PatchItem12391Contrib

Patch a critical vulnerability in Locale::Maketext

Usage

This extensions applies a "hotfix" for Item12285 and Item12391 to your Foswiki 1.1.0 thru 1.1.7 system. Foswiki 1.0.x versions need to be manually patched.

NOTICE: This patch addresses a critical Foswiki vulnerability and should be installed as soon as possible.

• If a warning about MAKETEXT Rejected is displayed here, your system is patched for Item12285: Excessive parameter number 101, MAKETEXT rejected.
• If [quant,4,singular,plural] is displayed at the end of this line, your system is patched for Item12391: [quant,4,singular,plural]

When this extension is installed, it uses the Post-installation exit to apply any patch files found in the manifest. This extension ships with a hotfix for the following items:

Original Issue	Patch File	Description	Applies to
Item12285	Item12285-001	Addresses a vulnerability in Locale::Maketext.	Foswiki 1.1.0 - Foswiki 1.1.2
Item12285	Item12285-002	Addresses a vulnerability in Locale::Maketext.	Foswiki 1.1.3 - Foswiki 1.1.6
Item12391	Item12391-001	Addresses a vulnerability in Locale::Maketext.	Foswiki 1.1.0 - Foswiki 1.1.2 (Post Item12385)
Item12391	Item12391-002	Addresses a vulnerability in Locale::Maketext.	Foswiki 1.1.3 - Foswiki 1.1.6 (Post Item12385)
Item12391	Item12391-003	Addresses a vulnerability in Locale::Maketext.	Foswiki 1.1.7

Before any file is patched, a backup is copied to working/configure/backup/<Item12285-001-date-time>. Each file that is a candidate to be patched is backed up. If the extensions is installed multple times, a new backup is made for each run, regardless of whether or not the patch will be applied. For this patch, the following files are copied:

• lib/Foswiki/Macros/MAKETEXT.pm

Patches are only applied if the target file is an exact match to the original file. There is no attempt to do "fuzzy" patching. Note however that a patch can be built to cover multiple versions of the file.

There is no "dependency order" established between patches. Patches are installed in order of their patch file name.

Patches will be mapped from the default Foswiki filename to the directory location used on the target system.

This patch does not include an uninstaller routine. If this contrib is removed, the files will remain patched.

Installation

You do not need to install anything in the browser to use this extension. The following instructions are for the administrator who installs the extension on the server.

Open configure, and open the "Extensions" section. Use "Find More Extensions" to get a list of available extensions. Select "Install".

If you have any problems, or if the extension isn't available in configure, then you can still install manually from the command-line. See http://foswiki.org/Support/ManuallyInstallingExtensions for more help.

Info

Author:	GeorgeClark
Copyright ©:	Foswiki Contributors
License:	GPL (GNU General Public License)
Dependencies:	Name Version Description Foswiki::Contrib::PatchFoswikiContrib >=1.5 Required for old Foswiki versions.
Version:	1.0
Change History:
1.0 (13 Feb 2013)	Initial version
Home:	http://foswiki.org/Extensions/PatchItem12391Contrib
Support:	http://foswiki.org/Support/PatchItem12391Contrib