mahara-packaging team mailing list archive
Message #00113
Bug#691883: mahara debdiffs
Debdiffs attached, release team cc'd.
Sorry for the delay. Had some urgent important interruptions to deal with.
As far as I know, I do not have any upload rights, so I believe this is
as far as I can go without assistance. My usual accomplice is busy until
next week some time, so if the patches are deemed ok, please proceed to
uploading if you can.
diff -Nru mahara-1.5.1/debian/changelog mahara-1.5.1/debian/changelog
--- mahara-1.5.1/debian/changelog 2012-10-28 02:11:42.000000000 +0000
+++ mahara-1.5.1/debian/changelog 2012-11-12 23:07:24.000000000 +0000
@@ -1,3 +1,36 @@
+
+mahara (1.5.1-3) unstable; urgency=high
+
+ * SECURITY UPDATE: Disable XML entity parsing to prevent XEE
+ - debian/patches/CVE-2012-2239.patch: upstream patch
+
+ * SECURITY UPDATE: Multiple cross-site scripting vulnerabilities
+ - Content passed to the error message was not escaped
+ - Escape pieform errors displayed to users
+ - debian/patches/CVE-2012-2243-0001.patch: upstream patch
+ - XHTML files prone to embedded javascript
+ - Prevent uploaded xhtml files from displaying verbatim
+ - debian/patches/CVE-2012-2243-0002.patch: upstream patch
+
+ * SECURITY UPDATE: Arbitrary file execution via clam path
+ - Remove executable bit from existing uploaded files
+ - debian/patches/CVE-2012-2244-0001.patch: upstream patch
+ - Ensure future files will not be executable
+ - debian/patches/CVE-2012-2244-0002.patch: upstream patch
+ - Remove direct path option from web configuration
+ - debian/patches/CVE-2012-2244-0003.patch: upstream patch
+
+ * SECURITY UPDATE: Prevent click-jacking attacks
+ - Add a HTTP header of X-Frame-Options to every page
+ - debian/patches/CVE-2012-2246.patch: upstream patch
+
+ * SECURITY UPDATE: Prevent SVG images being displayed
+ - SVG images displayed inline
+ - Adds SVG files to the list of files to not display by default
+ - debian/patches/CVE-2012-2247.patch: upstream patch
+
+ -- Melissa Draper <melissa@xxxxxxxxxxxxxxx> Tue, 12 Nov 2012 04:08:09 +0000
+
mahara (1.5.1-2.1) unstable; urgency=low
* Non-maintainer upload
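Review bot: the first added line of this hunk is empty, so the new debian/changelog begins with a blank line before `mahara (1.5.1-3) unstable; urgency=high`; the previous top entry `mahara (1.5.1-2.1)` sat on line 1, so drop that leading `+` blank to keep the file's existing layout. A wording point in the same hunk: `Prevent SVG images being displayed` claims more than the patch does, which only routes `image/svg+xml` through the same escaped-display path already used for HTML; `Stop serving uploaded SVG files inline` would match the change.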
diff -Nru mahara-1.5.1/debian/patches/CVE-2012-2239.patch mahara-1.5.1/debian/patches/CVE-2012-2239.patch
--- mahara-1.5.1/debian/patches/CVE-2012-2239.patch 1970-01-01 00:00:00.000000000 +0000
+++ mahara-1.5.1/debian/patches/CVE-2012-2239.patch 2012-11-12 23:07:24.000000000 +0000
@@ -0,0 +1,70 @@
+Author: Hugh Davenport <hugh@xxxxxxxxxxxxxxx>
+Description: Disable XML entity parsing
+Origin: upstream
+Bug: https://bugs.launchpad.net/mahara/+bug/1047111
+Last-Update: 2012-09-11
+
+ Fix XML Security bug
+
+ There is a security issue with the default XML parser for PHP, where ENTITY fields are
+ loaded and substituted in text parts.
+
+ This allows possible attackers to read from internal networks, or files readable by the
+ web server user.
+
+ This includes reading of the config.php file, which contains sensitive information such
+ as the database password, and the password salt field.
+
+ The fix for this was to include a call to libxml_disable_entity_loader(true) during the
+ initialization of a page. This is based on a report from Mike Haworth
+
+ The vulnerability was present in the admin area when uploading Leap2A users, and also in
+ the user page area where a user could provide a RSS feed with specific XML ENTITY fields.
+
+ More information can be found at the following:
+ http://projects.webappsec.org/w/page/13247003/XML%20External%20Entities
+ http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html
+
+diff --git a/htdocs/blocktype/externalfeed/db/upgrade.php b/htdocs/blocktype/externalfeed/db/upgrade.php
+index 90e79f9..a6ba403 100644
+--- a/htdocs/blocktype/externalfeed/db/upgrade.php
++++ b/htdocs/blocktype/externalfeed/db/upgrade.php
+@@ -106,5 +106,12 @@ function xmldb_blocktype_externalfeed_upgrade($oldversion=0) {
+ add_field($table, $field);
+ }
+
++ if ($oldversion < 2011091402) {
++ // Reset all feeds to reset themselves
++ set_field('blocktype_externalfeed_data', 'lastupdate', db_format_timestamp('0'));
++ safe_require('blocktype', 'externalfeed');
++ call_static_method('PluginBlocktypeExternalfeed', 'refresh_feeds');
++ }
++
+ return true;
+ }
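Review bot: the upgrade step in this hunk calls `PluginBlocktypeExternalfeed::refresh_feeds` straight after resetting `lastupdate`, so every configured external feed is fetched over the network synchronously while the package upgrade runs; one slow or unreachable feed host can stall the upgrade. Consider only resetting `lastupdate` and letting the normal cron refresh pick the feeds up, or at least document the upgrade-time fetch in the changelog. The comment `// Reset all feeds to reset themselves` also says nothing about why the step exists; presumably it is to replace feed content cached while external entity loading was still enabled, and the comment should say so.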
+diff --git a/htdocs/blocktype/externalfeed/version.php b/htdocs/blocktype/externalfeed/version.php
+index 24b1e09..cd84230 100644
+--- a/htdocs/blocktype/externalfeed/version.php
++++ b/htdocs/blocktype/externalfeed/version.php
+@@ -28,5 +28,5 @@
+ defined('INTERNAL') || die();
+
+ $config = new StdClass;
+-$config->version = 2011091401;
++$config->version = 2011091402;
+ $config->release = '1.0.3';
+diff --git a/htdocs/init.php b/htdocs/init.php
+index 07c8c47..0865428 100644
+--- a/htdocs/init.php
++++ b/htdocs/init.php
+@@ -58,6 +58,10 @@ if (!is_readable($CFG->docroot . 'config.php')) {
+
+ init_performance_info();
+
++if (function_exists('libxml_disable_entity_loader')) {
++ libxml_disable_entity_loader(true);
++}
++
+ require($CFG->docroot . 'config.php');
+ $CFG = (object)array_merge((array)$cfg, (array)$CFG);
+ require_once('config-defaults.php');
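Review bot: the header `Disable XML entity parsing` overstates what `libxml_disable_entity_loader(true)` does: it stops libxml fetching external entities (file://, http://) but does not stop expansion of internal entities, so entity-expansion denial of service is not addressed by this hunk. Two checks before upload: (1) with the entity loader disabled, PHP's file-based loaders (`DOMDocument::load()`, `simplexml_load_file()`) go through the same loader and fail, so the Leap2A import named in the description must read the file and parse from a string (`loadXML()` / `simplexml_load_string()`) or it breaks after this patch. (2) the `function_exists` guard means that on a PHP without this function the fix silently does nothing; add an else branch that logs a warning rather than continuing in silence.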
diff -Nru mahara-1.5.1/debian/patches/CVE-2012-2243-0001.patch mahara-1.5.1/debian/patches/CVE-2012-2243-0001.patch
--- mahara-1.5.1/debian/patches/CVE-2012-2243-0001.patch 1970-01-01 00:00:00.000000000 +0000
+++ mahara-1.5.1/debian/patches/CVE-2012-2243-0001.patch 2012-11-12 23:07:24.000000000 +0000
@@ -0,0 +1,66 @@
+Author: Hugh Davenport <hugh@xxxxxxxxxxxxxxx>
+Subject: Escape pieform errors displayed to users
+Origin: upstream
+Bug: https://bugs.launchpad.net/mahara/+bug/1063480
+Last-Update: 2012-10-10
+
+ CVE-2012-2243
+
+ If a user modifies a form in such as way that an error
+ is caused based on their input there is a possible XSS
+ avenue.
+
+ This was displayed in the user/group CSV uploads, with
+ a malicious script in the header which causes a CSV parsing
+ error and was then passed back to the user verbatim.
+
+ This patch escapes all error messages in the pieform error
+ output.
+---
+ htdocs/lib/form/renderers/maharatable.php | 2 +-
+ htdocs/lib/pieforms/pieform/renderers/div.php | 2 +-
+ htdocs/lib/pieforms/pieform/renderers/table.php | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/htdocs/lib/form/renderers/maharatable.php b/htdocs/lib/form/renderers/maharatable.php
+index d245648..94f45e2 100644
+--- a/htdocs/lib/form/renderers/maharatable.php
++++ b/htdocs/lib/form/renderers/maharatable.php
+@@ -113,7 +113,7 @@ function pieform_renderer_maharatable(Pieform $form, $element) {
+
+ if (!empty($element['error'])) {
+ $result .= "\t<tr>\n\t\t<td class=\"errmsg\">";
+- $result .= $element['error'];
++ $result .= hsc($element['error']);
+ $result .= "</td>\n\t</tr>\n";
+ }
+
+diff --git a/htdocs/lib/pieforms/pieform/renderers/div.php b/htdocs/lib/pieforms/pieform/renderers/div.php
+index 2a6833e..701847d 100644
+--- a/htdocs/lib/pieforms/pieform/renderers/div.php
++++ b/htdocs/lib/pieforms/pieform/renderers/div.php
+@@ -61,7 +61,7 @@ function pieform_renderer_div(Pieform $form, $element) {/*{{{*/
+ }
+
+ if (!empty($element['error'])) {
+- $result .= '<div class="errmsg">' . $element['error'] . '</div>';
++ $result .= '<div class="errmsg">' . hsc($element['error']) . '</div>';
+ }
+
+ $result .= "</div>\n";
+diff --git a/htdocs/lib/pieforms/pieform/renderers/table.php b/htdocs/lib/pieforms/pieform/renderers/table.php
+index feb077f..d7b1d91 100644
+--- a/htdocs/lib/pieforms/pieform/renderers/table.php
++++ b/htdocs/lib/pieforms/pieform/renderers/table.php
+@@ -92,7 +92,7 @@ function pieform_renderer_table(Pieform $form, $element) {/*{{{*/
+
+ if (!empty($element['error'])) {
+ $result .= "\t<tr>\n\t\t<td colspan=\"2\" class=\"errmsg\">";
+- $result .= $element['error'];
++ $result .= hsc($element['error']);
+ $result .= "</td>\n\t</tr>\n";
+ }
+
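Review bot: all three renderer hunks wrap `$element['error']` in `hsc()`, which is the right layer for the fix, but it changes behaviour for every error message, not only the CSV-parser one in the description: any existing message that deliberately carries markup (a link to documentation, a `<br>` between lines) now renders as literal tags. Grep the callers that set `$element['error']` for HTML before upload; if any exist, escape where the user input is interpolated into the message instead. Also confirm `hsc()` is in scope when the renderers under `htdocs/lib/pieforms/pieform/renderers/` are loaded, since those sit in the bundled pieforms tree rather than beside `htdocs/lib/form/renderers/maharatable.php`.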
+--
+1.7.11.3
+
diff -Nru mahara-1.5.1/debian/patches/CVE-2012-2243-0002.patch mahara-1.5.1/debian/patches/CVE-2012-2243-0002.patch
--- mahara-1.5.1/debian/patches/CVE-2012-2243-0002.patch 1970-01-01 00:00:00.000000000 +0000
+++ mahara-1.5.1/debian/patches/CVE-2012-2243-0002.patch 2012-11-12 23:07:24.000000000 +0000
@@ -0,0 +1,38 @@
+Author: Hugh Davenport <hugh@xxxxxxxxxxxxxxx>
+Subject: Escape user uploaded XHTML files
+Origin: upstream
+Bug: https://bugs.launchpad.net/mahara/+bug/1055232
+Last-Update: 2012-10-10
+
+ CVE-2012-2243
+
+ Before this patch, if a user uploaded HTML or XML files
+ then tried to download them, or linked other users to download
+ them, they would be presented with an escaped version along
+ with a link to download the original.
+
+ This did not include XHTML files, which can cause the same
+ security issues as HTML or XML files. This patch includes the
+ XHTML mimetype of application/xhtml+xml in the test of which
+ files to escape.
+
+---
+ htdocs/lib/file.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/htdocs/lib/file.php b/htdocs/lib/file.php
+index 2a96cdc..19c7bf9 100644
+--- a/htdocs/lib/file.php
++++ b/htdocs/lib/file.php
+@@ -70,7 +70,7 @@ function serve_file($path, $filename, $mimetype, $options=array()) {
+ $lastmodified = filemtime($path);
+ $filesize = filesize($path);
+
+- if ($mimetype == 'text/html' || $mimetype == 'text/xml') {
++ if ($mimetype == 'text/html' || $mimetype == 'text/xml' || $mimetype == 'application/xhtml+xml') {
+ if (isset($options['downloadurl']) && $filesize < 1024 * 1024) {
+ display_cleaned_html(file_get_contents($path), $filename, $options);
+ exit;
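Review bot: the escaped-display branch in this hunk only runs when `$options['downloadurl']` is set and `$filesize < 1024 * 1024`; an `application/xhtml+xml` file of 1 MiB or more, or one served without `downloadurl`, falls through to whatever follows the shown context, which is outside this hunk. Confirm that the fall-through path sends the file as an attachment (`Content-Disposition: attachment`, ideally with `X-Content-Type-Options: nosniff`) rather than inline, otherwise a larger XHTML upload is still rendered by the browser. The comparison is also an exact string match, so it relies on `$mimetype` being a normalised type with no parameters or case variation; if it can ever come from the client-supplied upload type, a mismatch bypasses the check.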
+--
+1.7.11.3
+
diff -Nru mahara-1.5.1/debian/patches/CVE-2012-2244-0001.patch mahara-1.5.1/debian/patches/CVE-2012-2244-0001.patch
--- mahara-1.5.1/debian/patches/CVE-2012-2244-0001.patch 1970-01-01 00:00:00.000000000 +0000
+++ mahara-1.5.1/debian/patches/CVE-2012-2244-0001.patch 2012-11-12 23:07:24.000000000 +0000
@@ -0,0 +1,58 @@
+Author: Hugh Davenport <hugh@xxxxxxxxxxxxxxx>
+Subject: Fix up old file permissions to remove executable
+Origin: upstream
+Bug: https://bugs.launchpad.net/mahara/+bug/1057238
+Last-Update: 2012-10-10
+
+ CVE-2012-2244
+
+ In previous versions of mahara, all the user uploaded files
+ had the executable bit set. This patch runs an upgrade script
+ to remove this executable bit.
+
+---
+ htdocs/artefact/file/db/upgrade.php | 17 +++++++++++++++++
+ htdocs/artefact/file/version.php | 2 +-
+ 2 files changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/htdocs/artefact/file/db/upgrade.php b/htdocs/artefact/file/db/upgrade.php
+index 92827cf..967539c 100644
+--- a/htdocs/artefact/file/db/upgrade.php
++++ b/htdocs/artefact/file/db/upgrade.php
+@@ -392,5 +392,22 @@ function xmldb_artefact_file_upgrade($oldversion=0) {
+ }
+ }
+
++ if ($oldversion < 2011082201) {
++ $baseiter = new DirectoryIterator(get_config('dataroot') . 'artefact/file/originals/');
++ foreach ($baseiter as $dir) {
++ if ($dir->isDot()) continue;
++ $dirpath = $dir->getPath() . '/' . $dir->getFilename();
++ $fileiter = new DirectoryIterator($dirpath);
++ foreach ($fileiter as $file) {
++ if ($file->isDot()) continue;
++ if (!$file->isFile()) {
++ log_error("Something was wrong about the dataroot in artefact/file/originals/$dir. Unexpected folder $file");
++ continue;
++ }
++ chmod($file->getPathname(), $file->getPerms() & 0666);
++ }
++ }
++ }
++
+ return $status;
+ }
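Review bot: the `chmod($file->getPathname(), $file->getPerms() & 0666)` call in this hunk ignores its return value, so a file the web server user cannot chmod stays executable while the upgrade still reports success; check the result and `log_error` the path, as the unexpected-folder branch already does. The walk also covers only `artefact/file/originals/` one level deep; other files under dataroot written with the same `directorypermissions` mode (for example `artefact/file/profileicons`, which the core upgrade touched in the companion patch moves into place) keep their executable bit. Finally, `& 0666` also clears the setuid, setgid and sticky bits, which is fine here but stronger than "remove executable" and worth a comment.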
+diff --git a/htdocs/artefact/file/version.php b/htdocs/artefact/file/version.php
+index 71d84e8..147ecf0 100644
+--- a/htdocs/artefact/file/version.php
++++ b/htdocs/artefact/file/version.php
+@@ -28,5 +28,5 @@
+ defined('INTERNAL') || die();
+
+ $config = new StdClass;
+-$config->version = 2011082200;
++$config->version = 2011082201;
+ $config->release = '1.2.0';
+--
+1.7.11.3
+
diff -Nru mahara-1.5.1/debian/patches/CVE-2012-2244-0002.patch mahara-1.5.1/debian/patches/CVE-2012-2244-0002.patch
--- mahara-1.5.1/debian/patches/CVE-2012-2244-0002.patch 1970-01-01 00:00:00.000000000 +0000
+++ mahara-1.5.1/debian/patches/CVE-2012-2244-0002.patch 2012-11-12 23:07:24.000000000 +0000
@@ -0,0 +1,109 @@
+Author: Hugh Davenport <hugh@xxxxxxxxxxxxxxx>
+Subject: Fix saved file permissions
+Origin: upstream
+Bug: https://bugs.launchpad.net/mahara/+bug/1057238
+Last-Update: 2012-10-10
+
+
+ CVE-2012-2244
+
+ Currently, files that are saved by Mahara use the
+ directorypermissions config option, which defaults to
+ 0700, which allows execution.
+
+ This allows users to potentially upload files with
+ executable bits set, and if they have control of the
+ config options pathtoclam, pathtozip, or pathtounzip
+ then they could run this command when one of those
+ commands are invocated.
+
+ This patch bitwise-AND's the directory permissions
+ config with 0666, which removes any executable bit
+ and sets the result as a new config option
+ filepermissions.
+
+ A change the upload code to use this new option is made
+
+---
+ htdocs/artefact/file/lib.php | 3 ++-
+ htdocs/init.php | 1 +
+ htdocs/lib/db/upgrade.php | 2 +-
+ htdocs/lib/file.php | 2 +-
+ htdocs/lib/uploadmanager.php | 2 +-
+ 5 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/htdocs/artefact/file/lib.php b/htdocs/artefact/file/lib.php
+index eeeebc2..491965e 100644
+--- a/htdocs/artefact/file/lib.php
++++ b/htdocs/artefact/file/lib.php
+@@ -907,6 +907,7 @@ class ArtefactTypeFile extends ArtefactTypeFileBase {
+ $f->delete();
+ return false;
+ }
++ chmod($newname, get_config('filepermissions'));
+ $owner = null;
+ if ($user) {
+ $owner = $user;
+@@ -2138,7 +2139,7 @@ class ArtefactTypeArchive extends ArtefactTypeFile {
+ // Untar everything into a temp directory first
+ $tempsubdir = tempnam($tempdir, '');
+ unlink($tempsubdir);
+- mkdir($tempsubdir);
++ mkdir($tempsubdir, get_config('directorypermissions'));
+ if (!$this->handle->extract($tempsubdir)) {
+ throw new SystemException("Unable to extract archive into $tempsubdir");
+ }
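Review bot: the new `chmod($newname, get_config('filepermissions'))` in the first hunk runs after the copy succeeded but its result is unchecked, unlike the copy failure just above it which deletes `$f` and returns false; a failed chmod should at least be logged. In the second hunk, `mkdir($tempsubdir, get_config('directorypermissions'))` fixes the temp directory's mode, but files written into it by `$this->handle->extract()` get the modes stored in the archive (tar preserves execute bits), so an archive member marked executable stays executable until it goes through the chmod'd save path; confirm every extracted file is saved through that path rather than moved into dataroot.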
+diff --git a/htdocs/init.php b/htdocs/init.php
+index 89b8e50..3e167cc 100644
+--- a/htdocs/init.php
++++ b/htdocs/init.php
+@@ -80,6 +80,7 @@ $CFG->xmldbdisablecommentchecking = true;
+ if (empty($CFG->directorypermissions)) {
+ $CFG->directorypermissions = 0700;
+ }
++$CFG->filepermissions = $CFG->directorypermissions & 0666;
+
+ // core libraries
+ require('mahara.php');
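Review bot: `$CFG->filepermissions = $CFG->directorypermissions & 0666;` is assigned unconditionally and, at this point in init.php, config.php has already been merged into `$CFG` (the `require($CFG->docroot . 'config.php')` appears earlier in the same file in the CVE-2012-2239 hunk), so any `filepermissions` an administrator sets in config.php is silently overwritten. Wrap it in the same `if (empty($CFG->filepermissions))` guard used for `directorypermissions` two lines above and compute the default inside it. The mode is also still subject to the process umask when passed to `mkdir`; unchanged here, but worth a comment now that the patch relies on these modes for a security property.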
+diff --git a/htdocs/lib/db/upgrade.php b/htdocs/lib/db/upgrade.php
+index 4293c0f..fa223a5 100644
+--- a/htdocs/lib/db/upgrade.php
++++ b/htdocs/lib/db/upgrade.php
+@@ -638,7 +638,7 @@ function xmldb_core_upgrade($oldversion=0) {
+
+ if (is_dir($artefactdata . 'internal/profileicons')) {
+ if (!is_dir($artefactdata . 'file')) {
+- mkdir($artefactdata . 'file');
++ mkdir($artefactdata . 'file', get_config('directorypermissions'));
+ }
+ if (!rename($artefactdata . 'internal/profileicons', $artefactdata . 'file/profileicons')) {
+ throw new SystemException("Failed moving $artefactdata/internal/profileicons to $artefactdata/file/profileicons");
+diff --git a/htdocs/lib/file.php b/htdocs/lib/file.php
+index 71e3da3..2a96cdc 100644
+--- a/htdocs/lib/file.php
++++ b/htdocs/lib/file.php
+@@ -795,7 +795,7 @@ function copyr($source, $dest)
+
+ // Make destination directory
+ if (!is_dir($dest)) {
+- mkdir($dest);
++ mkdir($dest, get_config('directorypermissions'));
+ }
+
+ // Loop through the folder
+diff --git a/htdocs/lib/uploadmanager.php b/htdocs/lib/uploadmanager.php
+index 322481a..0ad1efd 100644
+--- a/htdocs/lib/uploadmanager.php
++++ b/htdocs/lib/uploadmanager.php
+@@ -171,7 +171,7 @@ class upload_manager {
+ $tmpname = $this->file['tmp_name'];
+ }
+ if (move_uploaded_file($tmpname, $destination . '/' . $newname)) {
+- chmod($destination . '/' . $newname, get_config('directorypermissions'));
++ chmod($destination . '/' . $newname, get_config('filepermissions'));
+ return false;
+ }
+ return get_string('failedmovingfiletodataroot');
+--
+1.7.11.3
+
diff -Nru mahara-1.5.1/debian/patches/CVE-2012-2244-0003.patch mahara-1.5.1/debian/patches/CVE-2012-2244-0003.patch
--- mahara-1.5.1/debian/patches/CVE-2012-2244-0003.patch 1970-01-01 00:00:00.000000000 +0000
+++ mahara-1.5.1/debian/patches/CVE-2012-2244-0003.patch 2012-11-12 23:07:24.000000000 +0000
@@ -0,0 +1,48 @@
+Author: Hugh Davenport <hugh@xxxxxxxxxxxxxxx>
+Subject: Remove clamav from site admin options
+Origin: upstream
+Bug: https://bugs.launchpad.net/mahara/+bug/1057238
+Last-Update: 2012-10-10
+
+ CVE-2012-2244
+
+ When a site administrator can manipulate the path for the
+ clamav scanner, they could produce either a reverse shell,
+ or allow any user to execute arbitrary remote commands by
+ setting it to an uploaded reverse shell, or to /bin/bash
+ respectively.
+
+ Other executable paths, namely pathtozip, and pathtounzip
+ are only set via config.php, and not through the site admin
+ interface. This option, pathtoclam, should follow the same
+ design.
+
+
+diff --git a/htdocs/admin/site/options.php b/htdocs/admin/site/options.php
+index ab0bc6a..17c4e3d 100644
+--- a/htdocs/admin/site/options.php
++++ b/htdocs/admin/site/options.php
+@@ -344,14 +344,6 @@ $siteoptionform = array(
+ 'help' => true,
+ 'disabled' => in_array('viruschecking', $OVERRIDDEN),
+ ),
+- 'pathtoclam' => array(
+- 'type' => 'text',
+- 'title' => get_string('pathtoclam', 'admin'),
+- 'description' => get_string('pathtoclamdescription', 'admin'),
+- 'defaultvalue' => get_config('pathtoclam'),
+- 'help' => true,
+- 'disabled' => in_array('pathtoclam', $OVERRIDDEN),
+- ),
+ 'antispam' => array(
+ 'type' => 'select',
+ 'title' => get_string('antispam', 'admin'),
+@@ -612,7 +604,7 @@ function siteoptions_fail(Pieform $form, $field) {
+
+ function siteoptions_submit(Pieform $form, $values) {
+ $fields = array(
+- 'sitename','lang','theme', 'pathtoclam', 'dropdownmenu',
++ 'sitename','lang','theme', 'dropdownmenu',
+ 'defaultaccountlifetime', 'defaultaccountinactiveexpire', 'defaultaccountinactivewarn',
+ 'allowpublicviews', 'allowpublicprofiles', 'generatesitemap',
+ 'registration_sendweeklyupdates', 'institutionexpirynotification', 'institutionautosuspend',
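Review bot: removing the `pathtoclam` field and its entry in the `$fields` list stops the admin UI from writing the option, but a value previously saved through this form is still in the config table and `get_config('pathtoclam')` keeps returning it after the upgrade (the removed `'defaultvalue' => get_config('pathtoclam')` line shows it was read from there). A site whose administrator account was abused before the fix keeps its malicious scanner path. Add an upgrade step that clears the stored value, or at minimum a changelog/NEWS note telling administrators to check `pathtoclam` in the database and set it in config.php instead. The `pathtoclam`/`pathtoclamdescription` language strings and help file are left behind, which is acceptable for a security backport.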
diff -Nru mahara-1.5.1/debian/patches/CVE-2012-2246.patch mahara-1.5.1/debian/patches/CVE-2012-2246.patch
--- mahara-1.5.1/debian/patches/CVE-2012-2246.patch 1970-01-01 00:00:00.000000000 +0000
+++ mahara-1.5.1/debian/patches/CVE-2012-2246.patch 2012-11-12 23:07:24.000000000 +0000
@@ -0,0 +1,32 @@
+Author: Hugh Davenport <hugh@xxxxxxxxxxxxxxx>
+Subject: Fix Click-Jacking attack on account deletion page
+Origin: upstream
+Bug: https://bugs.launchpad.net/mahara/+bug/1057240
+Last-Update: 2012-10-10
+
+ This attack has been mitigated by adding a HTTP header
+ of X-Frame-Options to every page in Mahara.
+
+ CVE-2012-2246
+
+---
+ htdocs/init.php | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/htdocs/init.php b/htdocs/init.php
+index 3e167cc..253721a 100644
+--- a/htdocs/init.php
++++ b/htdocs/init.php
+@@ -46,6 +46,9 @@ header('Cache-Control: private, must-revalidate, pre-check=0, post-check=0, max-
+ header('Expires: '. gmdate('D, d M Y H:i:s', 507686400) .' GMT');
+ header('Pragma: no-cache');
+
++// Prevent clickjacking through iframe tags
++header('X-Frame-Options: SAMEORIGIN');
++
+ // Set up error handling
+ require('errors.php');
+
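Review bot: `header('X-Frame-Options: SAMEORIGIN')` in this hunk applies to every script that includes init.php, so any page legitimately framed from another origin (embedded views, external portal integrations) stops rendering in that frame; check for such features before upload. If nothing in Mahara frames itself, `DENY` is the stricter choice. The header is a browser-side mitigation only, so the account-deletion page named in the header would still benefit from a server-side defence such as requiring the password on the deletion form.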
+--
+1.7.11.3
+
diff -Nru mahara-1.5.1/debian/patches/CVE-2012-2247.patch mahara-1.5.1/debian/patches/CVE-2012-2247.patch
--- mahara-1.5.1/debian/patches/CVE-2012-2247.patch 1970-01-01 00:00:00.000000000 +0000
+++ mahara-1.5.1/debian/patches/CVE-2012-2247.patch 2012-11-12 23:07:24.000000000 +0000
@@ -0,0 +1,39 @@
+Author: Hugh Davenport <hugh@xxxxxxxxxxxxxxx>
+Subject: Escape user uploaded SVG files
+Origin: upstream
+Bug: https://bugs.launchpad.net/mahara/+bug/1061980
+Last-Update: 2012-10-10
+
+ CVE-2012-2247
+
+ Before this patch, if a user uploaded HTML or XML files
+ then tried to download them, or linked other users to download
+ them, they would be presented with an escaped version along
+ with a link to download the original.
+
+ Unfortunately, an SVG file can possibly contain unsecure content,
+ such as javascript, that would be run on the victims browser.
+
+ This patch adds SVG files (image/svg+xml) to the list of files
+ to not display by default.
+
+---
+ htdocs/lib/file.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/htdocs/lib/file.php b/htdocs/lib/file.php
+index 19c7bf9..e0199b9 100644
+--- a/htdocs/lib/file.php
++++ b/htdocs/lib/file.php
+@@ -70,7 +70,7 @@ function serve_file($path, $filename, $mimetype, $options=array()) {
+ $lastmodified = filemtime($path);
+ $filesize = filesize($path);
+
+- if ($mimetype == 'text/html' || $mimetype == 'text/xml' || $mimetype == 'application/xhtml+xml') {
++ if ($mimetype == 'text/html' || $mimetype == 'text/xml' || $mimetype == 'application/xhtml+xml' || $mimetype == 'image/svg+xml') {
+ if (isset($options['downloadurl']) && $filesize < 1024 * 1024) {
+ display_cleaned_html(file_get_contents($path), $filename, $options);
+ exit;
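Review bot: adding `image/svg+xml` to the `display_cleaned_html()` branch treats an SVG document as HTML to be cleaned, so the user sees a stripped rendering plus the download link rather than the image; that matches the changelog wording, but it means SVG can no longer be used as an image at all through `serve_file`, which should be spelled out for site administrators. Script inside an SVG only runs when the SVG is the top-level document or loaded through `<object>`/`<iframe>`, not when referenced by `<img>`, so an alternative that keeps SVG usable is to serve it with `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff`. The same `downloadurl` and 1 MiB conditions as for XHTML apply, so larger SVG files fall through to the code after this hunk.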
+--
+1.7.11.3
+
diff -Nru mahara-1.5.1/debian/patches/series mahara-1.5.1/debian/patches/series
--- mahara-1.5.1/debian/patches/series 2012-10-27 23:18:15.000000000 +0000
+++ mahara-1.5.1/debian/patches/series 2012-11-12 23:07:24.000000000 +0000
@@ -2,3 +2,11 @@
CVE-2012-2237-0002.patch
CVE-2012-2237-0003.patch
CVE-2012-2237-0004.patch
+CVE-2012-2239.patch
+CVE-2012-2243-0001.patch
+CVE-2012-2243-0002.patch
+CVE-2012-2244-0001.patch
+CVE-2012-2244-0002.patch
+CVE-2012-2244-0003.patch
+CVE-2012-2246.patch
+CVE-2012-2247.patch
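Review bot: the order in debian/patches/series differs from the upstream commit order for htdocs/lib/file.php: the blob ids show CVE-2012-2244-0002 (`71e3da3..2a96cdc`) precedes CVE-2012-2243-0002 (`2a96cdc..19c7bf9`), which precedes CVE-2012-2247 (`19c7bf9..e0199b9`), whereas the series applies 2243-0002 before 2244-0002. The hunks touch different regions (`serve_file` near line 70 versus `copyr` near line 795) so they should still apply, but run `quilt push -a` and confirm it applies cleanly, or reorder the series to match upstream.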
diff -Nru mahara-1.2.6/debian/changelog mahara-1.2.6/debian/changelog
--- mahara-1.2.6/debian/changelog 2012-08-13 11:24:08.000000000 +0000
+++ mahara-1.2.6/debian/changelog 2012-11-12 00:08:09.000000000 +0000
@@ -1,3 +1,35 @@
+mahara (1.2.6-2+squeeze6) stable-security; urgency=high
+
+ * SECURITY UPDATE: Disable XML entity parsing to prevent XEE
+ - debian/patches/CVE-2012-2239.patch: upstream patch
+
+ * SECURITY UPDATE: Multiple cross-site scripting vulnerabilities
+ - Content passed to the error message was not escaped
+ - Escape pieform errors displayed to users
+ - debian/patches/CVE-2012-2243-0001.patch: upstream patch
+ - XHTML files prone to embedded javascript
+ - Prevent uploaded xhtml files from displaying verbatim
+ - debian/patches/CVE-2012-2243-0002.patch: upstream patch
+
+ * SECURITY UPDATE: Arbitrary file execution via clam path
+ - Remove executable bit from existing uploaded files
+ - debian/patches/CVE-2012-2244-0001.patch: upstream patch
+ - Ensure future files will not be executable
+ - debian/patches/CVE-2012-2244-0002.patch: upstream patch
+ - Remove direct path option from web configuration
+ - debian/patches/CVE-2012-2244-0003.patch: upstream patch
+
+ * SECURITY UPDATE: Prevent click-jacking attacks
+ - Add a HTTP header of X-Frame-Options to every page
+ - debian/patches/CVE-2012-2246.patch: upstream patch
+
+ * SECURITY UPDATE: Prevent SVG images being displayed
+ - SVG images displayed inline
+ - Adds SVG files to the list of files to not display by default
+ - debian/patches/CVE-2012-2247.patch: upstream patch
+
+ -- Melissa Draper <melissa@xxxxxxxxxxxxxxx> Wed, 10 Oct 2012 01:27:23 +0000
+
mahara (1.2.6-2+squeeze5) stable-security; urgency=high
* SECURITY UPDATE: Fix multiple cross-site scripting vulnerabilities
diff -Nru mahara-1.2.6/debian/patches/CVE-2012-2239.patch mahara-1.2.6/debian/patches/CVE-2012-2239.patch
--- mahara-1.2.6/debian/patches/CVE-2012-2239.patch 1970-01-01 00:00:00.000000000 +0000
+++ mahara-1.2.6/debian/patches/CVE-2012-2239.patch 2012-11-12 00:08:09.000000000 +0000
@@ -0,0 +1,73 @@
+Author: Hugh Davenport <hugh@xxxxxxxxxxxxxxx>
+Description: Disable XML entity parsing
+Origin: upstream
+Bug: https://bugs.launchpad.net/mahara/+bug/1047111
+Last-Update: 2012-09-11
+
+ Fix XML Security bug
+
+ There is a security issue with the default XML parser for PHP, where ENTITY fields are
+ loaded and substituted in text parts.
+
+ This allows possible attackers to read from internal networks, or files readable by the
+ web server user.
+
+ This includes reading of the config.php file, which contains sensitive information such
+ as the database password, and the password salt field.
+
+ The fix for this was to include a call to libxml_disable_entity_loader(true) during the
+ initialization of a page. This is based on a report from Mike Haworth
+
+ The vulnerability was present in the admin area when uploading Leap2A users, and also in
+ the user page area where a user could provide a RSS feed with specific XML ENTITY fields.
+
+ More information can be found at the following:
+ http://projects.webappsec.org/w/page/13247003/XML%20External%20Entities
+ http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html
+
+diff --git a/htdocs/blocktype/externalfeed/db/upgrade.php b/htdocs/blocktype/externalfeed/db/upgrade.php
+index 8415c7d..a52c151 100644
+--- a/htdocs/blocktype/externalfeed/db/upgrade.php
++++ b/htdocs/blocktype/externalfeed/db/upgrade.php
+@@ -61,6 +61,13 @@ function xmldb_blocktype_externalfeed_upgrade($oldversion=0) {
+ }
+ }
+
++ if ($oldversion < 2009121601) {
++ // Reset all feeds to reset themselves
++ set_field('blocktype_externalfeed_data', 'lastupdate', db_format_timestamp(strtotime('-90 minutes')));
++ safe_require('blocktype', 'externalfeed');
++ call_static_method('PluginBlocktypeExternalfeed', 'refresh_feeds');
++ }
++
+ return true;
+ }
+
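Review bot: this backport resets `lastupdate` to `db_format_timestamp(strtotime('-90 minutes'))`, while the 1.5.1 version of the same patch uses `db_format_timestamp('0')`; both only force a refresh of every feed if the threshold used by `refresh_feeds` in 1.2.6 is shorter than 90 minutes. State in the patch header which value is intended and why the two branches differ. The upgrade-time network fetch raised for the 1.5.1 hunk applies here as well.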
+diff --git a/htdocs/blocktype/externalfeed/version.php b/htdocs/blocktype/externalfeed/version.php
+index 9e1f925..4a2da30 100644
+--- a/htdocs/blocktype/externalfeed/version.php
++++ b/htdocs/blocktype/externalfeed/version.php
+@@ -28,7 +28,7 @@
+ defined('INTERNAL') || die();
+
+ $config = new StdClass;
+-$config->version = 2009121600;
++$config->version = 2009121601;
+ $config->release = '1.0.2';
+
+ ?>
+diff --git a/htdocs/init.php b/htdocs/init.php
+index 02a1dd8..7601a67 100644
+--- a/htdocs/init.php
++++ b/htdocs/init.php
+@@ -56,6 +56,10 @@ if (!is_readable($CFG->docroot . 'config.php')) {
+
+ init_performance_info();
+
++if (function_exists('libxml_disable_entity_loader')) {
++ libxml_disable_entity_loader(true);
++}
++
+ require($CFG->docroot . 'config.php');
+ $CFG = (object)array_merge((array)$cfg, (array)$CFG);
+ require_once('config-defaults.php');
diff -Nru mahara-1.2.6/debian/patches/CVE-2012-2243-0001.patch mahara-1.2.6/debian/patches/CVE-2012-2243-0001.patch
--- mahara-1.2.6/debian/patches/CVE-2012-2243-0001.patch 1970-01-01 00:00:00.000000000 +0000
+++ mahara-1.2.6/debian/patches/CVE-2012-2243-0001.patch 2012-11-12 00:08:09.000000000 +0000
@@ -0,0 +1,53 @@
+Author: Hugh Davenport <hugh@xxxxxxxxxxxxxxx>
+Subject: Escape pieform errors displayed to users
+Origin: upstream
+Bug: https://bugs.launchpad.net/mahara/+bug/1063480
+Last-Update: 2012-10-10
+
+ CVE-2012-2243
+
+ If a user modifies a form in such as way that an error
+ is caused based on their input there is a possible XSS
+ avenue.
+
+ This was displayed in the user/group CSV uploads, with
+ a malicious script in the header which causes a CSV parsing
+ error and was then passed back to the user verbatim.
+
+ This patch escapes all error messages in the pieform error
+ output.
+
+---
+ htdocs/lib/form/renderers/maharatable.php | 2 +-
+ htdocs/lib/pieforms/pieform/renderers/table.php | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/htdocs/lib/form/renderers/maharatable.php b/htdocs/lib/form/renderers/maharatable.php
+index 23a76b4..0628df9 100644
+--- a/htdocs/lib/form/renderers/maharatable.php
++++ b/htdocs/lib/form/renderers/maharatable.php
+@@ -109,7 +109,7 @@ function pieform_renderer_maharatable(Pieform $form, $element) {
+
+ if (!empty($element['error'])) {
+ $result .= "\t<tr>\n\t\t<td class=\"errmsg\">";
+- $result .= $element['error'];
++ $result .= hsc($element['error']);
+ $result .= "</td>\n\t</tr>\n";
+ }
+
+diff --git a/htdocs/lib/pieforms/pieform/renderers/table.php b/htdocs/lib/pieforms/pieform/renderers/table.php
+index c09bbdc..3e7b649 100644
+--- a/htdocs/lib/pieforms/pieform/renderers/table.php
++++ b/htdocs/lib/pieforms/pieform/renderers/table.php
+@@ -92,7 +92,7 @@ function pieform_renderer_table(Pieform $form, $element) {/*{{{*/
+
+ if (!empty($element['error'])) {
+ $result .= "\t<tr>\n\t\t<td colspan=\"2\" class=\"errmsg\">";
+- $result .= $element['error'];
++ $result .= hsc($element['error']);
+ $result .= "</td>\n\t</tr>\n";
+ }
+
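Review bot: the 1.2.6 backport touches only `maharatable.php` and `table.php`, while the 1.5.1 patch also escapes the error in `htdocs/lib/pieforms/pieform/renderers/div.php`. If that renderer exists in 1.2.6 it is still emitting `$element['error']` unescaped; if it does not, say so in the patch header so the omission is recorded as deliberate.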
+--
+1.7.11.3
+
diff -Nru mahara-1.2.6/debian/patches/CVE-2012-2243-0002.patch mahara-1.2.6/debian/patches/CVE-2012-2243-0002.patch
--- mahara-1.2.6/debian/patches/CVE-2012-2243-0002.patch 1970-01-01 00:00:00.000000000 +0000
+++ mahara-1.2.6/debian/patches/CVE-2012-2243-0002.patch 2012-11-12 00:08:09.000000000 +0000
@@ -0,0 +1,37 @@
+Author: Hugh Davenport <hugh@xxxxxxxxxxxxxxx>
+Subject: Escape user uploaded XHTML files
+Origin: upstream
+Bug: https://bugs.launchpad.net/mahara/+bug/1055232
+Last-Update: 2012-10-10
+
+ CVE-2012-2243
+
+ Before this patch, if a user uploaded HTML or XML files
+ then tried to download them, or linked other users to download
+ them, they would be presented with an escaped version along
+ with a link to download the original.
+
+ This did not include XHTML files, which can cause the same
+ security issues as HTML or XML files. This patch includes the
+ XHTML mimetype of application/xhtml+xml in the test of which
+ files to escape.
+---
+ htdocs/lib/file.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/htdocs/lib/file.php b/htdocs/lib/file.php
+index 1c7481c..2b92193 100644
+--- a/htdocs/lib/file.php
++++ b/htdocs/lib/file.php
+@@ -70,7 +70,7 @@ function serve_file($path, $filename, $mimetype, $options=array()) {
+ $lastmodified = filemtime($path);
+ $filesize = filesize($path);
+
+- if ($mimetype == 'text/html' || $mimetype == 'text/xml') {
++ if ($mimetype == 'text/html' || $mimetype == 'text/xml' || $mimetype == 'application/xhtml+xml') {
+ if (isset($options['downloadurl']) && $filesize < 1024 * 1024) {
+ display_cleaned_html(file_get_contents($path), $filename, $options);
+ exit;
+--
+1.7.11.3
+
diff -Nru mahara-1.2.6/debian/patches/CVE-2012-2244-0001.patch mahara-1.2.6/debian/patches/CVE-2012-2244-0001.patch
--- mahara-1.2.6/debian/patches/CVE-2012-2244-0001.patch 1970-01-01 00:00:00.000000000 +0000
+++ mahara-1.2.6/debian/patches/CVE-2012-2244-0001.patch 2012-11-12 00:08:09.000000000 +0000
@@ -0,0 +1,61 @@
+Author: Hugh Davenport <hugh@xxxxxxxxxxxxxxx>
+Subject: Fix up old file permissions to remove executable
+Origin: upstream
+Bug: https://bugs.launchpad.net/mahara/+bug/1057238
+Last-Update: 2012-10-10
+
+ CVE-2012-2244
+
+ In previous versions of mahara, all the user uploaded files
+ had the executable bit set. This patch runs an upgrade script
+ to remove this executable bit.
+
+---
+ htdocs/artefact/file/db/upgrade.php | 17 +++++++++++++++++
+ htdocs/artefact/file/version.php | 2 +-
+ 2 files changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/htdocs/artefact/file/db/upgrade.php b/htdocs/artefact/file/db/upgrade.php
+index f83aa2d..ac41cab 100644
+--- a/htdocs/artefact/file/db/upgrade.php
++++ b/htdocs/artefact/file/db/upgrade.php
+@@ -271,6 +271,23 @@ function xmldb_artefact_file_upgrade($oldversion=0) {
+ }
+ }
+
++ if ($oldversion < 2009111202) {
++ $baseiter = new DirectoryIterator(get_config('dataroot') . 'artefact/file/originals/');
++ foreach ($baseiter as $dir) {
++ if ($dir->isDot()) continue;
++ $dirpath = $dir->getPath() . '/' . $dir->getFilename();
++ $fileiter = new DirectoryIterator($dirpath);
++ foreach ($fileiter as $file) {
++ if ($file->isDot()) continue;
++ if (!$file->isFile()) {
++ log_error("Something was wrong about the dataroot in artefact/file/originals/$dir. Unexpected folder $file");
++ continue;
++ }
++ chmod($file->getPathname(), $file->getPerms() & 0666);
++ }
++ }
++ }
++
+ return $status;
+ }
+
+diff --git a/htdocs/artefact/file/version.php b/htdocs/artefact/file/version.php
+index 880a04b..1550ed2 100644
+--- a/htdocs/artefact/file/version.php
++++ b/htdocs/artefact/file/version.php
+@@ -28,7 +28,7 @@
+ defined('INTERNAL') || die();
+
+ $config = new StdClass;
+-$config->version = 2009111201;
++$config->version = 2009111202;
+ $config->release = '1.2.0';
+
+ ?>
+--
+1.7.11.3
+
diff -Nru mahara-1.2.6/debian/patches/CVE-2012-2244-0002.patch mahara-1.2.6/debian/patches/CVE-2012-2244-0002.patch
--- mahara-1.2.6/debian/patches/CVE-2012-2244-0002.patch 1970-01-01 00:00:00.000000000 +0000
+++ mahara-1.2.6/debian/patches/CVE-2012-2244-0002.patch 2012-11-12 00:08:09.000000000 +0000
@@ -0,0 +1,108 @@
+Author: Hugh Davenport <hugh@xxxxxxxxxxxxxxx>
+Subject: Fix saved file permissions
+Origin: upstream
+Bug: https://bugs.launchpad.net/mahara/+bug/1057238
+Last-Update: 2012-10-10
+
+ CVE-2012-2244
+
+ Currently, files that are saved by Mahara use the
+ directorypermissions config option, which defaults to
+ 0700, which allows execution.
+
+ This allows users to potentially upload files with
+ executable bits set, and if they have control of the
+ config options pathtoclam, pathtozip, or pathtounzip
+ then they could run this command when one of those
+ commands are invocated.
+
+ This patch bitwise-AND's the directory permissions
+ config with 0666, which removes any executable bit
+ and sets the result as a new config option
+ filepermissions.
+
+ A change the upload code to use this new option is made
+
+---
+ htdocs/artefact/file/lib.php | 3 ++-
+ htdocs/init.php | 1 +
+ htdocs/lib/db/upgrade.php | 2 +-
+ htdocs/lib/file.php | 2 +-
+ htdocs/lib/uploadmanager.php | 2 +-
+ 5 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/htdocs/artefact/file/lib.php b/htdocs/artefact/file/lib.php
+index aacf11e..8345a0b 100644
+--- a/htdocs/artefact/file/lib.php
++++ b/htdocs/artefact/file/lib.php
+@@ -815,6 +815,7 @@ class ArtefactTypeFile extends ArtefactTypeFileBase {
+ $f->delete();
+ return false;
+ }
++ chmod($newname, get_config('filepermissions'));
+ if (empty($user)) {
+ global $USER;
+ $user = $USER;
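Review bot: `chmod($newname, get_config('filepermissions'));` ignores the return value, so if the chmod fails the save still reports success and the file keeps whatever mode it was written with. Since this call is the one that enforces the non-executable mode for files saved through ArtefactTypeFile, treat a false return the same way the surrounding code treats other failures (delete and return false, or at least log_error()).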
+@@ -1849,7 +1850,7 @@ class ArtefactTypeArchive extends ArtefactTypeFile {
+ // Untar everything into a temp directory first
+ $tempsubdir = tempnam($tempdir, '');
+ unlink($tempsubdir);
+- mkdir($tempsubdir);
++ mkdir($tempsubdir, get_config('directorypermissions'));
+ if (!$this->handle->extract($tempsubdir)) {
+ throw new SystemException("Unable to extract archive into $tempsubdir");
+ }
+diff --git a/htdocs/init.php b/htdocs/init.php
+index 02a1dd8..0c13175 100644
+--- a/htdocs/init.php
++++ b/htdocs/init.php
+@@ -74,6 +74,7 @@ $CFG->xmldbdisablecommentchecking = true;
+ if (empty($CFG->directorypermissions)) {
+ $CFG->directorypermissions = 0700;
+ }
++$CFG->filepermissions = $CFG->directorypermissions & 0666;
+
+ // core libraries
+ require('mahara.php');
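Review bot: `$CFG->filepermissions = $CFG->directorypermissions & 0666;` is assigned unconditionally, unlike the `directorypermissions` default just above it, which is only applied when the value is empty. That means an administrator cannot set `filepermissions` independently in config.php (the value is overwritten on every request), which is probably intended here but should be stated in the patch description or in the config documentation. With the default 0700 this yields 0600, so uploaded files are owner-only; if the site's `directorypermissions` is something like 0750 the derived file mode becomes 0640, which is still non-executable, so the derivation holds for any directory mode.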
+diff --git a/htdocs/lib/db/upgrade.php b/htdocs/lib/db/upgrade.php
+index c686cbd..5beddce 100644
+--- a/htdocs/lib/db/upgrade.php
++++ b/htdocs/lib/db/upgrade.php
+@@ -633,7 +633,7 @@ function xmldb_core_upgrade($oldversion=0) {
+ $artefactdata = get_config('dataroot') . 'artefact/';
+ if (is_dir($artefactdata . 'internal/profileicons')) {
+ if (!is_dir($artefactdata . 'file')) {
+- mkdir($artefactdata . 'file');
++ mkdir($artefactdata . 'file', get_config('directorypermissions'));
+ }
+ if (!rename($artefactdata . 'internal/profileicons', $artefactdata . 'file/profileicons')) {
+ throw new SystemException("Failed moving $artefactdata/internal/profileicons to $artefactdata/file/profileicons");
+diff --git a/htdocs/lib/file.php b/htdocs/lib/file.php
+index a774213..1c7481c 100644
+--- a/htdocs/lib/file.php
++++ b/htdocs/lib/file.php
+@@ -752,7 +752,7 @@ function copyr($source, $dest)
+
+ // Make destination directory
+ if (!is_dir($dest)) {
+- mkdir($dest);
++ mkdir($dest, get_config('directorypermissions'));
+ }
+
+ // Loop through the folder
+diff --git a/htdocs/lib/uploadmanager.php b/htdocs/lib/uploadmanager.php
+index b49c1df..1bf3cb1 100644
+--- a/htdocs/lib/uploadmanager.php
++++ b/htdocs/lib/uploadmanager.php
+@@ -155,7 +155,7 @@ class upload_manager {
+ }
+
+ if (move_uploaded_file($this->file['tmp_name'], $destination . '/' . $newname)) {
+- chmod($destination . '/' . $newname, 0700);
++ chmod($destination . '/' . $newname, get_config('filepermissions'));
+ return false;
+ }
+ return get_string('failedmovingfiletodataroot');
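Review bot: the replacement `chmod($destination . '/' . $newname, get_config('filepermissions'));` fixes the hard-coded 0700, but as in lib.php the return value is not checked, and `return false` here means success in this function's contract (the failure path returns a string). A failed chmod therefore goes unnoticed; check the result and return `get_string('failedmovingfiletodataroot')` or a more specific message when it fails.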
+--
+1.7.11.3
+
diff -Nru mahara-1.2.6/debian/patches/CVE-2012-2244-0003.patch mahara-1.2.6/debian/patches/CVE-2012-2244-0003.patch
--- mahara-1.2.6/debian/patches/CVE-2012-2244-0003.patch 1970-01-01 00:00:00.000000000 +0000
+++ mahara-1.2.6/debian/patches/CVE-2012-2244-0003.patch 2012-11-12 00:08:09.000000000 +0000
@@ -0,0 +1,53 @@
+Author: Hugh Davenport <hugh@xxxxxxxxxxxxxxx>
+Subject: Remove clamav from site admin options
+Origin: upstream
+Bug: https://bugs.launchpad.net/mahara/+bug/1057238
+Last-Update: 2012-10-10
+
+ CVE-2012-2244
+
+ When a site administrator can manipulate the path for the
+ clamav scanner, they could produce either a reverse shell,
+ or allow any user to execute arbitrary remote commands by
+ setting it to an uploaded reverse shell, or to /bin/bash
+ respectively.
+
+ Other executable paths, namely pathtozip, and pathtounzip
+ are only set via config.php, and not through the site admin
+ interface. This option, pathtoclam, should follow the same
+ design.
+
+---
+ htdocs/admin/site/options.php | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+diff --git a/htdocs/admin/site/options.php b/htdocs/admin/site/options.php
+index 95b02e1..edcb1a5 100644
+--- a/htdocs/admin/site/options.php
++++ b/htdocs/admin/site/options.php
+@@ -93,13 +93,6 @@ $siteoptionform = array(
+ 'defaultvalue' => get_config('viruschecking'),
+ 'help' => true,
+ ),
+- 'pathtoclam' => array(
+- 'type' => 'text',
+- 'title' => get_string('pathtoclam', 'admin'),
+- 'description' => get_string('pathtoclamdescription', 'admin'),
+- 'defaultvalue' => get_config('pathtoclam'),
+- 'help' => true,
+- ),
+ 'sessionlifetime' => array(
+ 'type' => 'text',
+ 'size' => 4,
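Review bot: removing the `pathtoclam` field from the site options form stops future changes through the web interface, but any value already stored in the config table by `get_config('pathtoclam')` remains in effect after the upgrade. If a site was compromised through this field before the update, the stored path is still what gets executed when virus checking runs. Consider an upgrade step that clears the stored value (or resets it to the config.php value), and a changelog/NEWS entry telling administrators that `pathtoclam` must now be set in config.php, as the description already says is the case for `pathtozip` and `pathtounzip`.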
+@@ -247,7 +240,7 @@ function siteoptions_fail(Pieform $form, $field) {
+
+ function siteoptions_submit(Pieform $form, $values) {
+ $fields = array(
+- 'sitename','lang','theme', 'pathtoclam',
++ 'sitename','lang','theme',
+ 'defaultaccountlifetime', 'defaultaccountinactiveexpire', 'defaultaccountinactivewarn',
+ 'allowpublicviews', 'allowpublicprofiles', 'creategroups', 'createpublicgroups', 'searchplugin',
+ 'registration_sendweeklyupdates', 'institutionexpirynotification', 'institutionautosuspend',
+--
+1.7.11.3
+
diff -Nru mahara-1.2.6/debian/patches/CVE-2012-2246.patch mahara-1.2.6/debian/patches/CVE-2012-2246.patch
--- mahara-1.2.6/debian/patches/CVE-2012-2246.patch 1970-01-01 00:00:00.000000000 +0000
+++ mahara-1.2.6/debian/patches/CVE-2012-2246.patch 2012-11-12 00:08:09.000000000 +0000
@@ -0,0 +1,32 @@
+Author: Hugh Davenport <hugh@xxxxxxxxxxxxxxx>
+Subject: Fix Click-Jacking attack on account deletion page
+Origin: upstream
+Bug: https://bugs.launchpad.net/mahara/+bug/1057240
+Last-Update: 2012-10-10
+
+ This attack has been mitigated by adding a HTTP header
+ of X-Frame-Options to every page in Mahara.
+
+ CVE-2012-2246
+
+---
+ htdocs/init.php | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/htdocs/init.php b/htdocs/init.php
+index 0c13175..7da62d5 100644
+--- a/htdocs/init.php
++++ b/htdocs/init.php
+@@ -44,6 +44,9 @@ header('Cache-Control: private, must-revalidate, pre-check=0, post-check=0, max-
+ header('Expires: '. gmdate('D, d M Y H:i:s', 507686400) .' GMT');
+ header('Pragma: no-cache');
+
++// Prevent clickjacking through iframe tags
++header('X-Frame-Options: SAMEORIGIN');
++
+ // Set up error handling
+ require('errors.php');
+
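Review bot: sending `X-Frame-Options: SAMEORIGIN` from init.php applies to every page that includes init.php, not only the account deletion page named in the subject. That is the right scope for a click-jacking fix, but it also means any Mahara page that is deliberately embedded in a frame on another origin will stop rendering there; this deserves a line in the Debian changelog or NEWS so administrators are not surprised. If no page of Mahara is ever meant to be framed, even by itself, `DENY` would be the stricter choice; if same-origin framing is used anywhere, `SAMEORIGIN` as chosen here is correct.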
+--
+1.7.11.3
+
diff -Nru mahara-1.2.6/debian/patches/CVE-2012-2247.patch mahara-1.2.6/debian/patches/CVE-2012-2247.patch
--- mahara-1.2.6/debian/patches/CVE-2012-2247.patch 1970-01-01 00:00:00.000000000 +0000
+++ mahara-1.2.6/debian/patches/CVE-2012-2247.patch 2012-11-12 00:08:09.000000000 +0000
@@ -0,0 +1,41 @@
+Author: Hugh Davenport <hugh@xxxxxxxxxxxxxxx>
+Subject: Escape user uploaded SVG files
+Origin: upstream
+Bug: https://bugs.launchpad.net/mahara/+bug/
+Last-Update: 2012-10-10
+
+Bug #1061980
+CVE-2012-2247
+
+Before this patch, if a user uploaded HTML or XML files
+then tried to download them, or linked other users to download
+them, they would be presented with an escaped version along
+with a link to download the original.
+
+Unfortunately, an SVG file can possibly contain unsecure content,
+such as javascript, that would be run on the victims browser.
+
+This patch adds SVG files (image/svg+xml) to the list of files
+to not display by default.
+
+Change-Id: I56e7c9d2a7d8de03b5b3be31f0ac44198547ea09
+---
+ htdocs/lib/file.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
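Review bot: the DEP-3 `Bug:` header of this patch is incomplete (`https://bugs.launchpad.net/mahara/+bug/` with no number) while the body gives `Bug #1061980`; complete the header as `Bug: https://bugs.launchpad.net/mahara/+bug/1061980` so tooling that reads the header resolves to the right report.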
+diff --git a/htdocs/lib/file.php b/htdocs/lib/file.php
+index 2b92193..a61daf5 100644
+--- a/htdocs/lib/file.php
++++ b/htdocs/lib/file.php
+@@ -70,7 +70,7 @@ function serve_file($path, $filename, $mimetype, $options=array()) {
+ $lastmodified = filemtime($path);
+ $filesize = filesize($path);
+
+- if ($mimetype == 'text/html' || $mimetype == 'text/xml' || $mimetype == 'application/xhtml+xml') {
++ if ($mimetype == 'text/html' || $mimetype == 'text/xml' || $mimetype == 'application/xhtml+xml' || $mimetype == 'image/svg+xml') {
+ if (isset($options['downloadurl']) && $filesize < 1024 * 1024) {
+ display_cleaned_html(file_get_contents($path), $filename, $options);
+ exit;
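Review bot: the new condition compares `$mimetype` against the exact string `'image/svg+xml'`, in the same style as the existing checks, so a type string that differs only in case or in a variant spelling would not be caught; a lower-cased `in_array()` against a list of types to clean would be more robust than a growing chain of `==` comparisons. Also note the visible guard on the next line: cleaning only happens when `$options['downloadurl']` is set and `$filesize < 1024 * 1024`, so an SVG larger than 1 MiB, or one served by a caller that does not pass downloadurl, takes the path below this hunk; please confirm that path does not serve the file inline with its original content type, otherwise the fix applies only to small files.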
+--
+1.7.11.3
+
diff -Nru mahara-1.2.6/debian/patches/series mahara-1.2.6/debian/patches/series
--- mahara-1.2.6/debian/patches/series 2012-08-13 11:24:08.000000000 +0000
+++ mahara-1.2.6/debian/patches/series 2012-11-12 00:08:09.000000000 +0000
@@ -12,3 +12,11 @@
saml_multi_default_config.patch
CVE-2012-2237-0001.patch
CVE-2012-2237-0002.patch
+CVE-2012-2239.patch
+CVE-2012-2243-0001.patch
+CVE-2012-2243-0002.patch
+CVE-2012-2244-0001.patch
+CVE-2012-2244-0002.patch
+CVE-2012-2244-0003.patch
+CVE-2012-2246.patch
+CVE-2012-2247.patch
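Review bot: the order of the new entries is load-bearing and should be kept: CVE-2012-2244-0002.patch takes htdocs/init.php from index 02a1dd8 to 0c13175, and CVE-2012-2246.patch expects to apply on 0c13175 (index 0c13175..7da62d5), so reordering or dropping 2244-0002 would make 2246 fail to apply. A short comment in debian/patches/series, or a line in the changelog, noting this dependency would save the next maintainer a failed build.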