Version in base suite: 3.2.11-3+deb11u4 Base version: spip_3.2.11-3+deb11u4 Target version: spip_3.2.11-3+deb11u5 Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/spip/spip_3.2.11-3+deb11u4.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/s/spip/spip_3.2.11-3+deb11u5.dsc changelog | 8 patches/0034-fix-spip-team-securite-4831-Lever-le-flag-espace_pri.patch | 28 + patches/0035-feat-une-fonction-auth_controler_password_auteur_con.patch | 51 + patches/0036-fix-ne-pas-faire-tourner-les-aleas-et-le-hash-du-pas.patch | 40 + patches/0037-fix-Signaler-visuellement-les-liens-javascript-dans-.patch | 57 ++ patches/0038-fix-utiliser-un-base64_decode-strict-sur-_oups-et-da.patch | 72 ++ patches/0039-fix-mise-a-jour-de-l-cran-de-s-curit.patch | 42 + patches/0040-fix-envoyer-un-CSP-sandbox-sur-tous-les-documents-de.patch | 27 patches/0041-fix-appliquer-_TRAITEMENT_TYPO-sur-le-champs-CREDITS.patch | 76 ++ patches/0042-fix-ajouter-une-class-wysiwyg-sur-les-zones-ou-l-on-.patch | 53 + patches/0043-fix-securisation-du-formulaire-d-upload-d-un-plugin-.patch | 279 ++++++++++ patches/0044-fix-Les-champs-password-sont-obligatoires.-Suite-de-.patch | 36 + patches/0045-fix-D-placer-le-champ-password-en-t-te-pour-viter-qu.patch | 76 ++ patches/series | 12 14 files changed, 857 insertions(+) diff -Nru spip-3.2.11/debian/changelog spip-3.2.11/debian/changelog --- spip-3.2.11/debian/changelog 2022-05-24 14:22:53.000000000 +0000 +++ spip-3.2.11/debian/changelog 2022-07-22 18:07:47.000000000 +0000 
@@ -1,3 +1,11 @@
+spip (3.2.11-3+deb11u5) bullseye-security; urgency=medium
+
+ * Backport security fixes from 3.2.16
+ - Remote code execution
+ - XSS alowing priviledge escalation
+
+ -- David Prévot Fri, 22 Jul 2022 20:07:47 +0200
+
 spip (3.2.11-3+deb11u4) bullseye-security; urgency=high
 
 * Backport security fix from 3.2.15
diff -Nru spip-3.2.11/debian/patches/0034-fix-spip-team-securite-4831-Lever-le-flag-espace_pri.patch spip-3.2.11/debian/patches/0034-fix-spip-team-securite-4831-Lever-le-flag-espace_pri.patch
--- spip-3.2.11/debian/patches/0034-fix-spip-team-securite-4831-Lever-le-flag-espace_pri.patch 1970-01-01 00:00:00.000000000 +0000
+++ spip-3.2.11/debian/patches/0034-fix-spip-team-securite-4831-Lever-le-flag-espace_pri.patch 2022-07-22 18:07:47.000000000 +0000
@@ -0,0 +1,28 @@
+From: Cerdic
+Date: Mon, 23 May 2022 17:10:14 +0200
+Subject: =?utf-8?q?fix=28spip-team/securite=234831=29_Lever_le_flag_=60espa?=
+ =?utf-8?q?ce=5Fprive=3D1=60_quand_on_calcule_un_traitement_via_la_balise_?=
+ =?utf-8?q?=60=23INFO=5F=60_dans_l=27espace_prive=2C_pour_bien_avoir_tous_l?=
+ =?utf-8?q?es_traitements_n=C3=A9c=C3=A9ssaires?=
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/444220ba68ce6c5ca23e83499fdb81af6fa0385c
+---
+ ecrire/inc/filtres.php | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/ecrire/inc/filtres.php b/ecrire/inc/filtres.php
+index e4c56e5..d74b082 100644
+--- a/ecrire/inc/filtres.php
++++ b/ecrire/inc/filtres.php
+@@ -4495,6 +4495,11 @@ function appliquer_traitement_champ($texte, $champ, $table_objet = '', $env = ar
+ 
+ $traitement = str_replace('%s', "'" . texte_script($texte) . "'", $traitement);
+ 
++ // signaler qu'on est dans l'espace prive pour les filtres qui se servent de ce flag
++ if (test_espace_prive()) {
++ $env['espace_prive'] = 1;
++ }
++
+ // Fournir $connect et $Pile[0] au traitement si besoin
+ $Pile = array(0 => $env);
+ eval("\$texte = $traitement;");
diff -Nru spip-3.2.11/debian/patches/0035-feat-une-fonction-auth_controler_password_auteur_con.patch spip-3.2.11/debian/patches/0035-feat-une-fonction-auth_controler_password_auteur_con.patch
--- spip-3.2.11/debian/patches/0035-feat-une-fonction-auth_controler_password_auteur_con.patch 1970-01-01 00:00:00.000000000 +0000
+++ spip-3.2.11/debian/patches/0035-feat-une-fonction-auth_controler_password_auteur_con.patch 2022-07-22 18:07:47.000000000 +0000
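Review bot: The new `espace_prive` flag is only ever raised, never cleared, so a caller-supplied `$env['espace_prive']` passes through unchanged outside the private area; that looks intentional but nothing says so, and the ordering is load-bearing because `$env` is copied into `$Pile[0]` two lines later for the traitement to read. Suggest `// must run before $Pile is built: the traitement reads the flag from $Pile[0]` on the new block, and a line in appliquer_traitement_champ's docblock (outside the hunk) stating that `espace_prive` is forced to 1 whenever test_espace_prive() is true. The function body, including the `eval()` of `$traitement` that follows, continues outside the hunk.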
@@ -0,0 +1,51 @@
+From: Cerdic
+Date: Thu, 7 Jul 2022 17:52:08 +0200
+Subject: =?utf-8?q?feat=3A_une_fonction_=60auth=5Fcontroler=5Fpassword=5Fau?=
+ =?utf-8?q?teur=5Fconnecte=28=29=60_pour_contr=C3=B4ler_facilement_le_passw?=
+ =?utf-8?q?ord_de_l=27auteur_connect=C3=A9?=
+
+Refs: https://git.spip.net/spip-team/securite/issues/4832 https://git.spip.net/spip-team/securite/issues/4833
+
+Cherry-picked from: c994fa734fc9b50ee4dfdc4b8ec502e60001cd29
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/eba0c9413a32923b879d2a48893e1222dc05d4b3
+---
+ ecrire/inc/auth.php | 25 +++++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+diff --git a/ecrire/inc/auth.php b/ecrire/inc/auth.php
+index 89780eb..29facdb 100644
+--- a/ecrire/inc/auth.php
++++ b/ecrire/inc/auth.php
+@@ -64,6 +64,31 @@ function inc_auth_dist() {
+ return $n ? $n : 1;
+ }
+ 
++/**
++ * Vérifier qu'un mot de passe saisi pour confirmer une action est bien celui de l'auteur connecté
++ * @param string $password
++ * @return bool
++ */
++function auth_controler_password_auteur_connecte(string $password): bool {
++
++ if (
++ empty($GLOBALS['visiteur_session']['id_auteur'])
++ or empty($GLOBALS['visiteur_session']['login'])
++ ) {
++ return false;
++ }
++
++ $auth = auth_identifier_login($GLOBALS['visiteur_session']['login'], $password);
++ if (
++ is_array($auth)
++ and $auth['id_auteur'] == $GLOBALS['visiteur_session']['id_auteur']
++ ) {
++ return true;
++ }
++
++ return false;
++}
++
+ /**
+ * fonction appliquee par ecrire/index sur le resultat de la precedente
+ * en cas de refus de connexion.
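Review bot: `$auth['id_auteur'] == $GLOBALS['visiteur_session']['id_auteur']` compares with loose `==`; the two sides may be an int and a string here, and on PHP 7 (what bullseye ships) a numeric-prefix string compares equal to the number. `and (int) $auth['id_auteur'] === (int) $GLOBALS['visiteur_session']['id_auteur']` pins the check to the id. The docblock could also spell out the contract the form verifiers rely on: it returns false rather than throwing when nobody is logged in or the session lacks a login, and a true result means the password matched the session's own author, not merely some author.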
diff -Nru spip-3.2.11/debian/patches/0036-fix-ne-pas-faire-tourner-les-aleas-et-le-hash-du-pas.patch spip-3.2.11/debian/patches/0036-fix-ne-pas-faire-tourner-les-aleas-et-le-hash-du-pas.patch --- spip-3.2.11/debian/patches/0036-fix-ne-pas-faire-tourner-les-aleas-et-le-hash-du-pas.patch 1970-01-01 00:00:00.000000000 +0000 +++ spip-3.2.11/debian/patches/0036-fix-ne-pas-faire-tourner-les-aleas-et-le-hash-du-pas.patch 2022-07-22 18:07:47.000000000 +0000 
@@ -0,0 +1,40 @@ +From: Cerdic +Date: Tue, 12 Jul 2022 09:49:34 +0200 +Subject: =?utf-8?q?fix=3A_ne_pas_faire_tourner_les_aleas_et_le_hash_du_pass?= + =?utf-8?q?word_quand_on_veririe_le_pass_de_l=27auteur_connecte=2C_car_cela?= + =?utf-8?q?_invalide_les_signatures_de_formulaire_et_provoque_des_petits_bu?= + =?utf-8?q?gs_de_comportement_en_cas_o=C3=B9_il_y_a_une_autre_erreur_sur_le?= + =?utf-8?q?_formulaire?= + +Origin: upstream, https://git.spip.net/spip/spip/commit/026ff873e50cc1b4d1a76bf0234a13f7c89b8712 +--- + ecrire/inc/auth.php | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/ecrire/inc/auth.php b/ecrire/inc/auth.php +index 29facdb..12fc4ce 100644 +--- a/ecrire/inc/auth.php ++++ b/ecrire/inc/auth.php +@@ -78,7 +78,7 @@ function auth_controler_password_auteur_connecte(string $password): bool { + return false; + } + +- $auth = auth_identifier_login($GLOBALS['visiteur_session']['login'], $password); ++ $auth = auth_identifier_login($GLOBALS['visiteur_session']['login'], $password, '', true); + if ( + is_array($auth) + and $auth['id_auteur'] == $GLOBALS['visiteur_session']['id_auteur'] +@@ -517,11 +517,11 @@ function auth_informer_login($login, $serveur = '') { + * @param string $serveur + * @return mixed + */ +-function auth_identifier_login($login, $password, $serveur = '') { ++function auth_identifier_login($login, $password, $serveur = '', bool $phpauth = false) { + $erreur = ''; + foreach ($GLOBALS['liste_des_authentifications'] as $methode) { + if ($auth = charger_fonction($methode, 'auth', true)) { +- $auteur = $auth($login, $password, $serveur); ++ $auteur = $auth($login, $password, $serveur, $phpauth); + if (is_array($auteur) and count($auteur)) { + spip_log("connexion de $login par methode $methode"); + $auteur['auth'] = $methode; diff -Nru spip-3.2.11/debian/patches/0037-fix-Signaler-visuellement-les-liens-javascript-dans-.patch spip-3.2.11/debian/patches/0037-fix-Signaler-visuellement-les-liens-javascript-dans-.patch --- 
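Review bot: `auth_identifier_login()` gains a fourth parameter but its docblock, visible just above the signature (`* @param string $serveur` / `* @return mixed`), is not updated; add `* @param bool $phpauth true to only verify the password, without rotating the alea or the password hash`, which is what the commit subject describes. The new argument is forwarded to every method in `$GLOBALS['liste_des_authentifications']` as `$auth($login, $password, $serveur, $phpauth)`; PHP silently accepts an extra argument, so a method that does not declare `$phpauth` keeps its old behaviour and will still rotate — worth confirming for the auth methods shipped in this version, none of which the patch touches. The foreach body of auth_identifier_login continues outside the inner hunk.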
spip-3.2.11/debian/patches/0037-fix-Signaler-visuellement-les-liens-javascript-dans-.patch 1970-01-01 00:00:00.000000000 +0000 +++ spip-3.2.11/debian/patches/0037-fix-Signaler-visuellement-les-liens-javascript-dans-.patch 2022-07-22 18:07:47.000000000 +0000 
@@ -0,0 +1,57 @@ +From: Cerdic +Date: Tue, 12 Jul 2022 10:51:41 +0200 +Subject: fix: Signaler visuellement les liens javascript dans les zones + editoriales #wysiwyg ou .wysiwyg + +Refs: https://git.spip.net/spip-team/securite/issues/4833 + +Origin: upstream, https://git.spip.net/spip/spip/commit/2e71a65968f1decc760e47b13b19310b0bbfaf02 +--- + prive/themes/spip/content.css.html | 29 ++++++++++++++++++++++++++--- + 1 file changed, 26 insertions(+), 3 deletions(-) + +diff --git a/prive/themes/spip/content.css.html b/prive/themes/spip/content.css.html +index 68cf7a1..a01a2b3 100644 +--- a/prive/themes/spip/content.css.html ++++ b/prive/themes/spip/content.css.html +@@ -51,8 +51,31 @@ img.lang { width: 12px; height: 12px; border: 0; } + + .chapo { font-weight: bold; color: #333; } + +-#wysiwyg a { /*color: #604A7F;*/ text-decoration: underline; } +-#wysiwyg a:hover { /*color: #f57900;*/ text-decoration: underline; } ++#wysiwyg a, .wysiwyg a { /*color: #604A7F;*/ text-decoration: underline; } ++#wysiwyg a:hover, .wysiwyg a:hover { /*color: #f57900;*/ text-decoration: underline; } ++ ++/* Signaler les liens JS suspect */ ++#wysiwyg a[href*="javascript:"], ++.wysiwyg a[href*="javascript:"] { ++ background: yellow; ++ pointer-events: none; ++} ++#wysiwyg a[href*="javascript:"]:after, ++.wysiwyg a[href*="javascript:"]:after { ++ display: inline-block; ++ content: attr(href); ++ margin-left: 0.25em; ++ font-family: 'lucida console',monospace; ++ font-size: 0.85em; ++ font-weight: normal; ++} ++#wysiwyg a[href*="javascript:"]:before, ++.wysiwyg a[href*="javascript:"]:before { ++ display: inline; ++ content: "⚠️"; ++ margin-right: 0.25em; ++ text-decoration: none; ++} + + .boutonlien { font-weight: bold; font-size: 9px; } + a.boutonlien:hover { color: #454545; text-decoration: none; } +@@ -165,4 +188,4 @@ li .puce_article_popup, li.puce_breve_popup,li.puce_site_popup { padding: 0; }*/ + h2.titrem { display: block; padding-top: 6px; padding-bottom: 4px; background-repeat: 
no-repeat;padding-[(#ENV{left})]:16px;background-color: #ENV{claire};font-size:14px;} + + .aide .contenu-aide,.box_mediabox .contenu-aide {padding-top:[(#ENV{margin-bottom}|strmult{1.0})em];} +-.box_mediabox .contenu-aide {min-width:450px;margin-right: 15px;} +\ No newline at end of file ++.box_mediabox .contenu-aide {min-width:450px;margin-right: 15px;} diff -Nru spip-3.2.11/debian/patches/0038-fix-utiliser-un-base64_decode-strict-sur-_oups-et-da.patch spip-3.2.11/debian/patches/0038-fix-utiliser-un-base64_decode-strict-sur-_oups-et-da.patch --- spip-3.2.11/debian/patches/0038-fix-utiliser-un-base64_decode-strict-sur-_oups-et-da.patch 1970-01-01 00:00:00.000000000 +0000 +++ spip-3.2.11/debian/patches/0038-fix-utiliser-un-base64_decode-strict-sur-_oups-et-da.patch 2022-07-22 18:07:47.000000000 +0000 @@ -0,0 +1,72 @@ +From: Cerdic +Date: Tue, 12 Jul 2022 11:18:06 +0200 +Subject: fix: utiliser un base64_decode strict sur _oups et dans tous les cas + echapper son contenu par entites_html + ignorer l'argument en request si le + formulaire n'est pas editable + retablir la securite sur #ENV{_oups} vu que + c'est un base64 qui ne sera modifie par aucune fonction d'echappement + +Refs: https://git.spip.net/spip-team/securite/issues/4835 + +Origin: upstream, https://git.spip.net/spip/spip/commit/18b4b253347312650a92e3836437f2f40794c042 +--- + prive/formulaires/editer_liens.html | 2 +- + prive/formulaires/editer_liens.php | 26 +++++++++++++++----------- + 2 files changed, 16 insertions(+), 12 deletions(-) + +diff --git a/prive/formulaires/editer_liens.html b/prive/formulaires/editer_liens.html +index d0f5a35..ee95e59 100644 +--- a/prive/formulaires/editer_liens.html ++++ b/prive/formulaires/editer_liens.html +@@ -11,7 +11,7 @@ + ] + + +- [
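Review bot: `a[href*="javascript:"]` is a case-sensitive substring match, so an href spelled with different casing is not highlighted; the Selectors Level 4 case-insensitivity flag, `#wysiwyg a[href*="javascript:" i], .wysiwyg a[href*="javascript:" i]`, is widely supported and closes that gap. `pointer-events: none` suppresses pointer activation only — keyboard activation still follows the link — so this is a warning marker, not a block, and a comment next to `/* Signaler les liens JS suspect */` saying `/* visual warning only: does not prevent activation, the content must still be cleaned */` would keep the next maintainer from over-trusting it.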
] ++ [
] + + [(#ENV{visible,0}|et{#ENV{editable}}|oui) +
+diff --git a/prive/formulaires/editer_liens.php b/prive/formulaires/editer_liens.php +index 426642c..c6ded18 100644 +--- a/prive/formulaires/editer_liens.php ++++ b/prive/formulaires/editer_liens.php +@@ -127,16 +127,20 @@ function formulaires_editer_liens_charger_dist($a, $b, $c, $options = array()) { + $skel_ajout = $table_source . '_roles_associer'; + } + +- $oups = _request('_oups'); +- if (unserialize(base64_decode($oups))) { +- // on est bon, rien a faire +- } +- elseif(unserialize($oups)) { +- // il faut encoder +- $oups = base64_encode($oups); +- } +- else { +- $oups = ''; ++ $oups = ''; ++ if ($editable) { ++ $oups = _request('_oups'); ++ $oups = $oups ? $oups : ''; ++ if ($oups) { ++ if (unserialize(base64_decode($oups, true))) { ++ // on est bon, rien a faire ++ } elseif (unserialize($oups)) { ++ // il faut encoder ++ $oups = base64_encode($oups); ++ } else { ++ $oups = ''; ++ } ++ } + } + $valeurs = array( + 'id' => "$table_source-$objet-$id_objet-$objet_lien", // identifiant unique pour les id du form +@@ -154,7 +158,7 @@ function formulaires_editer_liens_charger_dist($a, $b, $c, $options = array()) { + 'supprimer_lien' => '', + 'qualifier_lien' => '', + '_roles' => $roles, # description des roles +- '_oups' => $oups, ++ '_oups' => entites_html($oups), + 'editable' => $editable, + ); + diff -Nru spip-3.2.11/debian/patches/0039-fix-mise-a-jour-de-l-cran-de-s-curit.patch spip-3.2.11/debian/patches/0039-fix-mise-a-jour-de-l-cran-de-s-curit.patch --- spip-3.2.11/debian/patches/0039-fix-mise-a-jour-de-l-cran-de-s-curit.patch 1970-01-01 00:00:00.000000000 +0000 +++ spip-3.2.11/debian/patches/0039-fix-mise-a-jour-de-l-cran-de-s-curit.patch 2022-07-22 18:07:47.000000000 +0000 
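Review bot: Both `unserialize(base64_decode($oups, true))` and `unserialize($oups)` still run on request-controlled input whenever the form is editable; the commit tightens the base64 decoding but leaves `unserialize()` free to instantiate arbitrary classes. Since only the truthiness of the result is used here, `unserialize(base64_decode($oups, true), ['allowed_classes' => false])` (and the same option on the second call) keeps the validation while removing object instantiation. A short comment would also help: `base64_decode(..., true)` returns false on malformed input, which `unserialize()` then sees as an empty string and rejects, so the fall-through to `$oups = ''` is the intended path. formulaires_editer_liens_charger_dist continues outside the inner hunk.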
@@ -0,0 +1,42 @@
+From: Cerdic
+Date: Wed, 13 Jul 2022 16:00:42 +0200
+Subject: =?utf-8?b?Zml4OiBtaXNlIGEgam91ciBkZSBsJ8OpY3JhbiBkZSBzw6ljdXJpdMOp?=
+
+Refs: https://git.spip.net/spip-contrib-outils/securite/commit/43e9519d8371a7280f5794a942861ebb0471105f
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/7993f2a979b6729316755a42404044cc1577ee8b
+---
+ config/ecran_securite.php | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/config/ecran_securite.php b/config/ecran_securite.php
+index 773ae6c..be5ef4f 100644
+--- a/config/ecran_securite.php
++++ b/config/ecran_securite.php
+@@ -5,7 +5,7 @@
+ * ------------------
+ */
+ 
+-define('_ECRAN_SECURITE', '1.4.1'); // 2021-03-12
++define('_ECRAN_SECURITE', '1.4.2'); // 2022-07-12
+ 
+ /*
+ * Documentation : http://www.spip.net/fr_article4200.html
+@@ -542,6 +542,17 @@ if (isset($_REQUEST['connect'])
+ $ecran_securite_raison = "malformed connect argument";
+ }
+ 
++
++/*
++ * _oups donc
++ */
++if (
++ isset($_REQUEST['_oups'])
++ and base64_decode($_REQUEST['_oups'], true) === false) {
++ $ecran_securite_raison = "malformed _oups argument";
++}
++
++
+ /*
+ * S'il y a une raison de mourir, mourons
+ */
diff -Nru spip-3.2.11/debian/patches/0040-fix-envoyer-un-CSP-sandbox-sur-tous-les-documents-de.patch spip-3.2.11/debian/patches/0040-fix-envoyer-un-CSP-sandbox-sur-tous-les-documents-de.patch
--- spip-3.2.11/debian/patches/0040-fix-envoyer-un-CSP-sandbox-sur-tous-les-documents-de.patch 1970-01-01 00:00:00.000000000 +0000
+++ spip-3.2.11/debian/patches/0040-fix-envoyer-un-CSP-sandbox-sur-tous-les-documents-de.patch 2022-07-22 18:07:47.000000000 +0000
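Review bot: The new `_oups` screen assumes a string: when the request carries an array value, `base64_decode($_REQUEST['_oups'], true)` returns null with a warning on PHP 7 and throws a TypeError on PHP 8, so in neither case does `=== false` hold and `$ecran_securite_raison` stays unset. Rejecting non-strings explicitly covers both: `isset($_REQUEST['_oups']) and (!is_string($_REQUEST['_oups']) or base64_decode($_REQUEST['_oups'], true) === false)`. The comment `_oups donc` says nothing about why; `/* _oups must be strict base64: it is decoded and unserialized by editer_liens */` records the reason this screen exists.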
@@ -0,0 +1,27 @@
+From: Cerdic
+Date: Tue, 12 Jul 2022 18:14:49 +0200
+Subject: fix: envoyer un CSP sandbox sur tous les documents de IMG
+
+Refs: https://git.spip.net/spip-team/securite/issues/4832
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/793f28ac625c6991af70a0c344284d6f5a2b36ae
+---
+ htaccess.txt | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/htaccess.txt b/htaccess.txt
+index 7a2d7b3..ec4e51d 100644
+--- a/htaccess.txt
++++ b/htaccess.txt
+@@ -60,6 +60,11 @@ RewriteRule spip.php spip.php?page=ical_prive [QSA,L]
+ ###
+ # Si le fichier ou repertoire demande existe
+ # ignorer toutes les regles qui suivent
++
++ RewriteCond %{REQUEST_FILENAME} -f
++ RewriteRule ^IMG/ - [env=sandbox:sandbox,skip=100]
++ Header add Content-Security-Policy "sandbox" env=sandbox
++
+ RewriteCond %{REQUEST_FILENAME} -f
+ RewriteRule "." - [skip=100]
+ RewriteCond %{REQUEST_FILENAME} -d
diff -Nru spip-3.2.11/debian/patches/0041-fix-appliquer-_TRAITEMENT_TYPO-sur-le-champs-CREDITS.patch spip-3.2.11/debian/patches/0041-fix-appliquer-_TRAITEMENT_TYPO-sur-le-champs-CREDITS.patch
--- spip-3.2.11/debian/patches/0041-fix-appliquer-_TRAITEMENT_TYPO-sur-le-champs-CREDITS.patch 1970-01-01 00:00:00.000000000 +0000
+++ spip-3.2.11/debian/patches/0041-fix-appliquer-_TRAITEMENT_TYPO-sur-le-champs-CREDITS.patch 2022-07-22 18:07:47.000000000 +0000
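Review bot: `Header add Content-Security-Policy "sandbox" env=sandbox` requires mod_headers, and the hunk does not state that dependency; on a host without the module Apache rejects the whole .htaccess and every request under it fails, which is how the operator will discover it. Wrapping the line in `<IfModule mod_headers.c>` would avoid the outage but silently drops the sandbox, so the better fix is to name the requirement in the comment block above: `# needs mod_headers: files served from IMG/ get a CSP sandbox (presumably so uploaded documents cannot run script in the site's origin — confirm against the referenced issue)`. `Header set` rather than `add` would also avoid emitting a second CSP header where another layer already sets one.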
@@ -0,0 +1,76 @@ +From: Cerdic +Date: Thu, 7 Jul 2022 16:52:16 +0200 +Subject: =?utf-8?q?fix=3A_appliquer_=5FTRAITEMENT=5FTYPO_sur_le_champs_CRED?= + =?utf-8?q?ITS_et_renseigner_le_flag_espace=5Fprive_quand_on_affiche_la_lis?= + =?utf-8?q?te_des_documents_lies_a_un_objet=2C_afin_que_du_HTML_suspect_soi?= + =?utf-8?q?t_bien_signal=C3=A9_dans_l=27interface_d=27administration?= + +Refs: https://git.spip.net/spip-team/securite/issues/4832 + +Origin: upstream, https://git.spip.net/spip/medias/commit/526dcb7d2b9ab55dc3601e8240e1a0ab0f0039fd +--- + plugins-dist/medias/base/medias.php | 2 +- + plugins-dist/medias/inc/documenter_objet.php | 2 +- + plugins-dist/medias/modeles/document_desc.html | 2 +- + plugins-dist/medias/prive/squelettes/inclure/portfolio-documents.html | 4 ++-- + 4 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/plugins-dist/medias/base/medias.php b/plugins-dist/medias/base/medias.php +index d7b4ba1..cbcb2b3 100644 +--- a/plugins-dist/medias/base/medias.php ++++ b/plugins-dist/medias/base/medias.php +@@ -40,7 +40,7 @@ function medias_declarer_tables_interfaces($interfaces) { + $interfaces['table_date']['types_documents'] = 'date'; + + $interfaces['table_des_traitements']['FICHIER'][] = 'get_spip_doc(%s)'; +- ++ $interfaces['table_des_traitements']['CREDITS']['spip_documents'] = _TRAITEMENT_TYPO; + return $interfaces; + } + +diff --git a/plugins-dist/medias/inc/documenter_objet.php b/plugins-dist/medias/inc/documenter_objet.php +index 3fea81d..b75d161 100644 +--- a/plugins-dist/medias/inc/documenter_objet.php ++++ b/plugins-dist/medias/inc/documenter_objet.php +@@ -44,7 +44,7 @@ function inc_documenter_objet_dist($id, $type) { + $marquer_doublons_doc = charger_fonction('marquer_doublons_doc', 'inc'); + $marquer_doublons_doc($champs, $id, $type, $id_table_objet, $table_objet, $spip_table_objet, '', $serveur); + +- $contexte = array('objet' => $type, 'id_objet' => $id); ++ $contexte = array('objet' => $type, 'id_objet' => $id, 'espace_prive' 
=> test_espace_prive()); + + return recuperer_fond('prive/objets/contenu/portfolio_document', array_merge($_GET, $contexte)); + } +diff --git a/plugins-dist/medias/modeles/document_desc.html b/plugins-dist/medias/modeles/document_desc.html +index 6ffa763..f5c0dc3 100644 +--- a/plugins-dist/medias/modeles/document_desc.html ++++ b/plugins-dist/medias/modeles/document_desc.html +@@ -99,4 +99,4 @@ Distribue sous licence GPL + +
+
+- +\ No newline at end of file ++ +diff --git a/plugins-dist/medias/prive/squelettes/inclure/portfolio-documents.html b/plugins-dist/medias/prive/squelettes/inclure/portfolio-documents.html +index 2a877ec..19fd708 100644 +--- a/plugins-dist/medias/prive/squelettes/inclure/portfolio-documents.html ++++ b/plugins-dist/medias/prive/squelettes/inclure/portfolio-documents.html +@@ -16,7 +16,7 @@ + [

(#PAGINATION{prive})

] +
+ +- #MODELE{document_desc,id_document,id_objet,objet} ++ #MODELE{document_desc,id_document,id_objet,objet,espace_prive} + +
+ [

(#PAGINATION{prive})

] +@@ -58,7 +58,7 @@ + [

(#PAGINATION{prive})

] +
+ +- #MODELE{document_desc,id_document,id_objet,objet} ++ #MODELE{document_desc,id_document,id_objet,objet,espace_prive} + +
+ [

(#PAGINATION{prive})

] diff -Nru spip-3.2.11/debian/patches/0042-fix-ajouter-une-class-wysiwyg-sur-les-zones-ou-l-on-.patch spip-3.2.11/debian/patches/0042-fix-ajouter-une-class-wysiwyg-sur-les-zones-ou-l-on-.patch --- spip-3.2.11/debian/patches/0042-fix-ajouter-une-class-wysiwyg-sur-les-zones-ou-l-on-.patch 1970-01-01 00:00:00.000000000 +0000 +++ spip-3.2.11/debian/patches/0042-fix-ajouter-une-class-wysiwyg-sur-les-zones-ou-l-on-.patch 2022-07-22 18:07:47.000000000 +0000 @@ -0,0 +1,53 @@ +From: Cerdic +Date: Tue, 12 Jul 2022 10:46:56 +0200 +Subject: fix: ajouter une class wysiwyg sur les zones ou l'on affiche CREDITS + et/ou DESCRIPTIF pour permettre le signalement de liens js + +Refs: https://git.spip.net/spip-team/securite/issues/4833 + +Origin: upstream, https://git.spip.net/spip/medias/commit/8014d6ddb28f1b06948f6d74cc1f3f0e2b1de715 +--- + plugins-dist/medias/modeles/document_desc.html | 2 +- + plugins-dist/medias/prive/squelettes/inclure/mediatheque-choisir.html | 2 +- + plugins-dist/medias/prive/squelettes/inclure/mediatheque-galerie.html | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/plugins-dist/medias/modeles/document_desc.html b/plugins-dist/medias/modeles/document_desc.html +index f5c0dc3..7f98415 100644 +--- a/plugins-dist/medias/modeles/document_desc.html ++++ b/plugins-dist/medias/modeles/document_desc.html +@@ -10,7 +10,7 @@ Distribue sous licence GPL +
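Review bot: `'espace_prive' => test_espace_prive()` is put in `$contexte`, the second argument of `array_merge($_GET, $contexte)`, so it overrides any `espace_prive` key sent in the query string; that ordering is the property the fix depends on and deserves a comment, e.g. `// $contexte wins over $_GET: espace_prive must not be settable from the request`. The new `CREDITS` treatment is registered only for `spip_documents` (`['CREDITS']['spip_documents']`), unlike `FICHIER` on the line above which is table-independent; if that scoping is deliberate a one-line comment would save the next backport from "fixing" it. inc_documenter_objet_dist continues outside the inner hunk.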
+ [
(#LOGO_DOCUMENT{#URL_DOCUMENT,150,150})
] + +-
++
+

+ [(#VU|=={oui}|oui)<:medias:document_vu|attribut_html:> ] + +diff --git a/plugins-dist/medias/prive/squelettes/inclure/mediatheque-choisir.html b/plugins-dist/medias/prive/squelettes/inclure/mediatheque-choisir.html +index aca3501..68f844c 100644 +--- a/plugins-dist/medias/prive/squelettes/inclure/mediatheque-choisir.html ++++ b/plugins-dist/medias/prive/squelettes/inclure/mediatheque-choisir.html +@@ -63,7 +63,7 @@ + [(#TOTAL_BOUCLE|>{1}|oui)

] + + +- ++ + [(#TITRE|sinon{#VAL{}|concat{<:info_sans_titre:>,''}})] + [
(#DESCRIPTIF)
] + [

(#CREDITS)

] +diff --git a/plugins-dist/medias/prive/squelettes/inclure/mediatheque-galerie.html b/plugins-dist/medias/prive/squelettes/inclure/mediatheque-galerie.html +index 95f7687..5a1c15e 100644 +--- a/plugins-dist/medias/prive/squelettes/inclure/mediatheque-galerie.html ++++ b/plugins-dist/medias/prive/squelettes/inclure/mediatheque-galerie.html +@@ -75,7 +75,7 @@ + [(#TOTAL_BOUCLE|>{1}|oui)
] + + +- ++ + [(#TITRE|sinon{#VAL{}|concat{<:info_sans_titre:>,''}})] + [
(#DESCRIPTIF)
] + [

(#CREDITS)

] diff -Nru spip-3.2.11/debian/patches/0043-fix-securisation-du-formulaire-d-upload-d-un-plugin-.patch spip-3.2.11/debian/patches/0043-fix-securisation-du-formulaire-d-upload-d-un-plugin-.patch --- spip-3.2.11/debian/patches/0043-fix-securisation-du-formulaire-d-upload-d-un-plugin-.patch 1970-01-01 00:00:00.000000000 +0000 +++ spip-3.2.11/debian/patches/0043-fix-securisation-du-formulaire-d-upload-d-un-plugin-.patch 2022-07-22 18:07:47.000000000 +0000 
@@ -0,0 +1,279 @@ +From: Cerdic +Date: Thu, 7 Jul 2022 17:54:24 +0200 +Subject: =?utf-8?q?fix=3A_securisation_du_formulaire_d=27upload_d=27un_plug?= + =?utf-8?q?in_depuis_un_zip_arbitraire_ainsi_que_du_formulaire_d=27ajout_de?= + =?utf-8?q?_nouveaux_d=C3=A9pots_=3B_dans_les_2_cas_on_demande_au_webmestre?= + =?utf-8?q?_de_saisir_son_mot_de_passe_pour_securiser_l=27action?= + +Refs: https://git.spip.net/spip-team/securite/issues/4832 et https://git.spip.net/spip-team/securite/issues/4833 + +Origin: upstream, https://git.spip.net/spip/svp/commit/7ddc9b59b7f3824f06ff4c55fdb5e4e45d30aa4c +--- + plugins-dist/svp/action/teleporter.php | 3 + + plugins-dist/svp/formulaires/ajouter_depot.html | 12 +++- + plugins-dist/svp/formulaires/ajouter_depot.php | 52 +++++++++++++---- + .../svp/formulaires/charger_plugin_archive.html | 18 ++++-- + .../svp/formulaires/charger_plugin_archive.php | 65 ++++++++++++++-------- + plugins-dist/svp/lang/svp_fr.php | 1 + + 6 files changed, 108 insertions(+), 43 deletions(-) + +diff --git a/plugins-dist/svp/action/teleporter.php b/plugins-dist/svp/action/teleporter.php +index 4e3e4e9..c4a69b6 100644 +--- a/plugins-dist/svp/action/teleporter.php ++++ b/plugins-dist/svp/action/teleporter.php +@@ -32,6 +32,9 @@ function action_teleporter_composant_dist($methode, $source, $dest, $options = a + if (!preg_match(',' . substr(_DIR_LIB, 0, -1) . 
',', $dest) && !_DIR_PLUGINS_AUTO) { + die('Vous ne pouvez pas télécharger, absence de _DIR_PLUGINS_AUTO'); + } ++ if (!autoriser('ajouter', '_plugins')){ ++ return _T('svp:erreur_teleporter_chargement_source_impossible', ['source' => $source]); ++ } + + // verifier que la methode est connue + if (!$teleporter = charger_fonction($methode, "teleporter", true)) { +diff --git a/plugins-dist/svp/formulaires/ajouter_depot.html b/plugins-dist/svp/formulaires/ajouter_depot.html +index 8e0926a..cbb88dc 100644 +--- a/plugins-dist/svp/formulaires/ajouter_depot.html ++++ b/plugins-dist/svp/formulaires/ajouter_depot.html +@@ -19,14 +19,20 @@ + <:svp:info_adresse_spipzone:> +

+ [(#ENV{erreurs}|table_valeur{xml_paquets})] +- ++ ++
++
++ ++ [(#ENV**{erreurs/password})] ++ ++

<:svp:explication_mot_passe:>

+
+ +- ++ +

+ +

+ + + ] +- +\ No newline at end of file ++ +diff --git a/plugins-dist/svp/formulaires/ajouter_depot.php b/plugins-dist/svp/formulaires/ajouter_depot.php +index 3daa180..cafbcb2 100644 +--- a/plugins-dist/svp/formulaires/ajouter_depot.php ++++ b/plugins-dist/svp/formulaires/ajouter_depot.php +@@ -20,7 +20,12 @@ if (!defined("_ECRIRE_INC_VERSION")) { + **/ + function formulaires_ajouter_depot_charger_dist() { + // On ne renvoie pas les valeurs saisies mais on fait un raz systematique +- return array(); ++ ++ $nb = (int)sql_countsel('spip_depots'); ++ return array( ++ 'xml_paquets' => $nb ? '' : "https://plugins.spip.net/depots/principal.xml", ++ 'password' => '', ++ ); + } + + /** +@@ -36,17 +41,40 @@ function formulaires_ajouter_depot_charger_dist() { + function formulaires_ajouter_depot_verifier_dist() { + + $erreurs = array(); +- $xml = trim(_request('xml_paquets')); + +- if (!$xml) { +- // L'url est obligatoire +- $erreurs['xml_paquets'] = _T('svp:message_nok_champ_obligatoire'); +- } elseif (!svp_verifier_adresse_depot($xml)) { +- // L'url n'est pas correcte, le fichier xml n'a pas ete trouve +- $erreurs['xml_paquets'] = _T('svp:message_nok_url_depot_incorrecte', array('url' => $xml)); +- } elseif (sql_countsel('spip_depots', 'xml_paquets=' . 
sql_quote($xml))) { +- // L'url est deja ajoutee +- $erreurs['xml_paquets'] = _T('svp:message_nok_depot_deja_ajoute', array('url' => $xml)); ++ if (!autoriser('ajouter', '_depots')) { ++ $erreurs['message_erreur'] = _T('svp:erreur_teleporter_chargement_source_impossible', ['source' => '']); ++ } ++ else { ++ if (empty($password = _request('password'))) { ++ $erreurs['password'] = _T('info_obligatoire'); ++ } ++ else { ++ include_spip('inc/auth'); ++ if (!auth_controler_password_auteur_connecte($password)) { ++ $erreurs['message_erreur'] = _T('svp:erreur_teleporter_chargement_source_impossible', ['source' => '']); ++ } ++ } ++ ++ $xml = trim(_request('xml_paquets')); ++ if (!$xml){ ++ // L'url est obligatoire ++ $erreurs['xml_paquets'] = _T('svp:message_nok_champ_obligatoire'); ++ } ++ ++ if (empty($erreurs)) { ++ if (!svp_verifier_adresse_depot($xml)) { ++ // L'url n'est pas correcte, le fichier xml n'a pas ete trouve ++ $erreurs['xml_paquets'] = _T('svp:message_nok_url_depot_incorrecte', ['url' => $xml]); ++ } elseif (sql_countsel('spip_depots', 'xml_paquets=' . sql_quote($xml))) { ++ // L'url est deja ajoutee ++ $erreurs['xml_paquets'] = _T('svp:message_nok_depot_deja_ajoute', ['url' => $xml]); ++ } ++ } ++ ++ } ++ if (count($erreurs)) { ++ set_request('password'); + } + + return $erreurs; +@@ -81,7 +109,9 @@ function formulaires_ajouter_depot_traiter_dist() { + } else { + $retour['message_ok'] = _T('svp:message_ok_depot_ajoute', array('url' => $xml)); + spip_log("ACTION AJOUTER DEPOT (manuel) : url = " . $xml, 'svp_actions.' . _LOG_INFO); ++ set_request('xml_paquets'); + } ++ set_request('password'); + $retour['editable'] = true; + + return $retour; +diff --git a/plugins-dist/svp/formulaires/charger_plugin_archive.html b/plugins-dist/svp/formulaires/charger_plugin_archive.html +index aafc243..8f139dd 100644 +--- a/plugins-dist/svp/formulaires/charger_plugin_archive.html ++++ b/plugins-dist/svp/formulaires/charger_plugin_archive.html +@@ -1,4 +1,4 @@ +-
++
+

<:svp:titre_form_charger_plugin_archive:>

+ + [

(#ENV*{message_ok})

] +@@ -12,16 +12,22 @@ + +

<:svp:telecharger_archive_plugin_explication:>

+
+-
++
+ +- [(#ENV{erreurs/archive})] +- ++ [(#ENV**{erreurs/archive})] ++ +
+
+ +- [(#ENV{erreurs/destination})] ++ [(#ENV**{erreurs/destination})] ++ +

<:svp:explication_destination:>

+- ++
++
++ ++ [(#ENV**{erreurs/password})] ++ ++

<:svp:explication_mot_passe:>

+
+
+

+diff --git a/plugins-dist/svp/formulaires/charger_plugin_archive.php b/plugins-dist/svp/formulaires/charger_plugin_archive.php +index 3565c49..f743cef 100644 +--- a/plugins-dist/svp/formulaires/charger_plugin_archive.php ++++ b/plugins-dist/svp/formulaires/charger_plugin_archive.php +@@ -21,7 +21,8 @@ if (!defined("_ECRIRE_INC_VERSION")) { + function formulaires_charger_plugin_archive_charger_dist() { + return array( + 'archive' => '', +- 'destination' => '' ++ 'destination' => '', ++ 'password' => '' + ); + } + +@@ -37,33 +38,51 @@ function formulaires_charger_plugin_archive_charger_dist() { + function formulaires_charger_plugin_archive_verifier_dist() { + include_spip('inc/plugin'); // _DIR_PLUGINS_AUTO + $erreurs = array(); +- if (!$archive = _request('archive')) { +- $erreurs['archive'] = _T('info_obligatoire'); +- } else { +- // Validité de l'url de l'archive +- $infos_archive = pathinfo($archive); +- if (!isset($infos_archive['extension'])) { +- $erreurs['archive'] = _T('svp:message_nok_url_archive'); ++ ++ if (!autoriser('ajouter', '_plugins')) { ++ $erreurs['message_erreur'] = _T('svp:erreur_teleporter_chargement_source_impossible', ['source' => '']); ++ } ++ else { ++ ++ if (!$archive = _request('archive')) { ++ $erreurs['archive'] = _T('info_obligatoire'); + } else { +- // calcul du répertoire de destination +- if (!$destination = _request('destination')) { +- $destination = $infos_archive['filename']; ++ // Validité de l'url de l'archive ++ $infos_archive = pathinfo($archive); ++ if (!isset($infos_archive['extension'])) { ++ $erreurs['archive'] = _T('svp:message_nok_url_archive'); ++ } else { ++ // calcul du répertoire de destination ++ if (!$destination = _request('destination')) { ++ $destination = $infos_archive['filename']; ++ } ++ $destination = str_replace('../', '', $destination); ++ set_request('destination', $destination); ++ ++ // si la destination existe, on demande confirmation de l'ecrasement. ++ $dir = _DIR_PLUGINS_AUTO . 
$destination; ++ if (is_dir($dir) and !_request('confirmer')) { ++ $base = dirname($dir); ++ $nom = basename($dir); ++ $backup = "$base/.$nom.bck"; ++ $erreurs['confirmer'] = _T('svp:confirmer_telecharger_dans', [ ++ 'dir' => joli_repertoire($dir), ++ 'dir_backup' => joli_repertoire($backup) ++ ]); ++ } + } +- $destination = str_replace('../', '', $destination); +- set_request('destination', $destination); ++ } + +- // si la destination existe, on demande confirmation de l'ecrasement. +- $dir = _DIR_PLUGINS_AUTO . $destination; +- if (is_dir($dir) and !_request('confirmer')) { +- $base = dirname($dir); +- $nom = basename($dir); +- $backup = "$base/.$nom.bck"; +- $erreurs['confirmer'] = _T("svp:confirmer_telecharger_dans", array( +- 'dir' => joli_repertoire($dir), +- 'dir_backup' => joli_repertoire($backup) +- )); ++ if (empty($password = _request('password'))) { ++ $erreurs['password'] = _T('info_obligatoire'); ++ } ++ else { ++ include_spip('inc/auth'); ++ if (!auth_controler_password_auteur_connecte($password)) { ++ $erreurs['message_erreur'] = _T('svp:erreur_teleporter_chargement_source_impossible', ['source' => '']); + } + } ++ + } + + return $erreurs; +diff --git a/plugins-dist/svp/lang/svp_fr.php b/plugins-dist/svp/lang/svp_fr.php +index a8aaaf3..1336c07 100644 +--- a/plugins-dist/svp/lang/svp_fr.php ++++ b/plugins-dist/svp/lang/svp_fr.php +@@ -95,6 +95,7 @@ $GLOBALS[$GLOBALS['idx_lang']] = array( + 'erreur_teleporter_type_fichier_inconnu' => 'Type de fichier inconnu pour la source @source@', + 'erreurs_xml' => 'Impossible de lire certaines descriptions XML', + 'explication_destination' => 'Le chemin sera calculé depuis le nom de l’archive si vous ne le remplissez pas.', ++ 'explication_mot_passe' => 'Saisissez votre mot de passe pour sécuriser l\'installation', + + // F + 'fieldset_debug' => 'Débug', diff -Nru spip-3.2.11/debian/patches/0044-fix-Les-champs-password-sont-obligatoires.-Suite-de-.patch 
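Review bot: In formulaires_charger_plugin_archive_verifier_dist, `$destination = str_replace('../', '', $destination);` is a single-pass strip that is not idempotent, so a crafted value can still contain `..` after it and is then used as `_DIR_PLUGINS_AUTO . $destination` and as the `joli_repertoire()` backup path; the commit moves this line but does not harden it. Rejecting instead of rewriting is the safer check: `if ($destination !== basename($destination) or strpos($destination, '..') !== false) { $erreurs['destination'] = _T('svp:message_nok_url_archive'); }` (with a dedicated lang key rather than the archive one) placed before the `set_request('destination', ...)` call. Both verifier functions also report a wrong password through `svp:erreur_teleporter_chargement_source_impossible` with an empty `source`, which tells the webmaster nothing about what failed; a specific lang key next to the new `explication_mot_passe` entry would be clearer, while the order in ajouter_depot — password verified before `svp_verifier_adresse_depot($xml)` fetches the URL — is the right one and worth a comment. The inner hunks end at `return $erreurs;`, before each function's closing brace.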
spip-3.2.11/debian/patches/0044-fix-Les-champs-password-sont-obligatoires.-Suite-de-.patch --- spip-3.2.11/debian/patches/0044-fix-Les-champs-password-sont-obligatoires.-Suite-de-.patch 1970-01-01 00:00:00.000000000 +0000 +++ spip-3.2.11/debian/patches/0044-fix-Les-champs-password-sont-obligatoires.-Suite-de-.patch 2022-07-22 18:07:47.000000000 +0000 @@ -0,0 +1,36 @@ +From: Matthieu Marcillaud +Date: Tue, 12 Jul 2022 17:03:33 +0200 +Subject: fix: Les champs password sont obligatoires. Suite de bf5756e + +Origin: upstream, https://git.spip.net/spip/svp/commit/c1e8d0e396332447d1df1cc10daacc9ce11b363b +--- + plugins-dist/svp/formulaires/ajouter_depot.html | 2 +- + plugins-dist/svp/formulaires/charger_plugin_archive.html | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/plugins-dist/svp/formulaires/ajouter_depot.html b/plugins-dist/svp/formulaires/ajouter_depot.html +index cbb88dc..4e0432f 100644 +--- a/plugins-dist/svp/formulaires/ajouter_depot.html ++++ b/plugins-dist/svp/formulaires/ajouter_depot.html +@@ -21,7 +21,7 @@ + [(#ENV{erreurs}|table_valeur{xml_paquets})] + +
+-
++
+ + [(#ENV**{erreurs/password})] + +diff --git a/plugins-dist/svp/formulaires/charger_plugin_archive.html b/plugins-dist/svp/formulaires/charger_plugin_archive.html +index 8f139dd..78bab2b 100644 +--- a/plugins-dist/svp/formulaires/charger_plugin_archive.html ++++ b/plugins-dist/svp/formulaires/charger_plugin_archive.html +@@ -23,7 +23,7 @@ + +

<:svp:explication_destination:>

+
+-
++
+ + [(#ENV**{erreurs/password})] + diff -Nru spip-3.2.11/debian/patches/0045-fix-D-placer-le-champ-password-en-t-te-pour-viter-qu.patch spip-3.2.11/debian/patches/0045-fix-D-placer-le-champ-password-en-t-te-pour-viter-qu.patch --- spip-3.2.11/debian/patches/0045-fix-D-placer-le-champ-password-en-t-te-pour-viter-qu.patch 1970-01-01 00:00:00.000000000 +0000 +++ spip-3.2.11/debian/patches/0045-fix-D-placer-le-champ-password-en-t-te-pour-viter-qu.patch 2022-07-22 18:07:47.000000000 +0000 @@ -0,0 +1,76 @@ +From: Matthieu Marcillaud +Date: Wed, 20 Jul 2022 16:32:40 +0200 +Subject: =?utf-8?q?fix=3A_D=C3=A9placer_le_champ_password_en_t=C3=AAte_pour?= + =?utf-8?q?_=C3=A9viter_qu=E2=80=99un_input_le_pr=C3=A9c=C3=A9dent_soit_aut?= + =?utf-8?q?ocompl=C3=A9t=C3=A9_comme_un_champ_de_login?= + +Refs: #4857 +(cherry picked from commit 73507210608a61bff08b09801792fda49397f49a) + +Origin: upstream, https://git.spip.net/spip/svp/commit/3390c60b3ff364664c58c8da39ed51c25f9a1532 +--- + plugins-dist/svp/formulaires/ajouter_depot.html | 13 +++++++------ + plugins-dist/svp/formulaires/charger_plugin_archive.html | 12 ++++++------ + 2 files changed, 13 insertions(+), 12 deletions(-) + +diff --git a/plugins-dist/svp/formulaires/ajouter_depot.html b/plugins-dist/svp/formulaires/ajouter_depot.html +index 4e0432f..be7bfb3 100644 +--- a/plugins-dist/svp/formulaires/ajouter_depot.html ++++ b/plugins-dist/svp/formulaires/ajouter_depot.html +@@ -12,6 +12,12 @@ +
+

<:svp:info_ajouter_depot:>

+
++
++ ++ [(#ENV**{erreurs/password})] ++ ++

<:svp:explication_mot_passe:>

++
+
+ +

+@@ -21,12 +27,7 @@ + [(#ENV{erreurs}|table_valeur{xml_paquets})] + +

+-
+- +- [(#ENV**{erreurs/password})] +- +-

<:svp:explication_mot_passe:>

+-
++ +
+ +

+diff --git a/plugins-dist/svp/formulaires/charger_plugin_archive.html b/plugins-dist/svp/formulaires/charger_plugin_archive.html +index 78bab2b..a295223 100644 +--- a/plugins-dist/svp/formulaires/charger_plugin_archive.html ++++ b/plugins-dist/svp/formulaires/charger_plugin_archive.html +@@ -12,6 +12,12 @@ + +

<:svp:telecharger_archive_plugin_explication:>

+
++
++ ++ [(#ENV**{erreurs/password})] ++ ++

<:svp:explication_mot_passe:>

++
+
+ + [(#ENV**{erreurs/archive})] +@@ -23,12 +29,6 @@ + +

<:svp:explication_destination:>

+
+-
+- +- [(#ENV**{erreurs/password})] +- +-

<:svp:explication_mot_passe:>

+-
+
+

+
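Review bot: Moving the password field to the head of the form only changes the heuristic browsers use to guess which input is the username, so the preceding `archive`/URL input may still be offered saved credentials in some browsers; the explicit signal is an `autocomplete` attribute, i.e. `autocomplete="current-password"` on the password input and `autocomplete="off"` on the text inputs that precede or follow it. The `<input>` markup in this hunk did not survive extraction, so whether the fields already carry these attributes cannot be confirmed from this view. If they do not, adding them alongside the reorder makes the intent explicit instead of relying on field order.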
diff -Nru spip-3.2.11/debian/patches/series spip-3.2.11/debian/patches/series --- spip-3.2.11/debian/patches/series 2022-05-24 14:20:12.000000000 +0000 +++ spip-3.2.11/debian/patches/series 2022-07-22 18:07:47.000000000 +0000 @@ -31,3 +31,15 @@ 0031-Incrementer-spip_version_code-pour-recompiler-les-sq.patch 0032-Suppression-de-l-argument-formulaire_action_sign-dan.patch 0033-Echapper-l-url-dans-le-html-affiche-https-git.spip.n.patch +0034-fix-spip-team-securite-4831-Lever-le-flag-espace_pri.patch +0035-feat-une-fonction-auth_controler_password_auteur_con.patch +0036-fix-ne-pas-faire-tourner-les-aleas-et-le-hash-du-pas.patch +0037-fix-Signaler-visuellement-les-liens-javascript-dans-.patch +0038-fix-utiliser-un-base64_decode-strict-sur-_oups-et-da.patch +0039-fix-mise-a-jour-de-l-cran-de-s-curit.patch +0040-fix-envoyer-un-CSP-sandbox-sur-tous-les-documents-de.patch +0041-fix-appliquer-_TRAITEMENT_TYPO-sur-le-champs-CREDITS.patch +0042-fix-ajouter-une-class-wysiwyg-sur-les-zones-ou-l-on-.patch +0043-fix-securisation-du-formulaire-d-upload-d-un-plugin-.patch +0044-fix-Les-champs-password-sont-obligatoires.-Suite-de-.patch +0045-fix-D-placer-le-champ-password-en-t-te-pour-viter-qu.patch