summaryrefslogtreecommitdiff
path: root/includes
diff options
context:
space:
mode:
authorPierre Schmitz <pierre@archlinux.de>2013-11-14 23:19:13 +0100
committerPierre Schmitz <pierre@archlinux.de>2013-11-14 23:19:13 +0100
commitaf4da56f1ad4d3ef7b06557bae365da2ea27a897 (patch)
treec018c4033c36be77f9ec699cfd485be82c7542d7 /includes
parent91e194556c52d2f354344f930419eef2dd6267f0 (diff)
Update to MediaWiki 1.21.3
Diffstat (limited to 'includes')
-rw-r--r--includes/DefaultSettings.php2
-rw-r--r--includes/Sanitizer.php39
-rw-r--r--includes/actions/RawAction.php3
-rw-r--r--includes/installer/OracleUpdater.php7
-rw-r--r--includes/specials/SpecialUploadStash.php2
-rw-r--r--includes/upload/UploadBase.php6
6 files changed, 53 insertions, 6 deletions
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 0e493eb0..a56ef849 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -63,7 +63,7 @@ $wgConf = new SiteConfiguration;
* MediaWiki version number
* @since 1.2
*/
-$wgVersion = '1.21.2';
+$wgVersion = '1.21.3';
/**
* Name of the site. It must be changed in LocalSettings.php
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index 2dff081d..849e4d66 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -854,6 +854,27 @@ class Sanitizer {
$value = preg_replace_callback( $decodeRegex,
array( __CLASS__, 'cssDecodeCallback' ), $value );
+ // Normalize Halfwidth and Fullwidth Unicode block that IE6 might treat as ascii
+ $value = preg_replace_callback(
+ '/[!-z]/u', // U+FF01 to U+FF5A
+ function ( $matches ) {
+ $cp = utf8ToCodepoint( $matches[0] );
+ if ( $cp === false ) {
+ return '';
+ }
+ return chr( $cp - 65248 ); // ASCII range \x21-\x7A
+ },
+ $value
+ );
+
+ // Convert more characters IE6 might treat as ascii
+ // U+0280, U+0274, U+207F, U+029F, U+026A, U+207D, U+208D
+ $value = str_replace(
+ array( 'ʀ', 'ɴ', 'ⁿ', 'ʟ', 'ɪ', '⁽', '₍' ),
+ array( 'r', 'n', 'n', 'l', 'i', '(', '(' ),
+ $value
+ );
+
// Remove any comments; IE gets token splitting wrong
// This must be done AFTER decoding character references and
// escape sequences, because those steps can introduce comments
@@ -869,8 +890,24 @@ class Sanitizer {
$value = substr( $value, 0, $commentPos );
}
+ // S followed by repeat, iteration, or prolonged sound marks,
+ // which IE will treat as "ss"
+ $value = preg_replace(
+ '/s(?:
+ \xE3\x80\xB1 | # U+3031
+ \xE3\x82\x9D | # U+309D
+ \xE3\x83\xBC | # U+30FC
+ \xE3\x83\xBD | # U+30FD
+ \xEF\xB9\xBC | # U+FE7C
+ \xEF\xB9\xBD | # U+FE7D
+ \xEF\xBD\xB0 # U+FF70
+ )/ix',
+ 'ss',
+ $value
+ );
+
// Reject problematic keywords and control characters
- if ( preg_match( '/[\000-\010\016-\037\177]/', $value ) ) {
+ if ( preg_match( '/[\000-\010\013\016-\037\177]/', $value ) ) {
return '/* invalid control char */';
} elseif ( preg_match( '! expression | filter\s*: | accelerator\s*: | url\s*\( | image\s*\( | image-set\s*\( !ix', $value ) ) {
return '/* insecure input */';
diff --git a/includes/actions/RawAction.php b/includes/actions/RawAction.php
index d1d457c0..12ce9f98 100644
--- a/includes/actions/RawAction.php
+++ b/includes/actions/RawAction.php
@@ -94,6 +94,9 @@ class RawAction extends FormlessAction {
# Output may contain user-specific data;
# vary generated content for open sessions on private wikis
$privateCache = !User::groupHasPermission( '*', 'read' ) && ( $smaxage == 0 || session_id() != '' );
+ // Bug 53032 - make this private if user is logged in,
+ // so we don't accidentally cache cookies
+ $privateCache = $privateCache ?: $this->getUser()->isLoggedIn();
# allow the client to cache this for 24 hours
$mode = $privateCache ? 'private' : 'public';
$response->header( 'Cache-Control: ' . $mode . ', s-maxage=' . $smaxage . ', max-age=' . $maxage );
diff --git a/includes/installer/OracleUpdater.php b/includes/installer/OracleUpdater.php
index b416f4b6..90b4c877 100644
--- a/includes/installer/OracleUpdater.php
+++ b/includes/installer/OracleUpdater.php
@@ -202,7 +202,12 @@ class OracleUpdater extends DatabaseUpdater {
protected function doPageRestrictionsPKUKFix() {
$this->output( "Altering PAGE_RESTRICTIONS keys ... " );
- $meta = $this->db->query( 'SELECT column_name FROM all_cons_columns WHERE owner = \''.strtoupper($this->db->getDBname()).'\' AND constraint_name = \'MW_PAGE_RESTRICTIONS_PK\' AND rownum = 1' );
+ $meta = $this->db->query( 'SELECT column_name FROM all_cons_columns WHERE owner = \'' .
+ strtoupper( $this->db->getDBname() ) .
+ '\' AND constraint_name = \'' .
+ $this->db->tablePrefix() .
+ 'PAGE_RESTRICTIONS_PK\' AND rownum = 1'
+ );
$row = $meta->fetchRow();
if ( $row['column_name'] == 'PR_ID' ) {
$this->output( "seems to be up to date.\n" );
diff --git a/includes/specials/SpecialUploadStash.php b/includes/specials/SpecialUploadStash.php
index ddf0c6da..066dcfc9 100644
--- a/includes/specials/SpecialUploadStash.php
+++ b/includes/specials/SpecialUploadStash.php
@@ -303,6 +303,8 @@ class SpecialUploadStash extends UnlistedSpecialPage {
header( "Content-Type: $contentType", true );
header( 'Content-Transfer-Encoding: binary', true );
header( 'Expires: Sun, 17-Jan-2038 19:14:07 GMT', true );
+ // Bug 53032 - It shouldn't be a problem here, but let's be safe and not cache
+ header( 'Cache-Control: private' );
header( "Content-Length: $size", true );
}
diff --git a/includes/upload/UploadBase.php b/includes/upload/UploadBase.php
index 5a823622..e72669d4 100644
--- a/includes/upload/UploadBase.php
+++ b/includes/upload/UploadBase.php
@@ -406,10 +406,10 @@ abstract class UploadBase {
return $status;
}
- if ( $wgVerifyMimeType ) {
- $this->mFileProps = FSFile::getPropsFromPath( $this->mTempPath, $this->mFinalExtension );
- $mime = $this->mFileProps['file-mime'];
+ $this->mFileProps = FSFile::getPropsFromPath( $this->mTempPath, $this->mFinalExtension );
+ $mime = $this->mFileProps['file-mime'];
+ if ( $wgVerifyMimeType ) {
# XXX: Missing extension will be caught by validateName() via getTitle()
if ( $this->mFinalExtension != '' && !$this->verifyExtension( $mime, $this->mFinalExtension ) ) {
wfProfileOut( __METHOD__ );