmlspecialchars($login_ldap) ++ ."', '".spip_htmlspecialchars($pass_ldap) ++ ."'): ".spip_htmlspecialchars($adresse_ldap) ++ .", ".spip_htmlspecialchars($port_ldap); + } + } + +@@ -69,12 +82,12 @@ function install_etape_ldap2_dist() { + ), _T('info_connexion_ldap_ok'); + echo generer_form_ecrire('install', ( + "\n" +- . "\n" +- . "\n" +- . "\n" +- . "\n" +- . "\n" +- . "\n" ++ . "\n" ++ . "\n" ++ . "\n" ++ . "\n" ++ . "\n" ++ . "\n" + . bouton_suivant())); + } else { + echo info_etape(_T('titre_connexion_ldap')), info_progression_etape(1, 'etape_ldap', 'install/', true), diff -Nru spip-3.2.11/debian/patches/0023-Securiser-l-usage-des-var_mode_xx-dans-le-debuggueur.patch spip-3.2.11/debian/patches/0023-Securiser-l-usage-des-var_mode_xx-dans-le-debuggueur.patch --- spip-3.2.11/debian/patches/0023-Securiser-l-usage-des-var_mode_xx-dans-le-debuggueur.patch 1970-01-01 00:00:00.000000000 +0000 +++ spip-3.2.11/debian/patches/0023-Securiser-l-usage-des-var_mode_xx-dans-le-debuggueur.patch 2022-05-24 14:20:12.000000000 +0000 
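Review bot: The added `else { $tls_ldap == 'non'; }` is a comparison, not an assignment: its result is discarded, so the new branch is a no-op and should read `$tls_ldap = 'non';` (or be dropped if the value is not used later). Separately, the rewritten `ldap_bind` error string still embeds `$pass_ldap`; HTML-escaping it fixes the markup injection but a bind password does not belong in a displayed error at all, so I would replace that fragment with a constant, `."', '***'): ".spip_htmlspecialchars($adresse_ldap)`. Note also that `filter_var($adresse_ldap, FILTER_SANITIZE_URL)` only strips characters that cannot appear in a URL; it does not check that the value is a host name or an ldap:// URI, so the comment "Verifions que l'adresse demandee est valide" overstates what it does. install_etape_ldap2_dist starts before the hunk and continues after it.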
@@ -0,0 +1,35 @@ +From: Cerdic +Date: Wed, 13 Apr 2022 16:03:16 +0200 +Subject: Securiser l'usage des var_mode_xx dans le debuggueur + https://git.spip.net/spip-team/securite/issues/3602 + +Origin: upstream, https://git.spip.net/spip/spip/commit/772a4baeda4eed24cbe8953fa60e7c7dcd6859a2 +--- + ecrire/public/debusquer.php | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/ecrire/public/debusquer.php b/ecrire/public/debusquer.php +index 9199bb3..6cc6a2b 100644 +--- a/ecrire/public/debusquer.php ++++ b/ecrire/public/debusquer.php +@@ -123,8 +123,9 @@ function public_debusquer_dist($message = '', $lieu = '', $opt = array()) { + } + + lang_select($GLOBALS['visiteur_session']['lang']); +- $fonc = _request('var_mode_objet'); +- $mode = _request('var_mode_affiche'); ++ $fonc = preg_replace(",\W,", "_", _request('var_mode_objet') ?? ''); ++ $mode = preg_replace(",\W,", "_", _request('var_mode_affiche') ?? ''); ++ + $self = str_replace("\\'", ''', self()); + $self = parametre_url($self, 'var_mode', 'debug'); + +@@ -816,7 +817,7 @@ function debusquer_entete($titre, $corps) { + html_lang_attributes() . + "\n" . + ('SPIP ' . $GLOBALS['spip_version_affichee'] . ' ' . +- _T('admin_debug') . ' ' . $titre . ' (' . ++ _T('admin_debug') . ' ' . spip_htmlspecialchars($titre) . ' (' . + supprimer_tags(corriger_typo($GLOBALS['meta']['nom_site']))) . + ")\n" . + "$erreur"; ++ echo "
".spip_htmlspecialchars($erreur)."
"; + } + if ($erreur_activation) { + echo "
$erreur_activation
"; diff -Nru spip-3.2.11/debian/patches/0025-securiser-la-construction-de-la-regexp-dans-parametr.patch spip-3.2.11/debian/patches/0025-securiser-la-construction-de-la-regexp-dans-parametr.patch --- spip-3.2.11/debian/patches/0025-securiser-la-construction-de-la-regexp-dans-parametr.patch 1970-01-01 00:00:00.000000000 +0000 +++ spip-3.2.11/debian/patches/0025-securiser-la-construction-de-la-regexp-dans-parametr.patch 2022-05-24 14:20:12.000000000 +0000 
@@ -0,0 +1,28 @@
+From: Cerdic
+Date: Wed, 13 Apr 2022 17:05:47 +0200
+Subject: securiser la construction de la regexp dans parametre_url
+ https://git.spip.net/spip-team/securite/issues/3702
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/d99890f66906ab52aa18f9df6109e694192bc54e
+---
+ ecrire/inc/utils.php | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/ecrire/inc/utils.php b/ecrire/inc/utils.php
+index d927655..8ed33e3 100644
+--- a/ecrire/inc/utils.php
++++ b/ecrire/inc/utils.php
+@@ -552,7 +552,12 @@ function parametre_url($url, $c, $v = null, $sep = '&') {
+ $a = './';
+ }
+
+- $regexp = ',^(' . str_replace('[]', '\[\]', $c) . '[[]?[]]?)(=.*)?$,';
++ // preparer la regexp de maniere securisee
++ $regexp = explode('|', $c);
++ foreach ($regexp as $r => $e) {
++ $regexp[$r] = str_replace('[]', '\[\]', preg_replace(',[^\w\d\[\]-],', '', $e));
++ }
++ $regexp = ',^(' . implode('|', $regexp) . '[[]?[]]?)(=.*)?$,';
+ $ajouts = array_flip(explode('|', $c));
+ $u = is_array($v) ? $v : rawurlencode($v);
+ $testv = (is_array($v) ? count($v) : strlen($v));
diff -Nru spip-3.2.11/debian/patches/0026-Utiliser-b-plutot-que-s-pour-etre-plus-robuste-sur-l.patch spip-3.2.11/debian/patches/0026-Utiliser-b-plutot-que-s-pour-etre-plus-robuste-sur-l.patch
--- spip-3.2.11/debian/patches/0026-Utiliser-b-plutot-que-s-pour-etre-plus-robuste-sur-l.patch 1970-01-01 00:00:00.000000000 +0000
+++ spip-3.2.11/debian/patches/0026-Utiliser-b-plutot-que-s-pour-etre-plus-robuste-sur-l.patch 2022-05-24 14:20:12.000000000 +0000
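Review bot: `$ajouts = array_flip(explode('|', $c));` on the line after the new block still splits the raw `$c`, while the regexp now matches the filtered names, so a parameter name containing a character that `preg_replace(',[^\w\d\[\]-],', '', $e)` strips is matched under one spelling and appended under another. Both should come from the same filtered list: keep the filtered names in a separate variable (say `$noms`) before the `implode`, and use `$ajouts = array_flip($noms);`. The `\d` inside `[^\w\d\[\]-]` is redundant, since `\w` already covers digits. parametre_url starts before and continues after the hunk.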
@@ -0,0 +1,23 @@
+From: Cerdic
+Date: Wed, 13 Apr 2022 17:15:50 +0200
+Subject: Utiliser \b plutot que \s pour etre plus robuste sur la regexp de
+ _PROTEGE_BLOCS https://git.spip.net/spip-team/securite/issues/3703
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/97845aa30aa8d845d88b86715eab53b1de5e9c6d
+---
+ ecrire/inc/texte_mini.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ecrire/inc/texte_mini.php b/ecrire/inc/texte_mini.php
+index 27c2109..5dd53e2 100644
+--- a/ecrire/inc/texte_mini.php
++++ b/ecrire/inc/texte_mini.php
+@@ -168,7 +168,7 @@ function traiter_echap_script_dist($regs) {
+ return $regs[0];
+ }
+
+-define('_PROTEGE_BLOCS', ',<(html|code|cadre|frame|script|style)(\s[^>]*)?>(.*),UimsS');
++define('_PROTEGE_BLOCS', ',<(html|code|cadre|frame|script|style)(\b[^>]*)?>(.*),UimsS');
+
+ // - pour $source voir commentaire infra (echappe_retour)
+ // - pour $no_transform voir le filtre post_autobr dans inc/filtres
diff -Nru spip-3.2.11/debian/patches/0027-securiser-HTTP_HOST-et-REQUEST_URI-dans-url_de_base-.patch spip-3.2.11/debian/patches/0027-securiser-HTTP_HOST-et-REQUEST_URI-dans-url_de_base-.patch
--- spip-3.2.11/debian/patches/0027-securiser-HTTP_HOST-et-REQUEST_URI-dans-url_de_base-.patch 1970-01-01 00:00:00.000000000 +0000
+++ spip-3.2.11/debian/patches/0027-securiser-HTTP_HOST-et-REQUEST_URI-dans-url_de_base-.patch 2022-05-24 14:20:12.000000000 +0000
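Review bot: The new `_PROTEGE_BLOCS` pattern carries no comment on why `\b` replaces `\s` after the tag name, and a later reader could revert it as a typo; the reason — the protected block must be caught even when a non-whitespace character such as `/` directly follows the name — lives only in the commit subject. I would add above the define: `// \b (not \s) after the tag name: the block must be protected whatever follows the name, not only whitespace (securite/issues/3703)`. A regression test with an opening tag whose name is followed by a non-space character would pin the behaviour.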
@@ -0,0 +1,37 @@
+From: Cerdic
+Date: Wed, 13 Apr 2022 15:36:34 +0200
+Subject: securiser HTTP_HOST et REQUEST_URI dans url_de_base()
+ https://git.spip.net/spip-team/securite/issues/3728
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/754677579b34a1705a83b8d2674baaba17472b4d
+---
+ ecrire/inc/utils.php | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/ecrire/inc/utils.php b/ecrire/inc/utils.php
+index 8ed33e3..4dd8774 100644
+--- a/ecrire/inc/utils.php
++++ b/ecrire/inc/utils.php
+@@ -1936,7 +1936,11 @@ function url_de_base($profondeur = null) {
+ }
+
+ // note : HTTP_HOST contient le :port si necessaire
+- $host = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : null;
++ if ($host = (isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : null)) {
++ // Filtrer $host pour proteger d'attaques d'entete HTTP
++ $host = (filter_var($host, FILTER_SANITIZE_URL) ?: null);
++ }
++
+ // si on n'a pas trouvé d'hôte du tout, en dernier recours on utilise adresse_site comme fallback
+ if (is_null($host) and isset($GLOBALS['meta']['adresse_site'])) {
+ $host = $GLOBALS['meta']['adresse_site'];
+@@ -1976,6 +1980,9 @@ function url_de_base($profondeur = null) {
+ }
+ }
+
++ // Et nettoyer l'url
++ $GLOBALS['REQUEST_URI'] = (filter_var($GLOBALS['REQUEST_URI'], FILTER_SANITIZE_URL) ?: '');
++
+ $url[$profondeur] = url_de_($http, $host, $GLOBALS['REQUEST_URI'], $profondeur);
+
+ return $url[$profondeur];
diff -Nru spip-3.2.11/debian/patches/0028-echapper-sel_db-avant-de-la-reinserer-dans-une-hidde.patch spip-3.2.11/debian/patches/0028-echapper-sel_db-avant-de-la-reinserer-dans-une-hidde.patch
--- spip-3.2.11/debian/patches/0028-echapper-sel_db-avant-de-la-reinserer-dans-une-hidde.patch 1970-01-01 00:00:00.000000000 +0000
+++ spip-3.2.11/debian/patches/0028-echapper-sel_db-avant-de-la-reinserer-dans-une-hidde.patch 2022-05-24 14:20:12.000000000 +0000
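Review bot: `FILTER_SANITIZE_URL` is not a host validator: it only removes characters that can never appear in a URL, so the filtered `$host` may still contain `/`, `?`, `@`, `<`, `>` or `"`, which is exactly what the comment "proteger d'attaques d'entete HTTP" means to exclude; the same limitation applies to the `REQUEST_URI` cleanup in the second hunk. For the host I would add an allow-list of the `name[:port]` shape right after the `filter_var` line, `if ($host !== null and !preg_match(',^[a-z0-9.\[\]:-]+$,i', $host)) { $host = null; }`, which then falls through to the existing `adresse_site` fallback. Note too that the second hunk rewrites `$GLOBALS['REQUEST_URI']` as a side effect of every `url_de_base()` call, which other readers of that global may not expect; filtering into a local before passing it to `url_de_()` would avoid that. url_de_base starts before the first hunk.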
@@ -0,0 +1,25 @@
+From: Cerdic
+Date: Wed, 13 Apr 2022 15:22:37 +0200
+Subject: echapper sel_db avant de la reinserer dans une hidden (mais c'est
+ assez theorique car si on arrive la c'est qu'on a reussi a se connecter
+ dessus,
+ donc a priori le nom ne peut pas avoir de caracteres speciaux) https://git.spip.net/spip-team/securite/issues/3730
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/871777b0f56ce92c26fde3a3a53c625eb68dcff6
+---
+ ecrire/install/etape_3.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ecrire/install/etape_3.php b/ecrire/install/etape_3.php
+index 7af5bfc..55e22dc 100644
+--- a/ecrire/install/etape_3.php
++++ b/ecrire/install/etape_3.php
+@@ -370,7 +370,7 @@ function install_etape_3_dist() {
+
+ $hidden = predef_ou_cache($adresse_db, $login_db, $pass_db, $server_db)
+ . (defined('_INSTALL_NAME_DB') ? ''
+- : "\n");
++ : "\n");
+
+ $auteur_obligatoire = ($ldap_present ? 0 : !sql_countsel('spip_auteurs', '', '', '', $server_db));
+
diff -Nru spip-3.2.11/debian/patches/0029-Masquer-aussi-les-cookies-sensibles-dans-_SERVER-HTT.patch spip-3.2.11/debian/patches/0029-Masquer-aussi-les-cookies-sensibles-dans-_SERVER-HTT.patch
--- spip-3.2.11/debian/patches/0029-Masquer-aussi-les-cookies-sensibles-dans-_SERVER-HTT.patch 1970-01-01 00:00:00.000000000 +0000
+++ spip-3.2.11/debian/patches/0029-Masquer-aussi-les-cookies-sensibles-dans-_SERVER-HTT.patch 2022-05-24 14:20:12.000000000 +0000
@@ -0,0 +1,44 @@
+From: Cerdic
+Date: Wed, 13 Apr 2022 14:39:21 +0200
+Subject: Masquer aussi les cookies sensibles dans $_SERVER['HTTP_COOKIE'] et
+ $_ENV['HTTP_COOKIE'] (suite de #54 et
+ https://git.spip.net/spip-team/securite/issues/4494)
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/901f583021938d4b1b1632cc8ec51950a1f3e988
+---
+ ecrire/inc/utils.php | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/ecrire/inc/utils.php b/ecrire/inc/utils.php
+index 4dd8774..040e2f8 100644
+--- a/ecrire/inc/utils.php
++++ b/ecrire/inc/utils.php
+@@ -3181,16 +3181,27 @@ function exec_info_dist() {
+ if (autoriser('webmestre')) {
+ $cookies_masques = ['spip_session', 'PHPSESSID'];
+ $cookies_backup = [];
++ $server_backup = ['HTTP_COOKIE' => $_SERVER['HTTP_COOKIE']];
++ $env_backup = ['HTTP_COOKIE' => $_ENV['HTTP_COOKIE']];
++ $mask = '******************************';
+ foreach ($cookies_masques as $k) {
+ if (!empty($_COOKIE[$k])) {
+ $cookies_backup[$k] = $_COOKIE[$k];
+- $_COOKIE[$k] = '******************************';
++ $_SERVER['HTTP_COOKIE'] = str_replace("$k=".$_COOKIE[$k], "$k=$mask", $_SERVER['HTTP_COOKIE']);
++ $_ENV['HTTP_COOKIE'] = str_replace("$k=".$_COOKIE[$k], "$k=$mask", $_ENV['HTTP_COOKIE']);
++ $_COOKIE[$k] = $mask;
+ }
+ }
+ phpinfo();
+ foreach ($cookies_backup as $k => $v) {
+ $_COOKIE[$k] = $v;
+ }
++ foreach ($server_backup as $k => $v) {
++ $_SERVER[$k] = $v;
++ }
++ foreach ($env_backup as $k => $v) {
++ $_ENV[$k] = $v;
++ }
+ } else {
+ include_spip('inc/filtres');
+ sinon_interdire_acces();
diff -Nru spip-3.2.11/debian/patches/0030-Securiser-le-retour-de-nettoyer_titre_email-quand-il.patch spip-3.2.11/debian/patches/0030-Securiser-le-retour-de-nettoyer_titre_email-quand-il.patch
--- spip-3.2.11/debian/patches/0030-Securiser-le-retour-de-nettoyer_titre_email-quand-il.patch 1970-01-01 00:00:00.000000000 +0000
+++ spip-3.2.11/debian/patches/0030-Securiser-le-retour-de-nettoyer_titre_email-quand-il.patch
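Review bot: The two new backup lines read `$_SERVER['HTTP_COOKIE']` and `$_ENV['HTTP_COOKIE']` unconditionally; `$_ENV` is rarely populated and a request without a Cookie header has neither key, so this raises undefined-index notices and the restore loops then create those keys with `null`. Guard them, `$server_backup = ['HTTP_COOKIE' => $_SERVER['HTTP_COOKIE'] ?? null];` and likewise for `$_ENV`, and restore only entries whose saved value is not null. The masking also matches on `"$k=".$_COOKIE[$k]`, but `$_COOKIE` holds the URL-decoded value while the header holds the raw one, so a cookie whose value contains an encoded character would be left unmasked in the phpinfo() output; matching by name instead, `preg_replace(',(^|;\s*)' . preg_quote($k, ',') . '=[^;]*,', '${1}' . $k . '=' . $mask, $_SERVER['HTTP_COOKIE'])`, masks it regardless of value. exec_info_dist starts before the hunk.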
2022-05-24 14:20:12.000000000 +0000
@@ -0,0 +1,30 @@
+From: Cerdic
+Date: Wed, 13 Apr 2022 14:28:15 +0200
+Subject: =?utf-8?q?Securiser_le_retour_de_nettoyer=5Ftitre=5Femail_quand_il?=
+ =?utf-8?q?_est_utilis=C3=A9_dans_un_squelette_=28Louka=29_https=3A//git=2E?=
+ =?utf-8?q?spip=2Enet/spip-team/securite/issues/4829?=
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/ac67fc5be53e2e085c0599144a217b440dd72fa1
+---
+ ecrire/inc/filtres.php | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/ecrire/inc/filtres.php b/ecrire/inc/filtres.php
+index 064a44e..e4c56e5 100644
+--- a/ecrire/inc/filtres.php
++++ b/ecrire/inc/filtres.php
+@@ -4839,7 +4839,13 @@ function supprimer_timestamp($url) {
+ function filtre_nettoyer_titre_email_dist($titre) {
+ include_spip('inc/envoyer_mail');
+
+- return nettoyer_titre_email($titre);
++ $titre = nettoyer_titre_email($titre);
++ // on est dans un squelette : securiser le retour
++ if (strpos($titre, '<') !== false) {
++ $titre = interdire_scripts($titre);
++ }
++
++ return $titre;
+ }
+
+ /**
diff -Nru spip-3.2.11/debian/patches/0031-Incrementer-spip_version_code-pour-recompiler-les-sq.patch spip-3.2.11/debian/patches/0031-Incrementer-spip_version_code-pour-recompiler-les-sq.patch
--- spip-3.2.11/debian/patches/0031-Incrementer-spip_version_code-pour-recompiler-les-sq.patch 1970-01-01 00:00:00.000000000 +0000
+++ spip-3.2.11/debian/patches/0031-Incrementer-spip_version_code-pour-recompiler-les-sq.patch 2022-05-24 14:20:12.000000000 +0000
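Review bot: The `strpos($titre, '<') !== false` guard means `interdire_scripts()` only runs when the cleaned title contains a `<`, so the value this filter returns is only safe as HTML text content, not inside an attribute or a script context, and nothing in the hunk states that. I would record the contract on the new comment, e.g. `// template context: make the return safe as HTML text content only (not attribute-safe)`, or in the docblock of filtre_nettoyer_titre_email_dist, whose start is the top of the hunk. If `interdire_scripts()` is cheap enough, calling it unconditionally would remove the need to reason about the guard at all.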
@@ -0,0 +1,22 @@
+From: Cerdic
+Date: Wed, 13 Apr 2022 14:30:21 +0200
+Subject: Incrementer spip_version_code pour recompiler les squelettes
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/2ce34e62ebe457d06339d5b3cb92852d1d80635c
+---
+ ecrire/inc_version.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ecrire/inc_version.php b/ecrire/inc_version.php
+index 22a2d63..912b201 100644
+--- a/ecrire/inc_version.php
++++ b/ecrire/inc_version.php
+@@ -383,7 +383,7 @@ define('_SPIP_EXTRA_VERSION', '');
+ #define('_DEV_VERSION_SPIP_COMPAT',"3.1.3");
+ // version des signatures de fonctions PHP
+ // (= date de leur derniere modif cassant la compatibilite et/ou necessitant un recalcul des squelettes)
+-$spip_version_code = 20211021;
++$spip_version_code = 20220413;
+ // version de la base SQL (= numero SVN de sa derniere modif)
+ $spip_version_base = 23375;
+
diff -Nru spip-3.2.11/debian/patches/0032-Suppression-de-l-argument-formulaire_action_sign-dan.patch spip-3.2.11/debian/patches/0032-Suppression-de-l-argument-formulaire_action_sign-dan.patch
--- spip-3.2.11/debian/patches/0032-Suppression-de-l-argument-formulaire_action_sign-dan.patch 1970-01-01 00:00:00.000000000 +0000
+++ spip-3.2.11/debian/patches/0032-Suppression-de-l-argument-formulaire_action_sign-dan.patch 2022-05-24 14:20:12.000000000 +0000
@@ -0,0 +1,22 @@
+From: Christophe Laffont
+Date: Wed, 20 Apr 2022 09:33:39 +0200
+Subject: Suppression de l'argument `formulaire_action_sign` dans l'url ACTION
+ Ticket #5155
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/8283532c94dac9f08c1fd250b433491d3fe22c84
+---
+ ecrire/balise/formulaire_.php | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/ecrire/balise/formulaire_.php b/ecrire/balise/formulaire_.php
+index 6cb7143..d119765 100644
+--- a/ecrire/balise/formulaire_.php
++++ b/ecrire/balise/formulaire_.php
+@@ -248,6 +248,7 @@ function balise_FORMULAIRE__contexte($form, $args) {
+ // nettoyer l'url
+ $action = parametre_url($action, 'formulaire_action', '');
+ $action = parametre_url($action, 'formulaire_action_args', '');
++ $action = parametre_url($action, 'formulaire_action_sign', '');
+ }
+
+ /**
diff -Nru spip-3.2.11/debian/patches/0033-Echapper-l-url-dans-le-html-affiche-https-git.spip.n.patch spip-3.2.11/debian/patches/0033-Echapper-l-url-dans-le-html-affiche-https-git.spip.n.patch
--- spip-3.2.11/debian/patches/0033-Echapper-l-url-dans-le-html-affiche-https-git.spip.n.patch 1970-01-01 00:00:00.000000000 +0000
+++ spip-3.2.11/debian/patches/0033-Echapper-l-url-dans-le-html-affiche-https-git.spip.n.patch 2022-05-24 14:20:12.000000000 +0000
@@ -0,0 +1,25 @@ +From: Cerdic +Date: Wed, 13 Apr 2022 15:03:28 +0200 +Subject: Echapper l'url dans le html affiche + https://git.spip.net/spip-team/securite/issues/3733 + +Origin: upstream, https://git.spip.net/spip/svp/commit/bf0ff95ac535f1aa53e6a946ea739fd71106f182 +--- + plugins-dist/svp/action/actionner.php | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/plugins-dist/svp/action/actionner.php b/plugins-dist/svp/action/actionner.php +index d0c4f41..24a5783 100644 +--- a/plugins-dist/svp/action/actionner.php ++++ b/plugins-dist/svp/action/actionner.php +@@ -49,8 +49,9 @@ function action_actionner_dist() { + include_spip('inc/config'); + if (lire_config('svp/mode_pas_a_pas') == 'oui') { + include_spip('inc/minipres'); ++ include_spip('inc/filtres'); + $pres = $actionneur->presenter_actions(); +- $btn = "[ Action Suivante ]"; ++ $btn = "[ Action Suivante ]"; + $styles = " +