summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPierre Schmitz <pierre@archlinux.de>2007-09-11 00:19:58 +0200
committerPierre Schmitz <pierre@archlinux.de>2007-09-11 00:19:58 +0200
commitd7d08bd1a17618c7d77a6b9b2989e9f7293d6ed6 (patch)
treed782e2d1f10104181ccdeb8231409f3f4b2aae12
parentd354da0fd0f521019c67bf12eefe527d4cf84017 (diff)
added security patch -> 1.10.2
-rw-r--r--RELEASE-NOTES31
-rw-r--r--includes/DefaultSettings.php2
-rw-r--r--includes/api/ApiFormatBase.php7
3 files changed, 37 insertions, 3 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index a2bc56c5..ac1b7a47 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -3,6 +3,37 @@
Security reminder: MediaWiki does not require PHP's register_globals
setting since version 1.2.0. If you have it on, turn it *off* if you can.
+== MediaWiki 1.10.2 ==
+
+September 10, 2007
+
+This is a security fix update to the Spring 2007 quarterly release snapshot.
+A possible HTML/XSS injection vector in the API pretty-printing mode has
+been found and fixed.
+
+The vulnerability may be worked around in an unfixed version by simply
+disabling the API interface if it is not in use, by adding this to
+LocalSettings.php:
+
+ $wgEnableAPI = false;
+
+Not vulnerable versions:
+* 1.11 >= 1.11.0
+* 1.10 >= 1.10.2
+* 1.9 >= 1.9.4
+* 1.8 >= 1.8.5
+
+Vulnerable versions:
+* 1.11 <= 1.11.0rc1
+* 1.10 <= 1.10.1
+* 1.9 <= 1.9.3
+* 1.8 <= 1.8.4 (if $wgEnableAPI has been switched on)
+
+MediaWiki 1.7 and below are not affected as they do not include
+the faulty function, however the BotQuery extension is similarly
+vulnerable unless updated to the latest SVN version.
+
+
== MediaWiki 1.10.1 ==
July 13, 2007
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index d9bd3760..d8f9a621 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -31,7 +31,7 @@ require_once( 'includes/SiteConfiguration.php' );
$wgConf = new SiteConfiguration;
/** MediaWiki version number */
-$wgVersion = '1.10.1';
+$wgVersion = '1.10.2';
/** Name of the site. It must be changed in LocalSettings.php */
$wgSitename = 'MediaWiki';
diff --git a/includes/api/ApiFormatBase.php b/includes/api/ApiFormatBase.php
index 192c51a7..782a4161 100644
--- a/includes/api/ApiFormatBase.php
+++ b/includes/api/ApiFormatBase.php
@@ -145,8 +145,11 @@ for more information.
* This method also replaces any '<' with &lt;
*/
protected function formatHTML($text) {
- // encode all tags as safe blue strings
- $text = ereg_replace('\<([^>]+)\>', '<span style="color:blue;">&lt;\1&gt;</span>', $text);
+ // Escape everything first for full coverage
+ $text = htmlspecialchars($text);
+
+ // encode all comments or tags as safe blue strings
+ $text = preg_replace('/\&lt;(!--.*?--|.*?)\&gt;/', '<span style="color:blue;">&lt;\1&gt;</span>', $text);
// identify URLs
$protos = "http|https|ftp|gopher";
$text = ereg_replace("($protos)://[^ '\"()<\n]+", '<a href="\\0">\\0</a>', $text);