Update to MediaWiki 1.22.15

author: Pierre Schmitz <pierre@archlinux.de> 2014-12-18 09:47:12 +0100
committer: Pierre Schmitz <pierre@archlinux.de> 2014-12-18 09:47:12 +0100
commit: b88ab0086858470dd1f644e64cb4e4f62bb2be9b (patch)
tree: 6cd21b1fe19aac4e9738e32d9e046d4e053353cd
parent: 888eab1a076a287bddd84fdf9dd9c57154c91e3f (diff)
6 files changed, 27 insertions, 13 deletions
diff --git a/RELEASE-NOTES-1.22 b/RELEASE-NOTES-1.22
index 20c19471..9d10f222 100644
--- a/RELEASE-NOTES-1.22
+++ b/RELEASE-NOTES-1.22
@@ -3,6 +3,20 @@
 Security reminder: MediaWiki does not require PHP's register_globals. If you
 have it on, turn it '''off''' if you can.
 
+== MediaWiki 1.22.15 ==
+
+This is a security and maintenance release of the MediaWiki 1.22 branch.
+
+=== Changes since 1.22.14 ===
+
+* (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which
+  could lead to xss. Permission to edit MediaWiki namespace is required to
+  exploit this.
+* (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in
+  $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as
+  part of its name.
+* (bug T74222) The original patch for T74222 was reverted as unnecessary.
+
 == MediaWiki 1.22.14 ==
 
 This is a security and maintenance release of the MediaWiki 1.22 branch.
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 6feac36b..78568107 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -63,7 +63,7 @@ $wgConf = new SiteConfiguration;
  * MediaWiki version number
  * @since 1.2
  */
-$wgVersion = '1.22.14';
+$wgVersion = '1.22.15';
 
 /**
  * Name of the site. It must be changed in LocalSettings.php
diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php
index c11f16cb..ea2fcc78 100644
--- a/includes/api/ApiMain.php
+++ b/includes/api/ApiMain.php
@@ -510,7 +510,7 @@ class ApiMain extends ApiBase {
 			array( '.*?', '.' ),
 			$wildcard
 		);
-		return "/https?:\/\/$wildcard/";
+		return "/^https?:\/\/$wildcard$/";
 	}
 
 	protected function sendCacheHeaders() {
diff --git a/includes/api/ApiQueryLogEvents.php b/includes/api/ApiQueryLogEvents.php
index 0e8c5e61..ecd117e4 100644
--- a/includes/api/ApiQueryLogEvents.php
+++ b/includes/api/ApiQueryLogEvents.php
@@ -36,7 +36,7 @@ class ApiQueryLogEvents extends ApiQueryBase {
 	}
 
 	private $fld_ids = false, $fld_title = false, $fld_type = false,
-		$fld_action = false, $fld_user = false, $fld_userid = false,
+		$fld_user = false, $fld_userid = false,
 		$fld_timestamp = false, $fld_comment = false, $fld_parsedcomment = false,
 		$fld_details = false, $fld_tags = false;
 
@@ -49,7 +49,6 @@ class ApiQueryLogEvents extends ApiQueryBase {
 		$this->fld_ids = isset( $prop['ids'] );
 		$this->fld_title = isset( $prop['title'] );
 		$this->fld_type = isset( $prop['type'] );
-		$this->fld_action = isset( $prop['action'] );
 		$this->fld_user = isset( $prop['user'] );
 		$this->fld_userid = isset( $prop['userid'] );
 		$this->fld_timestamp = isset( $prop['timestamp'] );
@@ -157,7 +156,7 @@ class ApiQueryLogEvents extends ApiQueryBase {
 		$this->addOption( 'USE INDEX', $index );
 
 		// Paranoia: avoid brute force searches (bug 17342)
-		if ( !is_null( $title ) || !is_null( $params['action'] ) ) {
+		if ( !is_null( $title ) ) {
 			$this->addWhere( $db->bitAnd( 'log_deleted', LogPage::DELETED_ACTION ) . ' = 0' );
 		}
 		if ( !is_null( $user ) ) {
@@ -300,7 +299,7 @@ class ApiQueryLogEvents extends ApiQueryBase {
 			$title = Title::makeTitle( $row->log_namespace, $row->log_title );
 		}
 
