authorPierre Schmitz <pierre@archlinux.de>2011-04-13 05:42:02 +0200
committerPierre Schmitz <pierre@archlinux.de>2011-04-13 05:42:02 +0200
commit124299758ca7454561118f466a0470905758924f (patch)
treef4d09ea1286d6747ae36aecd4ba28dfb04c9e7c5 /includes
parent3bddedf685051638fdba61268ad195fee041db1c (diff)
update to MediaWiki 1.16.3
Diffstat (limited to 'includes')
-rw-r--r--includes/DefaultSettings.php2
-rw-r--r--includes/RawPage.php2
-rw-r--r--includes/Sanitizer.php47
-rw-r--r--includes/WebRequest.php17
-rw-r--r--includes/specials/SpecialImport.php29
5 files changed, 79 insertions, 18 deletions
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 155bb7c0..7993d95c 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -33,7 +33,7 @@ if ( !defined( 'MW_PHP4' ) ) {
}
/** MediaWiki version number */
-$wgVersion = '1.16.2';
+$wgVersion = '1.16.3';
/** Name of the site. It must be changed in LocalSettings.php */
$wgSitename = 'MediaWiki';
diff --git a/includes/RawPage.php b/includes/RawPage.php
index 8e515af3..2b610318 100644
--- a/includes/RawPage.php
+++ b/includes/RawPage.php
@@ -125,7 +125,7 @@ class RawPage {
#
# Just return a 403 Forbidden and get it over with.
wfHttpError( 403, 'Forbidden',
- 'Invalid file extension found in PATH_INFO. ' .
+ 'Invalid file extension found in PATH_INFO or QUERY_STRING. ' .
'Raw pages must be accessed through the primary script entry point.' );
return;
}
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index b5725ce8..26837b3c 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -726,29 +726,35 @@ class Sanitizer {
/**
* Pick apart some CSS and check it for forbidden or unsafe structures.
- * Returns a sanitized string, or false if it was just too evil.
+ * Returns a sanitized string. This sanitized string will have
+ * character references and escape sequences decoded, and comments
+ * stripped. If the input is just too evil, only a comment complaining
+ * about evilness will be returned.
*
* Currently URL references, 'expression', 'tps' are forbidden.
*
+ * NOTE: Despite the fact that character references are decoded, the
+ * returned string may contain character references given certain
+ * clever input strings. These character references must
+ * be escaped before the return value is embedded in HTML.
+ *
* @param $value String
- * @return Mixed
+ * @return String
*/
static function checkCss( $value ) {
+ // Decode character references like &#123;
$value = Sanitizer::decodeCharReferences( $value );
- // Remove any comments; IE gets token splitting wrong
- $value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value );
-
- // Remove anything after a comment-start token, to guard against
- // incorrect client implementations.
- $commentPos = strpos( $value, '/*' );
- if ( $commentPos !== false ) {
- $value = substr( $value, 0, $commentPos );
- }
-
// Decode escape sequences and line continuation
// See the grammar in the CSS 2 spec, appendix D.
- static $decodeRegex, $reencodeTable;
+ // This has to be done AFTER decoding character references.
+ // This means it isn't possible for this function to return
+ // unsanitized escape sequences. It is possible to manufacture
+ // input that contains character references that decode to
+ // escape sequences that decode to character references, but
+ // it's OK for the return value to contain character references
+ // because the caller is supposed to escape those anyway.
+ static $decodeRegex;
if ( !$decodeRegex ) {
$space = '[\\x20\\t\\r\\n\\f]';
$nl = '(?:\\n|\\r\\n|\\r|\\f)';
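Review bot: The rewritten docblock for checkCss() promises a string in every case, so any caller that still compares the result with `false` will no longer notice rejected input. Those call sites are outside this hunk and should be re-checked. The new NOTE also moves HTML-escaping of the return value onto the caller, which is easy to overlook when only the tag line is read. I would put both facts on the tag itself, for example `@return String Sanitized CSS, never false; must be HTML-escaped before being embedded in HTML`. The body of checkCss() continues past the end of this hunk.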
@@ -763,6 +769,21 @@ class Sanitizer {
}
$value = preg_replace_callback( $decodeRegex,
array( __CLASS__, 'cssDecodeCallback' ), $value );
+
+ // Remove any comments; IE gets token splitting wrong
+ // This must be done AFTER decoding character references and
+ // escape sequences, because those steps can introduce comments
+ // This step cannot introduce character references or escape
+ // sequences, because it replaces comments with spaces rather
+ // than removing them completely.
+ $value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value );
+
+ // Remove anything after a comment-start token, to guard against
+ // incorrect client implementations.
+ $commentPos = strpos( $value, '/*' );
+ if ( $commentPos !== false ) {
+ $value = substr( $value, 0, $commentPos );
+ }
// Reject problematic keywords and control characters
if ( preg_match( '/[\000-\010\016-\037\177]/', $value ) ) {
diff --git a/includes/WebRequest.php b/includes/WebRequest.php
index b6d6d27a..8a0ef48b 100644
--- a/includes/WebRequest.php
+++ b/includes/WebRequest.php
@@ -688,10 +688,27 @@ class WebRequest {
* but only by prefixing it with the script name and maybe some other stuff,
* the extension is not mangled. So this should be a reasonably portable
* way to perform this security check.
+ *
+ * Also checks for anything that looks like a file extension at the end of
+ * QUERY_STRING, since IE 6 and earlier will use this to get the file type
+ * if there was no dot before the question mark (bug 28235).
*/
public function isPathInfoBad() {
global $wgScriptExtension;
+ if ( isset( $_SERVER['QUERY_STRING'] )
+ && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) )
+ {
+ // Bug 28235
+ // Block only Internet Explorer, and requests with missing UA
+ // headers that could be IE users behind a privacy proxy.
+ if ( !isset( $_SERVER['HTTP_USER_AGENT'] )
+ || preg_match( '/; *MSIE/', $_SERVER['HTTP_USER_AGENT'] ) )
+ {
+ return true;
+ }
+ }
+
if ( !isset( $_SERVER['PATH_INFO'] ) ) {
return false;
}
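Review bot: The new QUERY_STRING test in isPathInfoBad() matches only one to four ASCII letters at the very end of the raw, undecoded query string, so a trailing extension that contains a digit or is written in percent-encoded form is not covered. Whether the affected IE versions act on those forms is not visible here and should be confirmed. If they do, matching the decoded value with a wider class is the safer check, e.g. `preg_match( '/\.[a-z0-9]{1,4}$/i', urldecode( $_SERVER['QUERY_STRING'] ) )`. Because the result now depends on User-Agent, a shared cache in front of the wiki would presumably need to vary on that header or skip caching these responses. The rest of isPathInfoBad() lies outside the hunk.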
diff --git a/includes/specials/SpecialImport.php b/includes/specials/SpecialImport.php
index 6beeab7f..248709a8 100644
--- a/includes/specials/SpecialImport.php
+++ b/includes/specials/SpecialImport.php
@@ -45,7 +45,7 @@ class SpecialImport extends SpecialPage {
* Execute
*/
function execute( $par ) {
- global $wgRequest;
+ global $wgRequest, $wgUser, $wgOut;
$this->setHeaders();
$this->outputHeader();
@@ -56,6 +56,28 @@ class SpecialImport extends SpecialPage {
return;
}
+ if( !$wgUser->isAllowed( 'import' ) && !$wgUser->isAllowed( 'importupload' ) )
+ return $wgOut->permissionRequired( 'import' );
+
+ # TODO: allow Title::getUserPermissionsErrors() to take an array
+ # FIXME: Title::checkSpecialsAndNSPermissions() has a very wierd expectation of what
+ # getUserPermissionsErrors() might actually be used for, hence the 'ns-specialprotected'
+ $errors = wfMergeErrorArrays(
+ $this->getTitle()->getUserPermissionsErrors(
+ 'import', $wgUser, true,
+ array( 'ns-specialprotected', 'badaccess-group0', 'badaccess-groups' )
+ ),
+ $this->getTitle()->getUserPermissionsErrors(
+ 'importupload', $wgUser, true,
+ array( 'ns-specialprotected', 'badaccess-group0', 'badaccess-groups' )
+ )
+ );
+
+ if( $errors ){
+ $wgOut->showPermissionsErrorPage( $errors );
+ return;
+ }
+
if ( $wgRequest->wasPosted() && $wgRequest->getVal( 'action' ) == 'submit' ) {
$this->doImport();
}
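Review bot: The ignore list `array( 'ns-specialprotected', 'badaccess-group0', 'badaccess-groups' )` is written out twice in the added permission block, and the FIXME explains only its first key. Presumably the two `badaccess-*` keys are dropped because the isAllowed() test just above already handles the missing-right case, and a user holding only one of the two rights must not be rejected by the other call; that reasoning should be stated in a comment. Hoisting the list into one local keeps the two calls from drifting apart: `$ignoreErrors = array( 'ns-specialprotected', 'badaccess-group0', 'badaccess-groups' ); // the right itself is checked via isAllowed() above`. The added braceless `if` that does `return $wgOut->permissionRequired( 'import' );` also differs from the braced `if( $errors ){ ... return; }` a few lines below, and using the braced form with a bare `return;` in both places would be consistent. execute() begins before this hunk and continues after it.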
@@ -84,6 +106,9 @@ class SpecialImport extends SpecialPage {
return $wgOut->permissionRequired( 'importupload' );
}
} elseif ( $sourceName == "interwiki" ) {
+ if( !$wgUser->isAllowed( 'import' ) ){
+ return $wgOut->permissionRequired( 'import' );
+ }
$this->interwiki = $wgRequest->getVal( 'interwiki' );
if ( !in_array( $this->interwiki, $wgImportSources ) ) {
$source = new WikiErrorMsg( "import-invalid-interwiki" );
@@ -133,8 +158,6 @@ class SpecialImport extends SpecialPage {
private function showForm() {
global $wgUser, $wgOut, $wgRequest, $wgImportSources, $wgExportMaxLinkDepth;
- if( !$wgUser->isAllowed( 'import' ) && !$wgUser->isAllowed( 'importupload' ) )
- return $wgOut->permissionRequired( 'import' );
$action = $this->getTitle()->getLocalUrl( array( 'action' => 'submit' ) );