authorPierre Schmitz <pierre@archlinux.de>2008-03-03 09:36:49 +0100
committerPierre Schmitz <pierre@archlinux.de>2008-03-03 09:36:49 +0100
commit749e7fb2bae7bbda855de3c9e319435b9f698ff7 (patch)
treea64763b24252286d6919665d2de481f8310022ef
parentcd613277ad3c5c601d3148b99377d97aa9656d6a (diff)
MediaWiki 1.11.2 released (security)
-rw-r--r--RELEASE-NOTES18
-rw-r--r--includes/DefaultSettings.php2
-rw-r--r--includes/api/ApiFormatJson.php2
-rw-r--r--includes/api/ApiMain.php8
-rw-r--r--includes/api/ApiQueryBase.php4
5 files changed, 32 insertions, 2 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 5115778e..4876d79b 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -3,6 +3,24 @@
Security reminder: MediaWiki does not require PHP's register_globals
setting since version 1.2.0. If you have it on, turn it *off* if you can.
+== MediaWiki 1.11.2 ==
+
+March 2, 2008
+
+This is a security release of the Fall 2007 snapshot release of MediaWiki.
+Possible cross-site information leaks using the callback parameter for
+JSON-formatted results in the API are prevented by dropping user credentials.
+
+MediaWiki release versions prior to 1.11 are not vulnerable, as they do
+not include the callback feature which allows client-side JavaScript on
+other sites to reach API data.
+
+Changes in this release:
+
+* User credentials are dropped for API JSON requests using a callback
+* Edit tokens are not reported for API JSON requests using a callback
+
+
== MediaWiki 1.11.1 ==
January 23, 2008
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 5afb969d..ad682b72 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -31,7 +31,7 @@ require_once( "$IP/includes/SiteConfiguration.php" );
$wgConf = new SiteConfiguration;
/** MediaWiki version number */
-$wgVersion = '1.11.1';
+$wgVersion = '1.11.2';
/** Name of the site. It must be changed in LocalSettings.php */
$wgSitename = 'MediaWiki';
diff --git a/includes/api/ApiFormatJson.php b/includes/api/ApiFormatJson.php
index ed9bd938..59f3b492 100644
--- a/includes/api/ApiFormatJson.php
+++ b/includes/api/ApiFormatJson.php
@@ -74,7 +74,7 @@ class ApiFormatJson extends ApiFormatBase {
protected function getParamDescription() {
return array (
- 'callback' => 'If specified, wraps the output into a given function call',
+ 'callback' => 'If specified, wraps the output into a given function call. For safety, all user-specific data will be restricted.',
);
}
diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php
index 31870449..00b3f63f 100644
--- a/includes/api/ApiMain.php
+++ b/includes/api/ApiMain.php
@@ -98,6 +98,14 @@ class ApiMain extends ApiBase {
// If the current user cannot read,
// Remove all modules other than login
global $wgUser;
+
+ if( $request->getVal( 'callback' ) !== null ) {
+ // JSON callback allows cross-site reads.
+ // For safety, strip user credentials.
+ wfDebug( "API: stripping user credentials for JSON callback\n" );
+ $wgUser = new User();
+ }
+
if (!$wgUser->isAllowed('read')) {
self::$Modules = array(
'login' => self::$Modules['login'],
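Review bot: The credential strip keys only on the presence of a `callback` parameter and not on the requested format, so any request carrying `callback` is downgraded to an anonymous `User` whatever formatter ends up running; that is the safe direction, but the comment should state it, e.g. `// Applied regardless of format: the callback parameter alone marks the request as cross-site readable.` Reassigning the global `$wgUser` does not reach objects that were already handed the logged-in user earlier in setup, and since the constructor this sits in starts outside the hunk I cannot see whether anything did, so it is worth confirming that nothing on the API path reads the session user through a cached reference. The `getVal('callback') !== null` test is repeated verbatim in ApiQueryBase::getTokenFlag below; a single helper on ApiMain such as `isCallbackRequest()` would keep the two checks from drifting apart.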
diff --git a/includes/api/ApiQueryBase.php b/includes/api/ApiQueryBase.php
index 28adb415..c810cfa7 100644
--- a/includes/api/ApiQueryBase.php
+++ b/includes/api/ApiQueryBase.php
@@ -215,6 +215,10 @@ abstract class ApiQueryBase extends ApiBase {
}
public function getTokenFlag($tokenArr, $action) {
+ if ($this->getMain()->getRequest()->getVal('callback') !== null) {
+ // Don't do any session-specific data.
+ return false;
+ }
if (in_array($action, $tokenArr)) {
global $wgUser;
if ($wgUser->isAllowed($action))