Version in base suite: 3.2.4-1+deb10u1
Base version: spip_3.2.4-1+deb10u1
Target version: spip_3.2.4-1+deb10u2
Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/spip/spip_3.2.4-1+deb10u1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/s/spip/spip_3.2.4-1+deb10u2.dsc
 changelog | 12 +++
 patches/0012-Fix-a-PHP-7.3-compatibility-issue.patch | 39 ++++++++++
 patches/0013-Feu-les-temps-modernes.patch | 36 +++++++++
 patches/0014-R-tablir-l-ordre-un-minimum-on-ne-tol-re-aucune-mani.patch | 30 +++++++
 patches/series | 3
 5 files changed, 120 insertions(+)
diff -Nru spip-3.2.4/debian/changelog spip-3.2.4/debian/changelog
--- spip-3.2.4/debian/changelog 2019-09-16 21:45:48.000000000 +0000
+++ spip-3.2.4/debian/changelog 2019-12-12 20:22:39.000000000 +0000
@@ -1,3 +1,15 @@
+spip (3.2.4-1+deb10u2) buster-security; urgency=medium
+
+ * Backport security fix from 3.2.7
+ - Critical security fix, allowing identified authors to inject content
+ into database
+ - Update security screen to 1.3.13
+ * Fix PHP 7.3 compatibility issue.
+ The regex were wrong, and started failing with PHP 7.3, causing plugins
+ to be disabled and impossible to be enable back on upgrade.
+
+ -- David Prévot Thu, 12 Dec 2019 10:22:39 -1000
+
 spip (3.2.4-1+deb10u1) buster-security; urgency=medium
 
 * Backport security fixes from 3.2.5
diff -Nru spip-3.2.4/debian/patches/0012-Fix-a-PHP-7.3-compatibility-issue.patch spip-3.2.4/debian/patches/0012-Fix-a-PHP-7.3-compatibility-issue.patch
--- spip-3.2.4/debian/patches/0012-Fix-a-PHP-7.3-compatibility-issue.patch 1970-01-01 00:00:00.000000000 +0000
+++ spip-3.2.4/debian/patches/0012-Fix-a-PHP-7.3-compatibility-issue.patch 2019-12-12 20:19:19.000000000 +0000
@@ -0,0 +1,39 @@
+From: =?utf-8?q?David_Pr=C3=A9vot?=
+Date: Mon, 28 Oct 2019 11:48:58 -1000
+Subject: Fix a PHP 7.3 compatibility issue
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Ticket #4205 : Compatibilité PHP 7.3. La librairie PCRE passe en v2, et est moins tolérante.Le caractère -, indiqué dans un bloc de caractères `[ - ]`, pour ne pas être pris pour une déclaration d’intervalle (comme `[a-z]`), doit être soit échappé avec \ soit être en tête ou en fin de la structure.(Francky)
+
+Origin: upstream, https://zone.spip.net/trac/spip-zone/changeset/112275/spip-zone
+---
+ plugins-dist/svp/inc/svp_outiller.php | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/plugins-dist/svp/inc/svp_outiller.php b/plugins-dist/svp/inc/svp_outiller.php
+index 88ac0d0..9f74f5f 100644
+--- a/plugins-dist/svp/inc/svp_outiller.php
++++ b/plugins-dist/svp/inc/svp_outiller.php
+@@ -266,9 +266,9 @@ function compiler_branches_spip($intervalle) {
+ $bornes['max']['incluse'] = true;
+ }
+ // On les nettoie des suffixes d'etat
+- $borne_inf = strtolower(preg_replace(',([0-9])[\s-.]?(dev|alpha|a|beta|b|rc|pl|p),i', '\\1',
++ $borne_inf = strtolower(preg_replace(',([0-9])[\s.-]?(dev|alpha|a|beta|b|rc|pl|p),i', '\\1',
+ $bornes['min']['valeur']));
+- $borne_sup = strtolower(preg_replace(',([0-9])[\s-.]?(dev|alpha|a|beta|b|rc|pl|p),i', '\\1',
++ $borne_sup = strtolower(preg_replace(',([0-9])[\s.-]?(dev|alpha|a|beta|b|rc|pl|p),i', '\\1',
+ $bornes['max']['valeur']));
+
+ // On determine les branches inf et sup issues du phrasage de l'intervalle
+@@ -487,7 +487,7 @@ function normaliser_version($version = '') {
+
+ $version_normalisee = '';
+
+- if (preg_match(',([0-9.]+)[\s-.]?(dev|alpha|a|beta|b|rc|pl|p)?,i', $version, $matches)) {
++ if (preg_match(',([0-9.]+)[\s.-]?(dev|alpha|a|beta|b|rc|pl|p)?,i', $version, $matches)) {
+ if (isset($matches[1]) and $matches[1]) {
+ $v = explode('.', $matches[1]);
+ $vn = array();
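Review bot: The corrected character classes fix the pattern, but all three call sites keep feeding `preg_replace()`/`preg_match()` results straight on without checking `preg_last_error()`: on a PCRE compile error `preg_replace()` returns null and `strtolower(null)` quietly becomes `''`, which is presumably the silent failure the changelog describes (plugins disabled with no diagnostic), and passing null to `strtolower()` is also deprecated from PHP 8.1. A guard such as `if (preg_last_error() !== PREG_NO_ERROR) { /* log and keep the raw bound */ }` after each call, or at least a comment `// preg_replace() returns null on a PCRE error; strtolower(null) hides it as ''`, would make the next regression visible instead of silently widening version bounds. The same suffix pattern is duplicated in `compiler_branches_spip` and `normaliser_version`; keeping it in one shared constant would have made this fix a single-line change. Both enclosing functions start and end outside the hunk.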
diff -Nru spip-3.2.4/debian/patches/0013-Feu-les-temps-modernes.patch spip-3.2.4/debian/patches/0013-Feu-les-temps-modernes.patch
--- spip-3.2.4/debian/patches/0013-Feu-les-temps-modernes.patch 1970-01-01 00:00:00.000000000 +0000
+++ spip-3.2.4/debian/patches/0013-Feu-les-temps-modernes.patch 2019-12-12 20:19:19.000000000 +0000
@@ -0,0 +1,36 @@
+From: Cerdic
+Date: Wed, 4 Dec 2019 16:11:16 +0100
+Subject: Feu les temps modernes
+
+Origin: upstream, https://git.spip.net/SPIP/spip/commit/8eb11ba132b92696eb34d606d71aa8edf40e0f69
+---
+ config/ecran_securite.php | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/config/ecran_securite.php b/config/ecran_securite.php
+index 773f203..b471156 100644
+--- a/config/ecran_securite.php
++++ b/config/ecran_securite.php
+@@ -5,7 +5,7 @@
+ * ------------------
+ */
+
+-define('_ECRAN_SECURITE', '1.3.12'); // 2019-09-16
++define('_ECRAN_SECURITE', '1.3.13'); // 2019-12-04
+
+ /*
+ * Documentation : http://www.spip.net/fr_article4200.html
+@@ -335,6 +335,13 @@ and $_REQUEST['action'] == 'configurer') {
+ }
+ }
+ }
++if (isset($_REQUEST['action'])
++and $_REQUEST['action'] == 'ordonner_liens_documents'
++and isset($_REQUEST['ordre'])
++and is_string($_REQUEST['ordre'])){
++ $ecran_securite_raison = "ordre a la chaine";
++}
++
+
+ /*
+ * Bloque les requêtes contenant %00 (manipulation d'include)
diff -Nru spip-3.2.4/debian/patches/0014-R-tablir-l-ordre-un-minimum-on-ne-tol-re-aucune-mani.patch spip-3.2.4/debian/patches/0014-R-tablir-l-ordre-un-minimum-on-ne-tol-re-aucune-mani.patch
--- spip-3.2.4/debian/patches/0014-R-tablir-l-ordre-un-minimum-on-ne-tol-re-aucune-mani.patch 1970-01-01 00:00:00.000000000 +0000
+++ spip-3.2.4/debian/patches/0014-R-tablir-l-ordre-un-minimum-on-ne-tol-re-aucune-mani.patch 2019-12-12 20:19:20.000000000 +0000
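Review bot: The new screen rule only fires when `ordre` arrives as a string, so an `ordre` sent as an array of arbitrary strings passes `is_string()` and still reaches the action; the block is a stop-gap and the handler-side check (patch 0014 in this upload) remains the real boundary. That division of responsibility deserves a line above the `if`, e.g. `// ordonner_liens_documents : refuse un ordre envoyé comme chaîne ; la forme tableau est validée dans l'action`, so the next screen update does not drop it as redundant or widen it by mistake. On style, `is_string($_REQUEST['ordre'])){` omits the space before `{` that the neighbouring `== 'configurer') {` block keeps, and the hunk adds two blank lines where the surrounding rules use one.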
@@ -0,0 +1,30 @@
+From: Matthieu Marcillaud
+Date: Wed, 4 Dec 2019 14:07:35 -1000
+Subject: =?utf-8?q?R=C3=A9tablir_l=E2=80=99ordre_un_minimum_=3B_on_ne_tol?=
+ =?utf-8?q?=C3=A8re_aucune_manifestation_en_cha=C3=AEne=2E_=28Alexis_Z=29?=
+
+Origin: upstream, https://zone.spip.net/trac/spip-zone/changeset/118898/spip-zone/_core_/plugins/medias
+---
+ plugins-dist/medias/action/ordonner_liens_documents.php | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/plugins-dist/medias/action/ordonner_liens_documents.php b/plugins-dist/medias/action/ordonner_liens_documents.php
+index a1be046..79f35a0 100644
+--- a/plugins-dist/medias/action/ordonner_liens_documents.php
++++ b/plugins-dist/medias/action/ordonner_liens_documents.php
+@@ -28,13 +28,13 @@ function action_ordonner_liens_dist() {
+ $objet = objet_type(_request('objet_source'));
+
+ // objet lié
+- $objet_lie = _request('objet_lie');
++ $objet_lie = objet_type(_request('objet_lie'));
+ $id_objet_lie = intval(_request('id_objet_lie'));
+
+ // ordre des éléments
+ $ordre = _request('ordre');
+
+- if (!$objet or !$objet_lie or !$id_objet_lie OR !$ordre or !objet_associable($objet)) {
++ if (!$objet or !$objet_lie or !$id_objet_lie or !$ordre or !is_array($ordre) or !objet_associable($objet)) {
+ return envoyer_json_erreur(_T('medias:erreur_objet_absent') . ' ' . _T('medias:erreur_deplacement_impossible'));
+ }
+
diff -Nru spip-3.2.4/debian/patches/series spip-3.2.4/debian/patches/series
--- spip-3.2.4/debian/patches/series 2019-09-16 21:45:48.000000000 +0000
+++ spip-3.2.4/debian/patches/series 2019-12-12 20:19:20.000000000 +0000
@@ -9,3 +9,6 @@
 0009-sanitizer-les-URLs-de-redirection-au-cas-ou-beaucoup.patch
 0010-centraliser-les-tests-identiques-c-est-plus-simple-a.patch
 0011-Mise-a-jour-de-l-ecran-de-securite.patch
+0012-Fix-a-PHP-7.3-compatibility-issue.patch
+0013-Feu-les-temps-modernes.patch
+0014-R-tablir-l-ordre-un-minimum-on-ne-tol-re-aucune-mani.patch
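Review bot: `is_array($ordre)` rejects the string form, but nothing in the hunk constrains the array's keys or values, and the part of `action_ordonner_liens_dist` that consumes `$ordre` (presumably building the reorder query) lies below the hunk, so whether each element is cast to an integer before it reaches the database cannot be confirmed from here. If it is not already done there, `$ordre = array_map('intval', $ordre);` right after the guard would bound the input at the point of entry, the same way `$id_objet_lie` is already funnelled through `intval()` two lines up. Normalising `$objet_lie` through `objet_type()` now mirrors the `$objet` line, which is the right shape; a comment such as `// ordre : tableau d'identifiants uniquement, validé avant tout usage SQL` would record the intent for the next maintainer. The function body continues outside the hunk.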