-		if ( $this->fld_title || $this->fld_ids || $this->fld_type ) {
+		if ( $this->fld_title || $this->fld_ids ) {
 			if ( LogEventsList::isDeleted( $row, LogPage::DELETED_ACTION ) ) {
 				$vals['actionhidden'] = '';
 			} else {
@@ -318,6 +317,7 @@ class ApiQueryLogEvents extends ApiQueryBase {
 
 		if ( $this->fld_type ) {
 			$vals['type'] = $row->log_type;
+			$vals['action'] = $row->log_action;
 		}
 
 		if ( $this->fld_details && $row->log_params !== '' ) {
diff --git a/languages/messages/MessagesEn.php b/languages/messages/MessagesEn.php
index 147ffcd5..65371ad7 100644
--- a/languages/messages/MessagesEn.php
+++ b/languages/messages/MessagesEn.php
@@ -1657,7 +1657,7 @@ Try [[Special:Search|searching on the wiki]] for relevant new pages.',
 # Revision deletion
 'rev-deleted-comment'         => '(edit summary removed)',
 'rev-deleted-user'            => '(username removed)',
-'rev-deleted-event'           => '(log action removed)',
+'rev-deleted-event'           => '(log details removed)',
 'rev-deleted-user-contribs'   => '[username or IP address removed - edit hidden from contributions]',
 'rev-deleted-text-permission' => "This page revision has been '''deleted'''.
 Details can be found in the [{{fullurl:{{#Special:Log}}/delete|page={{FULLPAGENAMEE}}}} deletion log].",
@@ -1709,7 +1709,7 @@ Other administrators on {{SITENAME}} will still be able to access the hidden con
 'revdelete-legend'            => 'Set visibility restrictions',
 'revdelete-hide-text'         => 'Revision text',
 'revdelete-hide-image'        => 'Hide file content',
-'revdelete-hide-name'         => 'Hide action and target',
+'revdelete-hide-name'         => 'Hide target and parameters',
 'revdelete-hide-comment'      => 'Edit summary',
 'revdelete-hide-user'         => "Editor's username/IP address",
 'revdelete-hide-restricted'   => 'Suppress data from administrators as well as others',
diff --git a/thumb.php b/thumb.php
index 913adc18..dc3093c0 100644
--- a/thumb.php
+++ b/thumb.php
@@ -131,12 +131,12 @@ function wfStreamThumb( array $params ) {
 		// Format is <timestamp>!<name>
 		$bits = explode( '!', $fileName, 2 );
 		if ( count( $bits ) != 2 ) {
-			wfThumbError( 404, wfMessage( 'badtitletext' )->text() );
+			wfThumbError( 404, wfMessage( 'badtitletext' )->parse() );
 			return;
 		}
 		$title = Title::makeTitleSafe( NS_FILE, $bits[1] );
 		if ( !$title ) {
-			wfThumbError( 404, wfMessage( 'badtitletext' )->text() );
+			wfThumbError( 404, wfMessage( 'badtitletext' )->parse() );
 			return;
 		}
 		$img = RepoGroup::singleton()->getLocalRepo()->newFromArchiveName( $title, $fileName );
@@ -146,7 +146,7 @@ function wfStreamThumb( array $params ) {
 
 	// Check the source file title
 	if ( !$img ) {
-		wfThumbError( 404, wfMessage( 'badtitletext' )->text() );
+		wfThumbError( 404, wfMessage( 'badtitletext' )->parse() );
 		return;
 	}
 
@@ -306,7 +306,7 @@ function wfStreamThumb( array $params ) {
 
 	$user = RequestContext::getMain()->getUser();
 	if ( $user->pingLimiter( 'renderfile' ) ) {
-		wfThumbError( 500, wfMessage( 'actionthrottledtext' ) );
+		wfThumbError( 500, wfMessage( 'actionthrottledtext' )->parse() );
 		return;
 	}
 
@@ -452,7 +452,7 @@ function wfExtractThumbParams( $file, $params ) {
  * Output a thumbnail generation error message
  *
  * @param $status integer
- * @param $msg string
+ * @param string $msg HTML
  * @return void
  */
 function wfThumbError( $status, $msg ) {
author	Pierre Schmitz <pierre@archlinux.de>	2014-12-18 09:47:12 +0100
committer	Pierre Schmitz <pierre@archlinux.de>	2014-12-18 09:47:12 +0100
commit	b88ab0086858470dd1f644e64cb4e4f62bb2be9b (patch)
tree	6cd21b1fe19aac4e9738e32d9e046d4e053353cd
parent	888eab1a076a287bddd84fdf9dd9c57154c91e3f (diff)