authorPierre Schmitz <pierre@archlinux.de>2014-07-31 06:43:27 +0200
committerPierre Schmitz <pierre@archlinux.de>2014-07-31 06:43:27 +0200
commit027fc6e70f7f9ce8422d4798fb02e67ff271ae4c (patch)
tree8163dff509e80309c82051a1095faab9396e280f
parentf80b2307028ed4d9231a0bd46496b241dcf4aa5c (diff)
Update to MediaWiki 1.22.9
-rw-r--r--RELEASE-NOTES-1.2214
-rw-r--r--includes/DefaultSettings.php2
-rw-r--r--includes/ImagePage.php2
-rw-r--r--includes/OutputPage.php12
-rw-r--r--includes/api/ApiFormatJson.php4
-rw-r--r--includes/filerepo/file/LocalFile.php2
-rw-r--r--includes/parser/ParserOutput.php13
-rw-r--r--resources/Resources.php6
-rw-r--r--resources/mediawiki.page/mediawiki.page.image.pagination.js11
9 files changed, 62 insertions, 4 deletions
diff --git a/RELEASE-NOTES-1.22 b/RELEASE-NOTES-1.22
index be1d96a7..44067ff8 100644
--- a/RELEASE-NOTES-1.22
+++ b/RELEASE-NOTES-1.22
@@ -3,6 +3,20 @@
Security reminder: MediaWiki does not require PHP's register_globals. If you
have it on, turn it '''off''' if you can.
+== MediaWiki 1.22.9 ==
+
+This is a security and maintenance release of the MediaWiki 1.22 branch.
+
+=== Changes since 1.22.8 ===
+
+* (bug 68187) SECURITY: Prepend jsonp callback with comment.
+* (bug 66608) SECURITY: Fix for XSS issue in bug 66608: Generate the URL used
+ for loading a new page in Javascript,instead of relying on the URL in the link
+ that has been clicked.
+* (bug 65778) SECURITY: Copy prevent-clickjacking between OutputPage and
+ ParserOutput.
+* (bug 59147) The img_metadata field was not being decoded from bytea into text.
+
== MediaWiki 1.22.8 ==
This is a security and maintenance release of the MediaWiki 1.22 branch.
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 4eb979ac..cd631a8b 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -63,7 +63,7 @@ $wgConf = new SiteConfiguration;
* MediaWiki version number
* @since 1.2
*/
-$wgVersion = '1.22.8';
+$wgVersion = '1.22.9';
/**
* Name of the site. It must be changed in LocalSettings.php
diff --git a/includes/ImagePage.php b/includes/ImagePage.php
index 7ea06b0e..d696a17c 100644
--- a/includes/ImagePage.php
+++ b/includes/ImagePage.php
@@ -420,6 +420,8 @@ class ImagePage extends Article {
if ( $page > 1 ) {
$label = $out->parse( wfMessage( 'imgmultipageprev' )->text(), false );
+ // on the client side, this link is generated in ajaxifyPageNavigation()
+ // in the mediawiki.page.image.pagination module
$link = Linker::linkKnown(
$this->getTitle(),
$label,
diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index 7f0454f6..6bfba78b 100644
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -1574,6 +1574,8 @@ class OutputPage extends ContextSource {
$this->addModuleScripts( $parserOutput->getModuleScripts() );
$this->addModuleStyles( $parserOutput->getModuleStyles() );
$this->addModuleMessages( $parserOutput->getModuleMessages() );
+ $this->mPreventClickjacking = $this->mPreventClickjacking
+ || $parserOutput->preventClickjacking();
// Template versioning...
foreach ( (array)$parserOutput->getTemplateIds() as $ns => $dbks ) {
@@ -1874,6 +1876,16 @@ class OutputPage extends ContextSource {
}
/**
+ * Get the prevent-clickjacking flag
+ *
+ * @since 1.24
+ * @return boolean
+ */
+ public function getPreventClickjacking() {
+ return $this->mPreventClickjacking;
+ }
+
+ /**
* Get the X-Frame-Options header value (without the name part), or false
* if there isn't one. This is used by Skin to determine whether to enable
* JavaScript frame-breaking, for clients that don't support X-Frame-Options.
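Review bot: The docblock on the new getPreventClickjacking() says `@since 1.24`, yet this same diff sets $wgVersion to 1.22.9, so on this branch the annotation is wrong and extension authors reading the 1.22 code will assume the accessor is unavailable. Suggest `@since 1.22.9 (backported from 1.24)` so both the branch availability and the upstream origin are recorded. The `@return boolean` line could also say what true means; the neighbouring docblock ties the flag to the X-Frame-Options header, so something like `@return boolean True when the page must not be framed (drives the X-Frame-Options header)` would make the getter self-describing, though the header emission itself is outside this hunk.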
diff --git a/includes/api/ApiFormatJson.php b/includes/api/ApiFormatJson.php
index 342a580f..4140583e 100644
--- a/includes/api/ApiFormatJson.php
+++ b/includes/api/ApiFormatJson.php
@@ -65,7 +65,9 @@ class ApiFormatJson extends ApiFormatBase {
$callback = $params['callback'];
if ( $callback !== null ) {
$callback = preg_replace( "/[^][.\\'\\\"_A-Za-z0-9]/", '', $callback );
- $this->printText( "$callback($json)" );
+ # Prepend a comment to try to avoid attacks against content
+ # sniffers, such as bug 68187.
+ $this->printText( "/**/$callback($json)" );
} else {
$this->printText( $json );
}
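Review bot: The `/**/` prefix on the new printText line only helps if it is literally the first bytes of the response body, so anything emitted earlier (a BOM, a stray newline before output, text from a hook) would silently defeat it; a regression test asserting that the raw callback response starts with `/**/` would guard the mitigation. It is also defence-in-depth rather than a complete fix: the allowlist on the preceding line still admits `'`, `"`, `[` and `]` and imposes no length bound, none of which a JSONP caller needs, so tightening to identifier-and-dot characters plus a length cap is worth considering if compatibility allows (that line is context here, not part of this change). The comment should say what is being defended against instead of only citing the bug, e.g. `# Prepend a comment so the body cannot start with caller-controlled bytes: a callback built from the allowed characters could otherwise look like another file type to a permissive content sniffer and be executed as such (bug 68187).`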
diff --git a/includes/filerepo/file/LocalFile.php b/includes/filerepo/file/LocalFile.php
index fe769be2..d18f42e4 100644
--- a/includes/filerepo/file/LocalFile.php
+++ b/includes/filerepo/file/LocalFile.php
@@ -423,6 +423,8 @@ class LocalFile extends File {
$decoded['timestamp'] = wfTimestamp( TS_MW, $decoded['timestamp'] );
+ $decoded['metadata'] = $this->repo->getSlaveDB()->decodeBlob( $decoded['metadata'] );
+
if ( empty( $decoded['major_mime'] ) ) {
$decoded['mime'] = 'unknown/unknown';
} else {
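Review bot: The new decodeBlob() call on `$decoded['metadata']` runs unconditionally inside a method whose start is outside this hunk, so if that decoder is ever applied to a row that was not read straight from the database (for example one reconstituted from cache and already decoded), the metadata would be decoded twice; decodeBlob is presumably a pass-through on MySQL-style backends, but it is not obvious that it is idempotent on a bytea backend, which is precisely the case bug 59147 concerns. Worth confirming that every caller passes a raw DB row, or guarding the call on the value still being an undecoded blob. A one-line comment such as `// img_metadata is a blob (bytea on Postgres); decode it before anything unserializes it (bug 59147)` would record why this line exists.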
diff --git a/includes/parser/ParserOutput.php b/includes/parser/ParserOutput.php
index 502f0fd1..460f3211 100644
--- a/includes/parser/ParserOutput.php
+++ b/includes/parser/ParserOutput.php
@@ -55,6 +55,7 @@ class ParserOutput extends CacheTime {
private $mExtensionData = array(); # extra data used by extensions
private $mLimitReportData = array(); # Parser limit report data
private $mParseStartTime = array(); # Timestamps for getTimeSinceStart()
+ private $mPreventClickjacking = false; # Whether to emit X-Frame-Options: DENY
const EDITSECTION_REGEX = '#<(?:mw:)?editsection page="(.*?)" section="(.*?)"(?:/>|>(.*?)(</(?:mw:)?editsection>))#';
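Review bot: Adding `$mPreventClickjacking` as a new property on a class that extends CacheTime, and so is presumably stored serialized in the parser cache, means entries written before this upgrade unserialize with the default `false`; a page that should set the flag will keep being served frameable until its cache entry expires or is invalidated, unless something outside this diff bumps the parser cache version. Consider bumping that version (or documenting a parser cache purge in the release notes) so the security fix takes effect immediately rather than on cache turnover. A comment on the declaration, e.g. `# Added in 1.22.9: missing from older cached ParserOutput objects, which unserialize with this default`, would also help whoever gets the first stale-cache bug report.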
@@ -330,6 +331,7 @@ class ParserOutput extends CacheTime {
$this->addModuleMessages( $out->getModuleMessages() );
$this->mHeadItems = array_merge( $this->mHeadItems, $out->getHeadItemsArray() );
+ $this->mPreventClickjacking = $this->mPreventClickjacking || $out->getPreventClickjacking();
}
/**
@@ -629,4 +631,15 @@ class ParserOutput extends CacheTime {
function setLimitReportData( $key, $value ) {
$this->mLimitReportData[$key] = $value;
}
+
+ /**
+ * Get or set the prevent-clickjacking flag
+ *
+ * @since 1.24
+ * @param boolean|null $flag New flag value, or null to leave it unchanged
+ * @return boolean Old flag value
+ */
+ public function preventClickjacking( $flag = null ) {
+ return wfSetVar( $this->mPreventClickjacking, $flag );
+ }
}
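Review bot: The docblock on preventClickjacking() is tagged `@since 1.24` while this diff is the 1.22.9 release, so on this branch the annotation misstates availability; `@since 1.22.9 (backported from 1.24)` would be accurate. The description could also say what the flag does and how it is reset, since the merges elsewhere in this diff are OR-accumulating and only an explicit `false` here clears it: `* Get or set the prevent-clickjacking flag. When true it is merged into OutputPage, which uses it to decide whether to send an X-Frame-Options header; pass false to clear it, null to read it.` The reset behaviour follows from wfSetVar() only replacing the value when the argument is non-null, which the current text leaves implicit.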
diff --git a/resources/Resources.php b/resources/Resources.php
index 06120008..3b06e1be 100644
--- a/resources/Resources.php
+++ b/resources/Resources.php
@@ -981,7 +981,11 @@ return array(
),
'mediawiki.page.image.pagination' => array(
'scripts' => 'resources/mediawiki.page/mediawiki.page.image.pagination.js',
- 'dependencies' => array( 'jquery.spinner' )
+ 'dependencies' => array(
+ 'mediawiki.Uri',
+ 'mediawiki.util',
+ 'jquery.spinner',
+ )
),
/* MediaWiki Special pages */
diff --git a/resources/mediawiki.page/mediawiki.page.image.pagination.js b/resources/mediawiki.page/mediawiki.page.image.pagination.js
index fb44a76f..11ed0ae4 100644
--- a/resources/mediawiki.page/mediawiki.page.image.pagination.js
+++ b/resources/mediawiki.page/mediawiki.page.image.pagination.js
@@ -31,7 +31,16 @@
function ajaxifyPageNavigation() {
// Intercept the default action of the links in the thumbnail navigation
$( '.multipageimagenavbox' ).one( 'click', 'a', function ( e ) {
- loadPage( this.href );
+ var page, uri;
+
+ // Generate the same URL on client side as the one generated in ImagePage::openShowImage.
+ // We avoid using the URL in the link directly since it could have been manipulated (bug 66608)
+ page = Number( mw.util.getParamValue( 'page', this.href ) );
+ uri = new mw.Uri( mw.util.wikiScript() )
+ .extend( { title: mw.config.get( 'wgPageName' ), page: page } )
+ .toString();
+
+ loadPage( uri );
e.preventDefault();
} );